Secure Programming And Common Errors Part II


- Discuss other important attack vectors, not limited to web applications
- Practical screen-casts that show how attackers exploit common flaws
- Understand the impact of these threats on your privacy, data and identity


  1. Secure Programming and Common Errors, PART II. Brought to you by Michele “AntiSnatchOr” Orrù and Integrating Web LTD. Computer System Security course led by Prof. Ozalp Babaoglu. 9 December 2009.

  2. Who am I?
     - Director and CSO of Integrating Web LTD
     - Bachelor Degree in Internet Sciences
     - Independent Security Researcher
     - Owner of a security advisory blog
     - JEE developer
  3. 3. h$p://
 Seminar outline (part II)   iscuss other important attack vectors, D Seminar outline (part II) not limited to Web Applications   ractical screen-casts that show how P attackers exploit common flows   nderstand the impact of these threats U on your privacy, data and identity 3 of 25
  4. 4. h$p://
 What we will discuss:  CWE-22: Path Traversal + screen-cast  CWE-89: Failure to Preserve SQL Query Structure What we will discuss (SQL injection) + screen-cast  CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-cast  Appendix: do you think HTTPS is secure? Not completely true… 4 of 25
  5. 5. h$p://
 CWE-22: Path Traversal   Many applications read from or write to a file system parsing user supplied parameters that CWE-22: Path Traversal specify the file or the operation   If these user supplied parameters are not validated (and the application is not chrooted/ jailed), then an attacker can manipulate them to read/write sensitive information/files on the OS. 5 of 25
  6. 6. h$p://
 CWE-22: Example!   Credits: antisnatchor CWE-22:   Path traversal vulnerability on ONERROR parameter   The HTML file requested as a value of ONERROR, can be manipulated to retrieve non-IIS owned files 6 of 25
  7. 7. h$p://
 CWE-22: Screen-Cast! 7 of 25
  8. 8. h$p://
  8. CWE-22: Links
     - Good books:
       - http://-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
       - http://-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
     - SANS/MITRE: http://
     - OWASP: http://
     - Good hacker: http://-path-traversal.html
     - PHP security guru: http://-527-and-ziparchiveextractto/
  9. 9. h$p://
 CWE-89: ! SQL Injection   If attackers can influence the SQL that you use to communicate with your database, then they CWE-89: SQL Injection can do nasty things for fun and profit   Thanks to Bernardo for SQLmap    Open source, written in python   Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server   Metasploit plugin to exploit MS09-004 (M. SQL Server 2000/2005 heap based buffer overflow) 9 of 25
  10. 10. h$p://
 CWE-89:Example! Credits: antisnatchor CWE-89:     Confirmed unescaped numeric injection on GET parameter “anno” (patched from many months)   We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0   For demonstration we retrieved the exact name of the database name to which the web app is bounded: dipartimento 10 of 25
  11. 11. h$p://
 CWE-89: Screen-Cast! 11 of 25
  12. 12. h$p://
  12. CWE-89: Links
     - Good books:
       - http://-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
       - http://-Hackers-Handbook-Defending-Servers/dp/0764578014/ref=sr_1_2?ie=UTF8&s=books&qid=1260281547&sr=8-2
       - http://-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
     - SQLmap author: http://-injection-not-only-and-11
  13. CWE-79: The Plague of Cross Site Scripting
     - When a page with our malicious code is accessed by other users, their browsers will execute our scripts in their context.
     - It is really difficult to create a powerful anti-XSS filter:
       - Multiple data encoding handling
       - Data truncation handling
       - New vectors (CSS, JSON, XUL)
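Contextual output encoding, the practical answer to the filter problem on slide 13, as an added example that is not from the slides; the page fragment, the helper names and the sample input are assumptions. It goes one step beyond the slide by also covering JSON placed inside a script block, one of the newer vectors listed.

```python
import html
import json

# Added example, not code from the slides: rather than filtering input for
# "bad" strings (which slide 13 explains is hard to get right), encode the
# untrusted data for the exact context it is written into.

def for_html_text(value: str) -> str:
    """Safe inside element text and inside double-quoted attribute values."""
    # quote=True also encodes " and ', so the value cannot close an attribute.
    return html.escape(value, quote=True)


def for_inline_json(value) -> str:
    """Safe inside a <script> block as a JSON literal."""
    # json.dumps alone is not enough: a "</script>" inside a string would end
    # the script element before the JS parser ever sees it. Encode the
    # characters the HTML parser cares about as JSON unicode escapes.
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_product_page(name: str, description: str) -> str:
    """Emit one untrusted value into three contexts, each with its own encoder."""
    return (
        f"<h1>{for_html_text(name)}</h1>\n"
        f'<input type="text" name="q" value="{for_html_text(name)}">\n'
        f"<script>var product = {for_inline_json({'name': name, 'desc': description})};"
        "</script>"
    )


if __name__ == "__main__":
    # Constructed sample input standing in for a stored product name.
    print(render_product_page('<script>"untrusted"</script>', "</script> x"))
```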
  14. CWE-79: Example 1. KonaKart (Credits: antisnatchor)
     - KonaKart is a free Java-based web application to manage e-commerce websites
     - Stored XSS has been found and verified in the backend
     - More info here: http://-2260-responsible-disclosure/
     - Let's see how we can exploit them
  15. CWE-79: KonaKart Screen-Cast!
  16. CWE-79: Example 2. WMSmonitor (Credits: antisnatchor)
     - Internal penetration test at INFN (National Institute of Nuclear Physics)
     - Workload Management System monitor (distributes job execution between multiple Computing Elements on a Grid infrastructure)
     - Some serious flaws have been identified:
       - Insecure handling of X.509 client certificates
       - Reflected XSS
       - TRACE method enabled
     - Let's see how we can take full control of the victim's browser
  17. CWE-79: WMSmonitor Screen-Cast!
  18. CWE-79: Links
     - Wade Alcorn's works:
       - BeEF: http://
       - Inter-Protocol Exploitation: http://
       - The Advanced Cross-Site Scripting Virus: http://
     - RSnake's works:
       - XSS cheat sheet: http://
       - XSS worm contest: http://-xss-worm-contest-drama-and-status-update/
     - AntiSnatchOr's research:
       - Advisories on SecurityFocus: http://-on-bugtraq/
  19. CWE-79: Links
     - Good books:
       - http://-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
       - http://-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_4?ie=UTF8&s=books&qid=1260281547&sr=8-4
       - http://-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
  20. Appendix: do you think HTTPS is secure?
     - SSL/TLS are cryptographically secure (RSA/DSA/symmetric encryption)
     - But they have well-known limitations and security flaws
     - They all suffer from MITM attacks and network protocol manipulation
     - Some aspects, such as OCSP, and some implementations (OpenSSL, Mozilla NSS) are flawed
  21. Appendix: HTTPS insecurity
     - Latest research by Moxie Marlinspike
     - sslstrip: it transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links
     - We can use it with the old certificate injection method: ARP spoofing + traffic redirection + sniffing
     - Eventually altering BGP routing tables on routers, for remote sniffing
  22. Appendix: HTTPS insecurity
     - Old exploit method (still useful): MITM and fake certificate injection
       - ARP spoofing
       - IP forwarding
       - Sniffing
       - webmitm
     - Cons: the victim will see that the certificate is not valid (BTW, almost all of you don't pay attention to Firefox's alerts about certificate problems)
     - Press OK… That's FINE
  23. Appendix: HTTPS insecurity. Screen-Cast! Fake certificate injection
  24. Appendix: Links
     - Vimeo screencasts:
       - http://
       - http://ftware/sslstrip/video/
     - Papers:
       - OCSP: http://-attack.pdf
       - Null-byte: http://-prefix-attacks.pdf
       - Fake-cert: http://-ssl-tls-connections-through-fake-certificate-injection/
  25. Thanks for your attention! Questions?