310 likes | 2.08k Views
Top Ten Web Hacking Techniques of 2010. Ivan Markovi ć Senior Security Consultant Network Security Solutions , Serbia http://netsec.rs /. About us.
E N D
Top Ten Web Hacking Techniques of 2010 Ivan Marković Senior Security Consultant Network Security Solutions, Serbia http://netsec.rs/
About us • Network Security Solutions is one of only a handful of companies in South East Europe whose primary business focus is security of information systems. Companies such as Microsoft have recognised the value of our experience and results, and have developed a partnership with us. • Research and Training • Tools recognized by OWASP and Backtrack
About presentation • Why this theme ? • Awarenes and ideas • Selection metodology • Creativity and simplicity • Experience and research
Summary • EverCookie • CSS History hack • New DDoSTricks • Click Jacking • Browser Auto Complete • Plugins (Browser and Web apps) • XSS in IE XSS filter • CSRF (Cross Site Request Forgery) • HPP (HTTP Parameter Polluting) • Intranet hacking
EverCookie • Virtually irrevocable persistent cookies- SamyKamkar, http://samy.pl/evercookie/ • Storage mechanisms:- Standard HTTP Cookies - Local Shared Objects (Flash Cookies) - Silverlight Isolated Storage - Storing cookies in Web History - Storing cookies in HTTP ETags - Storing cookies in Web cache - window.name caching - Internet Explorer userData storage - HTML5 Session Storage, Local Storage, Global Storage, Database Storage via SQLite - Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
CSS History Hack • I know where you've been- Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html • Cascading Style Sheets • document.defaultView.getComputedStyle
New DDoS tricks • Slowloris- Robert Hansen, http://ha.ckers.org/slowloris/- Keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing • Slow HTTP POST Attack- OnnChee Wong, http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf - OSI Layer 7- Content-Length: 1000 (bytes) / but send it 1 byte per 110 seconds
New DDoS tricks • Javascript LOIC- Low Orbit Ion Cannon - an open source network attack application, written in C# • HTML 5 WebWorkers and Cross Origin Requests- LavakumarKuppan, http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-html5.html
Click Jacking • also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level pagehttp://www.owasp.org/index.php/Clickjacking
Click Jacking • http://www.sectheory.com/clickjacking.htm
Browser Auto Complete • I want to know your name, who you work for, where you live, your email address ... - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html • Safari Address Book Autofill • Internet Explorer stealing previously entered data • Writing to auto complete • Read remembered passwords
Browser Auto Complete • Safari Address Book Autofill
Browser Auto Complete • Safari Address Book Autofill
Browser Auto Complete • Safari Address Book Autofill<form> Name: <input type="text" name="name"> Company: <input type="text" name="company"> City: <input type="text" name="city">State: <input type="text" name="state"> Country: <input type="text" name="country"> Email: <input type="text" name="email"> </form>
Browser Auto Complete • I want to know your name, who you work for, where you live, your email address ... - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html • Safari Address Book Autofill • Internet Explorer stealing previously entered data • Writing to auto complete • Read remembered passwords with XSS
Browser and Web app plugins • Browser plugins, http://research.zscaler.com/2011/02/browser-plugins-and-security.html • Security considerations:- see login/password credentials in clear text - send back the credentials to any website - modify the web pages seen by the user- add/delete/modify files on the computer - run executables
Browser plugins • Malicious browser plugins examples:2007: Firebug goes evil: http://www.gnucitizen.org/blog/firebug-goes-evil/console.log({'<script>alert("bing!")</script>':'exploit'})2009: NoScriptvsAdblock: http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=217700105
Browser plugins • Malicious browser plugins examples:2010: TROJAN: http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/ - Sothink Web Video Downloader / Win32.LdPinch.gen- Master Filer / Win32.Bifrose.32.BifroseBtw, how is situation in the wild ?
Web app plugins • Web application plugins - Wordpress, Joomla, …http://secunia.com/advisories/search/?search=wordpress
Web app plugins • Web application plugins - Wordpress, Joomla, … http://secunia.com/advisories/search/?search=joomla
XSS in IE XSS Filter • Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/ Internet Explorer 8 implements an anti Cross-site Scripting (XSS) mechanism to detect certain types of XSS attacks. This feature can be abused by attackers in order to enable XSS on web sites and web pages that would otherwise be immune to XSS. For the most part, this neutering mechanism is effective at blocking certain types of XSS attacks from occuring. However, altering a server's response before it gets rendered by the browser may have unintended consequences.
XSS in IE XSS Filter • Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/ Example: <img alt="[injection here]" src="x.png"> Injection string: x onload=alert(0) x <img alt="x onload=alert(0) x" src="x.png"> - will not execute the alert <img alt#"x onload=alert(0) x" src="x.png"> - will execute the alert
Cross Site Request Forgery • CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticatedhttp://secunia.com/advisories/search/?search=Cross+Site+Request+Forgery&sort_by=date
Cross Site Request Forgery • Facebook: http://www.john-jean.com/blog/advisories/facebook-csrf-and-xss-vulnerabilities-destructive-worms-on-a-social-network-350 • Twitter: http://techcrunch.com/2010/09/26/dont-click-the-wtf-link-on-twitter-unless-you-do-like-sex-with-goats
HTTP Parameter Pollution • Stefano di Paola and Luca Carettoni, http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf • How does your application respond if it receives multiple parameters all with the same name ? • Bypass firewall, Change application behaviour, …
INTRANET Hacking • From Website to LAN • Browser plugins • Cross Site Request Forgeryhttp://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/ • CSS History Hack for Port Scanning (with and without Java Script): http://ha.ckers.org/blog/20100125/css-history-hack-in-firefox-without-javascript-for-intranet-portscanning/
INTRANET Hacking • From Website to LAN • Cross Site Request Forgeryhttp://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/
INTRANET Hacking • From Website to LAN • Cross Site Request Forgeryhttp://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/ .: POC (CSRF / Change password)http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD .: POC (CSRF / DoS)http://PUBLIC_IP_OF_USER/rebootinfo.cgi