Web Application Brute Forcing 101 – “Enemy of the State (Mechanism)” David Endler Michael...
-
Upload
henry-hanny -
Category
Documents
-
view
216 -
download
1
Transcript of Web Application Brute Forcing 101 – “Enemy of the State (Mechanism)” David Endler Michael...
Web Application Brute Web Application Brute Forcing 101 – “Enemy of Forcing 101 – “Enemy of the State (Mechanism)”the State (Mechanism)”
David EndlerMichael Sutton
iiDEFENSDEFENSEEThe Power of Intelligence
®
SM
• Copyright © 2002 iDEFENSE Inc.
OutlineOutline What are Session IDs? Security Problems with Session IDs An Emerging Threat - Brute Forcing Web
Session ID’s Notable News Items Fun Exploitation Examples 6 Common Problems General Protection Measures
Users Vendors Developers
Resources
• Copyright © 2002 iDEFENSE Inc.
Web Applications LoginsWeb Applications Logins
• Copyright © 2002 iDEFENSE Inc.
Traditional Brute ForceTraditional Brute Forceguest
Admin
123123
Password
Etc.
• Copyright © 2002 iDEFENSE Inc.
Session ID OverviewSession ID Overview HTTP is stateless protocolHTTP is stateless protocol Rather than make a user Rather than make a user authenticate upon each click in a authenticate upon each click in a web application, a sense of “state” web application, a sense of “state” is createdis created
In order to maintain state, a shared In order to maintain state, a shared string, token, or secret between string, token, or secret between HTTP client and server is usually HTTP client and server is usually used by developersused by developers
Essentially, authentication data Essentially, authentication data (username/password) exchanged (username/password) exchanged for “Session ID”for “Session ID”
• Copyright © 2002 iDEFENSE Inc.
Web State AttacksWeb State Attacks Session ReplaySession Replay
A traditional replay attack in the cryptography sense is an attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it.
Session HijackingSession Hijacking Seizing control of a legitimate user's web
application session while that user is “logged in” to the application
• Copyright © 2002 iDEFENSE Inc.
Session IDSession ID Session ID should IN THEORY be Session ID should IN THEORY be just as secure as just as secure as username/passwordusername/password
• Copyright © 2002 iDEFENSE Inc.
Session ID OverviewSession ID Overview While it is generally clear that While it is generally clear that username/password pairs are username/password pairs are indeed authentication data and indeed authentication data and therefore sensitive, it is not therefore sensitive, it is not generally understood that session generally understood that session IDs are also just as sensitive IDs are also just as sensitive because of their frequent use for because of their frequent use for authentication. authentication. See See RFC 2964 RFC 2964 ((Use Use of HTTP State Management).of HTTP State Management).
• Copyright © 2002 iDEFENSE Inc.
Session ID OverviewSession ID Overview Session IDs are commonly stored in Session IDs are commonly stored in cookies and/or URLs, and hidden cookies and/or URLs, and hidden fields of web pages (or some fields of web pages (or some combination)combination)
Session ID generated by WEB Session ID generated by WEB SERVER (IIS, etc.) when the user SERVER (IIS, etc.) when the user first hits the site or by WEB first hits the site or by WEB APPLICATION (ATG dynamo, Apache APPLICATION (ATG dynamo, Apache Tomcat, BEA Websphere, .jsp, .asp, Tomcat, BEA Websphere, .jsp, .asp, perl, etc.) when the user logs inperl, etc.) when the user logs in
• Copyright © 2002 iDEFENSE Inc.
Cookie RefresherCookie Refresher Sometimes the cookies are set to expire Sometimes the cookies are set to expire
(i.e., be deleted) upon closing the browser; (i.e., be deleted) upon closing the browser; these are typically called “session these are typically called “session cookies” or “non-persistent” cookies cookies” or “non-persistent” cookies
Persistent cookies last beyond a user’s Persistent cookies last beyond a user’s session (i.e. “Remember Me” option) session (i.e. “Remember Me” option)
Persistent cookies are usually stored on Persistent cookies are usually stored on the user’s hard drive in a location the user’s hard drive in a location according to the particular operating according to the particular operating system and browser (e.g. , C:\Program system and browser (e.g. , C:\Program files\netscape \users\files\netscape \users\usernameusername\cookies.txt \cookies.txt for Netscape and C:\Documents and for Netscape and C:\Documents and Settings \Settings \usernameusername\Cookies for IE on \Cookies for IE on Win2K).Win2K).
• Copyright © 2002 iDEFENSE Inc.
Cookie RefresherCookie Refresher Cookie Refresher Cookie Refresher ((RFC 2965RFC 2965))
1.) domain: The website domain that created and that can read the variable. 1.) domain: The website domain that created and that can read the variable. 2.) flag: A TRUE/FALSE value indicating whether all machines within a given 2.) flag: A TRUE/FALSE value indicating whether all machines within a given
domain can access the variable.domain can access the variable.3.) path: Pathname of the URL(s) capable of accessing the cookie from the 3.) path: Pathname of the URL(s) capable of accessing the cookie from the
domain.domain.4.) secure: A TRUE/FALSE value indicating if an SSL connection with the domain is 4.) secure: A TRUE/FALSE value indicating if an SSL connection with the domain is
needed to access the variable. needed to access the variable. 5.) expiration: The Unix time that the variable will expire on. Unix time is defined 5.) expiration: The Unix time that the variable will expire on. Unix time is defined
as the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the as the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the expiration date signals to the browser to store the cookie only in memory; it will expiration date signals to the browser to store the cookie only in memory; it will be erased when the browser is closed. (expires July 27, 2006)be erased when the browser is closed. (expires July 27, 2006)
6.) name: The name of the Session ID variable (in this case Apache). 6.) name: The name of the Session ID variable (in this case Apache).
7.) value: The value of the Session ID variable (in this case 7.) value: The value of the Session ID variable (in this case 64.3.40.151.16018996349247480 ) . 64.3.40.151.16018996349247480 ) .
www.redhat.com FALSEFALSE // FALSEFALSE 11540294901154029490 ApacheApache 64.3.40.151.1601899634924748064.3.40.151.16018996349247480
1 22 33 44 55 66 77
• Copyright © 2002 iDEFENSE Inc.
Cookie Stored Session ID Cookie Stored Session ID ExamplesExamples
.www.ibm.com TRUETRUE /rc/rc FALSEFALSE 12937681001293768100 sauidpsauidp p0010000000006DCC10255298230p0010000000006DCC10255298230000591992.003F75FEF2000591992.003F75FEF2
.yahoo.com TRUETRUE // FALSEFALSE 12713616121271361612 BB 3qpaarsu48dai&b=23qpaarsu48dai&b=2
.amazon.com FALSEFALSE // FALSEFALSE 10261152991026115299 session-session-idid
103-1456769-7895034103-1456769-7895034
.ebay.com TRUETRUE // FALSEFALSE 11832968241183296824 lucky8lucky8 694036694036
.starwars.com TRUETRUE // FALSEFALSE 13417537781341753778 Wookie-Wookie-CookieCookie
13fe8fff4799f27dcf19c959dafa84313fe8fff4799f27dcf19c959dafa84377
.yahoo.com TRUETRUE // FALSEFALSE 11540294901154029490 II ir=9p&in=4aweec66&i1=AFABClir=9p&in=4aweec66&i1=AFABCl
.yahoo.com TRUETRUE // FALSEFALSE 11540294901154029490 PUPU t=1t=1
• Copyright © 2002 iDEFENSE Inc.
URL Stored Session IDURL Stored Session ID http://www.123greetings.com/view/http://www.123greetings.com/view/
7AD30725122120803 7AD30725122120803 http://evite.citysearch.com/r?http://evite.citysearch.com/r?
iid=KVIJBUFDLPVMIVLXYUKBiid=KVIJBUFDLPVMIVLXYUKB http://view.greetings.yahoo.com/greet/http://view.greetings.yahoo.com/greet/
view?FXA96K95JAEJSview?FXA96K95JAEJS http://www.atg.com/en/http://www.atg.com/en/
index.jhtml;jsessionid=HYMJK3PJUSJ4CCQindex.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122CQBJCGWQKAKAFUIV0?_requestid=21122
http://www.amazon.com/exec/obidos/http://www.amazon.com/exec/obidos/subst/home/home.html/102-4524380-subst/home/home.html/102-4524380-39233443923344
• Copyright © 2002 iDEFENSE Inc.
Session IDs in HTML Session IDs in HTML Hidden FieldsHidden Fields<FORM METHOD=POST ACTION="/cgi-bin/bankonline.cgi">
<input type="hidden" name="sessionID" value=”abcde1234”>
<input type="hidden" name="useraccount" value=”673-12745”>
<input type="submit" name="Access My Bank Information"></form>
• Copyright © 2002 iDEFENSE Inc.
Session ID Session ID SecuritySecurity Overview Overview
Session ID security is a microcosm of Web Application Security.
Web Application Security cuts through many different aspects of an organization’s information security infrastructure
• Copyright © 2002 iDEFENSE Inc.
An Example: Brute Forcing Session ID’s An Example: Brute Forcing Session ID’s in URLSin URLS
Dear David Endler, An Anonymous Admirer has sent you a greeting card from 123Greetings.com, a FREE service committed to keep people in touch. To see your greeting card, choose from any of the following options which works best for you. --------Method 1-------- Just click on the following Internet address (if that doesn't work for you, copy & paste the address onto your browser's address box.)
http://www30.123greetings.com/card/08/01/05/20/BG20801052002282.html
• Copyright © 2002 iDEFENSE Inc.
An Example: Brute Forcing Session ID’s An Example: Brute Forcing Session ID’s in URLSin URLS
http://www.123greetings.com/view/AD30725122116211http://www.123greetings.com/view/AD30725122118909http://www.123greetings.com/view/AD30725122120803http://www.123greetings.com/view/AD30725122122507http://www.123greetings.com/view/AD30725122124100
As we start to associate that the date we sent these electronic cards on was July 25 at 12:21 PST, we can start to eliminate some more entropy out of this session ID (07251221). Notice then that we’re left with five incrementing “random” digits at the end of the URL. http://www.123greetings.com/view/AD30725122116211http://www.123greetings.com/view/AD30725122118909http://www.123greetings.com/view/AD30725122120803http://www.123greetings.com/view/AD30725122122507http://www.123greetings.com/view/AD30725122124100
• Copyright © 2002 iDEFENSE Inc.
An Example: Brute Forcing Session ID’s An Example: Brute Forcing Session ID’s in URLS AUTOMATED DEMO!in URLS AUTOMATED DEMO!
• Copyright © 2002 iDEFENSE Inc.
Why Brute Forcing Web Why Brute Forcing Web Session ID’s is BadSession ID’s is Bad Can result in an online user’s web application
account being hijacked or loss of privacy Easy to exploit Unlike typical login scenario, no failed login
lockout Prevalent disclosure among security mailing
lists Typical security solutions (firewalls, IDS, etc.)
do nothing to detect attacks Log data is usually not that detailed IDS is not well developed for Web Application
attacks SSL (Server side) does nothing to protect
against these attacks
• Copyright © 2002 iDEFENSE Inc.
In the NewsIn the News “Privacy hole found in Verizon
Wireless Web site “ Computerworld, Sept 6, 2001.http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.htmlhttp://online.securityfocus.com/archive/1/211520
https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION
• Copyright © 2002 iDEFENSE Inc.
URL Example: Brute Forcing URL Example: Brute Forcing Register.comRegister.com
Thank you for using register.com's Domain Manager. To change or re-enter your password, please copy and paste the URL below into the "Location" or "Address" field of your web browser and hit the 'Enter' key on your keyboard. Note: If your e-mail program supports HTML, you may be able to click on the link below. http://mydomain.register.com/change_password.cgi?155218782787 Note: Above link will be expire within three days
• Copyright © 2002 iDEFENSE Inc.
Example 2: Brute Forcing Web Example 2: Brute Forcing Web Session ID’sSession ID’s
http://mydomain.register.com/change_password.cgi?486218782865http://mydomain.register.com/change_password.cgi?440218782891 http://mydomain.register.com/change_password.cgi?685218782917 http://mydomain.register.com/change_password.cgi?505218782956 http://mydomain.register.com/change_password.cgi?435218782969
http://mydomain.register.com/change_password.cgi?486218782865 http://mydomain.register.com/change_password.cgi?440218782891http://mydomain.register.com/change_password.cgi?685218782917http://mydomain.register.com/change_password.cgi?505218782956http://mydomain.register.com/change_password.cgi?435218782969
• Copyright © 2002 iDEFENSE Inc.
URL Example – Brute Forcing URL Example – Brute Forcing Dfilm.comDfilm.com
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, July 01, 2002 1:38 PM
Subject: D.FILM Digital Movie for Dave
Dave created a digital movie for you!
You can view it at the following URL:
http://mm.dfilm.com/mm2s/mm_route.php?id=110532
Cheers,
Dave and DFILM.
Be sure to check out the web site at http://www.dfilm.com
• Copyright © 2002 iDEFENSE Inc.
URL Example – Brute Forcing URL Example – Brute Forcing Dfilm.comDfilm.com
No privacy of other user’s creations:
http://mm.dfilm.com/mm2s/mm_route.php?id=110532
http://mm.dfilm.com/mm2s/mm_route.php?id=110531
http://mm.dfilm.com/mm2s/mm_route.php?id=110530
http://mm.dfilm.com/mm2s/mm_route.php?id=110529
http://mm.dfilm.com/mm2s/mm_route.php?id=110528
http://mm.dfilm.com/mm2s/mm_route.php?id=110527
http://mm.dfilm.com/mm2s/mm_route.php?id=110526
http://mm.dfilm.com/mm2s/mm_route.php?id=…
• Copyright © 2002 iDEFENSE Inc.
URL Example – Sendomatic.comURL Example – Sendomatic.com
http://www.sendomatic.com/servlets/http://www.sendomatic.com/servlets/servlets/mysendo?uId=servlets/mysendo?uId=7633076330
• Copyright © 2002 iDEFENSE Inc.
URL Example – Sendomatic.comURL Example – Sendomatic.com
View other people’s events. Crash a party, edit an event, cancel and event, etc.
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330http://www.sendomatic.com/servlets/servlets/mysendo?uId=76331http://www.sendomatic.com/servlets/servlets/mysendo?uId=76332http://www.sendomatic.com/servlets/servlets/mysendo?uId=76333http://www.sendomatic.com/servlets/servlets/mysendo?uId=76334http://www.sendomatic.com/servlets/servlets/mysendo?uId=76335http://www.sendomatic.com/servlets/servlets/mysendo?uId=76336http://www.sendomatic.com/servlets/servlets/mysendo?uId=…
• Copyright © 2002 iDEFENSE Inc.
Cookie Example – Freeservers.comCookie Example – Freeservers.com
• Copyright © 2002 iDEFENSE Inc.
Cookie Example – Freeservers.comCookie Example – Freeservers.com
LOGIN=dGVzdGluZzEyMy5pdGdvLLOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;mNvbToxMjMxMjM0;
Base 64 decode the string: Base 64 decode the string: http://www.securitystats.com/tools/base64.asp
testing123.itgo.com:1231234 testing123.itgo.com:1231234
username:passwordusername:password
Next, automate it with a perl exploit by Next, automate it with a perl exploit by feeding encoded strings in to the feeding encoded strings in to the cookiecookie
• Copyright © 2002 iDEFENSE Inc.
Cookie Example – Freeservers.comCookie Example – Freeservers.com
%perl freeservershack.pltrying testtrying test123trying 123123trying 1231234 Cracked it! The password to testing123.itgo.com is 1231234
GET http://testing123.itgo.com/cgi-bin/util/my_member_area
User-Agent: Mozilla/4.75 [en] (Windows NT 5.0; U)Cookie: LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3DCookie2: $Version=1 %%
• Copyright © 2002 iDEFENSE Inc.
Cookie Example – Freeservers.comCookie Example – Freeservers.com
Or a much longer way: use the Or a much longer way: use the brute forcer on every single brute forcer on every single cookie character combinationcookie character combination
• Copyright © 2002 iDEFENSE Inc.
Cookie/URL Example – Amazon.comCookie/URL Example – Amazon.com
Some sites use the URL AND Some sites use the URL AND Cookie for authentication:Cookie for authentication:
• Copyright © 2002 iDEFENSE Inc.
6 Common Problems6 Common Problems
Weak AlgorithmWeak Algorithm – Many of the most popular web – Many of the most popular web sites today are currently using linear algorithms sites today are currently using linear algorithms based on easily predictable variables such as time based on easily predictable variables such as time or IP address. or IP address.
No Form of Account LockoutNo Form of Account Lockout – With regard to – With regard to Session ID brute force attacks, an attacker can Session ID brute force attacks, an attacker can probably try hundreds or thousands of Session IDs probably try hundreds or thousands of Session IDs embedded in a legitimate URL without a single embedded in a legitimate URL without a single complaint from the web server. complaint from the web server.
Short Key SpaceShort Key Space – Even the most – Even the most cryptographically strong algorithm still allows an cryptographically strong algorithm still allows an active Session ID to be easily determined if the size active Session ID to be easily determined if the size of the string’s key space is not sufficiently large.of the string’s key space is not sufficiently large.
• Copyright © 2002 iDEFENSE Inc.
6 Common Problems – Continued6 Common Problems – Continued
Indefinite Expiration on Server– – Session IDs that do not expire on the web server can allow an attacker unlimited time to guess a valid Session ID.
Transmitted in the Clear – Assuming SSL is not being used while the Session ID cookie is transmitted to and from the browser, the Session ID could be sniffed across a flat network taking the guess-work away for a miscreant. This is still a problem with proxy servers.
Insecure Retrieval – By tricking the user’s browser into visiting another site, an attacker can retrieve stored Session ID information and quickly exploit this information before the user’s sessions expire. This can be done a number of ways: DNS poisoning, Cross-site Scripting, etc.
• Copyright © 2002 iDEFENSE Inc.
ToolsTools
Sessions Auditorwww.idefense.com/idtools/Session_Auditor.zip
Visual Testing – WebSleuthwww.geocities.com/dzzie/sleuth
WebProxy -www.atstake.com/research/tools/index.html
HTTPush - httpush.sourceforge.net
Achilles - www.digizen-security.com/downloads.html
MiniBrowser - aignes.com/download.htm
• Copyright © 2002 iDEFENSE Inc.
What Can I Do As a User?What Can I Do As a User?
Logout of all sessions when done
Do not select the “Remember me” Option
Protect your cookies! Desktop Security
Ensure you use SSL – when given choice of standard / secure login
Patch your browser to be safe from some nasty Cross-site Scripting attacks
Treat emails with Session ID info in URL’s just as securely as username/passwords
• Copyright © 2002 iDEFENSE Inc.
What can I do as a Software What can I do as a Software Vendor?Vendor? Build and require SSL (or other
encryption) into the web application so that the authentication token can not be easily sniffed in transit between browser and server;
Ensure that all cookies enable the "secure" field
Provide a logout function that expires all cookies and other authentication tokens
Re-authenticate the user before critical actions are performed (i.e. a purchase, money transfer, etc.)
• Copyright © 2002 iDEFENSE Inc.
What can I do as a Software What can I do as a Software Vendor?Vendor? Regenerate the Session ID after
certain intervals (30, 15 min. ,etc.) Create “booby-trapped” Session IDs
to detect brute forcing attempts When practical, limit successful
sessions to specific IP addresses. Only works in intranet setting where ranges are predictable and finite.
Auto-expire sessions after 15 minutes of inactivity
Enforce a “nonce” on previous pages
• Copyright © 2002 iDEFENSE Inc.
What can I do as a Software What can I do as a Software Vendor? – Vendor? – AND MOST IMPORTANT!!
Ensure through a good algorithm (MD5, SHA-1, etc.) that a cryptographically strong enough session ID with a large key space is transmitted to the user over an SSL/TLS connection.
DO NOT derive the algorithm inputs from guessable personal or login information (name, birthday, user id, etc.)
• Copyright © 2002 iDEFENSE Inc.
What can I do as a What can I do as a Developer/Administrator?Developer/Administrator? Many application servers out of Many application servers out of the box have low session ID the box have low session ID strengthstrengthUsually an easy config file edit
Use third party “Session Proxy”Use third party “Session Proxy” TEST TEST TEST TEST!!TEST TEST TEST TEST!!
• Copyright © 2002 iDEFENSE Inc.
ResourcesResources Open Web Application Security Project
(OWASP) (OWASP) http://www.owasp.orghttp://www.owasp.org OWASP is an open source community project staffed
entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services.
The OWASP Guide to Building Secure Web Applications and Web Serviceshttp://www.owasp.org/guide/http://www.owasp.org/guide/OWASPBuildingSecureWebApplicationsAndWebServices-OWASPBuildingSecureWebApplicationsAndWebServices-V1.0.pdfV1.0.pdf
The OWASP Security Testing Frameworkhttp://www.owasp.org/testinghttp://www.owasp.org/testing
• Copyright © 2002 iDEFENSE Inc.
ConclusionConclusionUsers: AwarenessUsers: Awareness
Developers/Administrators: Developers/Administrators: Configuration and TestingConfiguration and Testing
Software Vendors: !@#$!Software Vendors: !@#$!
• Copyright © 2002 iDEFENSE Inc.
ResourcesResources iDEFENSE paper on Brute Forcing Session
ID’s, http://www.idefense.com -> whitepapers
CGI SECURITY, http://www.cgisecurity.net WhiteHat Security,
http://community.whitehatsec.com Web Application Security Mailing List,
http://online.securityfocus.com/archive/107 MIT Cookie EATERS
http://pdos.lcs.mit.edu/cookies/pubs.html“Dos and Don'ts of Client Authentication on the Web”
• Copyright © 2002 iDEFENSE Inc.
QuestionsQuestions
[email protected]@idefense.com
http://www.idefense.com