Presentation is loading. Please wait.

Presentation is loading. Please wait.

One-Way Hacking: Futility of Firewalls in Web Hacking JD Glaser, Saumil Shah Foundstone Inc.

Published byTy Trillo Modified over 9 years ago

Similar presentations

Presentation on theme: "One-Way Hacking: Futility of Firewalls in Web Hacking JD Glaser, Saumil Shah Foundstone Inc."— Presentation transcript:

1 One-Way Hacking: Futility of Firewalls in Web Hacking JD Glaser, Saumil Shah Foundstone Inc.

2 Typical Web Application set-up Web Server DB Web app Web Client Web app HTTP request (cleartext or SSL) HTTP reply (HTML, Javascript, VBscript, etc) Plugins: Perl C/C++ JSP, etc Database connection: ADO, ODBC, etc. SQL Database Apache IIS Netscape etc… Firewall

3 Traditional Hacking…Limitations Modern network architectures are getting more robust and secure. Firewalls being used in almost all network roll-outs. OS vendors learning from past mistakes (?) and coming out with patches rapidly. Increased maturity in coding practices.

4 Utility of Firewalls Web Server DB Web app Sun RPC NT ipc$ wu-ftpd X X X Hacks on OS network services prevented by firewalls.

5 Utility of Firewalls Web Server DB Web app X Internal back-end application servers are on a non- routable IP network. (private addresses)

6 Utility of Firewalls Web Server DB Web app X Outbound access restricted. Why would a web server telnet out?

7 Futility of Firewalls E-commerce / Web hacking is unfettered. Web traffic is the most commonly allowed of protocols through Internet firewalls. Why fight the wall when you’ve got an open door? HTTP is perceived as “friendly” traffic. Content/Application based attacks are still perceived as rare.

8 The Web Hacker’s Toolbox Essentially, all a web hacker needs is … a web browser, an Internet connection, … and a clear mind.

9 Firewalls cannot prevent… Web Server Web Client web server mis- configuration URL Interpretation Attacks.

10 Firewalls cannot prevent… Web Server Web app Web Client Web app poor checking of user inputs URL Interpretation attacks Input Validation attacks.

11 Firewalls cannot prevent… Web Server DB Web app Web Client Web app Input Validation attacks Extend SQL statements URL Interpretation attacks SQL Query Poisoning

12 Firewalls cannot prevent… Web Server DB Web app Web Client Web app Reverse- engineering HTTP cookies. Input Validation attacks SQL query poisoning URL Interpretation attacks HTTP session hijacking. Impersonation.

13 The URL as a cruise missile Web Server DB Web app http: // 10.0.0.1 / catalogue / display.asp ? pg = 1 & product = 7

14 Web Hacks - net effects Web Hacks cause three types of effects: Extra information disclosure. (paths, etc.) Source code and arbitrary file content disclosure. Extra data disclosure (e.g. return all rows) Arbitrary command execution.

15 The Web Hacker’s Toolbox Some desired accessories would be … a port scanner, netcat, vulnerability checker (e.g. whisker), OpenSSL, … etc.

16 Hacking over SSL Some SSL Myths: “We are secure because we use SSL!” “Strong 128 bit crypto being used” “We use Digital Certificates signed by VeriSign”

17 Hacking over SSL Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy! Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL. SSL web server web client openssl nc

18 Use the Source, Luke Source code disclosure may reveal any flaws in the application design. Can be used to retrieve application configuraiton files. e.g. global.asa, etc.

19 Source Code Disclosure WebLogic / Tomcat example:

20 Source code disclosure IIS +.htr example:

21 SQL Query Poisoning Poor input validation on parameters passed to SQL queries can be disastrous. For example: Dim sql_con, result, sql_qry Const CONNECT_STRING = "Provider=SQLOLEDB;SERVER=WEB_DB;UID=sa; PWD=xyzzy" sql_qry = "SELECT * FROM PRODUCT WHERE ID = “ & Request.QueryString(“ID”) Set objCon = Server.CreateObject("ADODB.Connection") objCon.Open CONNECT_STRING Set objRS = objCon.Execute(strSQL)

22 SQL Query Poisoning Return all rows: http://10.0.0.3/showtable.asp? ID=3+OR+1=1 Resultant query: SELECT * FROM PRODUCT WHERE ID=3 OR 1=1

23 SQL Query Poisoning Drop Table: http://10.0.0.3/showtable.asp? ID=3%01DROP+TABLE+PRODUCT Resultant query: SELECT * FROM PRODUCT WHERE ID=3 DROP TABLE PRODUCT

24 SQL Query Poisoning Remote Command Execution! http://10.0.0.3/showtable.asp? ID=3%01EXEC+master..xp_cmdshell+ ‘copy+\winnt\system32\cmd.exe+ \inetpub\scripts’ Command executed: copy \winnt\system32\cmd.exe \inetpub\scripts

25 One-way attacks Assume the tightest firewall configuration. All legal HTTP requests. No outbound traffic from internal network. …yet, total control. Illustrates how the smallest of openings can be big enough to drive a truck through it!

26 One-way attacks … entry point One entry point required. Arbitrary command execution. Can be achieved in many ways: Known vulnerability (e.g. IIS Unicode / ddecode) Buffer overflow (sometimes kills server!) Fooling the application itself! (metacharacters, SQL query poisoning)

27 One-way attacks … uploader Create an HTTP multipart-MIME upload mechanism. The same process as sending attachments over web-based mail (yahoo, hotmail). Uploader allows the attacker to plant and execute tools on the server. The hole widens.

28 One-way attacks … remote prompt Install a remote web-based command prompt. HTML form, passes inputs to the command- shell on the server. Semi-interactive.

29 One-way attacks … SQL prompts! A step further, install a SQL query prompt page! Allows attackers to arbitrarily pick and attack back-end SQL servers. Web programming languages such as ASP, PHP allow back-end database interfaces. Pilfering of database credentials from source code disclosure attacks would be useful!

30 One-way attacks … getting root! Upload your favourite privilege escalation $pl01t! Run it through the web-based command prompt. Get admin/root privileges!

31 One-way attacks … going further Drive through the back-end network. Portscanning Service enumeration Network packet sniffing Recovering passwords / credentials … it’s all open now!

32 WinDump Loads dynamically – don’t have to reboot box. Works great with MDAC, Unicode, etc… Sniff internal networks after attack. Grep for user/pass – Pipe output. Send results back through nc. Send results back through firewall as an HTML page – ultra cool because it bypasses firewall

33 Root Causes of Web Hacks Complex web architectures may cause oversight in web server configuration. URL Parsing. File Canonicalization. Combination of underlying operating system and web server may leave holes.

34 Root Causes of Web Hacks Untested code used in web applications, to save time. Level of security consciousness low in web application developers. Security vs. convenience. Security vs. time-to-market. Zero knowledge administration breeds zero knowledge administrators.

35 Web Security Measures Heighten security awareness amongst administrators, developers and most important - TOP MANAGEMENT! Firewalls and SSL do not solve all security problems. Keep abreast of latest vendor advisories and patches. Monitor security mailing lists such as BugTraq. :-/

36 Thank You! jd.glaser@foundstone.com saumil.shah@foundstone.com

Download ppt "One-Way Hacking: Futility of Firewalls in Web Hacking JD Glaser, Saumil Shah Foundstone Inc."

Similar presentations

Company LOGO WEB SYSTEM. Components of a Generic Web Application System.

Company LOGO WEB SYSTEM. Components of a Generic Web Application System.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Building Applications using ASP.NET and C# / Session 1 / 1 of 21 Session 1.

Building Applications using ASP.NET and C# / Session 1 / 1 of 21 Session 1.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.

15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.
Introduction to ASP.NET. 2 © UW Business School, University of Washington 2004 Outline Static vs. Dynamic Web Pages.NET Framework Installing ASP.NET First.

Introduction to ASP.NET. 2 © UW Business School, University of Washington 2004 Outline Static vs. Dynamic Web Pages.NET Framework Installing ASP.NET First.
INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.

INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.
Introduction to Web Database Processing

Introduction to Web Database Processing
INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.

INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)
Apache Tomcat Server Typical html Request/Response cycle

Apache Tomcat Server Typical html Request/Response cycle
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,

IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
159.339 Quick Tour of the Web Technologies: The BIG picture LECTURE A bird’s eye view of the different web technologies that we shall explore and study.

Quick Tour of the Web Technologies: The BIG picture LECTURE A bird’s eye view of the different web technologies that we shall explore and study.

Similar presentations

Ads by Google