Upload
trevor-oconnor
View
229
Download
1
Tags:
Embed Size (px)
Citation preview
FunctionalityFunctionality
• Server side technologies:– Scripting languages– Web application platform– Web server software– Databases– Back-end components
• Client-side technologies: – Browser Extension technologies
Computer Science and Engineering 3
Application Application CharacteristicsCharacteristics
• Understand what application does and how it behaves– Content– Functionality
• Find out:– Application behavior– Core security mechanisms– Technologies being used
Computer Science and Engineering 4
Enumerating Content Enumerating Content and Functionalityand Functionality
• Manual vs. automated browsing– Walk through the application– Follow every link– Navigate through multistage functions
• Web spidering– Tools to follow all links until no new content is
found– Can parse static HTML, multi-stage functionality,
form-based navigation, client-side JavaScript
Computer Science and Engineering 5
Automated SpideringAutomated Spidering
• E.g., Burp Spider, WebScarab• General limitations:
– Cannot handle dynamically created menus– Limited depth to find links– May fail input validation for multistage functionality – Unique content is identified by URL not good for
form-based navigation– May fail authentication session
Computer Science and Engineering 6
User Directed SpideringUser Directed Spidering
• User walks through the application and uses a spider to collect and analyze findings
• Good for– Unusual or complex navigation needs– User control of input data– User can login to application and pass authentication – User can decide on requested functions
Computer Science and Engineering 7
Hacking Steps 1.Hacking Steps 1.
• Configure browser to use spider• Browse the application normally
– Visit every link– Proceed through multi-stage functions– JavaScrip enabled/disabled; cookies
enabled/disabled• Review site map to identify non-visited content• Do an automated spidering
Computer Science and Engineering 9
Discovering Hidden Discovering Hidden ContentContent
• Not directly linked to or reachable from the main page– E.g., testing and debugging content, different
functionality for different types of users, backup copies, archives, old version of files, default application functionality, log files, etc.
• Added attack points, sensitive content, etc. • Automated, brute-force attack: Burp Intruder
– Burp Suite Tutorial – The Intruder Tool, http://www.securityninja.co.uk/hacking/burp-suite-tutorial-the-intruder-tool/
Computer Science and Engineering 10
Hacking Steps 2Hacking Steps 2
• Make unusual requests and identify response• Use site map to identify hidden content• Use brute-force attacks to identify how application handles requests• Manually review responses• Inferencing from published content (e.g., naming)
– Compile list of names of subdirectories– Identify naming schemes, file extensions– Review all client side code– Look at temporary files
Computer Science and Engineering 11
Use Public InformationUse Public Information
• Find old resources• Search Engines:
– Advanced Search: resource, login, links, related– Google domains– Omitted results– Cashed versions– Other domains of the same organization
• Web archives, e.g., WayBack Machine
Computer Science and Engineering 12
Web Server Web Server VulnerabilitiesVulnerabilities
• Web server software vulnerability
– Default content
– Sample and diagnostic scripts
– Standard functionality
• Wikto: a tool that checks for flaws in web servers
– http://sectools.org/tool/wikto/
• Nikto: checks for potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems, configuration issues, etc. http://sectools.org/tool/nikto
Computer Science and Engineering 13
Additional MappingsAdditional Mappings
• Functional paths – URL query parameters
• Discovering Hidden Parameters– Try default parameter names, e.g, debug, test, hide,
etc.– Monitor responses to identify anomalies
• Analyzing Applications– Functionality, behavior, security
• Server side functionality
Computer Science and Engineering 14
Mapping the Attack Mapping the Attack SurfaceSurface
• Use the results of the analysis to find vulnerabilities
Computer Science and Engineering 15
Easy picking: @Easy picking: @
• Hidden symbol in URL • Change IP address (only the info to the right of @
is used)• Browser vulnerability
– “You are about to log in to the site “cse.sc.edu” with the username “farkas”, but the website does not require authentication. This may be an attempt to trick you.”
• Twitter – executable JavaScript after @
16
Who is at risk?Who is at risk?
• Client: browsers– Complex systems– Plug-ins, extensions– Server authentication
• JavaScript and paid ads ease of propagating malicious code
• Never trust a client on the server side• Never trust a browser on the client side
17
Improve client securityImprove client security
• Install patches to the browser• Update commonly used plug-ins• Eliminate unused plug-ins• Heed your browser warnings• Make antivirus software watch browser and
downloads• Clear history, stored files, and cookies• If a file is not signed and trusted, don’t download it
18
Improve server side Improve server side securitysecurity
• Never execute client input as code• Never allow client input to pass into the system without
validating it internally• Scrub client input for any known exploits and suspect
characters• Keep a layer of indirection between client input received and
the system• Manage sessions from inside the trust boundary and not on the
client side• Never encode secrets of functional variables in information
sent to the clies.
19
Biggest Threats to Biggest Threats to Web ApplicationsWeb Applications
• Cross-site scripting (XSS)• Cross-site request forgeries (CSRF)• Remote file uploads, (buffer overflow, SQL injection,
etc.)
• Trust between the client’s machine and the web applications.
21
XSSXSS
• Inject client-side script into Web pages• Client views web page download script • Used for bypass access controls such as the same origin
policy– Permits scripts running on pages originating from the
same site ( scheme, hostname, and port number) to access each other's Document Object Model with no specific restrictions
• XMLHttpRequest and Robots.txt
Computer Science and Engineering 22
How to avoid XSS?How to avoid XSS?
• Scrub all input• Escape output for display• Use trusted solutions when available• Use separate variables for scrubbed input
23
Cross-site request Cross-site request forgeryforgery
• Exploits the trust between server and client machine• Mostly http requests and responses• Based on how web pages are delivered along with
images and other web content
Prevent CSRFPrevent CSRF
• Require verification and stages for sensitive applications
• Use anti-CSRF tokens in your forms and processing• Use post as the mean of taking form input
– Get: encodes the data of the form into the url of the recipient, appending it to the query string of the request
– Post: encodes it as a message
Unrestricted file uploadUnrestricted file upload
• Users may upload malicious files• Uploaded files can be called by a url (if stored on the
web server)• Example: php
– Embedded in image files– Compile php code
26
Avoid file upload Avoid file upload problemsproblems
• System should determine file name• Do not allow users to access the folders where content
is uploaded• Parse file extensions carefully or set your own file
parser• White list extensions• Be secure with the .htaccess file (controls accesses to
the files on the server
27
Adobe FlashAdobe Flash
• 99% of all internet connected machines use AdobeFlesh• No internal automated update capability• Flash security policy: Same Origin
– Can be modified by XML cross-domain policy declaration
• Can facilitate XSS, CSRF, DNS rebiding
28
Ways of Attacking Ways of Attacking ApplicationsApplications
• Use of a web browser only• Use of an intercepting web proxy• Use of a standalone application scanner
Computer Science and Engineering 29
Web BrowsersWeb Browsers
• Choice of web browser impacts the effectiveness of the attack
• Most popular browsers:– Internet Explorer– Firefox– Chrome
• Extensions: additional web browser functionalities
Computer Science and Engineering 30
IEIE
• Declining number of users but still the leader• Native support for ActiveX control• Must work with Windows platform • Anti-XSS filter with IE 8• Extensions:
– HttpWatch: analyzes HTTP requests and responses, details of headers, cookies, URLs, request parameters, HTTP status codes, and redirect
Computer Science and Engineering 31
Integrated Testing Suits Integrated Testing Suits
• Intercepting proxy• Achilles proxy: early, basic proxy, standalone
application, displayed each request and response for editing
• Modern proxies: – Highly functional tool suits– Several interconnected tools to facilitate common
tasks of attacks– Useful for both defense and offense
Computer Science and Engineering 32
Some of the ToolsSome of the Tools
• Differ widely in their functionalities• The best one: Burp Suite• Others:
– WebScarab
– Paros
– Zed Attack Proxy
– Andiparos
– Fiddler
– Etc.
Computer Science and Engineering 33
How the Tools WorkHow the Tools Work
• Several complementary tools that share information about the target application
Computer Science and Engineering 34
IE
Attacker Target application
Toolkit: monitors interaction between the attacker and the targetapplication. Stores all requests and responses and all detailsabout the target application.
Toolkit ElementsToolkit Elements
1. An intercepting proxy
2. A web application spider
3. A customizable web application fuzzer
4. A vulnerability scanner
5. A manual request tool
6. Functions for analyzing session cookies and tokens
7. Other functions and utilities
Computer Science and Engineering 35
1. Intercepting Proxies1. Intercepting Proxies
• Must configure the attacker’s browser to use an intercepting proxy (listen at a specified port)– Can be easily configured for the 3 most popular
browsers• If you are using a thick client and cannot configure a
proxy you need to modify the OS files to resolve the hostname used by the application to allow the proxy to listen on this communication
Computer Science and Engineering 36
1. Intercepting Proxies1. Intercepting Proxies
• Basic HTTP messages: Intercepting proxy acts as a normal web proxy
Computer Science and Engineering 37
IE
Attacker
The web browser send the hostnameof the application.
The proxy resolves the corresponding IP addressand converts the request to a non-proxy equivalent message.
ProxyCONNECT
Computer Science and Engineering 38
1. Normal Web Proxy1. Normal Web Proxy
• HTTPS messages
Computer Science and Engineering 38
IE
Client
Proxy
After the connection wasestablished, the proxy acts as a TCP-levelrelay between the client and the application.
CONNECT
SSL handshake
Computer Science and Engineering 39
Computer Science and Engineering 39
1. Intercepting Proxy1. Intercepting Proxy
• HTTPS messages
Computer Science and Engineering 39
IE
Attacker
Proxy
After the connection wasestablished, the proxy acts as a TCP-levelrelay between the client and the application.
CONNECT
SSL handshake SSL handshake
Computer Science and Engineering 40
40
SSL HandshakeSSL Handshake
1. C S: CLIENTHELLO2. S C: SERVERHELLO
[CERTIFICATE]
[SERVERKEYEXCHANGE]
[CERTIFICATEREQUEST]
SERVERHELLODONE3. C S: [CERTIFICATE]
CLIENTKEYEXCHANGE[CERTIFICATEVERIFY]CHANGECIPHERSPECFINISH
4. S C: CHANGECIPHERSPECFINISH
Phase 1
Phase 2
Phase 3
Phase 4
Security capabilities
Optional server messages
Client key exchange
Change cipher suite
Fake CertificatesFake Certificates
• Proxies certificate may not be accepted– Cross-domain requests– Users’ trust
• Burp Suite: generates a unique CA certificate for the current user. Use this to generate new certificates for the proxy.
Computer Science and Engineering 41
Common features of the Common features of the Intercepting ProxiesIntercepting Proxies
• Fine-grained intercepting rules• Detailed history of all requests and responses• Automated match and replace rules for dynamic
modification of the requests and responses• Access to proxy’s functionality within the web browser• Utilities
Computer Science and Engineering 42
2. Web Application 2. Web Application SpiderSpider
• Share data with intercepting proxies• Manual spidering followed by automated spidering• Challenges:
– Form-based navigation
– JavaScript enabled navigation
– Multistage functions
– Authentication and sessions
– Parameter-based identifications
– Tokens and cookies
Computer Science and Engineering 43
Common Functionalities Common Functionalities of Web Spiders of Web Spiders
• Automatic update or the site map based on data supplied by the proxy
• Parsing proxy data for links• Fine-grained control over the scope of spidering• Automatic parsing and analysis of HTML forms,
scripts, comments, images• Automated and user-guided submission of forms• Automatic retrieval of the root of all enumerated
directories
Computer Science and Engineering 44
3. Web Application 3. Web Application FuzzersFuzzers
• Use automation to perform common attack tasks• Common features:
– Manually configured probing for common vulnerabilities
– A set of built-in payload and functions to generate arbitrary payload
– Save attack results and response data
– Customizable functions for viewing and analyzing responses
– Functions tor extracting useful data from the applications
Computer Science and Engineering 45
4. Web Application 4. Web Application Vulnerability ScannersVulnerability Scanners
• Passive scanning: monitoring the requests and responses passing through the local proxy– Detect vulnerabilities: clear text password, incorrect cookie,
etc
– Non-invasive, often used for penetration testing
• Active scanning: sending new requests to the target application – To tests for XSS vulnerability, HTTP header injection, etc.
– Can be potentially dangerous
Computer Science and Engineering 46
5. Manual request 5. Manual request ToolsTools
• Functionality to issue a single request and view its response
• Can be very useful when need slight modification of the request based on the responses
• Can be both standalone tool and web browser-based
• Common features:
– Integration with other suit components
– Keep record on all requests and responses
– Multitabbed interface: handle multiple items
Computer Science and Engineering 47
6. Session Token 6. Session Token AnalyzerAnalyzer
• Randomness of session cookies• Burp Sequencer: standard statistical tests
Computer Science and Engineering 48
Testing WorkflowTesting Workflow
Computer Science and Engineering 49
Browser
Interc. ProxySpider
Content Disc.
Scanner Repeater Fuzzer Token analyzer
P. history Site map
Vulnerabilities
Recon and analysis
Vulnerability detectionand exploitation
activepassivePassive
scanning
Confirm vulnerabilities
Alternatives to Alternatives to Intercepting ProxiesIntercepting Proxies
• Non-traditional applications– Cannot use proxy
• Browser extensions– Extend functionality– Does not interfere with the network-layer
communication between the server and the browser– Allows to submit arbitrary request to the application
Computer Science and Engineering 50
MethodologyMethodology
1. Recon and analysis– Map application content
– Analyze application
2. Analysis– Application logic: test client side controls and for logic flaws
– Access handling: test authentication, session management, access control
– Input handling: fuzz all parameters, test specific functionalities
– Application hosting: test for shared hosting issues, test the web server
– Miscellaneous checks
– Information leakage
Computer Science and Engineering 51