SlideShare uma empresa Scribd logo

CarolinaCon 2005 Web Application Hacking 101

Tyler Shields
Tyler Shields

Introduction to web application hacking circa 2005

Tecnologia
1 de 36
Web Application Hacking 101 Common Web Attacks and Defenses
Agenda • Introduction • Application Attacks Overview • Attack Methodologies • Demonstration Platform Details • Demo of Common Vulnerabilities Cross-site Scripting Directory Traversal SQL Injection Verbose Error Messages Price Fixing (Parameter Tampering) Information Disclosure • Review • Questions 9/17/2009 www.0x90.org email: txs@0x90.org 2
Introduction • txs@0x90.org – Active member of 0x90.org “Digital Think Tank” and “Source of Proper Internet Villainy” (www.0x90.org) – Founding member of the GhettoHackers, GHI (www.ghettohackers.net) – Professional security consultant to the U.S. Government, Financial Institutions, Fortune 500 Companies, and anyone willing to pay cash. – Primary focus is application penetration testing and analysis. In other words I break stuff. – Presented at major industry conferences, taught security courses, and has been involved in the security community for nearly a decade contributing to many prominent mailing lists and open source security projects. 9/17/2009 www.0x90.org email: txs@0x90.org 3
Application Attacks Overview • Application security measures are often implemented at the network level – This will not work effectively as network ACLs cannot protect against the use of valid connections – Network security cannot generally provide adequate protection at the application level – Network implemented application controls may introduce significant impact on performance • Applications are the next generation attack point – Information about application attacks is more readily available – Protections against application attacks are not as robust or mature as network security – Tools for testing applications are becoming more readily available 9/17/2009 www.0x90.org email: txs@0x90.org 4
Application Attacks Overview • Applications are targeted because they are the access point for data, products, resources, and money – Even with conventional network defenses, many applications can be attacked – Security controls around applications can be bypassed, which allows attackers to: • Modify information • Steal products • Credit money to accounts – In some cases the attack may grant access to other portions of the application or to the environment – The attack may not even involve theft • If the attacker understands the system being attacked, it is possible that they will be able to merely “borrow” resources 9/17/2009 www.0x90.org email: txs@0x90.org 5
Attack Methodology • Discover • Target • Attack 9/17/2009 www.0x90.org email: txs@0x90.org 6
Attack Methodology: Discover • Examine the environment – Identify what types and version of applications are running (banners/headers) – Identify what ports are open for communication to the server and the application – Examine extensions: foo.jhtml, foo.shtml - will often reveal the application server engine (weblogic, coldfusion, tomcat, etc.) • Generate and examine errors – Submit ridiculous input and monitor response (fuzzing) – Database errors are extremely helpful • Look for information left behind from development – Sample code or snippets 9/17/2009 www.0x90.org email: txs@0x90.org 7
Attack Methodology: Discover • Look for configuration errors: – Use a sniffer to examine traffic – Review client software – Use network scanning and probing tools • Look for environment errors: – Identify ways to circumvent application security controls – Reveal program data flow and logic flow – Reveal critical systems that are easier to attack than the original target 9/17/2009 www.0x90.org email: txs@0x90.org 8
Attack Methodology: Discover • Use a debug proxy to intercept client-server communications – Observe application traffic and modify components of application traffic independently of the client – Look for hidden fields and notes embedded in the source – Developers tend to make assumptions about the integrity of “client” generated data, like headers and other data that is supposedly concealed from the user -- abuse these assumptions • Include a regular expression engine to make on the fly replacements • Use an existing tool or a write a new one – HTTP: @Stake/Symantec WebProxy, Paros, 0x90.org Sake 9/17/2009 www.0x90.org email: txs@0x90.org 9
Attack Methodology: Target • Login Mechanism • Session Management • Input Fields • Unprotected Interfaces • Application Related Infrastructure • Application Related Networks 9/17/2009 www.0x90.org email: txs@0x90.org 10
Attack Methodology: Attack Ok enough of this chit-chat. Show me how to break something! 9/17/2009 www.0x90.org email: txs@0x90.org 11
Demonstration Platform Details • “Microsoft .Net PetShop 3.0” is Microsoft’s implementation of a .NET sample application. – Original application can be found at : http://msdn.microsoft.com/library/default.asp?url=/library/en -us/dnbda/html/psimp.asp?frame=true • Does not out of the box have these vulnerabilities – Added for demonstration purposes • Vulnerabilities based on common web application issues found in production environments. • Platform built on Windows 2000 Server, IIS 5.0 and SQL Server 2000 9/17/2009 www.0x90.org email: txs@0x90.org 12
Vulnerability Details • What it is and what does it do • Vulnerability identification • Execution of the vulnerability • Review of faulty application code • Possible mitigation techniques 9/17/2009 www.0x90.org email: txs@0x90.org 13
Common Vulnerabilities Verbose Error Messages • What it is and what does it do – Presenting the end user with verbose error messages including potentially sensitive information – Utilized to further other attacks against the system • Vulnerability identification – No special technique required – Review all error messages in detail • Execution of the vulnerability – May directly result in an attack vector presenting itself for exploit – May leak information that can be used in conjunction with other attack vectors 9/17/2009 www.0x90.org email: txs@0x90.org 14
Common Vulnerabilities Verbose Error Messages • Review of faulty application code – Configuration error allowing the web service to be available for requests – Error presents detailed information • Possible mitigation techniques – Modify the resulting page to have a limited error message – Configure the server so this functionality is not available or remove it all together 9/17/2009 www.0x90.org email: txs@0x90.org 15
Verbose Error Messages Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 16
Verbose Error Messages Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 17
Common Vulnerabilities Information Disclosure • What it is and what does it do – Default functionality leaks information – Allows an attacker to gain knowledge about the target environment – May leak sensitive data • Vulnerability identification – Subtle differences in information displayed in the browser – Comments left in production code – Application functionality that does not require authentication 9/17/2009 www.0x90.org email: txs@0x90.org 18
Common Vulnerabilities Information Disclosure • Execution of the vulnerability – Varies dependant upon the type of information disclosure – May be an error scenario – May be standard functionality available without authentication • Review of faulty application code – Commonly a configuration error – May be extra information in comments or in presented data • Possible mitigation techniques – Require authentication on all requests – Verify presented data can not be used in other attacks 9/17/2009 www.0x90.org email: txs@0x90.org 19
Information Disclosure Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 20
Common Vulnerabilities Directory Traversal • What it is and what does it do – Allow the attacker to download or gain access to files outside of the normal web directory structure • Vulnerability identification – Manipulation of parameters with .. And / or characters in an attempt to bypass normal directory structures • Execution of the vulnerability – Modify the parameters within the URL – Alternatively intercept the request and modify hidden fields or modify the content of the HTTP POST 9/17/2009 www.0x90.org email: txs@0x90.org 21
Common Vulnerabilities Directory Traversal • Review of faulty application code – string path = "c:PetStore.review"+itemId; using (StreamReader sr = new StreamReader(path)) – Lack of input validation – File access granted where not specifically required • Possible mitigation techniques – Validate all input – Utilize a lower privileged account – Only grant permissions on specifically required files – Use “Mappath” method to safely generate a file path 9/17/2009 www.0x90.org email: txs@0x90.org 22
Directory Traversal Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 23
Common Vulnerabilities Price Fixing • What it is and what does it do – Commonly referred to as parameter manipulation attacks – Allows the attacker to modify values that are then utilized by the application in an unchecked fashion • Vulnerability identification – Modification of parameters in a logical fashion in an attempt to verify the validation and authorization routines of the application server • Execution of the vulnerability – If possible modify in the URL directly – Alternatively utilize an http(s) intercepting proxy 9/17/2009 www.0x90.org email: txs@0x90.org 24
Common Vulnerabilities Price Fixing • Review of faulty application code – decimal price = decimal.Parse(Request["UnitPrice"]); myCart.Add(itemId,price); – Data stored client side utilized directly in the application business logic – No verification of pricing (parameter) against server side data • Possible mitigation techniques – Do not store sensitive information client side • If you must, encrypt and sign the data – Do not trust client data • Verify that user supplied data has not been tampered with 9/17/2009 www.0x90.org email: txs@0x90.org 25
Price Fixing - Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 26
Common Vulnerabilities Cross Site Scripting (XSS) • What it is and what does it do – XSS is the injection of code or script into a web page that is then displayed to a third party executing the script in the context of their web browser. • Vulnerability identification – Look for anywhere were client supplied data is redisplayed to the end user and not properly input validated or output encoded. • Execution of the vulnerability – Inject some simple script and see if the resulting page contains your data. 9/17/2009 www.0x90.org email: txs@0x90.org 27
Common Vulnerabilities Cross Site Scripting (XSS) • Review of faulty application code – Search Results for "<%=Request["keywords"]%>“ – Lack of input validation and output encoding • Possible mitigation techniques – Input validation and output encoding • The original code htmlEncodes suspicious values on output • Validate all input against a known set of approved characters – Defense in depth: • Truncate all input fields to a max reasonable length • Out-of the box .Net bans ‘<‘ 9/17/2009 www.0x90.org email: txs@0x90.org 28
Cross Site Scripting Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 29
Common Vulnerabilities SQL Injection • What it is and what does it do – SQL Injection is a vulnerability allowing an attacker to submit SQL statements of their choosing that are then processed by the application. • Vulnerability identification – Typical identification techniques include submitting characters such as ‘, “, or – characters into an input field. Based on the resulting errors and/or data, SQL Injection points may be identified. • Execution of the vulnerability – Longer cycle of execution. Based on resulting error pages and/or data the entire database schema and stored data may be compromised. 9/17/2009 www.0x90.org email: txs@0x90.org 30
Common Vulnerabilities SQL Injection • Review of faulty application code – string sql = "SELECT Item.ItemId, Item.Attr1, Inventory.Qty, Item.ListPrice, Product.Name, Product.Descn FROM Item INNER JOIN Inventory ON Item.ItemId = Inventory.ItemId INNER JOIN Product ON Item.ProductId = Product.ProductId WHERE Item.ItemId = '"+itemId+"';"; – Lack of input validation – Dynamically concatenated SQL statements 9/17/2009 www.0x90.org email: txs@0x90.org 31
Common Vulnerabilities SQL Injection • Possible mitigation techniques – Input Validation • The original code htmlEncodes suspicious values such as ’ • Input validation: itemId should not contain anything but A-Z,0-9 and not be longer than 15 characters. Use white-list based input filtering. – Prepared statements • Arguments are added to the statement after it is parsed for validation • Limited privileges: Create a “browse” identity with only select privileges on the products tables 9/17/2009 www.0x90.org email: txs@0x90.org 32
SQL Injection Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 33
Review - Attacks • Cross-site Scripting • SQL Injection • Price Fixing (aka Parameter Tampering) • Directory Traversal • Verbose Error Messages • Information Disclosure 9/17/2009 www.0x90.org email: txs@0x90.org 34
Review - Defenses • Input validation • Output sanitation and encoding • Least privilege accounts and account permissions • Limit error message information • Require authentication and authorization for all requests • Harden the web application removing extraneous content 9/17/2009 www.0x90.org email: txs@0x90.org 35
9/17/2009 www.0x90.org email: txs@0x90.org 36

Recomendados

Scanning web vulnerabilities
Scanning web vulnerabilitiesScanning web vulnerabilities
Scanning web vulnerabilities
Mohit Dholakiya
 
Protecting web aplications with machine learning and security fabric
Protecting web aplications with machine learning and security fabricProtecting web aplications with machine learning and security fabric
Protecting web aplications with machine learning and security fabric
DATA SECURITY SOLUTIONS
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
Rafel Ivgi
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testing
Md Samsul Kabir
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
NCC Group
 

Recomendados

Scanning web vulnerabilities
Scanning web vulnerabilitiesScanning web vulnerabilities
Scanning web vulnerabilities
Mohit Dholakiya
 
Protecting web aplications with machine learning and security fabric
Protecting web aplications with machine learning and security fabricProtecting web aplications with machine learning and security fabric
Protecting web aplications with machine learning and security fabric
DATA SECURITY SOLUTIONS
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
Rafel Ivgi
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testing
Md Samsul Kabir
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
NCC Group
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
Mark Jayson Fuentes
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
G Prachi
 
Ccsit cyberlympics 2017 workshop 3 - presentation
Ccsit cyberlympics 2017 workshop 3 - presentationCcsit cyberlympics 2017 workshop 3 - presentation
Ccsit cyberlympics 2017 workshop 3 - presentation
Nasir Bhutta
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
Security Innovation
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
Ken DeSouza
 
Do You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaDo You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez Metula
Alphageeks
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
Imaginea
 
APEC TEL 58: Social Media Security
APEC TEL 58: Social Media SecurityAPEC TEL 58: Social Media Security
APEC TEL 58: Social Media Security
APNIC
 
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectorsOutpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
Rod Soto
 
Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3
Kabul Education University
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Chetanmalviya8
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
robin_bene
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
Marco Morana
 
Applying the nist framework to transportation systems mod 1 nhi instructor de...
Applying the nist framework to transportation systems mod 1 nhi instructor de...Applying the nist framework to transportation systems mod 1 nhi instructor de...
Applying the nist framework to transportation systems mod 1 nhi instructor de...
raymurphy9533
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
Muhammad Shehata
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
Lumension
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
National Cheng Kung University
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 

Mais conteúdo relacionado

Mais procurados

The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
Ken DeSouza
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
Imaginea
 

Mais procurados (16)

A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Ccsit cyberlympics 2017 workshop 3 - presentation
Ccsit cyberlympics 2017 workshop 3 - presentationCcsit cyberlympics 2017 workshop 3 - presentation
Ccsit cyberlympics 2017 workshop 3 - presentation
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
 
Do You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaDo You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez Metula
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
 
APEC TEL 58: Social Media Security
APEC TEL 58: Social Media SecurityAPEC TEL 58: Social Media Security
APEC TEL 58: Social Media Security
 
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectorsOutpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
 
Applying the nist framework to transportation systems mod 1 nhi instructor de...
Applying the nist framework to transportation systems mod 1 nhi instructor de...Applying the nist framework to transportation systems mod 1 nhi instructor de...
Applying the nist framework to transportation systems mod 1 nhi instructor de...
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 

Semelhante a CarolinaCon 2005 Web Application Hacking 101

CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
Kaukau9
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical security
Nicholas Davis
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
Nicholas Davis
 

Semelhante a CarolinaCon 2005 Web Application Hacking 101 (20)

CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdf
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical security
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 

Mais de Tyler Shields

United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
Tyler Shields
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
Tyler Shields
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsSurvey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Tyler Shields
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Tyler Shields
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Tyler Shields
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesSoftware Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the Berries
Tyler Shields
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesRaleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the Berries
Tyler Shields
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
Tyler Shields
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Tyler Shields
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers View
Tyler Shields
 
Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile Privacy
Tyler Shields
 
Owasp Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityOwasp Ireland - The State of Software Security
Owasp Ireland - The State of Software Security
Tyler Shields
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More Problems
Tyler Shields
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your Privacy
Tyler Shields
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every Layer
Tyler Shields
 

Mais de Tyler Shields (20)

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
 
Avoiding the Pandora Pitfall
Avoiding the Pandora PitfallAvoiding the Pandora Pitfall
Avoiding the Pandora Pitfall
 
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaSocial Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social Media
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsSurvey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital Forensics
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part Deux
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesSoftware Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the Berries
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesRaleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the Berries
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers View
 
Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile Privacy
 
Owasp Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityOwasp Ireland - The State of Software Security
Owasp Ireland - The State of Software Security
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More Problems
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your Privacy
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every Layer
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

CarolinaCon 2005 Web Application Hacking 101

  • 1. Web Application Hacking 101 Common Web Attacks and Defenses
  • 2. Agenda • Introduction • Application Attacks Overview • Attack Methodologies • Demonstration Platform Details • Demo of Common Vulnerabilities Cross-site Scripting Directory Traversal SQL Injection Verbose Error Messages Price Fixing (Parameter Tampering) Information Disclosure • Review • Questions 9/17/2009 www.0x90.org email: txs@0x90.org 2
  • 3. Introduction • txs@0x90.org – Active member of 0x90.org “Digital Think Tank” and “Source of Proper Internet Villainy” (www.0x90.org) – Founding member of the GhettoHackers, GHI (www.ghettohackers.net) – Professional security consultant to the U.S. Government, Financial Institutions, Fortune 500 Companies, and anyone willing to pay cash. – Primary focus is application penetration testing and analysis. In other words I break stuff. – Presented at major industry conferences, taught security courses, and has been involved in the security community for nearly a decade contributing to many prominent mailing lists and open source security projects. 9/17/2009 www.0x90.org email: txs@0x90.org 3
  • 4. Application Attacks Overview • Application security measures are often implemented at the network level – This will not work effectively as network ACLs cannot protect against the use of valid connections – Network security cannot generally provide adequate protection at the application level – Network implemented application controls may introduce significant impact on performance • Applications are the next generation attack point – Information about application attacks is more readily available – Protections against application attacks are not as robust or mature as network security – Tools for testing applications are becoming more readily available 9/17/2009 www.0x90.org email: txs@0x90.org 4
  • 5. Application Attacks Overview • Applications are targeted because they are the access point for data, products, resources, and money – Even with conventional network defenses, many applications can be attacked – Security controls around applications can be bypassed, which allows attackers to: • Modify information • Steal products • Credit money to accounts – In some cases the attack may grant access to other portions of the application or to the environment – The attack may not even involve theft • If the attacker understands the system being attacked, it is possible that they will be able to merely “borrow” resources 9/17/2009 www.0x90.org email: txs@0x90.org 5
  • 6. Attack Methodology • Discover • Target • Attack 9/17/2009 www.0x90.org email: txs@0x90.org 6
  • 7. Attack Methodology: Discover • Examine the environment – Identify what types and version of applications are running (banners/headers) – Identify what ports are open for communication to the server and the application – Examine extensions: foo.jhtml, foo.shtml - will often reveal the application server engine (weblogic, coldfusion, tomcat, etc.) • Generate and examine errors – Submit ridiculous input and monitor response (fuzzing) – Database errors are extremely helpful • Look for information left behind from development – Sample code or snippets 9/17/2009 www.0x90.org email: txs@0x90.org 7
  • 8. Attack Methodology: Discover • Look for configuration errors: – Use a sniffer to examine traffic – Review client software – Use network scanning and probing tools • Look for environment errors: – Identify ways to circumvent application security controls – Reveal program data flow and logic flow – Reveal critical systems that are easier to attack than the original target 9/17/2009 www.0x90.org email: txs@0x90.org 8
  • 9. Attack Methodology: Discover • Use a debug proxy to intercept client-server communications – Observe application traffic and modify components of application traffic independently of the client – Look for hidden fields and notes embedded in the source – Developers tend to make assumptions about the integrity of “client” generated data, like headers and other data that is supposedly concealed from the user -- abuse these assumptions • Include a regular expression engine to make on the fly replacements • Use an existing tool or a write a new one – HTTP: @Stake/Symantec WebProxy, Paros, 0x90.org Sake 9/17/2009 www.0x90.org email: txs@0x90.org 9
  • 10. Attack Methodology: Target • Login Mechanism • Session Management • Input Fields • Unprotected Interfaces • Application Related Infrastructure • Application Related Networks 9/17/2009 www.0x90.org email: txs@0x90.org 10
  • 11. Attack Methodology: Attack Ok enough of this chit-chat. Show me how to break something! 9/17/2009 www.0x90.org email: txs@0x90.org 11
  • 12. Demonstration Platform Details • “Microsoft .Net PetShop 3.0” is Microsoft’s implementation of a .NET sample application. – Original application can be found at : http://msdn.microsoft.com/library/default.asp?url=/library/en -us/dnbda/html/psimp.asp?frame=true • Does not out of the box have these vulnerabilities – Added for demonstration purposes • Vulnerabilities based on common web application issues found in production environments. • Platform built on Windows 2000 Server, IIS 5.0 and SQL Server 2000 9/17/2009 www.0x90.org email: txs@0x90.org 12
  • 13. Vulnerability Details • What it is and what does it do • Vulnerability identification • Execution of the vulnerability • Review of faulty application code • Possible mitigation techniques 9/17/2009 www.0x90.org email: txs@0x90.org 13
  • 14. Common Vulnerabilities Verbose Error Messages • What it is and what does it do – Presenting the end user with verbose error messages including potentially sensitive information – Utilized to further other attacks against the system • Vulnerability identification – No special technique required – Review all error messages in detail • Execution of the vulnerability – May directly result in an attack vector presenting itself for exploit – May leak information that can be used in conjunction with other attack vectors 9/17/2009 www.0x90.org email: txs@0x90.org 14
  • 15. Common Vulnerabilities Verbose Error Messages • Review of faulty application code – Configuration error allowing the web service to be available for requests – Error presents detailed information • Possible mitigation techniques – Modify the resulting page to have a limited error message – Configure the server so this functionality is not available or remove it all together 9/17/2009 www.0x90.org email: txs@0x90.org 15
  • 16. Verbose Error Messages Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 16
  • 17. Verbose Error Messages Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 17
  • 18. Common Vulnerabilities Information Disclosure • What it is and what does it do – Default functionality leaks information – Allows an attacker to gain knowledge about the target environment – May leak sensitive data • Vulnerability identification – Subtle differences in information displayed in the browser – Comments left in production code – Application functionality that does not require authentication 9/17/2009 www.0x90.org email: txs@0x90.org 18
  • 19. Common Vulnerabilities Information Disclosure • Execution of the vulnerability – Varies dependant upon the type of information disclosure – May be an error scenario – May be standard functionality available without authentication • Review of faulty application code – Commonly a configuration error – May be extra information in comments or in presented data • Possible mitigation techniques – Require authentication on all requests – Verify presented data can not be used in other attacks 9/17/2009 www.0x90.org email: txs@0x90.org 19
  • 20. Information Disclosure Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 20
  • 21. Common Vulnerabilities Directory Traversal • What it is and what does it do – Allow the attacker to download or gain access to files outside of the normal web directory structure • Vulnerability identification – Manipulation of parameters with .. And / or characters in an attempt to bypass normal directory structures • Execution of the vulnerability – Modify the parameters within the URL – Alternatively intercept the request and modify hidden fields or modify the content of the HTTP POST 9/17/2009 www.0x90.org email: txs@0x90.org 21
  • 22. Common Vulnerabilities Directory Traversal • Review of faulty application code – string path = "c:PetStore.review"+itemId; using (StreamReader sr = new StreamReader(path)) – Lack of input validation – File access granted where not specifically required • Possible mitigation techniques – Validate all input – Utilize a lower privileged account – Only grant permissions on specifically required files – Use “Mappath” method to safely generate a file path 9/17/2009 www.0x90.org email: txs@0x90.org 22
  • 23. Directory Traversal Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 23
  • 24. Common Vulnerabilities Price Fixing • What it is and what does it do – Commonly referred to as parameter manipulation attacks – Allows the attacker to modify values that are then utilized by the application in an unchecked fashion • Vulnerability identification – Modification of parameters in a logical fashion in an attempt to verify the validation and authorization routines of the application server • Execution of the vulnerability – If possible modify in the URL directly – Alternatively utilize an http(s) intercepting proxy 9/17/2009 www.0x90.org email: txs@0x90.org 24
  • 25. Common Vulnerabilities Price Fixing • Review of faulty application code – decimal price = decimal.Parse(Request["UnitPrice"]); myCart.Add(itemId,price); – Data stored client side utilized directly in the application business logic – No verification of pricing (parameter) against server side data • Possible mitigation techniques – Do not store sensitive information client side • If you must, encrypt and sign the data – Do not trust client data • Verify that user supplied data has not been tampered with 9/17/2009 www.0x90.org email: txs@0x90.org 25
  • 26. Price Fixing - Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 26
  • 27. Common Vulnerabilities Cross Site Scripting (XSS) • What it is and what does it do – XSS is the injection of code or script into a web page that is then displayed to a third party executing the script in the context of their web browser. • Vulnerability identification – Look for anywhere were client supplied data is redisplayed to the end user and not properly input validated or output encoded. • Execution of the vulnerability – Inject some simple script and see if the resulting page contains your data. 9/17/2009 www.0x90.org email: txs@0x90.org 27
  • 28. Common Vulnerabilities Cross Site Scripting (XSS) • Review of faulty application code – Search Results for "<%=Request["keywords"]%>“ – Lack of input validation and output encoding • Possible mitigation techniques – Input validation and output encoding • The original code htmlEncodes suspicious values on output • Validate all input against a known set of approved characters – Defense in depth: • Truncate all input fields to a max reasonable length • Out-of the box .Net bans ‘<‘ 9/17/2009 www.0x90.org email: txs@0x90.org 28
  • 29. Cross Site Scripting Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 29
  • 30. Common Vulnerabilities SQL Injection • What it is and what does it do – SQL Injection is a vulnerability allowing an attacker to submit SQL statements of their choosing that are then processed by the application. • Vulnerability identification – Typical identification techniques include submitting characters such as ‘, “, or – characters into an input field. Based on the resulting errors and/or data, SQL Injection points may be identified. • Execution of the vulnerability – Longer cycle of execution. Based on resulting error pages and/or data the entire database schema and stored data may be compromised. 9/17/2009 www.0x90.org email: txs@0x90.org 30
  • 31. Common Vulnerabilities SQL Injection • Review of faulty application code – string sql = "SELECT Item.ItemId, Item.Attr1, Inventory.Qty, Item.ListPrice, Product.Name, Product.Descn FROM Item INNER JOIN Inventory ON Item.ItemId = Inventory.ItemId INNER JOIN Product ON Item.ProductId = Product.ProductId WHERE Item.ItemId = '"+itemId+"';"; – Lack of input validation – Dynamically concatenated SQL statements 9/17/2009 www.0x90.org email: txs@0x90.org 31
  • 32. Common Vulnerabilities SQL Injection • Possible mitigation techniques – Input Validation • The original code htmlEncodes suspicious values such as ’ • Input validation: itemId should not contain anything but A-Z,0-9 and not be longer than 15 characters. Use white-list based input filtering. – Prepared statements • Arguments are added to the statement after it is parsed for validation • Limited privileges: Create a “browse” identity with only select privileges on the products tables 9/17/2009 www.0x90.org email: txs@0x90.org 32
  • 33. SQL Injection Demonstration 9/17/2009 www.0x90.org email: txs@0x90.org 33
  • 34. Review - Attacks • Cross-site Scripting • SQL Injection • Price Fixing (aka Parameter Tampering) • Directory Traversal • Verbose Error Messages • Information Disclosure 9/17/2009 www.0x90.org email: txs@0x90.org 34
  • 35. Review - Defenses • Input validation • Output sanitation and encoding • Least privilege accounts and account permissions • Limit error message information • Require authentication and authorization for all requests • Harden the web application removing extraneous content 9/17/2009 www.0x90.org email: txs@0x90.org 35
  • 36. 9/17/2009 www.0x90.org email: txs@0x90.org 36