Taking Aim at Web Applications. Dennis Groves, Bill Pennington. Copyright © 2002 Dennis Groves, Bill Pennington & Jeremiah Grossman.

2 Introduction: Bill Pennington, Principal Consultant, Guardent. Has tested over 300 web applications over the past 3 years.

3 Dennis Groves. Specialty: Enterprise Security, Web Application Security, Pen-Testing & Quality Assurance. Bio: Dennis is currently the Director of Internet Security Consulting for Centerstance, Inc. For the last 3 years his primary focus has been on Web Application Security. He is a founding member of the Open Web Application Project and a former Sanctum employee; he played a key role in the development of AppScan.

4 Why is this important?

5 Topics: This is not new; Why your firewall doesn't matter; Types of attacks; Filter, Filter, Filter; Do you know where your data is?; Tools to help you.

6 This is Not New: Problems with web applications are the same problems as with standalone applications.

7 Why your Firewall doesn't matter: Standard rant.

8 Top 5 Vulnerabilities: SQL insertion; XSS; Session Hijacking; Parameter manipulation; Unbounded file calls.

9 Cross site scripting, why you should care: XSS is not an attack on the server, it is an attack on the users of your application. So what? Identity theft; User masquerading; Reputation risk.

10 SQL Insertion: Most common on MS based applications. All SQL apps are vulnerable (Oracle, Sybase, DB2…). Can lead to full compromise of the server (xp_cmdshell). Almost guaranteed to lead to data compromise. Demo…

11 Cross Site Scripting (XSS): Found in 98% of applications I test. 2 main types: Transient (URL based), e.g. a <SCRIPT>alert("Test");</SCRIPT> payload carried in http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>; Sticky – script placed in a static bit of web content.

12 XSS continued…: Transient generally requires user interaction. What can happen? Possibilities are only restricted by the client. Cookie theft is the most common example. But I filter… JScript entities: &{alert('Test')};

13 Session Hijacking: HTTP is stateless, so application designers must build a way to track state. Cookies and URL strings are the most common ways to track state. Both are easily exploitable.

14 Session Hijacking continued…: Generally the next thing to occur after XSS. Please, people, logout means logout! Examples of common session tracking issues.

15 Parameter Tampering: Programmers will store data anywhere! URL parameters; Cookies – Cookie: p=$1.00; Hidden fields – not really hidden.

16 Unbound File Calls: Ye Olde ../../ Watch out that you don't display important information (global.asa). Most application languages will take URLs as file arguments.

17 Do you know where your data is? Building an exclusionary filter is difficult because your data is all over the place.

18 Data Flow example

19 Designing a proper filter: Make all filters default deny; Don't try to exclude bad stuff; Try to get a good idea where your data is going; Log all filter violations.

20 Examples: ASP, PHP, JScript, Perl.

Bypassing poorly designed filters. "All warfare is based on deception… If he is in superior strength, evade him." – Sun Tzu, The Art of War, 500 BC

22 Evasion is the art of blending in so you will not be noticed; of course this age-old technique of survival is still useful today. evade: 1. to escape or avoid somebody or something, usually by ingenuity or guile; 2. to avoid doing something unpleasant, especially something that is a moral or legal obligation; 3. to avoid dealing with or responding directly to something; 4. to be difficult or impossible for somebody to find, obtain, or achieve (formal).

23 Filter Bypassing is a technique to evade detection by filtering systems. Filter Bypassing techniques come in many varieties when applied to the many facets of web application security. The general idea of performing the various techniques described is to successfully bypass security measures designed to prevent certain types/amounts/values of data from being passed into a given system. Many of the described techniques can be highly effective when used properly and become even more powerful when used in combination.

24 Most filter systems are very simple, as the flow chart shows. Seven forms of ingenuity: URL Encoded Strings; Double Hex Encoding; Unicode Encoded String; Long URLs; Case Sensitivity; XSS Filter-Bypass Manipulation; Null Character Injection. Evade: 1. to escape or avoid somebody or something, usually by ingenuity or guile…

25 The Hex Advantage: By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS. Can become: %2F%70%61%73%73%77%64

26 Double Hex Encoding: In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability. The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL. An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability. When an un-patched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL. IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding. This secondary decoding was the source of another vulnerability.

27 IIS Double Hex. Round 1 decoding: scripts/..%255c../winnt becomes scripts/..%5c../winnt (%25 = the % character). Round 2 decoding: scripts/..%5c../winnt becomes scripts/..\../winnt. Directory path traversal is now possible using path obfuscation through Double Hex Encoding.

28 The Unicode Slash: In Unicode, %c0%af is the equivalent of a slash (/). Therefore the common IIS URL exploit scripts/..%c0%af../winnt becomes scripts/../../winnt. Once again, directory path traversal is possible using path obfuscation through Unicode.

29 Double Slash: using multiple directory slashes in URLs. For example: Can be used to move under the radar of IDS systems and still function properly.

30 Long URLs: Many systems put limits on how much data a variable can store or a system can handle. Often, if these limits are exceeded, the data will still be used but will bypass certain security considerations. URLs such as: Replaced with:

31 Case Sensitivity: Case sensitivity may play a role in many security filtration systems. Alternating case on URL parameters may be used to bypass certain restrictions.

32 Method Switching: Many web applications do not properly perform HTTP Request Method sanity checking. Method Switching can be used to bypass IDS, logging features and CGI security mechanisms. Most web servers do not log "POST" data, and thus forensic analysis is harder to perform. The Request Method GET /cgi-bin/some.cgi can become POST /cgi-bin/some.cgi.

33 The Method token indicates the method to be performed on the resource identified by the Request-URI. HTTP 1.1 methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT.

34 Using your HEAD: The HEAD request method can be used to determine whether a particular HTTP resource is accessible without actually downloading the resource data. Scans and web application attacks can be made more effective using this technique.

35 Null Character Injection: Hex encoded null characters can be used to thwart some security mechanisms. This happens because in the C programming language a null character designates the end of a string. So if a CGI appends .html to an input parameter, an injected null will cut off the appended .html.

36 Unicode (UTF-8) Encoded: Unicode is a universal way to represent characters. However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion. Microsoft IIS has had security issues in the past while supporting Unicode.

37 URL Encoded String: The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the allowed characters in URLs to only a limited subset of the US-ASCII character set: "...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."
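The decoding slides above (double hex, the Unicode slash, long URLs, null characters, URL encoding) all defeat filters that inspect data before it has been fully canonicalized. The Python below is an added example, not code from the presentation: it contrasts the decode-check-decode order the IIS slide describes with a default-deny filter that decodes until the value stops changing, rejects overlong UTF-8 and NUL, allow-lists each path segment, and logs every rejection as slide 19 recommends. MAX_URL_LEN, the decode-round bound and the allowed character set are assumed values.

```python
import logging
import re
from urllib.parse import unquote_to_bytes

log = logging.getLogger("pathfilter")
MAX_URL_LEN = 2048       # assumed limit; long input is refused before any decoding
MAX_DECODE_ROUNDS = 3    # assumed bound for the "decode until nothing changes" loop
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_.-]+$")   # allow-list, not a list of bad things


def escapes_root(path: str) -> bool:
    """True if resolving '.' and '..' segments climbs above the starting directory."""
    depth = 0
    for seg in re.split(r"[/\\]", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def decode_check_decode(raw: str):
    """The flawed order from the slides: decode once, check, decode again before use.
    Returns (accepted, path_actually_used)."""
    once = unquote_to_bytes(raw).decode("latin-1")
    if escapes_root(once):
        return False, once
    twice = unquote_to_bytes(once).decode("latin-1")   # the round the check never saw
    return True, twice


def validate_path(raw: str):
    """Default-deny filter: canonicalize completely, then allow-list every segment.
    Returns (True, canonical_path) or (False, reason); every rejection is logged."""
    def reject(reason: str):
        log.warning("rejected %r: %s", raw, reason)
        return False, reason
    if len(raw) > MAX_URL_LEN:
        return reject("too long")
    data = raw.encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):            # undo every layer of %xx encoding
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    else:
        return reject("too many encoding layers")
    try:
        path = data.decode("utf-8")               # strict: overlong %c0%af is an error
    except UnicodeDecodeError:
        return reject("not valid UTF-8 (overlong or invalid sequence)")
    if "\x00" in path:
        return reject("embedded NUL")
    segments = path.split("/")
    if segments[0] == "":                         # permit one leading slash only
        segments = segments[1:]
    for seg in segments:
        if seg in ("", ".", ".."):
            return reject("empty, '.' or '..' segment")
        if not SAFE_SEGMENT.match(seg):
            return reject("segment %r outside allow-list" % seg)
    return True, "/".join(segments)
```

Running decode_check_decode on the slide's scripts/..%255c../winnt shows the check passing while the path actually used is scripts/..\../winnt; validate_path rejects the same input, the %c0%af variant, an embedded %00 and a double slash.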

38 XSS Filter-Bypass Manipulation: This technique is used to pass various types of client-side scripting language through implemented security filters. The idea is to achieve client-side execution of a client-side script. There are several techniques used to perform this attack.

39 Test the Filters: Submit all the raw HTML tags you can find, and then view the output results. Combine HTML with tag attributes such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers). This will show what HTML is allowed, what the changes were, and possibly dangerous HTML that can be exploited.

40 SRCing the protocol: Using the javascript protocol in an HTML source attribute.

41 Alternate Protocol SRCing: Same technique as the previous; however, using the protocols livescript and mocha will yield the same effect.

42 Decimal HTML Entities: A variation on the previous techniques; using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript. \09 \10 \11 \12 \13 have all been seen to work.

43 Hex HTML Entities: Another variation on the previous example; hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.

44 Padding HTML Entities: Padding HTML entities with 0s may also be used to bypass the filters, yet still execute JavaScript.

45 STYLE JavaScript Type: Changing the MIME type on a style tag may be used to execute JavaScript. JS EXPRESSION alert(document.domain);

46 STYLE JavaScript X-Type: A variation on the previous example, but by using the application/x-javascript MIME type the filters may be bypassed. alert('JavaScript has been Executed');

47 STYLE JavaScript Import: Using the @import feature in CSS may be used to perform the JavaScript protocol: url(javascript:alert('Javascript is executed'));
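For the SRC/HREF and CSS url() bypasses above (the javascript:, livescript: and mocha: protocols; decimal, hex and zero-padded HTML entities; embedded tab and newline characters), the defensive counterpart is to canonicalize the attribute value first and then allow-list the scheme instead of hunting for bad strings. The Python below is an added example, not code from the presentation; the allowed scheme set and the stripped character range are assumptions.

```python
import html
import logging
import re

log = logging.getLogger("urlfilter")
ALLOWED_SCHEMES = {"http", "https"}          # assumed allow-list: anything else is denied
STRIP = re.compile(r"[\x00-\x20\x7f]")       # assumed: controls/space browsers ignore in a scheme
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*$")  # RFC 3986 scheme syntax


def canonicalize_url(value: str) -> str:
    """Undo the encodings the slides list before looking at the scheme:
    HTML character references (decimal, hex, zero-padded, with or without ';')
    and embedded tab/newline/control characters. Used only for the check,
    never as the value written back into the page."""
    return STRIP.sub("", html.unescape(value))


def scheme_of(url: str):
    """Lower-cased scheme of a canonical URL, or None for a relative reference
    (a ':' inside a path or query does not count as a scheme)."""
    head, sep, _ = url.partition(":")
    head = head.lower()
    if sep and SCHEME.match(head):
        return head
    return None


def safe_attribute_url(value: str) -> bool:
    """Default-deny check for SRC, LOWSRC, HREF and CSS url() values."""
    url = canonicalize_url(value)
    scheme = scheme_of(url)
    if scheme is None or scheme in ALLOWED_SCHEMES:
        return True
    log.warning("rejected attribute URL %r (canonical %r)", value, url)
    return False
```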

48 STYLE URL Import: Using the @import feature in CSS can also be used to import JavaScript from another HTTP url(

49 LINK Style Sheet: The LINK tag can be used to import JavaScript from a remote HTTP resource.

50 Style Left Expression: A few CSS features used together to execute JavaScript.

51 Remote SRCing: A few HTML tags, such as LAYER, ILAYER, FRAME, and IFRAME, can be used to src in JavaScript from remote resources.

52 AND CURLY: Syntax must be exact.

53 Dangerous HTML Tags: All HTML is to be considered dangerous, but these tags are the most insidious.

54 Dangerous HTML Attributes (HTML tags with these attributes): SRC, LOWSRC, STYLE, HREF.

55 Why automated tools don't work very well: Every programmer does things a little differently; Authentication schemes are hard to automate; Error codes are not standardized; Sometimes simple things like SSL get in the way. Some good things: Completeness; Large knowledge bases (at least possibly).

56 Why people are better: Recognition of subtle errors; We understand the impact and therefore the risk of a vulnerability; We can find real bugs, flaws in logic.

57 One tool to rule them all…

58 Conclusion

59 Questions