Secure Programming and! Common Errors! PART II"

Size: px

Start display at page:

Download "Secure Programming and! Common Errors! PART II""

Kevin Wade
5 years ago
Views:

1 Secure Programming and! Common Errors! PART II" brought to you by Michele AntiSnatchOr Orrù and Integrating Web LTD! Computer System Security course lead by Prof. Ozalp Babaoglu! 9 December 2009! Who am I?"!!Director and CSO of Integrating Web LTD!!!Bachelor Degree in Internet Sciences!!!Independent Security Researcher!!!Owner of security advisory blog!!!jee developer" Who am I?!!" 2 of 25! Seminar outline (part II)" What we will discuss:"!!discuss other important attack vectors, not limited to Web Applications!!!Practical screen-casts that show how attackers exploit common flows!!!understand the impact of these threats on your privacy, data and identity! Seminar outline (part II)!!!CWE-22: Path Traversal + screen-cast!!!cwe-89: Failure to Preserve SQL Query Structure (SQL injection) + screen-cast!!!cwe-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-cast!!!appendix: do you think HTTPS is secure? Not completely true! What we will discuss! 3 of 25! 4 of 25!

CWE-22: Path Traversal "!! Many applications read from or write to a file system parsing user supplied parameters that specify the file or the operation!

2 CWE-22: Path Traversal "!! Many applications read from or write to a file system parsing user supplied parameters that specify the file or the operation!!! If these user supplied parameters are not validated (and the application is not chrooted/ jailed), then an attacker can manipulate them to read/write sensitive information/files on the OS.! CWE-22: Path Traversal! CWE-22: Example! Path traversal vulnerability on ONERROR parameter!!! The HTML file requested as a value of ONERROR, can be manipulated to retrieve non-iis owned files! CWE-22: 5 of 25! 6 of 25! CWE-22: Good books:!!!#$%&''((()05074+)34)89':-2;<%%=*3014+;>039-/6;>0+?2449;@*634a-/*+.'?%' BCDB!DBDDE'/-FG6/H!H!I*-GJKLEM6G24496MN*?G!OPBOPCQDDM6/GE;!"!!#$%&''((()05074+)345':-2;R-38/*,S;K-61+.;T ;RS6,-5013'?%' BUQPU!CEVO'/-FG6/H!HVI*-GJKLEM6G24496MN*?G!OPBOE!UCDM6/GE;V""!! SANS/MITRE: #$%&''3(-)5*,/-)4/.'?0,0'?-W+*14+6'OO)#,5="!! OWASP: #$%&''((()4(06%)4/.'*+?-X)%#%'Y0,#HK/0A-/60="!! Good hacker: #$%&''9870UU)2=4.6%4,)345'OBBE'BD'3449*-;%0,#;,/0A-/60=)#,5="!! PHP security guru: #$%&''((()686%-9,)4/.'OBBE'!O'BU'%#%;UOD; 0+?;7*%0/3#*A--X,/03$4'"" CWE-22: Links! 7 of 25! 8 of 25!

CWE-89:! SQL Injection"!! If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit!!! Thanks to Bernardo for SQLmap!

3 CWE-89:! SQL Injection"!! If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit!!! Thanks to Bernardo for SQLmap!!! Open source, written in python!!! Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server!!! Metasploit plugin to exploit MS (M. SQL Server 2000/2005 heap based buffer overflow)! CWE-89: SQL Injection! CWE-89:Example! Confirmed unescaped numeric injection on GET parameter anno (patched from many months)!!! We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0!!! For demonstration we retrieved the exact name of the database name to which the web app is bounded: dipartimento! CWE-89: 9 of 25! 10 of 25! CWE-89: Good books:!!!#$%&''((()05074+)34)89':-2;<%%=*3014+;>039-/6;>0+?2449;@*634a-/*+.'?%' BCDB!DBDDE'/-FG6/H!H!I*-GJKLEM6G24496MN*?G!OPBOPCQDDM6/GE;!"!!#$%&''((()05074+)345'@0,0206-;>039-/6;>0+?2449;@-F-+?*+.;R-/A-/6'?%' BDPCUDEB!C'/-FG6/H!HOI*-GJKLEM6G24496MN*?G!OPBOE!UCDM6/GE;O"!!#$%&''((()05074+)345':-2;R-38/*,S;K-61+.;T ;RS6,-5013'?%' BUQPU!CEVO'/-FG6/H!HVI*-GJKLEM6G24496MN*?G!OPBOE!UCDM6/GE;V""!! SQLmap author:!!!#$%&''((()6=*?-6#0/-)+-,'*+n8*6'6n=;*+z-314+;+4,;4+=s;0+?;!!" CWE-89: Links! 11 of 25! 12 of 25!

4 CWE-79: Cross Site Scripting"!! When a page with our malicious code is accessed by other users, their browsers will execute our scripts on their contexts!!! Really difficult to create a powerful anti-xss filter:!!! Multiple data encoding handling!!! Data truncation handling!!! New vectors (CSS, JSON, XUL)! CWE-79: The Plague of Cross Site Scripting! 13 of 25! CWE-79: Example! 1. KonaKart"!! KonaKart is a free Java based web application to manage e-commerce websites ( Stored XSS has been found and verified in the backend!!! More info here: #$%&''0+16+0,3#4/)345'OBBE'!O'OO'94+090/,;OOPB;/-6%4+6*2=-;?*63=468/-'""!! Let see how we can exploit them! CWE-79: KonaKart! 14 of 25! CWE-79: Examples! 2. WMSmonitor" KonaKart" CWE-79: KonaKart! 15 of 25!!! Internal Penetration Test at INFN (National Institute of Nuclear Physics)!!! Workload Management System (distribute job execution between multiple Computing Elements on a Grid infrastructure) monitor!!! Some serious flows have been identified!!! Unsecure handling of X.509 client certificates!!! Reflected XSS!!! TRACE method enabled!!! Let see how can we take full control of the victim browser! CWE-79: WMSmonitor! 16 of 25!

5 !! Wade Alcorn s works:!!! BeEF: #$%&''((()2*+?6#-==)+-,',44=6'!""#'"" WMSmonitor" CWE-79: WMSmonitor!!! Inter-Protocol Exploitation: #$%&''((()2*+?6#-==)+-,'%0%-/6'*%-"!! The Advanced Cross-Site Scripting Virus: #$%&'' ((()2*+?6#-==)+-,'%0%-/6'0X66A"!! Rsnake works:!!! XSS cheat sheet: #$%&''#0)39-/6)4/.'X66)#,5="!! XSS worm context: #$%&''#0)39-/6)4/.'2=4.'OBBEB!BP'?*5*+81A-; X66;(4/5;34+,-6,;?/050;0+?;6,0,86;8%?0,-'"""!! AntiSnatcOr works research:!!! Advisories on SecurityFocus: #$%&''0+16+0,3#4/)345'OBBQ'!B'!C'W+0==S;4+;28.,/0N'" CWE-79: Links! 17 of 25! 18 of 25!!! Good books:!!!#$%&''((()05074+)34)89':-2;<%%=*3014+;>039-/6;>0+?2449;@*634a-/*+.'?%' BCDB!DBDDE'/-FG6/H!H!I*-GJKLEM6G24496MN*?G!OPBOPCQDDM6/GE;!""!!#$%&''((()05074+)345'[RR;<$0396;R3/*%1+.;\X%=4*,6;@-F-+6-'?%'!UQDCQ!UCV' /-FG6/H!HCI*-GJKLEM6G24496MN*?G!OPBOE!UCDM6/GE;C"!!#$%&''((()05074+)345':-2;R-38/*,S;K-61+.;T ;RS6,-5013'?%' BUQPU!CEVO'/-FG6/H!HVI*-GJKLEM6G24496MN*?G!OPBOE!UCDM6/GE;V""" CWE-79: Links! 19 of 25! Appendix: do you think HTTPS is secure?"!! SSL/TLS are cryptographically secure (RSA/DSA/ Symmetric Encryption)!!! But they have well known limitations and security flows!!! They all suffer from MITM attacks and network protocol manipulation!!! Some aspects such as OSCP and different implementations (OpenSSL, Mozilla NSS) are flowed! 20 of 25!

6 Appendix: do you think HTTPS is secure?"!! Latest research of Moxie Marlinspike ( Sslstrip: It transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.!!! We can use as the old certificate injection method: ARP-spoofing + traffic redirection + sniffing!!! Eventually altering BGP routing tables on routers, for remote sniffing! 21 of 25! Appendix: do you think HTTPS is secure?"!! Old exploit method (still useful)!!! MITM and fake certificate injection!!! ARP spoofing!!! IP forwarding!!! Sniffing!!! webmitm!!! Cons: the victim will see that the certificate is not valid (BTW, almost all of you don t take care to Firefox s alerts on certificates problems)!!! Press OK " That s FINE! 22 of 25! Fake certificate injection"!! Vimeo screencasts:!!!#$%&''((()a*5-4)345'p!cq!!q"!!#$%&''(((),#48.#,3/*5-)4/.'64](0/-'66=6,/*%'a*?-4'66=6,/*%)54a""!! Papers:!!!OCSP: #$%&''(((),#48.#,3/*5-)4/.'%0%-/6'436%;0$039)%?F"!!Null-byte: #$%&''(((),#48.#,3/*5-)4/.'%0%-/6'+8==;%/-WX;0$0396)%?F"!!Fake-cert: #$%&''0+16+0,3#4/)345'(4/96'6+*^+.;66=;,=6; ;,#/48.#;F09-; 3-/1W30,-;*+Z-314+'" Appendix: Links! 23 of 25! 24 of 25!

7 Thanks for your! attention!" Questions?" 25 of 25!

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language