Jeroen van Beek

Why bother?
Causes of data breaches
OWASP Top ten attacks
Now what?
Do it yourself
Questions?
In many cases the web application stores:
- Credit card details
- Personal information
- Passwords that might also be used elsewhere
The media like hacks; your company doesn't.
Governments want to enforce data protection:
- USA
- NL: Meldplicht Datalekken (mandatory data breach notification)
- EU will follow soon(?)
Your company doesn't like that.
In many cases caused by technical issues:
- Poor or no input filtering
- Outdated software with known weaknesses
- Weak passwords
Non-techies are creating technical solutions:
- Click-and-play enterprise website
- Not aware of security issues
Techies are also not always aware. What about you?
In many cases the issues are quite easy to solve, if you know what to do.
The same issues keep coming back: people make the same mistakes over and over again.
Open Web Application Security Project (OWASP):
- Free and open
- Top Ten project: documents the 10 most critical web application security flaws
  http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Latest version: 2013
- Documents solutions, for all popular web application environments
E.g. a contact form forwards you to the home page after submitting your message:
http://www.example.com/redirect.jsp?url=/home.htm
Malicious URLs might be used instead:
http://www.example.com/redirect.jsp?url=malware.com
The victim downloads malware from an external site after submitting the form, on a link that started on a site they trust.
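An added example (not code from the slides) of the check that separates the two redirect.jsp calls above: the only safe targets are ones that stay on the application's own host. The host www.example.com is taken from the slide; everything else (the tests for scheme-relative URLs, userinfo tricks and backslashes) is an assumption about what a hardened redirect should reject.

```python
from urllib.parse import urljoin, urlparse

# Assumed host of the application; the slides only show it inside a URL.
APP_HOST = "www.example.com"


def is_safe_redirect(target, app_host=APP_HOST):
    """Return True only if `target` keeps the user on `app_host`.

    Rejected: absolute URLs to other hosts, scheme-relative URLs (//evil),
    non-http(s) schemes (javascript:), userinfo tricks (https://app@evil)
    and backslashes, which some browsers read as forward slashes.
    """
    if not target or "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    # Resolve against the site root so relative paths stay local, then compare
    # hostnames (hostname strips userinfo and port and lower-cases the name).
    resolved = urlparse(urljoin("https://%s/" % app_host, target))
    return resolved.scheme in ("http", "https") and resolved.hostname == app_host


def redirect_vulnerable(url):
    # The pattern on the slide: whatever ?url= holds goes straight into Location.
    return {"status": 302, "Location": url}


def redirect_hardened(url, default="/home.htm"):
    # Fall back to a fixed local page instead of bouncing to an external site.
    return {"status": 302, "Location": url if is_safe_redirect(url) else default}


if __name__ == "__main__":
    for u in ("/home.htm", "http://malware.com", "//malware.com", "javascript:alert(1)"):
        print(u, "->", redirect_hardened(u)["Location"])
```

A relative target such as `malware.com` without a scheme is accepted, because the browser resolves it to /malware.com on the same host; the dangerous forms are the ones with a scheme or a leading `//`.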
Keep your software up-to-date. Patching doesn't stop at operating system level!
- Database
- Web server
- Libraries
Lots of automated tools are available:
- Mapping: nmap, ...
- Scanning: Nessus, Nexpose, ...
- Exploiting: Metasploit, Canvas, ...
Script kiddies can and will do this!
Cross Site Request Forgery: inject code that
- runs in the victim's browser
- opens a request to a vulnerable third-party service, using the victim's credentials (the browser attaches the session cookie automatically)
Example: insert a money transfer in a page
- Forum post
- Email message (phishing)
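The money-transfer example above, worked through as an added example (not code from the slides): a forged POST carries Alice's session cookie, so a handler that authenticates on the cookie alone executes it; a handler that also demands a per-session token rejects it, because the attacker's page cannot read that token across origins. The session store, balances and field names are assumptions.

```python
import hmac
import secrets
from hashlib import sha256

# Assumed server-side state; the slides describe the attack, not an application.
SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret
SESSIONS = {"sess-alice": "alice"}          # session cookie value -> user


def csrf_token(session_id):
    # Token bound to the session; a page on another origin cannot read it,
    # so a forged form cannot include the right value.
    return hmac.new(SERVER_KEY, session_id.encode(), sha256).hexdigest()


def transfer(request, balances, require_token):
    """Money transfer handler; `require_token=False` is the vulnerable variant."""
    user = SESSIONS.get(request["cookie"])
    if user is None:
        return "401 not logged in"
    if require_token:
        expected = csrf_token(request["cookie"])
        submitted = request["form"].get("csrf_token", "")
        if not hmac.compare_digest(expected, submitted):   # constant-time compare
            return "403 missing or bad CSRF token"
    amount = int(request["form"]["amount"])
    to = request["form"]["to"]
    balances[user] -= amount
    balances[to] = balances.get(to, 0) + amount
    return "200 transferred"


def forged_form_html(target="https://bank.example/transfer"):
    # What the attacker embeds in a forum post or phishing mail (assumed markup):
    # the browser submits it with the victim's cookie, no user action needed.
    return (
        '<form id="f" method="POST" action="%s">'
        '<input type="hidden" name="to" value="mallory">'
        '<input type="hidden" name="amount" value="500"></form>'
        "<script>document.getElementById('f').submit()</script>" % target
    )


# The request that form produces when Alice's browser loads the attacker's page.
FORGED = {"cookie": "sess-alice", "form": {"to": "mallory", "amount": "500"}}

if __name__ == "__main__":
    print(transfer(FORGED, {"alice": 1000}, require_token=False))
    print(transfer(FORGED, {"alice": 1000}, require_token=True))
```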
Server-side authorization checks are not performed on all actions.
Attacks:
- Escalate from anonymous user to authenticated user
- Escalate from authenticated user to admin
Examples:
- If /users/user1/show_accounts/ exists, it might be worth checking whether /users/usern/show_accounts/ also exists
- Difficult to identify with automated tools
Hidden and unchecked parameter: add this to the POST data when updating a user:
&ctl00%24contentplaceholder1%24dvuser%24cbxuseradmin=on
(%24 is a URL-encoded "$", so this is the ASP.NET control ctl00$contentplaceholder1$dvuser$cbxuseradmin: a checkbox the form hides from normal users but the server still honours)
The problem can also occur with secret files:
Secure transport: sending sensitive information over an unencrypted link
- No encryption / obfuscation
- Weak encryption
- Downgrade attacks
Check for no encryption / obfuscation: sniff the data. A captured plaintext request; the Proxy-Authorization header is base64, not encryption, and decodes to the credentials:

    GET http://target/install.pgsql.txt HTTP/1.0
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
    Host: target
    Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx=
    Connection: Close
    Pragma: no-cache
    Referer: http://target/robots.txt
Secure transport: weak transport encryption
- Allowed SSL ciphers: known flaws in SSLv2/3, and SSLv2/3 are still enabled in many cases
- Weak ciphers can be cracked. Check what a server still accepts when the client refuses TLS 1.0 (with a 2013-era OpenSSL this leaves only SSLv2/3; newer builds also need -no_tls1_1 -no_tls1_2 to force that):

    openssl s_client -no_tls1 -connect www.google.com:443

- Weak algorithms, e.g. MD5, SHA-1
Secure transport: downgrade attacks
- Strip the SSL layer: sslstrip
  http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
  http://www.youtube.com/watch?v=dd5qgs-5c0i
- Hijack e.g. Facebook and Twitter sessions: Firesheep
  http://codebutler.github.com/firesheep/
  http://www.youtube.com/watch?v=o3nam8og1wm
Secure storage:
- Not encrypting sensitive data
- Using home-grown algorithms
- Insecure use of strong algorithms
- Continued use of proven weak algorithms (MD5, SHA-1, RC4, ...)
- Hard-coded keys, and storing keys in unprotected environments
Real-life example (screenshot of two stored password values, <password>1 and <password>2, captioned "same passwords" and "different length passwords"): equal passwords produce equal stored values, and the stored value grows with the password length, which no real hash would show.
How to decode the passwords?
- Create your own account
- Password = aaaaaaaa: stored password "hash", e.g. \01\02\03\04\05\06\07\08
- Password = bbbbbbbb: stored password "hash", e.g. \02\03\04\05\06\07\08\09
- Etc.
- Find the link between password and "hash": every byte is the character's position in the alphabet plus its position in the string
- Write a decoder (the slide's pseudocode; "alfabet" maps a position back to a character):

    for (i = 0; i < in.length(); i++)
        print (alfabet(in.position(i) + i))

- Decode all passwords
- Dump sensitive information
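The chosen-plaintext procedure above, as an added example (not the slide author's code): register aaaaaaaa and bbbbbbbb, confirm that the stored bytes step by one inside a value and by one between the two values, and then run the decoder over a dump. The alphabet, the dumped rows and the PBKDF2 replacement are assumptions; the scheme itself is the one the slide reconstructs, with the decoder subtracting the per-position offset the encoder added.

```python
import hashlib
import os
import string

# Assumed character set of the application (the slides do not state it).
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def homegrown_encode(password):
    """The scheme the slide reconstructs: stored[i] = alphabet position (1-based) + i."""
    out = []
    for i, c in enumerate(password):
        v = ALPHABET.index(c) + 1 + i
        if v > 255:
            raise ValueError("password too long for this scheme")
        out.append(v)
    return bytes(out)


def homegrown_decode(blob):
    # Inverse of the encoder: strip the position offset, look the character up.
    return "".join(ALPHABET[b - 1 - i] for i, b in enumerate(blob))


def is_position_shift(stored_a, stored_b):
    """Chosen-plaintext check on the stored values of 'aaaaaaaa' and 'bbbbbbbb'.

    Two properties give the scheme away: inside one value consecutive bytes
    rise by exactly 1 (the +i), and the two values differ by exactly 1 in
    every byte (one alphabet step). A real hash shows neither.
    """
    steps_ok = all(stored_a[i + 1] - stored_a[i] == 1 for i in range(len(stored_a) - 1))
    shift_ok = len(stored_a) == len(stored_b) and all(b - a == 1 for a, b in zip(stored_a, stored_b))
    return steps_ok and shift_ok


def decode_all(rows):
    # rows: iterable of (username, stored bytes) as pulled from the database.
    return {user: homegrown_decode(blob) for user, blob in rows}


def proper_store(password, salt=None):
    # What should have been used instead: salted, deliberately slow hashing.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed rows standing in for the dumped table on the slide.
DUMP = [("alice", homegrown_encode("Welkom01")), ("bob", homegrown_encode("secret"))]

if __name__ == "__main__":
    a, b = homegrown_encode("aaaaaaaa"), homegrown_encode("bbbbbbbb")
    print(a, b, is_position_shift(a, b))
    print(decode_all(DUMP))
```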
Out-of-the-box installs: next, next, next, finish.
Find them using Google:
- Web front-end for Oracle: intitle:isql intitle:release inurl:isqlplus
- Indexing of sensitive information:
  intitle:"index of" .mysql_history
  filetype:pdf paspoortnummer koopcontract
  filetype:sql "phpMyAdmin SQL Dump"
Many, many useful Google dorks online: http://www.hackersforcharity.org/ghdb/
Default passwords: http://www.phenoelit-us.org/dpl/dpl.html
- iPhone botnet: default SSH root password left in place after jailbreaking
- Routers
Insecure direct object references: the user can access and modify object values.
Example:
- Log in using your credentials
- A link refers to http://app/details?userid=1
- Script the download of all files: userid=[1-9999]
- Hashing the id doesn't help: a lookup table covers every possible value, e.g. http://tools.benramsey.com/md5/
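The enumeration above and the "hashing doesn't help" point, as an added example (not code from the slides): a scraper walks userid=1..9999 against a handler that only checks the session, a second handler that checks ownership stops it, and a 9999-entry MD5 table reverses a hashed id instantly. The records and session table are constructed.

```python
import hashlib

# Constructed data; the slides only show http://app/details?userid=1.
DETAILS = {1: "alice: account 1001", 2: "bob: account 1002", 3: "carol: account 1003"}
OWNER_OF_SESSION = {"sess-alice": 1}


def md5_id(userid):
    # "Obscured" id as some applications emit it in links.
    return hashlib.md5(str(userid).encode()).hexdigest()


def reverse_md5_id(digest, max_id=9999):
    """Why hashing the id does not help: 9999 candidates, one dictionary lookup."""
    table = {md5_id(i): i for i in range(1, max_id + 1)}
    return table.get(digest)


def details_vulnerable(session, userid):
    # Authenticates the session but never checks that the object belongs to it.
    if session not in OWNER_OF_SESSION:
        return None
    return DETAILS.get(userid)


def details_hardened(session, userid):
    # The reference is checked against the session's own user, on the server.
    owner = OWNER_OF_SESSION.get(session)
    if owner is None or owner != userid:
        return None
    return DETAILS.get(userid)


def scrape_all(session, fetch, id_range=range(1, 10000)):
    # The slide's "script download of all files userid=[1-9999]".
    found = {}
    for i in id_range:
        record = fetch(session, i)
        if record is not None:
            found[i] = record
    return found


if __name__ == "__main__":
    print(scrape_all("sess-alice", details_vulnerable))
    print(scrape_all("sess-alice", details_hardened))
    print(reverse_md5_id(md5_id(4242)))
```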
Cross Site Scripting: execute scripts in the victim's browser to
- Hijack user sessions
- Deface web sites
- Insert hostile content
- Conduct phishing attacks
- Take over the user's browser using scripting malware
In most cases JavaScript based; also applicable to other scripting languages.
Two types:
- Reflected: code injected by e.g. sending a phishing email
  victim.com/get.php?id=<script>alert(123)</script>
  E.g. one phishing email per attack
- Stored: evil code is stored in the database; store once, run for all users
  E.g. store <script>alert(123)</script> in the record for the welcome message of a CMS
Advanced tools are out there to abuse flaws, e.g. tunnel traffic using XSS:
http://www.portcullis-security.com/uplds/whitepapers/xsstunnelling.pdf
http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip
Broken authentication and session management
Predictable session IDs allow an attacker to:
- Disconnect all users
- Hijack existing sessions
Weak implementations typically use:
- Sequential numbers
- A hash of sequential numbers
- Time elapsed since the start of the server / service
Real-life example: a session ID made of two numbers that turn out to be milliseconds elapsed since a reference time (output of a small helper program that prints the differences):

    C:\tmp>java DateDiff
    Current milliseconds since 13 Oct, 2008 are:1290008271842
    sessionsid part 2: 695042 ms = 695 sec = 11 min = 0 hours = 0 days
    sessionsid part 2: 216006786 ms = 216006 sec = 3600 min = 60 hours = 2 days
    sessionsid part 2: 218364694 ms = 218364 sec = 3639 min = 60 hours = 2 days
    sessionsid part 2: 218708589 ms = 218708 sec = 3645 min = 60 hours = 2 days
    sessionsid part 2: 218964423 ms = 218964 sec = 3649 min = 60 hours = 2 days
    sessionsid part 2: 219049296 ms = 219049 sec = 3650 min = 60 hours = 2 days
    Boot time in ms = 1292191288000
    sessionsid part 1: 3467281656 ms = 3467281 sec = 57788 min = 963 hours = 40 days
    Reference time for part 1 = 1286540990186 + ms = date Fri Oct 08 14:29:50 CEST 2010
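An added example (not the DateDiff program from the slide) of the test behind that output: collect session IDs together with the wall-clock time they were issued and see whether the ID grows at a constant rate with time. The capture times are constructed so that the "part 2" values equal the first five numbers on the slide relative to the boot time shown there; the second ID set is made-up random-looking data for contrast.

```python
# Constructed samples: capture time in ms since the epoch, paired with the
# numeric session-ID part. The boot time is the one printed on the slide.
BOOT_MS = 1292191288000
CAPTURES_MS = [1292191983042, 1292407294786, 1292409652694, 1292409996589, 1292410252423]

TIME_BASED_IDS = [t - BOOT_MS for t in CAPTURES_MS]       # 695042, 216006786, ...
RANDOM_IDS = [0x9F3C1A7B2E44D015, 0x1C0A99E3B7F26D80, 0xE7B41D5C03A8F9A2,
              0x5A2F8C6D1E09B734, 0xB0D64E2A7C158F91]      # made up, not a real capture


def drift_ratios(captures_ms, ids):
    """Change in ID per millisecond of wall-clock time between consecutive captures."""
    pairs = list(zip(captures_ms, ids))
    return [(i2 - i1) / (t2 - t1) for (t1, i1), (t2, i2) in zip(pairs, pairs[1:])]


def looks_clock_derived(captures_ms, ids, tolerance=0.05):
    """True if the ID grows at a steady, positive rate with time.

    A clock- or counter-based ID gives a near-constant positive ratio
    (1.0 for milliseconds, 0.001 for seconds, any fixed step for a counter);
    random IDs give ratios of arbitrary sign and size.
    """
    ratios = drift_ratios(captures_ms, ids)
    if not ratios or min(ratios) <= 0:
        return False
    return (max(ratios) - min(ratios)) / max(ratios) <= tolerance


def predict_id(captures_ms, ids, at_ms):
    """Extrapolate the ID handed out at `at_ms` from the observed rate.

    With a clock-derived ID this, plus a small search window around the
    prediction, is all an attacker needs to hijack another user's session.
    """
    rate = sum(drift_ratios(captures_ms, ids)) / (len(ids) - 1)
    return round(ids[-1] + rate * (at_ms - captures_ms[-1]))


if __name__ == "__main__":
    print("time based:", looks_clock_derived(CAPTURES_MS, TIME_BASED_IDS))
    print("random:    ", looks_clock_derived(CAPTURES_MS, RANDOM_IDS))
    print("next id in 60 s:", predict_id(CAPTURES_MS, TIME_BASED_IDS, CAPTURES_MS[-1] + 60000))
```

The fix is not a better formula: session IDs must come from a cryptographically secure random source with enough bits (OWASP's guidance is at least 128) that no sample of issued IDs lets you compute the next one.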
SQL injection (also applicable to other query languages): user input is used directly in a query, which allows manipulation of the database query.
- User input: search = jeroen
  Backend uses: select details from users where name='jeroen'
- Attacker input: search = jeroen' or 1=1--
  Backend uses: select details from users where name='jeroen' or 1=1--'
  Displays all records (the -- comments out the rest of the query)
Advanced tools are out there to abuse flaws:
- File upload
- File download
- OS command execution
sqlmap: http://sqlmap.sourceforge.net/
http://www.youtube.com/watch?v=ylttglskrgu
Tunnel a shell over HTTP using SQL injection!
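The query on the slide, run both ways as an added example (not code from the slides) against an in-memory SQLite table: string concatenation lets `jeroen' or 1=1--` return every row and a UNION pull other columns, while a parameterised query treats the same input as a name that matches nothing. The users table and its rows are constructed.

```python
import sqlite3

# Constructed rows standing in for the users table on the slide.
ROWS = [("jeroen", "details of jeroen"), ("alice", "details of alice"), ("bob", "details of bob")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (name text, details text)")
    db.executemany("insert into users values (?, ?)", ROWS)
    return db


def search_vulnerable(db, search):
    # User input pasted straight into the query string, as on the slide.
    sql = "select details from users where name='%s'" % search
    return [row[0] for row in db.execute(sql)]


def search_parameterised(db, search):
    # The value travels separately from the SQL text; quotes and "--" are just data.
    return [row[0] for row in db.execute("select details from users where name=?", (search,))]


PAYLOAD = "jeroen' or 1=1--"                     # the slide's attacker input
UNION_PAYLOAD = "x' union select name from users--"   # pull a different column instead

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", search_vulnerable(db, PAYLOAD))
    print("union:        ", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterised:", search_parameterised(db, PAYLOAD))
```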
Detection:
- Detection of well-known attacks using an IDS
- Check web server logs
- Check network flows
- Difficult to detect all attacks!
Prevention:
- Use good practices
  http://www.owasp.org/index.php/category:owasp_guide_project
- Review and/or test the application before going live
  - Source code review
    http://www.owasp.org/index.php/category:owasp_code_review_project
  - Penetration test
    http://www.owasp.org/index.php/category:owasp_testing_project
    http://www.owasp.org/index.php/appendix_a:_testing_tools
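"Check web server logs", as an added example (not from the slides): a small classifier run over constructed access-log lines that replay the attacks from this deck. The log lines, the rule set and the field layout (Apache/nginx "combined" format) are assumptions; note the last line, the /users/usern/ authorization probe, produces no hit, which is the point the deck makes about access-control flaws being hard to find automatically.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines covering the attacks in this deck; not real captures.
LOG = """\
10.0.0.5 - - [17/Nov/2010:10:15:01 +0100] "GET /search.php?q=jeroen HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Nov/2010:10:15:07 +0100] "GET /search.php?q=jeroen%27+or+1%3D1-- HTTP/1.1" 200 48213 "-" "sqlmap/1.0"
10.0.0.9 - - [17/Nov/2010:10:15:09 +0100] "GET /get.php?id=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Nov/2010:10:15:12 +0100] "GET /redirect.jsp?url=http://malware.com HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Nov/2010:10:15:20 +0100] "GET /install.pgsql.txt HTTP/1.0" 200 9120 "-" "Mozilla/4.0"
10.0.0.9 - - [17/Nov/2010:10:15:30 +0100] "GET /users/user2/show_accounts/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method url proto" status bytes "referer" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signature rules; matched against the URL-decoded request, or the User-Agent
# for the scanner rule. Signatures only catch the well-known patterns.
RULES = [
    ("sqli", re.compile(r"""(?i)['"]\s*or\s+1\s*=\s*1|union\s+select|--\s*$""")),
    ("xss", re.compile(r"(?i)<script|javascript:|onerror\s*=")),
    ("open-redirect", re.compile(r"(?i)[?&](url|next|redirect|return)=(https?:)?//")),
    ("scanner-ua", re.compile(r"(?i)sqlmap|nikto|nessus")),
    ("leftover-file", re.compile(r"(?i)/install\.[a-z.]*txt$|/\.mysql_history$")),
]


def classify(line):
    m = LINE.match(line)
    if not m:
        return None
    url = unquote_plus(m["url"])    # decode %27, %3C, '+' before matching
    hits = []
    for name, rx in RULES:
        haystack = m["ua"] if name == "scanner-ua" else url
        if rx.search(haystack):
            hits.append(name)
    return {"ip": m["ip"], "url": url, "status": m["status"], "hits": hits}


def suspicious(log_text):
    # Only the lines that triggered at least one rule.
    return [c for c in map(classify, log_text.splitlines()) if c and c["hits"]]


if __name__ == "__main__":
    for entry in suspicious(LOG):
        print(entry["ip"], entry["hits"], entry["url"])
```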
Hacking is not allowed: Wet Computercriminaliteit (the Dutch computer crime act). Testing without breaking in is also not allowed.
If you want to test your (organization's) apps, use a letter of authorization:
- Document the type of activities you will be performing
- Document the IPs that will be tested
- Signed by the system's owner
Hands-on hacking environment:
- Ten web-based levels
- Six platform-based levels
- In each level you can find a password; the password gives access to the next level
- You need to exploit a weakness to get the password
- Most OWASP Top Ten issues are included
- We'll show hints on the screen to help you, if needed ;)
- Work in teams
- We explicitly allow you to hack this system
More hands-on hacking:
- Hacking Exposed books: http://www.webhackingexposed.com/products.html
- Certified Ethical Hacker: https://www.eccouncil.org/certification/certified_ethical_hacker.aspx
J.C.vanBeek@uva.nl