Common Application Flaws: Back To Basics (PowerPoint presentation)

Slide 1: Objective
- Provide an overview of common application flaws
- No 'exploitation' techniques
- Discussion based, to provide an understanding
- To provoke thinking
- Originally going to provide a Tokemon walkthrough; won't work over a conference call
Slide 2: OWASP Top Ten Summary
- Cross Site Scripting: <script>alert()</script>
- Injection Flaws: SQL, LDAP, XML, etc.
- File Execution: scripting, RFI, shell execution
- Direct Object Reference: /access.asp?record=##
- Cross Site Request Forgery: session riding, accessing internal devices
Slide 3: OWASP Top Ten Summary (continued)
- Information Leakage and Error Handling: every bit of information helps an attacker
- Broken Authentication and Session Management: login bypass, cookie manipulation
- Insecure Cryptographic Storage: static keys, non-seeded encryption
- Insecure Communications: HTTP, clear-text internal web services
- Failure to Restrict URL Access: /adminportal/adminfunction?action=adduser&user=me
Slide 4: User Supplied Input Is The Cause
Comes from many places:
- Passed on the URL, or as a parameter
- Passed in posted data, hidden fields
- Passed in HTTP headers, referer
- Cookie data, client certificates, files for import, etc.
Slide 5: THE USER CAN NOT BE TRUSTED... EVER
- Validate ALL user input, server side: Cint(), isDate(), len() <= x, isAlphaNumeric()
- Whitelist, NOT blacklist
- Decode input, in the correct order, and in the right case
- Filter output at use: different uses of data require different filters
Slide 6: Faulty Filters Worse Than No Filters
Function to filter user input (VBScript): it looks for the use of a semicolon, and for the term "exec" followed by a space.

    function cleanrequest(theID)
        theID = lcase(theID)
        ' Looks for a semicolon and drops everything from it onward
        if instr(theID,";") > 0 then
            theID = left(theID,instr(theID,";")-1)
        end if
        ' Looks for the term "exec" followed by a space and drops everything from it onward
        if instr(theID,"exec ") > 0 then
            theID = left(theID,instr(theID,"exec ")-1)
        end if
        cleanrequest = theID
    end function

This filter can be bypassed by using a tab character as a separator:

    /page.aspx?theID=1;exec xp_cmdshell 'serverpwnage.exe';
    /page.aspx?theID=1%09exec%09xp_cmdshell 'serverpwnage.exe';
Slide 7: Faulty Filters Worse Than No Filters
Function to display user input (PHP): it looks for the term "script", removes it, and displays the filtered data.

    function displayText($htmlInput) {
        // Removes every occurrence of "script" (case-insensitive), then echoes the rest unencoded
        $htmlInput = str_ireplace("script", "", $htmlInput);
        echo $htmlInput;
    }

These types of filters are just rubbish:

    /page.php?htmlInput=<script>alert()</script>
    /page.php?htmlInput=<sscriptcript>alert()</sscriptcript>
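Added example, not from the slides: the two blacklist filters from slides 6 and 7 ported to Python, beside the whitelist validation and output encoding the slides recommend instead. The function names are mine; the test inputs are the requests shown on the slides.

```python
import html
import re


def cleanrequest_port(the_id: str) -> str:
    """Port of the slide's VBScript cleanrequest(): a blacklist that lower-cases the
    value and truncates it at the first ';' and at the first 'exec ' (exec + space)."""
    the_id = the_id.lower()
    if ";" in the_id:
        the_id = the_id[:the_id.index(";")]
    if "exec " in the_id:
        the_id = the_id[:the_id.index("exec ")]
    return the_id


def displaytext_port(html_input: str) -> str:
    """Port of the slide's PHP displayText(): str_ireplace("script", "", ...) and echo,
    i.e. every 'script' is removed case-insensitively and the rest is output unencoded."""
    return re.sub("script", "", html_input, flags=re.IGNORECASE)


def validate_id(the_id: str):
    """Whitelist replacement for cleanrequest(): theID is only ever a short decimal
    number, so accept exactly that (the slide's Cint()/len() <= x advice) or reject.
    Returns the integer, or None when the value is rejected."""
    return int(the_id) if re.fullmatch(r"[0-9]{1,9}", the_id) else None


def display_text_safe(html_input: str) -> str:
    """Replacement for displayText(): filter output at use by HTML-encoding for this
    context, so the browser renders the characters instead of executing them."""
    return html.escape(html_input, quote=True)
```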
Slide 8: The Clean Server
- Robots.txt / Sitemap.xml: often reveal more than they should; spiders don't have to obey
- Things that don't belong: site archives, .svn trees, .inc, .cfg, .txt, .bak, .backup files, admin portals, 'hidden' paths, virtual sites
- Don't want it indexed? Don't link it!
- Don't want it found? Don't put it there!
The slide lists two dozen example www.owasp.org admin, backup, debug and log URLs as paths that don't belong on a clean server.
Slide 9: SQL Injection
Manipulation of the SQL query string:

    sqlString = "select * from users where name='" + userinput + "' and password='" + userinput + "'"

Becomes:

    select * from users where name='admin';-- and password='anything'

Or:

    select * from users where name='admin' and password='anything' or '1'='1'

Syntax grouping (as drawn on the slide):

    where (name='admin') and (
        (password='anything') or ('1'='1')
    )
Slide 10: SQL Injection
- Use parameterized queries: ASP, .NET, Java, PHP, Python, Flex? (Yes. Of course your Flash application can be vulnerable to injection attacks.)
- Use stored procedures: type cast variables; don't use dynamic SQL inside the procedure (often seen in 'search' procedures); use the QuoteName function
- DO NOT BUILD SQL STATEMENTS DYNAMICALLY:

    SELECT @SQL = 'SELECT * from USERS WHERE NAME =' + @Username
    EXEC (@SQL)
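Added example, not from the slides: the slide's concatenated sqlString beside a parameterized query, run against a constructed in-memory SQLite table (sample users, not real data). The injected password is the one from slide 9.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two users with plain-text passwords (for the demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "s3cret"), ("brett", "hunter2")])
    return conn


def login_dynamic(conn: sqlite3.Connection, userinput_name: str, userinput_password: str):
    """The slide's sqlString built by concatenation: the user's quote characters become
    SQL syntax, so "anything' or '1'='1" turns the WHERE clause into one that is always true."""
    sql_string = ("select * from users where name='" + userinput_name +
                  "' and password='" + userinput_password + "'")
    return conn.execute(sql_string).fetchall()


def login_parameterized(conn: sqlite3.Connection, userinput_name: str, userinput_password: str):
    """Parameterized query: the driver binds the values separately from the statement,
    so quotes inside them stay data and the same input matches no row."""
    return conn.execute("select * from users where name=? and password=?",
                        (userinput_name, userinput_password)).fetchall()
```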
Slide 11: SQL Truncation Attacks
- Application vs SQL: how the form data is stored varies between the two
- MySQL: MySQL will truncate data during an insert
  - PHP asks MySQL "Any users by this name?"
  - MySQL responds "No, I don't know that person"
  - PHP says "OK, add a user by this name"
  - MySQL says "Sure, his name is too long, I'll shorten it for you"
Column: Name, size 100

    User="admin<100spaces>x"

GEE THANKS
Slide 12: SQL Truncation Attacks
- MSSQL: data is truncated when calling stored procedures
  - SQL returns the record for admin
  - Data mailed to both admin and attacker
Input to a forgotten-password page:

    User="[email protected]<100spaces>;[email protected]"

The parameter has a length of 100:

    Create procedure [FindUser]
        @username VARCHAR(100)
    ...
Slide 13: Databases
- Stored within the webroot: /dbase/dbase.mdb, flat files, etc.
- Running as ROOT or SYSTEM, or worse... a domain account
- Encryption of data: if the server or application is compromised, is the data?
  - Seed with the unique record ID of the user account and the user-supplied password
- Don't use a static key; do seed with user-specific data
- Microsoft used to recommend this.....
Slide 14: Cryptography
- Encryption is difficult: do NOT roll your own XOR-based encryption scheme; BASE64 is not encryption
- Weakness is in the implementation: verify your data is getting encrypted; use one-way encryption (hashing) for passwords
- Storing the secrets: database credentials should never be stored in clear text; encryption keys should not be stored in accessible configs
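Added example, not from the slides: one-way password storage as slides 13 and 14 describe it, with a random per-user salt combined with the account's record id instead of a static key. The storage format and the work factor are my choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # constructed work factor; tune for your hardware


def hash_password(password: str, record_id: int) -> str:
    """One-way storage: PBKDF2-HMAC-SHA256 over a random salt combined with the user's
    unique record id (the slide's 'seed with user specific data'). There is no static
    key to steal, and two accounts with the same password never share a hash."""
    salt = os.urandom(16)
    seed = salt + str(record_id).encode()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), seed, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record_id: int, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time. Nothing is
    decrypted: the password was only ever hashed, so a stolen table yields no passwords."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        seed = bytes.fromhex(salt_hex) + str(record_id).encode()
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), seed, int(iters))
        return hmac.compare_digest(candidate.hex(), digest_hex)
    except ValueError:          # malformed stored value
        return False
```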
Slide 15: Application Email
- Often vulnerable to spam attacks: SMTP is a text-based protocol; CR/LF pairs and a new command can be inserted
Normal communication with the SMTP server:

    Mail From: <[email protected]>
    Rcpt To: <[email protected]>
    Data
    Subject: This is a test email
    .
    quit
Slide 16: Application Email
- Injection through the recipient field: [email protected]>%0a%0drset%0a%0dMail From: <spam@foo.....
Modified communication with the SMTP server (RSET injected, then new details injected):

    Mail From: <[email protected]>
    Rcpt To: <[email protected]>
    rset                            <-- RESET injected
    Mail From: <[email protected]>  <-- new details injected
    Rcpt To: <[email protected]>
    Data
    Subject: This is a spam email
    blah blah spam spam
    .
    quit
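Added example, not from the slides: a session builder in the style of slides 15 and 16 that pastes the recipient into the text protocol, a counter that shows the injected value producing a second Mail From and an RSET, and the whitelist check that rejects such a value before it reaches SMTP. The addresses are constructed placeholders.

```python
import re


def build_smtp_session(mail_from: str, rcpt_to: str, subject: str, body: str) -> str:
    """Session text the way the slide's application assembles it: values are pasted
    straight into the protocol, so CR/LF inside rcpt_to becomes extra commands."""
    lines = [f"Mail From: <{mail_from}>", f"Rcpt To: <{rcpt_to}>", "Data",
             f"Subject: {subject}", body, ".", "quit"]
    return "\r\n".join(lines) + "\r\n"


def count_commands(session: str, verb: str) -> int:
    """Count the lines of a session that begin with an SMTP verb, splitting on any
    CR/LF combination (the slide's injection uses %0a%0d, i.e. LF then CR)."""
    return sum(1 for line in re.split(r"[\r\n]+", session)
               if line.lower().startswith(verb.lower()))


def validate_recipient(rcpt_to: str) -> bool:
    """Whitelist check for a recipient: exactly one local@domain token and nothing else,
    which rules out CR, LF, '>' and embedded commands."""
    return re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", rcpt_to) is not None


# Constructed sample values (placeholder addresses, not the slide's obfuscated ones).
NORMAL_RCPT = "user@example.com"
INJECTED_RCPT = ("user@example.com>\n\rrset\n\rMail From: <spam@example.net>\n\r"
                 "Rcpt To: <target@example.org")
```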
Slide 17: Cross Site Scripting
- The sending of user-supplied input to the browser: more than alert()
- Reflective: code passed as a parameter, usually on the URL
- Persistent: code stored and then displayed to the user
- Consequences: cookie theft, site interaction, web application worms
JavaScript is a powerful programming language.
Slide 18: Cross Site Scripting
Example flaw:

    echo "hello ".$_GET['username']." welcome to the site";

Normal output:

    <html>hello Brett welcome to the site</html>

Exploit output:

    <html>hello <script>alert()</script> welcome ...</html>

Insert any JavaScript or script inclusion. Widely known, well explained, and still exists in most applications.
Slide 19: CSRF
- Cross Site Request Forgery: the attacking site causes the browser to make a request to the target
- User logs into banking.co.nz; banking.co.nz sets an authentication cookie; user leaves but doesn't log out
- User browses to the attacking site; the attacking site creates a post to banking.co.nz; the user's browser sends the cookie with the post; the browser is already authenticated
Slide 20: CSRF
- Defence: each post must contain a random parameter value
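Added example, not from the slides: the defence on slide 20 applied to the banking.co.nz scenario of slide 19. The session store is an in-memory dict and the transfer handler is a stand-in for the real application; both are my constructions.

```python
import hmac
import secrets
from typing import Optional

SESSION_TOKENS = {}   # constructed in-memory store: session id -> random CSRF token


def issue_csrf_token(session_id: str) -> str:
    """Generate the random parameter value for this session and remember it server side.
    The application embeds it in every form it renders for the logged-in user."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def verify_csrf(session_id: str, posted_token: Optional[str]) -> bool:
    """A POST is genuine only if it carries the token bound to the session that the
    cookie identifies. Compare in constant time so the check leaks nothing by timing."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or posted_token is None:
        return False
    return hmac.compare_digest(expected, posted_token)


def handle_transfer(cookie_session_id: str, form: dict) -> str:
    """Server side of the banking example. The browser attaches the auth cookie to the
    attacking site's post automatically, but that site cannot read the token out of
    the victim's page, so its post fails here."""
    if not verify_csrf(cookie_session_id, form.get("csrf_token")):
        return "rejected: missing or wrong csrf token"
    return f"transferred {form['amount']} to {form['to']}"
```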
Slide 21: Other Related Attacks
- Site redirection: user-supplied input used as the target page; can be used in phishing and scam attacks
- Page inclusion: user-supplied input used as the source for a frame, iframe or image; external content displayed in the browser

    http://site.com/login.php?redirect=<value>

Microsoft still do this in versions of OWA.

    <frameset>
      <frame src="topbar.html">
      <frameset>
        <frame src="<%=request("page")%>">
      </frameset>
    </frameset>
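Added example, not from the slides: one validation routine that serves both cases on slide 21, the login.php redirect parameter and the frame src taken from request("page"). Only a same-site absolute path is accepted; the defaults and the function names are mine.

```python
from typing import Optional
from urllib.parse import urlsplit


def same_site_path(value: str) -> Optional[str]:
    """Accept only a local absolute path such as /account or /help/index.html.
    Returns the path, or None for anything that could send the browser elsewhere."""
    if not value or not value.startswith("/"):
        return None                                   # empty, relative, or a full URL
    if value.startswith(("//", "/\\")):
        return None                                   # scheme-relative //host or /\host
    if any(ord(ch) < 32 for ch in value):
        return None                                   # CR/LF header injection, NUL, etc.
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return None                                   # belt and braces: no host component
    return value


def login_redirect(redirect_param: str, default: str = "/") -> str:
    """login.php?redirect=<value>: follow the parameter only when it is a same-site path,
    otherwise land on the default page instead of a phishing site."""
    return same_site_path(redirect_param) or default


def frame_src(page_param: str, default: str = "/blank.html") -> str:
    """<frame src="<%=request("page")%>">: same rule, so external content is never framed."""
    return same_site_path(page_param) or default
```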
Slide 22: Cookie Security
- Don't store credentials in the cookie: Set-Cookie: user=admin (this sort of thing still happens!)
- Set the cookie path: specifies which part of the application the cookie is sent to
Example layout:

    http://Application
    http://Application/secure/login     secured blog posting section, requires AuthCookie set
    http://Application/general/read     insecure general section

If the cookie path is not set, a vulnerability in the general section can read the secure section's cookie.
Slide 23: Cookie Security
- Set the SECURE flag: prevents the cookie being sent in HTTP requests; without it the cookie is sent even if the target site is not listening on HTTP (the attacker only needs access to sniff the traffic)
- Set the HttpOnly flag: prevents access to the cookie through JavaScript; a defence against cross site scripting
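Added example, not from the slides: an audit function that checks a Set-Cookie value against the rules on slides 22 and 23 (no credentials in the cookie, a scoped Path, Secure, HttpOnly) beside the header the slides ask for. The credential heuristic and the /secure path default are mine.

```python
def audit_set_cookie(header_value: str, secure_path: str = "/secure") -> list:
    """Return the weaknesses found in one Set-Cookie header value (empty list = clean)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    # Heuristic for "Set-Cookie: user=admin": an identity or role readable in the cookie.
    if name.strip().lower() in ("user", "username", "role") or value.lower() == "admin":
        findings.append("credentials stored in cookie")
    if "secure" not in attrs:
        findings.append("missing Secure flag: cookie also sent over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag: readable from JavaScript")
    path = attrs.get("path", "/")          # browsers default the path to the request path
    if not path.startswith(secure_path):
        findings.append(f"path '{path}' sends the cookie outside {secure_path}")
    return findings


def set_auth_cookie(token: str, secure_path: str = "/secure") -> str:
    """Build the header the slides ask for: an opaque token, scoped Path, Secure, HttpOnly."""
    return f"AuthCookie={token}; Path={secure_path}; Secure; HttpOnly"
```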
Slide 24: File Uploading
- File uploading is dangerous: provides the ability for the user to create data on the server; the usual attacks involve uploading a script file for access
- Check the file extension: check the portion after the last '.'; compare against a WHITELIST
- Check the file data: valid graphic, CSV, numeric data
- Store as a blob in the database; do NOT store as a raw file under the webroot
- Beware the NULL (%00) byte
Slide 25: File Include Attacks
- Local file include: occurs when the user can affect or supply a file path; leads to disclosure of source and other sensitive items
- Remote file include: occurs in PHP (usually) when an HTTP reference is provided; is disabled in modern versions of PHP
- .NET LoadControl: can be used to load arbitrary controls that exist on the server
- If you must accept paths from a user: reject anything that is suspect, i.e. ../../ ..\..\ %xx

    http://site.com/help.jsp?helppage=/help/index.html
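Added example, not from the slides: the upload checks from slide 24 (NULL byte, extension after the last dot against a whitelist, file data) and the path checks from slide 25 (reject ../, ..\, %xx, then confine the resolved path to a base directory) for the help.jsp?helppage= case. The whitelist, base directory and function names are mine.

```python
import posixpath
import re
from typing import Optional

UPLOAD_WHITELIST = {"jpg", "jpeg", "png", "gif", "csv"}   # constructed allow-list
SITE_ROOT = "/var/www/site"                                # constructed base directory


def check_upload_name(filename: str) -> Optional[str]:
    """Slide 24: reject NULL bytes, take the portion after the LAST '.', and accept the
    extension only if it is on the whitelist. Returns the extension or None."""
    if "\x00" in filename or "%00" in filename.lower():
        return None
    base = posixpath.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return ext if ext in UPLOAD_WHITELIST else None


def is_image_data(data: bytes) -> bool:
    """Check the file data as well as the name: a few common image magic numbers."""
    return data.startswith((b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a"))


def resolve_help_page(helppage: str) -> Optional[str]:
    """Slide 25: reject the suspect patterns outright, then normalise the joined path and
    confirm it is still inside SITE_ROOT. Returns the absolute path or None."""
    if re.search(r"%[0-9a-fA-F]{2}|\x00|\.\./|\.\.\\", helppage):
        return None
    if ":" in helppage or helppage.startswith(("//", "\\\\")):
        return None                                  # drive letters, URLs, UNC paths
    candidate = posixpath.normpath(posixpath.join(SITE_ROOT, helppage.lstrip("/\\")))
    if posixpath.commonpath([SITE_ROOT, candidate]) != SITE_ROOT:
        return None
    return candidate
```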
Slide 26: Configuration
What is wrong with these?

.htaccess:

    <Limit GET>
      order deny,allow
      deny from all
      allow from 203.10.1.104
      allow from 192.168.1.1
    </Limit>

Web.config:

    <location path="admin.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </location>
www.insomniasec.com