SlideShare a Scribd company logo

Chapter 5: Attack Execution - The Client

Download as PPTX, PDF
D
Dr.Sami Khiami

slides for the book web application security the fast guide chapter5 Attack Execution - The Client- authored by dr. sami khiami - skcomputerco

Education
1 of 22
Attack Execution the client Web Application Security Fast Guide (book slides) By Dr.Sami Khiami Chapter 5
Why Attack the client? 2017-05-10 Web Application Security Fast Guide (book slides) Slide 2By Dr.Sami Khiami
Two types of attacks 2017-05-10 Web Application Security Fast Guide (book slides) Slide 3By Dr.Sami Khiami Exploit AttacksTrickery Attacks
Altering cookies 2017-05-10 Web Application Security Fast Guide (book slides) Slide 4By Dr.Sami Khiami Send a request to sever Send a response with legitimate cookieIntercept request with Burp Alter and retransmit Write altered cookie on the client Send Altered cookie with privileged value to sever Send a privileged response Attack requirement: A. Existence of a cookie used to store state information B. The used cookie is used directly without being checked by the server. Attack process A. Using a proxy capture the request or the response writing the cookie. B. Alter the cookie value after intercepting request or response. C. Release the altered request or response.
Flash Cookies 2017-05-10 Web Application Security Fast Guide (book slides) Slide 5By Dr.Sami Khiami Attack requirement: A- Being able to access the LSO file B- No validation for data retrieved from the LSO files stored on the client. Attack process A- Access the LSO file. B-Use the LSO editor to change an invalidated value that might give higher privileges Send a request to sever to get App.swf Respond sending App.swf Attacker alters .lso file written by App.swf since he has access to the machine Send request by App.swf with altered parameters App.swf write on client machine .lso ServerClient 2 1 3 4 5
intercepting messages from Flash, Java applet and Silverlight 2017-05-10 Web Application Security Fast Guide (book slides) Slide 6By Dr.Sami Khiami Attack requirement 1. Extension interacts with server through Http 2. No special encryption is used to preserve messages confidentiality. Attack process 1. Capture the request initiated by the page using a proxy like Burp. 2. Depending on the type of extension use the right deciphering method to unpack the message sent. Flash or java applet Sends a request to sever Extract and Decipher message Alter and retransmit message Send a privileged responsecapture and Decipher message
Decompile Flash, Java applet and Silverlight 2017-05-10 Web Application Security Fast Guide (book slides) Slide 7By Dr.Sami Khiami Attack requirement 1. Targeted functionality fully executed on the client side. 2. Low complexity of application bytecode. Attack process 1. use Flare, JAD or Telerik decompiler depending on the type of component. The result will be ActionScript source for Flare or Java for JAD. 2. review the source to identify any attack points that will enable you to reengineer the Flash object and bypass any controls implemented within it. 3. modify the decompiled source to change the behavior of the applet, recompile it to bytecode, and modify the source code of the HTML page to load the modified applet in place of the original. Send request to retrieve Flash component or java applet Retrieve flash component or applet Decompile bytecode and analyze result Recompile a privileged version Send a privileged request to get privileged response
Decompile Flash, Java applet and Silverlight 2017-05-10 Web Application Security Fast Guide (book slides) Slide 8By Dr.Sami Khiami Attack requirement: 1. For successful attack 2. victim should be logged to the sensitive website. 3. The victim should access a page on the attacker site Attack process 1. The attacker creates a transparent Iframe on his page and load the page the user logged on with sensitive action. 2. The attacker is hiding the iframe using JavaScript and CSS 3. The victim cannot see the overlaying page and try to interact with the visible page. 4. The attacker has the buttons and clicks designed to be clicked in a sequence that helps the attacker to execute the malicious action on the hidden page.
Decompile Flash, Java applet and Silverlight 2017-05-10 Web Application Security Fast Guide (book slides) Slide 9By Dr.Sami Khiami Attack requirement: Store data are not encrypted Attacker has access to client machine. Attack process Direct access to SQLlight data file using SQLlight DB browser Exploit the discovered data or use as base to initiate another attack.
ActiveX Attacks 2017-05-10 Web Application Security Fast Guide (book slides) Slide 10By Dr.Sami Khiami Attack requirement: ActiveX or browser extension has a high privilege. ActiveX is vulnerable or built as malicious component with attack purpose. Attack process victim access a site with vulnerable or malicious Activex or install a vulnerable or malicious browser extension. Victim accept to run Activex or browser extension. The component is available to provide a back door or to send information to attacker. ActiveX Vulnerability Impact DHTML Editing LoadURL method can violate same origin policy Read and write data Microsoft DDS Library Shape Control Heap memory corruption Arbitrary code execution as caller JView Profiler Heap memory corruption Arbitrary code execution as caller ADODB.Stream None—used to write data after exploiting LMZ Files with arbitrary content placed in known locations Shell Application Use CLSID to disguise malicious file being loaded Files with arbitrary content placed in known locations Shell.Explorer Rich folder view drag-n-drop timing attack Files with arbitrary content placed in known locations HTML Help Stack-based buffer overflow from overlong “Contents file” field in .hhp file Arbitrary code execution as caller WebBrowser Potentially all exploits that affect IE Arbitrary code execution as caller XMLHTTP Old: LMZ access New: none, used to read/ download files from/to LMZ Read/write arbitrary content from/to known locations
ActiveX Attacks 2017-05-10 Web Application Security Fast Guide (book slides) Slide 11By Dr.Sami Khiami Attack requirement A flash file (.swf) on the site. No validation for the url passed to the .swf file. Attack process Use JavaScript directly in the url Http:Host.com/pathToSwf/app.swf? url=javascript: any code
MAX Length Attacks 2017-05-10 Web Application Security Fast Guide (book slides) Slide 12By Dr.Sami Khiami Attack requirement: No server side check on the input length. Attack process Using a proxy capture the response containing the page with the form. Alter the value of max length directly as required Submit the form. User Name User Name <input type="text" name="usrname" maxlength="10">
View State Attack 2017-05-10 Web Application Security Fast Guide (book slides) Slide 13By Dr.Sami Khiami Attack requirement: 1. Ability to decrypt the Base64 encoded string in ViewState hidden value. 2. MAC is disabled which represent a tampering protection method that adds a hash with key to view state value. Attack process 1. Using a proxy capture a request containing view state value. 2. Use decoder to decode the value normally coded as Base64 value (Burp decoder can be used for that purpose) this will show the hidden parameter. 3. Alter the parameter and recode the ViewState value. 4. Release the request to be served by the server. Send ViewState info Intercept request with Burp resend Altered request with privileged value to sever Send a privileged response Decode and extract the value Alter the value and recode it
Time To Create to Time to Use 2017-05-10 Web Application Security Fast Guide (book slides) Slide 14By Dr.Sami Khiami Attack requirement: 1. The application gives the ability for user to extend or preserve session for long in a high changing environment. Attack process: 1. Normally login before the denial period and extends the session time out using the given option. 2. After the denial period the user is still able to execute most of the denied activities. Create legitimate session Time Invalidate credentials without invalidating the session Use the application with privileged role Session Validity
Phishing 2017-05-10 Web Application Security Fast Guide (book slides) Slide 15By Dr.Sami Khiami Attack requirement: 1. victim convinced that the message is sent by legitimate party 2. the victim clicks on the fake link to access the phished site that collect sensitive data. Attack process 1. use a compromised machine or a shared one to escape tracking. 2. Use the compromised machine to send email that lead to the phished version of the site 3. Victims will visit phished site and provide sensitive information. 4. Information are directly used to benefit before the scam get disclosed. BRAND
Altering Hidden Fields 2017-05-10 Web Application Security Fast Guide (book slides) Slide 16By Dr.Sami Khiami Attack requirement: 1. One or more parameter is passed as hidden field 2. The server is not checking those parameters before usage Attack process 1. Using a proxy capture the request. 2. Alter the hidden field as required 3. Release the altered request
Hashed Hidden Fields 2017-05-10 Web Application Security Fast Guide (book slides) Slide 17By Dr.Sami Khiami Attack requirement: 1. One or more parameter is passed as hidden field 2. The server is not checking those parameters before usage Attack process 1. Using a proxy capture the request. 2. Alter the hidden field as required 3. Release the altered request 67fdg43098743mazxcd445 Encrypted hidden field Containing account number 67fdg43098743mazxcd445 Copied from another account 67fdg43098743mazxcd445 Regenerate another based on algorithm discloser OR
Hashed Hidden Fields 2017-05-10 Web Application Security Fast Guide (book slides) Slide 18By Dr.Sami Khiami Attack requirement: 1. Application developer falsely depends on the Referer Header to check the page from which the request id originated. Attack process 1. Using a proxy capture a request heading to restricted page. 2. Alter the Referer Header to match a page with the same or higher authority level 3. Release the altered request. Attacker page Send Request to a privileged page faking Referer Header Send privileged response because application considered it is a local request from trusted page Application Server
Forge Referer Header 2017-05-10 Web Application Security Fast Guide (book slides) Slide 19By Dr.Sami Khiami Attack requirement: 1. Application developer falsely depends on the Referer Header to check the page from which the request id originated. Attack process 1. Using a proxy capture a request heading to restricted page. 2. Alter the Referer Header to match a page with the same or higher authority level 3. Release the altered request. Attacker page Send Request to a privileged page faking Referer Header Send privileged response because application considered it is a local request from trusted page Application Server
Direct Change to URL parameters 2017-05-10 Web Application Security Fast Guide (book slides) Slide 20By Dr.Sami Khiami Attack requirement: 1. Information are passed through parameters embedded in the URL . 2. Wrong inputs are not well validated Attack process 1. This attack considered one of the easiest attacks, it can be mainly done without the need of any tool but in the worst scenario all what is needed is: 2. Using a proxy capture the request. 3. Alter the parameters as requested directly from URL. 4. Release the altered request.
Only Client side validation 2017-05-10 Web Application Security Fast Guide (book slides) Slide 21By Dr.Sami Khiami Attack requirement 1. No server side form validation. Attack process 1. Using a proxy capture the response containing the page with the form. 2. Alter the values to required values to execute any attack like SQL injection. 3. Alter the JavaScript validation by disable or by simply returning valid whatever value is entered. 4. Release the altered response and submit the form. Web Form No Server Validation Intercept request with Proxy like Burp Client Only Validation Send legitimate Request with valid values Manipulate Values and add malicious Contents (SQL inj.) Retransmit with malicious contents Send privileged response to client (and/or ) execute a malicious code
2017-05-10 Web Application Security Fast Guide (book slides) Slide 22By Dr.Sami Khiami End Of Chapter5

Recommended

Chapter 2: Web application technologies
Chapter 2: Web application technologiesChapter 2: Web application technologies
Chapter 2: Web application technologies
Dr.Sami Khiami
 
Chapter 6 : Attack Execution (2)
Chapter 6 : Attack Execution (2)Chapter 6 : Attack Execution (2)
Chapter 6 : Attack Execution (2)
Dr.Sami Khiami
 
Chapter4:Be The Attacker
Chapter4:Be The Attacker Chapter4:Be The Attacker
Chapter4:Be The Attacker
Dr.Sami Khiami
 
Chapter1:information security overview
Chapter1:information security overview Chapter1:information security overview
Chapter1:information security overview
Dr.Sami Khiami
 
Chapter 3: Vulnerabilities and threat models
Chapter 3: Vulnerabilities and threat modelsChapter 3: Vulnerabilities and threat models
Chapter 3: Vulnerabilities and threat models
Dr.Sami Khiami
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
InnoTech
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 

Recommended

Chapter 2: Web application technologies
Chapter 2: Web application technologiesChapter 2: Web application technologies
Chapter 2: Web application technologies
Dr.Sami Khiami
 
Chapter 6 : Attack Execution (2)
Chapter 6 : Attack Execution (2)Chapter 6 : Attack Execution (2)
Chapter 6 : Attack Execution (2)
Dr.Sami Khiami
 
Chapter4:Be The Attacker
Chapter4:Be The Attacker Chapter4:Be The Attacker
Chapter4:Be The Attacker
Dr.Sami Khiami
 
Chapter1:information security overview
Chapter1:information security overview Chapter1:information security overview
Chapter1:information security overview
Dr.Sami Khiami
 
Chapter 3: Vulnerabilities and threat models
Chapter 3: Vulnerabilities and threat modelsChapter 3: Vulnerabilities and threat models
Chapter 3: Vulnerabilities and threat models
Dr.Sami Khiami
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
InnoTech
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security Introduction
Mindfire Solutions
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure code
Miva
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
amiable_indian
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
Diana Pinchuk
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
42Crunch
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
Lior Rotkovitch
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
Spring Security
Spring SecuritySpring Security
Spring Security
Boy Tech
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Spring security
Spring securitySpring security
Spring security
Saurabh Sharma
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding Practices
Infosys Finacle
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior Rotkovitch
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
Aung Thu Rha Hein
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Top security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themTop security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid them
Elad Elrom
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
Aman Srivastava
 

More Related Content

What's hot

Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
Diana Pinchuk
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
Aung Thu Rha Hein
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 

What's hot (20)

OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security Introduction
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure code
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Spring security
Spring securitySpring security
Spring security
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding Practices
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 

Similar to Chapter 5: Attack Execution - The Client

Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Colin English
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 

Similar to Chapter 5: Attack Execution - The Client (20)

Top security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themTop security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid them
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain Policy
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Web Application Scanning 101
Web Application Scanning 101Web Application Scanning 101
Web Application Scanning 101
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS Application
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Silverlight2 Security
Silverlight2 SecuritySilverlight2 Security
Silverlight2 Security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site Attacks
 
Security Function
Security FunctionSecurity Function
Security Function
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Attack with-html5
Attack with-html5Attack with-html5
Attack with-html5
 

Recently uploaded

Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Recently uploaded (20)

On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 

Chapter 5: Attack Execution - The Client

  • 1. Attack Execution the client Web Application Security Fast Guide (book slides) By Dr.Sami Khiami Chapter 5
  • 2. Why Attack the client? 2017-05-10 Web Application Security Fast Guide (book slides) Slide 2By Dr.Sami Khiami
  • 3. Two types of attacks 2017-05-10 Web Application Security Fast Guide (book slides) Slide 3By Dr.Sami Khiami Exploit AttacksTrickery Attacks
  • 4. Altering cookies 2017-05-10 Web Application Security Fast Guide (book slides) Slide 4By Dr.Sami Khiami Send a request to sever Send a response with legitimate cookieIntercept request with Burp Alter and retransmit Write altered cookie on the client Send Altered cookie with privileged value to sever Send a privileged response Attack requirement: A. Existence of a cookie used to store state information B. The used cookie is used directly without being checked by the server. Attack process A. Using a proxy capture the request or the response writing the cookie. B. Alter the cookie value after intercepting request or response. C. Release the altered request or response.
  • 5. Flash Cookies 2017-05-10 Web Application Security Fast Guide (book slides) Slide 5By Dr.Sami Khiami Attack requirement: A- Being able to access the LSO file B- No validation for data retrieved from the LSO files stored on the client. Attack process A- Access the LSO file. B-Use the LSO editor to change an invalidated value that might give higher privileges Send a request to sever to get App.swf Respond sending App.swf Attacker alters .lso file written by App.swf since he has access to the machine Send request by App.swf with altered parameters App.swf write on client machine .lso ServerClient 2 1 3 4 5
  • 6. intercepting messages from Flash, Java applet and Silverlight 2017-05-10 Web Application Security Fast Guide (book slides) Slide 6By Dr.Sami Khiami Attack requirement 1. Extension interacts with server through Http 2. No special encryption is used to preserve messages confidentiality. Attack process 1. Capture the request initiated by the page using a proxy like Burp. 2. Depending on the type of extension use the right deciphering method to unpack the message sent. Flash or java applet Sends a request to sever Extract and Decipher message Alter and retransmit message Send a privileged responsecapture and Decipher message
  • 7. Decompile Flash, Java applet and Silverlight 2017-05-10 Web Application Security Fast Guide (book slides) Slide 7By Dr.Sami Khiami Attack requirement 1. Targeted functionality fully executed on the client side. 2. Low complexity of application bytecode. Attack process 1. use Flare, JAD or Telerik decompiler depending on the type of component. The result will be ActionScript source for Flare or Java for JAD. 2. review the source to identify any attack points that will enable you to reengineer the Flash object and bypass any controls implemented within it. 3. modify the decompiled source to change the behavior of the applet, recompile it to bytecode, and modify the source code of the HTML page to load the modified applet in place of the original. Send request to retrieve Flash component or java applet Retrieve flash component or applet Decompile bytecode and analyze result Recompile a privileged version Send a privileged request to get privileged response
  • 8. Decompile Flash, Java applet and Silverlight 2017-05-10 Web Application Security Fast Guide (book slides) Slide 8By Dr.Sami Khiami Attack requirement: 1. For successful attack 2. victim should be logged to the sensitive website. 3. The victim should access a page on the attacker site Attack process 1. The attacker creates a transparent Iframe on his page and load the page the user logged on with sensitive action. 2. The attacker is hiding the iframe using JavaScript and CSS 3. The victim cannot see the overlaying page and try to interact with the visible page. 4. The attacker has the buttons and clicks designed to be clicked in a sequence that helps the attacker to execute the malicious action on the hidden page.
  • 9. Decompile Flash, Java applet and Silverlight 2017-05-10 Web Application Security Fast Guide (book slides) Slide 9By Dr.Sami Khiami Attack requirement: Store data are not encrypted Attacker has access to client machine. Attack process Direct access to SQLlight data file using SQLlight DB browser Exploit the discovered data or use as base to initiate another attack.
  • 10. ActiveX Attacks 2017-05-10 Web Application Security Fast Guide (book slides) Slide 10By Dr.Sami Khiami Attack requirement: ActiveX or browser extension has a high privilege. ActiveX is vulnerable or built as malicious component with attack purpose. Attack process victim access a site with vulnerable or malicious Activex or install a vulnerable or malicious browser extension. Victim accept to run Activex or browser extension. The component is available to provide a back door or to send information to attacker. ActiveX Vulnerability Impact DHTML Editing LoadURL method can violate same origin policy Read and write data Microsoft DDS Library Shape Control Heap memory corruption Arbitrary code execution as caller JView Profiler Heap memory corruption Arbitrary code execution as caller ADODB.Stream None—used to write data after exploiting LMZ Files with arbitrary content placed in known locations Shell Application Use CLSID to disguise malicious file being loaded Files with arbitrary content placed in known locations Shell.Explorer Rich folder view drag-n-drop timing attack Files with arbitrary content placed in known locations HTML Help Stack-based buffer overflow from overlong “Contents file” field in .hhp file Arbitrary code execution as caller WebBrowser Potentially all exploits that affect IE Arbitrary code execution as caller XMLHTTP Old: LMZ access New: none, used to read/ download files from/to LMZ Read/write arbitrary content from/to known locations
  • 11. ActiveX Attacks 2017-05-10 Web Application Security Fast Guide (book slides) Slide 11By Dr.Sami Khiami Attack requirement A flash file (.swf) on the site. No validation for the url passed to the .swf file. Attack process Use JavaScript directly in the url Http:Host.com/pathToSwf/app.swf? url=javascript: any code
  • 12. MAX Length Attacks 2017-05-10 Web Application Security Fast Guide (book slides) Slide 12By Dr.Sami Khiami Attack requirement: No server side check on the input length. Attack process Using a proxy capture the response containing the page with the form. Alter the value of max length directly as required Submit the form. User Name User Name <input type="text" name="usrname" maxlength="10">
  • 13. View State Attack 2017-05-10 Web Application Security Fast Guide (book slides) Slide 13By Dr.Sami Khiami Attack requirement: 1. Ability to decrypt the Base64 encoded string in ViewState hidden value. 2. MAC is disabled which represent a tampering protection method that adds a hash with key to view state value. Attack process 1. Using a proxy capture a request containing view state value. 2. Use decoder to decode the value normally coded as Base64 value (Burp decoder can be used for that purpose) this will show the hidden parameter. 3. Alter the parameter and recode the ViewState value. 4. Release the request to be served by the server. Send ViewState info Intercept request with Burp resend Altered request with privileged value to sever Send a privileged response Decode and extract the value Alter the value and recode it
  • 14. Time To Create to Time to Use 2017-05-10 Web Application Security Fast Guide (book slides) Slide 14By Dr.Sami Khiami Attack requirement: 1. The application gives the ability for user to extend or preserve session for long in a high changing environment. Attack process: 1. Normally login before the denial period and extends the session time out using the given option. 2. After the denial period the user is still able to execute most of the denied activities. Create legitimate session Time Invalidate credentials without invalidating the session Use the application with privileged role Session Validity
  • 15. Phishing 2017-05-10 Web Application Security Fast Guide (book slides) Slide 15By Dr.Sami Khiami Attack requirement: 1. victim convinced that the message is sent by legitimate party 2. the victim clicks on the fake link to access the phished site that collect sensitive data. Attack process 1. use a compromised machine or a shared one to escape tracking. 2. Use the compromised machine to send email that lead to the phished version of the site 3. Victims will visit phished site and provide sensitive information. 4. Information are directly used to benefit before the scam get disclosed. BRAND
  • 16. Altering Hidden Fields 2017-05-10 Web Application Security Fast Guide (book slides) Slide 16By Dr.Sami Khiami Attack requirement: 1. One or more parameter is passed as hidden field 2. The server is not checking those parameters before usage Attack process 1. Using a proxy capture the request. 2. Alter the hidden field as required 3. Release the altered request
  • 17. Hashed Hidden Fields 2017-05-10 Web Application Security Fast Guide (book slides) Slide 17By Dr.Sami Khiami Attack requirement: 1. One or more parameter is passed as hidden field 2. The server is not checking those parameters before usage Attack process 1. Using a proxy capture the request. 2. Alter the hidden field as required 3. Release the altered request 67fdg43098743mazxcd445 Encrypted hidden field Containing account number 67fdg43098743mazxcd445 Copied from another account 67fdg43098743mazxcd445 Regenerate another based on algorithm discloser OR
  • 18. Hashed Hidden Fields 2017-05-10 Web Application Security Fast Guide (book slides) Slide 18By Dr.Sami Khiami Attack requirement: 1. Application developer falsely depends on the Referer Header to check the page from which the request id originated. Attack process 1. Using a proxy capture a request heading to restricted page. 2. Alter the Referer Header to match a page with the same or higher authority level 3. Release the altered request. Attacker page Send Request to a privileged page faking Referer Header Send privileged response because application considered it is a local request from trusted page Application Server
  • 19. Forge Referer Header 2017-05-10 Web Application Security Fast Guide (book slides) Slide 19By Dr.Sami Khiami Attack requirement: 1. Application developer falsely depends on the Referer Header to check the page from which the request id originated. Attack process 1. Using a proxy capture a request heading to restricted page. 2. Alter the Referer Header to match a page with the same or higher authority level 3. Release the altered request. Attacker page Send Request to a privileged page faking Referer Header Send privileged response because application considered it is a local request from trusted page Application Server
  • 20. Direct Change to URL parameters 2017-05-10 Web Application Security Fast Guide (book slides) Slide 20By Dr.Sami Khiami Attack requirement: 1. Information are passed through parameters embedded in the URL . 2. Wrong inputs are not well validated Attack process 1. This attack considered one of the easiest attacks, it can be mainly done without the need of any tool but in the worst scenario all what is needed is: 2. Using a proxy capture the request. 3. Alter the parameters as requested directly from URL. 4. Release the altered request.
  • 21. Only Client side validation 2017-05-10 Web Application Security Fast Guide (book slides) Slide 21By Dr.Sami Khiami Attack requirement 1. No server side form validation. Attack process 1. Using a proxy capture the response containing the page with the form. 2. Alter the values to required values to execute any attack like SQL injection. 3. Alter the JavaScript validation by disable or by simply returning valid whatever value is entered. 4. Release the altered response and submit the form. Web Form No Server Validation Intercept request with Proxy like Burp Client Only Validation Send legitimate Request with valid values Manipulate Values and add malicious Contents (SQL inj.) Retransmit with malicious contents Send privileged response to client (and/or ) execute a malicious code
  • 22. 2017-05-10 Web Application Security Fast Guide (book slides) Slide 22By Dr.Sami Khiami End Of Chapter5