Web Application Hacking
Matthew Fisher, SPI Dynamics CNA, MCSA, MCSE, CCSE, CCSE, CISSP, XYZ, 0x80, cameron can't hax

· · · · · · · · · · · · · ·

Comparing web app sec to host / network security Cross-site-scripting XSS Proxy SQL Injection SQL Injection "spot" techniques Nasty SQL Injections Blind SQL Injection Testing ACLs with param manip Web Telnet: Something fun for WebDav Uploads Bad Extension source disclosures Managing web app sec Contributing factors to the problem Approach to web app sec programs Why the C&A process fails web app sec

Copyright 2005 SPI Dynamics

Web Application Development "Truisms"
· · Web applications are software Multi-billion dollar software companies inadvertently create a massive number of vulnerabilities in their software Your web developers have a lot less training and resources than software companies do. Development standards emphasize functionality, not security C-Levels understand other topics better ­ IDS / IPS, patches Web App dev not approached as engineering

·

· · ·

Copyright 2005 SPI Dynamics

Most Exposed and Least Protected

Web Application

Web Application Attacks
Known Web Server Attacks

Code - Content - Implementation

Web Server
Known Vulnerabilities - Misconfigurations

Operating System
OS Attacks
s Network Attack
Known Vulnerabilities - Misconfigurations

Network Layer
Exposed Hosts ­ Insecure Protocols

Copyright 2005 SPI Dynamics

HOST Security
More manageable due to uniformity
· uniform vulnerabilities

·

Global notification · Single source fix

·

Standardized testing

Copyright 2005 SPI Dynamics

Web App is A Different Paradigm
· · · · · Vulnerabilities are custom No global announcement No fix handed down Non-standard testing Overall more difficult management

· Bottom Line: It's YOUR problem

Copyright 2005 SPI Dynamics

Web Application Vulnerability Characteristics
· Affects all Web applications: ·Exists in your own application, not the operating system ·Can exit regardless of the Web server, operating system, configuration, or patch level · Extremely easy to exploit: · Sometimes requires nothing more than a Web browser · Orders of magnitude easier than buffer overflows ·Difficult to deal with at the perimeter: ·SSL Encrypted Traffic , Huge Volume ·Rules granular to each input on each page, change as app changes

Copyright 2005 SPI Dynamics

Typical Security Model

· Hardened Builds ­ Patch Management ­ Configuration Management

Network Scanning Firewalls IDS / IPS AV, ASPY, A-SPAM

Copyright 2005 SPI Dynamics

Typical Web App Sec Practices

This Page Intentionally Left Blank

Copyright 2005 SPI Dynamics

Tuesday's BugTraq Summary Pt 1
> -----------------------------------------------------------------> I. FRONT AND CENTER > 1. Windows rootkits of 2005, part three > 2. Patching a broken Windows > II. BUGTRAQ SUMMARY > 1. MTink Home Environment Variable Buffer Overflow Vulnerability > 2. MyBB Print Thread Script HTML Injection Vulnerability > 3. MyBB File Upload SQL Injection Vulnerability > 4. IBM AIX GetShell and GetCommand File Enumeration Vulnerability > 5. IBM AIX GetShell and GetCommand Partial File Disclosure Vulnerability > 6. InTouch User Variable SQL Injection Vulnerability > 7. PHPJournaler Readold Variable SQL Injection Vulnerability > 8. Chimera Web Portal Multiple Input Validation Vulnerabilities > 9. B-Net Multiple HTML Injection Vulnerabilities > 10. ScozNet ScozBook AdminName Variable SQL Injection Vulnerability > 11. VBulletin Event Title HTML Injection Vulnerability > 12. Drupal URL-Encoded Input HTML Injection Vulnerability > 13. File::ExtAttr Extended File Attribute Off-By-One Buffer Overflow Vulnerability > 14. DiscusWare Discus Error Message Cross-Site Scripting Vulnerability > 15. Gentoo Pinentry Local Privilege Escalation Vulnerability >

Copyright 2005 SPI Dynamics

Tuesday's BugTraq Summary Pt 2
> > > > > > > > > > > > > > 16. INCOGEN Bugport Multiple SQL Injection Vulnerabilities 17. SCO OpenServer Termsh Buffer Overflow Vulnerability 18. INCOGEN Bugport Index.PHP Multiple Cross-Site Scripting Vulnerabilities 19. EFileGo Multiple Input Validation Vulnerabilities 20. Primo Place Primo Cart Multiple SQL Injection Vulnerabilities 21. Valdersoft Shopping Cart Remote File Include Vulnerability 22. Intel Graphics Accelerator Driver Remote Denial Of Service Vulnerability 23. Linux Kernel SET_MEMPOLICY Local Denial of Service Vulnerability 24. ESRI ArcPad APM File Processing Buffer Overflow Vulnerability 25. IDV Directory Viewer Index.PHP Information Disclosure Vulnerability 26. raSMP User-Agent HTML Injection Vulnerability 27. Linux Kernel FIB_LOOKUP Denial of Service Vulnerability 28. Lizard Cart CMS Multiple SQL Injection Vulnerabilities 29. Linux Kernel Sysctl_String Local Buffer Overflow Vulnerability 30. Linux Kernel DVB Driver Local Buffer Overflow Vulnerability > 31. KPdf and KWord Multiple Unspecified Buffer and Integer Overflow Vulnerabilities > 32. OpenBSD DEV/FD Arbitrary File Access Vulnerability > 33. PHP MySQL_Connect Remote Buffer Overflow Vulnerability > 34. Apple AirPort Remote Denial of Service Vulnerability

Copyright 2005 SPI Dynamics

Tuesday's BugTraq Pt 3
> 35. Blue Coat Systems WinProxy Remote Host Header Buffer Overflow Vulnerability > 36. Blue Coat Systems WinProxy Remote Denial Of Service Vulnerability > 37. Blue Coat Systems WinProxy Telnet Remote Denial Of Service Vulnerability > 38. HylaFAX Remote PAM Authentication Bypass Vulnerability > > > > > > > > > > > > > > 39. Hylafax Multiple Scripts Remote Command Execution Vulnerability 40. Apache mod_auth_pgsql Multiple Format String Vulnerabilities 41. Foro Domus Multiple Input Validation Vulnerabilities 42. OnePlug CMS Multiple SQL Injection Vulnerabilities 43. iNETstore Online Search Cross-Site Scripting Vulnerability 44. ADN Forum Multiple Input Validation Vulnerabilities 45. IBM Lotus Domino and Notes Multiple Unspecified Vulnerabilities 46. Timecan CMS ViewID SQL Injection Vulnerability 47. Modular Merchant Shopping Cart Cross-Site Scripting Vulnerability 48. TheWebForum Multiple Input Validation Vulnerabilities 49. Aquifer CMS Index.ASP Cross-Site Scripting Vulnerability 50. TinyPHPForum Multiple Directory Traversal Vulnerabilities 51. NetSarang XLPD Remote Denial of Service Vulnerability 52. Navboard Multiple BBCode Tag Script Injection Vulnerabilities

Copyright 2005 SPI Dynamics

Cross-Site-Scripting
Download the Cross-Site-Scripting Whitepaper from http://www.SPIDynamics.com

Cross-Site Scripting: Find the vulnerable field
·Website accepts input from user ·Replays their input without validating it. ·Accepts JavaScript as input and replays it to the browser

Copyright 2005 SPI Dynamics

Enter java script

Malicious script is entered in a form field, but is passed to next page as parameters in a URL

URL with malicious script in parameter can now be distributed as a vector
Copyright 2005 SPI Dynamics

Cross-Site-Scripting Attack Vector

Cross-Site-Scripting attack via emailed vector. Innocent-looking Link has embedded JavaScript

Copyright 2005 SPI Dynamics

Decoded Attack Sequence
No Alarms and No Surprises
Original legitimate website No login errors, no changes, user works normally UserID and Password quietly handed off to remote website

Copyright 2005 SPI Dynamics

What Else
· · · · · · · · Document.Cookie Window.Location Document.Write (your own html) Window.Open Window.Close Lets you steal the cookie from the site Lets you read the forms on the page that has the XSS Lets you create fake login forms etc.

Copyright 2005 SPI Dynamics

Massive Advancements in XSS
· · · · · · XSS Proxy by Anton Rager ­ revealed Shmoocon 2005 http://sourceforge.net/projects/xss-proxy Opens an iFrame via an XSS ­ (ie, param=document.write (`<iframe src... DOM trusts this new frame ­ opened by parent site Frame source is xss-proxy running on attackers machine Chunks and codes current parent url / HTML into requests to attacker machine via this frame ­ Attacker sees what victim sees Receives commands via script from attacker machine ­ Attacker controls what victim sees does

·

· Makes XSS considerably more dangerous.

Copyright 2005 SPI Dynamics

XSS Defenses
· · · · · · Input AND output validation Always validate input. Always validate input. Always validate input. Validate/encode output: HTML Encoding helps break XSS. More on Good / Bad Input Validation later

Copyright 2005 SPI Dynamics

SQL Injection
Download the SQL Injection Whitepaper from http://www.SPIDynamics.com

Verbose and Blind

· ·

Two types of SQL Injection Verbose: lack of error handling provides verbose feedback to the browser. Greatly enables the attacks Blind: Input still vulnerable to SQL Injection, but error handling is performed to prevent ODBC errors from displaying in the browser. Still vulnerable, requires more advanced and time consuming technique

·

Copyright 2005 SPI Dynamics

SQL Injection

Massively Serious Issue
Exploits common techniques developers use to query databases Allows attacker to indirectly access the database by piggybacking their queries onto the web developer's queries.

Bottom Line : Turns any Web Surfer into your new Database Administrator ;)
Copyright 2005 SPI Dynamics

Database Driven Page

·Page reads ErrorCode from request

·Uses ErrorCode in a SQL Query

·Writes the results of the query

Copyright 2005 SPI Dynamics

Common Database Query
Query written as text string

sSql = "select ErrorMessage from ErrorMessages where ErrorCode = " & Request("ErrorCode")
Query parameter appended to query

select ErrorMessage from ErrorMessages where ErrorCode = 2
Copyright 2005 SPI Dynamics

Problem: Unvalidated Input

·Invalid character entered is used in query ·Resulting back-end query results in an ODBC erorr message

select ErrorMessage from ErrorMessages where ErrorCode = 2'
1 HTTP Packet

Copyright 2005 SPI Dynamics

Piggybacking Queries with UNION

Values entered into the parameter ErrorCode now have the ability to modify the query itself ( instead of just being a parameter to the query) :

select ErrorMessage from ErrorMessages where ErrorCode = 9 union select name from sysobjects where xtype=`u'
UNION keyword tells SQL to combine two statements into one

Copyright 2005 SPI Dynamics

Enumerate all tables in the database

Sysobjects stores names of tables in database Name = name of table Xtype = type of table (system, user)

Xtype=`u' = all user tables, no system tables.

Copyright 2005 SPI Dynamics

A SubQuery Enumerates Columns in the Table

Columns are stored in syscolumns Keyed on ID Subquery against ID in sysobjects for the table you want

Select name from syscolumns where id=(select id from sysobjects where name=`table') Copyright 2005 SPI Dynamics

Select the data from the column

· · · · · ·

4 HTTP packets to your data Find the injection Select tables from sysobjects Select columns from syscolumns Select data from column Can be reduced ­ Don't need to do an individual test ­ test could be exploit ­ Reduce enumerations with more advanced queries

Copyright 2005 SPI Dynamics

More Techniques

Page Returns only One Record at a time

Change code from: do until rs.eof response.write rs(0) & "<br>" rs.movenext loop To just : response.write rs(0)

Copyright 2005 SPI Dynamics

Incrementing the queries

ErrorCode=2 union select card_number from bank_cards where 1=1
1 is always equal to 1, returns first record

ErrorCode=2 union select card_number from bank_cards where card_number>'123-445-4222'
Simple Boolean operator returns new number, just rinse and repeat ...

Copyright 2005 SPI Dynamics

Dealing with Strings

· ·

Change the code from this: sSql = "select message from Error_Messages where Code = " & request("ErrorCode") To this: sSql = "select message from Error_Messages where Code = '" & request("ErrorCode") & "'" Page now expects a string, everthing entered is inserted between single quotes

· ·

·

Copyright 2005 SPI Dynamics

Escaping from Strings
ErrorCode=2` union select card_number from%20 bank_cards where '1'='1

Query becomes: select message from Error_Messages where Code = `ErrorCode=2` union select card_number from%20 bank_cards where '1'='1'

Copyright 2005 SPI Dynamics

Page Doesn't Print Response

· Use CONVERT function · CONVERT is used to convert datatypes · When it fails, the error message shows you what fails Limitations: can only select one row at a time

Copyright 2005 SPI Dynamics

Trapped in Middle of Query

· ·

Change code to: Error_Messages where Code = " & request("ErrorCode") & " and message like '%error' " Injections are now trapped in middle of query with "unbreakable" where clause

·

Copyright 2005 SPI Dynamics

Breaking Out of Queries

· ·

Comment characters at end of query truncated rest of string query. select message from Error_Messages where Code = 2 union select card_number from bank_cards --and message like '%error' "

Copyright 2005 SPI Dynamics

More SQL Injection Goodness

SELECT is just the first 1%
DML : Data Manipulation Language

Select, Insert, Update, Delete

DBML: DataBASE Manipulation Language Add / Drop / Shrink / Grow DB's Stored procedures, extended stored procedures, functions Server management: users, network, disks
Copyright 2005 SPI Dynamics

SQL Injection Annoyances
Annoy the DBA

Seriously **** OFF THE DBA !!

Copyright 2005 SPI Dynamics

Who is the App Logged In As?

SA ? Predictable, but BORING. Let's try to be a bit more creative
Copyright 2005 SPI Dynamics

Adding your Own Database Account

Not that we really needed a login anyhow ... Copyright 2005 SPI Dynamics

Port Scanning the Internal Network
Port Scanning the Back End Network from the DB Server ? Priceless.
Just try to initiate a new database connection within the query

Something's wrong (because it isn't a database server ! ) but the port's open ; )

Copyright 2005 SPI Dynamics

Sanctified

Port closed ... build script, rinse and repeat.

Copyright 2005 SPI Dynamics

Your Back End Network

?
Not So Back End ;)
Copyright 2005 SPI Dynamics

Who's Vulnerable
· · · · · · Ridiculous number of sites Not aware Aware of vulnerability but not defenses Fully aware, no testing capabilities DoD ? Government ? Commercial ? Only small unimportant sites ?

Copyright 2005 SPI Dynamics

Don't Suppress Errors Without Safe Queries

· · · ·

The ODBC errors are the symptoms They help, but aren't required The problem is the way the query is formed in the web app Not fixing the query but suppressing errors is still hackable

Copyright 2005 SPI Dynamics

Blind SQL Injection

Blind Conditions
· · · Error Handling in Place : No ODBC error messages Does not necessarily print recordsets to screen Still using string concatenation queries : still vulnerable

·

General Process: ­ Find a boolean situation you can use for deduction ­ Figure out how to ask Yes / No questions instead of open-ended questions ­ Ask lots and lots of Yes / No questions

Copyright 2005 SPI Dynamics

Proper Error Handling In place

Copyright 2005 SPI Dynamics

Does Not Print Records to Screen

if rs(0) <>"" then response.write " in stock"

Will not be able to use UNION attack

Copyright 2005 SPI Dynamics

Test for Blind
Pass a false statement

Pass a true statement

Copyright 2005 SPI Dynamics

Using Substring Command
SUBSTRING command lets you specify a range of characters from a string accepts a query as the input specify start string and end string Substring("f1sh" 1,1) returns `f' Substring ("f1sh",1,2) returns `f1' Substring ("f1sh", 2,3) returns "1sh"

Copyright 2005 SPI Dynamics

Using Switch for Guessing
Problem: Can't print results to screen. Solution: Guess using booleans Is the letter greater than `m' ? Problem: Can't grab everything at once. Solution: Grab one item at a time using TOP 1 select top 1 name from sysobjects where xtype=`u' Problem: Don't want to guess full name at a time Solution: Isolate each letter and guess those. Substring((select top 1 name from sysobjects where xtype=`u'),1,1)

Copyright 2005 SPI Dynamics

20 Questions

· ·

Combines two queries: hardcoded query and our injected query Asks a Yes / No question: Does the first letter of the first name in sysobjects come after the letter m ?

Copyright 2005 SPI Dynamics

Bracket to Reduce Guessing

· · · ·

Dividing in half to reduce to a single Faster work Less log / network traffic Not greater than `m', therefore between `a' and `m'

Copyright 2005 SPI Dynamics

Repetez
· · · · · Substring(string,character position,number of characters) Substring(`tbl_credit_cards',1,1) = `t' Substring(`tbl_credit_cards',2,1) = `b' Substring(`tbl_credit_cards',3,1) = `l' Substring(`tbl_credit_cards',4,1) = `_'

Copyright 2005 SPI Dynamics

Input Validation

Good Advice for Input Validation

"as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know "
- Donald Rumsfeld Tuesday, Feb. 12, 2002
Source: http://www.defenselink.mil/transcripts/2002/t02122002_t212sdv2.html Copyright 2005 SPI Dynamics

Don't BlackList
You don't know what you don't know · Stripping out bad words ­ Defense: remove "union" or "select" ­ Attack: ununionion seselectlect yadda yadda yadda Stripping out single quotes ­ Integers don't require quotes ­ Commmands ­ shutdown ? Drop ? Relying solely on stored procedures only ­ Attackable  if you still concatenate strings to call the procedure Relying on the platform alone ­ MagicQuotes ?

·

· ·

Copyright 2005 SPI Dynamics

WhiteList

·

Validate against the known good format ­ A zip code should always be [0-9] [0-9] [0-9] [0-9] [0-9] Trim lengths

·

·

Use parameterized queries ­ All input to the query is treated as a parameter, no chance to modify the base query HTML encode output (for XSS)

·

Copyright 2005 SPI Dynamics

Parameter Manipulation

Parameter Manipulation
· · · · Different from parameter injections Injections put new data types into the parameter Strict parameter manipulation just changes existing parameters Usually takes advantage of state mechanisms

Copyright 2005 SPI Dynamics

Differences Illustrated
Injection: Putting invalid data, also invalid TYPE of data

Manipulation: Same type of data, just wrong values

Copyright 2005 SPI Dynamics

Victoria's Secret
· Victoria's Secret, November 27, 2002 Order ID parameter in the order status page Order status page bound to your session, but not the parameters $50,000 fine and publicity in 2003

Victoria's Secret
·

·

·

Copyright 2005 SPI Dynamics

Gateway Computers
Gateway Computers
· · · Website stored an ID number in a cookie to identify you when returning to the site. By changing this ID number, you are able to view the information of other shoppers. Information viewable includes Name, Address, Phone Number, Order History, Last Four Digits of Credit Card, Credit Card Expiration Date, Credit Card Verification Code. Wall Street Journal "More Scary Tales Involving Big Holes in Website Security", by Lee Gomes, February 2nd 2004

Copyright 2005 SPI Dynamics

Exploit Technique: Parameter Fuzzing

Configuring the Fuzzer

Change Pageid=8 to Pageid=0 ­ 100 And check results

Copyright 2005 SPI Dynamics

Reviewing the Results
· 404's indicated no page behind that parameter 302: page behind parameter properly redirected to login 200: page behind parameter did not check access and allowed viewing Approximately half the pages had broken access controls

·

·

·

Copyright 2005 SPI Dynamics

Misconfig allowing PUTs
Improper VERBS: Exploiting PUT capabilities

Exploiting WebDav PUTs

· · · ·

Only requires Windows Script Host on server WSH installed by default in everything since NT 4.0 WSH rarely removed / disabled in production environments ASP usually relies on it (Scripting.FileSystemObject)

Copyright 2005 SPI Dynamics

Directory Browsing

Directory browsing reveals file names ­ no chance at obscuring Reveals portions of site otherwise unknown Hacker would normally have to use file-guessing scripts and other clues

Datacon.inc is easily guessed
Copyright 2005 SPI Dynamics

Unmapped / Backup Files

Only a few "known" file types get rendered.

Everything else reveals their source code

True for every web server, not just IIS

Copyright 2005 SPI Dynamics

Source Code Disclosure

Copyright 2005 SPI Dynamics

The Proverbial Post-It On the Monitor

Yes, those are real live database connection strings
Yes, they contain real live usernames and passwords
Copyright 2005 SPI Dynamics
No, Special Agent, I didn't try them out.

Managing Web App Sec

Why Web Application Risks Occur
The Web Application Security Gap

Security Professionals Don't Know The Applications

Application Professionals Don't Know Security
"As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to build security into my Web applications."

"As a Network Security Professional, I don't know how my company's Web applications are supposed to work so I deploy a protective solution...but don't know if it's protecting what it's supposed to."

Copyright 2005 SPI Dynamics

Contributing Factors
Developers not taught security Security not development experts Low barrier to entry for building web apps Easy to use languages Rapid development times COPY / PASTE code from websites, books etc. · Lack of internal coding standards / guildelines
Copyright 2005 SPI Dynamics

· · · · · ·

Approach
· · · · · · · · · · · Awareness Education Coding Practices ! Standard Libraries Assessment Tools and Technology Design for Security ­ document input types, valid formats, constraints and build them into the design spec Test for Security Don't just review code ­ the implementation counts Combine techniques ­ static, dynamic, bin Test in QA , also validate Production Test Often ­ things changes

Copyright 2005 SPI Dynamics

Traditional Security Certification

Development builds Application QA performs functional and/or performance testing

Functional defects are found and fixed App is declared ready for UAT

Customer performs acceptance testing

Customer accepts application and sets deployment expectation Security applies any missing patches or tweaks configuration Deployment begins

Security tests server patches and configuration

Program goes live

Copyright 2005 SPI Dynamics

Application Security Certification

Development builds Application QA performs functional and/or performance testing

Deployment is delayed while Dev remediates Security discovers vulnerabilities they cannot remediate

Customer performs acceptance testing

Security tests for application vulnerabilities
Program goes live

Copyright 2005 SPI Dynamics

References / Contact
· XSS-Proxy by Anton Rager ­ http://sourceforge.net/projects/xss-proxy Whitepapers on www.spidynamics.com: ­ Cross-Site-Scripting ­ SQL Injection ­ Blind SQL Injection ­ LDAP Injection ­ SOAP Attacks Open Web Application Security Project: ­ www.owasp.org Next meeting in Columbia MD: AJAX ! Contact: mfisher@spidynamics.com

·

· ·

Copyright 2005 SPI Dynamics