370 likes | 397 Views
Web Application Exploits. Reading. Required: Stuttard and Pinto: Chapter 3 Review: OWASP: 2013 Top 10 List, https://www.owasp.org/index.php/Top_10_2013-Top_10 Recommended: cool tutorials
E N D
Web Application Exploits Computer Science and Engineering
Reading • Required: • Stuttard and Pinto: Chapter 3 • Review: OWASP: 2013 Top 10 List, https://www.owasp.org/index.php/Top_10_2013-Top_10 • Recommended: cool tutorials • Google Gruyere Codelab tutorial by Bruce Leban, Mugdha Bendre, and Parisa Tabriz, http://google-gruyere.appspot.com/part1#1__setup • How To Break Web Software - A look at security vulnerabilities in web software, http://www.youtube.com/watch?v=jXP7b-xby6U • DEFCON 19: Web Application Analysis With Owasp Hatkit, http://www.youtube.com/watch?v=JjJQ9b80xsE&feature=relmfu Computer Science and Engineering
Web security: primary target to attacks • Web Application technologies • Client side • Server side • Application • Transfer protocol • Common vulnerabilities Computer Science and Engineering
Web Application Architecture XSS Malware Session hijack Redirection … Web service Injection attacks Information leakage DOS Unauth. modification Communication security Database Web server Auth. service Access control client Forged credentials Unauthorized access Computer Science and Engineering
Client Side • Request resources – http requests • Technologies to support functionality • Browser • HTML • Hyperlinks • Forms • Scripts • Custom client components Computer Science and Engineering
Server side • Receive client request, URL query string, HTTP cookies, or in request body • Technologies to supply functionality: • Scripting languages: PHP, VBScript, Perl • Web application platform: ASP.NET, Java • Web Servers: Apache, IIS, Netscape Enterprise • DBMS: Oracle, MySQL, SQL-Server, • Back-end components Computer Science and Engineering
The HTTP Protocol • Hyper Text Transfer Protocol • Stateless • Application layer protocol -- Layered on top of TCP • Client Server Model • Request-response communication • Originally developed to retrieve static text-based resources Computer Science and Engineering
HTTP Request • Request line • HTTP method • Requested URL • HTTP version • Header lines • Host, Referer, Cookie, User-Agent, Connection, etc. • Request body Computer Science and Engineering
GET • Passes all request data in the URL query line • GET /search?q= Web+Technologies HTTP/1.1 • Host: www.cse.edu… Computer Science and Engineering
Post • Passes all data in the HTTP request body • POST /search?HTTP/1.1 • Host: www.cse.edu… • q= Web+Technologies Computer Science and Engineering
HTTP Response • Status line • HTTP version • Numeric status call indicating the result of the request • Txt reason phrase describing the status of the response • Header lines • Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length • Response body Computer Science and Engineering
Status Codes • 1xx – Informational • 2xx – the request was successful • 3xx – the client is redirected to a different resource • 4xx – the request contains an error of some kinds • 5xx – the server encountered an error fulfilling the request Computer Science and Engineering
Commons Status Codes • 200: OK • 302: Location redirection • 401: client is unauthorized for the resource • 403: forbidden even if the client has the credentials • 404: not found • 500: internal server error caused by the request Computer Science and Engineering
Issues for HTTP Methods • GET – retrieves a resources • Send parameters to the requested resource • Be Aware! URLs are stored and displayed -> do not include sensitive data in the query string • POST – performs an action • Request parameters sent in the URL query string or in message body • Be Aware! Back button use warning • Other methods: Head, Trace, Put, etc. Computer Science and Engineering
HTTPS • HTTP tunneled through SSL • HTTP Proxies • Using HTTP • Using HTTPS • Proxy is a man-in-the-middle • Pure TCP level relay Computer Science and Engineering
HTTP Authentication • Basic: sends user credentials as a Base64-encoded string in a request header • NTLM: Challenge-response using Windows NTLM protocol • Digest: challenge-response using MD5 and checksum of a nonce with the user’s credentials Computer Science and Engineering
State and Session • Client and server exchange and process data • Application needs to maintain the state of each user interactions • Server side structure: session • Client side: sent by the server and protected from tampering • Stateless HTTP token to identify user sessions Computer Science and Engineering
HTTP Vulnerabilities • Header-based attacks: not very common • Headers are simple • Any command or response that is not valid, ignored • Header are free form several options on how to interpret data • Buffer overflow may occur • Client- and server side executables : data may be passed to other applications Computer Science and Engineering
HTTP Vulnerabilities 2. • Protocol-based attacks: most common • Incorrect authentication • Access directories (username/password) by stolen credentials • Authentication travels as clear text • Challenge response • Cookes • Spoofing attacks Computer Science and Engineering
HTTP Vulnerabilities 3. • Traffic-based attacks • Denial of Service attacks • Traffic privacy violations Computer Science and Engineering
Web Application Characteristics Computer Science and Engineering
Functionality • Server side technologies: • Scripting languages • Web application platform • Web server software • Databases • Back-end components • Client-side technologies: • Browser Extension technologies Computer Science and Engineering
Application Characteristics • Understand what application does and how it behaves • Content • Functionality • Find out: • Application behavior • Core security mechanisms • Technologies being used • Client side • Server side Computer Science and Engineering
Enumerating Content and Functionality • Manual vs. automated browsing • Walk through the application • Follow every link • Navigate through multistage functions • Web spidering • Tools to follow all links until no new content is found • Can parse static HTML, multi-stage functionality, form-based navigation, client-side JavaScript Computer Science and Engineering
Robots.txt • Web servers maintain in root • Contains list of URLs not available for web spiders • Can be used by spiders as the seed • References to sensitive functionality Computer Science and Engineering
Automated Spidering • E.g., Burp Spider, WebScarab • General limitations: • Cannot handle dynamically created menus • Limited depth to find links • May fail input validation for multistage functionality • Unique content is identified by URL not good for form-based navigation • May fail authentication session Computer Science and Engineering
User Directed Spidering • User walks through the application and uses a spider to collect and analyze findings • Good for • Unusual or complex navigation needs • User control of input data • User can login to application and pass authentication • User can decide on requested functions Computer Science and Engineering
Hacking Steps 1. • Configure browser to use spider • Browse the application normally • Visit every link • Proceed through multi-stage functions • JavaScrip enabled/disabled; cookies enabled/disabled • Review site map to identify non-visited content • Do an automated spidering Computer Science and Engineering
Discovering Hidden Content • Not directly linked to or reachable from the main page • E.g., testing and debugging content, different functionality for different types of users, backup copies, archives, old version of files, default application functionality, log files, etc. • Added attack points, sensitive content, etc. • Automated, brute-force attack: Burp Intruder Computer Science and Engineering
Hacking Steps 2 • Make unusual requests and identify response • Use site map to identify hidden content • Use brute-force attacks to identify how application handles requests • Manually review responses • Inferencing from published content (e.g., naming) • Compile list of names of subdirectories • Identify naming schemes, file extensions • Review all client side code • Look at temporary files • Burp: Content Discovery – automate attack Computer Science and Engineering
Use Public Information • Find old resources • Search Engines: • Advanced Search: resource, login, links, related • Google domains • Omitted results • Cashed versions • Other domains of the same organization • Web archives, e.g., WayBack Machine Computer Science and Engineering
Web Server Vulnerabilities • Web server software vulnerability • Default content • Sample and diagnostic scripts • Standard functionality • Wikto: a tool that checks for flaws in web servers • http://sectools.org/tool/wikto/ Computer Science and Engineering
Additional Mappings • Functional paths • URL query parameters, REST-style URLs • Discovering Hidden Parameters • Try default parameter names, e.g, debug, test, hide, etc. • Monitor responses to identify anomalies • Analyzing Applications • Functionality, behavior, security • Server side functionality Computer Science and Engineering
Mapping the Attack Surface • Use the results of the analysis to find vulnerabilities Computer Science and Engineering
SOA Service Communication • Simple Object Access Protocol (SOAP)-based • REST based (no additional messaging layer) • Communication over HHTP Computer Science and Engineering
Industry standards • XML • XML encryption • XML Signature • Canonical XML • Decryption Transformation for XML Signature • WS-Security • Security Assertion Markup Language (SAML) Computer Science and Engineering
Next Class • XML, RDF, Web application security Computer Science and Engineering