"The Web Is Broken" by Bipin Upadhyay
-
Upload
bipin-upadhyay -
Category
Technology
-
view
5.181 -
download
2
description
Transcript of "The Web Is Broken" by Bipin Upadhyay
The Web Is BrokenWhy every feature is, in fact, a loophole!
Bipin Upadhyay http://projectbee.org
The first matrix I designed was quite
naturally, perfect. It was a work of art.
Flawless. Sublime. A triumph only equaled by
its monumental failure.
Bipin Upadhyay http://projectbee.org
RoadMap
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Bipin Upadhyay http://projectbee.org
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Bipin Upadhyay http://projectbee.org
Who Am I?
• I am SpiderMan
• Apart from that, I:– am a part of ADMS
– work on WebAppSec
– am co-author of a yet to be released book
• I can be pinged @:– http://blog.projectbee.org
– Om-[AT]-PROJectBee-[DOT]-org
Bipin Upadhyay http://projectbee.org
Web 1.0 versus Web 2.0
Bipin Upadhyay http://projectbee.org
Technologies Involved
Bipin Upadhyay http://projectbee.org
Fundamentals
Fundamentals,
less or more, still the same
Bipin Upadhyay http://projectbee.org
Fundamentals…
Database
Web server(Server side scripts like
PHP, ASP, JSP etc.)
Database
User User
Firewall / IDSFirewall / IDS
Bipin Upadhyay http://projectbee.org
Network Sec. versus Web Sec.
Ports
Firewall/IDS/IPS
80
443
0
65535
Web ServerAttacker
Bipin Upadhyay http://projectbee.org
Network Sec. versus Web Sec…
Ports
Firewall/NATed IP
0
65535Malicious OR Compromised Web Server
Victim
Bipin Upadhyay http://projectbee.org
How serious is the matter!
• 90% of web applications have serious vulnerabilities –Gartner Group
• 78% of attacks are at the web application level –Symantec
• XSS and SQLI replacing buffer overflows as the favourite hacker initiative –Mitre
• Every 8-9/10 sites vulnerable to XSS –WASC
Bipin Upadhyay http://projectbee.org
How serious is the matter!...
Bipin Upadhyay http://projectbee.org
How serious is the matter!...
Bipin Upadhyay http://projectbee.org
What’s @ Stake
• Money
• Data
• Reputation
• Faith/Trust
• and…
Bipin Upadhyay http://projectbee.org
What’s @ Stake…
• …
Bipin Upadhyay http://projectbee.org
It’s a Mythical World out there…
• Myths often prevail rationality.
• Myths often are the cause of devastation.
Bipin Upadhyay http://projectbee.org
Myth Buster
• Myth:– My developers have implemented security
• Reality:– Security ain’t no feature dude! It’s a metrics.
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– Security is a non-functional requirement
• Reality:– By definition, Yes!
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– We use blah-blah framework. We’re safe
• Reality:– Frameworks are encouraged. Human brain isn’t.
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– Java is secure by design
• Reality:– May be! But web isn’t… nor is human brain.
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– SSL is secure from sniffing
• Reality:– Far from it. It’s difficult for sure, though
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– Procedures means no SQL Injection
• Reality:– Not always.
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– I use firewall. I am safe.
• Reality:– So what? Your browser ports are open.
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– I use latest antivirus and my system is patched.
• Reality:– Big Deal!!!
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– I browse net from inside a LAN.
• Reality:– Urghhh! Browser dude, browser!
Bipin Upadhyay http://projectbee.org
Myth Buster…
• Myth:– Human stupidity is infinite
• Reality:– There you go! ☺
Bipin Upadhyay http://projectbee.org
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Bipin Upadhyay http://projectbee.org
Injection Attacks
• A form of attack where the user input manipulates the underlying platform in an undesired way.
• Several variants:-– SQL Injection
– Command Injection
– LDAP Injection
– XPATH Injection
– XML Injection
– JSON Injection
Bipin Upadhyay http://projectbee.org
SQL Injections
Bipin Upadhyay http://projectbee.org
XSS
• OWASP Top - 10 2007 #1
• Any type of user input that is reflected back to the user without being purified.
• Input can be HTML, CSS, or Javascript
• Two kinds --Persistent & Non-Persistent XSS
Bipin Upadhyay http://projectbee.org
XSS…
• XSS attacks include, but not limited to:– Cookie Theft & Session Hijacking
– Site Defacement & Phishing
– Key logging
– History Theft
– Port Scanning
– CSRF & Web Worms
– DoS-ing
– … limited only by imagination
Bipin Upadhyay http://projectbee.org
CSRF
• Also called Unauthorized Requests.
• The server is punished/exploited for trusting the user.
• CSRF is, arguably, more dangerous than XSS.
• Doesn’t necessarily require javascript.
• OWASP Top - 10 2007 #5, (also called the Sleeping Giant)
Bipin Upadhyay http://projectbee.org
Cookie Poisoning
• Cookies sometimes store confidential data
• This information can be manipulated for fun and profit.e.g., price of a product on an ecommerce site
Bipin Upadhyay http://projectbee.org
HTTP Response Splitting
• Attacker splits Http Response into two.
• Watch out for redirection scripts using user input in response headers
• CR-LF (0x0d & 0x0a) is the key to response splitting
• Web/browser cache poisoning, XSS etc. attacks possible
Bipin Upadhyay http://projectbee.org
Google Hacking
• Search engines index all permissibledocuments inside the web tree
• These data can be recovered using special queries:– site:<sitename>
– inurl:<string>
– intitle:<string>
– filetype:<string>
Bipin Upadhyay http://projectbee.org
Scary Cracks
• Credit Cards & Google
• Google.com UTF-7 XSS Vulnerability
• Yamanner
• “Samy is my Hero” OR Samy Worm
• Bank Of India Hack
• GMail CSRF Vulnerability
Bipin Upadhyay http://projectbee.org
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Bipin Upadhyay http://projectbee.org
The Arsenal
• A Web browser
• Textbox/Textarea
• Iframe
• TamperData/TamperIE
• WebScarab
• Fuzzer (Crowbar)
Bipin Upadhyay http://projectbee.org
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Bipin Upadhyay http://projectbee.org
Google Hacking
• Search engines index anything and everything
• Demo
Bipin Upadhyay http://projectbee.org
Exploiting Mistakes
• Client side validation isn’t enough
• Demo
• “Clues in Codes/Comments”
• Demo
• Insecure implementation of “Forgot Password” feature
• Demo
Bipin Upadhyay http://projectbee.org
Exploiting Mistakes…
• Too verbose error messages
• Demo
• Cookie Isn’t for sensitive data
• Demo
• Brute forcing Session id
• Demo
Bipin Upadhyay http://projectbee.org
Exploiting Zero Days
• URI Vulnerabilities
• Demo
Bipin Upadhyay http://projectbee.org
Injection Attacks
• SQL Injections
• Demo
• Command Injection
• Demo
• XPATH Injection
• Demo
Bipin Upadhyay http://projectbee.org
XSS Family
• XSS (Cross Site Scripting)
• Demo
• XSS and encoding mistakes
• Demo
• CSRF, the sleeping Giant
• Demo
Bipin Upadhyay http://projectbee.org
Http Response Splitting
• Why user is evil?
• Demo
Bipin Upadhyay http://projectbee.org
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Bipin Upadhyay http://projectbee.org
SDLC
• Integrate security into SDLC
DesignDesign
CodingCoding
TestingTesting
DeploymentDeployment
Bipin Upadhyay http://projectbee.org
Design Phase
• Stick to standards
• Encourage usage of well-proven frameworks
• Prefer Whitelisting over Blacklisting
• Prefer Onion Model over Garlic Model
Bipin Upadhyay http://projectbee.org
Coding Phase
• Do NOT trust the user.
• Do NOT rely on Client side validation.
• Prefer HttpOnly Cookie to avoid cookie theft
• Use nonces to prevent CSRF
• Don’t just hash passwords, salt them too
• Avoid too verbose/meaningful error messages
Bipin Upadhyay http://projectbee.org
Coding Phase…
• Proper encoding can avoid most problems
• Input Encoding– prefer UTF-8 and ISO-8859-1
– refer http://ha.ckers.org/charsets.html
• Output Encoding– avoid rich html input from user
– decimal encode input before displaying
– refer OWASP_Encoding_Project
Bipin Upadhyay http://projectbee.org
Coding Phase…
• Sanitize anything that comes from the user.
Bipin Upadhyay http://projectbee.org
Coding Phase…
• Filter Metacharacters:• < %3c > %3e• | %7c ‘ %60• & %26 ( %28• %od %0a ..• / %2f \ %5c
• RegEx are your friend
• Use Stored Procedures
• Prefer usage of bind variables in SQL statement
Bipin Upadhyay http://projectbee.org
Testing Phase
• Code Auditing:– OWASP – LAPSE plugin (Java)
– SPI Dynamics’ DevInspect (Java & .NET), etc.
• Web Application Scanners– w3af
– Watchfire AppScan
– SPI Dynamics’ WebInspect, etc.
• No substitute for an experienced human eye
Bipin Upadhyay http://projectbee.org
Deployment Phase
• Keep out of the Web Tree; use robots.txt
• Set minimal permissions
• Keep the system patched & patched
• Use Web Application Firewall– urlScan
– ModSecurity
– SecureIIS, etc.…but, most importantly
Bipin Upadhyay http://projectbee.org
Education
Educate your developers.
Bipin Upadhyay http://projectbee.org
Final Words
• www was designed for information exchange
• Today, too much is at stake
• Ignorance, no longer a bliss
• Take responsibility and…
Bipin Upadhyay http://projectbee.org
Final Words…
…be prepared.
“Do you know what HTML 5.0 and XHTML2.0 has in store for us? You don't even want to know…”
–Ronald van den Heetkamp
Bipin Upadhyay http://projectbee.org
…and Finally,
String.fromCharCode(84,104,97,110,107,32,89,111,117,33)
i.e., Thank You! ☺
Bipin Upadhyay http://projectbee.org
Acknowledgements
• Lalit Patel (http://lalit.org) & Lucky (http://reboot.in)• http://flickr.com• http://flickr.com/photos/jeanetteb1/1400824517• http://flickr.com/photos/jbhalper/334521840• http://flickr.com/photos/hondawang/566041603• http://flickr.com/photos/14018070@N08/1438910620• http://flickr.com/photos/44368636@N00/76684587• http://www.cyberpunkreview.com/images/matrixreloaded63.jpg• www.flickr.com/photos/johnengler/211482969• http://www.flickr.com/photos/lamkevin/458083458• http://www.flickr.com/photos/beavis/459281241• http://flickr.com/photos/briansolis/326278887• http://www.flickr.com/photos/focus2capture/297232107• http://flickr.com/photos/complexify/97303317• http://flickr.com/photos/amyking/142161588• http://xkcd.com/327/
Bipin Upadhyay http://projectbee.org
References
• http://search.yahoo.com (To be safer)• http://0x000000.com• http://ha.ckers.org• http://sla.ckers.org• http://gnucitizen.com• XSS Attacks (Syngress Publications)• PenTesting for Web Applications (Wrox)• Hacking Exposed (Tata McGraw Hill)• 19 Deadly Sins of Sotware Security (Tata McGraw Hill)• OWASP & WASC• David Kierznowski, Amit Klien, Jeremiah Grossman, Gareth Hayes,
Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor,….
……………………………. a lot many
Bipin Upadhyay http://projectbee.org
Got Questions???
Shoot them