One-Way Hacking: Futility of Firewalls in Web Hacking

JD Glaser, Saumil Shah

Foundstone Inc.

Typical Web Application set-up

[Diagram: a Web Client sends an HTTP request (cleartext or SSL) through a Firewall to the Web Server; the Web Server runs several Web apps, some with back-end SQL Database (DB) connections; the HTTP reply carries HTML, Javascript, VBscript, etc.]

  • Apache
  • IIS
  • Netscape
  • etc…
  • Plugins:
    • Perl
    • C/C++
    • JSP, etc
  • Database connection:
    • ADO,
    • ODBC, etc.
Traditional Hacking…Limitations
  • Modern network architectures are getting more robust and secure.
  • Firewalls being used in almost all network roll-outs.
  • OS vendors learning from past mistakes (?) and coming out with patches rapidly.
  • Increased maturity in coding practices.
Utility of Firewalls
  • Hacks on OS network services prevented by firewalls.

[Diagram: Web Server with Web apps and back-end DBs; attacks on wu-ftpd, Sun RPC and NT ipc$ are each blocked (X) by the firewall]

Utility of Firewalls
  • Internal back-end application servers are on a non-routable IP network. (private addresses)

[Diagram: Web Server with Web apps and back-end DBs; direct access to the non-routable back-end network is blocked (X)]

Utility of Firewalls
  • Outbound access restricted. Why would a web server telnet out?

[Diagram: Web Server with Web apps and back-end DBs; outbound connections from the web server are blocked (X)]

Futility of Firewalls
  • E-commerce / Web hacking is unfettered.
  • Web traffic is the most commonly allowed of protocols through Internet firewalls.
  • Why fight the wall when you’ve got an open door?
  • HTTP is perceived as “friendly” traffic.
  • Content/Application based attacks are still perceived as rare.
The Web Hacker’s Toolbox

Essentially, all a web hacker needs is …

  • a web browser,
  • an Internet connection,
  • … and a clear mind.
Firewalls cannot prevent…

[Diagram: Web Client to Web Server]

  • URL Interpretation Attacks. (web server mis-configuration)

Firewalls cannot prevent…

[Diagram: Web Client to Web Server with its Web apps, annotated with the URL Interpretation attacks from the previous slide]

  • Input Validation attacks. (poor checking of user inputs)

Firewalls cannot prevent…

[Diagram: Web Client, Web Server, Web apps and back-end DBs, annotated with URL Interpretation attacks and Input Validation attacks]

  • SQL Query Poisoning (extend SQL statements)

Firewalls cannot prevent…

  • Reverse-engineering HTTP cookies.
  • HTTP session hijacking.
  • Impersonation.

[Diagram: Web Client, Web Server, Web apps and back-end DBs, annotated with URL Interpretation attacks, Input Validation attacks and SQL query poisoning]

The URL as a cruise missile

http://10.0.0.1/catalogue/display.asp?pg=1&product=7

[Diagram: the URL is aimed at the Web Server and, through its Web apps, at the back-end DBs]

Web Hacks - net effects

Web Hacks cause three types of effects:

  • Extra information disclosure. (paths, etc.)
  • Source code and arbitrary file content disclosure.
  • Extra data disclosure (e.g. return all rows)
  • Arbitrary command execution.
The Web Hacker’s Toolbox

Some desired accessories would be …

  • a port scanner,
  • netcat,
  • vulnerability checker (e.g. whisker),
  • OpenSSL, … etc.
Hacking over SSL
  • Some SSL Myths:
    • “We are secure because we use SSL!”
    • “Strong 128 bit crypto being used”
    • “We use Digital Certificates signed by VeriSign”
Hacking over SSL
  • Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy!
  • Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.

[Diagram: web client connects in cleartext to nc, which pipes into openssl, which connects over SSL to the web server]

Use the Source, Luke
  • Source code disclosure may reveal any flaws in the application design.
  • Can be used to retrieve application configuration files.
    • e.g. global.asa, etc.
Source Code Disclosure
  • WebLogic / Tomcat example:
Source Code Disclosure
  • IIS +.htr example:
SQL Query Poisoning
  • Poor input validation on parameters passed to SQL queries can be disastrous.
  • For example:

  Dim objCon, objRS, strSQL

  Const CONNECT_STRING = "Provider=SQLOLEDB;SERVER=WEB_DB;UID=sa;PWD=xyzzy"

  ' The ID parameter is concatenated straight into the query text (no validation)
  strSQL = "SELECT * FROM PRODUCT WHERE ID = " & Request.QueryString("ID")

  Set objCon = Server.CreateObject("ADODB.Connection")
  objCon.Open CONNECT_STRING
  Set objRS = objCon.Execute(strSQL)

SQL Query Poisoning
  • Return all rows:

  http://10.0.0.3/showtable.asp?ID=3+OR+1=1

  • Resultant query:

  SELECT * FROM PRODUCT WHERE ID=3 OR 1=1

SQL Query Poisoning
  • Drop Table:

  http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT

  • Resultant query:

  SELECT * FROM PRODUCT WHERE ID=3
  DROP TABLE PRODUCT

SQL Query Poisoning
  • Remote Command Execution!

  http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+'copy+\winnt\system32\cmd.exe+\inetpub\scripts'

  • Command executed:

  copy \winnt\system32\cmd.exe \inetpub\scripts
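The three poisoned showtable.asp requests above all come from the same string concatenation shown on the earlier ASP slide. This added example (not part of the Foundstone deck) mirrors that concatenation in Python to reproduce the resultant queries, then shows the validated, parameterized lookup that closes the hole; the PRODUCT table and its rows are constructed here as a stand-in for WEB_DB.

```python
"""Added example (not from the Foundstone slides): reproduces how the ASP
concatenation turns the showtable.asp?ID= values into poisoned SQL, and
shows the validated, parameterized lookup that closes the hole."""
import re
import sqlite3
from urllib.parse import unquote_plus

TEMPLATE = "SELECT * FROM PRODUCT WHERE ID = "

def build_query_unsafe(id_param: str) -> str:
    """Mirror of strSQL = "...WHERE ID = " & Request.QueryString("ID").
    The value is URL-decoded first, so '+' becomes a space and %01
    becomes the raw control byte the slides use as a separator."""
    return TEMPLATE + unquote_plus(id_param)

def rows_returned_unsafe(conn: sqlite3.Connection, id_param: str) -> int:
    """Run the concatenated query as-is; 'OR 1=1' returns every row."""
    return len(conn.execute(build_query_unsafe(id_param)).fetchall())

def lookup_product(conn: sqlite3.Connection, id_param: str):
    """Hardened lookup: ID must be a short run of digits, and it is bound
    as a parameter instead of being spliced into the SQL text."""
    decoded = unquote_plus(id_param)
    if not re.fullmatch(r"\d{1,9}", decoded):
        raise ValueError(f"rejected non-numeric ID parameter: {decoded!r}")
    cur = conn.execute("SELECT ID, NAME FROM PRODUCT WHERE ID = ?",
                       (int(decoded),))
    return cur.fetchall()

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the WEB_DB PRODUCT table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO PRODUCT VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn

if __name__ == "__main__":
    db = demo_db()
    for raw in ("3", "3+OR+1=1", "3%01DROP+TABLE+PRODUCT"):
        print(repr(build_query_unsafe(raw)))
    print("rows with OR 1=1:", rows_returned_unsafe(db, "3+OR+1=1"))
    print("validated lookup:", lookup_product(db, "3"))
    try:
        lookup_product(db, "3+OR+1=1")
    except ValueError as err:
        print("blocked:", err)
```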

One-way attacks
  • Assume the tightest firewall configuration.
  • All legal HTTP requests.
  • No outbound traffic from internal network.
  • …yet, total control.
  • Illustrates how the smallest of openings can be big enough to drive a truck through it!
One-way attacks … entry point
  • One entry point required.
  • Arbitrary command execution.
  • Can be achieved in many ways:
    • Known vulnerability (e.g. IIS Unicode / ddecode)
    • Buffer overflow (sometimes kills server!)
    • Fooling the application itself! (metacharacters, SQL query poisoning)
One-way attacks … uploader
  • Create an HTTP multipart-MIME upload mechanism.
  • The same process as sending attachments over web-based mail (yahoo, hotmail).
  • Uploader allows the attacker to plant and execute tools on the server.
  • The hole widens.
One-way attacks … remote prompt
  • Install a remote web-based command prompt.
  • HTML form, passes inputs to the command-shell on the server.
  • Semi-interactive.
One-way attacks … SQL prompts!
  • A step further, install a SQL query prompt page!
  • Allows attackers to arbitrarily pick and attack back-end SQL servers.
  • Web programming languages such as ASP, PHP allow back-end database interfaces.
  • Pilfering of database credentials from source code disclosure attacks would be useful!
One-way attacks … getting root!
  • Upload your favourite privilege escalation $pl01t!
  • Run it through the web-based command prompt.
  • Get admin/root privileges!
One-way attacks … going further
  • Drive through the back-end network.
    • Portscanning
    • Service enumeration
    • Network packet sniffing
    • Recovering passwords / credentials
  • … it’s all open now!
WinDump
  • Loads dynamically – don’t have to reboot box.
  • Works great with MDAC, Unicode, etc…
  • Sniff internal networks after attack.
  • Grep for user/pass – Pipe output.
  • Send results back through nc.
  • Send results back through firewall as an HTML page – ultra cool because it bypasses firewall
Root Causes of Web Hacks
  • Complex web architectures may cause oversight in web server configuration.
    • URL Parsing.
    • File Canonicalization.
  • Combination of underlying operating system and web server may leave holes.
Root Causes of Web Hacks
  • Untested code used in web applications, to save time.
  • Level of security consciousness low in web application developers.
  • Security vs. convenience.
  • Security vs. time-to-market.
  • Zero knowledge administration breeds zero knowledge administrators.
Web Security Measures
  • Heighten security awareness amongst administrators, developers and most important - TOP MANAGEMENT!
  • Firewalls and SSL do not solve all security problems.
  • Keep abreast of latest vendor advisories and patches.
  • Monitor security mailing lists such as BugTraq. :-/

Thank You!

jd.glaser@foundstone.com saumil.shah@foundstone.com