Differences between revisions 4 and 10 (spanning 6 versions)
Revision 4 as of 2010-04-20 03:25:03
Size: 7841
Editor: c-71-226-185-105
Comment:
Revision 10 as of 2010-04-20 03:45:39
Size: 8035
Editor: c-71-226-185-105
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Ch 11 - Web Hacking
Presented by Matt Zuehlke
4/7/2010
Early Days
• In the early days of web hacking the web server was often the main target.
• Now days vulnerabilities in server software are widely publicized and easy to detect and attack and protect.
• Fewer and fewer vulnerabilities are showing up because…
 Vendors and open-source are learning from past mistakes
 Sys. Admins are learning how to better configure
 Vendors and open-source are responding faster to patches
 Proactive countermeasures are fast becoming standard (Watchfire’s AppSheild, Microsoft’s URLScan, etc.)
 Automated vulnerability-scanning products that can quickly check common problems.
Current Vulnerabilities
• Web server vulnerabilities tend to fall into one of the following categories:
 Sample files
 Source code disclosure
 Canonicalization
 Server extensions
 Input validation (ex. Buffer overflows)
Sample Files
• With more and more features in web software, developers are adding in more sample code and scripts to show what can be done.
• If left in place the sample files can become an easy target for hackers.
• Ex. IIS4 had two sample files that let hackers remote access and reveal the contents of just about every other file on the server.
Source Code Disclosure
• Allow a malicious user to view the source code of application files on a vulnerable web server that is intended to remain confidential.
• Can combine this with other attacks to gain access to protected areas such as /etc/passwd, etc.
• Good practice to assume your web files will be seen, and should never store sensitive data in any source code.
Canonicalization Attacks
• Computer and network resources can often be addressed using more than one way.
• Ex. C:\text.txt ; ..\\text.txt ; \\computer\C$\text.txt
• Apps that make security decisions based on the resource name can be vulnerable to these attacks, and easily fooled.
• Make sure to keep web platforms up to date with all patches.
• Compartmentalize your directory structure.
• Constrain input using platform-layer solutions (MS’s URLScan) to strip unicode or double-hex-encoded characters before reaching the server.
Server Extensions
• Web servers by themselves are minimal in functionality, extensions add a lot to the web experience
• With web extensions also come trouble
• MS’s indexing extension, IPP, IIS5, WebDAV, SSL, etc all are extensions and all have had their fair share of security holes
• Make sure you patch or disable the vulnerable extension. In general make sure you only run extensions that are needed and nothing more
Buffer Overflows
• Buffer overflow attack symbolizes the coup de grace of hacking
• Often result in the ability to execute arbitrary commands on the victim machine, with very high privilege levels
• Easiest way to counter buffer overflow vulnerabilities is to apply a software patch
Web Server Vulnerability Scanners
• Tools that automate the process of parsing web servers for a bunch of vulnerabilities that come from the hacking community
• Allows you to focus on patching the holes that are found when the automated process is done, make sure to patch them fast because a hacker can find them easily too
• Ex. Nikto, and Nessus
• https://71.226.185.105:8834
= Ch 11 - Web Hacking =

Link to PDF of powerpoint presentation
http://dl.dropbox.com/u/68566/WebHacking.pdf
Line 51: Line 7:
Web Application Hacking
• Web app hacking refers to hacking the app itself and not the web server
• Requires more patience and sophistication then hacking off the shelf web server software
=== Early Days ===
 *In the early days of web hacking the web server was often the main target.
 *Now days vulnerabilities in server software are widely publicized and easy to detect and attack and protect.
 *Fewer and fewer vulnerabilities are showing up because…
  * Vendors and open-source are learning from past mistakes
  * Sys. Admins are learning how to better configure
  * Vendors and open-source are responding faster to patches
  * Proactive countermeasures are fast becoming standard (Watchfire’s !AppSheild, Microsoft’s URLScan, etc.)
Line 55: Line 16:
Finding vulnerable apps with Google
• Search engines are dangerous because users are careless
• Makes finding candidate machines almost effortless
• Find list of publicly accessible pages
 Site:southern.edu; inurl:southern.edu
• Find unprotected directories
 “Index of /admin” /password, /mail, password.txt
• Find password hint applications that are poorly setup
 Password hint, password hint –email, show password hint –email, filetype:htaccess user
Web Crawling
• A serious attacker takes the time to become familiar with the application
• Download entire contents of site, look for low hanging fruit
 Local path info, back-end server names, IP address, SQL query strings with passwords, info comments, etc
• Tools
 wget to get entire websites which can then be used to study later in great detail
Web Application Assessment
• Once target app content has been crawled and analyzed attacker will then turn to more in-depth probing
• Ultimate goal of this is to thoroughly understand the architecture and design of the application and identify any weaknesses
• Focus on authentication, session management, database interaction, generic input validation, and application logic
=== Current Vulnerabilities ===
 *Web server vulnerabilities tend to fall into one of the following categories:
  * Sample files
  *Source code disclosure
  *Canonicalization
  *Server extensions
  *Input validation (ex. Buffer overflows)
Line 75: Line 24:
Browser Plug-ins
Browser plug-ins allow you to view the requests as they are made and stop, and modify them on their way
Very valuable in finding hidden form fields, modifying query arguments and request headers, and inspecting the response from the remote server
TamperData is a plug-in for Firefox coupled with no-script can selectively run and edit JavaScript
Tool Suites
Web proxies that are in between the web client and server
Basically a man-in-the-middle during an http session
Fiddler can be used with any WinINET library software, IE, Outlook, Office, etc
Fiddler can adjust files on the way
Ex. bpu .css
Common Web Application Vulnerabilities
The main categories are
Cross-Site Scripting (XSS)
Injection Flaws
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Arise from input/output validation deficiencies in web applications
Attacks other users of the page
Ex. Attacker puts code in guestbook online, people who view guestbook has the attackers code executed, potentially giving attacker control of second users’ system
Counter with filter input parameters for special characters. Ex. < > ( ) # & “
SQL Injection
Adjusting the SQL to point it at a file you wish to view
Is a problem because by default a web browser is a “trusted” user.
Counter measures
Perform strict input validation on any input from the client
Replace direct SQL statements with stored procedures, prepared statements
Implement defaut error handling
Lock down ODBC
Lock down database server configuration
Cross-Site Request Forgery
Known about for nearly a decade, but just now becoming a serious problem
Allows for users to stay logged in without having to authenticate after each page load
Can cause problems for the users, passwords changed, funds transferred, merchandise purchased, and more.
Attacker puts image tag in a real page that a user is already logged in to and when the browser requests the link instead of an image it is a url string that can change the password for example.
<img src=http://example.com/update_account.asp?new_password=evil>
Conutermeasures
Tying the incoming request to the auth. session. Use random values, tied to the specified user’s session. If it doesn’t match have them re authenticate their connection.
Misuse of Hidden Tags
Allows attackers to adjust hidden fields before being sent to the server for processing
Business should not have price of item set as a hidden form
Would be very easy to adjust the price
Countermeasures
Limit the use of hidden tags, or at least confirm the value before processing
Summary
Qu
iz
• List
2 of the 5 common web server vulnerabilities.
Name one of the two browser plugins/toolsets to preform a man-in-the-middle attack.
What is a common tool used to gather entire websites?
What is the easiest method to find vulnerable web applications?
=== Sample Files ===
 *With more and more features in web software, developers are adding in more sample code and scripts to show what can be done.
 *If left in place the sample files can become an easy target for hackers.
 *Ex. IIS4 had two sample files that let hackers remote access and reveal the contents of just about every other file on the server.

=== Source Code Disclosure ===
 *Allow a malicious user to view the source code of application files on a vulnerable web server that is intended to remain confidential.
 *Can combine this with other attacks to gain access to protected areas such as /etc/passwd, etc.
 *Good practice to assume your web files will be seen, and should never store sensitive data in any source code.

=== Canonicalization Attacks ===
 *Computer and network resources can often be addressed using more than one way.
 *Ex. C:\text.txt ; ..\\text.txt ; \\computer\C$\text.txt
 *Apps that make security decisions based on the resource name can be vulnerable to these attacks, and easily fooled.
 *Make sure to keep web platforms up to date with all patches.
 *Compartmentalize your directory structure.
 *Constrain input using platform-layer solutions (MS’s URLScan) to strip unicode or double-hex-encoded characters before reaching the server.

=== Server Extensions ===
 *Web servers by themselves are minimal in functionality, extensions add a lot to the web experience
 *With web extensions also come trouble
 *MS’s indexing extension, IPP, IIS5, WebDAV, SSL, etc all are extensions and all have had their fair share of security holes
 *Make sure you patch or disable the vulnerable extension. In general make sure you only run extensions that are needed and nothing more

===
Buffer Overflows ===
 *Buffer overflow attack symbolizes the coup de grace of hacking
 *Often result in the ability to execute arbitrary commands on the victim machine, with very high privilege levels
 *Easiest way to counter buffer overflow vulnerabilities is to apply a software patch

=== Web Server Vulnerability Scanners ===
 *Tools that automate the process of parsing web servers for a bunch of vulnerabilities that come from the hacking community
 *Allows you to focus on patching the holes that are found when the automated process is done, make sure to patch them fast because a hacker can find them easily too
 *Ex. Nikto, and Nessus
 
=== Web Application Hacking ===
 *Web app hacking refers to hacking the app itself and not the web server
 *Requires more patience and sophistication then hacking off the shelf web server software

=== Finding vulnerable apps with Google ===
 *Search engines are dangerous because users are careless
 *Makes finding candidate machines almost effortless
 *Find list of publicly accessible pages
  *Site:southern.edu; inurl:southern.edu
 *Find unprotected directories
  *Index of /admin” /password, /mail, password.txt
 *Find password hint applications that are poorly setup
  *
Password hint, password hint –email, show password hint –email, filetype:htaccess user

=== Web Crawling ===
 *A serious attacker takes the time to become familiar with the application
 *Download entire contents of site, look for low hanging fruit
  *Local path info, back
-end server names, IP address, SQL query strings with passwords, info comments, etc
 *Tools
  *wget to get entire websites which can then be used to study later in great detail

=== Web Application Assessment ===
 *Once target app content has been crawled and analyzed attacker will then turn to more in-depth probing
 *Ultimate goal of this is to thoroughly understand the architecture and design of the application and identify any weaknesses
 *Focus on authentication, session management, database interaction, generic input validation, and application logic

===
Browser Plug-ins ===
 *Browser plug-ins
allow you to view the requests as they are made and stop, and modify them on their way
 *Very valuable in finding hidden form fields, modifying query arguments and request headers, and inspecting the response from the remote server
 *TamperData is a plug-in for Firefox coupled with no-script can selectively run and edit JavaScript

===
Tool Suites ===
 *
Web proxies that are in between the web client and server
 *Basically a man-in-the-middle during an http session
 *Fiddler can be used with any WinINET library software, IE, Outlook, Office, etc
 *Fiddler can adjust files on the way
  *Ex. bpu .css

===
Common Web Application Vulnerabilities ===
 *
The main categories are
  *Cross-Site Scripting (XSS)
  *Injection Flaws
  *Cross-Site Request Forgery (CSRF)

===
Cross-Site Scripting (XSS) ===
 *
Arise from input/output validation deficiencies in web applications
 *Attacks other users of the page
  *Ex. Attacker puts code in guestbook online, people who view guestbook has the attackers code executed, potentially giving attacker control of second users’ system
 *Counter with filter input parameters for special characters. Ex. < > ( ) # & “

===
SQL Injection ===
 *
Adjusting the SQL to point it at a file you wish to view
 *Is a problem because by default a web browser is a “trusted” user.
 *Counter measures
  *Perform strict input validation on any input from the client
  *Replace direct SQL statements with stored procedures, prepared statements
  *Implement defaut error handling
  *Lock down ODBC
  *Lock down database server configuration

===
Cross-Site Request Forgery ===
 *
Known about for nearly a decade, but just now becoming a serious problem
 *Allows for users to stay logged in without having to authenticate after each page load
 *Can cause problems for the users, passwords changed, funds transferred, merchandise purchased, and more.
 *Attacker puts image tag in a real page that a user is already logged in to and when the browser requests the link instead of an image it is a url string that can change the password for example.
  *&<img src=http://example.com/update_account.asp?new_password=evil>
 *Conutermeasures
  *Tying the incoming request to the auth. session. Use random values, tied to the specified user’s session. If it doesn’t match have them re authenticate their connection.

===
Misuse of Hidden Tags ===
 *
Allows attackers to adjust hidden fields before being sent to the server for processing
 *Business should not have price of item set as a hidden form
 *Would be very easy to adjust the price
 *Countermeasures
  *Limit the use of hidden tags, or at least confirm the value before processing

== Quiz ==
1. List 2 of the 5 common web server vulnerabilities.
||<#32CD32>
Sample files, Source code disclosure, Canonicalization, Server extensions, Input validation(ex. Buffer overflow) ||
2. Name one of the two browser plugins/toolsets to preform a man-in-the-middle attack.
||<#32CD32> !TamperData or Fiddler ||
3.
What is a common tool used to gather entire websites?
||<#32CD32> wget ||
4.
What is the easiest method to find vulnerable web applications?
||<#32CD32> Using search engines ||

Ch 11 - Web Hacking

Link to PDF of powerpoint presentation http://dl.dropbox.com/u/68566/WebHacking.pdf

Early Days

  • In the early days of web hacking the web server was often the main target.
  • Now days vulnerabilities in server software are widely publicized and easy to detect and attack and protect.
  • Fewer and fewer vulnerabilities are showing up because…
    • Vendors and open-source are learning from past mistakes
    • Sys. Admins are learning how to better configure
    • Vendors and open-source are responding faster to patches
    • Proactive countermeasures are fast becoming standard (Watchfire’s AppSheild, Microsoft’s URLScan, etc.)

Current Vulnerabilities

  • Web server vulnerabilities tend to fall into one of the following categories:
    • Sample files
    • Source code disclosure
    • Canonicalization
    • Server extensions
    • Input validation (ex. Buffer overflows)

Sample Files

  • With more and more features in web software, developers are adding in more sample code and scripts to show what can be done.
  • If left in place the sample files can become an easy target for hackers.
  • Ex. IIS4 had two sample files that let hackers remote access and reveal the contents of just about every other file on the server.

Source Code Disclosure

  • Allow a malicious user to view the source code of application files on a vulnerable web server that is intended to remain confidential.
  • Can combine this with other attacks to gain access to protected areas such as /etc/passwd, etc.
  • Good practice to assume your web files will be seen, and should never store sensitive data in any source code.

Canonicalization Attacks

  • Computer and network resources can often be addressed using more than one way.
  • Ex. C:\text.txt ; ..\\text.txt ; \\computer\C$\text.txt
  • Apps that make security decisions based on the resource name can be vulnerable to these attacks, and easily fooled.
  • Make sure to keep web platforms up to date with all patches.
  • Compartmentalize your directory structure.
  • Constrain input using platform-layer solutions (MS’s URLScan) to strip unicode or double-hex-encoded characters before reaching the server.

Server Extensions

  • Web servers by themselves are minimal in functionality, extensions add a lot to the web experience
  • With web extensions also come trouble
  • MS’s indexing extension, IPP, IIS5, WebDAV, SSL, etc all are extensions and all have had their fair share of security holes
  • Make sure you patch or disable the vulnerable extension. In general make sure you only run extensions that are needed and nothing more

Buffer Overflows

  • Buffer overflow attack symbolizes the coup de grace of hacking
  • Often result in the ability to execute arbitrary commands on the victim machine, with very high privilege levels
  • Easiest way to counter buffer overflow vulnerabilities is to apply a software patch

Web Server Vulnerability Scanners

  • Tools that automate the process of parsing web servers for a bunch of vulnerabilities that come from the hacking community
  • Allows you to focus on patching the holes that are found when the automated process is done, make sure to patch them fast because a hacker can find them easily too
  • Ex. Nikto, and Nessus

Web Application Hacking

  • Web app hacking refers to hacking the app itself and not the web server
  • Requires more patience and sophistication then hacking off the shelf web server software

Finding vulnerable apps with Google

  • Search engines are dangerous because users are careless
  • Makes finding candidate machines almost effortless
  • Find list of publicly accessible pages
    • Site:southern.edu; inurl:southern.edu

  • Find unprotected directories
    • Index of /admin” /password, /mail, password.txt
  • Find password hint applications that are poorly setup
    • Password hint, password hint –email, show password hint –email, filetype:htaccess user

Web Crawling

  • A serious attacker takes the time to become familiar with the application
  • Download entire contents of site, look for low hanging fruit
    • Local path info, back-end server names, IP address, SQL query strings with passwords, info comments, etc
  • Tools
    • wget to get entire websites which can then be used to study later in great detail

Web Application Assessment

  • Once target app content has been crawled and analyzed attacker will then turn to more in-depth probing
  • Ultimate goal of this is to thoroughly understand the architecture and design of the application and identify any weaknesses
  • Focus on authentication, session management, database interaction, generic input validation, and application logic

Browser Plug-ins

  • Browser plug-ins allow you to view the requests as they are made and stop, and modify them on their way
  • Very valuable in finding hidden form fields, modifying query arguments and request headers, and inspecting the response from the remote server
  • TamperData is a plug-in for Firefox coupled with no-script can selectively run and edit JavaScript

Tool Suites

  • Web proxies that are in between the web client and server
  • Basically a man-in-the-middle during an http session
  • Fiddler can be used with any WinINET library software, IE, Outlook, Office, etc
  • Fiddler can adjust files on the way
    • Ex. bpu .css

Common Web Application Vulnerabilities

  • The main categories are
    • Cross-Site Scripting (XSS)
    • Injection Flaws
    • Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

  • Arise from input/output validation deficiencies in web applications
  • Attacks other users of the page
    • Ex. Attacker puts code in guestbook online, people who view guestbook has the attackers code executed, potentially giving attacker control of second users’ system
  • Counter with filter input parameters for special characters. Ex. < > ( ) # & “

SQL Injection

  • Adjusting the SQL to point it at a file you wish to view
  • Is a problem because by default a web browser is a “trusted” user.
  • Counter measures
    • Perform strict input validation on any input from the client
    • Replace direct SQL statements with stored procedures, prepared statements
    • Implement defaut error handling
    • Lock down ODBC
    • Lock down database server configuration

Cross-Site Request Forgery

  • Known about for nearly a decade, but just now becoming a serious problem
  • Allows for users to stay logged in without having to authenticate after each page load
  • Can cause problems for the users, passwords changed, funds transferred, merchandise purchased, and more.
  • Attacker puts image tag in a real page that a user is already logged in to and when the browser requests the link instead of an image it is a url string that can change the password for example.
  • Conutermeasures
    • Tying the incoming request to the auth. session. Use random values, tied to the specified user’s session. If it doesn’t match have them re authenticate their connection.

Misuse of Hidden Tags

  • Allows attackers to adjust hidden fields before being sent to the server for processing
  • Business should not have price of item set as a hidden form
  • Would be very easy to adjust the price
  • Countermeasures
    • Limit the use of hidden tags, or at least confirm the value before processing

Quiz

1. List 2 of the 5 common web server vulnerabilities.

Sample files, Source code disclosure, Canonicalization, Server extensions, Input validation(ex. Buffer overflow)

2. Name one of the two browser plugins/toolsets to preform a man-in-the-middle attack.

TamperData or Fiddler

3. What is a common tool used to gather entire websites?

wget

4. What is the easiest method to find vulnerable web applications?

Using search engines

HackingExposedChapter11 (last edited 2010-04-20 03:48:38 by c-71-226-185-105)