1 / 37

Web Application Exploits

Web Application Exploits. Reading. Required: Stuttard and Pinto: Chapter 3 Review: OWASP: 2013 Top 10 List, https://www.owasp.org/index.php/Top_10_2013-Top_10 Recommended: cool tutorials

mthies
Download Presentation

Web Application Exploits

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Application Exploits Computer Science and Engineering

  2. Reading • Required: • Stuttard and Pinto: Chapter 3 • Review: OWASP: 2013 Top 10 List, https://www.owasp.org/index.php/Top_10_2013-Top_10 • Recommended: cool tutorials • Google Gruyere Codelab tutorial by Bruce Leban, Mugdha Bendre, and Parisa Tabriz, http://google-gruyere.appspot.com/part1#1__setup • How To Break Web Software - A look at security vulnerabilities in web software, http://www.youtube.com/watch?v=jXP7b-xby6U • DEFCON 19: Web Application Analysis With Owasp Hatkit, http://www.youtube.com/watch?v=JjJQ9b80xsE&feature=relmfu Computer Science and Engineering

  3. Web security: primary target to attacks • Web Application technologies • Client side • Server side • Application • Transfer protocol • Common vulnerabilities Computer Science and Engineering

  4. Web Application Architecture XSS Malware Session hijack Redirection … Web service Injection attacks Information leakage DOS Unauth. modification Communication security Database Web server Auth. service Access control client Forged credentials Unauthorized access Computer Science and Engineering

  5. Client Side • Request resources – http requests • Technologies to support functionality • Browser • HTML • Hyperlinks • Forms • Scripts • Custom client components Computer Science and Engineering

  6. Server side • Receive client request, URL query string, HTTP cookies, or in request body • Technologies to supply functionality: • Scripting languages: PHP, VBScript, Perl • Web application platform: ASP.NET, Java • Web Servers: Apache, IIS, Netscape Enterprise • DBMS: Oracle, MySQL, SQL-Server, • Back-end components Computer Science and Engineering

  7. The HTTP Protocol • Hyper Text Transfer Protocol • Stateless • Application layer protocol -- Layered on top of TCP • Client Server Model • Request-response communication • Originally developed to retrieve static text-based resources Computer Science and Engineering

  8. HTTP Request • Request line • HTTP method • Requested URL • HTTP version • Header lines • Host, Referer, Cookie, User-Agent, Connection, etc. • Request body Computer Science and Engineering

  9. GET • Passes all request data in the URL query line • GET /search?q= Web+Technologies HTTP/1.1 • Host: www.cse.edu… Computer Science and Engineering

  10. Post • Passes all data in the HTTP request body • POST /search?HTTP/1.1 • Host: www.cse.edu… • q= Web+Technologies Computer Science and Engineering

  11. HTTP Response • Status line • HTTP version • Numeric status call indicating the result of the request • Txt reason phrase describing the status of the response • Header lines • Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length • Response body Computer Science and Engineering

  12. Status Codes • 1xx – Informational • 2xx – the request was successful • 3xx – the client is redirected to a different resource • 4xx – the request contains an error of some kinds • 5xx – the server encountered an error fulfilling the request Computer Science and Engineering

  13. Commons Status Codes • 200: OK • 302: Location redirection • 401: client is unauthorized for the resource • 403: forbidden even if the client has the credentials • 404: not found • 500: internal server error caused by the request Computer Science and Engineering

  14. Issues for HTTP Methods • GET – retrieves a resources • Send parameters to the requested resource • Be Aware! URLs are stored and displayed -> do not include sensitive data in the query string • POST – performs an action • Request parameters sent in the URL query string or in message body • Be Aware! Back button use  warning • Other methods: Head, Trace, Put, etc. Computer Science and Engineering

  15. HTTPS • HTTP tunneled through SSL • HTTP Proxies • Using HTTP • Using HTTPS • Proxy is a man-in-the-middle • Pure TCP level relay Computer Science and Engineering

  16. HTTP Authentication • Basic: sends user credentials as a Base64-encoded string in a request header • NTLM: Challenge-response using Windows NTLM protocol • Digest: challenge-response using MD5 and checksum of a nonce with the user’s credentials Computer Science and Engineering

  17. State and Session • Client and server exchange and process data • Application needs to maintain the state of each user interactions • Server side structure: session • Client side: sent by the server and protected from tampering • Stateless HTTP  token to identify user sessions Computer Science and Engineering

  18. HTTP Vulnerabilities • Header-based attacks: not very common • Headers are simple • Any command or response that is not valid, ignored • Header are free form  several options on how to interpret data • Buffer overflow may occur • Client- and server side executables : data may be passed to other applications Computer Science and Engineering

  19. HTTP Vulnerabilities 2. • Protocol-based attacks: most common • Incorrect authentication • Access directories (username/password) by stolen credentials • Authentication travels as clear text • Challenge response • Cookes • Spoofing attacks Computer Science and Engineering

  20. HTTP Vulnerabilities 3. • Traffic-based attacks • Denial of Service attacks • Traffic privacy violations Computer Science and Engineering

  21. Web Application Characteristics Computer Science and Engineering

  22. Functionality • Server side technologies: • Scripting languages • Web application platform • Web server software • Databases • Back-end components • Client-side technologies: • Browser Extension technologies Computer Science and Engineering

  23. Application Characteristics • Understand what application does and how it behaves • Content • Functionality • Find out: • Application behavior • Core security mechanisms • Technologies being used • Client side • Server side Computer Science and Engineering

  24. Enumerating Content and Functionality • Manual vs. automated browsing • Walk through the application • Follow every link • Navigate through multistage functions • Web spidering • Tools to follow all links until no new content is found • Can parse static HTML, multi-stage functionality, form-based navigation, client-side JavaScript Computer Science and Engineering

  25. Robots.txt • Web servers maintain in root • Contains list of URLs not available for web spiders • Can be used by spiders as the seed • References to sensitive functionality Computer Science and Engineering

  26. Automated Spidering • E.g., Burp Spider, WebScarab • General limitations: • Cannot handle dynamically created menus • Limited depth to find links • May fail input validation for multistage functionality • Unique content is identified by URL  not good for form-based navigation • May fail authentication session Computer Science and Engineering

  27. User Directed Spidering • User walks through the application and uses a spider to collect and analyze findings • Good for • Unusual or complex navigation needs • User control of input data • User can login to application and pass authentication • User can decide on requested functions Computer Science and Engineering

  28. Hacking Steps 1. • Configure browser to use spider • Browse the application normally • Visit every link • Proceed through multi-stage functions • JavaScrip enabled/disabled; cookies enabled/disabled • Review site map to identify non-visited content • Do an automated spidering Computer Science and Engineering

  29. Discovering Hidden Content • Not directly linked to or reachable from the main page • E.g., testing and debugging content, different functionality for different types of users, backup copies, archives, old version of files, default application functionality, log files, etc. • Added attack points, sensitive content, etc. • Automated, brute-force attack: Burp Intruder Computer Science and Engineering

  30. Hacking Steps 2 • Make unusual requests and identify response • Use site map to identify hidden content • Use brute-force attacks to identify how application handles requests • Manually review responses • Inferencing from published content (e.g., naming) • Compile list of names of subdirectories • Identify naming schemes, file extensions • Review all client side code • Look at temporary files • Burp: Content Discovery – automate attack Computer Science and Engineering

  31. Use Public Information • Find old resources • Search Engines: • Advanced Search: resource, login, links, related • Google domains • Omitted results • Cashed versions • Other domains of the same organization • Web archives, e.g., WayBack Machine Computer Science and Engineering

  32. Web Server Vulnerabilities • Web server software vulnerability • Default content • Sample and diagnostic scripts • Standard functionality • Wikto: a tool that checks for flaws in web servers • http://sectools.org/tool/wikto/ Computer Science and Engineering

  33. Additional Mappings • Functional paths • URL query parameters, REST-style URLs • Discovering Hidden Parameters • Try default parameter names, e.g, debug, test, hide, etc. • Monitor responses to identify anomalies • Analyzing Applications • Functionality, behavior, security • Server side functionality Computer Science and Engineering

  34. Mapping the Attack Surface • Use the results of the analysis to find vulnerabilities Computer Science and Engineering

  35. SOA Service Communication • Simple Object Access Protocol (SOAP)-based • REST based (no additional messaging layer) • Communication over HHTP Computer Science and Engineering

  36. Industry standards • XML • XML encryption • XML Signature • Canonical XML • Decryption Transformation for XML Signature • WS-Security • Security Assertion Markup Language (SAML) Computer Science and Engineering

  37. Next Class • XML, RDF, Web application security Computer Science and Engineering

More Related