
Application Attacks

Table of Contents

Types of Application Attacks ........................................................................................................... 3

Cross Site Scripting (XSS) ................................................................................................................. 4

XSS Example -1 ................................................................................................................................ 6

XSS Example -2 ................................................................................................................................ 7

Javascript ......................................................................................................................................... 8

ActiveX .......................................................................................................................................... 10

Javascript ....................................................................................................................................... 12

ActiveX .......................................................................................................................................... 13

SQL Injection Attacks -1 ................................................................................................................ 14

SQL Injection Attacks -2 ................................................................................................................ 15

SQL Injection Attacks -3 ................................................................................................................ 16

XML Injection ................................................................................................................................ 18

LDAP Vulnerabilities ...................................................................................................................... 19

Directory Traversal Attacks ........................................................................................................... 21

Arbitrary / Remote Code Execution .............................................................................................. 23

Buffer Overflows ........................................................................................................................... 24

Integer Overflows ......................................................................................................................... 27

Zero Day Exploits........................................................................................................................... 28

Cookies .......................................................................................................................................... 30

Cookie / Session Poisoning ........................................................................................................... 31

Local Shared Objects (LSO) ........................................................................................................... 32

Page 1 of 36

Session Hijacking ........................................................................................................................... 33

SMTP Relay.................................................................................................................................... 34

Notices .......................................................................................................................................... 36

Types of Application Attacks

• Cross-site scripting
• Cross-site request forgery
• SQL injection
• XML injection
• LDAP injection
• Directory traversal / command injection
• Arbitrary code execution / Remote code execution
• Buffer overflow
• Integer overflow
• Locally shared objects (LSO)
• Zero day
• Cookies and attachments
• Malicious add-ons
• Session hijacking
• SMTP relays

**098 I think for most of the application attacks that we're concerned with here, they focus in on the Web. The place to go to learn a lot of detail on each one of these application attacks is going to the owasp.org, O-W-A-S-P.org. And they have what are called their top ten list. They also have a tool. This tool is a downloadable, executable, inside of a virtual machine that is called WebGoat. WebGoat is a punching bag. It walks you through every single step of how to attack most of what we see here, most of this list. The only one on the list-- there are three things that it doesn't do: locally shared objects, Zero day, and SMTP Relays. And we'll talk about why SMTP Relays are dead in very short order. So we're going to look at each one of these.

Cross Site Scripting (XSS)

An attack that leverages scripts, served by a malicious or compromised server or web application, to access the site visitor's computer

Stored XSS attacks occur when the malicious code is stored on the server or web application itself.

Reflected XSS attacks occur when the malicious code is injected into the server or web application by the user (e.g., through an email)

Can be used to (among other things)
• Disclose user session cookies (for session hijacking – more later!)
• Disclose information on user's computer
• Install malware
• Redirect users to another server or application

**099 Cross site scripting. So where does the attack sit? Well the attack sits not on the client and not the attacker going to the client, but the attacker going to a place where the client is going to be. A website. That website has to take programming code or uploads of either files or postings. In a web 2.0 world, what happens is we're allowed to write things to those locations, and one of them would be "Hey, look at this cool thing here." Describe, describe, describe, describe, link. That website is trusted by this user. This user views that website and as part of the viewing and rendering of this website here, they are redirected to the evil. That's cross site scripting in a nutshell. What happens when they get there? Some sort of payload or evil that happens. The trust was between this user and this site and that was appropriate. Where it was broken was the attacker was allowed to upload something to this site that should not have been there. This can disclose anything. Most of the time we talk about session cookies, computer information, installed malware. The best way to protect against this is from the client side web reputation filtering to allow you to get to this site, but then that piece that was supposed to be rendered that goes to another location, that piece would be washed away. Common browsers today look for that cross site scripting flaw and try to protect users against it.

XSS Example -1

[Figure: the client's Browser requests http://server/app?name=Joe from the Web App Server, which answers with a page reading "Hello Joe!"]

A web application in normal operation. The user browses to a URL containing his username. The web application responds to the name parameter in the URL by building a dynamic HTML page with his username, "Hello Joe!"

**100 So here's a general example. The client goes to this web application. Something was set up and sends back an answer, "Hello Joe!"

XSS Example -2

[Figure: the Attacker supplies the link http://server/app?name=<script>BadJuJu()</script>; the Web App Server answers "Hello" followed by the script, and the client's Browser executes badJuJu()]

A web application under XSS attack. The user is tricked into clicking a link containing a malicious script in place of his username in the URL to access the site. The server, in turn, sends this script to the user's browser, which processes it, thinking it came from the trusted server.

**101 Well what the attacker does is they know about this script and they install that on the web application server and it gets passed back through this browser to this client. The web application is under attack. The victim is the client trying to get to that web application.
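
Slides 100 and 101 written out as code, as an added example that is not part of the original course material: a minimal stand-in for the slide's web app builds the "Hello <name>!" page from the name parameter, once by pasting the parameter straight in (the behaviour slide 101 exploits) and once with HTML output encoding, which is the fix the slides leave to the reader. The two URLs and the BadJuJu() name come from the slides; the function names, the crude script-tag check and the use of Python's standard library are this example's own choices.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs, modelled on the slides (not captured traffic).
NORMAL_URL = "http://server/app?name=Joe"
ATTACK_URL = "http://server/app?name=<script>BadJuJu()</script>"


def name_from_url(url):
    """Pull the 'name' query parameter out of a request URL ('' if absent)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def render_vulnerable(name):
    """The web app as shown on slide 101: the parameter is pasted straight
    into the HTML page, so whatever the user typed reaches the browser as
    markup, <script> included."""
    return "<html><body>Hello " + name + "!</body></html>"


def render_hardened(name):
    """Same page with output encoding (hypothetical fix written for this
    example). html.escape turns <, >, & and both quote characters into
    entities, so the browser displays the payload as text instead of
    executing it."""
    return "<html><body>Hello " + html.escape(name, quote=True) + "!</body></html>"


def contains_script_tag(page):
    """Crude visibility check used only by this example: did a <script tag
    survive into the rendered page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for url in (NORMAL_URL, ATTACK_URL):
        name = name_from_url(url)
        print(url)
        print("  vulnerable:", render_vulnerable(name))
        print("  hardened:  ", render_hardened(name))
```

Output encoding at the point where untrusted data is written into HTML is what removes the reflected case; the browser-side filtering the narration mentions is a second layer, not a substitute, and a Content-Security-Policy header limits what an injected script could do if encoding is missed somewhere.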

Javascript

Self-contained program that can be downloaded and executed to control or manipulate browser settings

Compiled and executed in the client environment

The client OS and browser version must be considered with vulnerability risks

Javascript vulnerabilities include unauthorized file access, cache access, uploads, and potential for email exposure.

**102 Java, Javascript is not bad. It's not evil. It helps us to do things. It makes the web feel better. Well how does it do what it does? Well we create and write a program that when the client arrives they can download this program and things can get done more easily and more wonderful for them. It allows them to not be relying on the communication back and forth for the website, but now what it's doing is when it's delivered to this host right here, it could under the context of this user in the browser, either break out of the browser and do activities on the local machine or it could grab files. It could access the cache of this particular browser to see where they've been. It could allow for uploads and even expose email. So Javascript is not bad. It's just programmers program it to do things and take advantage of the fact that the end user is allowed to do a lot on their local machine. How do we stop Javascript? Well what we're going to do is we're going to break the web so let's be clear about that. We're going to break the web. We're going to say we don't allow Java. Sorry, no Javascript need apply here. And we will break that site. End users will be mad at us but we're saying we're trying to protect you. Now there are signed-- there's code signing for Java that will help it make that particular application the person who wrote it more responsible for it but Java signing of applications also can be spoofed.

ActiveX

Pre-compiled executables implemented by Microsoft to customize client usability

Can be embedded in web pages

Executes with permissions of logged on user

Settings in the client's browser determine whether the user is prompted to approve

Execution is restricted by whether it is signed

Uses Authenticode technology to validate the certificate

Auto-accepting ActiveX components may cause malicious code to be executed or other system vulnerability exploitation.

**103 Okay if we can't use Javascript what other programming language can we use to make the web richer and better and more fun for the end user? How about Microsoft's ActiveX? Almost exactly the same concept, this time what we do is we embed this. We mix ActiveX. We mix our programming with our HTML to make it a rich experience. ActiveX executes with permissions of the logged on users so any kind of programming here, if this end user has let's say they have administrative privileges. Well now this ActiveX component has administrative privileges. Could that be to install? Absolutely. This is why I say that any time we have an administrator account, we only use that for doing administrative functions and we do separate accounts. So in ActiveX remember whatever the user has as permissions, so does the ActiveX component. We could use something called Authenticode that is signed application. The ActiveX application is signed using PKI, and that PKI is then also known about by the browser and by the operating system. But again the potential for spoofing the valid certificate is there. We're not saying it's easy. We're saying that it's possible. A lot of times browsers are configured.

**102 Javascript.

**103 And ActiveX, they are configured so that they will automatically execute whatever that is based on the user's context. They trust that the user knows what they are doing and I think that's the mistake.

SQL Injection Attacks -1

A server side attack in which SQL statements are used to map out the entire database and possibly modify entries

Tables can be found through error messages

' UNION SELECT TOP 1 table_name FROM information_schema.tables;--

Produces an error message that contains the table name:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

To get additional tables, use the following statement

' UNION SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN ('table1');--

Or, try a targeted query to find tables containing keywords

' UNION SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name LIKE '%25login%25';--

**104 Let's talk about SQL injection for a second. I make a statement that is true and you accept that it's true. Based on this statement I want you to execute that other statement. That makes sense. In SQL injection, what the attacker does is they break that statement up into more clauses. Notice it starts with that tick mark. We can tick or close the quote and add anything that we want into it. When we take a look here, these two statements look identical until we get to this point right here. And then we add extra stuff into it. When we get to here on this one, we add extra stuff that's different. All we are saying in SQL injection is that we can add more conditional statements that either make it always true or ask for information that we shouldn't have. That's SQL injection in a nutshell.

SQL Injection Attacks -2

An attacker can also map out column names of a table.

' UNION SELECT TOP 1 column_name FROM information_schema.columns WHERE table_name = 'table1';--

Produces an error message which contains the column name:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

To get additional columns, use the following statement

' UNION SELECT TOP 1 column_name FROM information_schema.columns WHERE table_name = 'table1' AND column_name NOT IN ('login_id');--

**105 We could if we wanted to do a reconnaissance attack against this database by mapping out the column names of a table. And we query the database and say give me the information of the name of this table. Or I don't know the name of the table, tell me what it is. I don't know the name of the field, tell me what it is based on these conditions here: when zero is equal to zero, fulfill this condition over here.

SQL Injection Attacks -3

Combining table and column names, an attacker can get the actual data stored in the database too.

' UNION SELECT TOP 1 login_id FROM table1;--

And assuming the returned value is admin_user, you can get the password.

' UNION SELECT TOP 1 password FROM table1 WHERE login_id = 'admin_user';--

One more step and an attacker can add or update records in the database.

'; UPDATE admin_login SET password = 'hacker' WHERE login_name = 'admin_user';--

'; INSERT INTO table1 (login_id, login_name, password) VALUES (111, 'hacker', 'h@ck3r');--

**106 We can combine those table names and column names and now the attacker can query and say "Give me all the data in this table." What I think is worse is corruption of this data. So we can exfiltrate it and that's one thing. But what's worse is that the attacker can say once I pulled all this data out, wipe all the data in this table. Rewrite it so that it's got random trash in it so now you can't even use it and I'm gone. I work with an organization that had an SQL database and one of the fields that they allowed people to post into was a field for an avatar. A file, a picture that represents you. And what the attacker did was they went into that place where you posted an avatar and instead of posting an avatar, they posted code. Because it was a big field that allowed anything that you wanted to put inside of there. All you had to do is have the correct extension on the name of the file. But they inserted that into the database. And then what they did was they came around with their query tool and they said "Get the first 15 bits of that particular avatar file." The avatar file is a perfectly valid file for this user to be querying. But the way they queried it was not really for the avatar, but those bits were actually not an avatar. They weren't a picture. That was code for them to execute. Now that avatar sits into any container that has the privileges of the container itself or of the system because it's pulling these two things together. What did it pull together? It pulled out of there: Query, give me all the credit card numbers. Query, give me all the user names. Query, give me all the people that are your new contacts in your database.
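
The three SQL injection slides reduced to one runnable example; this is added material, not code from the course, and the database is constructed for it: an in-memory SQLite table stands in for the slides' table1, the UNION input follows slide 106 (SQLite syntax, so no TOP), and the same product lookup is written twice, once by string concatenation, which is the pattern the slides exploit, and once as a parameterized query, which is the fix the slides do not spell out. The product table, the function names and the generic-error wrapper are this example's own additions.

```python
import sqlite3

# Constructed data standing in for the slides' table1; nothing here is real.
SCHEMA = """
CREATE TABLE table1 (login_id TEXT, login_name TEXT, password TEXT);
INSERT INTO table1 VALUES ('admin_user', 'Administrator', 'example-secret');
CREATE TABLE products (name TEXT, description TEXT);
INSERT INTO products VALUES ('widget', 'A standard widget');
"""

# Constructed input in the style of slide 106: the leading quote closes the
# string literal, UNION bolts on a second SELECT, and -- comments out the rest.
UNION_INPUT = "' UNION SELECT password FROM table1 WHERE login_id = 'admin_user'--"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, name):
    """The pattern the slides exploit: user input concatenated into the SQL
    text, so the input can change the structure of the statement."""
    sql = "SELECT description FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query (the fix): the value is bound separately from the
    statement, so quotes, UNION and -- are just characters inside a string."""
    sql = "SELECT description FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_for_client(conn, name):
    """What the application should send back: the bound query's rows, and a
    generic error instead of the driver message the slides mine for table
    and column names."""
    try:
        return {"rows": lookup_safe(conn, name)}
    except sqlite3.Error:
        return {"error": "lookup failed"}


if __name__ == "__main__":
    db = build_db()
    print("normal, vulnerable:", lookup_vulnerable(db, "widget"))
    print("UNION, vulnerable: ", lookup_vulnerable(db, UNION_INPUT))
    print("UNION, safe:       ", lookup_safe(db, UNION_INPUT))
```

The error-message enumeration on slides 104 and 105 works only because the raw driver message reaches the client; returning a generic error and logging the detail server-side closes that channel even before the query itself is fixed.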

XML Injection

Just as with SQL Injection, non-validated input into an XML based form can allow an attacker to enumerate the backend system.

Single tick mark: Username = 'foo

Double quotation mark: Username = "foo

Ampersand: Username = &foo

**107 XML is just another language. This one is a data definition language but XML injection will allow us to if we understand that data definition language, we can further enumerate deeper and deeper into the database. So we can use these two tools together.
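
The three probe characters from the slide, run against two ways of building XML; this is an added example, not course code. The attribute context (username written into a name="..." attribute) is an assumption of the example, the probes are constructed, and the fix shown is to build the document through the XML API rather than by string concatenation, which is the same mistake the SQL slides show in another language.

```python
import xml.etree.ElementTree as ET

# Constructed probes in the spirit of the slide: a stray single quote, a stray
# double quote, an ampersand, and a value that tries to close the attribute
# and add markup of its own.
PROBES = ["'foo", '"foo', "&foo", 'foo"><role>admin</role><x y="']


def build_by_concatenation(username):
    """The unsafe pattern the slide is about: a form value spliced into XML
    text. A single quote survives here only because the attribute happens to
    be double-quoted; the other probes break the document."""
    return '<user name="' + username + '"/>'


def build_with_api(username):
    """Build the document through the XML API instead. ElementTree escapes
    &, <, > and the quote character in attribute values, so the input stays
    data no matter what it contains."""
    root = ET.Element("user")
    root.set("name", username)
    return ET.tostring(root, encoding="unicode")


def is_well_formed(document):
    """True if the document parses. A parse error leaking back to the client
    is the foothold for the enumeration the slide describes."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


def name_round_trip(username):
    """Serialise with the API, parse again, and return what the parser sees."""
    return ET.fromstring(build_with_api(username)).get("name")


if __name__ == "__main__":
    for probe in PROBES:
        print(repr(probe),
              "concat ok:", is_well_formed(build_by_concatenation(probe)),
              "api ok:", is_well_formed(build_with_api(probe)))
```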

LDAP Vulnerabilities

Buffer overflows may make LDAP server vulnerable to execution of malicious code.

Unauthorized access may be achieved by exploiting format string vulnerabilities.

DoS attacks may be initiated by illicitly formatted requests.

**108 Lightweight directory access protocol is a tool used for collecting all of the information about users, computers, and resources on a network. When we deal with LDAP and we can query it on a regular basis, we can find out every single user in an active directory tree, every single computer and every single service that they offer there. If we are allowed to query it from the outside. Most of the time what happens is active directory says you're not allowed to query this. Hey, you're not from our place. Get away from us. But if LDAP itself has a vulnerability in it, what we can do is we can query it. It's supposed to return a response of no, but the contents of the query is junk that we've put into a buffer that you don't know how to handle which coughs up a vulnerability which allows us to attack. So we didn't actually attack the LDAP database and get the user names although we would really like that stuff. But when we create a request that's inappropriate, how does LDAP reject that? And in some cases for previous versions of LDAP it didn't reject it. It executed the request and coughed up a shell on that machine.

Directory Traversal Attacks

Occur when an attacker is able to browse directories and files outside the web application itself

Attacks of this nature often expose the directory structure of the application, the web server, and the underlying operating system, providing the attacker access to potentially secure or restricted pages, files, source code, and information.

Countermeasures
• Define access rights for protected areas of site.
• Apply checks and patches to prevent directory traversal attacks through vulnerabilities like Unicode canonicalization.

**109 Rain Forest Puppy a long time ago sent a message to one of the major lists out there and announced, "I have an attack against Windows IIS." That's the Internet Information Server. "I have an attack that will work against IIS 3, 4, and 5 that will allow you to gain total control over every single one of the web servers in the world." So here was the attack. The attack was, let's go back to your command line for a second. You open up a command line and you type in CD.. That says go up a directory. CD../.. Oh, two directories. You do that enough times eventually you'll get to the root. Now if you know you can go up seven directories and get to the root, then the next stage is to go down into a location that is appropriate for you. CD, WinNT, System32, and execute the command CMD.EXE. Take these two commands and put them into the URL field. Go to this location. Go up to the top and then give me a command shell. But it's hard to spot so somebody has to find it. As a security professional in your organization you have to look at the permissions and is directory traversal allowed within the context of users, services, servers, internal, and external. Sometimes you need directory traversal in order for somebody to list the set of files and be able to walk up and down the tree and find their files, they need that. But do outsiders need that? And the answer is no.
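
The check a web application needs so that the "go up seven directories, then down to the shell" request the narration describes resolves to nothing; this is an added example, not course code. It assumes POSIX-style paths and a constructed document root, and it does the canonicalization step the slide's countermeasure bullet refers to before checking, not after: percent-encoding (including the double-encoded form) is decoded until it stops changing, then the lexical path is normalised and tested against the root.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for this example; no file is opened here.
WEB_ROOT = "/srv/app/public"


def canonicalize(raw):
    """Decode percent-encoding until it stops changing (catches %2e%2e and
    double-encoded %252e), reject NUL bytes, and treat backslashes as
    separators. Checking the raw string and decoding afterwards is the
    ordering mistake the slide's 'Unicode canonicalization' bullet refers to."""
    decoded = raw
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        return None
    return decoded.replace("\\", "/")


def resolve_under_root(root, raw):
    """Map a request path to a file path under root, or None if it escapes.
    normpath collapses '.' and '..'; commonpath is the actual boundary test
    (a plain prefix test would accept /srv/app/public2). Assumes a root
    without a trailing slash."""
    path = canonicalize(raw)
    if path is None:
        return None
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths; the last three follow the narration's attack.
    for req in ("docs/readme.txt", "a/b/../c.txt",
                "../../../WinNT/System32/cmd.exe",
                "..%2f..%2f..%2fWinNT%2fSystem32%2fcmd.exe",
                "%252e%252e%252fetc%252fpasswd"):
        print(f"{req!r:50} -> {resolve_under_root(WEB_ROOT, req)}")
```

On a real filesystem, follow this lexical check with os.path.realpath on the candidate and repeat the commonpath test, so that a symbolic link inside the root cannot point outside it; the lexical check alone cannot see links.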

Arbitrary / Remote Code Execution

A weakness in a program or service allows the running of code not intended by the programmer

The key to exploiting a vulnerability

Allows the attacker to run their own code locally or remotely

Often with the same permission as the exploited program
• Privilege escalation

**110 Arbitrary / Remote Code Execution. This is a big wide thing. A weakness in a program or a service that allows the running of code not intended by the programmer. Arbitrary. It is arbitrary and it is executable. This usually happens with buffer overflows. So your program that you've designed is supposed to do bounds checking and it doesn't. And when it doesn't do bounds checking the arbitrary code that is offered to this application spills over into another area or is executed under kernel mode and in all those cases, what happens is that remote code execution well, it's allowed to do the same things as the original application is allowed to do. So this gives us the ability to escalate our privileges. It doesn't have to be all the way to the kernel level. It can just be administrative level. But what we'd really like is an attack or a system level. An arbitrary remote code execution allows us to do that.

Buffer Overflows

Cause application to crash by sending more data than memory buffer can handle

• Data overflows to adjacent memory

• Processes crash or return other undesired results

Exploit poor programming and code review

Common web server attack

**111 Which brings me to buffer overflows. Here is a container. Put your stuff inside of this container. What happens when it doesn't fit? This happens all the time. Buffers are said to be this size. The code spills over and it falls over into this other area and then the executing program exits and it says there was a failure here. Because we put too long of a string in the name field. No big deal. But what happens if it's not our name field? Now because of the way buffer overflows work, what we tend to do is we tend to make a really, really long string that will get our code to a location in the memory stack that is executable at like root level if possible or at least at another level. How do we make this really, really long? What we do is we put a whole bunch of what are called no operations in there. And they literally live in hex. They look like 0x90 and that repeats over and over again. There's a whole bunch of different ways to do no operations but that's just the classic one that we see. And so it's a whole string of numbers and at the very end it says "Give me shell" or something like that and it doesn't say it in plain text. It says it in machine language so this isn't something that you can write in your spare time at home. You're going to have to really think about this. Now, here's a really cool thing. Let's look at that last piece there. This is the cool part. There are certain pieces of application programming that are susceptible to buffer overflow. We know what they are and we know that they are available to us for a limited period of time. I believe EI is one of the places that does just this for their customers. On Super Tuesday Microsoft rolls out a patch and they say "Please update your systems. Here is the patch." That patch consists of seven or eight different executables in DLLs. And what Microsoft is saying is when these conditions are true, when we execute these conditions right now with the previous version of the software, we are susceptible to a buffer overflow. So you don't want to play against this patch. What you want to do is you want to find all the old versions of this executable in the system that is there. Okay so that patch fixes this thing. That means that when these conditions exist, there is a buffer overflow that we can go after. So now you program like crazy. That's what EI does. You program like crazy at that moment in time and you look for a way to exploit these conditions. You have created not a Zero Day exploit however long it took you. Let's say it took you 24 hours to do it. You have created a Day One exploit that will be good against all the machines who have not placed this patch in. What we really want to look for is really small sets of patching or updates that Microsoft rolls out as out-of-cycle patches because that means from an evil perspective that this is the time that would be really good to attack them because this is an emergency. So you go back to these conditions here. This is not an easy thing to do.

Integer Overflows

Integer overflows or arithmetic overflows are errors that occur when a number is too large to be stored in a variable.

Causing
• Crashes
• Data corruption
• Arbitrary code execution

**112 Integer overflows. Now what we're doing is we're doing arithmetic overflows. Errors that occur when numbers are too large. So this is buffer overflows but only for numbers. Usually what happens in integer overflows is that we actually either crash the operating system or we crash the application and it reboots. Before it reboots what we could do is we could execute arbitrary code for that small piece of time. It's still a buffer overflow.
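
The buffer overflow and integer overflow slides share one mechanism, and the narration's "buffer overflow but only for numbers" is easiest to see when the two are put together: a size computed with wrapping 32-bit arithmetic comes out small, so the copy that follows overruns the buffer. This added example (not course code) simulates the C semantics in Python, since the verifier cannot safely run a real overflow: the 32-bit wrap is emulated with a mask, the "spill" is returned as bytes rather than written into adjacent memory, and the count, width and payload are constructed values. The checked version is the bounds checking the narration says the program was supposed to do.

```python
U32_MAX = 0xFFFFFFFF


def wrapping_mul_u32(a, b):
    """What unsigned 32-bit multiplication does in C: the product is reduced
    modulo 2**32 and the carried-out bits are silently lost."""
    return (a * b) & U32_MAX


def checked_mul_u32(a, b):
    """Overflow-aware multiplication: None instead of a wrapped value."""
    product = a * b
    return None if product > U32_MAX else product


def copy_into_buffer_unchecked(count, width, payload):
    """Simulates a program that sizes a buffer as count*width with wrapping
    arithmetic and then copies its real data in. Returns the bytes that did
    not fit; in C those bytes would land in adjacent memory (the overflow)."""
    size = wrapping_mul_u32(count, width)
    buffer = bytearray(size)
    buffer[:] = payload[:size]      # the part that fits
    return bytes(payload[size:])    # the part that spills past the end


def copy_into_buffer_checked(count, width, payload):
    """Same operation with the two checks the narration calls bounds checking:
    the size computation must not wrap, and the copy must fit the buffer."""
    size = checked_mul_u32(count, width)
    if size is None:
        raise OverflowError("count * width does not fit in 32 bits")
    if len(payload) > size:
        raise ValueError("payload larger than buffer")
    buffer = bytearray(size)
    buffer[:len(payload)] = payload
    return b""


if __name__ == "__main__":
    # Constructed values: 0x40000001 elements of 4 bytes is 0x100000004, which
    # wraps to 4, so a 16-byte payload overflows a 4-byte buffer.
    payload = bytes(range(16))
    print("wrapped size:", wrapping_mul_u32(0x40000001, 4))
    print("spilled bytes:", copy_into_buffer_unchecked(0x40000001, 4, payload))
    print("checked size:", checked_mul_u32(0x40000001, 4))
```

The same wrap shows up with a length field in a network message or a count read from a file header; the rule is to check the arithmetic that produces a size, not only the size itself.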

Zero Day Exploits

Target vulnerabilities in applications or operating systems that the developer does not yet know about

The following do not yet exist for zero day exploits and the underlying vulnerability:

• Anti-virus signatures
• Patch or update for the vulnerability
• IDS alert strings
• Mitigation strategy

**113 Zero Day exploits. If we have the patch here that's released, what about the day before? If somebody knows how to attack this thing, there's no patch that exists for it. How long before that patch exists is this out here? It can be anything. It can be for antivirus. It can be for patching. It can be for IDS alerts. It can be for any mitigation strategies. How long did this last and how long did the evildoers keep this a secret and how often have they used it? They use it a whole bunch of times what's going to happen is eventually it's going to get out there and people are going to know about it and then the vendor who is supposed to patch this is going to be listening, they are going to hear it, they're going to see it. Maybe they're going to have monitoring out on the network to listen for this. They're going to capture that, they're going to see what's going on there. They're going to bring it over here. They are going to fix the patch for it and they're going to roll out the patch and now the Zero Day is gone. But that code is still valid for a short period of time because not everybody patches on the next day. So Zero Day exploits are good until people patch but Zero Day exploits say there is no patch at this point.

Cookies

Text file sent to a web browser from a server and sent back to the server each time it is accessed

Used for tracking client history, authentication, and other user information

Allowing cookies may reveal personal information.

Rejecting cookies may make some websites unusable.

**114 I love cookies. Well I love brownies today but tomorrow I'm going to love cookies. What is a cookie? Cookie is not an attack. Cookie is a way to maintain state. It says the web is a stateless thing. How do I know who you are and what you're supposed to be doing? I need to track you. You started the session with me. Here, take this cookie. And every time you talk back to me give me back this cookie. That works just fine. It could be that somebody could get our cookies, steal our cookies. That cookie could reveal information about us. When they created that cookie, was it a random set of numbers that's a token or was it our name wrapped up some other way?

115

Cookie / Session Poisoning

Cookie poisoning involves modifying the contents of a cookie with malicious content to modify the user’s session and potentially obtain unauthorized information.

Cookies can also be read from a user’s hard drive and any sensitive information contained in them (e.g., usernames, passwords, ID, account number) can be compromised.

Compromising information in cookies is also called “Cookie Snooping.”

**115 What could happen is we could do cookie poisoning. This is when it gets bad. If we modify the contents of a cookie to have malicious content in it and then that malicious content is parsed by either the server or the client, we could have a problem. Remember cookies could also do other things maliciously, like look at the user's hard drive and capture that information; based upon the context of the browser and that end user, they could retrieve information that they could use later on. They could look at other different temporary files and other different cookies and retrieve that if it has enough malicious intent within it.
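An added example in Go (not part of the course material) covering both the cookie slide and the poisoning slide above: the session cookie is a random token rather than the user's name, and the cookie value carries an HMAC tag so the server can detect a cookie whose contents were edited before it was sent back. The server key, the session ID format and the "sid=...;role=..." value are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed server-side key for this added example; a real server loads and rotates it.
var serverKey = []byte("constructed-demo-key-not-for-production")

// newSessionID returns 128 random bits as hex. The cookie carries no user
// data itself; it is only a lookup key into server-side session state.
func newSessionID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// sign appends an HMAC-SHA256 tag: "value" becomes "value.<hex tag>".
func sign(value string) string {
	mac := hmac.New(sha256.New, serverKey)
	mac.Write([]byte(value))
	return value + "." + hex.EncodeToString(mac.Sum(nil))
}

// verify re-signs the value part and compares in constant time; any edit to the value or tag fails.
func verify(cookie string) (string, error) {
	i := strings.LastIndexByte(cookie, '.')
	if i < 0 {
		return "", fmt.Errorf("malformed cookie: no signature")
	}
	value := cookie[:i]
	if !hmac.Equal([]byte(sign(value)), []byte(cookie)) {
		return "", fmt.Errorf("signature mismatch: cookie was modified")
	}
	return value, nil
}

func main() {
	sid, _ := newSessionID()
	cookie := sign("sid=" + sid + ";role=user")
	fmt.Println(verify(cookie))                                                // accepted
	fmt.Println(verify(strings.Replace(cookie, "role=user", "role=admin", 1))) // rejected
}
```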

116

Local Shared Objects (LSO)

Also known as flash cookies

Similar to HTTP cookies but associated with Adobe Flash

Associated with games

Stores more than user information:
• Store large amounts of data
• Applications
• User files

Disable in Adobe Flash

**116 Locally shared objects, LSOs. These are Flash cookies. Now this looks like an HTTP cookie but it's only for Adobe Flash and it does the exact same thing. This is more associated with gaming and Flash and it stores a lot of data in it. It could store large amounts of information, applications, user files, all sorts of stuff. Now what you do to fix this is you disable it in Adobe, but then that probably breaks some of the games that you're used to out there.

117

Session Hijacking

An attack where the intruder takes control of a legitimate TCP/IP session by spoofing the source address

• The spoofed packet is inserted into the victim’s communication stream, redirecting the session to a rogue client.

• The valid client is ejected from the session and the rogue client takes over.

Mitigation includes the use of unique ISNs (initial serial numbers) and Web session cookies.

Header Manipulation – changing values in HTTP headers in order to falsify access

**117 Session hijacking. Session hijacking is a man-in-the-middle attack only what we're looking for is an HTTP session. How can we get inside of here? Well what we can do is we can wait for that session to be established and then step in and pull it. That means that you're actually close enough to the client to pick this up. What I do as an evil doer is I manipulate the header values in order to falsify the access in some way shape or form and that gets passed back and forth. So in session hijacking what I do is I take over your session. This works really well in HTTP. It works pretty well in SSL.

118

SMTP Relay

Simple Mail Transfer Protocol (SMTP) Relay

Feature that allows email servers to forward mail to other email servers

Protects actual email server from direct attacks

May be target of DoS caused by spam

**118 Last thing we need to talk about here is the SMTP Relay. When we go way, way back in history for mail servers, mail servers weren't always online. Some people actually turned them off when they went home at night. So what would happen is when you turned off yours and there was another one here what we would say is "Hey look, that mail server is off. Can you hold this mail? Can you give that mail to them when they pop back up?" You're not really the originator. You are just holding onto the mail to hand over. They have no place in today's 24/7 world of mail servers. Some people say that they can use them internally as a mail gateway to aggregate mail and then ship it out to the Internet. Maybe. SMTP Relays really don't have a place today and they should not exist. What's happening today is SMTP Relays are being used to transmit spam. More and more of them are being black holed, and what that means is that they are found to be a spam relay instead of an SMTP Relay and all the other companies that are out there say "That's going to give me spam so therefore I'm not going to take any mail from it. I'll take it from the originator but I won't take it from you." And that's your SMTP Relay.

Notices