Renaud Bidou & Mohammad Shams - Hijacking web servers & clients
Hijacking Web Servers & Clients
New generation threats and mitigation
Renaud Bidou - CTO
Mohammad Shams - Director, ME Operations
DenyAll - Securing and Optimizing your Applications
DenyAll & RECRO-NET
- French WAF vendor, pioneer since 2001
- Headquarters: Paris
- More than 200 large clients all over the world
  - 40% of the EuroStoxx 50
  - 35% of the CAC 40
- Partnerships with major players
  - RECRO-NET (Middle East, Central Europe)
  - HP (Iberia, South America)
  - British Telecom, Orange Business Services (Western Europe, North America, APAC)
- Recently listed as a prime European WAF player by Forrester, "Web Application Firewall: 2010 And Beyond" (Chenxi Wang, February 2010)
DenyAll WorldWide
(Customer map slide; the reference accounts below were each printed twice by the slide layout and are listed once.)
- DIRF, SOCIETE GENERALE, EGE, CNSS, etc.
- SOCIETE GENERALE
- ANSI, ZITOUNA BANK, MINISTERE INTERIEUR, etc.
- SOCIETE GENERALE, etc.
- SH&Co, etc.
- BNPP, etc.
- ACCOR, SOCIETE GENERALE, AREVA, etc.
- Accor, etc.
- BNP PARIBAS INSURANCE, ACCOR, etc.
- BNPP Insurance, etc.
- IP LIMITED, etc.
- SOCIETE GENERALE LUX, EBRC, CACEIS, etc.
- DANSKE BANK, KOPENHAGEN-FUR, etc.
- AKTIA BANK, etc.
- SENTOR, SVERIGE, etc.
- TOYOTA BANK, etc.
- SITEL FRIBOURG, BNP PARIBAS CH, TOTAL SA, SOCIETE GENERALE PB, STIHL, IWB, etc.
- GROUPAMA, TDN, BT, IB SALUT, SATEC CANTABRIA, JUNTA DE EXTREMADURA, etc.
- ARAG-IT, BASF-IT, ARAGO, UNIONINVEST, BROSE, BSH, ENDRESS-HAUSER, NETCONSULT, HELMICH, STADTWERKE, INVIK-BANK, JULIUS-BAR-BANK, MARKANT, BIT, STIHL, TECHEM, THURINGER, ATOS WORLDLINE, etc.
- BNP PARIBAS UK, ARVAL UK, etc.
- LA POSTE, DZ BANK, PETERCAM, etc.
- INPS, etc.
Threats: Overview
Why Application Security?
- 75% of all attacks are directed at the web application layer
- 2/3 of all web applications are vulnerable
- In the first half of 2010, web application vulnerabilities reached 50 per cent of all code flaws reported
- Most web site owners fail to scan effectively for the common flaws
- Application patching is much slower than operating system patching
Web Attacks Targets & Impacts
(Diagram: attack impacts per target, reconstructed from the slide in its left-to-right order.)
Client: Information Leak, Credentials Theft, Identity Theft, Authorization Abuses, Transaction Compromise
Web Server: Defacement, Malware Planting, Session Hijacking, Denial of Service, Bounce, Password Guess, Remote Control
Database Server: Data Theft, Data Corruption, Data Deletion, Remote Control, Persistent Injections
Application Servers / Web Services: Processes Corruption, Data Interception, Denial of Service
Hijacking Servers & Clients
(Same targets-and-impacts diagram as the previous slide.)
Threats: Keyloggers
What is a keylogger
- A program reporting every keystroke
  - Can be stored in a file
  - Can be sent over the network
- Recent keyloggers add many more features
  - Window names and field values
  - Mouse activity reports
  - Screenshots and "video"-like records
- Operating from the compromised computer
  - Encryption is ineffective: keystrokes are captured before anything is encrypted
  - No detection possible from the server side
  - Applications can be seamlessly compromised
Example: A simple keylogger
- Really simple
  - ~100 lines (including comments)
  - Based on common Windows techniques: SetWindowsHookEx(WH_KEYBOARD_LL, ...)
  - Public: code at http://batcheur.tuxfamily.org/?p=16
- Really efficient
  - Runs fine on Windows 7 (with UAC)
  - Undetected by anti-viruses
Example : A simple keylogger
Threats: Browser Compromise
Code Injection
- Makes a process execute arbitrary code; this process may be your browser
- Most common techniques
  - SetWindowsHookEx: seen before, undetected
  - CreateRemoteThreadEx & (LoadLibrary | WriteProcessMemory): the most basic, detected and blocked
  - SetThreadContext: relies on the DebugActiveProcess API; undetected, requires debug rights
- Widely documented... and used.
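The CreateRemoteThread / WriteProcessMemory route is the one the slide calls "detected and blocked", and the reason is that it leaves telemetry a defender can alert on. As an added example (not from the DenyAll deck), the Python below runs over constructed, Sysmon-style process-access (Event ID 10) and remote-thread (Event ID 8) records and flags a source that opens a browser with write-and-thread rights or starts a thread inside it. The "key=value | key=value" line format, the browser set and the allowlist are assumptions made for this example; the PROCESS_* bit values are the Win32 constants.

```python
"""Flag process-injection telemetry aimed at a browser.

Added example, not from the DenyAll deck. Event ID 8 is Sysmon's
CreateRemoteThread record and Event ID 10 its ProcessAccess record; the
'key=value | key=value' line format used below is a simplification of the real
Sysmon XML and is constructed for this example.
"""
from dataclasses import dataclass

# Process access rights from the Win32 API (PROCESS_* constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Rights an injector needs to write code into a process and start a thread there.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Targets worth watching (assumption: the browsers deployed at the site).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# Sources expected to open browsers with broad rights (constructed allowlist).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}


@dataclass
class Alert:
    event_id: int
    source: str
    target: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse 'k=v | k=v' pairs; values in this format never contain '|'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["EventID"] = int(fields["EventID"])
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(lines):
    """Return one Alert per event that looks like code injection into a browser."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        src, tgt = ev["SourceImage"], ev["TargetImage"]
        if basename(tgt) not in BROWSERS or src.lower() in ALLOWED_SOURCES:
            continue
        if ev["EventID"] == 8:
            alerts.append(Alert(8, src, tgt, "remote thread created in browser"))
        elif ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            # Only the write+thread combination enables this injection technique;
            # a read-only opener (e.g. an inventory or AV scan) is left alone.
            if (granted & INJECT_MASK) == INJECT_MASK:
                alerts.append(Alert(10, src, tgt,
                                    f"browser opened with write+thread rights (0x{granted:X})"))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    r"EventID=10 | SourceImage=C:\Users\jv\AppData\Local\Temp\update.exe"
    r" | TargetImage=C:\Program Files\Internet Explorer\iexplore.exe | GrantedAccess=0x1F0FFF",
    r"EventID=10 | SourceImage=C:\Windows\System32\csrss.exe"
    r" | TargetImage=C:\Program Files\Internet Explorer\iexplore.exe | GrantedAccess=0x1FFFFF",
    r"EventID=10 | SourceImage=C:\Program Files\AV\scanner.exe"
    r" | TargetImage=C:\Program Files\Internet Explorer\iexplore.exe | GrantedAccess=0x1010",
    r"EventID=8 | SourceImage=C:\Users\jv\AppData\Local\Temp\update.exe"
    r" | TargetImage=C:\Program Files\Internet Explorer\iexplore.exe",
    r"EventID=8 | SourceImage=C:\Users\jv\AppData\Local\Temp\update.exe"
    r" | TargetImage=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"[event {a.event_id}] {a.source} -> {a.target}: {a.reason}")
```

Run as-is, the two update.exe events against iexplore.exe are reported and the csrss.exe, read-only scanner and notepad.exe events are not. Sysmon records nothing when SetWindowsHookEx installs a hook, so the hook-based injection the slide lists as "undetected" does not appear in this telemetry at all; that gap is exactly the slide's point.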
Browser Internals
(Layered diagram of Internet Explorer, top to bottom, with each component's role.)
IEXPLORE.EXE (Tab 1 ... Tab n) - IE user interface: bars, menus etc.
SHDOCVW.DLL / BROWSEUI.DLL - Browser control: navigation, history; exposes the ActiveX interface
MSHTML.DLL - Rendering
URLMON.DLL - MIME handling, code download, security
WININET.DLL - IP handler: HTTP & FTP
USER32.DLL - Windows UI: handles components
KERNEL32.DLL - Base API: calls the NTDLL API
NTDLL.DLL - Native API: OS user-mode components
~200,000 function calls at IE launch: you cannot monitor everything
Browser Attack Surface
(The browser layers from the previous slide, annotated with what code injected into each one gains.)
IEXPLORE.EXE (Tab 1 ... Tab n)
SHDOCVW.DLL / BROWSEUI.DLL - control navigation
MSHTML.DLL - control display
URLMON.DLL - alter security policy
WININET.DLL - communicate...
An example
- Legitimate action
  - Bank client JV (account 5204320422040001)
  - Transfers 100 $ to bank client JM (5204320422040003)
- Malware injected into the browser
  - Modifies content
  - Funds are transferred to bank user JC (5204320422040005) instead
Example : A simple keylogger
Threats: Servers Compromise
What is Cross-Site Scripting
- Client-side executed code injection
  - A variant of HTML injection
  - Based on JavaScript code execution
- Two possible vectors
  - Volatile XSS: generated through a malicious link
  - Persistent XSS: malicious code is stored on the server
- Oldie but goodie
  - In the wild for more than 10 years
  - Improved together with browser & JavaScript capabilities
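Both vectors come down to the same server-side defect: untrusted text is concatenated into the page without being encoded for the HTML context it lands in. As an added example (not from the deck), the Python below renders a search page with a constructed comment store, once the vulnerable way and once with HTML entity encoding. The volatile input arrives as the query parameter of a crafted link; the persistent one is a comment an attacker stored earlier and every later visitor receives. The page layout, the comment store and the helper names are constructed for this example.

```python
"""Reflected ('volatile') vs stored ('persistent') XSS in a toy page renderer.

Added example, not from the deck. render_unsafe() inlines untrusted strings the
way a vulnerable page does; render_safe() entity-encodes every untrusted value
for the HTML body context. Inputs and page layout are constructed.
"""
from html import escape

# The deck's usual proof-of-concept payload.
PAYLOAD = "<script>alert('XSS')</script>"


def render_unsafe(search_term: str, comments: list) -> str:
    """Vulnerable: the query parameter and the stored comments are inlined verbatim."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<p>Results for {search_term}</p><ul>{items}</ul>"


def render_safe(search_term: str, comments: list) -> str:
    """Hardened: every untrusted value is entity-encoded (<, >, &, quotes) at output time."""
    items = "".join(f"<li>{escape(c, quote=True)}</li>" for c in comments)
    return f"<p>Results for {escape(search_term, quote=True)}</p><ul>{items}</ul>"


def has_script_element(document: str) -> bool:
    """True if the document contains a live <script ...> element."""
    return "<script" in document.lower()


# Constructed inputs.
REFLECTED_QUERY = PAYLOAD                    # volatile: from a link like /search?q=<script>...
STORED_COMMENTS = ["Nice article", PAYLOAD]  # persistent: second entry was saved by an attacker

if __name__ == "__main__":
    print("volatile, unsafe :", has_script_element(render_unsafe(REFLECTED_QUERY, [])))
    print("persistent, unsafe:", has_script_element(render_unsafe("shoes", STORED_COMMENTS)))
    print("both, safe        :", has_script_element(render_safe(REFLECTED_QUERY, STORED_COMMENTS)))
    print(render_safe(REFLECTED_QUERY, STORED_COMMENTS))
```

Note that the stored variant fires even for a benign query ("shoes"), which is what makes it persistent. Body-context entity encoding is the right fix for this page, but it is context-specific: a value placed inside an attribute, a script block or a URL needs the encoder for that context, and encoding belongs at output time rather than at storage time so that data already in the database is covered too.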
Impacts of XSS
- Full control of the compromised browser through JavaScript
  - Cookie theft
  - Information gathering regarding the client browser
  - Redirection to an alternate/competing/malicious site
  - Port scan from the client
  - Proxy on the client's network
  - Flashmob DDoS
- Exploitation of JavaScript capabilities
  - Propagation thanks to JavaScript web transaction capabilities
  - Dynamic/polymorphic code generation
Dangers of XSS
- Hard to detect
  - Volatile XSS can only be detected through log file analysis
  - Persistent XSS tracking is getting more complicated with polymorphic code
  - Numerous advanced JavaScript obfuscation techniques
- More and more powerful
  - Complete control of remote browsers
  - Networking operations (see CSRF)
  - Next generation of botnets
  - Considered the buffer overflow of the beginning of the 21st century
- Unrecognized
  - Most people think XSS is limited to cookie theft
  - Bang. You're dead.
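The first bullet is worth turning into a concrete check: a volatile XSS attempt leaves nothing on the server except the request that carried it, so the access log is where it can be found. As an added example (not from the deck), the Python below parses constructed Apache combined-format log lines, peels URL encoding (including the double encoding used to slip past naive filters) and flags the script-injection markers in the request path. The log lines, addresses, paths and marker list are constructed for this example.

```python
"""Spot reflected ('volatile') XSS attempts in web server access logs.

Added example, not from the deck. The slide notes that volatile XSS leaves no
trace on the server except the request itself, so the access log is the place
to look. The log lines below are constructed in Apache combined format.
"""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers that indicate script injection once the path has been decoded.
XSS_SIGNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handlers
    re.compile(r"javascript\s*:", re.I),   # script URLs in redirect parameters
    re.compile(r"<\s*(iframe|img|svg)\b", re.I),
]


def decode(path: str) -> str:
    """Peel up to three layers of URL encoding so %253C (double-encoded '<') is exposed."""
    value = path
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode(m["path"])
    hits = [p.pattern for p in XSS_SIGNS if p.search(decoded)]
    if not hits:
        return None
    return {"ip": m["ip"], "path": decoded, "signs": hits, "status": int(m["status"])}


def scan(lines):
    """Findings for every line that carries an injection marker, in log order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed log lines (documentation-range addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] '
    '"GET /search?q=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2010:13:56:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2010:13:57:12 +0000] '
    '"GET /profile?name=%253Cscript%253Ealert(%2527XSS%2527)%253C/script%253E HTTP/1.1" 200 700',
    '192.0.2.9 - - [10/Oct/2010:13:58:40 +0000] "GET /login?next=javascript:alert(1) HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["path"], finding["signs"])
```

A marker list like this is a triage aid for the log review the slide recommends: it catches the plain and double-encoded proof-of-concept but misses the obfuscated and polymorphic payloads the next bullets warn about, and it sees only what was sent in the URL (POST bodies are not in the access log). It complements output encoding in the application; it does not replace it.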
101 XSS exploitation
- Usual PoC
  - Inject <script>alert('XSS')</script>
  - Volatile and harmless XSS
  - Used in most pentests
  - Generates a popup in the "compromised" browser
Real XSS Exploitation Method
- Up to a 4-player game
  - The Hacker: the very bad guy
  - The Goat: the XSS-vulnerable website
  - The Victim: an innocent user whose browser will be compromised
  - The Relay: a compromised or malicious website (optional)
- 3-player game rules
  1. The Hacker finds an XSS vulnerability on The Goat and exploits it
     - Designs a script which will be executed on The Victim
  2. The Victim goes to the compromised page on The Goat
     - Via a malicious link (volatile)
     - Directly on the page (persistent)
  3. The script is executed by The Victim
     - The script may force a connection to The Relay to send back information
4-player game schema
1. Hacker compromises Relay
2. Hacker exploits XSS vulnerability
3. Victim goes to compromised page
4. Malicious JavaScript is loaded on Victim
5. Victim executes JavaScript
6. Victim sends information to Relay
7. Information sent back to Hacker
8. Relay sends new commands to Victim
PoC - The XSS Popup
Command sent to the client: alert("Gotcha")
Portscan
- A JavaScript port scanner is loaded in an invisible iframe
- The Victim performs the scan
- Results are sent through a request
  - Made in the invisible iframe
  - Collected on the malicious server
- The Victim sees nothing
- The scanned host doesn't have any clue regarding the real attacker
Redirection
- The Victim is silently redirected to another web page
- Could be a similar page
  - Used to steal authentication credentials
- Could be a competitive
Thank you for your valuable time
Q&A
(Distributor for Middle East & SE Europe)
2702A Business Central Towers, Dubai Internet City, PO Box 503012, Dubai, United Arab Emirates
Tel: 04-3754306
E-mail: [email protected]