Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows Security 2002 BlackHat New Orleans WhiteHat Security “Web Application Security” and “Presenting” Jeremiah Grossman

Published byGloria Snow Modified over 9 years ago

Similar presentations

Presentation on theme: "Windows Security 2002 BlackHat New Orleans WhiteHat Security “Web Application Security” and “Presenting” Jeremiah Grossman"— Presentation transcript:

1 Windows Security 2002 BlackHat New Orleans WhiteHat Security “Web Application Security” and “Presenting” Jeremiah Grossman jeremiah@whitehatsec.com

2 Topics  Web Application Security Landscape  Why is Web Application Security Important  Common Web Application Security Mistakes  Web Application Attack Methodologies

3 Web Application Security Landscape Entertainment Message Boards WebMail Guest Books Voting Polls E-Commerce Shopping Auctions Banking Stock Trading Just Plain Crazy Printers PDA’s Cell Phones System Configuration.NET/Passport

4 Web Application The Simple Definition A web application or web service is a software application that is accessible using a web browser or HTTP(s) user agent.

5 Web Application The “EASIER” Definition If it runs on port 80 or port 443, then is probably a web application.

6

7

8

9 Why is Web Application Security Important? Easiest way to compromise hosts, networks and users. Widely deployed. No Logs! (POST Request payload) Incredibly hard to defend against or detect. Most don’t think of locking down web applications. Intrusion detection is a joke. Firewall? What firewall? I don’t see no firewall… Encrypted transport layer does nothing. How much easier can it get!? Unicode.

10 Common Web Application Security Mistakes Trusting Client-Side Data Unescaped Special Characters HTML Output Character Filtering SUID ActiveX/JavaScript Authentication Lack of User Authentication before performing critical task.

11 Trusting Client-Side Data DO NOT TRUST CLIENT-SIDE DATA!!! Trusting client-side data is #1 cause of vulnerabilities. Identify all input parameters that trust client-side data.

12 Unescaped Special Characters The Level of Trust : Searches/Queries/Templates Path: http://foo.com/cgi?val=string&file=/html/name.db Or better yet… http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd

13 Unescaped Special Characters ! @ $ % ^ & * ( ) -_ + ` ~ \ | [ ] { } ; : ' " ? /,. > < Check for: Unescaped special characters within input strings

14 HTML Character Filtering Proper handling of special characters > =>> < "=>" & =>& Null characters should all be removed. %00

15 More mistakes… SUID (Does a web application really need root?) Authentication mechanisms using technologies such as JavaScript or ActiveX. Lack of re-authenticating the user before issuing new passwords or performing critical tasks. Hosting of uncontrolled data on a protected domain.

16 WhiteHat Arsenal GUI Web-Based Interface Session Based Discovery Utilities Active Assessment Encoding/Decoding Reporting

17 Web Application Penetration Methodologies Information Gathering & Discovery Input/Output Client-Side Data Manipulation

18 Information Gathering & Discovery  Spidering /Site Map  Identifiable Characteristics  Error and Response Codes  File / Application Enumeration

19 Spidering

20 Spidering/Site Crawling Site Map Service Map Documentation Hidden Services CGI's and Forms Email addresses

21 Identifiable Characteristics Comment Lines URL Extensions Meta Tags Cookies Client-Side scripting languages Enormous wealth of information about process flows, debug command, system types and configurations.

22 Error and Response Codes HTTP Response Headers Server: IBM/Apache 1.3.19 Cookie Characteristics Error Messages Exception Messages (Java / SQL) 404 Error Pages Failed Login Locked Account Database or file non-existent

23 File/Application Enumeration Commonly referred to as “forced browsing” or “CGI Scanning”.

24 File/Application Enumeration Sample Files Template Directories Temp or Backup files Hidden Files Vulnerable CGIs

25 Common Directories

26 Common Log Files

27 Common Backup Files

28 Input/Output Client-Side Data Manipulation URL Manipulation CGI Parameter Tampering HTTP Client-Header Injection Filter/Intrusion Detection Evasion Protocol/Method Manipulation Overflows

29 Input Manipulation Parameter Tampering "Twiddling Bits." " Cross-Site Scripting " Filter-Bypass Manipulation " OS Commands " Meta Characters " Path/Directory Traversal " Hidden Form Field Manipulation " HTTP Headers

30 Cross-Site Scripting Bad name given to a dangerous security issue Attack targets the user of the system rather than the system itself. Outside client-side languages executing within the users web environment with the same level of privilege as the hosted site.

31 Client-Side Scripting Languages DHTML (HTML, XHTML, HTML x.0) Opens all the doors. " JavaScript (1.x)Browser/DOM Manipulation " Java (Applets)Malicious Applets " VBScriptBrowser/DOM Manipulation " FlashDangerous Third-Party Interactivity " ActiveXLet me count the ways… " XML/XSLAnother Door Opener " CSSBrowser/DOM Manipulation

32 The Scenarios " Trick a user to re-login to a spoofed page " Compromise authentication credentials " Load dangerous of malicious ActiveX " Re-Direct a user or ALL users " Crash the machine or the browser

33 CSS Danger “The Remote Launch Pad.” " Successfully CSS a user via a protected domain. " Utilizing a Client-Side utility (JavaScript, ActiveX, " VBScript, etc.), exploit a browser hole to download " a trojan/virus. " User is unknowingly infected/compromised within " a single HTTP page load. " ActiveX Netcat Anyone?

34 2 Types of CSS  Click on a link to activate Click Here  Auto-Execute by viewing HTML run evil JavaScript

35 Dangerous HTML “HTML Bad” " Malicious Java Applications " Altering HTML Page Characteristics " Embedding Third-Party Applications (Flash, etc.) " Directly calling in other uncontrolled HTML " Altering HTML Page Characteristics " Directly calling in other uncontrolled HTML " SCRing Protocol attacks and other abuses " Directly calling in other uncontrolled HTML " META Refreshes. (Client-Redirects) " ActiveX (Nuff Said) " JavaScript/VBScript Loading " Style Sheet and Scripting Alterations

36 Dangerous Attributes “Attributes Bad” " ATTRIBUTE DANGER LIST " (Any HTML Tag that has these attributes) " STYLE " SRC " HREF " TYPE

37 Power of the Dots and Slashes piping input to the command line. " Path Directory Traversal " http://foo.com/app.cgi?directory=/path/to/data " DotDot Slash: " http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd " Dot Slash: " http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd " Double DotDot Slash: " http://foo.com/app.cgi?dir=path/to/data....//….//….//etc/passwd

38 More Filter Bypassing " Method Alteration(HEAD, PUT, POST, GET, ect.) " URL Encode " http://www.foo.com/cgi?value=%46%72%68%86 " Null Characters " http://www.foo.com/cgi?value=file%00.html " More… " Alternate Case, Unicode, String Length, Multi-Slash, etc.

39 More Filter Bypassing " Method Alteration(HEAD, PUT, POST, GET, ect.) " URL Encode " http://www.foo.com/cgi?value=%46%72%68%86 " Null Characters " http://www.foo.com/cgi?value=file%00.html " More… " Alternate Case, Unicode, String Length, Multi-Slash, etc.

40 Authentication & Session Management Brute/Reverse Force Session Hi-Jacking Session Replay Session Forgoing Page Sequencing

41 Reporting XML/HTML Based Manual Hack Attack Log w/ Descriptor Common Directory Force Browsing Common Log File Force Browsing Backup File Force Browsing Spider Log

42 Spider XML Log

43 Attempts XML Log

44 A few quick things to help secure a web application. Do Not Trust Client-Side Data Escape and filter all input/output data Set-up parameter and request method allow lists. Don’t use what your not expecting to receive.

45 Thank You! BlackHat and Attendees Questions? Jeremiah Grossman jeremiah@whitehatsec.com WhiteHat Security All presentation updates will be available on www.whitehatsec.com and community.whitehatsec.com

Download ppt "Windows Security 2002 BlackHat New Orleans WhiteHat Security “Web Application Security” and “Presenting” Jeremiah Grossman"

Similar presentations

Module XII Web Application Vulnerabilities

Module XII Web Application Vulnerabilities
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Webgoat.

Webgoat.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Web Application Security The Land that Information Security Forgot. BlackHat Europe 2001 Jeremiah Grossman WhiteHat Security.

Web Application Security "The Land that Information Security Forgot." BlackHat Europe 2001 Jeremiah Grossman WhiteHat Security.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

Similar presentations

Ads by Google