Windows Security 2002

BlackHat New Orleans

WhiteHat Security

“Web Application Security” and

“Presenting”

Jeremiah Grossman jeremiah@whitehatsec.com

Topics

Web Application Security Landscape

Why is Web Application Security Important

Common Web Application Security Mistakes

Web Application Attack Methodologies

Web Application Security Landscape

Entertainment

Message Boards

WebMail

Guest Books

Voting Polls

E-Commerce

Shopping

Auctions

Banking

Stock Trading

Just Plain Crazy

Printers

PDA’s

Cell Phones

System Configuration

.NET/Passport

Web Application The Simple Definition

A web application or web service is a software application that is accessible using a web browser or HTTP(s) user agent.

Web Application The “EASIER” Definition

If it runs on port 80 or port 443, then it is probably a web application.

Why is Web Application Security Important?

Easiest way to compromise hosts, networks and users.

Widely deployed.

No Logs! (POST Request payload)

Incredibly hard to defend against or detect.

Most don’t think of locking down web applications.

Intrusion detection is a joke.

Firewall? What firewall? I don’t see no firewall…

Encrypted transport layer does nothing.

How much easier can it get!? Unicode.

Common Web Application Security Mistakes

Trusting Client-Side Data

Unescaped Special Characters

HTML Output Character Filtering

SUID

ActiveX/JavaScript Authentication

Lack of User Authentication before performing critical task.

Trusting Client-Side Data

DO NOT TRUST CLIENT-SIDE DATA!!!

Trusting client-side data is the #1 cause of vulnerabilities.

Identify all input parameters that trust client-side data.

Unescaped Special Characters

The Level of Trust:

Searches/Queries/Templates

Path:

http://foo.com/cgi?val=string&file=/html/name.db

Or better yet…

http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd

Unescaped Special Characters

! @ $ % ^ & * ( ) -_ + ` ~ \ | [ ] { } ; : ' " ? / , . > <

Check for: unescaped special characters within input strings

HTML Character Filtering

Proper handling of special characters

> => &gt;

< => &lt;

" => &quot;

& => &amp;

Null characters should all be removed. %00
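As an added example (it is not code from the slides or from WhiteHat), here is a Python output-encoding routine that applies the four substitutions above and removes null characters before a decoded CGI parameter is written into a page. The parameter, the page fragment and the sample input are constructed for the illustration.

```python
import urllib.parse

# The substitutions listed on the slide. '&' is handled first so that the
# entities produced by the later replacements are not themselves re-encoded.
HTML_ESCAPES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"))


def strip_nulls(value: str) -> str:
    """Drop raw NUL characters; a literal %00 in a query string decodes to one."""
    return value.replace("\x00", "")


def escape_for_html(value: str) -> str:
    """Escape the characters that change meaning in HTML text or a quoted attribute."""
    value = strip_nulls(value)
    for raw, entity in HTML_ESCAPES:
        value = value.replace(raw, entity)
    return value


def render_greeting(raw_query_param: str) -> str:
    """Decode a URL-encoded CGI parameter and embed it in a page fragment.

    Decoding happens first so that %3C and a literal '<' are treated the same
    way; escaping happens last, at the point where the value is written out.
    """
    decoded = urllib.parse.unquote(raw_query_param)
    return "<p>Hello, " + escape_for_html(decoded) + "</p>"


if __name__ == "__main__":
    # Constructed sample: an auto-executing script tag plus a trailing %00.
    sample = "Bob%3Cscript%3Ealert(1)%3C/script%3E%00"
    print(render_greeting(sample))
```

The order matters twice over: decode before escaping, so that encoded and literal characters get the same treatment, and replace `&` before the other three, so the entities you emit are not mangled.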

More mistakes…

SUID (Does a web application really need root?)

Authentication mechanisms using technologies such as JavaScript or ActiveX.

Lack of re-authenticating the user before issuing new passwords or performing critical tasks.

Hosting of uncontrolled data on a protected domain.

WhiteHat Arsenal

GUI Web-Based Interface

Session Based

Discovery Utilities

Active Assessment

Encoding/Decoding

Reporting

Web Application Penetration Methodologies

Information Gathering & Discovery

Input/Output Client-Side Data Manipulation

Information Gathering & Discovery

Spidering / Site Map

Identifiable Characteristics

Error and Response Codes

File / Application Enumeration

Spidering

Spidering/Site Crawling

Site Map

Service Map

Documentation

Hidden Services

CGI's and Forms

Email addresses

Identifiable Characteristics

Comment Lines

URL Extensions

Meta Tags

Cookies

Client-Side scripting languages

Enormous wealth of information about process flows, debug commands, system types and configurations.

Error and Response Codes

HTTP Response Headers, e.g. Server: IBM/Apache 1.3.19

Cookie Characteristics

Error Messages

Exception Messages (Java / SQL)

404 Error Pages

Failed Login

Locked Account

Database or file non-existent
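The identifiable characteristics and error content listed above are exactly what a defender can check their own responses for before an assessor does. As an added example (not from the slides), the following Python script flags a versioned Server header, a numeric-looking session cookie, a developer comment and raw exception text in a constructed HTTP response; the response, the cookie name and the header patterns are assumptions for the illustration.

```python
import re

# Constructed sample response showing the characteristics the slides list:
# a versioned Server header, a predictable-looking cookie, a developer
# comment and a raw exception message in the body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: IBM/Apache 1.3.19\r\n"
    "Set-Cookie: SESSIONID=10042; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><!-- TODO: remove debug=1 before release --><body>\r\n"
    "java.sql.SQLException: Table 'users' does not exist\r\n"
    "</body></html>"
)

# Constructed response with a generic error page and no version string.
CLEAN_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>The page you requested was not found.</body></html>"
)

# Headers that name a product together with a version number.
VERSIONED_HEADER = re.compile(r"^(Server|X-Powered-By):.*\d+\.\d+", re.I | re.M)
# Session-style cookies whose value is a short decimal number (guessable).
NUMERIC_COOKIE = re.compile(
    r"^Set-Cookie:\s*([A-Za-z_]*(?:sess|sid|id)[A-Za-z_]*)=(\d{1,10})\b", re.I | re.M)
# Developer comments left in the page.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Exception text from common back ends (Java, Oracle, generic SQL).
EXCEPTION_TEXT = re.compile(r"java\.[\w.]*Exception|ORA-\d{5}|SQL\w*Exception")


def split_response(raw: str):
    """Separate the header block from the body of a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def find_leaks(raw: str) -> list:
    """Return one finding per identifiable characteristic in the response."""
    head, body = split_response(raw)
    findings = []
    for m in VERSIONED_HEADER.finditer(head):
        findings.append("versioned header: " + m.group(0))
    for name, value in NUMERIC_COOKIE.findall(head):
        findings.append(f"numeric session cookie: {name}={value}")
    for m in HTML_COMMENT.finditer(body):
        findings.append("html comment: " + m.group(1).strip())
    for m in EXCEPTION_TEXT.finditer(body):
        findings.append("exception text: " + m.group(0))
    return findings


if __name__ == "__main__":
    for line in find_leaks(SAMPLE_RESPONSE):
        print(line)
```

The clean response produces no findings because its error page says nothing about the server or the database; that is the shape every 404, failed login and locked-account page should take.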

File/Application Enumeration

Commonly referred to as “forced browsing” or “CGI Scanning”.

File/Application Enumeration

Sample Files

Template Directories

Temp or Backup files

Hidden Files

Vulnerable CGIs

Common Directories

Common Log Files

Common Backup Files

Input/Output Client-Side Data Manipulation

URL Manipulation

CGI Parameter Tampering

HTTP Client-Header Injection

Filter/Intrusion Detection Evasion

Protocol/Method Manipulation

Overflows

Input Manipulation Parameter Tampering

"Twiddling Bits."

Cross-Site Scripting

Filter-Bypass Manipulation

OS Commands

Meta Characters

Path/Directory Traversal

Hidden Form Field Manipulation

HTTP Headers

Cross-Site Scripting

Bad name given to a dangerous security issue.

Attack targets the user of the system rather than the system itself.

Outside client-side code executes within the user's web environment with the same level of privilege as the hosted site.

Client-Side Scripting Languages

DHTML (HTML, XHTML, HTML x.0): Opens all the doors.

JavaScript (1.x): Browser/DOM Manipulation

Java (Applets): Malicious Applets

VBScript: Browser/DOM Manipulation

Flash: Dangerous Third-Party Interactivity

ActiveX: Let me count the ways…

XML/XSL: Another Door Opener

CSS: Browser/DOM Manipulation

The Scenarios

Trick a user to re-login to a spoofed page

Compromise authentication credentials

Load dangerous or malicious ActiveX

Re-Direct a user or ALL users

Crash the machine or the browser

CSS (cross-site scripting) Danger: “The Remote Launch Pad.”

Successfully CSS a user via a protected domain.

Utilizing a client-side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.

User is unknowingly infected/compromised within a single HTTP page load.

ActiveX Netcat Anyone?

2 Types of CSS

Click on a link to activate:

<A HREF="http://www.evil_javascript_link">Click Here</A>

Auto-Execute by viewing HTML

<SCRIPT>run evil JavaScript</SCRIPT>

Dangerous HTML: “HTML Bad”

<APPLET>: Malicious Java Applications

<BODY>: Altering HTML Page Characteristics

<EMBED>: Embedding Third-Party Applications (Flash, etc.)

<FRAME>: Directly calling in other uncontrolled HTML

<FRAMESET>: Directly calling in other uncontrolled HTML

<HTML>: Altering HTML Page Characteristics

<IFRAME>: Directly calling in other uncontrolled HTML

<IMG>: SRCing Protocol attacks and other abuses

<LAYER>: Directly calling in other uncontrolled HTML

<ILAYER>: Directly calling in other uncontrolled HTML

<META>: META Refreshes (Client-Redirects)

<OBJECT>: ActiveX (Nuff Said)

<SCRIPT>: JavaScript/VBScript Loading

<STYLE>: Style Sheet and Scripting Alterations

Dangerous Attributes: “Attributes Bad”

ATTRIBUTE DANGER LIST (Any HTML Tag that has these attributes)

STYLE

SRC

HREF

TYPE
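When an application must accept some markup from users, the defensive counterpart of the two lists above is an allow list: rebuild the fragment keeping only known-harmless tags, drop the dangerous ones together with their contents, and strip STYLE, SRC, HREF and TYPE from everything. The following Python sanitizer on the standard-library HTMLParser is an added example and not code from the slides; the set of allowed tags, the single allowed attribute (`title` on `<a>`) and the sample fragment are assumptions for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Tags a page is willing to accept from untrusted input (assumption for the
# example: simple text formatting only). Everything else is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
# Per-tag attribute allow list. None of STYLE, SRC, HREF or TYPE appears here,
# so they are removed from every tag, as the slide recommends.
ALLOWED_ATTRS = {"a": {"title"}}
# Tags whose *contents* must go too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "applet", "object", "embed", "iframe",
                     "frame", "frameset", "layer", "ilayer"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0        # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                 # unknown tag: drop the tag, keep its text
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED_ATTRS.get(tag, set()) and v is not None]
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if not self.drop_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # text is always escaped


def sanitize(fragment: str) -> str:
    """Return a version of `fragment` containing only allow-listed markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample mixing several of the tags and attributes listed above.
    sample = ('<p onclick="x()">Hi <b style="color:red">there</b>'
              '<script>alert(1)</script><img src="http://example.invalid/x.gif">'
              '<a href="javascript:alert(1)" title="t">link</a></p>')
    print(sanitize(sample))
```

Where no markup is needed at all, plain escaping of the whole value is simpler and safer than any sanitizer; the allow list is for the case where some formatting genuinely has to survive.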

Power of the Dots and Slashes

Piping input to the command line.

Path Directory Traversal:

http://foo.com/app.cgi?directory=/path/to/data

DotDot Slash:

http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd

Dot Slash:

http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd

Double DotDot Slash:

http://foo.com/app.cgi?dir=path/to/data....//....//....//etc/passwd

More Filter Bypassing

Method Alteration (HEAD, PUT, POST, GET, etc.)

URL Encode:

http://www.foo.com/cgi?value=%46%72%68%86

Null Characters:

http://www.foo.com/cgi?value=file%00.html

More…Alternate Case, Unicode, String Length, Multi-Slash, etc.

Authentication & Session Management

Brute/Reverse Force

Session Hi-Jacking

Session Replay

Session Forging

Page Sequencing
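Each item in this list has a server-side countermeasure, and they fit in one small piece of code. As an added example (not from the slides or from WhiteHat), the Python session store below issues unguessable session ids (against brute force and forging), expires and binds them (against hijacking), hands out a single-use token per page (against replay) and enforces the order of a multi-step flow (page sequencing). The timeout, the step names, the client addresses and the IP-binding rule are assumptions for the illustration.

```python
import secrets
import time

SESSION_TTL_SECONDS = 900                                 # hypothetical idle timeout
REQUIRED_ORDER = ("login", "verify", "change_password")   # hypothetical page flow


class SessionError(Exception):
    """Any reason the request must be refused."""


class SessionStore:
    """Server-side session state keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user: str, client_ip: str) -> str:
        # 256 bits from the OS CSPRNG: not brute-forceable, not forgeable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "last_seen": self._clock(),
                               "completed": [], "pending": None}
        return sid

    def _get(self, sid: str, client_ip: str) -> dict:
        session = self._sessions.get(sid)
        if session is None:
            raise SessionError("unknown session id")
        if self._clock() - session["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            raise SessionError("session expired")
        # Crude hijack check: the id may not move to another client address.
        # (Breaks behind proxies or NAT; pick a binding that suits the network.)
        if session["ip"] != client_ip:
            raise SessionError("session presented from a different client")
        session["last_seen"] = self._clock()
        return session

    def issue_step_token(self, sid: str, client_ip: str, step: str) -> str:
        """Serve the page for `step`; returns a one-time token the form must echo."""
        session = self._get(sid, client_ip)
        done = len(session["completed"])
        if done >= len(REQUIRED_ORDER):
            raise SessionError("flow already completed")
        expected = REQUIRED_ORDER[done]
        if step != expected:        # page sequencing: no skipping ahead
            raise SessionError(f"expected step {expected!r}, got {step!r}")
        nonce = secrets.token_urlsafe(16)
        session["pending"] = (step, nonce)
        return nonce

    def complete_step(self, sid: str, client_ip: str, step: str, nonce: str) -> list:
        """Accept a submission only if it carries the token issued for this step."""
        session = self._get(sid, client_ip)
        pending = session["pending"]
        if (pending is None or pending[0] != step
                or not secrets.compare_digest(pending[1], nonce)):
            raise SessionError("replayed, forged or out-of-order submission")
        session["pending"] = None                  # single use: defeats replay
        session["completed"].append(step)
        return list(session["completed"])


def rejected(fn, *args) -> bool:
    """True if the call is refused with SessionError."""
    try:
        fn(*args)
    except SessionError:
        return True
    return False


def demo() -> dict:
    """Walk the flow once with a controllable clock and record each outcome."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    ip, other_ip = "192.0.2.10", "198.51.100.7"    # constructed (TEST-NET) addresses
    sid = store.create("alice", ip)
    results = {}
    results["skip_ahead"] = rejected(store.issue_step_token, sid, ip, "change_password")
    nonce = store.issue_step_token(sid, ip, "login")
    results["login"] = store.complete_step(sid, ip, "login", nonce)
    results["replay"] = rejected(store.complete_step, sid, ip, "login", nonce)
    results["hijack"] = rejected(store.issue_step_token, sid, other_ip, "verify")
    results["forged_id"] = rejected(store.issue_step_token, secrets.token_urlsafe(32), ip, "verify")
    now[0] += SESSION_TTL_SECONDS + 1
    results["expired"] = rejected(store.issue_step_token, sid, ip, "verify")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} {outcome}")
```

The important property is that every decision is made from state the server holds; nothing the client sends (id, step name, token) is trusted until it matches that state.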

Reporting

XML/HTML Based

Manual Hack Attack Log w/ Descriptor

Common Directory Force Browsing

Common Log File Force Browsing

Backup File Force Browsing

Spider Log

Spider XML Log

Attempts XML Log

A few quick things to help secure a web application.

Do Not Trust Client-Side Data.

Escape and filter all input/output data.

Set up parameter and request method allow lists.

Don’t use what you're not expecting to receive.

Thank You! BlackHat and Attendees

Questions? Jeremiah Grossman

jeremiah@whitehatsec.com

WhiteHat Security

All presentation updates will be available on

www.whitehatsec.com

and

community.whitehatsec.com