Web Application Hacking

Presentation by Haroon Meer at ReCon in 2005.

This presentation is about web application security. Various web application attacks such as XSS, SQL injection and directory traversal are discussed, along with the Wikto and Crowbar tools developed by SensePost.

    Presentation Transcript

    • Hacking Web Applications
      • Why it's still a walk in the park!
    • Agenda
      • about SensePost
      • why do we care about web-apps ?
      • so what exactly is….
      • testing && test automation
      • it's all fixed with Web-Services… (or not..)
      • the road ahead ?
      • questions ?
    • about us
      • about SensePost
        • small independent Info. Sec company
        • > 50% of our business international
        • Fairly well published
          • Security Focus
          • BlackHat
          • RSA
          • Books (Special Ops, Nessus, STC, ANS..)
      • about me
        • joined SensePost in 2001
        • have not slept since…
        • across the board fiddler & coffee drinker
    • Why do we care about web apps?
      • “ Cool shellcode gets you the chicks”
      • but we like web apps because…
      • ubiquity
      • if the company you are targeting is big enough, they have (at least one)
      • they are everywhere because:
        • So easy to do
        • So easy to do (badly/wrong/insecurely)
      • exposed by their nature
      • rapid deployment
      • complex business logic → point n click
      • actually tricksy to do it right…
    • So what exactly is a.... ?
      • Directory Traversal Attacks:
      • As simple as it gets..
        • open(fHandle, "$user_input")
        • open(fHandle, "results.txt")
        • open(fHandle, "../../../../../../../../../etc/passwd") ?
      • Who would be so stupid ? *cough*
      • Root cause: sanitization problem
        • $user_input (shoulda been 8.3 filename)
        • white-listing vs. blacklisting
      • http://victim2k/showcode.asp
    • So what exactly is a.... ?
      • Canonicalization
      • Clearly a big word!
      • simply? simplification..
        • deny access to c:\stuff\secret
        • permit access to c:\stuff\public
        • ???? access to c:\stuff\public\..\secret
      • http://victim2k/showcode.asp
      • Do people still make this mistake? *cough*
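The two slides above (directory traversal and canonicalization) share one fix. The following is an added example, not code from the talk or from SensePost: it builds a throw-away `public` directory with a `secret` file beside it (standing in for the `c:\stuff` tree on the slide), then opens a user-supplied name three ways: exactly as given, after an 8.3-style whitelist check, and after canonicalizing the path and confirming it is still inside the public directory. The directory layout, file contents and the regular expression are constructed for the demo.

```python
import os
import re
import tempfile

# Constructed sandbox standing in for the slide's c:\stuff tree: a public
# directory the application may serve from, and a secret file beside it.
BASE = os.path.realpath(tempfile.mkdtemp(prefix="stuff-"))
PUBLIC = os.path.join(BASE, "public")
os.makedirs(PUBLIC)
with open(os.path.join(PUBLIC, "results.txt"), "w") as fh:
    fh.write("public results\n")
with open(os.path.join(BASE, "secret"), "w") as fh:
    fh.write("crown jewels\n")

# Whitelist for the "shoulda been 8.3 filename" case: 1-8 safe chars, a dot, 1-3 safe chars.
EIGHT_DOT_THREE = re.compile(r"^[A-Za-z0-9_]{1,8}\.[A-Za-z0-9]{1,3}$")


def open_unsafe(user_input):
    """The slide's open(fHandle, "$user_input"): the name is used exactly as supplied."""
    with open(os.path.join(PUBLIC, user_input)) as fh:
        return fh.read()


def open_whitelisted(user_input):
    """Whitelisting: accept only names of the expected shape, reject everything else."""
    if not EIGHT_DOT_THREE.match(user_input):
        raise ValueError("rejected by whitelist: %r" % user_input)
    with open(os.path.join(PUBLIC, user_input)) as fh:
        return fh.read()


def open_canonical(user_input):
    """Canonicalization: resolve '..' and symlinks first, then check the result is still under PUBLIC."""
    resolved = os.path.realpath(os.path.join(PUBLIC, user_input))
    if os.path.commonpath([resolved, PUBLIC]) != PUBLIC:
        raise PermissionError("escapes public directory: %r" % user_input)
    with open(resolved) as fh:
        return fh.read()


def demo():
    """Run all three openers against the public/../secret case and a legitimate name."""
    traversal = os.path.join("..", "secret")
    results = {"unsafe": open_unsafe(traversal)}
    for name, opener in (("whitelist", open_whitelisted), ("canonical", open_canonical)):
        try:
            opener(traversal)
            results[name] = "allowed"
        except (ValueError, PermissionError) as exc:
            results[name] = "blocked: %s" % exc
    results["legit"] = open_canonical("results.txt")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value.strip())
```

The whitelist is the stronger of the two checks when the expected input really is an 8.3 file name, because it never lets a path separator through at all; the canonicalization check is what you need when legitimate input may contain subdirectories. Blacklisting `..` alone is what the slide warns against: encoded or alternate separators get past it while `realpath` still resolves them.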
    • So what exactly is.... ?
      • Information Disclosure
      • Is it a big deal?
      • <…>
      • Production code should not fail verbosely..
        • e.printStackTrace();
        • CGI::fatalsToBrowser;
      • {mnemonix + "Web Application Disassembly with ODBC Error Messages"}
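The "production code should not fail verbosely" point, as an added example (not code from the talk): a request handler wrapped two ways. `verbose_handler` does what `e.printStackTrace()` into the response or `CGI::fatalsToBrowser` does, sending the trace to the client; `quiet_handler` logs the same trace server-side under an incident id and returns only that id. The failing backend and its ODBC-style message are constructed for the demo.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")
logging.basicConfig(level=logging.ERROR)


def verbose_handler(fn, *args):
    """The printStackTrace()/fatalsToBrowser behaviour: the stack trace becomes the response body."""
    try:
        return 200, fn(*args)
    except Exception:
        return 500, traceback.format_exc()


def quiet_handler(fn, *args):
    """Fail closed: details go to the server log under an incident id; the client sees the id only."""
    try:
        return 200, fn(*args)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.error("incident %s\n%s", incident, traceback.format_exc())
        return 500, "Something went wrong. Reference: %s" % incident


def lookup_order(order_id):
    """Constructed failing backend: pretends the database layer blew up and leaked its query."""
    raise RuntimeError("ODBC error near 'SELECT * FROM orders WHERE id=%s'" % order_id)


if __name__ == "__main__":
    print(verbose_handler(lookup_order, 42)[1])
    print(quiet_handler(lookup_order, 42)[1])
```

The incident id is what lets support correlate the user's report with the full trace in the log, which is the usual objection to generic error pages; the table and column names, driver strings and file paths that the ODBC-error-message technique mines all stay on the server.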
    • So what exactly is.... ?
      • Command Execution
      • Simplest example: <http://netcheck>
      • Root cause: Still just sanitization
      • pops up in the weirdest places..
      • <.mailto:?.>
      • [hackrack + login page!!!]
      • [lets re-look at that directory traversal problem? :>]
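The "netcheck" example the slide refers to (a form that pings a host the user types in) is the classic shape of command execution through poor sanitization. This is an added example, not code from the talk: the unsafe variant is shown only as the string it would build, the hardened variant whitelists the hostname and passes an argv list so no shell ever parses the input. The regular expression and the hostile input string are constructed for the demo.

```python
import re
import subprocess

# Hostname whitelist (RFC 1123 shape, simplified): labels of letters, digits and hyphens
# joined by dots. Anything a shell would interpret (; | & $ ` space ...) cannot match.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_host(host):
    return bool(HOSTNAME.match(host))


def netcheck_unsafe_command(host):
    """What the naive form handler builds: one shell string with the user's text pasted in,
    typically handed straight to system(). Returned here rather than executed."""
    return "ping -c 1 " + host


def netcheck_argv(host):
    """Hardened handler: validate against the whitelist, then build an argv list.
    With a list and shell=False there is no shell to honour metacharacters."""
    if not is_valid_host(host):
        raise ValueError("not a hostname: %r" % host)
    return ["ping", "-c", "1", host]


def run_netcheck(host, timeout=5):
    """Execute the hardened variant; output is captured, not echoed back raw into the page."""
    result = subprocess.run(netcheck_argv(host), shell=False,
                            capture_output=True, text=True, timeout=timeout)
    return result.returncode == 0


if __name__ == "__main__":
    hostile = "example.com; id"      # constructed input carrying a shell separator
    print(netcheck_unsafe_command(hostile))
    try:
        netcheck_argv(hostile)
    except ValueError as exc:
        print("rejected:", exc)
    print(netcheck_argv("example.com"))
```

Both halves matter: the argv list removes the shell, and the whitelist removes inputs such as a leading `-` that the target program itself would misinterpret as an option.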
    • So what exactly is.... ?
      • Parameter Passing
      • An old favorite..
      • Typical example?
      • <…>
      • Even bigger problem when multiple parties are involved..
      <html>
        <form method="POST" action="http://www.book.com/cgi-bin/buy.cgi">
          <input type="text" name="quantity" size="3">
          <INPUT TYPE="hidden" NAME="TOTAL_PRICE" VALUE="$500">
          <input type="submit" value="Submit" name="submit">
        </form>
      </html>
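The hidden `TOTAL_PRICE` field in the buy.cgi form above is the typical parameter-passing mistake: the browser returns it, so the buyer can edit it. As an added example (not code from the talk), here are three server-side handlers for that POST body: one that believes the hidden field, one that ignores it and prices from the server's own catalog, and one for the case where a value genuinely has to round-trip through the client, protected with an HMAC. The catalog, key and form bodies are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed server-side price list: the only source of truth for prices.
CATALOG = {"book-123": 500}
# Constructed demo key; a real deployment keeps this secret and rotates it.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def parse_form(body):
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def charge_trusting_client(body):
    """The slide's buy.cgi: whatever TOTAL_PRICE came back from the browser is charged."""
    form = parse_form(body)
    return int(form["TOTAL_PRICE"].lstrip("$"))


def charge_server_side(body):
    """Hardened: the hidden field is ignored; price comes from the catalog, quantity is bounded."""
    form = parse_form(body)
    qty = int(form["quantity"])
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return CATALOG[form["item"]] * qty


def sign_value(value):
    """For values that must round-trip (e.g. a quoted price): append an HMAC the client cannot forge."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify_value(signed):
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("tampered hidden field")
    return value


def charge_signed_field(body):
    """Round-trip variant: the hidden UNIT_PRICE is trusted only if its signature verifies."""
    form = parse_form(body)
    unit = int(verify_value(form["UNIT_PRICE"]))
    return unit * int(form["quantity"])


if __name__ == "__main__":
    tampered = urlencode({"item": "book-123", "quantity": "2", "TOTAL_PRICE": "$1"})
    print("trusting:", charge_trusting_client(tampered))
    print("server-side:", charge_server_side(tampered))
    signed = urlencode({"quantity": "2", "UNIT_PRICE": sign_value("500")})
    print("signed:", charge_signed_field(signed))
```

The server-side lookup is the right default. The signed field is for the "multiple parties" case the slide mentions, where a quote produced by one system is presented back by another and the receiving side cannot simply recompute it; the signature should then also bind the item and an expiry, which this demo omits for brevity.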
    • So what exactly is.... ?
      • SQL Injection
      • everybody loves OR 1=1
      • Basic problem *yawn* sanitization
      • SELECT * FROM FOO WHERE NAME='BAR'
      • SELECT * FROM FOO WHERE NAME='BAR' AND blah, blah, blah
      • http://sql
      • It gets worse ?
        • xp_cmdshell..
        • old security architecture books!
        • crown jewels?
      • How far do you want to take it today ?
      • (dns tunnels / sing?)
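The `OR 1=1` case from the SQL injection slide, run end to end as an added example (not code from the talk) against an in-memory SQLite table named `FOO` with a `NAME` column as in the slide's query. The concatenating lookup is the vulnerable version; the parameterized lookup is the fix. The table contents and the hostile input are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed table matching the slide's SELECT * FROM FOO WHERE NAME='BAR'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FOO (NAME TEXT, SECRET TEXT)")
    conn.executemany("INSERT INTO FOO VALUES (?, ?)",
                     [("BAR", "bar-secret"), ("BAZ", "baz-secret"), ("QUX", "qux-secret")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the user's text becomes part of the SQL grammar."""
    sql = "SELECT * FROM FOO WHERE NAME='" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Fixed: the user's text is bound as a value, never parsed as SQL."""
    return conn.execute("SELECT * FROM FOO WHERE NAME=?", (name,)).fetchall()


def demo():
    conn = make_db()
    hostile = "X' OR 1=1 --"   # constructed input; the -- comments out the closing quote
    return {
        "concat_bar": len(lookup_concat(conn, "BAR")),
        "concat_hostile": len(lookup_concat(conn, hostile)),
        "param_bar": len(lookup_param(conn, "BAR")),
        "param_hostile": len(lookup_param(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The "it gets worse" bullets (xp_cmdshell, crown jewels) are about what the database account is allowed to do once injection exists; parameterization removes the injection, and running the application's database user with the minimum rights it needs limits the damage if some other query was missed.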
    • So what exactly is.... ?
      • Cross Site Scripting
      • Isn't that just lame ?
      • Yes:
        • because it requires interaction
        • because it kills the signal to noise ratio on mail lists
      • No:
        • because if your banking app is vuln...
      • Overview: <…>
    • So what exactly is.... ?
      • State-Tracking
      • Always working off the back foot..
      • tokens
      • a whole new can of worms...
      • being tracked consistently across the app?
      • token predictability ? <…>
      • token theft ? <xss gets teeth?>
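The two state-tracking questions on the slide, token predictability and token theft via XSS, as an added example (not code from the talk). It contrasts a constructed sequential token scheme with one drawn from the OS CSPRNG, gives a crude entropy estimate over a sample of each, shows what "predictable" means in practice (the next token follows from the current one), and builds the Set-Cookie value with the flags that keep injected script from reading the token. The weak scheme and the entropy thresholds are constructed for the demo.

```python
import math
import secrets
from collections import Counter

_issued = 0


def predictable_token():
    """Constructed weak scheme: a zero-padded sequence number, as seen in home-grown session handling."""
    global _issued
    _issued += 1
    return "sess%08d" % _issued


def strong_token():
    """Unguessable token: 32 bytes from the OS CSPRNG, URL-safe encoded (about 43 characters)."""
    return secrets.token_urlsafe(32)


def predict_next(token):
    """What holding one weak token buys: the next one. Returns None for tokens that do not
    follow the sequential pattern."""
    if not token.startswith("sess") or not token[4:].isdigit():
        return None
    return "sess%08d" % (int(token[4:]) + 1)


def entropy_bits(sample):
    """Shannon entropy per character over a token sample, scaled to one token's length.
    A crude check: a low number flags a predictable scheme, a high one does not prove a strong one."""
    text = "".join(sample)
    counts = Counter(text)
    per_char = -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())
    return per_char * len(sample[0])


def session_cookie(token, secure=True):
    """Set-Cookie value for the token: HttpOnly keeps script injected via XSS from reading it,
    SameSite limits cross-site sends, Secure keeps it off plaintext HTTP."""
    attrs = ["session=" + token, "Path=/", "HttpOnly", "SameSite=Strict"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def compare_schemes(n=50):
    weak = [predictable_token() for _ in range(n)]
    strong = [strong_token() for _ in range(n)]
    return {"weak_bits": round(entropy_bits(weak), 1),
            "strong_bits": round(entropy_bits(strong), 1)}


if __name__ == "__main__":
    print(compare_schemes())
    t = predictable_token()
    print(t, "->", predict_next(t))
    print(session_cookie(strong_token()))
```

HttpOnly addresses the "xss gets teeth" case only for the cookie itself; a script that runs in the victim's session can still act as the victim, so it shrinks the blast radius rather than removing the XSS problem.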
    • Test Automation
      • Evolution from everyone's Perl scripts to a few:
        • webproxy, Scarab, Paros
      • Still manual, still resource intensive..
      • Attempts at automation..
        • How do they spider without logout ?
        • Delete Customer buttons?
        • Calendar / halting problems ?
        • Authentication vs. Authorization
    • Test Automation
      • Some tools we use (and give away ;>)
      • Wikto:
      • Do we need another cgi scanner ?
      • depends.. is 200 == 404 ?
      • GET /Scripts/showcode.asp
      • wikto sends 2 requests:
        • [a] GET /Scripts/moomoomoo.asp
        • [b] GET /Scripts/showcode.asp
      • compare contents and then report..
      • {now with netsquare integration ;>}
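The "is 200 == 404?" check the slide describes for Wikto, as an added example that is not Wikto's code: request a name that cannot exist in the same directory, request the candidate, and compare the two bodies instead of trusting the status code. Two constructed in-memory servers stand in for the real thing: one that answers every unknown path with a friendly 200 page (the case that fools a naive CGI scanner), one that returns proper 404s. The similarity threshold is an assumption for the demo.

```python
import difflib
import secrets

SAMPLE_PAGE = "<html><body>Sample code viewer: showcode.asp</body></html>"


def soft_404_server(path):
    """Constructed server that answers 200 with a 'not found' page for anything unknown."""
    if path == "/Scripts/showcode.asp":
        return 200, SAMPLE_PAGE
    return 200, "<html><body>Sorry, we could not find %s on this server.</body></html>" % path


def real_404_server(path):
    """Constructed server that behaves properly."""
    if path == "/Scripts/showcode.asp":
        return 200, SAMPLE_PAGE
    return 404, "<html><body>Not Found</body></html>"


def naive_probe(fetch, path):
    """One request, trust the status code: wrong on soft-404 servers."""
    return fetch(path)[0] == 200


def two_request_probe(fetch, path, threshold=0.9):
    """The two-request check: [a] ask for a name that cannot exist in the same directory,
    [b] ask for the candidate, then compare the bodies rather than the status codes."""
    directory = path.rsplit("/", 1)[0]
    bogus = "%s/%s.asp" % (directory, secrets.token_hex(6))
    status_a, body_a = fetch(bogus)
    status_b, body_b = fetch(path)
    if status_b != 200:
        return False
    if status_a != 200:
        return True          # the server gives real 404s, so a 200 is meaningful
    # Strip the echoed path so a templated error page compares equal to itself.
    body_a = body_a.replace(bogus, "")
    body_b = body_b.replace(path, "")
    similarity = difflib.SequenceMatcher(None, body_a, body_b).ratio()
    return similarity < threshold


if __name__ == "__main__":
    for server in (soft_404_server, real_404_server):
        for path in ("/Scripts/showcode.asp", "/Scripts/moomoomoo.asp"):
            print(server.__name__, path,
                  "naive:", naive_probe(server, path),
                  "two-request:", two_request_probe(server, path))
```

The fetch function is injected so the same logic works against an HTTP client; when auditing your own servers this is also the quickest way to confirm whether a custom error page is masking real 404s from your monitoring.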
    • Test Automation
      • Some tools we use (and give away ;>)
      • E-or:
      • Manually mirror, and selectively fuzz
      • sendraw != MSIE
      • snapshots + text compare (broken again :()
      • spend time on the real analysis
      • <..>
      • Crowbar...
      • <..>
      • Todo...
    • Finally…
      • WebServices && The Future
      • Same old, same old?
      • Where are we focusing our efforts? (token bfs?)
      • MS + ASP.Net
      • Education!
      • Still going to be around for a while..
    • Crowbar – BETA!
    • Application level
      • E-Or – the process
      • User walks the target application
      • Proxy writes requests and responses to file
      • User reads file, configures which actions and variables to fuzz
      • User configures state information such as Cookies in HTTP headers
      • Each action and variable is fuzzed using IE as a rendering tool
      • Screenshots of each reply are taken, rendered text is saved from browser
      • User can now watch the responses as a “movie”, pausing anywhere
      • User can replay the request
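The E-Or process listed above, in miniature, as an added example that is not E-Or's or Crowbar's code: a recorded request (what the proxy wrote to file), a user-chosen set of variables to fuzz, one baseline response, then one snapshot per (variable, payload) that is text-compared against the baseline so the analyst only pauses on frames that changed. A constructed target application with two deliberate weaknesses stands in for the real one; screenshots and IE rendering are replaced by the raw response text, and the payload list and threshold are constructed for the demo.

```python
import difflib


def target_app(params):
    """Constructed target standing in for the application the user walked through the proxy:
    'q' is echoed into the page unescaped and a quote in it makes the backend fail verbosely;
    'page' must be numeric."""
    q = params.get("q", "")
    page = params.get("page", "1")
    if "'" in q:
        return "500 Internal error: unterminated string in query near '%s'" % q
    if not page.isdigit():
        return "400 Bad page number"
    return "<h1>Results for %s</h1><p>page %s</p>" % (q, page)


# Steps 2-3: the request the proxy wrote to file, and the variables the user marked for fuzzing.
RECORDED = {"q": "coffee", "page": "1"}
FUZZ_VARS = ["q", "page"]
# Constructed probe values; a real run would use a much longer list.
PAYLOADS = ["'", "<b>x</b>", "A" * 64, "0"]


def fuzz(app, recorded, fuzz_vars, payloads, threshold=0.8):
    """Steps 5-7: replay the recorded request once for a baseline, then once per
    (variable, payload); snapshot each response and text-compare it against the baseline."""
    baseline = app(recorded)
    snapshots = []
    for var in fuzz_vars:
        for payload in payloads:
            request = dict(recorded)
            request[var] = payload
            body = app(request)
            ratio = difflib.SequenceMatcher(None, baseline, body).ratio()
            snapshots.append({
                "var": var,
                "payload": payload,
                "ratio": round(ratio, 2),
                "flag": ratio < threshold,   # worth a human look: pause the "movie" here
                "body": body,
            })
    return snapshots


def flagged(snapshots):
    """The frames the analyst should pause on."""
    return [(s["var"], s["payload"]) for s in snapshots if s["flag"]]


if __name__ == "__main__":
    for s in fuzz(target_app, RECORDED, FUZZ_VARS, PAYLOADS):
        mark = "!!" if s["flag"] else "  "
        print(mark, s["var"], repr(s["payload"])[:12], s["ratio"], s["body"][:50])
```

The similarity ratio is length-sensitive, so a long payload that the application handled correctly still gets flagged; that is why the compare only selects frames for review and the "spend time on the real analysis" step stays with a person.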