Web Insecurity And Browser Exploitation

1. 1Web Insecurity and Browser Exploitationbrought to you by Michele “AntiSnatchOr” Orrù and Integrating Web LTD20th January 2009

2. http://www.integratingweb.comhttp://antisnatchor.comWho am I?Director and CSO of Integrating Web LTD

3. Bachelor Degree in Internet Sciences

4. Owner of http://antisnatchor.com security advisory blog

5. JEE developerOutline2 of 59

6. http://www.integratingweb.comhttp://antisnatchor.comSeminar outline Discuss the most relevant SANS top 25 errors that concern Web Applications

7. Practical demonstrations of some vulnerable Real World web applications (my totally independent security research)

8. Understand the impact of these threats on the most valuable web-app assets

9. Practical screen-casts that show how attackers exploit common flows

10. Browser exploitation discussionSeminar outline3 of 59

11. http://www.integratingweb.comhttp://antisnatchor.comWhat we will discuss:CWE-20: Improper Input Validation

12. CWE-116: Improper Encoding or Escaping of Output

13. CWE-209: Error Message Information Leak

14. CWE-89: Failure to Preserve SQL Query Structure (SQL injection)

15. CWE-79: Failure to Preserve Web Page Structure (XSS)

16. CWE-352: Cross-Site Request Forgery (XSRF)What we will discuss4 of 59

17. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: Improper Input ValidationThe biggest issue on today’s Internet Applications (not just Web Applications)

18. Improper Input Validation can lead to security vulnerabilities when attackers can modify input in unexpected ways for the application

19. The only way to protect our applications is by understanding that all input can be maliciousCWE-20: Improper Input Validation5 of 59

20. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: Example8e6 R3000 Internet Filter (commercial HTTP(S) Proxy filter solution)CWE-20: Example6 of 59

21. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: ExampleCredits: nnposter

22. DNS based website blacklist can be bypassed by providing a forged request with a custom HTTP headerHttp request:GET / HTTP/1.1X-DecoyHost: www.milw0rm.orgHost: www.blocked.orgCWE-20: Example7 of 59

23. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: MitigationUnderstand every potential attack areas: parameters, arguments, cookies, headers, files, database queries...

24. Whitelist approachinstead of blacklist (you are certainly going to miss some character encoding variants)

25. WebApp case: use a WebApp Firewall (ModSecurity/F5) or an Input Validation Framework for your language.CWE-20: Mitigation8 of 59

26. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: MitigationModSecurityCWE-20: Mitigation with ModSecurity9 of 59

27. http://www.integratingweb.comhttp://antisnatchor.comCWE-20:MITIGATION OWASP ESAPIA common set of interfaces for security controls such as:

28. Authentication

29. Access Control

30. Input Validation

31. Output Encoding

32. Cryptography

33. Error handling/loggingCWE-20:MITIGATION OWASP ESAPI10 of 59

34. http://www.integratingweb.comhttp://antisnatchor.comCWE-20: MITIGATION PHPIDSCWE-20: MITIGATION PHPIDSInput validation framework for PHP based applications

35. Developed by skilled hackers (Mario Heiderich - .mario on sla.ckers.org)

36. Try their demo with your nasty attack vectors here: http://demo.php-ids.org

37. Integrated as a module in Drupal, works with the powerful Zend Framework (http://forum.php-ids.org/comments.php?DiscussionID=113)11 of 59

38. http://www.integratingweb.comhttp://antisnatchor.comCWE-116: Improper Encoding/Escaping of OutputInsufficient output encoding is the often-ignored sibling to poor input validation

39. Even if input has been filtered, application output could not be safe: it need to be encoded too

40. Common examples: HTML/JavaScript injection on web based applicationsCWE-116: Improper Encoding of Output12 of 59

41. http://www.integratingweb.comhttp://antisnatchor.comCWE-116: ExampleEclipse BIRT (reporting system that integrates with Java/JEE applications)CWE-116: Example13 of 59

42. http://www.integratingweb.comhttp://antisnatchor.comCWE-116: ExampleCredits: antisnatchor[http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss]

43. Java Exception stack trace was not HTML-encoded, so we can inject an iframeGET /birt-viewer/run?__report='"><iframe%20src=javascript:alert(666)>&r=-703171660 HTTP/1.1 Host: localhost:8780Our code was executed correctly in the application outputCWE-116: Example14 of 59

44. http://www.integratingweb.comhttp://antisnatchor.comCWE-116: MitigationAlways encode Java stack traces (better to don’t show them to prevent Information Leakage)

45. Always encode application output, especially if it contains previously user-supplied input

46. WebApp firewall and ESAPI/PHPIDS (you lazy developers :-))CWE-116: Mitigation15 of 59

47. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Error Message Information LeakChatty or debug error messages could disclose important important information to attackers

48. This information is used in the Penetration Testing phase called “Reconnaissance”

49. Even these little secrets can greatly simplify a more concerted attack that yields much bigger rewardsCWE-209: Error Message Information Leak16 of 59

50. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples1. www.dm.unibo.itCredits: antisnatchor

51. MySQL error when forging a malicious request altering the anno parameterGET /seminari/archivio.php?anno=2008%27 HTTP/1.1Host: www.dm.unibo.it[...]Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Proxy-Connection: keep-aliveCookie: dm=[...]CWE-209: www.dm.unibo.it17 of 59

52. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples1. www.dm.unibo.itApplication response:CWE-209: www.dm.unibo.itCausing an SQL syntax error we discovered that the DB backend is MySQL

53. We can now run more targeted attacks18 of 59

54. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples2. uniwex.unibo.itCredits: antisnatchor

55. Session Management was (IS actually) broken and can be manipulated

56. If we are the hacker riding the victim’s session, and the victim then logout from Uniwex, his session (and ours, because is the same) is invalidated.

57. If we invalidate a session and then we try to submit the previously “invalid” session token... MAGICALLY ...CWE-209: unibo.unibo.it19 of 59

58. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples2. uniwex.unibo.itCWE-209: unibo.unibo.it20 of 59

59. http://www.integratingweb.comhttp://antisnatchor.comCWE-209: Examples2. uniwex.unibo.itThe JSP page /unique/UniqueNewException.jsp is clearly leaved there for debug purposes

60. It shouldn’t be there in production!!!

61. This revealed us that Tomcat is used as Application Server, and we’ve also obtained the specific version of a few frameworks on which the application was built:/home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/struts-1.1.jar /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/myfaces-api-1.1.4.jarCWE-209: unibo.unibo.it21 of 59

62. http://www.integratingweb.comhttp://antisnatchor.comCWE-89: SQL InjectionThese days most software is all about the data and how it can be served to maximize user and business needs

63. The most common storage solution is a Relational Database(Oracle, MySQL, Postgres, MS-SQL, Sybase)

64. If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profitCWE-89: SQL Injection22 of 59

65. http://www.integratingweb.comhttp://antisnatchor.comCWE-89: SQL InjectionExploiting escape characters:"SELECT * FROM customers WHERE name= '" + customerName+ "';"IfcustomerName=marcus’ UNION SELECT 1,2,3,4 FROM admin_users;Then the final query becomes: SELECT * FROM customers WHERE name='marcus’ UNION SELECT 1,2,3,4 FROM admin_users;Exploiting type handling:"SELECT * FROM product_data WHERE product_id = " + productId + ";"IfproductId=10078;DROP TABLE admin_usersThen the final query becomes:SELECT * FROM product_data WHERE product_id =10078;DROP TABLE admin_users;CWE-89: SQL Injection23 of 59

66. http://www.integratingweb.comhttp://antisnatchor.comCWE-89: SQL InjectionDiscovering which web application parameters/cookie/headers are querying the DB, we can test if input is properly escaped or not

67. The previous example on www.dm.unibo.it demonstrates that input is not being escaped at all

68. After we discovered the SQL injection we can fire-up our favorite injection tool to retrieve useful informationCWE-89: SQL Injection24 of 59

69. http://www.integratingweb.comhttp://antisnatchor.comCWE-89:Example1. www.dm.unibo.itCredits: antisnatchor

70. Confirmed unescaped numeric injection on GET parameter “anno”

71. We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0

72. For demonstration we retrieved the exact name of the database name to which the web app is bounded:dipartimentoCWE-89: www.dm.unibo.it25 of 59

73. http://www.integratingweb.comhttp://antisnatchor.comScreen-Castwww.dm.unibo.itCWE-89: www.dm.unibo.it26 of 59

74. http://www.integratingweb.comhttp://antisnatchor.comCWE-89:Example2. www.virtus.itCredits: antisnatchor

75. Confirmed unescaped numeric injection on GET parameter “ID” (SPNewsDettaglio.asp)

76. We were able to obtain details about the application stack: Microsoft IIS 6, ASP and SQL Server 2000

77. We retrieved the exact name of the database name to which the web app is bounded: ServizioNews(and a few tables too)CWE-89: www.virtus.it27 of 59

78. http://www.integratingweb.comhttp://antisnatchor.comCWE-89: MitigationImplement a validation framework (previously discussed) to protect your application

79. Use stored procedures

80. Hibernate on JEE, NHibernate on .NET

81. DB specific: Oracle DBMS_ASSERT directive, MySQLreal_escape_string() function

82. Use a whitelist approach, permitting only “known good input”CWE-89: Mitigation28 of 59

83. http://www.integratingweb.comhttp://antisnatchor.comCWE-89: DangersAs you can see SQL injection can be devastating for the integrity of your data

84. Data loss is probably the most negative consequence for an Enterprise

85. If the web application (most of them, if not all) is storing web page content inside the DB, we can deface the site tooCWE-89: Dangers29 of 59

86. http://www.integratingweb.comhttp://antisnatchor.comLinksGood books:

87. http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1

88. http://www.amazon.com/Database-Hackers-Handbook-Defending-Servers/dp/0764578014/ref=sr_1_2?ie=UTF8&s=books&qid=1260281547&sr=8-2

89. http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3

90. SQLmap author:

91. http://www.slideshare.net/inquis/sql-injection-not-only-and-11CWE-89: Links30 of 59

92. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: The Plague ofCross Site ScriptingWe can inject JavaScript, HTML, VBscript or other browser-executable content into pages generated by the application

93. The page is then accessed by other users, whose browsers execute that malicious script as if it came from the legitimate user (the victim)

94. It always happen when a server-side script/servlet/whatever process the malicious data to generate a page without properly sanitizing the response (non-DOM-based XSS)CWE-79: The Plague of Cross Site Scripting31 of 59

95. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: Examples1. www.cia.govCWE-79: www.cia.gov32 of 59

96. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: Examples2. portal.hotspotsvankpn.comCWE-79: portal.hotspotsvankpn.com33 of 59

97. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: MitigationA real world case example: Apache OFBiz implementation of ESAPI toolkit.

98. After my JIRA issue they started to take really care of security (I’m glad to)

99. See http://fisheye6.atlassian.com/changelog/ofbiz?cs=746409 and http://antisnatchor.com/2008/12/11/apache-ofbiz-multiple-security-vulnerabilitiesCWE-79: Mitigation34 of 59

100. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: MitigationThe changes of StringUtil.javaclass:CWE-79: Mitigation35 of 59

101. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: MitigationThe changes of ModelScreenWidget.javaclass:CWE-79: Mitigation36 of 59

102. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: MitigationValidate every parameter/cookie/header/input that can be manipulated by a potential attacker and then displayed on the page

103. Do not create your own filters: you’ll probably miss some attack vectors or encodings

104. Use well known Encoding/Validation frameworks such as ESAPI,PHPIDS,Microsoft Anti-XSS (yes, Microsoft, don’t laugh please :-))CWE-79: Mitigation37 of 59

105. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: Advanced conceptsBypassing anti-XSS filters

106. As we said many times before, we don’t recommend to write an anti-XSS filter from scratch

107. At CERN they usually develop application from scratch, like Indico (http://indico.cern.ch). Indico is the main solution used by the EGEE partners around Europe (many thousand of users)

108. We found a way to bypass a basic anti-XSS filter implemented in the application

109. Bracelets () are correctly escaped with < and >, thus preventing almost all the attack vectors……CWE-79: Advanced concepts38 of 59

111. ….. We said almost because we can create attack vectors even without bracelets:http://indico.cern.ch/search.py?categId=0&p=cloud&f=title%22&collections=&startDate=&endDate=&sortOrder=dThe rendered HTML after processing the request is the following:<form id="NextFormEvents" method="GET" action="http://indico.cern.ch/search.py"> <input type="hidden" name="startDate" value=""/> <input type="hidden" name="endDate" value=""/> <input type="hidden" name="p" value="cloud"/> <input type="hidden" name="f" value="title""/>  <input type="hidden" name="collections" value="Events"/> <input type="hidden" name="categId" value="0" /></form>CWE-79: Advanced concepts39 of 59

113. The following is working on Microsoft Internet Explorer 6 and 7:

114. "style%3d"width: expression(alert('XSS'));"

115. The malicious code will add to the "input" element a "style" attribute: note that expression is understood only by IE.The rendered HTML after processing the request is the following:<form id="NextFormEvents" method="GET" action="http://indico.cern.ch/search.py"> <input type="hidden" name="startDate" value=""/> <input type="hidden" name="endDate" value=""/> <input type="hidden" name="p" value="cloud"/> <input type="hidden" name="f" value="title” style=“width: expression(alert('XSS'));”/> <input type="hidden" name="collections" value="Events"/> <input type="hidden" name="categId" value="0" /></form>CWE-79: Advanced concepts40 of 59

116. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: Advanced conceptsXSS proxiesForcing the victim to load a malicious Javascript code (with XSS/social engineering), we can open an AJAX communication that can talk cross-domainCWE-79: Advanced conceptsImage Copyright: FerruhMavituna41 of 59

117. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: Advanced conceptsCWE-79: Advanced concepts42 of 59XSS tunnelingHaving an Inter-protocol communication channel (such as in the example before) we can basically tunnel HTTP traffic into it.Applications that supports HTTP proxies (vulnerability scanners for example) can be proxified… Thanks to tunneling the attacks made with a proxified vulnerability scanner will be generated in fact by the victim browser

118. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: Advanced conceptsXSS tunnels: tunneling a vulnerability scannerCWE-79: Advanced conceptsImage Copyright: FerruhMavituna43 of 59

119. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: Example1. KonaKartCredits: antisnatchor

120. KonaKart is a free Java based web application to manage e-commerce websites (www.konakart.com)

121. Stored XSS has been found and verified in the backend

122. More info here: http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/

123. Let see how we can exploit themCWE-79: KonaKart44 of 59

124. http://www.integratingweb.comhttp://antisnatchor.comScreen-CastKonaKartCWE-79: KonaKart45 of 59

125. http://www.integratingweb.comhttp://antisnatchor.comCWE-79: Examples2. WMSmonitorCredits: antisnatchor

126. Internal Penetration Test at INFN (National Institute of Nuclear Physics)

127. Workload Management System (distribute job execution between multiple Computing Elements on a Grid infrastructure) monitor

128. Some serious flows have been identified

129. Unsecure handling of X.509 client certificates

130. Reflected XSS

131. TRACE method enabled

132. Let see how can we take full control of the victim browser CWE-79: WMSmonitor46 of 59

133. http://www.integratingweb.comhttp://antisnatchor.comScreen-CastWMSmonitorCWE-79: WMSmonitor47 of 59

134. http://www.integratingweb.comhttp://antisnatchor.comLinksWade Alcorn’s works:

135. BeEF: http://www.bindshell.net/tools/beef/

136. Inter-Protocol Exploitation: http://www.bindshell.net/papers/ipe

137. The Advanced Cross-Site Scripting Virus: http://www.bindshell.net/papers/axssv

138. Rsnake & al. works:

139. XSS cheat sheet: http://ha.ckers.org/xss.html

140. XSS proxies:

141. http://ha.ckers.org/blog/20060718/attacking-applications-via-xss-proxies/

142. http://xss-proxy.sourceforge.net/shmoocon-XSS-Proxy.ppt

143. XSS tunneling: http://www.portcullis-security.com/uplds/whitepapers/XSSTunnelling.pdf

144. XSS worm context: http://ha.ckers.org/blog/20080106/diminutive-xss-worm-contest-drama-and-status-update/

145. AntiSnatcOr works research:

146. Advisories on SecurityFocus: http://antisnatchor.com/2009/10/14/finally-on-bugtraq/CWE-79: Links48 of 59

147. http://www.integratingweb.comhttp://antisnatchor.comLinksGood books:

148. http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1

149. http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_4?ie=UTF8&s=books&qid=1260281547&sr=8-4

150. http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3

151. http://www.amazon.com/Hacking-Next-Generation-Animal-Guide/dp/0596154577/ref=sr_1_1?ie=UTF8&s=books&qid=1263982791&sr=8-1 CWE-79: Links49 of 59

152. http://www.integratingweb.comhttp://antisnatchor.comCWE-352: Cross Site Request ForgeryIt exploits the trust that a website has for the currently authenticated user and executes unwanted actions on a web application on his behalf

153. Once the request gets to the application, it looks as if it came from the user, not the attacker

154. If the victim has admin privileges on the application: GAME OVERCWE-352: Cross Site Request Forgery50 of 59

155. http://www.integratingweb.comhttp://antisnatchor.comCWE-352: XSRF Concrete ConsequencesPerforming illegal actions such as using victim's shopping cart, executing stock trades

156. Changing DNS settings of home routers (thanks pdp & GNUCITIZEN)

157. Performing a Denial Of Service attack on the application

158. Combining it with XSS to build WORMSCWE-352: XSRF Concrete Consequences51 of 59

159. http://www.integratingweb.comhttp://antisnatchor.comCWE-352: XSRF Concrete Consequences (I)1. Find a page with a lost-password form inside and find out which fields would be updated

160. 2. Trick the administrator to load the hacker page with a malicious request on it that submits a new email

161. 3. Administrator's e-mail is now changed to the email submitted by hacker

162. 4. The hacker performs a lost-password request and receives a new passwordCWE-352: XSRF Concrete Consequences52 of 59

163. http://www.integratingweb.comhttp://antisnatchor.comCWE-352: XSRF Concrete Consequences (II)1. Find a router that doesn’t use cookies or URL tokens to identify the user session on the web management interface (most of them)Ex.: http://192.168.1.1/changeDNS?dns=1.2.3.42. Just send the link to the victim with a bit of social engineering (or embedding it for auto-execution in places you know the victim will access)

164. 3 The victim is now using your chosen DNS, where you probably altered her common used domains with your phishing ones CWE-352: XSRF Concrete Consequences53 of 59

165. http://www.integratingweb.comhttp://antisnatchor.comCWE-352: XSRFWho has been vulnerable?ING direct [We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account.]

166. Youtube

167. New York Times

168. Gmail [http://directwebremoting.org/blog/joe/2007/01/01/csrf_attacks_or_how_to_avoid_exposing_your_gmail_contacts.html]CWE-352: XSRF Who has been vulnerable?54 of 59

169. http://www.integratingweb.comhttp://antisnatchor.comCWE-352: XSRF1. Apache OFBizRead my advisory here: https://issues.apache.org/jira/browse/OFBIZ-1959

170. We can create a malicious form that will add a product (eventually with some JS inside) to the Catalog

171. If the victim is already authenticated she will not even realize what she did CWE-352: Apache OFBiz55 of 59

172. http://www.integratingweb.comhttp://antisnatchor.comCWE-352: XSRF1. Apache OFBiz<form method="POST" id="xsrf" name="xsrf"action="https://127.0.0.1:8443/catalog/control/createProduct"><input type=hidden name="isCreate" value="true"><input type=hidden name="productId" value="hack02"><input type=hidden name="productTypeId" value="DIGITAL_GOOD"><input type=hidden name="internalName" value="hack02<script>alert(document.cookie)</script>"></form><script>document.xsrf.submit(); </script>CWE-352: Apache OFBiz56 of 59

173. http://www.integratingweb.comhttp://antisnatchor.comCWE-352: XSRFMitigationAdd a unique randomly-generated token to each request (maybe as an hidden form value): this n bit token is changed for every request and is verified by the application<input id="fkey" name="fkey" type="hidden" value="df8652852f139" />Use a secure framework such as ESAPI to add random token to your requests

174. Implement AJAX functionalities with secure libraries such as DWR-2.0 (Direct Web Remoting) that automatically prevents XSRFCWE-352: XSRF Mitigation57 of 59

175. http://www.integratingweb.comhttp://antisnatchor.comBrowser Exploitation discussion1. Google and China, Internet Explorer bugs2. ScreenCast: Browser Exploitationwith BeEF and MetasploitBrowser Exploitation58 of 59

176. http://www.integratingweb.comhttp://antisnatchor.comThanks for your attention!Take a look at: http://antisnatchor.comQuestions?59 of 59

Web Insecurity And Browser Exploitation

More Related Content

What's hot (20)

Viewers also liked (18)

Similar to Web Insecurity And Browser Exploitation (20)

Recently uploaded (20)

Web Insecurity And Browser Exploitation