Scott Stender
Vice President, iSEC Partners
https://www.isecpartners.com
Application Security
What are application attacks?
Attacks on applications that communicate at the upper
Injection
Common class of vulnerabilities
Many languages mix code and data
SQL
XPath
XQuery
XML
XSLT
LDAP
Perl, Python, PHP, ASP
Vulnerability comes from dynamically creating
references instead.
Security Misconfiguration
It's not just your code; think of the entire stack
For Windows Web App:
C# Code, .Net CLR, ASP.Net ISAPI, IIS 6 Worker Process,
HTTP.SYS, Kernel TCP Stack
Configuration of complicated app servers is a difficult
specialty
Too often left to the SysAdmin that thinks Java is an island that
grows coffee
impossible
The entire idea is information on tap
Any magic encryption is useless
Example: Why do hard drive encryption when an
browser?
Also are URLs protected only by being secret?
/admin
/debug
stack
User may trust where they get sent
payload
Use a whitelist; don't let the attacker control this
OWASP Wrap Up
Know a little bit about all of these issues
Code Injection
[Diagram: the attacker sends an HTTP request carrying a username and password to the web app, which builds a command from them for the database server]
well
An error response often indicates an invalid SQL string
A valid return means that some level of protection is in
place
SQL Statement
Username
test_user
Password
test_password
and password = 'test_password'
SQL Statement
Username
test_user
Password
' or 1=1--
and password = '' or 1=1--'
messages
UNION SELECT operations can access all tables
column names
Verification
Every field in a web app should receive every special
character
Review code and stored procedures for dynamic SQL
Static analysis tools are effective for straightforward
injection attacks
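The dynamic-SQL login from the preceding slides beside its parameterized form, as an added example (not code from the deck); the in-memory sqlite3 table is constructed here, and the payload is the deck's `' or 1=1--`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the deck's database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('test_user', 'test_password')")
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Dynamic SQL built by pasting the form fields into the statement.
    The deck's password value ' or 1=1-- closes the literal, ORs in a
    tautology and comments out the trailing quote."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the values travel separately from the SQL text,
    so quotes and -- in the input stay data."""
    sql = "SELECT username FROM users WHERE username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "test_user", "' or 1=1--"))  # True: auth bypassed
    print(safe_login(db, "test_user", "' or 1=1--"))        # False
```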
What is XPath?
XPath is a simple language to locate information in an
XML document
SQL
XPath always returns a set of results
XPath against a simple example:
<car>
<manufacturer>Toyota</manufacturer>
<name>Corolla</name>
<year>2001</year>
<color>blue</color>
<description>Excellent condition, 100K miles</description>
</car>
car returns all children of car node
/car returns the root car element
//car returns all car elements in the document
car//color returns all colors under car element
//car[color='blue'] returns all cars that have a color child equal to blue
LDAP Injection
Company Directory
(cn=Steve)(|Office=*)(|Ext=*)
Username
Steve
Users Info
Steve
Steve Jones
Office: 43-153B
Ext. 3-1337
LDAP Server
User
LDAP Injection
SSN
Salary
Home Address
(cn=Steve)(|SSN=*)(|Office=*)(|Ext=*)
( or )
| (this is an OR function)
& (this is an AND function)
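Escaping the metacharacters listed above before they reach a filter, as an added example (not code from the deck); the directory filter is a well-formed version of the deck's lookup, and the injected value is constructed.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape_filter_value(value: str) -> str:
    """Escape one user-supplied value so it can only ever be compared as an
    attribute value and never closes or opens a filter component."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def directory_lookup_filter(username: str, escape: bool = True) -> str:
    """Well-formed version of the deck's directory query: exact cn match AND
    the entry has an Office or Ext attribute. escape=False reproduces the
    vulnerable string concatenation."""
    cn = ldap_escape_filter_value(username) if escape else username
    return f"(&(cn={cn})(|(Office=*)(Ext=*)))"


def queried_attributes(ldap_filter: str) -> list:
    """Attribute names that appear as filter components; if a user value
    adds one (SSN, Salary, ...) the filter has been injected into."""
    return re.findall(r"\(\|?(\w+)=", ldap_filter)
```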
Response Splitting
HTTP/1.1 200 OK
Cookie: Foo=Bar;
Content-Length: 10
Content-Type: text/html; charset=UTF-8
<HTML></HTML>
HTTP/1.1 200 OK
Cookie: Foo=Bar;
Content-Length: 54
<HTML><BODY><SCRIPT>alert(XSS)</SCRIPT></BODY>
</HTML>
HTTP/1.1 200 OK
X-NULL: ;
Content-Length: 10
Content-Type: text/html; charset=UTF-8
<HTML></HTML>
When using attacker-supplied input in headers, strip the carriage return (\r) and
the newline (\n) characters
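The header check the previous slide calls for, plus a counter that shows how many responses a proxy would parse out of the stream; added example, not code from the deck, and the split payload is constructed after the deck's second response.

```python
import re


def header_value(value: str) -> str:
    """Reject header values that can end the current line. CR, LF and NUL are
    what let attacker input start a new header or a whole new response."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("CR, LF or NUL in header value")
    return value


def build_response(cookie_value: str, body: str, safe: bool = True) -> str:
    """Serialize a minimal HTTP/1.1 response. safe=False reproduces the
    vulnerable pattern of pasting input straight into a header."""
    value = header_value(cookie_value) if safe else cookie_value
    return ("HTTP/1.1 200 OK\r\n"
            f"Set-Cookie: Foo={value}\r\n"
            f"Content-Length: {len(body.encode('utf-8'))}\r\n"
            "Content-Type: text/html; charset=UTF-8\r\n"
            "\r\n" + body)


def count_responses(raw: str) -> int:
    """How many responses a proxy or browser would parse out of this stream."""
    return len(re.findall(r"(?m)^HTTP/1\.1 \d{3} ", raw))


# Constructed payload for the cookie value: it closes the first response with
# an empty body and supplies a second response whose body is script.
SPLIT_PAYLOAD = ("Bar;\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Length: 51\r\n\r\n"
                 "<HTML><BODY><SCRIPT>alert(1)</SCRIPT></BODY></HTML>")
```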
Same-Origin Policy
Applies to cookies
This is why one site can't read your authentication
domain.
We'll talk about this more in the AJAX module
Same-Origin Policy
Adopted by other common browser add-ins
Java, Flash, Silverlight
security.
What keeps ads.untrusted.com from reading data or
sending transactions to your session on
secure.mybank.com in another frame or tab?
The fundamental trust boundary in the browser.
Site
Script Executed
Script
Attacker
Target
Key Question:
What does this accomplish that cannot be
by hosting script on a malicious web site?
Move mouse over
<a href="URL" onMouseOver="winopen();return true;">Security</a>
Common sources
Bulletin board pages
Personal information profile pages
Message boards
Calendars
Link content
<script>alert(1)</script>
<script src="http://foo.com/bad.js"></script>
<a href="javascript:alert(1)">
<a href='javascript:alert(1)'>
<a href="http://www.foo.com" onmouseover="javascript:alert(1)">
function foo()
{var a = 'benign';alert(1);''}
document.write('<a href="http://www.foo.com" onmouseover="" >')
See http://ha.ckers.org/xss.html for more details
Output Validation
Encode text to context-suitable format
Hello <script> Goodbye -> Hello &lt;script&gt; Goodbye
var foo='bar';alert(1)'; -> var foo='bar\x27\x3balert\x281\x29';
Best practice
Use a library specifically for anti-XSS encoding
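The two context encoders behind the examples above (HTML text and a JavaScript string literal), written out as an added example rather than taken from the deck or any anti-XSS library; the `\xHH` output format is the one the deck shows.

```python
import html


def html_encode(text: str) -> str:
    """HTML text/attribute context, the deck's 'Hello <script> Goodbye' case.
    & < > " ' become entities, so the browser renders them as text."""
    return html.escape(text, quote=True)


def js_string_encode(text: str) -> str:
    """JavaScript string-literal context, the deck's var foo='...' case.
    Everything outside [A-Za-z0-9] becomes \\xHH (or \\uHHHH), so the value
    can never close the quote, add a statement, or contain </script>."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        elif cp < 0x10000:
            out.append(f"\\u{cp:04x}")
        else:  # astral code point: emit a UTF-16 surrogate pair
            hi, lo = divmod(cp - 0x10000, 0x400)
            out.append(f"\\u{0xD800 + hi:04x}\\u{0xDC00 + lo:04x}")
    return "".join(out)


def render_script_var(user_value: str) -> str:
    """Emit the deck's snippet with the value encoded for its context."""
    return f"var foo='{js_string_encode(user_value)}';"
```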
Introduction
But I already know all about cookies
Maybe you do, but the developers of applications we test tend not to!
The attacks against cookies, and the number of things that can go
To network administrators
Introduction
Most web applications use client-side cookies to index a
Introduction
These applications usually do have some state, but it is stored in the cookie, rather
than the cookie being a reference.
Drawbacks:
The confidentiality and integrity problems are rarely handled well
There is a limit on the size of cookies
Replay attacks (!)
Benefits:
Easy load-balancing and HA
Small server memory footprint
Perhaps lower latency (fewer wacky network appliances)
I won't talk about these applications today, since they are rare and hairy.
Cookie Attributes
Each of these attributes has a security function, and they can interact in
sometimes surprising ways. More on that later.
I'll use the term "scope" to refer to the combination of Domain, Port, and Path.
Setting Cookies
The server sets the cookie by putting a Set-Cookie header in the response.
HTTP/1.1 200 OK
Date: Sat, 14 Jan 2017 20:24:31 GMT
Sending Cookies
The client sends the cookie by putting a Cookie header in the request.
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT
5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: www.example.com
Cookie: JSESSIONID=3E880015CF879C5014FEAB04C6623203
victim's session.
The victim may become annoyed
If the cookie is not well protected from eavesdroppers, malicious script in the browser
(XSS), or scope tricks, the attacker wins.
Attackers can use passive network eavesdropping (sniffing) to read cookie values
(and, of course, entire requests and responses) when the application does not use
HTTPS.
Attackers can trick the browser into handing them the cookie.
DNS poisoning
Anti-DNS pinning
Setting up a malicious server in the domain
Active network attacks
session!
The browser really wants to send the cookie over a plaintext connection; the attacker just
has to ask it nicely.
Since the server is not listening on port 80, the client cannot create a TCP connection to it,
and thus cannot send the cookie.
Additional Discussion
What about load balancers and other network devices that
Additional Discussion
1. Since the attacker owns the network, how do we ever
trust an endpoint?
Conclusions
Assume the attacker owns the network.
Every aspect of the cookie must be solid, or you have no
vulnerable.
You'll want source code, or many samples and the NIST test suite
form posts
Session Riding
Descriptive name, used by Martin Johns at informatik.uni-hamburg.de
CSRF
Cross Site Request Forgeries common abbreviation used
by CVE
CSRF Explained
Story
An innocent victim was monitoring his net worth with a stock ticker
CSRF Explained
7. Gets his monthly statement from his stock broker, and
So what happened?
CSRF Explained
Web applications with predictable Actions are
susceptible
For example this simple HTML form:
<form action="transfer_money.cgi">
Account to transfer into <input type="text" name="account">
<input type="text" name="amount">
</form>
CSRF Explained
[Diagram: the victim's browser (Internet Exploder) does GET news.html from www.cybervillians.com ("Bernanke Really an Alien?"); the returned HTML and JS pulls in a script from ticker.stockbroker.com, and the Java stock ticker talks to StockBroker.com]
CSRF Explained
Applications are vulnerable to CSRF when:
AND
Detection
Discovering CSRF vulnerabilities is simple:
Look at the POSTs or GETs that cause a change
Eliminate unpredictable components
See if the change still works
There are often no unpredictable components!
In this case assuming susceptibility is reasonable
GET http://www.vulnerable.com:80/createUser?name=Bob&level=Admin&password=pass HTTP/1.1
GET http://www.vulnerable.com:80/editUser?newPassword=goof&newPassword2=goof&CSRF_Token=7a6287d13f3919e4557a3d88b12a00a1927163831199 HTTP/1.1
safe.
<script>document.evil.submit()</script>
too.
attacks
BUT
can help you isn't a reasonable standard for security
The exact mechanism used is undocumented
Suggested values include the user's name and session ID.
AJAX Attacks
Asynchronous JavaScript And XML
AJAX Intro
Common AJAX Mechanism:
1. Download HTML and Framework Script
2. Upstream XML, JSON or JavaScript Arrays
3. Downstream eval-able Javascript
1. HTTP GET
2. HTML and JS
AJAX Vulnerabilities
XSS
How many ways to break out when your code is already inside of JavaScript?
XML Injection
In situations where response is full XML
<downstreamInfo>
<item>foo</item><dangerousItem>bar</dangerousItem><item></item>
</downstreamInfo>
AJAX Vulns
AJAX XSRF
iFRAME method
4. iFRAME does XMLHTTP request to stocktrader.com, browser automatically
appends cookie
Bottom Line:
All AJAX apps that only rely on cookies are vulnerable
Solution: In-band state management
Generate a token, include with requests
*Google for XMLHTTP Cross-Domain
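The in-band token the slide above recommends, serving both the CSRF detection discussion (a request stripped of its unpredictable component must stop working) and the AJAX case; added example, not code from the deck, with a constructed server key and a model editUser handler.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment loads it from its key store.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, action: str) -> str:
    """In-band state the forging page cannot supply: an HMAC over the session
    id and the action it authorizes. The session cookie alone proves nothing,
    because the browser appends it to the attacker's request automatically."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, action: str, token: str) -> bool:
    """Recompute and compare in constant time; a missing, truncated or
    wrong-session token simply fails."""
    expected = issue_csrf_token(session_id, action)
    return hmac.compare_digest(expected.encode(), (token or "").encode())


def handle_edit_user(session_id: str, params: dict) -> str:
    """Model of the deck's editUser endpoint: the state change happens only
    when the request carries the token issued to this session."""
    if not verify_csrf_token(session_id, "editUser", params.get("CSRF_Token", "")):
        return "403 Forbidden"
    return "200 OK: password changed"
```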
Directory Traversal
Directory traversal has plagued many commercial web servers for several
years, including IIS and Apache
This is a classic attack that affects more than just web servers
Anybody who uses operating system file I/O libraries is vulnerable!
fopen()
ReadFile()
CreateFile()
WriteFile()
Can result in
Enumeration of information
Exposure of sensitive files
Arbitrary System Control
Examples
Directory Traversal
../../..
..%c0%af..%c0%af..
/~root
/icons/
Directory Traversal
Breaking out of the web root
/ can be re-encoded to %c0%af in order to bypass web server filters
/../.. is equal to ..%c0%af..%c0%af..
%255c also
\..\.. is equal to ..%255c..%255c..
http://127.0.0.1/index.html
Change directories (cd ..) back to / and then on to /etc/passwd
https://127.0.0.1/index.html/../../../etc/passwd
Chroot jails are often used to lock Apache to its own section of the file
system
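A path-containment check that handles the encodings the slides above list (`%c0%af`, `%255c`, backslashes, `index.html/../..`), as an added example that is not part of the deck; the document root is constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # constructed document root for the example


def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Map a URL path onto a file under root, or return None if it escapes.
    Decode exactly once, refuse anything that still looks encoded, treat
    backslashes as separators (IIS does), then canonicalize BEFORE the
    containment check. Checking first and canonicalizing later is the bug."""
    try:
        decoded = unquote(request_path, errors="strict")
    except UnicodeDecodeError:
        return None  # e.g. %c0%af: overlong UTF-8 that some servers read as '/'
    if "%" in decoded or "\x00" in decoded:
        return None  # %255c survives one decode as %5c: a second encoding layer
    decoded = decoded.replace("\\", "/")
    root = root.rstrip("/")
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full
```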
Directory Traversal
IIS
http://<testsite>/scripts/..%255c..%255c../winnt/system32/cmd.exe?/c
+dir
Apache
http://<testsite>/icons/
Information Disclosure
For this reason, GET requests should not include any sensitive data that would
allow an attacker to either learn secret information or to replay transactions.
Never mixing HTTP with HTTPS pages avoids many common scenarios of data
disclosure.
If HTTP and HTTPS are mixed, loading off-site content may send the Referer
header over the network in the clear, and on-site content will cause the browser
to send session cookies in the clear.
Additionally, this introduces the possibility for an attacker with control over the
network to modify server responses, causing the user to execute JavaScript and
granting the attacker control over the user's browser.
For these reasons, all content delivered to a user from a HTTPS web page should
be encapsulated by SSL.
The Referer HTTP header is sent to a server when a user loads content from a
domain different than that of the previous query. This can either be a link to
another website, or an image loaded from another server.
The Referer contains the full GET content of the previous request. The Referer is
not sent to a non-secure page if the referring page was viewed over a secure
connection. However, if both the referring page and the referred page are loaded
over a secure connection, the Referer header is still sent.
This means that when loading a page over a secure HTTPS connection which
includes images delivered from a remote site, also over HTTPS, the content of the
last GET request is sent to the third party.
Security Testing
Tool Classes
Attack Proxies
Intercept, display, and modify requests
Key benefits: profiling, directed testing
Passive Proxies
Keep an eye out, note security flaws
Key benefits: simple flaws and configuration issues
Attack Proxies
Key Features
Intercept and display web requests and responses
Modify and replay requests
Automated analysis
Examples
Fiddler
Good for Windows-based work, bad for heavy testing
WebScarab
Good for multi-platform use, ugly and not user-friendly
Passive Proxies
Key features
Intercept and analyze web requests
Identify those flaws that do not require testing
Good for configuration settings, cookie properties,
etc.
Examples
Watcher - Fiddler plugin
Proxmon - Webscarab log analyzer
page
Provide automated testing for common flaws
Examples
WhiteHat
WebInspect
Test Methodology
No Silver Bullet!
Use the best tool for the specific job at hand
necessary
Cryptographic Foibles
Common Scenarios
State-filled cookies
Encrypted URL Parameters
Integrity != Privacy
The Details
Encryption provides privacy of data
HMAC or Digital Signatures provide for its integrity
Examples of Failure
Stream ciphertext bit flipping
CBC IV/Block bitflipping
Padding Oracle
Block reordering
In short
Hash or sign data you want to protect from
tampering
Encrypt data you want to keep people from knowing
Encrypt, then sign the ciphertext, if you need both
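Why "Integrity != Privacy" and what "encrypt, then sign the ciphertext" buys, as an added example that is not part of the deck: the stream-cipher bit flip from the failure list goes through unnoticed on bare ciphertext and is rejected once an HMAC covers the ciphertext. The keystream is a constructed HMAC-SHA256 counter stream standing in for any stream or CTR cipher, and a 16-byte nonce is assumed.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo keystream (HMAC-SHA256 over nonce||counter, constructed for this
    example). Any stream cipher or CTR mode is malleable in the same way."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the keystream is its own inverse


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Why encryption alone is not integrity: whoever knows that plaintext
    bytes `old` sit at `offset` can XOR in old^new and the receiver decrypts
    `new`, with no key material involved."""
    c = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return bytes(c)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then sign the ciphertext: HMAC over nonce||ciphertext with a
    separate key, appended as a 32-byte tag."""
    ct = encrypt(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify before decrypting; return None on any tag mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, nonce, ct)
```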
Authentication Patterns
Patterns
Forms-based authentication
Integrated HTTP Authentication
Benefits
Simple, ubiquitous
Flexible
Risks
Passwords Leak!
Benefits
Session cookie may not be required
Can eliminate direct password use
Risks
Most options provide little or no protection to the
password
Not tied to outer SSL channel
Benefits
Simple, distributed authentication for Windows clients
and servers
Risks
Transparent authentication without binding is
dangerous!
Federated Identity
Hook multiple domains of authentication together
Technology varies
Key concern: trusted counterparty vouches for
Risks
Unconstrained claims
Certificate Authentication
An optional exchange in SSL/TLS that provides client
identity
Server maps certificate details to known principal
TCP socket mapped to principal for duration
Benefits
No need for session cookie
Guaranteed to be bound to a secure channel
Risks
Can be expensive/painful to manage
Potential for leaking private details in certificate
Thank You!
scott@isecpartners.com