Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Security-Assessment.com 2005 Exposing Web Vulnerabilities The State of Web Application Security by Nick von Dadelszen.

Published byRudolph Hart Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright Security-Assessment.com 2005 Exposing Web Vulnerabilities The State of Web Application Security by Nick von Dadelszen."— Presentation transcript:

1 Copyright Security-Assessment.com 2005 Exposing Web Vulnerabilities The State of Web Application Security by Nick von Dadelszen

2 Copyright Security-Assessment.com 2005 Security-Assessment.com – Who We Are NZ’s only pure-play security firm Largest team of security professionals in NZ Offices in Auckland, Wellington and Sydney Specialisation in multiple security fields – Security assessment – Security management – Forensics / incident response – Research and development

3 Copyright Security-Assessment.com 2005 Web Application Trends Still seeing old issues – XSS, SQL injection, parameter manipulation New ways to find and exploit existing issues – Input validation, Google Move to hacking the client – Phishing, man-in-the-middle, trojans

4 Copyright Security-Assessment.com 2005 Examples Of New Attacks Null Byte Upload.Net XSS Filtering Bypass HTTP Header Manipulation

5 Copyright Security-Assessment.com 2005 Null Byte Upload 1 ASP has trouble handling Null bytes when using FileScripting Object Take the following HTML code: Your Picture:

6 Copyright Security-Assessment.com 2005 Null Byte Upload 2 Form posts to the following ASP code: Public Sub Save(Path) Set objFSO = Server.CreateObject("Scripting.FileSystemObject") Set objFSOFile = objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile + ".bmp")) ‘ Write the file contents objFSOFile.Close End Sub

7 Copyright Security-Assessment.com 2005 Null Byte Upload 3 If the POSTED filename contains a NULL byte, the FileSystem object only uses the information up to the NULL byte to create the file nc.exe test.bmp creates nc.exe in file system Must use Proxy to change filename WebScarab Handles Hex natively

8 Copyright Security-Assessment.com 2005

9 .Net XSS Filtering Bypass 1 ASP.Net 1.1 contains request Validation Built-in validators allow out-of-the-box protection for XSS and SQL injection Has a flaw allowing bypass of the filters Validator bans all strings in the form of <letter Close tags are allowed

10 Copyright Security-Assessment.com 2005.Net XSS Filtering Bypass 2 Bypass performed by adding a NULL byte between the < and the letter foo.bar/test.asp?term= alert('Vulnerable') Validator no longer sees this as an invalid tag and allows it through Browsers disregard NULL bytes when parsing so HTML code is still run

11 Copyright Security-Assessment.com 2005 HTTP Header Manipulation 1 HTTP Response headers are set by the server When user input is included in headers then an attacker can control those headers Examples of user input included in headers are: – Cookies – Redirections – Referer

12 Copyright Security-Assessment.com 2005 HTTP Header Manipulation 2 Standard redirect – Request: – www.example.com/redirect.asp?query=test – Response headers: – HTTP/1.1 302 Object moved – Location: /index.html?query=test

13 Copyright Security-Assessment.com 2005 HTTP Header Manipulation 3 Header Insertion – Request: – www.example.com/redirect.asp?query=test%0d%0aNew %20Header:%20blah – Response headers: – HTTP/1.1 302 Object moved – Location: /index.html?query=test – New Header: blah

14 Copyright Security-Assessment.com 2005 HTTP Header Manipulation 4 Malicious Redirect (Mozilla Only) – Request: – www.example.com/redirect.asp?query=test%0d%0aLocati on:%20http://www.google.com Response headers: – HTTP/1.1 302 Object moved – Location: /index.html?query=test – Location: http://www.google.com

15 Copyright Security-Assessment.com 2005 Examples Of Other Recent Issues.Net authentication bypass tag escaping Use of TRACE to capture authentication credentials HTTP response splitting Session riding

16 Copyright Security-Assessment.com 2005.Net Authentication Bypass 1 ASP.Net provides built-in Forms-based authentication Web.config tells server when to require authentication – The following in web.config protects the /secure directory

17 Copyright Security-Assessment.com 2005.Net Authentication Bypass 2 Request to a page redirects to a login page – http://www.example.com/secure/somefile.asp Using Mozilla the page is provided unauthenticated – http:// www.example.com/secure\somefile.asp Using IE the following request also works – http:// www.example.com/secure%5csomefile.asp

18 Copyright Security-Assessment.com 2005 GoogleMonster Using The Google Search Engine For Underhand Purposes

19 Copyright Security-Assessment.com 2005 Google Google is a great search tool – Trolls Internet searching for pages – Finds pages based on links – Finds even those pages you don’t want people to know about – Caches pages

20 Copyright Security-Assessment.com 2005 Simple Start We can use a standard Google search to find interesting pages such as indexes. – "index of /etc" – "index of /etc" passwd – "index of /etc" shadow Lots of irrelevant results

21 Copyright Security-Assessment.com 2005 Advanced Operators Google allows us to do more than just simple searching using advanced operators E.g. – filetype: – inanchor: – intext: – intitle: – inurl: – site: – intitle:index.of./etc passwd – filetype:mdb users.mdb

22 Copyright Security-Assessment.com 2005 Combining Operators We can combine multiple operators to create very specific searches – filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To" – "# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd

23 Copyright Security-Assessment.com 2005 Searching For Vulnerabilities We can use Google to search for specific web vulnerabilities – +"Powered by phpBB 2.0.6..10" -phpbb.com -phpbb.pl – inurl:citrix/metaframexp/default/login.asp? ClientDetection=On

24 Copyright Security-Assessment.com 2005 Enter the GHDB GHDB = Google Hacking Database Over 900 unique search criteria for finding information Created and maintained at johhny.ihackstuff.com

25 Copyright Security-Assessment.com 2005 Targeting Websites We can use the site: operator to restrict queries to a particular domain This allows an attacker to use Google to test a site for vulnerabilities without actually touching that site. Enter Wikto – Web Server Assessment Tool

26 Copyright Security-Assessment.com 2005

27 Protecting Against Client Attacks Will Two-Factor Authentication Help?

28 Copyright Security-Assessment.com 2005 What is Two-Factor Authentication Many different types of two-factor – One-time passwords Password-generating token (SecureID, Vasco) SMS tokens Scratch pads – Client-side Certificates Smart cards USB keys – Biometrics

29 Copyright Security-Assessment.com 2005 The Trouble With Two-Factor Designed for small user base Has a usability cost No clear market leader Potentially large implementation costs Will not stop all attacks – Man-in-the-middle – Intelligent Trojans

30 Copyright Security-Assessment.com 2005 The Weakness Of SSL Relies on trust Tells you that you have a secure session with A website, not THE website Certificates can be faked Root certificates can be installed – MarketScore Allows for Man-in-the-middle and IDN attacks

31 Copyright Security-Assessment.com 2005 MITM vs Two-Factor

32 Copyright Security-Assessment.com 2005 Will Two-Factor Help? Does increase security Makes attacks harder Will require attacks to be more focused Must be a business decision – Amount of security required – Cost vs benefit

33 Copyright Security-Assessment.com 2005 Defence Against Client Attacks Authentication is the key – Client authentication – Server authentication Users must protect themselves – Don’t use public terminals – Anti-virus – Firewall – Automatic updates

34 Copyright Security-Assessment.com 2005 Questions?

Download ppt "Copyright Security-Assessment.com 2005 Exposing Web Vulnerabilities The State of Web Application Security by Nick von Dadelszen."

Similar presentations

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts.

Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Copyright Security-Assessment.com 2005 From The Trenches (Australia) What We Are Seeing Within Security Today by Peter Benson.

Copyright Security-Assessment.com 2005 From The Trenches (Australia) What We Are Seeing Within Security Today by Peter Benson.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Copyright Security-Assessment.com 2005 From The Trenches What we are seeing within security today by Nick von Dadelszen.

Copyright Security-Assessment.com 2005 From The Trenches What we are seeing within security today by Nick von Dadelszen.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.

07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.

07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
Copyright Security-Assessment.com 2005 Internet Security and Fraud Current Online Trends by Nick von Dadelszen.

Copyright Security-Assessment.com 2005 Internet Security and Fraud Current Online Trends by Nick von Dadelszen.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
The OWASP Foundation OWASP Chennai 2007 Phishing.

The OWASP Foundation OWASP Chennai Phishing.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Similar presentations

Ads by Google