1 / 33

SecuBat

SecuBat. A Web Vulnerability Scanner . Group: Dao Trong Diep: 51000686 Nguyen Minh Khoi: 51001583. content. INTRODUCTION TYPICAL WEB ATTACK AUTOMATED VULNERABILITY DETECTION ATTACK AND ANALYSIS CONCEPTS SECUBAT IMPLEMENTATION EVALUATION CONCLUSION DEMO. 1 . INTRODUCTION.

dakota
Download Presentation

SecuBat

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SecuBat A Web Vulnerability Scanner Group: Dao Trong Diep: 51000686 Nguyen Minh Khoi: 51001583

  2. content • INTRODUCTION • TYPICAL WEB ATTACK • AUTOMATED VULNERABILITY DETECTION • ATTACK AND ANALYSIS CONCEPTS • SECUBAT IMPLEMENTATION • EVALUATION • CONCLUSION • DEMO

  3. 1. INTRODUCTION White-box and Black-box testing

  4. white-box testing • In white-box testing, the source code of the application is analyzed in an attempt to track down defective or vulnerable lines of code.

  5. Black-box testing • In black-box testing, the source code is not examined directly. Instead, special input test cases are generated and sent to the application. Then, the results returned by the application are analyzed for unexpected behavior that indicate errors or vulnerabilities.

  6. Secubat • An open-source web vulnerability scanner that uses a black-box approach to crawl and scan web sites for the presence of exploitable SQL injection and XSS vulnerabilities.

  7. Comparision

  8. 2. TYPICAL WEB ATTACK • 2.1 SQL Injection • 2.2 Cross-site Scripting

  9. 2.1 SQL INJECTION SQL injection attacks are based on injecting strings into database queries that alter their intended use.

  10. 2.2 CROSS-SITE SCRIPTING Cross Site Scripting (XSS, sometimes also abbreviated as CSS) refers to a range of attacks in which the attacker injects malicious JavaScript into a web application • Reflect XSS • Stored XSS

  11. 3. AUTOMATED VULNERABILITYDETECTION 3.1 Crawling Component 3.2 Attack Component 3.3 Analysis Modules

  12. 3.1 Crawling Component

  13. 3.2 Attack Component • Processing the list of target pages. • In particular, the attack component scans each page for the presence of web forms. • For each web form, we extract the action (or target) address and the method (i.e., GET or POST) used to submit the form content. • Then, depending on the actual attack that is launched, appropriate values for the form fields are chosen. • The form content is uploaded to the server specified by the action address (using either a GET or POST request)

  14. 3.3 Analysis Modules An analysis module uses attack-specific response criteria and keywords to calculate a confidence value to decide if the attack was successful.

  15. 4. ATTACK AND ANALYSIS CONCEPTS 4.1 SQL Injection Attack 4.2 Simple Reflected XSS Attack 4.3 Encoded Reflected XSS Attack 4.4 Form-Redirecting XSS Attack

  16. 4.1 SQL Injection attack • Attack module prepares new attack & sends it to server (e.g. single quote) • Server sends back a response page • Analysis module parses response for keywords, builds summary confidence factor q = “select * from user where mail=‘ ‘ ‘ “

  17. Determine if an SQL Injection is Successfull • List of weighted key phrases that indicate an SQL error • Derived this list by analyzing response pages of web sites that are vulnerable to SQL injection. • Each Keyword in the list was associated with its own confidence factor, which numerically describes the gain in confidence that the attacked web form is vulnerable.

  18. Determine if an SQL Injection is Successfull • The response code is a good indicator for SQL injection vulnerabilities. • This response is generated when the application server crashes. For example: Many sites return a 500 Internal Server Errorresponse when a single quote is entered.

  19. 4.2 Simple Reflected XSS Attack • Attack module prepares new attack & sends it to server (e.g. Javascript to show a message box) • Server sends back a response page • Analysis module parses response checking for the occurrence of the injected string (and the executability)

  20. Problems in Simple XSS • The required characters for scripting (such as quotes or brackets) could be filtered or escaped by the target web application. • The importance of the location of an injected script within the web page. The application is vulnerable The application is not reported as vulnerable

  21. 4.3 Encoded Reflected XSS Attack • Most web applications employ some easy input sanitization. • Filtering routines applied by the developers • Automatic filtering performed by programming language • Attacker attempts to bypass simple input filtering by using HTML encodings. • It also uses a mix of uppercase and lowercase letters to further camouflage the keywordscript. • One disadvantage of using encoded characters is that not all browsers interpret them in the same way. HTML Character Encodings Table

  22. 4.4 Form-Redirecting XSS Attack • Checks for potential assets (sensitive information). • Check for password field • Check for account field • Uses an encoded injection string redirecting the found login form to the “attacker‘s server”.

  23. Form Index • A web page may contain multiple, independent web forms that possess different form targets. • Each form can be uniquely identified by its form index. • In order for the form-redirecting attack to succeed, it is only need for any of the web forms on a page to be vulnerable. • Suppose that a web page contains two separate forms: one search form and one login form. • The developers of the login form were aware of common security issues. But the search form is not. • Every search query that is entered into the search form is reflected back to the user in the browser.

  24. 5. SecuBat Implementation • Implementation Details • C# • Data Store: MS SQL Database • Requirements • MS Windows 2000, XP, 2003 • MS .NET Framework 2.0 • MS SQL Server 2000/2005 or MSDE/SQL Express 2005

  25. 5. SecuBat Implementation SecuBat Attacking Architecture

  26. 6. Evaluation • Evaluation Run Results (Google search for “login”): • 25.064 crawled pages • 21.627 web forms • 4 attack types • SQL Injection: 6,63% • Simple XSS: 4,30% • Enhanced XSS: 5,60% • Form-Red. XSS: 5,52%

  27. Findings • Critical XSS Vulnerabilities (assets) • eBay (Auction access) • Austrian Finance Ministry (E-Government access) • Geizhals (Price management) • Crit.org (Security associated content) • Apple (Developer access) • …

  28. Notifications • Query recipients using WhoIs service • 591 Mails sent • 306 “recipient unknown” • 52 detail inquiries after 1 week

  29. Proof-of-Concept Real World • Well-known and popular Austrian price comparison web portal: www.geizhals.at • Geizhals was vulnerable to Form-Redirecting XSS attacks. • It is easy to reconstruct what steps were performed in this automated attack Geizhals General Analysis Results Geizhals Exploit Url Geizhals Analysis Text

  30. Proof-of-Concept Real World www.geizhals.at login page • Using the automatically generated URL: • The attack can be re-executed manually by pasting this URL into the location field of a web browser. • When the browser requests the URL, malicious JavaScript is injected into a vulnerable form field, and reflected back from the server. • The browser then displays the login page, which appears innocuous to an unsuspecting user. • In an actual attack, the attacker could have easily copy-pasted this URL into a phishing e-mail with the text “Please click on the link and update your information” and sent it to thousands of users. Successful form-redirection attack to a non-existing URL

  31. 7. Conclusion • Increasing use of web technology needs increasing security effort. • Simple attacks (SQL Injection, XSS Attack) but many vulnerable web sites. • An automated detection approach can increase your site’s security. • Implementation of an extensible (pluggable) analysis framework (“SecuBat”) • First results of a prototype version show proof of concept.

  32. DEMO

  33. THANK FOR LISTENING

More Related