1 Taking Aim at Web Applications
Dennis Groves, Bill Pennington
Copyright © 2002 Dennis Groves, Bill Pennington & Jeremiah Grossman

2 Introduction
- Bill Pennington, Principal Consultant, Guardent
- Tested over 300 web applications over the past 3 years

3 Dennis Groves
- Specialty: Enterprise Security, Web Application Security, Pen-Testing & Quality Assurance.
- Bio: Dennis is currently the Director of Internet Security Consulting for Centerstance, Inc. For the last 3 years his primary focus has been on Web Application Security. He is a founding member of the Open Web Application Project and a former Sanctum employee; he played a key role in the development of AppScan.

4 Why is this important?

5 Topics
- This is not new
- Why your firewall doesn't matter
- Types of attacks
- Filter, Filter, Filter
- Do you know where your data is?
- Tools to help you

6 This is Not New
- Problems with web applications are the same problems as with standalone applications

7 Why your Firewall doesn't matter
- Standard rant

8 Top 5 Vulnerabilities
- SQL insertion
- XSS
- Session hijacking
- Parameter manipulation
- Unbounded file calls

9 Cross site scripting: why you should care
- XSS is not an attack on the server; it is an attack on the users of your application
- So what? Identity theft, user masquerading, reputation risk

10 SQL Insertion
- Most common on MS-based applications
- All SQL apps are vulnerable (Oracle, Sybase, DB2…)
- Can lead to full compromise of the server (xp_cmdshell)
- Almost guaranteed to lead to data compromise
- Demo…

11 Cross Site Scripting (XSS)
- Found in 98% of applications I test
- 2 main types:
- Transient (URL based): http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>
- Sticky: script placed in a static bit of web content

12 XSS continued…
- Transient generally requires user interaction
- What can happen? Possibilities are only restricted by the client
- Cookie theft is the most common example
- "But I filter!" JScript entities: &{alert('Test')};

13 Session Hijacking
- HTTP is stateless, so application designers must build a way to track state
- Cookies and URL strings are the most common ways to track state
- Both are easily exploitable

14 Session Hijacking continued…
- Generally the next thing to occur after XSS
- Please, people: logout means logout!
- Examples of common session tracking issues

15 Parameter Tampering
- Programmers will store data anywhere!
- URL parameters: http://badapp.com/checkout.pl?p=$1.00
- Cookies: Cookie: p=$1.00
- Hidden fields: not really hidden

16 Unbound File Calls
- Ye Olde ../../
- Watch out that you don't display important information (global.asa)
- Most application languages will take URLs as file arguments

17 Do you know where your data is?
- Building an exclusionary filter is difficult because your data is all over the place

18 Data Flow example
19 Designing a proper filter
- Make all filters default deny
- Don't try to exclude bad stuff
- Try to get a good idea where your data is going
- Log all filter violations
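One way to put these four rules into code, as an added example that is not part of the original slides (the parameter names, patterns and length bound are hypothetical): each expected parameter gets an allow-list pattern, everything else is rejected, and every rejection is logged.

```python
"""Default-deny parameter filter with violation logging (added example, not
from the slides; the parameter names and patterns are hypothetical). Each
expected parameter has an allow-list pattern describing good input; unknown
parameters and anything outside the pattern are rejected and logged."""
import logging
import re

log = logging.getLogger("webapp.filter")

MAX_VALUE_LEN = 256   # bound the input before any pattern matching
RULES = {
    "item": re.compile(r"[A-Z0-9-]{3,16}"),             # catalogue code
    "qty":  re.compile(r"[1-9][0-9]{0,2}"),             # 1 to 999
    "msg":  re.compile(r"[A-Za-z0-9 .,!?'()-]{0,200}"), # plain text only
}
# Note what is absent: there is no rule for a price (the "p=$1.00" of slide
# 15), so a client-supplied price is rejected; the server looks prices up.

def filter_params(params: dict, rules=RULES):
    """Return (accepted, rejected). accepted holds the values that matched
    their rule; rejected maps each bad name to a reason, which is also logged
    because filter violations are the first sign of someone probing."""
    accepted, rejected = {}, {}
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            reason = "unexpected parameter"
        elif not isinstance(value, str) or len(value) > MAX_VALUE_LEN:
            reason = "value missing or too long"
        elif not rule.fullmatch(value):
            reason = "value outside allow-list"
        else:
            accepted[name] = value
            continue
        rejected[name] = reason
        log.warning("filter violation: %s (%s)", name, reason)
    return accepted, rejected
```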

20 Examples
- ASP, PHP, JScript, Perl

21 Bypassing poorly designed filters
"All warfare is based on deception… If he is in superior strength, evade him." Sun Tzu, The Art of War, 500 BC

22 Evasion is the art of blending in so you will not be noticed; of course this age-old technique of survival is still useful today.
evade:
1. to escape or avoid somebody or something, usually by ingenuity or guile
2. to avoid doing something unpleasant, especially something that is a moral or legal obligation
3. to avoid dealing with or responding directly to something
4. to be difficult or impossible for somebody to find, obtain, or achieve (formal)

23 Filter Bypassing is a technique to evade detection by filtering systems. Filter bypassing techniques come in many varieties when applied to the many facets of web application security. The general idea of the techniques described here is to bypass security measures designed to prevent certain types, amounts or values of data from being passed into a given system. Many of the described techniques can be highly effective when used properly and become even more powerful when used in combination.

24 Most filter systems are very simple, as the flow chart shows. Seven forms of ingenuity:
- URL Encoded Strings
- Double Hex Encoding
- Unicode Encoded String
- Long URLs
- Case Sensitivity
- XSS Filter-Bypass Manipulation
- Null Character Injection
Evade: 1. to escape or avoid somebody or something, usually by ingenuity or guile…

25 The Hex Advantage
- By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.
- http://foo.com/cgi?file=/etc/passwd can become: http://foo.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64

26 Double Hex Encoding
In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability. The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL. An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability. When an unpatched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL. IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding. This secondary decoding was the source of another vulnerability.

27 IIS Double Hex
- Round 1 decoding: scripts/..%255c../winnt becomes scripts/..%5c../winnt (%25 = the % character)
- Round 2 decoding: scripts/..%5c../winnt becomes scripts/..\../winnt
- Directory path traversal is now possible using path obfuscation through double hex encoding.

28 The Unicode Slash
- In Unicode, %c0%af is the equivalent of a slash (/).
- Therefore the common IIS URL exploit scripts/..%c0%af../winnt becomes scripts/../../winnt
- Once again, directory path traversal is now possible using path obfuscation through Unicode.

29 Double Slash
- Using multiple directory slashes in URLs, for example http://www.foo.com/..//etc//passwd, can be used to move under the radar of IDS systems and still function properly.

30 Long URLs
- Many systems put limits on how much data a variable can store or a system can handle. Often, if these limits are exceeded, the data will still be used but bypass certain security considerations.
- URLs such as http://www.foo.com/cgi?param=filename replaced with http://www.foo.com/cgi?param=<…>

31 Case Sensitivity
- Case sensitivity may play a role in many security filtration systems. Alternating case on URL parameters may be used to bypass certain restrictions.
- http://foo.com/cgi?param=bar
- http://foo.com/cgi?param=BaR
- http://foo.com/CGI?param=BAR

32 Method Switching
- Many web applications do not properly perform HTTP request method sanity checking. Method switching can be used to bypass IDS, logging features and CGI security mechanisms.
- Most web servers do not log "POST" data, and thus forensic analysis is harder to perform.
- The request method GET /cgi-bin/some.cgi can become POST /cgi-bin/some.cgi

33 HTTP 1.1 Methods
- The Method token indicates the method to be performed on the resource identified by the Request-URI.
- OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT

34 Using your HEAD
- The HEAD request method can be used to determine whether a particular HTTP resource is accessible without actually downloading the resource data.
- Scans and web application attacks can be made more effective using this technique.

35 Null Character Injection
- Hex-encoded null characters can be used to thwart some security mechanisms. This happens because in the C programming language a null character designates the end of a string.
- So if a CGI appends .html to an input parameter, http://foo.com/cgi?file=../../etc/passwd%00 will cut off the appended .html.
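The encoding tricks of slides 25 to 30 and 35 all rely on the filter seeing a different string than the file system does. The following added example (not from the slides; the length bound and the root-relative path model are assumptions) takes the defender's side: decode once, refuse anything still encoded, and reduce the path to one normal form so that a single plain-text check catches double encoding, the overlong slash, doubled slashes, over-long input and an embedded NUL.

```python
"""Path canonicalisation before the security check (added example, not from the
slides). Undo the encodings first, refuse what cannot be made unambiguous, and
run the check on the single normal form that comes out."""
from urllib.parse import unquote_to_bytes

MAX_LEN = 2048   # assumption: refuse over-long input before doing any work

class BadPath(ValueError):
    """Carries a short reason suitable for the violation log."""

def canonical_path(raw: str) -> str:
    """Return the path as '/seg/seg' with no '.', '..', backslash or '//'
    left, or raise BadPath when the input hides something or leaves the root."""
    if len(raw) > MAX_LEN:
        raise BadPath("input too long")
    data = unquote_to_bytes(raw)           # exactly one round of %xx decoding
    if unquote_to_bytes(data) != data:     # a second round would change it:
        raise BadPath("double-encoded sequence")  # the %255c trick (fail closed)
    if b"\x00" in data:                    # %00 would truncate a C string later
        raise BadPath("NUL byte in path")
    try:
        text = data.decode("utf-8")        # strict: overlong %c0%af is rejected
    except UnicodeDecodeError:
        raise BadPath("invalid UTF-8 in path") from None
    parts = []
    for seg in text.replace("\\", "/").split("/"):   # IIS treats '\' as '/'
        if seg in ("", "."):
            continue                       # collapses '//' and '/./'
        elif seg == "..":
            if not parts:
                raise BadPath("path escapes the document root")
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def check_path(raw: str):
    """(True, canonical path) or (False, reason); log the reason on False."""
    try:
        return True, canonical_path(raw)
    except BadPath as err:
        return False, str(err)
```

A literal "%25" in a legitimate file name is also refused by the double-encoding check; that is deliberate, since such a name is ambiguous to a server that decodes twice.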

36 Unicode (UTF-8) Encoded
- Unicode is a universal way to represent characters. However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion.
- Microsoft IIS has had security issues in the past while supporting Unicode.

37 URL Encoded String
- The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the allowed characters in URLs to a limited subset of the US-ASCII character set: "...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."

38 XSS Filter-Bypass Manipulation
- This technique is used to pass various types of client-side scripting language through implemented security filters. The idea is to achieve client-side execution of a client-side script. There are several techniques used to perform this attack.

39 Test the Filters
- Submit all the raw HTML tags you can find, and then view the output results.
- Combine HTML with tag attributes such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers).
- This will show what HTML is allowed, what the changes were, and possibly dangerous HTML that can be exploited.

40 SRCing the protocol
- Using the javascript protocol in an HTML source attribute.

41 Alternate Protocol SRCing
- Same technique as the previous; however, using the protocols livescript and mocha will yield the same effect.

42 Decimal HTML Entities
- Variation on the previous techniques: using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript.
- \09 \10 \11 \12 \13 have all been seen to work

43 Hex HTML Entities
- Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.

44 Padding HTML Entities
- Padding HTML entities with 0s may also be used to bypass the filters, yet still execute JavaScript.

45 STYLE JavaScript Type
- Changing the MIME type on a STYLE tag may be used to execute JavaScript.
- JS EXPRESSION: alert(document.domain);

46 STYLE JavaScript X-Type
- Variation on the previous example, but by using the application/x-javascript MIME type the filters may be bypassed.
- alert('JavaScript has been Executed');

47 STYLE JavaScript Import
- Using the @import feature in CSS may be used to perform JavaScript protocol SRCing.
- @import url(javascript:alert('Javascript is executed'));

48 STYLE URL Import
- Using the @import feature in CSS can also be used to import JavaScript from another HTTP resource.
- @import url(http://www.test.com);

49 LINK Style Sheet
- The LINK tag can be used to import JavaScript from a remote HTTP resource.

50 Style Left Expression
- A few CSS features used together to execute JavaScript.

51 Remote SRCing
- A few HTML tags, such as LAYER, ILAYER, FRAME and IFRAME, can be used to src in JavaScript from remote resources.

52 AND CURLY
- Syntax must be exact.

53 Dangerous HTML Tags
- All HTML is to be considered dangerous, but these tags are the most insidious.

54 Dangerous HTML Attributes (HTML tags with these attributes)
- SRC
- LOWSRC
- STYLE
- HREF
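A default-deny check for these attributes, as an added example that is not from the slides: it first undoes what slides 40 to 44 describe (character references in decimal, hex and zero-padded form, embedded control characters) so the check sees the string the browser will act on, then lets only an allow-list of schemes through; the allowed schemes and the plain-attribute list are assumptions.

```python
"""Default-deny check for URL-bearing HTML attributes (added example, not from
the slides). The value is decoded the way a browser decodes it, then only an
allow-listed scheme passes, so javascript:, livescript: and mocha: fail without
being named; STYLE and on* handlers are refused outright."""
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}                  # assumption
URL_ATTRIBUTES = {"src", "lowsrc", "href"}
PLAIN_ATTRIBUTES = {"alt", "title", "width", "height", "class"}  # assumption

# C0 controls and space: browsers of the period skipped them inside a scheme,
# so "jav&#09;ascript:" still ran. Strip them before reading the scheme.
CONTROLS = re.compile(r"[\x00-\x20]")
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)

def browser_view(value: str) -> str:
    """Decode character references (decimal, hex, zero-padded, with or
    without ';') and drop control characters: the string the browser acts on."""
    return CONTROLS.sub("", html.unescape(value))

def scheme_allowed(value: str) -> bool:
    """Relative URLs pass; absolute URLs pass only with an allow-listed scheme."""
    match = SCHEME.match(browser_view(value))
    if match is None:
        return True
    return match.group(1).lower() in ALLOWED_SCHEMES

def attribute_allowed(name: str, value: str) -> bool:
    """Default deny: unknown attributes, every on* handler and STYLE are
    rejected outright (STYLE reaches @import, url() and expression(), and CSS
    has its own escape syntax that this decoder does not cover)."""
    name = name.lower()
    if name in URL_ATTRIBUTES:
        return scheme_allowed(value)
    return name in PLAIN_ATTRIBUTES
```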

55 Why automated tools don't work very well
- Every programmer does things a little differently
- Authentication schemes are hard to automate
- Error codes are not standardized
- Sometimes simple things like SSL get in the way
- Some good things: completeness; large knowledge bases (at least possibly)

56 Why people are better
- Recognition of subtle errors
- We understand the impact, and therefore the risk, of a vulnerability
- We can find real bugs and flaws in logic

57 One tool to rule them all…

58 Conclusion

59 Questions