(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Transcription

1 Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy 1 Practical session - setup Target Configuration Browser Zed Attack Proxy Internet 2

2 Practical session - setup In your host machine 1. Install Zed Attack Proxy (ZAP) 2. Make sure that ZAP : Practical session - setup In your host machine 1. Go to Settings->Dynamic SSL certificates 2. Save the ZAP root CA within a folder of your choice owasp_zap_root_ca.cer 4

3 Practical session - setup From your host machine 1. Open your browser (Firefox) Preferences->Security&Privacy->Certificates->Authorities 2. Open owasp_zap_root_ca.cer 3. Trust the ZAP CA for web sites 5 Practical session - setup From your host machine 1. Install Firefox - Web Browser 2. Open your browser (Firefox) 3. Settings->General>Proxy server->settings 6

4 Practical session - setup From your host machine 1. Open your browser (Firefox) 2. Settings->Advanced->Network->Settings 7 Practical session - setup From your host machine 1. Open your browser (Firefox) 2. Go to a HTTPS enabled site (e.g. Google) 8

5 Information System Security Main Security Goals key aspects: authentication access control Confidentiality ensure that (sensitive) information is disclosed to authorized parties only Integrity prevent unauthorized modification of data (data integrity), including system code and (ab)use of system functionalities (system integrity) Availability guarantee that data and services can be accessed (in a reasonable time) by authorized parties when requested NOTE: Violations in one category may enable violations in any other category! Examples: Password theft (confidentiality violation) may allow attackers to perform unhauthorized modifications of user data (data integrity violation) A buffer overflow attack (system integrity violation) may allow attackers to gather private data (confidentiality violation) 9 Integrity Attacks - Pratical session (System) Integrity Attacks Legitimate inputs, malicious goals Application-specific: not covered by TOP 10 OWASP There are at least four TOP 10 threats that exploit DataàCode vulnerabilities A1: Injection A4: XML External Entities (XXE) A7: Cross-Site Scripting (XSS) A8: Insecure Deserialization In this lesson we will focus on Real-world abuse of web services with legitimate inputs A1:2017 Injection 10

6 Legitimate inputs, Malicious goals REAL-WOLD PHISHING AGAINST APPLE USERS! =j&q=&esrc=s&source=web&cd=1&cad=rja&u act=8&ved=0ahukewi3nrfsrvjzahxmobqkhac fafiqfggnmaa&url=http%3a%2f%2fpralab.di ee.unica.it%2f&usg=aovvaw0lfljwt5lit4axl3u WkXHq 11 Legitimate inputs, Malicious goals Google Redirect Service Google business: track users who click on search results Cybercriminal business: evade spam filters, by masquerading a (google-indexed) malicious/compromised URL eb&cd=1&cad=rja&uact=8&ved=0ahukewi3nrfsrvjzahxmo BQKHacfAFIQFggnMAA&url=http%3A%2F%2Fpralab.diee. unica.it%2f&usg=aovvaw0lfljwt5lit4axl3uwkxhq 12

7 Legitimate inputs, Malicious goals To protect against such attacks Google might add the following security requirements check the Referer header (it should be a valid Google search result URL) Legitimate inputs must provide a valid Referer malicious URLs might be de-indexed/blacklisted Legitimate inputs must not involve a blacklisted URL 13 Legitimate inputs, Malicious goals Legitimate business: HTTP debugger Malicious business: unconventional web proxy 14

8 Legitimate inputs, Malicious goals 15 Legitimate inputs, Malicious goals Take away: the same technical function can be used for different business goals Legitimate (Service Provider) Malicious (Cybercriminals) App-specific: Not covered by OWASP TOP 10! Once abuse is detected, attack protection is typically achieved by service providers adding security checks to better describe how legitimate inputs are Take away: think about how the intended functionalities of your web applications can be abused, even if inputs are legitimate! 16

9 Pratical session with OWASP BWA OWASP Broken Web Applications Project 1. Install Virtualbox 2. Download the OVA archive 3. Import the OVA archive into VirtualBox 17 Practical session Vulnerable services setup Setup NAT (port forwarding) rule. Make sure that Guest IP is correct, it should be displayed in the OWASP BWA shell at startup 18

10 Practical session From your host machine 1. Open your browser (Firefox) 2. Go to 19 OWASP WebGoat Very useful training application by OWASP 20

11 Confidentiality It should appear an authentication request On ZAP you can see a request such as 21 Confidentiality The following is a successful (authorized) request on the web server. GET HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 17.1; WOW64; rv:132.0) Gecko/ Firefox/60.2 Accept: text/html,application/xhtml+xml [ ] Accept-Language: it,en;q=0.8,it-it;q=0.5,en-us;q=0.3 Referer: Cookie: sid=fe26.2**2df [ ] Upgrade-Insecure-Requests: 1 Authorization: Basic cm9vddpvd2fzcgj3yq== Connection: keep-alive Host: :8888 What about its confidentiality? It is not handled! The underlying protocol is HTTP and all data is transferred in clear text through TCP. What about its authentication? It is handled through the Authorization header (Basic Authentication). 22

12 Confidentiality Basic authentication transfers username and passwords in clear text! TheAuthorization field isconstructed asfollows: The username and password are combined with a single colon. (:) The resulting string is encoded into an octet sequence The resulting string is encoded using a variant of Base64 The authorization method and a space is then prepended to the encoded string, separated with a space (e.g. "Basic "). Exercise: what are the credentials associated to the previous header? Authorization: Basic cm9vddpvd2fzcgj3yq== Let s execute some code. Open a shell, and launch the python interpreter $ python >>> import base64 >>> base64.b64decode("cm9vddpvd2fzcgj3yq==") 23 Confidentiality $ python >>> import base64 >>> base64.b64decode("cm9vddpvd2fzcgj3yq==") 'root:owaspbwa' OK we now have the credentials to access WebGoat! 24

13 How do I protect against Confidentiality violations? Data should be exchanged using: HTTPS with strong ciphers and additional headers for security SSL certificate with trusted Certificate Authorities No excuses! You can get them for free using HTTPS must be enforced However, preserving data confidentiality is not just matter of data transport How it is stored and how it can be accessed (including backups)? Authentication and access control 25 OWASP WebGoat From the left menu Malicious Execution->Malicious File Execution The page allows one to upload/display (read) an image 26

14 OWASP WebGoat Let s check out request and responses in ZAP To understand what is the backend web application interpreter Our first guessis that there is a JavaServer Pages (JSP) interpreter 27 OWASP WebGoat In JSP (like PHP), programs are written within files that are read and interpreted at runtime Any file with a name which ends with a specific extension (e.g.,.jsp) is executed by the interpreter Key security question: does the application checks the extension and content of the uploaded files? Let s try to upload a file browser program written in JSP 28

15 OWASP WebGoat Oh we were able to upload the JSP file... Let s execute it (right click, view image) 29 OWASP WebGoat Oh... The JSP file is actually executed and give us a full-featured file browser with read/write permissions on the filesystem! 30

16 A6:2010 Malicious File Execution Targets: file (up)load routine of the web application Interpreter: web application server (typically) An insecure handling of external/uploaded files, allows the attacker to convert input data into (arbitrary) application code Flash Silverlight PDF Reader External file Images JavaScript CSS (up)load routine HTML Application Database HTTP(S) Client HTTP(S) server 31 Wordpress Let s play with Wordpress 32

17 Wordpress OK, it appears that we are in front of WP 2.0 Plugin Spreadsheet v0.6 as well as MyGallery installed 33 Wordpress Let s find a suitable exploit 34

18 Wordpress OWASP TOP A Found SQL Injection exploit for plugin spreadsheet v Wordpress You may launch the exploit using your browser (user_login,0x3a,user_pass,0x3a,user_ ),3,4+from+wp_users-- &display=plain password hash NOTE: no errors on the DB side. Why? Because we injected the SQL query so that it generates one more row, - containing exactly the expected number of columns (4 in this case) - putting in the string field (n. 2) the char-separated (0x3a) concatenation of desired info (user_login, user_pass, user_ ) 36

19 Wordpress Let s find out the password through bruteforce We can use an online webservice In a more realistic case, attackers may use offline tools such a John The Ripper 37 Wordpress Now that we have both username and password The login URL for wordpress is at /wp-login.php 38

20 Wordpress We are in (with administrative privileges) The website is now 0wned by us (the end) 39 A SQL Injection Targets: insecure API between web application and database Interpreter: DataBase backend An insecure API between Application and Database allows the attacker to convert input data into (arbitrary) DB Queries Flash Silverlight PDF Reader Database Images JavaScript CSS HTML Application DB access API HTTP(S) Client HTTP(S) server 40