This document provides an outline for a seminar on web insecurity and browser exploitation. It introduces the speaker and their background and experience. The seminar will discuss the top 25 security errors from SANS, with practical demonstrations of vulnerabilities in real world web applications. Specific vulnerabilities that will be covered include improper input validation, improper output encoding, information leaks in error messages, SQL injection, and cross-site scripting. Mitigation strategies and frameworks for each vulnerability will also be discussed. Practical examples of discovered vulnerabilities are provided for selected websites.

1. 1Web Insecurity and Browser Exploitationbrought to you by Michele “AntiSnatchOr” Orrù and Integrating Web LTD20th January 2009

2. http://www.integratingweb.comhttp://antisnatchor.comWho am I?Director and CSO of Integrating Web LTD

3. Bachelor Degree in Internet Sciences

4. Owner of http://antisnatchor.com security advisory blog

5. JEE developerOutline2 of 59

6. http://www.integratingweb.comhttp://antisnatchor.comSeminar outline Discuss the most relevant SANS top 25 errors that concern Web Applications

7. Practical demonstrations of some vulnerable Real World web applications (my totally independent security research)

8. Understand the impact of these threats on the most valuable web-app assets

9. Practical screen-casts that show how attackers exploit common flows

10. Browser exploitation discussionSeminar outline3 of 59

11. http://www.integratingweb.comhttp://antisnatchor.comWhat we will discuss:CWE-20: Improper Input Validation

12. CWE-116: Improper Encoding or Escaping of Output

13. CWE-209: Error Message Information Leak

14. CWE-89: Failure to Preserve SQL Query Structure (SQL injection)

15. CWE-79: Failure to Preserve Web Page Structure (XSS)

16. CWE-352: Cross-Site Request Forgery (XSRF)What we will discuss4 of 59

17. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: Improper Input ValidationThe biggest issue on today’s Internet Applications (not just Web Applications)

18. Improper Input Validation can lead to security vulnerabilities when attackers can modify input in unexpected ways for the application

19. The only way to protect our applications is by understanding that all input can be maliciousCWE-20: Improper Input Validation5 of 59

20. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: Example8e6 R3000 Internet Filter (commercial HTTP(S) Proxy filter solution)CWE-20: Example6 of 59

21. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: ExampleCredits: nnposter

22. DNS based website blacklist can be bypassed by providing a forged request with a custom HTTP headerHttp request:GET / HTTP/1.1X-DecoyHost: www.milw0rm.orgHost: www.blocked.orgCWE-20: Example7 of 59

23. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: MitigationUnderstand every potential attack areas: parameters, arguments, cookies, headers, files, database queries...

24. Whitelist approachinstead of blacklist (you are certainly going to miss some character encoding variants)

25. WebApp case: use a WebApp Firewall (ModSecurity/F5) or an Input Validation Framework for your language.CWE-20: Mitigation8 of 59

26. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: MitigationModSecurityCWE-20: Mitigation with ModSecurity9 of 59

27. http://www.integratingweb.comhttp://antisnatchor.comCWE-20:MITIGATION OWASP ESAPIA common set of interfaces for security controls such as:

28. Authentication

29. Access Control

30. Input Validation

31. Output Encoding

32. Cryptography

33. Error handling/loggingCWE-20:MITIGATION OWASP ESAPI10 of 59

34. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: MITIGATION PHPIDSCWE-20: MITIGATION PHPIDSInput validation framework for PHP based applications

35. Developed by skilled hackers (Mario Heiderich - .mario on sla.ckers.org)

36. Try their demo with your nasty attack vectors here: http://demo.php-ids.org

37. Integrated as a module in Drupal, works with the powerful Zend Framework (http://forum.php-ids.org/comments.php?DiscussionID=113)11 of 59

38. http://www.integratingweb.comhttp://antisnatchor.comCWE-116: Improper Encoding/Escaping of OutputInsufficient output encoding is the often-ignored sibling to poor input validation

39. Even if input has been filtered, application output could not be safe: it need to be encoded too

40. Common examples: HTML/JavaScript injection on web based applicationsCWE-116: Improper Encoding of Output12 of 59

41. http://www.integratingweb.comhttp://antisnatchor.comCWE-116: ExampleEclipse BIRT (reporting system that integrates with Java/JEE applications)CWE-116: Example13 of 59

42. http://www.integratingweb.comhttp://antisnatchor.comCWE-116: ExampleCredits: antisnatchor[http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss]

43. Java Exception stack trace was not HTML-encoded, so we can inject an iframeGET /birt-viewer/run?__report='"><iframe%20src=javascript:alert(666)>&r=-703171660 HTTP/1.1 Host: localhost:8780Our code was executed correctly in the application outputCWE-116: Example14 of 59

44. http://www.integratingweb.comhttp://antisnatchor.comCWE-116: MitigationAlways encode Java stack traces (better to don’t show them to prevent Information Leakage)

45. Always encode application output, especially if it contains previously user-supplied input

46. WebApp firewall and ESAPI/PHPIDS (you lazy developers :-))CWE-116: Mitigation15 of 59

47. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Error Message Information LeakChatty or debug error messages could disclose important important information to attackers

48. This information is used in the Penetration Testing phase called “Reconnaissance”

49. Even these little secrets can greatly simplify a more concerted attack that yields much bigger rewardsCWE-209: Error Message Information Leak16 of 59

50. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples1. www.dm.unibo.itCredits: antisnatchor

51. MySQL error when forging a malicious request altering the anno parameterGET /seminari/archivio.php?anno=2008%27 HTTP/1.1Host: www.dm.unibo.it[...]Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Proxy-Connection: keep-aliveCookie: dm=[...]CWE-209: www.dm.unibo.it17 of 59

52. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples1. www.dm.unibo.itApplication response:CWE-209: www.dm.unibo.itCausing an SQL syntax error we discovered that the DB backend is MySQL

53. We can now run more targeted attacks18 of 59

54. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples2. uniwex.unibo.itCredits: antisnatchor

55. Session Management was (IS actually) broken and can be manipulated

56. If we are the hacker riding the victim’s session, and the victim then logout from Uniwex, his session (and ours, because is the same) is invalidated.

57. If we invalidate a session and then we try to submit the previously “invalid” session token... MAGICALLY ...CWE-209: unibo.unibo.it19 of 59

58. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples2. uniwex.unibo.itCWE-209: unibo.unibo.it20 of 59

59. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples2. uniwex.unibo.itThe JSP page /unique/UniqueNewException.jsp is clearly leaved there for debug purposes