COMMON APPLICATION FLAWS
Back To Basics

Objective
• Provide an overview of common application flaws
• No ‘exploitation’ techniques
• Discussion based, to provide an understanding
• To provoke thinking
• Originally going to provide a Tokemon walkthrough
• Won’t work over conference call

OWASP Top Ten Summary

Cross Site Scripting
• <script>alert()</script>
Injection Flaws
• SQL, LDAP, XML, etc
File Execution
• Scripting, RFI, shell execution
Direct Object Reference
• /access.asp?record=##
Cross Site Request Forgery
• Session riding, accessing internal devices

OWASP Top Ten Summary

Information Leakage and Error Handling
• Every bit of information helps an attacker
Broken Authentication and Session Management
• Login bypass, cookie manipulation
Insecure Cryptographic Storage
• Static keys, non seeded encryption
Insecure Communications
• HTTP, clear text internal web services
Failure to Restrict URL Access
• /adminportal/adminfunction?action=adduser&user=me

User Supplied Input Is The Cause

Comes from many places
• Passed on the URL, or as a parameter
• Passed in posted data, hidden fields
• Passed in HTTP headers, referer
• Cookie data, client certificates, files for import, etc.

THE USER CAN NOT BE TRUSTED... EVER
• Validate ALL user input, server side
• Cint(), isDate(), len() <= x, isAlphaNumeric()
• Whitelist, NOT blacklist
• Decode input, in the correct order, and in the right case
• Filter output at use
• Different uses of data require different filters

Faulty Filters Worse Than No Filters

Function to filter user input; it looks for the use of a semicolon, and for the term exec followed by a space:

    function cleanrequest(theID)
        theID = lcase(theID)
        if instr(theID, ";") > 0 then
            theID = left(theID, instr(theID, ";") - 1)
        end if
        if instr(theID, "exec ") > 0 then
            theID = left(theID, instr(theID, "exec ") - 1)
        end if
        cleanrequest = theID
    end function

Request the filter catches:

    /page.aspx?theID=1;exec xp_cmdshell 'serverpwnage.exe';

This filter can be bypassed by using a tab character as a separator:

    /page.aspx?theID=1%09exec%09xp_cmdshell 'serverpwnage.exe';

Faulty Filters Worse Than No Filters

Function to display user input; it looks for the term script, removes it, and displays the filtered data:

    function displayText($htmlInput) {
        $htmlInput = str_ireplace("script", "", $htmlInput);
        echo $htmlInput;
    }

Request the filter catches:

    /page.php?htmlInput=<script>alert()</script>

These types of filters are just rubbish! Removing the term once re-joins the halves of a nested copy of it:

    /page.php?htmlInput=<sscriptcript>alert()</sscriptcript>

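The two filters from these slides rebuilt in Python next to the whitelist check the earlier slide asks for (validate server side, whitelist not blacklist, decode input before checking it). This is an added example, not code from the slides; the function names and the rule that theID must be a bounded positive integer are assumptions made for the demo, and the request values are the slide's own.

```python
import re
from urllib.parse import unquote


# Port of the slide's VBScript cleanrequest(): a blacklist that cuts the value at the
# first semicolon and at the first "exec " (exec followed by a space). Kept faithful.
def cleanrequest(the_id: str) -> str:
    the_id = the_id.lower()
    if ";" in the_id:
        the_id = the_id[: the_id.index(";")]
    if "exec " in the_id:
        the_id = the_id[: the_id.index("exec ")]
    return the_id


# Port of the slide's PHP displayText() filter: one case-insensitive, non-recursive
# removal of the word "script". Removing a term once re-joins a nested copy of it.
def display_text_filter(html_input: str) -> str:
    return re.sub("script", "", html_input, flags=re.IGNORECASE)


# Whitelist for theID (assumed rule): after decoding, the value must be a bounded
# positive integer. Separators, keywords, tabs and letters are rejected, not "cleaned".
ID_RE = re.compile(r"[0-9]{1,9}")


def validate_id(raw_param: str) -> int:
    decoded = unquote(raw_param)  # decode first, then validate the decoded form
    if not ID_RE.fullmatch(decoded):
        raise ValueError("theID must be a positive integer, got %r" % decoded)
    return int(decoded)


def accepted_by_blacklist(raw_param: str) -> bool:
    """True when the slide's blacklist lets the decoded value through still holding 'exec'."""
    return "exec" in cleanrequest(unquote(raw_param))


def accepted_by_whitelist(raw_param: str) -> bool:
    try:
        validate_id(raw_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The slide's space-separated request, its tab-separated bypass, and a normal value.
    for param in ("1;exec xp_cmdshell 'serverpwnage.exe';",
                  "1%09exec%09xp_cmdshell 'serverpwnage.exe';",
                  "42"):
        print(repr(param),
              "blacklist passes exec:", accepted_by_blacklist(param),
              "whitelist accepts:", accepted_by_whitelist(param))
    print(display_text_filter("<sscriptcript>alert()</sscriptcript>"))
```

The displayText case is not a validation problem at all but an output problem: the fix is to encode the value for the HTML context at the point where it is echoed, rather than trying to strip words out of it.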
The Clean Server

Robots.txt / Sitemap.xml
• Often reveal more than they should
• Spiders don’t have to obey
Things that don’t belong
• Site archives
• .svn trees
• .inc, .cfg, .txt, .bak, .backup
• Admin portals
• ‘hidden’ paths
• Virtual sites

Don’t Want It Indexed? Don’t Link It!
Don’t Want It Found? Don’t Put It There

Examples:
http://www.owasp.org/_admin/
http://www.owasp.org/_database/
http://www.owasp.org/_debug/
http://www.owasp.org/_debuglogs/
http://www.owasp.org/_includes/
http://www.owasp.org/admin/
http://www.owasp.org/adminportal/
http://www.owasp.org/adminsite/
http://www.owasp.org/console/
http://www.owasp.org/backups/
http://www.owasp.org/logs/
http://www.owasp.org/admin/adminpage.jsp
http://www.owasp.org/sysadmin/
http://www.owasp.org/sites/
http://www.owasp.org/admin/admin.
http://www.owasp.org/admin/admin.asp
http://www.owasp.org/admin/admin.bak
http://www.owasp.org/admin/admin.inc
http://www.owasp.org/admin/admin.log
http://www.owasp.org/admin/admin.jsp
http://www.owasp.org/admin/admin.php
http://www.owasp.org/admin/adminpage.
http://www.owasp.org/admin/adminpage.asp
http://www.owasp.org/admin/adminpage.bak
http://www.owasp.org/admin/adminpage.inc
http://www.owasp.org/maintentance/
http://www.owasp.org/admin/adminpage.php

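A webroot hygiene check for the "things that don't belong" list above: it walks a document root and reports .svn trees, archives, and .inc/.cfg/.txt/.bak style files that should never be served. This is an added example, not a tool from the slides; the extension and directory lists are assumptions you would extend for your own site, and the demo webroot it builds is constructed.

```python
import os
import tempfile

SUSPECT_DIRS = {".svn", ".git", "backups", "logs", "_admin", "_database", "_debug", "_debuglogs"}
ARCHIVE_EXTENSIONS = {".zip", ".tar", ".gz", ".tgz", ".rar", ".7z"}
SUSPECT_EXTENSIONS = {".inc", ".cfg", ".txt", ".bak", ".backup", ".old", ".orig", ".log", ".sql", ".mdb"}
EXPECTED_TXT = {"robots.txt"}  # the one .txt file that belongs at the top of the webroot


def find_stray_files(webroot: str):
    """Walks the webroot and returns (relative path, reason) for things that don't belong."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        for name in dirnames:
            if name.lower() in SUSPECT_DIRS:
                rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
                findings.append((rel + "/", "directory that does not belong under the webroot"))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            ext = os.path.splitext(name.lower())[1]
            if rel_dir == "." and name.lower() in EXPECTED_TXT:
                continue
            if ext in ARCHIVE_EXTENSIONS:
                findings.append((rel, "site archive"))
            elif ext in SUSPECT_EXTENSIONS or name.endswith("~"):
                findings.append((rel, "backup, include, config or data file"))
    return sorted(findings)


def make_demo_webroot() -> str:
    """Constructed webroot for the demo; every file and its contents are invented."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.php": "<?php echo 'hello'; ?>",
        "robots.txt": "User-agent: *\nDisallow: /admin/\n",
        "admin/admin.php": "<?php // admin portal ?>",
        "admin/admin.bak": "<?php // old copy, served back as plain text ?>",
        "includes/db.inc": "<?php $dbpass = 'example'; ?>",
        "site-2008-01.zip": "",
        ".svn/entries": "10\n",
        "images/logo.png": "",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in find_stray_files(make_demo_webroot()):
        print("%-24s %s" % (path, reason))
```

Run it from a deploy pipeline against the directory that is about to go live, and fail the deploy on any finding; the point of the slide is that a file which is not in the webroot cannot be guessed.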
SQL Injection

Manipulation of the SQL query string

    sqlString = "select * from users where name ='" + userinput + "' and password='" + userinput + "'"

Becomes

    select * from users where name ='admin';-- and password='anything'

Or

    select * from users where name ='admin' and password='anything' or '1'='1'

Where the syntax grouping (AND binds tighter than OR) is

    (name ='admin' and password='anything') or ('1'='1')

SQL Injection

Use parameterized queries
• asp, .net, java, php, python, flex?
Use stored procedures
• Type cast variables
• Don’t use dynamic SQL inside procedures
• Often seen in ‘search’ procedures
• Use the QuoteName function

DO NOT BUILD SQL STATEMENTS DYNAMICALLY

Yes. Of course your flash application can be vulnerable to injection attacks

Dynamic SQL inside a procedure (the pattern to avoid):

    DECLARE @SQL NVARCHAR(4000)
    SELECT @SQL = 'SELECT * FROM USERS WHERE NAME = ' + @Username
    EXEC (@SQL)

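The slide's sqlString pattern beside its parameterized form, run against an in-memory SQLite table so the difference can be observed rather than asserted. This is an added example, not code from the slides; the table, the two users and the search function are constructed for the demo, and the inputs are the ones the previous slide shows.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("brett", "pass123")])
    return conn


def login_dynamic(conn, name: str, password: str):
    """The slide's sqlString: the query text itself is assembled from user input."""
    sql = ("select * from users where name ='" + name
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name: str, password: str):
    """Parameterized query: the SQL text is fixed, the values travel separately and are
    never parsed as SQL, so quotes and keywords inside them stay data."""
    sql = "select * from users where name = ? and password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def search_users(conn, prefix: str, limit):
    """The parameterized equivalent of a 'search' procedure: the non-string argument is
    type cast, and LIKE wildcards in the user's text are escaped so they match literally."""
    limit = int(limit)  # raises ValueError for anything that is not an integer
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "select name from users where name like ? escape '\\' order by name limit ?",
        (escaped + "%", limit),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "anything' or '1'='1"
    print("dynamic:       ", login_dynamic(conn, "admin", payload))
    print("parameterized: ", login_parameterized(conn, "admin", payload))
    print("real login:    ", login_parameterized(conn, "admin", "s3cret"))
    print("search 'a':    ", search_users(conn, "a", "10"))
```

The dynamic version returns every row for the `or '1'='1` input because the database parses the input as part of the WHERE clause; the parameterized version returns nothing, because the whole string is compared against the password column as one value.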
SQL Truncation Attacks

Application vs SQL
• The form in which data is stored varies between the two
MySQL
• MySQL will truncate data during an insert
• PHP asks MySQL “Any users by this name?”
• MySQL responds “No, I don’t know that person”
• PHP says “Ok, add a user by this name”
• MySQL says “Sure, his name is too long, I’ll shorten it for you”

    User="admin<100spaces>x"

GEE THANKS

SQL Truncation Attacks

MSSQL
• Data is truncated when calling stored procedures
• SQL returns the record for admin
• Data mailed to both admin and attacker

Input to a forgotten password page, where the parameter has a length of 100:

    Create procedure [FindUser] @username VARCHAR(100) ...

    User="admin@site.com<100spaces>;attacker@home.com"

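Both truncation flows from the two slides modelled in Python, each beside the application-side check that stops it: enforce the column width yourself and reject, never shorten, and mail only the address stored on the record. This is an added example, not code from the slides; the in-memory "database", the column width of 100 and the user records are constructed, and db_store() stands in for a column or procedure parameter that silently truncates and ignores trailing spaces on comparison.

```python
COLUMN_WIDTH = 100  # VARCHAR(100), as in the slide's FindUser procedure


def db_store(value: str, width: int = COLUMN_WIDTH) -> str:
    """Models a column that silently truncates on insert (or a stored-procedure parameter
    that truncates on call) and compares VARCHARs ignoring trailing spaces."""
    return value[:width].rstrip(" ")


def find_user(rows, field: str, value: str):
    return [r for r in rows if r[field] == value]


def register_truncating(rows, username: str, password: str) -> None:
    """MySQL flow from the slide: the lookup uses the full input, the insert truncates it."""
    if find_user(rows, "name", username):
        raise ValueError("username taken")
    rows.append({"name": db_store(username), "email": "", "password": password})


def register_strict(rows, username: str, password: str) -> None:
    """Fix: enforce the column width in the application and reject padded input outright."""
    if len(username) > COLUMN_WIDTH or username != username.strip():
        raise ValueError("username too long or padded with whitespace")
    if find_user(rows, "name", username):
        raise ValueError("username taken")
    rows.append({"name": username, "email": "", "password": password})


def forgot_password_unsafe(rows, email_input: str):
    """MSSQL flow from the slide: the procedure parameter is truncated, so the lookup finds
    admin, but the mail goes to the application's untruncated copy of the input."""
    if not find_user(rows, "email", db_store(email_input)):
        return []
    return [addr.strip() for addr in email_input.split(";")]


def forgot_password_safe(rows, email_input: str):
    """Fix: length-check the input and mail only the address stored on the record."""
    if len(email_input) > COLUMN_WIDTH:
        raise ValueError("input longer than the column it is compared against")
    match = find_user(rows, "email", email_input)
    return [match[0]["email"]] if match else []


def raises_value_error(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rows = [{"name": "admin", "email": "admin@site.com", "password": "hunter2"}]
    padded = "admin" + " " * 100 + "x"
    register_truncating(rows, padded, "attackerpw")
    print("rows named admin after truncating insert:", len(find_user(rows, "name", "admin")))
    print("strict registration rejects it:", raises_value_error(register_strict, rows, padded, "x"))
    email_input = "admin@site.com" + " " * 100 + ";attacker@home.com"
    print("unsafe reset mails:", forgot_password_unsafe(rows, email_input))
    print("safe reset rejects:", raises_value_error(forgot_password_safe, rows, email_input))
```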
Databases

Stored within the webroot
• /dbase/dbase.mdb
• Flat files etc.
Running as ROOT or SYSTEM
• Or worse... a domain account
Encryption of data
• If the server or application is compromised, is the data?
• Unique record ID of the user account
• User supplied password

Microsoft Used To Recommend This.....
Don’t Use A Static Key. Do Seed With User Specific Data.

Cryptography

Encryption is difficult
• Do NOT roll your own XOR based encryption scheme
• BASE64 is not encryption
Weakness is in the implementation
• Verify your data is getting encrypted
• Use one way encryption for passwords
Storing the secrets
• Database credentials should never be stored clear text
• Encryption keys should not be stored in accessible configs

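The two slides above in working code: one-way password storage with a per-user salt, a per-record key seeded from the user's password and record ID instead of a static key in a config file, and a check that shows BASE64 is reversible without any key. This is an added example using only the Python standard library, not code from the slides; the iteration count, the storage format string and the application salt are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; assumed for the demo, tune per server


def hash_password(password: str) -> str:
    """One-way storage: random per-user salt and a slow hash; nothing reversible on disk."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))  # constant time


def derive_record_key(password: str, record_id: int, app_salt: bytes) -> bytes:
    """Per-record key seeded with user-specific data (the slide's record ID and user
    password) rather than one static key. The same inputs give the same key, so the
    record can be opened when the user logs in; every other record gets a different key."""
    salt = app_salt + b"|record:" + str(record_id).encode("ascii")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def base64_is_reversible(secret: bytes) -> bool:
    """BASE64 is an encoding, not encryption: anyone can undo it without a key."""
    return base64.b64decode(base64.b64encode(secret)) == secret


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print("verify good:", verify_password("correct horse", stored))
    print("verify bad: ", verify_password("wrong", stored))
    k1 = derive_record_key("correct horse", 1, b"app-salt-from-config")
    k2 = derive_record_key("correct horse", 2, b"app-salt-from-config")
    print("record keys differ:", k1 != k2)
    print("base64 reversible:", base64_is_reversible(b"db password"))
```

The verification step is the "verify your data is getting encrypted" bullet in miniature: a stored value that verify_password() accepts for the wrong password, or a derive_record_key() that returns the same bytes for two records, is a bug the tests would catch before an attacker does.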
Application Email

Often vulnerable to spam attacks
• SMTP is a text based protocol
• CR/LF pairs and new commands can be inserted

Normal communication with SMTP server:

    Mail From: <feedback@foo.co.nz>
    Rcpt To: <user@user.co.nz>
    Data
    Subject: This is a test email
    .
    quit

Application Email

Injection through recipient field
• user@user.co.nz>%0a%0drset%0a%0dMail From: <spam@foo.....

Modified communication with SMTP server:

    Mail From: <website@foo.co.nz>
    Rcpt To: <user@demo.co.nz>
    rset
    Mail From: <spam@foo.co.nz>
    Rcpt To: <newrecipient@host.co.nz>
    Data
    Subject: This is a spam email
    blah blah spam spam
    .
    quit

The rset is the injected RESET; the Mail From and Rcpt To that follow it are the injected new details.

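The recipient-field check that prevents the exchange above, plus a detector that lists which SMTP verbs a raw field would have sent to the server. This is an added example, not code from the slides; the address regex, the verb list and build_session(), which emits the client side of the slide's normal exchange as a list of lines, are assumptions for the demo. SLIDE_PAYLOAD is the slide's own injected recipient, URL-decoded.

```python
import re
from urllib.parse import unquote

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
VERB_RE = re.compile(r"(mail from|rcpt to|data|rset|quit|helo|ehlo)\b")

# The slide's injected recipient value, decoded as the application would decode it.
SLIDE_PAYLOAD = unquote("user@user.co.nz>%0a%0drset%0a%0dMail From: <spam@foo.co.nz>")


def is_safe_address(value: str) -> bool:
    """Whitelist: exactly one plain address, so CR/LF, '>' and extra commands cannot be present."""
    return ADDRESS_RE.fullmatch(value) is not None


def injected_smtp_commands(value: str):
    """Detection: SMTP verbs that would run if this field were written to the session as-is.
    Everything after the first line break is a new line to the server, hence attacker-controlled."""
    found = []
    for line in re.split(r"\r\n|\n|\r", value)[1:]:
        match = VERB_RE.match(line.strip().lower())
        if match:
            found.append(match.group(1))
    return found


def build_session(mail_from: str, rcpt_to: str, subject: str, body: str):
    """Client side of the slide's normal SMTP exchange, refusing any field that could add a line."""
    for field, value in (("Mail From", mail_from), ("Rcpt To", rcpt_to)):
        if not is_safe_address(value):
            raise ValueError("%s rejected: %r" % (field, value))
    if re.search(r"[\r\n]", subject):
        raise ValueError("Subject rejected: contains a line break")
    lines = ["Mail From: <%s>" % mail_from, "Rcpt To: <%s>" % rcpt_to, "Data",
             "Subject: %s" % subject, ""]
    for line in body.splitlines():
        # Dot-stuffing: a body line that is just "." would otherwise end DATA early.
        lines.append("." + line if line.startswith(".") else line)
    lines += [".", "quit"]
    return lines


def rejects(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("safe address:", is_safe_address(SLIDE_PAYLOAD))
    print("verbs the raw field would send:", injected_smtp_commands(SLIDE_PAYLOAD))
    print("session refuses it:", rejects(build_session, "website@foo.co.nz", SLIDE_PAYLOAD, "hi", "x"))
    print("\n".join(build_session("feedback@foo.co.nz", "user@user.co.nz",
                                  "This is a test email", "Hello\n.hidden")))
```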
Cross Site Scripting

The sending of user supplied input to the browser
• More than alert()
Reflective
• Code passed as a parameter, usually on the URL
Persistent
• Code stored and then displayed to users
Consequences
• Cookie theft
• Site interaction
• Web application worms

JavaScript is a powerful programming language

Cross Site Scripting

Example flaw

    echo "hello " . $_GET['username'] . " welcome to the site";

Normal output

    <html>hello Brett welcome to the site</html>

Exploit output

    <html>hello <script>alert()</script> welcome ...</html>

Insert any JavaScript or script inclusion

Widely Known, Well Explained, Still Exists In Most Applications

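The "filter output at use, different uses need different filters" rule applied to the greeting above and to the persistent case: the same value is encoded differently for HTML text, an attribute value, a URL query and a JavaScript string, and a stored comment is encoded each time it is rendered, not when it is saved. This is an added example, not code from the slides; the profile link, the comment store and the function names are constructed for the demo.

```python
import html
import json
from urllib.parse import quote


def render_greeting(username: str) -> str:
    """The slide's page with the input encoded at the point of use (HTML text context)."""
    return "<html>hello " + html.escape(username) + " welcome to the site</html>"


def render_profile_link(display_name: str, search_term: str) -> str:
    """The same data in four contexts, each with its own encoder."""
    return '<a title="%s" href="/search?q=%s" onclick="track(%s)">%s</a>' % (
        html.escape(display_name, quote=True),   # attribute value: quotes must be encoded
        quote(search_term, safe=""),             # URL query component: percent-encoding
        html.escape(json.dumps(display_name)),   # JS string literal, then attribute encoding
        html.escape(display_name),               # HTML text
    )


# Persistent case: the stored value is kept verbatim and encoded every time it is shown.
COMMENTS = []


def store_comment(author: str, text: str) -> None:
    COMMENTS.append({"author": author, "text": text})


def render_comments() -> str:
    return "".join(
        "<li><b>%s</b>: %s</li>" % (html.escape(c["author"]), html.escape(c["text"]))
        for c in COMMENTS
    )


if __name__ == "__main__":
    print(render_greeting("Brett"))
    print(render_greeting("<script>alert()</script>"))
    print(render_profile_link('Bre"tt', "a&b c"))
    store_comment("mallory", "<script>alert()</script>")
    print(render_comments())
```

Encoding on output rather than on input is what makes the persistent case safe: the stored text can be displayed in a page, an attribute or a JSON feed later, and each renderer applies the encoder for its own context.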
CSRF

Cross Site Request Forgery
• Attacking site causes browser to make a request to target
User logs into banking.co.nz
• banking.co.nz sets an authentication cookie
• User leaves but doesn’t log out
User browses to attacking site
• Attacking site creates a post to banking.co.nz
• User’s browser sends cookie with post
• Browser is already authenticated

CSRF

Defence
• Each post must contain a random parameter value

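The defence above as a server-side check: a random value is generated per session, placed in every form the site renders, and a post is only honoured when the submitted value matches. A post forged from another site carries the cookie (the browser adds it) but not the token (the other site cannot read the form). This is an added example, not code from the slides; the Session class, the transfer form and the handler are constructed for the demo.

```python
import hmac
import re
import secrets


class Session:
    """Server-side session state; the browser only ever holds the session cookie."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)  # random, per session, unknown to other sites


def render_transfer_form(session: Session) -> str:
    """The site's own form carries the token as a hidden field."""
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">' % session.csrf_token
            + '<input name="to"><input name="amount"><input type="submit"></form>')


def read_token_from_form(page_html: str) -> str:
    """What the legitimate page (and only that page) can do: read the token back out."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', page_html)
    return match.group(1) if match else ""


def handle_transfer(session: Session, form: dict):
    """The cookie alone does not authorise the post; the token must be present and equal."""
    submitted = form.get("csrf_token", "")
    if not (submitted and submitted.isascii()
            and hmac.compare_digest(submitted, session.csrf_token)):
        return 403, "missing or invalid csrf_token"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    session = Session()  # the session the banking cookie maps to
    token = read_token_from_form(render_transfer_form(session))
    print(handle_transfer(session, {"csrf_token": token, "to": "brett", "amount": "10"}))
    # A post built by the attacking site: the browser attaches the cookie, so the same
    # session is found, but the attacking site never saw the token.
    print(handle_transfer(session, {"to": "attacker", "amount": "1000"}))
```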
Other Related Attacks

Site redirection
• User supplied input used as target page
• Can be used in phishing and scam attacks

    http://site.com/login.php?redirect=<value>

Page inclusion
• User supplied input used as source for frame, iframe, image
• External content displayed in browser

    <frameset>
      <frame src="topbar.html">
      <frameset>
        <frame src="<%=request("page")%>">
      </frameset>
    </frameset>

Microsoft Still Do This In Versions Of OWA

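A validator for the redirect parameter above: the value is only used if it is a path on the site itself or an absolute http(s) URL whose host is on an allow list; anything else falls back to a default. This is an added example, not code from the slides; the host name site.com is taken from the slide's URL, and the allow list, the function names and the default target are assumptions for the demo.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"site.com"}  # assumed: the application's own host(s)


def is_local_path(value: str) -> bool:
    """A same-site path: a single leading '/', no scheme, no host, no backslash or control chars."""
    if not value.startswith("/") or value.startswith("//"):
        return False  # "//host/..." is scheme-relative and would leave the site
    if any(c in value for c in "\\\r\n\t\x00"):
        return False  # browsers treat "/\host" like "//host"; CR/LF would split the header
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(value: str, default: str = "/") -> str:
    """Returns value when it is a same-site path or an http(s) URL on an allowed host,
    otherwise the default. For login.php?redirect=<value> style parameters."""
    if is_local_path(value):
        return value
    try:
        parts = urlsplit(value)
        host = parts.hostname  # lower-cased; "user@host" forms resolve to the real host
    except ValueError:
        return default
    if parts.scheme in ("http", "https") and host in ALLOWED_HOSTS and "\\" not in value:
        return value
    return default


if __name__ == "__main__":
    for candidate in ("/account/home", "https://site.com/login", "//evil.example/phish",
                      "http://site.com@evil.example/", "http://site.com.evil.example/",
                      "javascript:void(0)", "/\\evil.example"):
        print("%-34r -> %r" % (candidate, safe_redirect_target(candidate)))
```

The same idea applies to the frame source: a page name should be looked up in a table of known pages rather than passed through, since a value that is allowed to name any URL will eventually name one that is not yours.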
Cookie Security

This Sort Of Thing Still Happens!
Don’t store credentials in the cookie
• Set-cookie: user=admin
Set the cookie path
• Specifies which part of the application the cookie is sent to

http://Application
• Secured blog posting section (requires auth cookie set): http://Application/secure/login
• Insecure general section: http://Application/general/read

If the cookie path is not set, a vulnerability in the general section can read the secure section cookie

Cookie Security

Set the SECURE flag
• Prevents the cookie being sent in HTTP requests
• Otherwise the cookie is sent even if the target site is not listening on HTTP
• Attacker needs access to sniff the traffic
Set the HTTPOnly flag
• Prevents access to the cookie through JavaScript
• Defence against cross site scripting

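The two cookie slides as code: a builder that emits a Set-Cookie value scoped to the secure section with both flags set, and an audit function that parses any Set-Cookie value and lists which of the slides' rules it breaks (credential in the cookie, path not limited, Secure missing, HttpOnly missing). This is an added example, not code from the slides; the cookie name "session", the path /secure and the list of credential-looking names are assumptions for the demo.

```python
from http.cookies import SimpleCookie


def build_session_cookie(session_id: str, path: str = "/secure") -> str:
    """Set-Cookie value for the secured section only, with Secure and HttpOnly set."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["path"] = path      # only sent to the /secure part of the application
    jar["session"]["secure"] = True    # never sent over plain HTTP
    jar["session"]["httponly"] = True  # not readable from JavaScript, so XSS cannot lift it
    return jar["session"].OutputString()


CREDENTIAL_NAMES = {"user", "username", "password", "pass", "role", "admin"}


def audit_set_cookie(header_value: str, secure_section: str = "/secure"):
    """Detection: parse one Set-Cookie value and list the rules from the slides it breaks."""
    name_value, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, _ = name_value.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    findings = []
    if name.strip().lower() in CREDENTIAL_NAMES:
        findings.append("credential stored in cookie")
    if not attributes.get("path", "/").startswith(secure_section):
        findings.append("path not limited to the secure section")
    if "secure" not in attributes:
        findings.append("missing Secure flag")
    if "httponly" not in attributes:
        findings.append("missing HttpOnly flag")
    return findings


if __name__ == "__main__":
    # Constructed header values: the slide's bad cookie and the builder's output.
    for header in ("user=admin", "session=abc123; Path=/; Secure", build_session_cookie("abc123")):
        print("%-60s %s" % (header, audit_set_cookie(header) or "ok"))
```

Pointing audit_set_cookie() at the Set-Cookie headers in a proxy log or a test-suite response is a cheap regression check for the path and flag rules.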
File Uploading

File uploading is dangerous
• Provides the ability for the user to create data on the server
• Usual attacks involve uploading a script file for access
Check the file extension
• Check the portion after the last .
• Compare against a WHITELIST
Check the file data
• Valid graphic, csv, numeric data
Store as a blob in the database
• Do NOT store as a raw file under the webroot

Beware the NULL (%00) byte

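The upload checks above in order: reject a null byte, take the portion after the last dot and compare it to a whitelist, verify the file data against the signature for that type, then store under a server-chosen name in a location the web server does not serve. This is an added example, not code from the slides; the image types and their leading bytes, and a temporary directory standing in for the slide's database blob or off-webroot store, are assumptions for the demo.

```python
import os
import secrets
import tempfile

# Whitelist of accepted extensions with the leading bytes a genuine file of that type carries.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def check_filename(filename: str) -> str:
    """Returns the whitelisted extension, or raises. The name is never used on disk."""
    if "\x00" in filename:
        raise ValueError("null byte in filename")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any client-side path
    ext = os.path.splitext(base)[1].lower()                  # the portion after the LAST dot
    if ext not in ALLOWED_TYPES:
        raise ValueError("extension not whitelisted: %r" % ext)
    return ext


def check_content(data: bytes, ext: str) -> None:
    """The data must look like the type the extension claims, not just carry the name."""
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content is not a valid %s file" % ext)


def make_storage_dir() -> str:
    return tempfile.mkdtemp(prefix="uploads_")  # stands in for storage outside the webroot


def store_upload(filename: str, data: bytes, storage_dir: str) -> str:
    ext = check_filename(filename)
    check_content(data, ext)
    stored_name = secrets.token_hex(16) + ext  # server-chosen name, whitelisted extension only
    with open(os.path.join(storage_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


def rejects(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    storage = make_storage_dir()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    print("stored as:", store_upload("photo.png", png, storage))
    print("script extension rejected:", rejects(check_filename, "shell.php"))
    print("null byte rejected:        ", rejects(check_filename, "shell.php\x00.png"))
    print("wrong content rejected:    ", rejects(store_upload, "shell.php.png", b"<?php // ?>", storage))
```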
File Include Attacks

Local file include
• Occurs when user can affect or supply a file path
• Leads to disclosure of source and other sensitive items
Remote file include
• Occurs in PHP (usually), when an HTTP reference is provided
• Is disabled in modern versions of PHP
.NET LoadControl
• Can be used to load arbitrary controls that exist on the server
If you must accept paths from a user
• Reject anything that is suspect, i.e. ../../  ..\..\  %xx

    http://site.com/help.jsp?helppage=/help/index.html

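The "if you must accept paths from a user" rule for the help.jsp parameter above: reject %xx, control characters, backslashes, .. and URLs outright, require the application's own /help/ prefix, and then confirm after symlink resolution that the resolved file still sits under the help root. This is an added example, not code from the slides; the help root is a constructed temporary directory and the function names are assumptions for the demo.

```python
import os
import tempfile

HELP_PREFIX = "/help/"  # the application's own help URL prefix, as in helppage=/help/index.html


def resolve_help_page(help_root: str, requested: str) -> str:
    """Maps helppage=<value> onto a file under help_root, or raises ValueError."""
    if "%" in requested or any(c in requested for c in "\x00\r\n"):
        raise ValueError("encoded or control characters rejected")  # %xx, null byte, CR/LF
    if "\\" in requested or ".." in requested or "://" in requested:
        raise ValueError("suspect path rejected")                   # ../../  ..\..\  remote URLs
    if not requested.startswith(HELP_PREFIX):
        raise ValueError("help pages live under %s" % HELP_PREFIX)
    relative = requested[len(HELP_PREFIX):]
    root_real = os.path.realpath(help_root)
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # Containment check after symlink resolution: the file must sit inside the help root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes the help root")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def make_demo_help_root() -> str:
    """Constructed help tree for the demo."""
    root = tempfile.mkdtemp(prefix="help_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>Help</h1>")
    return root


def rejects(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = make_demo_help_root()
    print("ok:", resolve_help_page(root, "/help/index.html"))
    for bad in ("/help/../../etc/passwd", "/help/..%2F..%2Fetc%2Fpasswd",
                "..\\..\\windows\\win.ini", "http://evil.example/x.txt", "/help//etc/passwd"):
        print("%-34r rejected: %s" % (bad, rejects(resolve_help_page, root, bad)))
```

The string checks implement the slide's "reject anything suspect"; the realpath/commonpath step is the backstop that catches whatever the string checks did not think of, which is why both are kept.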
Configuration

What is wrong with these?

.htaccess:

    <Limit GET>
        order deny,allow
        deny from all
        allow from 203.10.1.104
        allow from 192.168.1.1
    </Limit>

Web.config:

    <location path="admin.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </location>