Web application security

11/04/15www.ivizindia.com 2
Attacks
Web
Application
Attacks
Web Application
Attacks on
OS/ System
Applications
Network Attacks Network
Operating System
Web Server
Patches
Hardening
Firewall
IDS/IPS

Breaching the perimeter

Threat
 Custom vulnerabilities exist in web
applications

Affects the web applications regardless of the web
server operating system configuration or patches.
 Extremely easy to exploit

Sometimes require nothing more than a web browser

Extremely difficult to monitor – these are “Port 80”
hacks

Considered the easiest form of hacking
 Cannot be effectively defended against
at the perimeter -the code must be
cleaned up.

SQL Injection
 Massively Serious Issue
 Exploits common techniques developers
use to query database.
 Allows attacker to indirectly access the
database by piggybacking their queries
onto the web developer’s queries.

Example

Dumping the database
 Web application working
the way its supposed to

Get ErrorCode from request

Append to query

Run query

Write results
 It has no idea it ran a
different query

The DumbWaiter Effect

Potential Threats
 Data Manipulation

Manipulate the actual data in a table

Select, Insert, Update, Delete rows
 Data Definition

Manipulate the database itself

Add / Drop / Shrink / Grow tables and databases

Manage the database:
 users management, ports, disk management

Stored procedures, extended stored procedures,
functions

Annoyances
 Annoy the DBA

Finding the root DB login
 SA ? Predictable,
but BORING.
 Let’s try to be a bit
more creative

Adding your own DB User
 Not that we really needed a login anyhow
…

Port Scanning
General network error, because the port’s open
but no database is there. But the port’s
open ;)
Initiate a new database connection within the query

Port Scanning (contd..)
Port Closed!!!

The Web Application
Security Gap
 Security Professionals Don’t Know The
Applications

“As a Network Security Professional, I don’t
know how my company’s web applications are
supposed to work so I deploy a protective
solution…but don’t know if it’s protecting what
it’s supposed to.”
 Application Developers and QA
Professionals Don’t Know Security

“As an Application Developer, I can build great
features and functions while meeting
deadlines, but I don’t know how to build
security into my web applications.”

Google Hacking
 Search Engine Hacking Almost Ten Years
Old
 Web Hacking: Pick a site, find the
vulnerability
 Google Hacking : Pick a vulnerability, find
the site.

Database queries
Hooray Source Code !

Google Hacking
 Database
Connection
Strings ?
 Keep tuning

More Results
Get database passwords… right inside the search results

Some Results

SQL Injection worm??

Santy Worm
 Used a WEB
APPLICATION
VULNERABILITY
in a common
freeware PHP
application
 Used GOOGLE to
find new targets
 Multiple improved
variants out very
quickly

Vulnerable Code
 No input validation!!!
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{

PHP MagicQuotes
 Escapes single quotes
 Turns ‘ into ’
 Functional : prevents O’Malley and
O’Brian from O’Crashing your query.
 MagicQuote are magically functional, but
not a security feature, and were never
meant to be
 But loads of developers still think they
are ;)

Attack of the Worms:
How it works
 MagicQuotes recognizes plain and
encoded ‘
 The Attack:

Decoding the attack
 Decode
Once, still
coded
 Decode
Twice:
unallowable
characters

Back to the code
 Magic Quotes decoded the attack once from
%2527 to %27
 The string was decoded, and %27 is not a ‘ so
it’s allowed through
 %27 in a query doesn’t do anything though.
 Fortunately for the worm writer, the software
author decodes the %27 into ‘ before using it,
completing the injection.

Basic Google
 Viewtopic.php with random
numbers as a parameter
 Numbers NOT evasion –
ensure different websites in
each result.
 Unimaginative and easily
signatured ….

Google shutdown the
query…
 …and gave us spyware advice

Google Evasion
 Viewtopic by itself could be anything.
Add phpBB’s footer and it’s more
accurate
 Viewtopic.php is not the same as
viewtopic and php
 Hmm …. Does Google recognize Blank
Spaces ?

Or do not use Google
 There’s more than one engine to search the
web
4 Variants in JUST DAYS.

Remedy
 New Version of phpBB released
 Remedial Action suggested to immediate
users of the software was to remove the
“URLDECODE”
 Prevents the second decode: ‘ remains as
%27
 Still no input validation !

Passive Attacks
 A generally flawed assumption:

Most security breaches are from outside the
company,

Therefore the attacker will be located on the
outside

And therefore attack will be conducted from
the outside
 Currently, passive attacks are probably the most
significant threat in practical security

Attacking Browsers
 A scary trend involves attackers using websites
to exploit browsers that surf there

Installing malicious code (usually spyware, ransomware) on the
system running the browser

Numerous browser holes discovered regularly
 Buffer overflows, escape virtual machine,
bypass code signature checks, bypass zone
restrictions, etc.
 Microsoft has tended to rate such browser
holes as less than critical…

…because they say the victim has to be tricked into surfing to
the attacker's site
 But is that really so?

Commerce
Sites as Distribution
Points The bad guys exploited trusted mid-sized e-
commerce sites run by third parties. Then,
posing as those sites, attackers installed
malicious code that exploited browsers surfing
there
 Recently, we’ve seen some major attacks

June 2004: Download.Ject (browser flaw) installing
the berbew keystroke logger

November 2004: IFRAME buffer overflow (browser
flaw) installing the Bofra worm via banner ads

March 2005: DNS Cache poisoning against .com to
install spyware

Distributing Evil Code

International Domain
Names
 Background: Essentially adds support for
Unicode to browsers, domain registrars
and DNS
 Allows you to browse “localized” URLs

Problem
 Allows super easy URL hiding
 http://www.shmoo.com/idn/

Defenses
 Disable IDN support in browsers
 Keep browsers patched

But… there were no patches for the browser flaws
in June and Nov 2004 when the attacks occurred
 Anti-virus tools

Sigs released quickly for 2004/2005 attacks

Update signatures every day or when new ones are
released
 Anti-spyware tools
 Consider using a different browser

Firefox isn’t flawless, but is attacked less often

Don’t underestimate the effort to switch browsers

MD5 collisions
 August 2004

researchers announced problems with the MD5 hash
algorithm

research done by Wang, Feng, Lai, and Yu, … more analysis
by Joux

attacks seemed scary, but theoretical
 December 2004

Dan Kaminsky released a white paper and tool called Stripwire
based on the problems "MD5 To Be Considered Harmful
Someday" at www.doxpara.com

Not so theoretical anymore… but not yet totally practical
 February, 2005

Interestingly, additional concerns expressed about SHA-1…
not necessarily the same attack, though

One-Way Hash Functions
And Collisions
 Hash functions take in an arbitrary large
amount of data, and crunch it down to a
small fingerprint
 One-way hashes should:

Be easy to compute going forward (from
original data to hash)

Be really really hard to compute going
backward (i.e., deriving original data
that yields a specific hash)

Avoid collisions (i.e., it should be really
really hard to create two original data
elements that have the same hash)

A Limited Collision
 One result of the 2004 research
was the release of two different
blocks of data that have the same
hash

A very limited collision
 Let's call them x and y…
 The research from 2004 included
example vectors x and y

Extending the collision
 Now, what's more,
researchers knew that if x
and y are the same length,
and if that length is a multiple
of 64-bytes…

If md5(x) = md5(y)… then
md5(x + q) = md5(y + q)

Where q is any data we can
append to x and y

Example Collision
 http://www.doxpara.com/research/md5/t1.html
 MD5 (t1.html) = c0f3adb824590b40944614268e627421
 http://www.doxpara.com/research/md5/t2.html
 MD5 (t2.html) = c0f3adb824590b40944614268e627421

Lessons Learnt
 Don't rely exclusively on MD5

Utilize multiple hash algorithms in parallel
 MD5
 SHA-1
 RIPEMD-160
 Code available at
http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
 It's very unlikely that someone will find collisions
in multiple, different hash algorithms at the same
time

…but hey, you never know
 Still, it's a reasonable level of protection

Web application security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to Web application security

Similar to Web application security (20)

Recently uploaded

Recently uploaded (20)

Web application security