Computer Science and Engineering 1 Web Application Hacker’s Toolkit.


Review: Web Application Characteristics

Functionality
Server-side technologies:
–Scripting languages
–Web application platform
–Web server software
–Databases
–Back-end components
Client-side technologies:
–Browser extension technologies

Application Characteristics
Understand what the application does and how it behaves
–Content
–Functionality
Find out:
–Application behavior
–Core security mechanisms
–Technologies being used

Enumerating Content and Functionality
Manual vs. automated browsing
–Walk through the application
–Follow every link
–Navigate through multistage functions
Web spidering
–Tools follow all links until no new content is found
–Can parse static HTML, multi-stage functionality, form-based navigation, client-side JavaScript

Automated Spidering
E.g., Burp Spider, WebScarab
General limitations:
–Cannot handle dynamically created menus
–Limited depth to find links
–May fail input validation for multistage functionality
–Unique content is identified by URL → not good for form-based navigation
–May fail the authentication session
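To make the spidering slides concrete, here is an added example (not code from the lecture or from any of the tools it names): a minimal breadth-first HTML spider run against a constructed in-memory site. It builds a site map from anchors and form actions, stays within the start host, identifies content by URL only, and therefore misses the admin menu that the home page writes with JavaScript. The site, URLs and page contents are all invented for the demonstration.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample site, not a real target: absolute URL -> HTML body.
# The home page builds its admin menu with JavaScript, so an HTML-only spider never sees it.
SAMPLE_SITE = {
    "http://app.example/": """<html><body>
        <a href="/about">About</a> <a href="/login">Login</a>
        <a href="http://cdn.other.example/lib.js">offsite</a>
        <form action="/search" method="get"><input name="q"></form>
        <script>document.write('<a href="/admin/menu">Admin</a>');</script>
        </body></html>""",
    "http://app.example/about": '<a href="/">Home</a> <a href="/about#team">Team</a>',
    "http://app.example/login": '<form action="/login" method="post"><input name="user"></form>',
    "http://app.example/search": "<p>no results</p>",
    "http://app.example/admin/menu": '<a href="/admin/export">Export</a>',
    "http://app.example/admin/export": "<p>report</p>",
}


class LinkExtractor(HTMLParser):
    """Collect anchor targets and form actions from static HTML.
    HTMLParser hands <script> bodies to handle_data as raw text, so links that
    client-side code would write at runtime are never extracted."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.forms.append((a.get("method", "get").upper(), a["action"]))


def normalize(base, href):
    """Resolve href against the page URL and drop the fragment (same document)."""
    u = urlsplit(urljoin(base, href))
    return urlunsplit((u.scheme, u.netloc, u.path or "/", u.query, ""))


def spider(fetch, start):
    """Breadth-first crawl within the start host. fetch(url) returns HTML or None.
    Returns (site_map, out_of_scope); site_map maps each URL to its links and forms."""
    scope = urlsplit(start).netloc
    queue, site_map, out_of_scope = deque([start]), {}, set()
    while queue:
        url = queue.popleft()
        if url in site_map:
            continue                      # content is identified by URL only
        body = fetch(url)
        if body is None:
            site_map[url] = None          # referenced but not retrievable
            continue
        p = LinkExtractor()
        p.feed(body)
        links = [normalize(url, h) for h in p.links]
        forms = [(m, normalize(url, a)) for m, a in p.forms]
        site_map[url] = {"links": links, "forms": forms}
        for target in links + [a for _, a in forms]:
            if urlsplit(target).netloc == scope:
                queue.append(target)      # form actions are queued, nothing is submitted
            else:
                out_of_scope.add(target)
    return site_map, out_of_scope


if __name__ == "__main__":
    found, external = spider(SAMPLE_SITE.get, "http://app.example/")
    print("in scope:", sorted(found))
    print("out of scope:", sorted(external))
    print("JavaScript-built menu missed:", "http://app.example/admin/menu" not in found)
```

The login form is recorded but not submitted, which is exactly the form-based navigation gap the slide describes; a user-directed spider fed from the proxy history would see the pages reached after a real login.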

User-Directed Spidering
The user walks through the application and uses a spider to collect and analyze the findings
Good for:
–Unusual or complex navigation needs
–User control of input data
–The user can log in to the application and pass authentication
–The user can decide on the requested functions

APPLICATION HACKING

Hacking Steps 1
Configure the browser to use the spider
Browse the application normally
–Visit every link
–Proceed through multi-stage functions
–JavaScript enabled/disabled; cookies enabled/disabled
Review the site map to identify non-visited content
Do an automated spidering

Discovering Hidden Content
Not directly linked to or reachable from the main page
–E.g., testing and debugging content, different functionality for different types of users, backup copies, archives, old versions of files, default application functionality, log files, etc.
Added attack points, sensitive content, etc.
Automated, brute-force attack: Burp Intruder
–Burp Suite Tutorial – The Intruder Tool, the-intruder-tool/

Hacking Steps 2
Make unusual requests and identify the response
Use the site map to identify hidden content
Use brute-force attacks to identify how the application handles requests
Manually review responses
Inference from published content (e.g., naming)
–Compile a list of names of subdirectories
–Identify naming schemes, file extensions
–Review all client-side code
–Look at temporary files

Use Public Information
Find old resources
Search engines:
–Advanced search: resource, login, links, related
–Google domains
–Omitted results
–Cached versions
–Other domains of the same organization
Web archives, e.g., the WayBack Machine

Web Server Vulnerabilities
Web server software vulnerability
–Default content
–Sample and diagnostic scripts
–Standard functionality
Wikto: a tool that checks for flaws in web servers
Nikto: checks for potentially dangerous files/CGIs, outdated versions of over 1200 servers, version-specific problems, configuration issues, etc.

Additional Mappings
Functional paths
–URL query parameters
Discovering hidden parameters
–Try default parameter names, e.g., debug, test, hide, etc.
–Monitor responses to identify anomalies
Analyzing applications
–Functionality, behavior, security
Server-side functionality

Mapping the Attack Surface
Use the results of the analysis to find vulnerabilities

Easy
Hidden symbol in URL
Change IP address (only the info to the right is used)
Browser vulnerability
–“You are about to log in to the site “cse.sc.edu” with the username “farkas”, but the website does not require authentication. This may be an attempt to trick you.”
Twitter – executable JavaScript

Who is at risk?
Client: browsers
–Complex systems
–Plug-ins, extensions
–Server authentication
JavaScript and paid ads → ease of propagating malicious code
Never trust a client on the server side
Never trust a browser on the client side

Improve Client Security
Install patches to the browser
Update commonly used plug-ins
Eliminate unused plug-ins
Heed your browser warnings
Make antivirus software watch the browser and downloads
Clear history, stored files, and cookies
If a file is not signed and trusted, don’t download it

Improve Server-Side Security
Never execute client input as code
Never allow client input to pass into the system without validating it internally
Scrub client input for any known exploits and suspect characters
Keep a layer of indirection between the client input received and the system
Manage sessions from inside the trust boundary and not on the client side
Never encode secrets or functional variables in information sent to the client

Web Application Vulnerabilities

Biggest Threats to Web Applications
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Remote file uploads (buffer overflow, SQL injection, etc.)
Trust between the client’s machine and the web application

XSS
Inject client-side script into web pages
Client views the web page → downloads the script
Used to bypass access controls such as the same-origin policy
–Permits scripts running on pages originating from the same site (scheme, hostname, and port number) to access each other’s Document Object Model with no specific restrictions
XMLHttpRequest and robots.txt
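The same-origin rule in the previous slide is a comparison of the (scheme, host, port) triple. The following added example (not from the lecture) implements that comparison the way a browser does, filling in the default port when the URL omits it; the hostnames are constructed for the demonstration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares.
    A missing port is replaced by the scheme's default, so http://h/ and
    http://h:80/ are the same origin."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def same_origin(page_url, target_url):
    """True if script on page_url may freely touch the DOM of target_url."""
    return origin(page_url) == origin(target_url)


if __name__ == "__main__":
    # Constructed URLs, not real sites.
    for a, b in [("http://cse.sc.edu/a", "http://cse.sc.edu:80/b"),
                 ("http://cse.sc.edu/a", "https://cse.sc.edu/a"),
                 ("http://cse.sc.edu/a", "http://www.cse.sc.edu/a"),
                 ("http://cse.sc.edu/a", "http://cse.sc.edu:8080/a")]:
        print(a, "vs", b, "->", same_origin(a, b))
```

Note that the path and query play no part: any page on the same scheme, host and port is one origin, which is why a single XSS flaw anywhere on a site exposes every page of that site.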

How to Avoid XSS?
Scrub all input
Escape output for display
Use trusted solutions when available
Use separate variables for scrubbed input
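The four defenses above, as an added example that is not part of the lecture: a raw-interpolation renderer kept only to show the defect, the escaped renderer that replaces it, and an allow-list scrub that writes its result into a separate variable so the raw value can never reach the page. The comment text and user names are constructed inputs.

```python
import html
import re

# Constructed hostile input for the demonstration.
SAMPLE_COMMENT = '<script>alert(1)</script>Nice "post"'


def render_unsafe(comment):
    """The defect: user text is pasted straight into HTML, so markup executes."""
    return f'<p class="comment">{comment}</p>'


def render_safe(comment):
    """Escape on output: html.escape is the trusted, built-in solution."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def scrub_username(raw):
    """Scrub on input with an allow-list; anything outside [A-Za-z0-9_.-] is dropped
    and the result is capped at 32 characters. The raw value is never returned."""
    return re.sub(r"[^A-Za-z0-9_.-]", "", raw)[:32]


def render_profile(raw_username, comment):
    """Keep the scrubbed value in its own variable and still escape it on output;
    scrubbing and escaping are independent layers."""
    clean_username = scrub_username(raw_username)
    return f"<h1>{html.escape(clean_username)}</h1>" + render_safe(comment)


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_COMMENT))   # script tag survives intact
    print(render_safe(SAMPLE_COMMENT))     # rendered as visible text
    print(render_profile('far<kas>', SAMPLE_COMMENT))
```

Escaping is context-specific: html.escape is right for element text and quoted attribute values, but a value placed inside a script block or a URL needs the encoding for that context instead.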

Cross-Site Request Forgery
Exploits the trust between the server and the client machine
Mostly HTTP requests and responses
Based on how web pages are delivered along with images and other web content

Prevent CSRF
Require verification and stages for sensitive applications
Use anti-CSRF tokens in your forms and processing
Use POST as the means of taking form input
–GET: encodes the data of the form into the URL of the recipient, appending it to the query string of the request
–POST: encodes it as a message body
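An added example of the anti-CSRF token and POST-only rules from the slide (not code from the lecture): the token is generated per session and kept on the server, inside the trust boundary, embedded in the rendered form, and checked with a constant-time comparison before the state-changing action runs. The session ids, form and action name are constructed for the demonstration.

```python
import hmac
import secrets


class CsrfGuard:
    """Per-session anti-CSRF tokens. A cross-site page can make the victim's
    browser send a POST, but the same-origin policy stops it from reading the
    token out of the real form, so it cannot supply a matching value."""

    def __init__(self):
        self._tokens = {}            # session_id -> token, server side only

    def token_for(self, session_id):
        token = self._tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            self._tokens[session_id] = token
        return token

    def render_form(self, session_id):
        """Form as sent to the browser; the token rides along as a hidden field."""
        return ('<form method="post" action="/transfer">'
                f'<input type="hidden" name="csrf" value="{self.token_for(session_id)}">'
                '<input name="amount"></form>')

    def handle_transfer(self, session_id, method, params):
        """Returns (status, message). Rejects GET so the action cannot be triggered
        by an <img> or a link, then requires the session's own token."""
        if method != "POST":
            return 405, "state-changing requests must use POST"
        expected = self._tokens.get(session_id)
        supplied = params.get("csrf", "")
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return 403, "missing or invalid anti-CSRF token"
        return 200, f"transferred {params.get('amount', '0')}"


if __name__ == "__main__":
    guard = CsrfGuard()
    form = guard.render_form("session-A")          # constructed session id
    token = guard.token_for("session-A")
    print(guard.handle_transfer("session-A", "GET", {"amount": "10", "csrf": token}))
    print(guard.handle_transfer("session-A", "POST", {"amount": "10"}))
    print(guard.handle_transfer("session-A", "POST", {"amount": "10", "csrf": token}))
```

The "verification and stages" point on the slide is the complementary control: for high-value actions, re-authenticate or add a confirmation step rather than rely on the token alone.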

Unrestricted File Upload
Users may upload malicious files
Uploaded files can be called by a URL (if stored on the web server)
Example: PHP
–Embedded in image files
–Compiled PHP code

Avoid File Upload Problems
The system should determine the file name
Do not allow users to access the folders where content is uploaded
Parse file extensions carefully or set your own file parser
Whitelist extensions
Be careful with the .htaccess file (it controls access to the files on the server)
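The upload rules above, as an added example that is not from the lecture: only the final extension is considered and must be on the allow-list, the file's leading bytes must match the declared image type, image data carrying a script marker is rejected, and the stored name is chosen by the server. The storage directory is an assumption (outside the document root, so no uploaded file is reachable by URL), and the sample byte strings are constructed.

```python
import os
import secrets

# Allow-listed extensions and the leading bytes each image type must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Assumed storage location: outside the web root, served only through an application handler.
UPLOAD_DIR = "/var/app/uploads"


def validate_upload(client_filename, data):
    """Return the server-chosen storage path, or raise ValueError with the reason."""
    if "." not in client_filename:
        raise ValueError("no extension")
    ext = client_filename.rsplit(".", 1)[1].lower()    # only the last extension counts
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the declared image type")
    if b"<?php" in data or b"<script" in data.lower():
        raise ValueError("script marker found inside image data")
    # The client's name is discarded: a random name, fixed extension, fixed directory.
    stored = secrets.token_hex(16) + "." + ("jpg" if ext == "jpeg" else ext)
    return os.path.join(UPLOAD_DIR, stored)


def is_accepted(client_filename, data):
    try:
        validate_upload(client_filename, data)
        return True
    except ValueError:
        return False


# Constructed sample payloads: a minimal PNG header with padding, and a harmless PHP snippet.
PNG_STUB = ALLOWED_TYPES["png"] + b"\x00" * 16
PHP_TEXT = b"<?php echo 1; ?>"

if __name__ == "__main__":
    for name, body in [("photo.png", PNG_STUB), ("page.php", PHP_TEXT),
                       ("page.php.png", PHP_TEXT), ("photo.png", PNG_STUB + PHP_TEXT),
                       ("photo.png.php", PNG_STUB)]:
        print(name, "->", "accepted" if is_accepted(name, body) else "rejected")
```

The magic-byte check is a weak signal on its own (a valid image can still contain PHP text in its metadata, which is why the marker scan follows it); the controls that actually remove the risk are the server-chosen name and a storage location the web server never executes from.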

Adobe Flash
99% of all internet-connected machines use Adobe Flash
No internal automated update capability
Flash security policy: same origin
–Can be modified by an XML cross-domain policy declaration
Can facilitate XSS, CSRF, DNS rebinding

Ways of Attacking Applications
Use of a web browser only
Use of an intercepting web proxy
Use of a standalone application scanner

Web Browsers
Choice of web browser impacts the effectiveness of the attack
Most popular browsers:
–Internet Explorer
–Firefox
–Chrome
Extensions: additional web browser functionalities

IE
Declining number of users but still the leader
Native support for ActiveX controls
Must work with the Windows platform
Anti-XSS filter with IE 8
Extensions:
–HttpWatch: analyzes HTTP requests and responses, details of headers, cookies, URLs, request parameters, HTTP status codes, and redirects

Integrated Testing Suites
Intercepting proxy
Achilles proxy: early, basic proxy; standalone application; displayed each request and response for editing
Modern proxies:
–Highly functional tool suites
–Several interconnected tools to facilitate common attack tasks
–Useful for both defense and offense

Some of the Tools
Differ widely in their functionalities
The best one: Burp Suite
Others:
–WebScarab
–Paros
–Zed Attack Proxy
–Andiparos
–Fiddler
–Etc.

How the Tools Work
Several complementary tools that share information about the target application
[Diagram: IE (attacker) ↔ Toolkit ↔ Target application]
Toolkit: monitors the interaction between the attacker and the target application. Stores all requests and responses and all details about the target application.

Toolkit Elements
1. An intercepting proxy
2. A web application spider
3. A customizable web application fuzzer
4. A vulnerability scanner
5. A manual request tool
6. Functions for analyzing session cookies and tokens
7. Other functions and utilities

1. Intercepting Proxies
Must configure the attacker’s browser to use an intercepting proxy (listening on a specified port)
–Can be easily configured for the 3 most popular browsers
If you are using a thick client and cannot configure a proxy, you need to modify the OS files that resolve the hostname used by the application, so that the proxy can listen on this communication

1. Intercepting Proxies
Basic HTTP messages: the intercepting proxy acts as a normal web proxy
[Diagram: IE (attacker) → Proxy → application]
The web browser sends the hostname of the application. The proxy resolves the corresponding IP address and converts the request to a non-proxy equivalent message.
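The conversion the slide describes, as an added example (not code from the lecture or from Burp): a browser configured for a proxy sends an absolute URL in the request line and proxy-only headers; the proxy must rewrite the request into the origin form the server expects, strip those headers, and treat CONNECT as a request for a TCP tunnel rather than something to forward. The sample requests and hostnames are constructed.

```python
from urllib.parse import urlsplit

# Headers that are meant for the proxy and must not be passed on to the origin server.
PROXY_ONLY_HEADERS = {"proxy-connection", "proxy-authorization"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def to_origin_form(raw):
    """Returns ("connect", host, port, None) when the browser asks for a tunnel
    (HTTPS through a normal proxy), otherwise ("forward", host, port, message)
    where message is the non-proxy equivalent request to send to the server."""
    method, target, version, headers, body = parse_request(raw)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return ("connect", host, int(port), None)
    u = urlsplit(target)                         # absolute URL: http://host:port/path?query
    port = u.port or (443 if u.scheme == "https" else 80)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    out = [f"{method} {path} {version}"]
    has_host = False
    for name, value in headers:
        if name.lower() in PROXY_ONLY_HEADERS:
            continue
        has_host = has_host or name.lower() == "host"
        out.append(f"{name}: {value}")
    if not has_host:                             # the server needs Host even if the browser omitted it
        out.append(f"Host: {u.netloc}")
    return ("forward", u.hostname, port, "\r\n".join(out) + "\r\n\r\n" + body)


# Constructed sample requests, as a proxy-configured browser would emit them.
SAMPLE_GET = ("GET http://app.example:8080/cart?id=7 HTTP/1.1\r\n"
              "Host: app.example:8080\r\nProxy-Connection: keep-alive\r\n"
              "Cookie: sid=abc\r\n\r\n")
SAMPLE_CONNECT = "CONNECT app.example:443 HTTP/1.1\r\nHost: app.example:443\r\n\r\n"

if __name__ == "__main__":
    print(to_origin_form(SAMPLE_GET))
    print(to_origin_form(SAMPLE_CONNECT))
```

An intercepting proxy sits between these two steps: the parsed request is shown to the tester and possibly edited before to_origin_form's output is written to the server socket, and the stored pair of request and response becomes the proxy history the other tools read.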

Normal Web Proxy: HTTPS Messages
[Diagram: IE (client) → CONNECT → Proxy → SSL handshake → application]
After the connection is established, the proxy acts as a TCP-level relay between the client and the application.

Intercepting Proxy: HTTPS Messages
[Diagram: IE (attacker) → CONNECT → Proxy → SSL handshake → application]
After the connection is established, the proxy acts as a TCP-level relay between the client and the application.

SSL Handshake
1. C → S: ClientHello (Phase 1: security capabilities)
2. S → C: ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone (Phase 2: optional server messages)
3. C → S: [Certificate], ClientKeyExchange, [CertificateVerify], ChangeCipherSpec, Finished (Phase 3: client key exchange)
4. S → C: ChangeCipherSpec, Finished (Phase 4: change cipher suite)
(Messages in square brackets are optional.)

Fake Certificates
The proxy’s certificate may not be accepted
–Cross-domain requests
–Users’ trust
Burp Suite: generates a unique CA certificate for the current user. Use this to generate new certificates for the proxy.

Common Features of Intercepting Proxies
Fine-grained intercepting rules
Detailed history of all requests and responses
Automated match-and-replace rules for dynamic modification of requests and responses
Access to the proxy’s functionality within the web browser
Utilities

2. Web Application Spider
Shares data with the intercepting proxy
Manual spidering followed by automated spidering
Challenges:
–Form-based navigation
–JavaScript-enabled navigation
–Multistage functions
–Authentication and sessions
–Parameter-based identification
–Tokens and cookies

Common Functionalities of Web Spiders
Automatic update of the site map based on data supplied by the proxy
Parsing proxy data for links
Fine-grained control over the scope of spidering
Automatic parsing and analysis of HTML forms, scripts, comments, images
Automated and user-guided submission of forms
Automatic retrieval of the root of all enumerated directories

3. Web Application Fuzzers
Use automation to perform common attack tasks
Common features:
–Manually configured probing for common vulnerabilities
–A set of built-in payloads and functions to generate arbitrary payloads
–Save attack results and response data
–Customizable functions for viewing and analyzing responses
–Functions for extracting useful data from the application

4. Web Application Vulnerability Scanners
Passive scanning: monitoring the requests and responses passing through the local proxy
–Detects vulnerabilities: clear-text password, incorrect cookie, etc.
–Non-invasive, often used for penetration testing
Active scanning: sending new requests to the target application
–Tests for XSS vulnerabilities, HTTP header injection, etc.
–Can be potentially dangerous
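An added example of the passive checks the slide lists (not code from the lecture or from any scanner): it reads recorded request/response pairs as a proxy history would hold them and, without sending anything, flags a password form served over plain HTTP, a form whose action points at an http:// URL, and Set-Cookie headers missing the HttpOnly or Secure attributes. The exchanges are constructed.

```python
import re

PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
PLAIN_FORM_ACTION = re.compile(r"<form[^>]*action\s*=\s*[\"']http://", re.I)


def check_exchange(ex):
    """ex: {"url": str, "headers": [(name, value)], "body": str} for one response.
    Returns a list of (issue, url) findings; nothing is sent to the application."""
    findings = []
    url, body = ex["url"], ex.get("body", "")
    over_https = url.lower().startswith("https://")
    if PASSWORD_FIELD.search(body) and not over_https:
        findings.append(("password form served over clear-text HTTP", url))
    if PLAIN_FORM_ACTION.search(body):
        findings.append(("form submits to a clear-text http:// action", url))
    for name, value in ex["headers"]:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        # Attribute names after the first "name=value" pair, lower-cased for comparison.
        attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append((f"cookie {cookie} lacks HttpOnly", url))
        if over_https and "secure" not in attrs:
            findings.append((f"cookie {cookie} lacks Secure", url))
    return findings


def passive_scan(exchanges):
    """Run check_exchange over a whole proxy history."""
    return [f for ex in exchanges for f in check_exchange(ex)]


# Constructed proxy history entries; the host and cookie values are invented.
SAMPLE_EXCHANGES = [
    {"url": "http://app.example/login",
     "headers": [("Content-Type", "text/html"), ("Set-Cookie", "sid=7f3a; Path=/")],
     "body": '<form action="/login" method="post"><input type="password" name="pw"></form>'},
    {"url": "https://app.example/account",
     "headers": [("Set-Cookie", "sid=7f3a; Path=/; Secure; HttpOnly")],
     "body": '<form action="http://app.example/pay" method="post"><input type="password" name="pin"></form>'},
    {"url": "https://app.example/help",
     "headers": [("Set-Cookie", "theme=dark; Path=/; Secure")],
     "body": "<p>FAQ</p>"},
]

if __name__ == "__main__":
    for issue, url in passive_scan(SAMPLE_EXCHANGES):
        print(f"{url}: {issue}")
```

Because every finding comes from traffic the browser generated anyway, this is the kind of check that is safe to leave running during a user-directed walk-through; the active checks on the slide are the ones that need explicit scoping.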

5. Manual Request Tools
Functionality to issue a single request and view its response
Very useful when a slight modification of the request is needed based on the responses
Can be both a standalone tool and web browser-based
Common features:
–Integration with other suite components
–Keep a record of all requests and responses
–Multi-tabbed interface: handle multiple items

6. Session Token Analyzer
Randomness of session cookies
Burp Sequencer: standard statistical tests

Testing Workflow
[Diagram: Browser → Intercepting proxy (proxy history, site map) → Spider and Content discovery (recon and analysis) → Scanner (active and passive scanning), Repeater, Fuzzer, Token analyzer (vulnerability detection and exploitation) → Vulnerabilities; confirm vulnerabilities]

Alternatives to Intercepting Proxies
Non-traditional applications
–Cannot use a proxy
Browser extensions
–Extend functionality
–Do not interfere with the network-layer communication between the server and the browser
–Allow submitting arbitrary requests to the application

Methodology
1. Recon and analysis
–Map application content
–Analyze the application
2. Analysis
–Application logic: test client-side controls and for logic flaws
–Access handling: test authentication, session management, access control
–Input handling: fuzz all parameters, test specific functionalities
–Application hosting: test for shared hosting issues, test the web server
–Miscellaneous checks
–Information leakage

Next Class
Buffer overflow and application software insecurity