Jeroen van Beek & Mark Bergman - POEMS project
Why bother?
Causes of data breaches
OWASP Top ten attacks
Now what?
Do it yourself
Questions?
In many cases the web application stores:
◦ Credit card details
◦ Personal information
◦ Passwords that also might be used elsewhere
Media likes hacks
◦ Your company doesn’t…
Governments want to enforce data protection
◦ USA
◦ Europe soon?
Your company doesn’t like that
In many cases caused by technical issues:
◦ Poor/no input filtering
◦ Outdated software with known weaknesses
◦ Weak passwords
Non-techies are creating technical solutions:
◦ Click and play enterprise website
◦ Not aware of security issues
Techies are also not always aware
◦ What about you?
In many cases the issues are quite easy to solve
◦ If you know what to do…
The same issues keep on coming back
◦ People make the same mistakes over and over again…
Open Web Application Security Project (OWASP):
◦ Free and open
◦ Top ten project
  Documents the 10 most critical webapp security flaws
  http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  Latest version: 2013
◦ Documents solutions
  For all popular webapp environments
E.g. contact form forwards you to the home page after submitting your message
◦ http://www.example.com/redirect.jsp?url=/home.htm
Malicious URLs might be used
◦ http://www.example.com/redirect.jsp?url=malware.com
◦ Download malware from external site after submitting form
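The fix for the redirect.jsp example is to validate the url parameter on the server before redirecting. The following is an added example, not code from the slides: it accepts only same-site relative paths and falls back to /home.htm (the slide's own target) for anything that names a scheme or a host, including the protocol-relative "//malware.com" form. The function and parameter names are assumptions.

```python
from urllib.parse import urlsplit

# Added example (not from the slides): validating the "url" parameter of a
# redirect endpoint such as redirect.jsp?url=... before issuing the redirect.
# The fallback "/home.htm" is taken from the slide's example; the function
# names are assumptions.

DEFAULT_TARGET = "/home.htm"


def safe_redirect_target(url, default=DEFAULT_TARGET):
    """Return a local path that is safe to redirect to, or the default.

    Only same-site relative paths pass: no scheme, no host, and no leading
    "//" or "/\\" (browsers treat both as the start of a new host).
    """
    if not url:
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return default          # absolute URL -> external site, refuse
    path = parts.path
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return default          # "malware.com" or protocol-relative "//malware.com"
    if "\\" in path or any(ord(c) < 0x20 for c in url):
        return default          # backslashes / control characters confuse URL parsers
    # rebuild from the parsed pieces so the Location header never carries a host
    target = path
    if parts.query:
        target += "?" + parts.query
    return target


def redirect_response(url_param):
    """What a redirect.jsp-style handler would answer (constructed response)."""
    return {"status": 302, "Location": safe_redirect_target(url_param)}
```

Rebuilding the target from the parsed path and query, instead of echoing the original string, is what keeps a crafted value from smuggling a host part past the checks.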
Keep your software up-to-date
◦ Patching doesn’t stop at operating system level!
  Database
  Web server
  Libraries
  …
Lots of automated tools available
◦ Mapping: nmap, masscan, zmap, …
◦ Scanning: Nessus, Nexpose, …
◦ Exploiting: Metasploit, Core Impact, CANVAS, …
◦ Script kiddies can and will do this!
Cross Site Request Forgery
Inject code that:
◦ Runs in the victim’s browser
◦ Opens a session to a vulnerable 3rd party service
  Using the victim’s credentials
Example:
◦ Insert a money transfer in a page
  Forum post
  Email message (phishing)
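The standard defence against the forged money transfer is a synchronizer token: the server derives a per-session token from a secret only it knows, puts it in its own forms, and refuses state-changing POSTs that do not carry it. The browser will attach the victim's cookie to a request triggered from a forum post or phishing mail, but the page on the other site cannot read or forge the token. The code below is an added example, not from the slides; the request format, the handler and SERVER_SECRET are constructed.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): synchronizer-token CSRF protection.
# SERVER_SECRET is a constructed placeholder; in a real deployment it is loaded
# from configuration and never sent to the client.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id, secret=SERVER_SECRET):
    """Token bound to the session, so a token from the attacker's own session is useless."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, presented, secret=SERVER_SECRET):
    expected = csrf_token_for(session_id, secret)
    return hmac.compare_digest(expected, presented or "")


def handle_transfer(request):
    """Constructed money-transfer handler: cookie + POST fields in a dict.

    Returns the outcome as a status string so the decision can be checked.
    """
    session_id = request.get("cookie_session")
    if not session_id:
        return "401 not logged in"
    if request.get("method") != "POST":
        return "405 state change must be POST"   # a GET link in a mail or post never transfers
    form = request.get("form", {})
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return "403 missing or wrong CSRF token"
    return "200 transferred {} to {}".format(form["amount"], form["to"])


def sample_requests():
    """Constructed: the legitimate form submission and a forged cross-site one."""
    sid = "victim-session-123"
    legit = {"cookie_session": sid, "method": "POST",
             "form": {"to": "savings", "amount": "50", "csrf_token": csrf_token_for(sid)}}
    forged = {"cookie_session": sid, "method": "POST",        # browser attaches the cookie...
              "form": {"to": "attacker", "amount": "5000"}}   # ...but the token is absent
    return legit, forged
```

Insisting on POST for state changes and on the token for every POST covers both the image-tag style GET trick and the auto-submitting form; a SameSite cookie attribute adds a second, browser-enforced layer.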
Server side authorization checks are not performed on all actions
Attacks:
◦ Escalate from anonymous user to authenticated user
◦ Escalate from authenticated user to admin
Examples:
◦ If /users/user1/show_accounts/ exists, it might be worth checking if /users/userN/show_accounts/ also exists
Difficult to identify with automated tools
Hidden and unchecked parameter:
◦ Add to POST data when updating a user: &ctl00%24ContentPlaceHolder1%24dvUser%24cbxUserAdmin=on
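Both slides come down to the same server-side rule: every action checks the caller's identity and role, and a handler only copies fields it explicitly allows out of the request. The example below is added here and is not from the slides: show_accounts enforces ownership on the /users/<name>/show_accounts/ URL from the slide, and update_user ignores any field outside an allow-list, so the hidden cbxUserAdmin parameter changes nothing. The user store and field names are constructed.

```python
from urllib.parse import parse_qs

# Added example (not from the slides): function-level access control plus an
# allow-list for updatable fields. USERS is a constructed in-memory user store.
USERS = {
    "user1": {"is_admin": False, "email": "user1@example.invalid", "accounts": ["NL01"]},
    "user2": {"is_admin": False, "email": "user2@example.invalid", "accounts": ["NL02"]},
    "admin": {"is_admin": True, "email": "admin@example.invalid", "accounts": []},
}

UPDATABLE_BY_USER = {"email"}     # fields a user may change about themselves


def show_accounts(caller, target):
    """GET /users/<target>/show_accounts/ -> (status, accounts).

    caller is the authenticated session user (None for anonymous)."""
    if caller is None:
        return 401, []                        # anonymous: never served
    if target not in USERS:
        return 404, []
    if caller != target and not USERS[caller]["is_admin"]:
        return 403, []                        # user1 asking for userN
    return 200, USERS[target]["accounts"]


def update_user(caller, target, post_body):
    """POST update: parse the form, then apply only allow-listed fields."""
    if target not in USERS:
        return 404, {}
    if caller != target and not USERS[caller]["is_admin"]:
        return 403, {}
    form = {k: v[-1] for k, v in parse_qs(post_body).items()}
    allowed = UPDATABLE_BY_USER | ({"is_admin"} if USERS[caller]["is_admin"] else set())
    ignored = sorted(set(form) - allowed)     # worth logging: a probe for hidden parameters
    for field in allowed & set(form):
        value = form[field]
        USERS[target][field] = (value == "on") if field == "is_admin" else value
    return 200, {"record": dict(USERS[target]), "ignored_fields": ignored}
```

The ignored_fields list is the detection hook: a normal browser submits only the fields the form contains, so unexpected keys such as the cbxUserAdmin one from the slide are a signal in the application log.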
Problem can also occur with ‘secret’ files:
Secure transport: Sending sensitive information over an unencrypted link
◦ No encryption / obfuscation
◦ Weak encryption
◦ Downgrade attacks
Check for no encryption / obfuscation
◦ Sniff data
GET http://target/INSTALL.pgsql.txt HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: target
Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx=
Connection: Close
Pragma: no-cache
Referer: http://target/robots.txt
Secure transport: Weak transport encryption
◦ Allowed SSL ciphers
  Known flaws in SSLv2
  SSLv2 still enabled in many cases
  Weak ciphers can be cracked
  openssl s_client -no_tls1 -no_ssl3 -connect www.google.com:443
◦ Weak algorithms
  E.g. MD5, SHA-1
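The openssl s_client command above probes a server from the outside. The server-side counterpart is a TLS configuration that refuses the old protocol versions and the weak suites. The following is an added example using Python's ssl module, not code from the slides: it builds a server context with a TLS 1.2 floor and an explicit cipher string, and audits the enabled suites against a name-based weak-cipher policy. That policy (WEAK_MARKERS) is a constructed list, not an official one.

```python
import ssl

# Added example (not from the slides): server-side TLS hardening and a check of
# the resulting cipher list. WEAK_MARKERS is a constructed policy keyed on
# OpenSSL suite names (RC4, MD5, DES/3DES, NULL, export and anonymous suites).
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH", "RC2")


def is_weak_cipher(name):
    """True if the OpenSSL cipher-suite name shows a weak, anonymous or export algorithm."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def hardened_server_context():
    """A server context with SSLv2/SSLv3/TLS 1.0/1.1 and weak suites disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: forward-secret AEAD suites only; "!" removes a class outright
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx):
    """Report the protocol floor and which enabled suites fail the weak-cipher policy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "enabled": names,
        "weak": [n for n in names if is_weak_cipher(n)],
    }
```

audit_context is the kind of check to run in a deployment test: if "weak" is ever non-empty after a library or OS upgrade, the cipher string no longer does what it did.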
Secure transport: Downgrade attacks
◦ Strip SSL layer: sslstrip
  http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
  http://www.youtube.com/watch?v=Dd5qGS-5C0I
◦ Hijack e.g. Facebook and Twitter sessions: Firesheep
  http://codebutler.github.com/firesheep/
  http://www.youtube.com/watch?v=O3NAM8oG1WM
Secure storage:
◦ Not encrypting sensitive data
◦ Using home grown algorithms
◦ Insecure use of strong algorithms
◦ Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, …)
◦ Hard coded keys, and storing keys in unprotected environments
Real-life example (screenshot of a stored password column; annotations on the slide: “same passwords”, “<password>1 <password>2 …”, “different length passwords”)
How to decode the passwords?
◦ Create your own account
◦ Password = ‘aaaaaaaa’
  Store password hash, e.g. \01\02\03\04\05\06\07\08
◦ Password = ‘bbbbbbbb’
  Store password hash, e.g. \02\03\04\05\06\07\08\09
◦ Etc.
◦ Find the link password ↔ hash
◦ Write a decoder
    for (i = 0; i < in.length(); i++)
        print (alfabet(in.position(i) + i))
◦ Decode all passwords
◦ Dump sensitive information
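The two observations on the slide fix the scheme: stored[i] = index(char) + 1 + i, a keyless, position-dependent shift that any reader of the database can undo. The example below is added here and is not from the slides or the site in question: it reconstructs that encoding from the samples, shows the decoder the slide sketches, and puts a salted PBKDF2 store next to it for contrast. ALFABET is an assumed alphabet; the real site's is not known from the slide.

```python
import hashlib
import hmac
import os

# Added example (not from the slides). ALFABET is an assumption; the slide only
# shows that 'a' maps to \01 and 'b' to \02 in position 0.
ALFABET = "abcdefghijklmnopqrstuvwxyz"


def weak_store(password):
    """The site's reversible 'hash', inferred from the slide's two samples."""
    return bytes(ALFABET.index(c) + 1 + i for i, c in enumerate(password))


def decode(stored):
    """The slide's decoder: undo the per-position shift, look the index up."""
    return "".join(ALFABET[b - 1 - i] for i, b in enumerate(stored))


def is_reversible_encoding(samples):
    """If decode(store(p)) == p for every sample, the 'hash' is an encoding, not a hash."""
    return all(decode(stored) == pw for pw, stored in samples.items())


# What to store instead: a salted, slow password hash. The verifier needs the
# salt and the digest, never the password, and the digest cannot be walked back.
def proper_store(password, iterations=200_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt + digest


def proper_verify(password, stored, iterations=200_000):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

Two properties separate the two halves: the weak store gives identical output for identical passwords (the "same passwords" annotation on the screenshot) and leaks the length, while the salted hash produces a different value every time and has a fixed length regardless of the password.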
Out of the box installs
◦ Next, next, next, finish
Find it using Google:
◦ Web front-end for Oracle
  intitle:iSQL intitle:Release inurl:isqlplus
◦ Indexing of sensitive information
  intitle:"Index of" .mysql_history
  filetype:pdf paspoortnummer koopcontract
  filetype:sql "phpMyAdmin SQL Dump"
◦ Many many useful Google Dorks online
  http://www.hackersforcharity.org/ghdb/
Default passwords
◦ E.g. https://cirt.net/passwords
◦ Check manuals
iPhone botnet
◦ Default SSH password after jailbreak
Routers
User can access and modify object values
Example:
◦ Login using your credentials
◦ Link refers to http://app/details?userid=1
◦ Script download of all files userid=[1-9999]
Hashing doesn’t help
◦ http://tools.benramsey.com/md5/
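The fix for details?userid=N is an ownership check against the session, not an obscured identifier. The example below is added here and is not from the slides: details serves an object only to its owner, and build_md5_lookup shows why "hashing doesn't help": with ids in [1-9999] the whole md5 table is computed in a moment, so a hashed parameter maps straight back to its id. The file store and owners are constructed.

```python
import hashlib

# Added example (not from the slides). FILES and OWNER are a constructed object
# store: object id -> file name and object id -> owning user.
FILES = {1: "report-1.pdf", 2: "report-2.pdf", 3: "report-3.pdf"}
OWNER = {1: "alice", 2: "bob", 3: "alice"}


def details(session_user, requested_id):
    """GET details?userid=<requested_id>: serve only objects the caller owns."""
    if requested_id not in FILES:
        return 404, None
    if OWNER[requested_id] != session_user:
        return 403, None      # a userid=[1-9999] loop stops here for every foreign object
    return 200, FILES[requested_id]


def md5_id(user_id):
    """An 'obscured' parameter of the kind the slide says does not help."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def build_md5_lookup(limit=9999):
    """md5(id) -> id for the whole id range; the obscuring is undone once, for all ids."""
    return {md5_id(i): i for i in range(1, limit + 1)}


def resolve_hashed_param(hashed, table):
    return table.get(hashed)
```

If the identifiers must be unguessable for other reasons, a random per-object token works; but even then the ownership check in details stays, because a leaked token is the same problem as a guessed id.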
Cross Site Scripting
◦ Execute scripts in the victim’s browser
  Hijack user sessions
  Deface web sites
  Insert hostile content
  Conduct phishing attacks
  Take over the user’s browser using scripting malware
◦ In most cases JavaScript based
  Also applicable to other scripting languages
Two types:
◦ Reflective
  Code injected by e.g. sending phishing email
  victim.com/get.php?id=<script>alert(123)</script>
  E.g. one phishing email per attack
◦ Stored
  Evil code is stored in the database
  Store once, run for all users
  E.g. store <script>alert(123)</script> in record for welcome message of CMS
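For both the reflective and the stored case the defence is the same: encode for the output context at the moment the value is written into the page. The example below is added here and is not from the slides: it renders the get.php?id=... parameter raw and encoded, handles a URL-attribute context separately, and applies the same encoder to a CMS welcome message read from a constructed database. The page templates and headers are assumptions.

```python
import html
from urllib.parse import quote

# Added example (not from the slides): contextual output encoding against XSS.
# Templates, the WELCOME_DB row and SECURITY_HEADERS are constructed.


def render_unsafe(id_param):
    """Reflective XSS: the parameter lands in the HTML unchanged."""
    return "<p>Results for id {}</p>".format(id_param)


def render_safe(id_param):
    """HTML-body context: '<' becomes '&lt;' and '\"' becomes '&quot;', so no tag or attribute is created."""
    return "<p>Results for id {}</p>".format(html.escape(id_param, quote=True))


def render_link_safe(id_param):
    """URL-in-attribute context: percent-encode for the URL, then attribute-encode."""
    encoded = html.escape(quote(id_param, safe=""), quote=True)
    return '<a href="/get.php?id={}">next</a>'.format(encoded)


WELCOME_DB = {"welcome": "<script>alert(123)</script>"}   # constructed stored payload


def render_welcome_safe(db=WELCOME_DB):
    """Stored XSS: encode on output, whatever was accepted at input time."""
    return "<h1>{}</h1>".format(html.escape(db["welcome"], quote=True))


def contains_script_tag(markup):
    return "<script" in markup.lower()


# Defence in depth: a CSP without 'unsafe-inline' stops an inline script even
# where an encoding step was missed.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}
```

The point of render_link_safe is that one encoder is not enough: a value inside an href needs URL encoding first, otherwise a javascript: scheme survives HTML escaping intact.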
Advanced tools are out there to abuse flaws
◦ Tunnel traffic using XSS
  http://www.portcullis-security.com/uplds/whitepapers/XSSTunnelling.pdf
  http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip
Broken authentication and session management
Predictable session IDs allow an attacker to:
◦ Disconnect all users
◦ Hijack existing sessions
Weak implementations typically use:
◦ Sequential numbers
◦ Hash of sequential numbers
◦ Time elapsed since starting of server / service
C:\tmp>java DateDiff
Current milliseconds since 13 Oct, 2008 are:1290008271842
sessionsID part 2: 695042 ms = 695 sec = 11 min = 0 hours = 0 days
sessionsID part 2: 216006786 ms = 216006 sec = 3600 min = 60 hours = 2 days
sessionsID part 2: 218364694 ms = 218364 sec = 3639 min = 60 hours = 2 days
sessionsID part 2: 218708589 ms = 218708 sec = 3645 min = 60 hours = 2 days
sessionsID part 2: 218964423 ms = 218964 sec = 3649 min = 60 hours = 2 days
sessionsID part 2: 219049296 ms = 219049 sec = 3650 min = 60 hours = 2 days
Boot time in ms = 1292191288000
sessionsID part 1: 3467281656 ms = 3467281 sec = 57788 min = 963 hours = 40 days
Reference time for part 1 = 1286540990186 + ms = date Fri Oct 08 14:29:50 CEST 2010
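The DateDiff output shows the analysis behind the slide: both parts of the session ID are millisecond counters, so anyone who knows roughly when the server booted and when a user logged in is choosing between a few million values rather than 2^128. The example below is added here and is not the authors' DateDiff program: describe_ms reproduces the "ms = sec = min = hours = days" breakdown from the output, weak_session_id is a constructed stand-in for such a time-based scheme, and strong_session_id is what to use instead.

```python
import secrets

# Added example (not from the slides). BOOT_TIME_MS mirrors the "Boot time in ms"
# value printed on the slide; the weak id layout is a constructed illustration.


def describe_ms(ms):
    """The breakdown the DateDiff output prints for one counter (integer division)."""
    sec = ms // 1000
    minutes = sec // 60
    hours = minutes // 60
    days = hours // 24
    return "{} ms = {} sec = {} min = {} hours = {} days".format(ms, sec, minutes, hours, days)


BOOT_TIME_MS = 1292191288000


def weak_session_id(now_ms, boot_ms=BOOT_TIME_MS):
    """Constructed weak scheme: part 1 = ms since boot, part 2 = ms of the login moment."""
    since_boot = now_ms - boot_ms
    return "{}{:06d}".format(since_boot, now_ms % 1_000_000)


def candidates_for_window(window_seconds):
    """Size of the search space for a weak id issued inside a known time window:
    one candidate per millisecond, versus 2**128 for a random 16-byte id."""
    return window_seconds * 1000


def strong_session_id():
    """128 bits from the OS CSPRNG: unrelated to time, sequence or any other id."""
    return secrets.token_urlsafe(16)
```

candidates_for_window(3600) is 3.6 million, which is the scale the DateDiff output implies; the comparison with 2**128 is the argument for replacing the generator rather than adding more timestamp digits.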
SQL-injection
Also applicable for other languages
User input is directly used in a query
◦ Manipulation of database query
◦ User input ‘search’ = jeroen
◦ Backend uses select details from users where name='jeroen'
◦ Attacker input ‘search’ = jeroen' or 1=1--
◦ Backend uses select details from users where name='jeroen' or 1=1
  Display all records
Advanced tools are out there to abuse flaws
◦ File upload
◦ File download
◦ OS command execution
◦ …
sqlmap
◦ http://sqlmap.sourceforge.net/
◦ http://www.youtube.com/watch?v=ylttGlSkrGU
◦ Tunnel shell over http using SQL-injection!
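The slide's query run both ways, as an added example that is not from the slides: against a constructed SQLite table, string concatenation turns the input jeroen' or 1=1-- into the filter name='jeroen' or 1=1 and returns every row, while the parameterised version sends the value separately and finds nobody of that name. Table contents and function names are constructed.

```python
import sqlite3

# Added example (not from the slides): the slide's search query, vulnerable and fixed.
ATTACK_INPUT = "jeroen' or 1=1--"   # the slide's example input


def make_db():
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, details text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("jeroen", "details of jeroen"), ("mark", "details of mark"), ("admin", "details of admin")],
    )
    return conn


def search_vulnerable(conn, search):
    """As on the slide: the user's input is pasted into the SQL text."""
    sql = "select details from users where name='" + search + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, search):
    """The fix: the driver binds the value; quotes inside it have no SQL meaning."""
    return [row[0] for row in conn.execute("select details from users where name=?", (search,))]
```

Parameterisation is the structural fix; escaping quotes by hand fails on numeric contexts and on driver-specific quoting rules, which is exactly where tools such as sqlmap look.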
Combination of several OWASP top 10 items
Live internet sites
Attack tool = internet browser only
Only using publicly indexed and accessible data
Detection:
◦ Detection of well-known attacks using IDS
◦ Check web server logs
◦ Check network flows
◦ Difficult to detect all attacks!
Prevention:
◦ Use good practices
  http://www.owasp.org/index.php/Category:OWASP_Guide_Project
◦ Review and/or test the application before going live
  Source code review
  http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
  Penetration test
  http://www.owasp.org/index.php/Category:OWASP_Testing_Project
  http://www.owasp.org/index.php/Appendix_A:_Testing_Tools
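"Check web server logs" in practice means running a few patterns over the access log. The example below is added here and is not from the slides: a small detector over constructed Apache-style log lines that flags the request patterns covered in the talk (SQL injection, reflected XSS, open redirects) and a client walking sequential userid values into 403 responses. The patterns are a starting point; as the slide says, encoded or novel attacks will slip past them.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Added example (not from the slides): pattern detection over web server logs.
# SAMPLE_LOG is constructed; the rules are illustrative, not an exhaustive ruleset.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

RULES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<script|javascript:|onerror=", re.I),
    "open_redirect": re.compile(r"[?&](url|redirect|next)=(https?:|//)", re.I),
}

SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2010:14:29:50 +0200] "GET /get.php?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [08/Oct/2010:14:30:01 +0200] "GET /search?q=jeroen%27%20or%201=1-- HTTP/1.1" 200 9120
10.0.0.9 - - [08/Oct/2010:14:30:05 +0200] "GET /get.php?id=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [08/Oct/2010:14:30:07 +0200] "GET /redirect.jsp?url=http://malware.example HTTP/1.1" 302 0
10.0.0.7 - - [08/Oct/2010:14:31:00 +0200] "GET /details?userid=1 HTTP/1.1" 200 300
10.0.0.7 - - [08/Oct/2010:14:31:01 +0200] "GET /details?userid=2 HTTP/1.1" 403 0
10.0.0.7 - - [08/Oct/2010:14:31:02 +0200] "GET /details?userid=3 HTTP/1.1" 403 0
10.0.0.7 - - [08/Oct/2010:14:31:03 +0200] "GET /details?userid=4 HTTP/1.1" 403 0
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(url):
    """Rule names matching the URL-decoded request; decoding first defeats simple %-encoding."""
    decoded = unquote_plus(url)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def detect(log_text, enum_threshold=3):
    """Return per-rule hits and the IPs that walk sequential ids and collect 403s."""
    hits = []
    forbidden_by_ip = Counter()
    ids_by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for tag in classify(rec["url"]):
            hits.append((rec["ip"], tag, rec["url"]))
        m = re.search(r"[?&]userid=(\d+)", rec["url"])
        if m:
            ids_by_ip.setdefault(rec["ip"], []).append(int(m.group(1)))
            if rec["status"] == "403":
                forbidden_by_ip[rec["ip"]] += 1
    enumerators = [
        ip for ip, ids in ids_by_ip.items()
        if len(set(ids)) >= enum_threshold and forbidden_by_ip[ip] >= enum_threshold - 1
    ]
    return {"hits": hits, "enumerators": enumerators}
```

The enumeration rule only works because the application from the earlier slides answers 403 for foreign objects: detection and the server-side authorization check reinforce each other, and an application that serves every id leaves nothing in the log to find.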
Hacking is not allowed
◦ “Wet Computer Criminaliteit”
◦ Testing without breaking in is also not allowed
If you want to test your (organization’s) apps:
◦ Use a letter of authorization
  Document the type of activities you will be performing
  Document the IPs that will be tested
  Signed by the system’s owner
Hands on hacking environment
◦ Ten web based levels
◦ Six platform based levels
◦ In each level you can find a password
  Password gives access to the next level
◦ You need to exploit a weakness to get the password
◦ Most OWASP top ten issues are included
◦ We’ll show hints on the screen to help you
  If needed ;)
Work in teams
We explicitly allow you to hack the system
More hands on hacking:
◦ Hacking Exposed books
  http://www.webhackingexposed.com/products.html
◦ Certified Ethical Hacker
  https://www.eccouncil.org/certification/certified_ethical_hacker.aspx
Jeroen van Beek - jeroen dexlab.nl
Mark Bergman – mark bergman.nl