1 / 36

Web application security High tech threats

Web application security High tech threats. Ivan Marković IT Security Consultant. Reference. Web aplikacije. Šta su web aplikacije i web tehnologije ? Klijent Server. Web aplikacije. Zašto su web aplikacije u većini slučajeva prva meta zlonamernih korisnika ?

dick
Download Presentation

Web application security High tech threats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web application security High tech threats Ivan MarkovićIT Security Consultant

  2. Reference

  3. Web aplikacije • Šta su web aplikacijei web tehnologije? • Klijent • Server

  4. Web aplikacije • Zašto su web aplikacije u većini slučajeva prva meta zlonamernih korisnika? • Dostupnost, održavanje, ...

  5. Web aplikacije • Kako web aplikacije i propusti u njima ugrožavaju online i offline sisteme? • Kakozaobilazeuobičajne metode zaštite?

  6. Web aplikacije / Top Threats • A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object ReferencesA • 5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards

  7. High Tech Vulnerabilities • Kakokombinacijauobičajnih propusta niskog rizika postaje ulaz za hakere?

  8. EverCookie • Virtually irrevocable persistent cookies- SamyKamkar, http://samy.pl/evercookie/ • Storage mechanisms:- Standard HTTP Cookies - Local Shared Objects (Flash Cookies) - Silverlight Isolated Storage - Storing cookies in Web History - Storing cookies in HTTP ETags - Storing cookies in Web cache - window.name caching - Internet Explorer userData storage - HTML5 Session Storage, Local Storage, Global Storage, Database Storage via SQLite - Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out

  9. Fun with Cookies • Visitor Tracking Without Cookies (or How To Abuse HTTP 301s) http://www.scatmania.org/2012/04/24/visitor-tracking-without-cookies/ • XSS: Gaining access to HttpOnly Cookie in 2012 http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html

  10. New DDoS tricks • Slowloris- Robert Hansen, http://ha.ckers.org/slowloris/- Keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing • Slow HTTP POST Attack- OnnChee Wong, http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf - OSI Layer 7- Content-Length: 1000 (bytes) / but send it 1 byte per 110 seconds

  11. New DDoS tricks • Javascript LOIC- Low Orbit Ion Cannon - an open source network attack application, written in C# • HTML 5 WebWorkers and Cross Origin Requests- LavakumarKuppan, http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-html5.html

  12. Click Jacking • also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level pagehttp://www.owasp.org/index.php/Clickjacking

  13. Click Jacking • http://www.sectheory.com/clickjacking.htm

  14. Browser Auto Complete • I want to know your name, who you work for, where you live, your email address ... - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html • Safari Address Book Autofill • Internet Explorer stealing previously entered data • Writing to auto complete • Read remembered passwords

  15. Browser Auto Complete • Safari Address Book Autofill

  16. Browser Auto Complete • Safari Address Book Autofill

  17. Browser Auto Complete • Safari Address Book Autofill<form> Name: <input type="text" name="name"> Company: <input type="text" name="company"> City: <input type="text" name="city">State: <input type="text" name="state"> Country: <input type="text" name="country"> Email: <input type="text" name="email"> </form>

  18. Browser Auto Complete • I want to know your name, who you work for, where you live, your email address ... - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html • Safari Address Book Autofill • Internet Explorer stealing previously entered data • Writing to auto complete • Read remembered passwords with XSS

  19. Browser and Web app plugins • Browser plugins, http://research.zscaler.com/2011/02/browser-plugins-and-security.html • Security considerations:- see login/password credentials in clear text - send back the credentials to any website - modify the web pages seen by the user- add/delete/modify files on the computer - run executables

  20. Browser plugins • Malicious browser plugins examples:2007: Firebug goes evil: http://www.gnucitizen.org/blog/firebug-goes-evil/console.log({'<script>alert("bing!")</script>':'exploit'})2009: NoScriptvsAdblock: http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=217700105

  21. Browser plugins • Malicious browser plugins examples:2010: TROJAN: http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/ - Sothink Web Video Downloader / Win32.LdPinch.gen- Master Filer / Win32.Bifrose.32.BifroseBtw, how is situation in the wild ?

  22. Web app plugins • Web application plugins - Wordpress, Joomla, …http://secunia.com/advisories/search/?search=wordpress

  23. Web app plugins • Web application plugins - Wordpress, Joomla, … http://secunia.com/advisories/search/?search=joomla

  24. XSS in IE XSS Filter • Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/ Internet Explorer 8 implements an anti Cross-site Scripting (XSS) mechanism to detect certain types of XSS attacks. This feature can be abused by attackers in order to enable XSS on web sites and web pages that would otherwise be immune to XSS. For the most part, this neutering mechanism is effective at blocking certain types of XSS attacks from occuring. However, altering a server's response before it gets rendered by the browser may have unintended consequences.

  25. XSS in IE XSS Filter • Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/ Example: <img alt="[injection here]" src="x.png"> Injection string: x onload=alert(0) x <img alt="x onload=alert(0) x" src="x.png"> - will not execute the alert <img alt#"x onload=alert(0) x" src="x.png"> - will execute the alert

  26. Cross Site Request Forgery • CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticatedhttp://secunia.com/advisories/search/?search=Cross+Site+Request+Forgery&sort_by=date

  27. Cross Site Request Forgery • Facebook: http://www.john-jean.com/blog/advisories/facebook-csrf-and-xss-vulnerabilities-destructive-worms-on-a-social-network-350 • Twitter: http://techcrunch.com/2010/09/26/dont-click-the-wtf-link-on-twitter-unless-you-do-like-sex-with-goats

  28. HTTP Parameter Pollution • Stefano di Paola and Luca Carettoni, http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf • How does your application respond if it receives multiple parameters all with the same name ? • Bypass firewall, Change application behaviour, …

  29. HTTP Parameter Pollution

  30. HTTP Parameter Contamination HTTP PARAMETER CONTAMINATION (HPC) original idea comes from the innovative approach found in HPP research by exploring deeper and exploiting strange behaviors in Web Server components, Web Applications and Browsers as a result of query string parameter contamination with reserved or non expected characters. Some facts: - The term Query String is commonly used to refer to the part between the “?” and the end of the URI - As defined in the RFC 3986, it is a series of field-value pairs - Pairs are separated by “&” or “;” - RFC 2396 defines two classes of characters: Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( ) Reserved: ; / ? : @ & = + $ , Unwise: { } | \ ^ [ ] `

  31. INTRANET Hacking • From Website to LAN • Browser plugins • Cross Site Request Forgeryhttp://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/ • CSS History Hack for Port Scanning (with and without Java Script): http://ha.ckers.org/blog/20100125/css-history-hack-in-firefox-without-javascript-for-intranet-portscanning/

  32. INTRANET Hacking • From Website to LAN • Cross Site Request Forgeryhttp://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/

  33. INTRANET Hacking • From Website to LAN • Cross Site Request Forgeryhttp://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/ .: POC (CSRF / Change password)http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD .: POC (CSRF / DoS)http://PUBLIC_IP_OF_USER/rebootinfo.cgi

  34. Exotic threats in 2012 • White Hat Security Exotic Threats http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/

  35. Playground • Demo okruženje za analizu bezbednosti • BackTrack Linux • Metasploit

  36. PITANJA

More Related