Into the Mind of the Hacker: Hands-On Web Application Hacking
Adam Doupé, University of California, Santa Barbara
4/23/12
Overview
Think like a hacker
SQL injection
Cross-site scripting (XSS)
Doupé - 4/23/12
Me
7 years as UCSB student
–2nd year PhD student
~1 year at Microsoft as Software Dev
Research securing web applications
Professional pentester
Web Hacks
LulzSec – 2011
–Hacked into Arizona law enforcement
UCLA – 2006
–800,000 identities stolen
University of Texas, Austin – 2006
–197,000 student records stolen
UCSB Hacks
2005 – 30/altered-grades-lead-to-students-arrest/
2000 – http://news.bbc.co.uk/2/hi/business/
Definitions
Security
Vulnerability
Exploit
Hacker
Ethics
Only hack into sites you own
–Or you have permission
You will get caught
Hacker Mindset
Motivation
–Fame
–Money
–Lulz
Understand the application
–Build mental model
Only need to find one flaw
Injection Vectors
User input to the application
Web application
–Query parameters
–POST parameters
–Cookies
–Referer header
–Files
Burp Proxy
Intercepts traffic between you and the website
–Can manipulate the request directly
Industry quality
–I use the full version professionally
Demo
WackoPicko
Background
Added functionality
–Reset
Self-guided exploration
SQL Injection
Allows attacker to alter the semantics of a SQL query
Consequences
–Steal database
–Alter database
–Bypass login
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "10"
select * from `users` where `id` = '10';
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "-1 or 1=1"
select * from `users` where `id` = '-1 or 1=1';
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "-1' or 1=1"
select * from `users` where `id` = '-1' or 1=1';
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "-1' or 1=1; #"
select * from `users` where `id` = '-1' or 1=1; #';
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "-1'; drop table `users`;#"
select * from `users` where `id` = '-1'; drop table `users`;#';
SQL Injection – Examples
"select * from `users` where `id` = '" + $id + "';"
$id = "-1'; insert into `admin` (`username`, `password`) values ('adamd', 'pwned');#"
select * from `users` where `id` = '-1'; insert into `admin` (`username`, `password`) values ('adamd', 'pwned');#';
SQL Injection – Detection
Passive – look for success
–1+2
–(select 2)
Active – look for errors
–O'Malley
–< 10
SQL Injection – WackoPicko
Where is it possible?
–Imagine how the application works
Guided exploration
SQL Injection – WackoPicko
login.php
–What is the error message?
–What does the query look like?
Guided attacking
Demo!
SQL Injection – Second Order
Result of one query used unsanitized in another query
$location = "select location from pizza where id = 1;"
$vuln = "select name from pizza where location = $location"
Where in WackoPicko?
Self-guided exploration
SQL Injection – Second Order
register.php
Self-guided attacking
Completed exploit
–Create user with firstname of ' or 1=1#
–Then visit the similar names page
–See all users
SQL Injection – Prevention
Prepared statements
–Specify the structure of the query first, then provide the arguments
Prepared statements – example
$stmt = $db->prepare("select * from `users` where `username` = :name and `password` = SHA1(CONCAT(:pass, `salt`)) limit 1;");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
$stmt->execute();
Sanitize inputs
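The `users` lookup from the example slides, the second-order case from register.php, and the prepared-statement fix, run side by side against an in-memory SQLite database. This is an added example, not code from the talk or from WackoPicko; the table layout, sample rows and function names are assumptions, and SQLite's `--` comment stands in for the `#` used in the MySQL slides.

```python
# Added demo (not from the slides): string-built queries vs prepared statements.
# Table layout, rows and names are constructed for this example.
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer, username text, firstname text)")
    db.executemany("insert into users values (?, ?, ?)",
                   [(10, "alice", "Alice"), (11, "bob", "Bob"), (12, "carol", "Carol")])
    return db

def lookup_vulnerable(db, user_id):
    # Concatenation exactly as on the "SQL Injection - Example" slides.
    query = "select username from users where id = '" + user_id + "'"
    return sorted(row[0] for row in db.execute(query))

def lookup_prepared(db, user_id):
    # Query structure is fixed first; the value is bound afterwards.
    rows = db.execute("select username from users where id = ?", (user_id,))
    return sorted(row[0] for row in rows)

def similar_names_vulnerable(db, user_id):
    # Second order: a value read back from the database is concatenated
    # unsanitized into a second query (the "similar names" page).
    firstname = db.execute("select firstname from users where id = ?",
                           (user_id,)).fetchone()[0]
    query = "select username from users where firstname = '" + firstname + "'"
    return sorted(row[0] for row in db.execute(query))

def similar_names_prepared(db, user_id):
    firstname = db.execute("select firstname from users where id = ?",
                           (user_id,)).fetchone()[0]
    rows = db.execute("select username from users where firstname = ?", (firstname,))
    return sorted(row[0] for row in rows)

def demo():
    db = make_db()
    payload = "-1' or 1=1 -- "          # SQLite spelling of the slide's "-1' or 1=1; #"
    results = {
        "normal": lookup_vulnerable(db, "10"),     # ['alice']
        "injected": lookup_vulnerable(db, payload),  # every user
        "prepared": lookup_prepared(db, payload),    # [] - payload is just a string
    }
    # Register an account whose first name carries the slide's payload; the
    # insert itself is parameterised, so the payload is stored verbatim.
    db.execute("insert into users values (?, ?, ?)", (13, "mallory", "' or 1=1 -- "))
    results["second_order"] = similar_names_vulnerable(db, "13")  # every user
    results["second_order_prepared"] = similar_names_prepared(db, "13")  # ['mallory']
    return results

if __name__ == "__main__":
    print(demo())
```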
XSS
Malicious JavaScript running in the context of your web application
Consequences
–Steal cookies
–Perform actions as the user
–Present fake login form
XSS – Examples
Hello <?php echo $name; ?>
XSS – Examples
$name = "adam";
Hello adam
XSS – Examples
$name = "<script>alert('xss');</script>";
Hello <script>alert('xss');</script>
XSS – Detection
Understand how input is used in the HTML source
Input "forbidden" characters
–< > ' " ; /
Understand what sanitization is performed
XSS – WackoPicko
Where might there be an XSS?
Guided exploration
XSS – WackoPicko
search.php
Self-guided attacking
–Can you get an alert box to appear?
Demo – fake login form
XSS – WackoPicko
Where does WackoPicko store data?
Where is this echoed to the user?
Self-guided exploration
XSS – WackoPicko
guestbook.php
–Can you get an alert box to appear?
Demo – stealing cookies
HttpOnly for cookies!
XSS – Prevention
Sanitize all user inputs using a known sanitization routine
Depends on context
–< > necessary in HTML
–Only need ' in JavaScript
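The "Hello name" page from the XSS example slides, rendered without sanitization and then with escaping chosen per output context. This is an added example, not code from the talk; the function names are assumptions, the payload is the slide's own, and the JavaScript-string case goes one step beyond the slide by also encoding `<` and `>`, since a stored `</script>` would otherwise close the script block even with quotes escaped.

```python
# Added demo (not from the slides): context-dependent output encoding for XSS.
import html
import json

def render_vulnerable(name):
    # Echoes the parameter straight into the HTML body, as the slide does.
    return "<html>Hello " + name + "</html>"

def render_html_escaped(name):
    # HTML body context: < > & " ' are all turned into entities.
    return "<html>Hello " + html.escape(name, quote=True) + "</html>"

def render_js_quote_only(name):
    # The slide's rule for JavaScript: escape the quote and nothing else.
    return "<script>var name = '" + name.replace("'", "\\'") + "';</script>"

def render_js_string_escaped(name):
    # JavaScript string context: JSON-encode, then also encode < and > so
    # the data can never contain a literal "</script>" that ends the block.
    safe = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var name = " + safe + ";</script>"

def count_script_tags(page):
    # Reviewer's check: how many <script tags does the final page contain?
    return page.lower().count("<script")

if __name__ == "__main__":
    payload = "<script>alert('xss');</script>"   # payload from the slide
    print(count_script_tags(render_vulnerable(payload)))     # 1: payload survived
    print(count_script_tags(render_html_escaped(payload)))   # 0: neutralised
    breakout = "</script>" + payload
    print(count_script_tags(render_js_quote_only(breakout)))      # 2: breakout works
    print(count_script_tags(render_js_string_escaped(breakout)))  # 1: only the page's own tag
```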
Review
Hacker mindset
–Understand the application
–Build a mental model
–Break the mental model
Generalize to your applications
Tools
Wireshark
Burp Proxy
SQLMap
WackoPicko
OWASP Broken Web Apps Project
Google Gruyere
Questions?
Go forth and hack! (ethically, of course)