Renaud Bidou & Mohammad Shams - Hijacking web servers & clients
1. Hijacking Web Servers & Clients: New generation threats and mitigation
   Renaud Bidou - CTO
   Mohammad Shams - Director, ME Operations

2. DenyAll & RECRO-NET
   - French WAF vendor, pioneer since 2001
   - Headquarters: Paris
   - More than 200 large clients all over the world
     - 40% of the EuroStoxx 50
     - 35% of the CAC 40
   - Partnerships with major players
     - RECRO-NET (Middle East, Central Europe)
     - HP (Iberia, South America)
     - British Telecom, Orange Business Services (Western Europe, North America, APAC)
   - Recently listed as a prime European WAF player by Forrester: "Web Application Firewall: 2010 And Beyond", Chenxi Wang, February 2010

3. DenyAll in France

4. DenyAll WorldWide
   Customer references shown on the map: DIRF, SOCIETE GENERALE, EGE, CNSS, ANSI, ZITOUNA BANK, MINISTERE INTERIEUR, SH&Co, BNPP, ACCOR, AREVA, BNP PARIBAS INSURANCE, IP LIMITED, SOCIETE GENERALE LUX, EBRC, CACEIS, DANSKE BANK, KOPENHAGEN-FUR, AKTIA BANK, SENTOR, SVERIGE, TOYOTA BANK, SITEL FRIBOURG, BNP PARIBAS CH, TOTAL SA, SOCIETE GENERALE PB, STIHL, IWB, GROUPAMA, TDN, BT, IB SALUT, SATEC CANTABRIA, JUNTA DE EXTREMADURA, ARAG-IT, BASF-IT, ARAGO, UNIONINVEST, BROSE, BSH, ENDRESS-HAUSER, NETCONSULT, HELMICH, STADTWERKE, INVIK-BANK, JULIUS-BAR-BANK, MARKANT, BIT, TECHEM, THURINGER, ATOS WORLDLINE, BNP PARIBAS UK, ARVAL UK, LA POSTE, DZ BANK, PETERCAM, INPS, etc.

5. Threats Overview

6. Why Application Security?
   - 75% of all attacks are directed at the web application layer
   - 2/3 of all web applications are vulnerable
   - In the first half of 2010, web application vulnerabilities reached 50 per cent of all code flaws reported
   - Most web site owners fail to scan effectively for the common flaws
   - Application patching is much slower than operating system patching

7. Web Attacks Targets & Impacts
   Targets: Client, Web Server, Database Server, Application Servers / Web Services
   Impacts: Information Leak, Credentials Theft, Identity Theft, Authorization Abuses, Transaction Compromise, Defacement, Malware Planting, Session Hijacking, Denial of Service, Bounce, Password Guess, Remote Control, Data Theft, Data Corruption, Data Deletion, Persistent Injections, Processes Corruption, Data Interception

8. Hijacking Servers & Clients
   Same targets and impacts diagram as slide 7, under the title "Hijacking Servers & Clients".

9. Threats: Keyloggers

10. What is a keylogger
   - A program reporting every keystroke
     - Can be stored in a file
     - Can be sent over the network
   - Recent keyloggers add many more features
     - Window names and field values
     - Mouse activity reports
     - Screenshots and "video"-like records
   - Operating from the compromised computer
     - Encryption is ineffective
     - No detection possible from the server side
     - Applications can be seamlessly compromised

11. Example: A simple keylogger
   - Really simple
     - ~100 lines (including comments)
     - Based on common Windows techniques
       - SetWindowsHookEx(WH_KEYBOARD_LL, ...)
     - Public
       - Code at: http://batcheur.tuxfamily.org/?p=16
   - Really efficient
     - Runs fine on Windows 7 (with UAC)
     - Undetected by anti-viruses

12. Example: A simple keylogger (demo)

13. Threats: Browsers Compromise

14. Code Injection
   - Makes a process execute arbitrary code
     - This process may be your browser
   - Most common techniques
     - SetWindowsHookEx
       - Seen before, undetected
     - CreateRemoteThreadEx & (LoadLibrary | WriteProcessMemory)
       - The most basic; detected and blocked
     - SetThreadContext
       - Relies on the DebugActiveProcess API
       - Undetected, requires debug rights
   - Widely documented... and used.

15. Browser Internals
   Component stack (top to bottom): IEXPLORE.EXE (Tab 1 ... Tab n), BROWSEUI.DLL, SHDOCVW.DLL, MSHTML.DLL, URLMON.DLL, WININET.DLL, USER32.DLL, KERNEL32.DLL, NTDLL.DLL
   Roles labelled on the diagram: IE user interface (bars, menus etc.); Browser Control (navigation, history; exposes ActiveX interface); Rendering; MIME handling, code download, security; IP handler (HTTP & FTP); Windows UI (handles components); Base API (calls the NTDLL API); Native API (OS user-mode components)
   - ~200,000 function calls at IE launch
   - You cannot monitor everything

16. Browser Attack Surface
   Same stack: IEXPLORE.EXE (Tab 1 ... Tab n), BROWSEUI.DLL, SHDOCVW.DLL, MSHTML.DLL, URLMON.DLL, WININET.DLL
   Injected code can: control navigation, control display, alter the security policy, communicate...

17. An example
   - Legitimate action
     - Bank client JV (account 5204320422040001)
     - Transfers 100 $ to bank client JM (5204320422040003)
   - Malware injected into the browser
     - Modifies content
     - Funds transferred to bank user JC (5204320422040005)

18. Example: A simple keylogger (demo)

19. Threats: Servers Compromise

20. What is Cross-Site Scripting
   - Client-side executed code injection
     - A variant of HTML injection
     - Based on Javascript code execution
   - Two possible vectors
     - Volatile XSS: generated through a malicious link
     - Persistent XSS: malicious code is stored on the server
   - Oldie but goodie
     - In the wild for more than 10 years
     - Improved together with browser & Javascript capabilities

21. Impacts of XSS
   - Full control of the compromised browser through Javascript
     - Cookie theft
     - Information gathering regarding the client browser
     - Redirection to an alternate/competing/malicious site
     - Portscan from the client
     - Proxy on the client's network
     - Flashmob DDoS
   - Exploitation of Javascript capabilities
     - Propagation thanks to Javascript web transaction capabilities
     - Dynamic/polymorphic code generation

22. Dangers of XSS
   - Hard to detect
     - Volatile XSS can only be detected through log file analysis
     - Persistent XSS tracking is getting more complicated with polymorphic code
     - Numerous advanced Javascript obfuscation techniques
   - More and more powerful
     - Complete control of remote browsers
     - Networking operations (see CSRF)
     - Next generation of botnets
     - Considered the buffer overflow of the beginning of the 21st century
   - Unrecognized
     - Most people think XSS is limited to cookie theft
     - Bang. You're dead.
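Slide 22 states that volatile (reflected) XSS leaves its trace only in the server's log files. The following is an added example, not part of the deck or of any DenyAll product, showing what that log file analysis looks like in practice: parse access log lines in combined log format, percent-decode the request target (repeatedly, so double-encoded payloads are uncovered), and flag query strings carrying markup that has no business there. The log lines and the short signature list are constructed for illustration; a production ruleset would be far longer, and POST bodies are not in access logs at all, which is why the slide limits the claim to volatile XSS.

```python
"""Spotting reflected ("volatile") XSS attempts in web server access logs.

Added example; the sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:12:01:03 +0100] "GET /search?q=laptop HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2010:12:01:09 +0100] "GET /search?q=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 5188 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2010:12:01:11 +0100] "GET /profile?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 902 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2010:12:02:00 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup fragments that should never appear in a query string.
# Assumption: this short list is illustrative, not a complete XSS signature set.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|on(?:error|load|mouseover)\s*=|<\s*iframe",
    re.IGNORECASE,
)


def normalise(target: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are seen."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_xss_attempts(log_text: str) -> list:
    """Return (client_ip, timestamp, decoded_target) for every line whose
    query string contains a suspicious fragment after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = normalise(m.group("target"))
        # Only the query string is user-supplied in these requests;
        # a request without one carries nothing to reflect.
        if "?" not in target:
            continue
        query = target.split("?", 1)[1]
        if SUSPICIOUS.search(query):
            hits.append((m.group("ip"), m.group("ts"), target))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_xss_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} -> {target}")
```

Decoding before matching is the important step: the third sample line is double-encoded and would slip past a scan of the raw log text. Conversely, a hit in the log only shows that a payload was sent; whether the page actually reflected it unescaped has to be confirmed against the application.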
23. 101 XSS exploitation
   - Usual PoC
     - Inject <script>alert('XSS')</script>
     - Volatile and harmless XSS
     - Used in most pentests
     - Generates a popup in the "compromised" browser
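The PoC on slide 23 works only because the vulnerable page copies the parameter from the malicious link straight into its HTML. The following is an added example (not code from the deck) that puts the defect next to its fix: a page builder that reflects the search term verbatim, and the same page with the value HTML-escaped at output time. The URL, the parameter name `q` and the page layout are constructed for the illustration. The escaping fix is the same for persistent XSS: what matters is encoding untrusted data when it is written into the page, regardless of whether it arrived in the link or from the database.

```python
"""Reflected ("volatile") XSS: the vulnerable page builder beside its hardened form.

Added example; the link, parameter name and page markup are constructed.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed: the link a victim follows, carrying the slide's PoC payload
# percent-encoded in the 'q' parameter.
MALICIOUS_LINK = "http://goat.example/search?q=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E"


def search_term(url: str) -> str:
    """Extract the user-controlled 'q' parameter, percent-decoded, as the server would."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects the parameter into the HTML verbatim: the browser parses the
    payload as a real <script> element."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Same page, but the untrusted value is HTML-escaped before insertion.
    quote=True also encodes quotes, so the value is inert inside attributes too."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """Rough check used here only to show whether the payload survived as markup."""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_term(MALICIOUS_LINK)
    print("vulnerable:", render_vulnerable(term))
    print("hardened:  ", render_hardened(term))
```

Output encoding is context-specific: `html.escape` is correct for text and quoted attribute values, while data written into a script block, a URL or a CSS context needs the encoder for that context. A WAF in front of the application, the subject of this deck, adds a detection layer, but it does not replace the encoding in the page itself.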
24. Real XSS Exploitation Method
   - Up to 4 players game
     - The Hacker: the very bad guy
     - The Goat: the XSS-vulnerable website
     - The Victim: an innocent user whose browser will be compromised
     - The Relay: a compromised or malicious website (optional)
   - 3 players game rules
     - The Hacker finds an XSS vulnerability on The Goat and exploits it
       - Designs a script which will be executed on The Victim
     - The Victim goes to the compromised page on The Goat
       - Via a malicious link (volatile)
       - Directly on the page (persistent)
     - The script is executed by The Victim
       - The script may force a connection to The Relay to send back information

25. 4 players game schema
   1. Hacker compromises Relay
   2. Hacker exploits XSS vulnerability
   3. Victim goes to compromised page
   4. Malicious Javascript is loaded on Victim
   5. Victim executes Javascript
   6. Victim sends information to Relay
   7. Information sent back to Hacker
   8. Relay sends new commands to Victim

26. PoC: The XSS Popup
   - Command sent to the client:
     - alert("Gotcha")

27. Portscan
   - A Javascript portscanner is loaded in an invisible iFrame
   - Victim performs the scan
   - Results are sent through a request
     - Made in the invisible iFrame
     - Collected on the malicious server
   - Victim sees nothing
   - Portscan victim doesn't have any clue regarding the real attacker

28. Redirection
   - The victim is silently redirected to another web page
   - Could be a similar page
     - Used to steal authentication credentials
   - Could be a competitive
     - Made in the invisible iFrame
     - Collected on the malicious server
   - Victim sees nothing
   - Portscan victim doesn't have any clue regarding the real attacker

29. Thank you for your valuable time. Q&A

30. RECRO-NET (Distributor for Middle East & SE Europe)
   2702A Business Central Towers, Dubai Internet City, PO Box 503012, Dubai, United Arab Emirates
   Tel: 04-3754306
   E-mail: middle-east@recro-net.com
   www.recro-net.com