Secure Programming And Common Errors Part II

Secure Programming and! Common Errors! PART II brought to you by Michele “AntiSnatchOr” Orrù and Integrating Web LTD Computer System Security course lead by Prof. Ozalp Babaoglu 9 December 2009 1 

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Who am I?  irector and CSO of Integrating Web LTD D  achelor Degree in Internet Sciences B  ndependent Security Researcher I  wner of http://antisnatchor.com security O advisory blog Who am I?  EE developer  J 2 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Seminar outline (part II)  iscuss other important attack vectors, D Seminar outline (part II) not limited to Web Applications  ractical screen-casts that show how P attackers exploit common ﬂows  nderstand the impact of these threats U on your privacy, data and identity 3 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  What we will discuss:  CWE-22: Path Traversal + screen-cast  CWE-89: Failure to Preserve SQL Query Structure What we will discuss (SQL injection) + screen-cast  CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-cast  Appendix: do you think HTTPS is secure? Not completely true… 4 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-22: Path Traversal  Many applications read from or write to a file system parsing user supplied parameters that CWE-22: Path Traversal specify the file or the operation  If these user supplied parameters are not validated (and the application is not chrooted/ jailed), then an attacker can manipulate them to read/write sensitive information/files on the OS. 5 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-22: Example! www.essedi.it  Credits: antisnatchor CWE-22: www.essedi.it  Path traversal vulnerability on ONERROR parameter  The HTML ﬁle requested as a value of ONERROR, can be manipulated to retrieve non-IIS owned ﬁles 6 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-22: www.essedi.it Screen-Cast! www.essedi.it 7 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Links  Good books:  h$p://www.amazon.co.uk/Web‐Applica1on‐Hackers‐Handbook‐Discovering/dp/ 0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8‐1   h$p://www.amazon.com/Web‐Security‐Tes1ng‐Cookbook‐Systema1c/dp/ 0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8‐3    SANS/MITRE: h$p://cwe.mitre.org/data/deﬁni1ons/22.html   OWASP: h$p://www.owasp.org/index.php/Path_Traversal  CWE-22: Links  Good hacker: h$p://kuza55.blogspot.com/2008/07/cookie‐path‐ traversal.html   PHP security guru: h$p://www.suspekt.org/2008/12/05/php‐527‐ and‐ziparchiveextrac$o/   8 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-89: ! SQL Injection  If attackers can influence the SQL that you use to communicate with your database, then they CWE-89: SQL Injection can do nasty things for fun and profit  Thanks to Bernardo for SQLmap  http://sqlmap.sourceforge.net  Open source, written in python  Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server  Metasploit plugin to exploit MS09-004 (M. SQL Server 2000/2005 heap based buffer overflow) 9 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-89:Example! www.dm.unibo.it Credits: antisnatchor CWE-89: www.dm.unibo.it   Conﬁrmed unescaped numeric injection on GET parameter “anno” (patched from many months)  We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0  For demonstration we retrieved the exact name of the database name to which the web app is bounded: dipartimento 10 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-89: www.dm.unibo.it Screen-Cast! www.dm.unibo.it 11 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Links  Good books:  h$p://www.amazon.co.uk/Web‐Applica1on‐Hackers‐Handbook‐Discovering/dp/ 0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8‐1   h$p://www.amazon.com/Database‐Hackers‐Handbook‐Defending‐Servers/dp/ 0764578014/ref=sr_1_2?ie=UTF8&s=books&qid=1260281547&sr=8‐2   h$p://www.amazon.com/Web‐Security‐Tes1ng‐Cookbook‐Systema1c/dp/ 0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8‐3   CWE-89: Links  SQLmap author:  h$p://www.slideshare.net/inquis/sql‐injec1on‐not‐only‐and‐11  12 of 25

CWE-79: The Plague of Cross Site Scripting h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-79: Cross Site Scripting  When a page with our malicious code is accessed by other users, their browsers will execute our scripts on their contexts  Really difﬁcult to create a powerful anti-XSS ﬁlter:  Multiple data encoding handling  Data truncation handling  New vectors (CSS, JSON, XUL) 13 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-79: Example! 1. KonaKart  Credits: antisnatchor  KonaKart is a free Java based web application to manage e-commerce websites CWE-79: KonaKart (www.konakart.com)  Stored XSS has been found and veriﬁed in the backend  More info here: h$p://an1snatchor.com/2008/12/22/konakart‐2260‐responsible‐disclosure/    Let see how we can exploit them 14 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Screen-Cast! KonaKart CWE-79: KonaKart 15 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  CWE-79: Examples! 2. WMSmonitor  Credits: antisnatchor CWE-79: WMSmonitor  Internal Penetration Test at INFN (National Institute of Nuclear Physics)  Workload Management System (distribute job execution between multiple Computing Elements on a Grid infrastructure) monitor  Some serious flows have been identified  Unsecure handling of X.509 client certificates  Reflected XSS  TRACE method enabled  Let see how can we take full control of the victim browser 16 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Screen-Cast! CWE-79: WMSmonitor WMSmonitor 17 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Links  Wade Alcorn’s works:  BeEF: h$p://www.bindshell.net/tools/beef/    Inter-Protocol Exploitation: h$p://www.bindshell.net/papers/ipe   The Advanced Cross-Site Scripting Virus: h$p:// www.bindshell.net/papers/axssv   Rsnake works:  XSS cheat sheet: h$p://ha.ckers.org/xss.html  CWE-79: Links  XSS worm context: h$p://ha.ckers.org/blog/20080106/diminu1ve‐ xss‐worm‐contest‐drama‐and‐status‐update/     AntiSnatcOr works research:  Advisories on SecurityFocus: h$p://an1snatchor.com/2009/10/14/ﬁnally‐on‐bugtraq/  18 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Links  Good books:  h$p://www.amazon.co.uk/Web‐Applica1on‐Hackers‐Handbook‐Discovering/dp/ 0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8‐1    h$p://www.amazon.com/XSS‐A$acks‐Scrip1ng‐Exploits‐Defense/dp/1597491543/ ref=sr_1_4?ie=UTF8&s=books&qid=1260281547&sr=8‐4   h$p://www.amazon.com/Web‐Security‐Tes1ng‐Cookbook‐Systema1c/dp/ 0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8‐3    CWE-79: Links 19 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Appendix: do you think HTTPS is secure? Appendix: HTTPS insecurity  SSL/TLS are cryptographically secure (RSA/DSA/ Symmetric Encryption)  But they have well known limitations and security ﬂows  They all suffer from MITM attacks and network protocol manipulation  Some aspects such as OSCP and different implementations (OpenSSL, Mozilla NSS) are ﬂowed 20 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Appendix: do you think HTTPS is secure? Appendix: HTTPS insecurity  Latest research of Moxie Marlinspike (http://www.thoughtcrime.org)  Sslstrip: It transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.  We can use as the old certificate injection method: ARP-spoofing + traffic redirection + sniffing  Eventually altering BGP routing tables on routers, for remote sniffing 21 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Appendix: do you think HTTPS is secure? Appendix: HTTPS insecurity  Old exploit method (still useful)  MITM and fake certificate injection  ARP spoofing  IP forwarding  Sniffing  webmitm  Cons: the victim will see that the certificate is not valid (BTW, almost all of you don’t take care to Firefox’s alerts on certificates problems)  Press OK  … That’s FINE 22 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Screen-Cast! Appendix: HTTPS insecurity Fake certiﬁcate injection 23 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Links  Vimeo screencasts:  h$p://www.vimeo.com/6149119   h$p://www.thoughtcrime.org/so]ware/sslstrip/video/sslstrip.mov    Papers: Appendix: Links  OCSP: h$p://www.thoughtcrime.org/papers/ocsp‐a$ack.pdf   Null-byte: h$p://www.thoughtcrime.org/papers/null‐prefix‐a$acks.pdf   Fake-cert: h$p://an1snatchor.com/works/sniffing‐ssl‐tls‐connec1ons‐through‐fake‐ cer1ficate‐injec1on/  24 of 25

h$p://www.integra1ngweb.com  h$p://an1snatchor.com  Thanks for your ! attention! Questions? 25 of 25

Secure Programming And Common Errors Part II

by Michele Orru' on Dec 09, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 78

Statistics

Secure Programming And Common Errors Part II — Presentation Transcript

http://antisnatchor.com	75
http://www.slideshare.net	3