Stopping Automated Application Attack Tools

Similar documents
Penetration Test Report

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Combating Common Web App Authentication Threats

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

HTTP Protocol and Server-Side Basics

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Web Application Penetration Testing

CSWAE Certified Secure Web Application Engineer

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Hyperlinks, Tables, Forms and Frameworks

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Threat Landscape 2017

Automated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation

s642 web security computer security adam everspaugh

Penetration Testing. James Walden Northern Kentucky University

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Web Security: Vulnerabilities & Attacks

HashCookies A Simple Recipe

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

EasyCrypt passes an independent security audit

Introduction to Ethical Hacking

CS 142 Winter Session Management. Dan Boneh

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

How to perform the DDoS Testing of Web Applications

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Applications & Application-Layer Protocols: The Web & HTTP

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

MBFuzzer - MITM Fuzzing for Mobile Applications

Some Facts Web 2.0/Ajax Security

Lab 5: Web Attacks using Burp Suite

Certified Secure Web Application Engineer

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Progress Exchange June, Phoenix, AZ, USA 1

PRODUCT DOCUMENTATION. Installing and Implementing Enterprise Contact Center Chat RELEASE 5.1

JOE WIPING OUT CSRF

Umbra. Embedded Web Security through Application-Layer Firewalls. 1st Workshop on the Security of Cyber-Physical Systems 22 September 2015

Curso: Ethical Hacking and Countermeasures

Introduction to HTTP. Jonathan Sillito

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Penetration Testing with Kali Linux

RiskSense Attack Surface Validation for Web Applications

Dynamic Documents. Kent State University Dept. of Math & Computer Science. CS 4/55231 Internet Engineering. What is a Script?

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

Proxying. Why and How. Alon Altman. Haifa Linux Club. Proxying p.1/24

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

Security implications of the Cross-Origin Resource Sharing. Gergely Revay

AppSpider Enterprise. Getting Started Guide

JOE WIPING OUT CSRF

Web Application Security GVSAGE Theater

Ethical Hacking and Prevention

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

Web Security, Part 2

Cross Site Request Forgery

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Lecture 6: Web Security CS /17/2017

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

3. WWW and HTTP. Fig.3.1 Architecture of WWW

Business Logic Attacks BATs and BLBs


Preparing for the Cross Site Request Forgery Defense

GOING WHERE NO WAFS HAVE GONE BEFORE

Computer Networks - A Simple HTTP proxy -

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Server-Side Web Programming: Python (Part 1) Copyright 2017 by Robert M. Dondero, Ph.D. Princeton University

Web Security, Summer Term 2012

Web Security, Summer Term 2012

CS System Security 2nd-Half Semester Review

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

HTTP Reading: Section and COS 461: Computer Networks Spring 2013

Chapter 4 Sending Data to Your Application

Solutions Business Manager Web Application Security Assessment

Cross-Site Request Forgery in Cisco SG220 series

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Beyond Blind Defense: Gaining Insights from Proactive App Sec

LAMP, WEB ARCHITECTURE, AND HTTP

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Portcullis Computer Security.

Securing The Apache Web Server. Matthew Cook

How to configure the UTM Web Application Firewall for Microsoft Lync Web Services connectivity

Self-Learning Systems for Network Intrusion Detection

The HTTP Protocol HTTP

Copyright

COSC 2206 Internet Tools. The HTTP Protocol

WFUZZ! for Penetration Testers! Christian Martorella & Xavier Mendez! SOURCE Conference 2011! Barcelona!

Project 2 Implementing a Simple HTTP Web Proxy

Andrés Riancho sec.com H2HC, 1

A framework to 0wn the Web - part I -

Application security : going quicker

Configuring User Defined Patterns

PHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages

CS105 Perl: Perl CGI. Nathan Clement 24 Feb 2014

Transcription:

Stopping Automated Application Attack Tools Black Hat 2006 - Amsterdam March, 2006 Gunter Ollmann Director of X-Force Internet Security Systems

Introduction Automated Attack Methods Common Protection Strategies Protection with Client-side Code Forcing a Client-side Overhead Thwarting Distributed and Future Attack Tools

Automated Attack Methods Greater is our terror of the unknown Titus Livius (59 BC 17 AD)

Automated Tool Functionality Most Common Methods: Copying or mirroring a complete site Navigating a site by scraping or Spidering Identifying files and scripts through CGI Scanning Brute Forcing of variables and submissions Intelligent manipulation of variables by Fuzzing

Functions: Mirroring Theft of intellectual property Repackaging of intellectual property Key component of criminal deception Man-in-the-middle attacks Phishing Identity theft

Functions: Site Scraping & Spidering Harvesting of email addresses for spam lists Social engineering attacks using personal data Fingerprinting server processes & software versions Understanding development techniques & bypasses Discovering hidden content Mapping of application functionality

Functions: CGI Scanning Discovery of administrative pages or directories Identifying historically vulnerable pages Default content or samples Spotting hidden directories or file paths Cross-platform shared web services File download repository locations Temporary file content or backups

Functions: Brute Forcing Brute force guess an important piece of data making use of the following: Extensive dictionaries Common file or directory path listings Information gathered through scraping & spidering Information gathered through CGI scanning Hybrid dictionaries catering for obfuscation Automatic character iteration

Functions: Fuzzing Buffer overflows Type conversion handling Cross-site scripting - XSS SQL injection File and directory path navigation Validation differences between client and server

Classes of Automated Tools Can be broken down into the following: Web Spiders CGI Scanners Brute Forcers Automatic Fuzzers Vulnerability Scanners

Common Protection Strategies There is no security on this earth; there is only opportunity Douglas MacArthur (1880-1964)

Server Host Renaming Changing the Server: response in the HTTP headers to stop some types of fingerprinting HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Location: http://www.example.com/pageishere.html Date: Fri, 01 Jan 2005 01:01:01 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 2005 01:01:01 GMT Content-Length: 1337

Blocking HEAD requests Any HTTP HEAD request is rejected. HEAD /index.html HTTP/1.0 Instead the tool must use: GET /index.html HTTP/1.0 Slower to make requests but the tool may drop the connection once the data is received

Use of the REFERER Field Make use of the HTTP REFERER field supplied by the client browser in the request GET /Next/ImGoingHere.html HTTP/1.1 Host: www.example.com Referer: http://www.example.com/iwashere.html Accept-Language: en-gb Content-Type: application/x-www-form-urlencoded Requires a method of validating a legitimate navigation path through the application

Content-type Manipulation Make use of the HTTP Content-Type defined in the server response or page contents HTTP/1.0 200 OK Location: http://www.example.com/imgoinghere.html Server: Microsoft-IIS/5.0 Content-Type: text/html Content-Length: 145 <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=koi8-r">

Content-type Manipulation Change the content page extension to anything even image formats HTTP/1.0 200 OK Location: http://www.example.com/imgoinghere.jpg Server: Microsoft-IIS/5.0 Content-Type: text/html Content-Length: 145

HTTP Status Codes Changing the status code of the response e.g. responding with a 200 OK instead of 404 File Not Found etc. Every request generates a message effectively saying the page requested exists

Client-side Redirection Focusing on tools that make use of: HREF= 200 OK responses HTTP/1.0 200 OK Server: Microsoft-IIS/5.0 Content-Type: text/html Refresh: 3;URL=http://www.example.com/ThisWay.html <META HTTP-EQUIV="Refresh" CONTENT="3;URL=http://www.example.com/ThisWay.html">

Thresholds & Timeouts Focusing on tools that can t handle state: Use of cookie SessionID s Monitoring of time between submissions and requests Lockout procedures Timeouts Triggered thresholds POST /Toys/IWantToBuy.aspx HTTP/1.1 Host: www.example.com Referer: http://www.example.com/toys/ilikethisone.aspx Accept-Language: en-gb Content-Type: application/x-www-form-urlencoded Content-Length: 437 Cookie: SessionID=sse9d7783790 Postcode=SW11%201SA&Var1=Yes&Var2=Yes&Account=';--<H1>

Onetime Links Focusing on tools that multithread submissions: Add tracking ID s to each URL Ensuring a single application navigation path Within page /BuyStageOne.aspx?track=1104569 http://www.example.com/index.aspx?track=1104569 http://www.example.com/buystagetwo.aspx?track=1104569 Within page /BuyStageTwo.aspx?track=1104570 http://www.example.com/index.aspx?track=1104570 http://www.example.com/buystagetwo.aspx?track=1104570 http://www.example.com/buystagethree.aspx?track=1104570

Honeypot Links Focusing on non human-readable links: Invalid links within HTML content hidden links such as web-bugs Coloured text <BODY BGCOLOR="white"> Valid Links <BR> <A HREF="http://www.example.com/index.html">Home</A><BR> <A HREF="../Toys/IWantOneOfThose.html">Mine!</A><BR> Invalid Link <BR> <!-- HREF="../Bad.HTML"> --> Hidden Link <BR> <FONT COLOR="white"><A HREF="../Bad2.HTML">hidden</A></FONT> </BODY>

Graphical & Audio Turing Tests Focusing on non machine-readable puzzles: Difficult to read text against OCR systems Inclusion of sound recordings

Protection with Client-side Code Security puts a premium on feebleness H.G.Wells

Strengths of Client-side Code Misconception of bypassing client-side code Bypassing is trivial, but not if you must execute it to do/calculate something that is validated at the server-side. Practically all current tools can t fully interpret scripting languages

Token Appending Simplest method No calculation, just string concatenation <SCRIPT LANGUAGE="javascript"> var token="0a37847ea23b984012" document.write("<a HREF='http://www.example.com/ NextPage.aspx?JSToken="+token+"'>Link</A>") </SCRIPT>

Token Appending <HTML> <HEAD> <TITLE>Example Post</TITLE> <SCRIPT> function addtoken() { document.myform.token.value="0a37847ea23b984012"; document.myform.submit(); } </SCRIPT> </HEAD> <BODY> <FORM NAME="myform" ACTION="http://www.example.com/BuyIt.aspx" METHOD="POST"> <INPUT TYPE="TEXT" NAME="ItemName" >Item Name<BR> <INPUT TYPE="RADIO" NAME="Buy" VALUE="Now">Now <INPUT TYPE="RADIO" NAME="Buy" VALUE="Later">Later<BR> <INPUT TYPE="HIDDEN" NAME="token" VALUE="Fail"> <INPUT TYPE="BUTTON" VALUE="SUBMIT" onclick="addtoken()"> </FORM> </BODY> </HTML>

Token Calculator Improved method Relies upon mathematical routines Can include complex routines that also incorporate other submission variables Harder to bypass using smart tools <HEAD> <TITLE>Example Post</TITLE> <SCRIPT TYPE="text/javascript" SRC="crc32.js"></SCRIPT> <SCRIPT TYPE="text/javascript" SRC="cookies.js"></SCRIPT> <SCRIPT> function encodetoken() { var token = document.myform.token.value; var cookie = getcookie("sessionid"); var page = location.pathname; document.myform.token.value = crc32(token + cookie + page); document.myform.submit(); } </SCRIPT> </HEAD>

Token Resource Metering Complex method Relies upon mathematical routines that require processing time to calculate Incurs an overhead at the client-side Something difficult to calculate by quick to validate

Forcing a Client-side Overhead Do, or do not. There is no try. Yoda ( The Empire Strikes Back )

Understanding Resource Metering Why not just use server-side wait states? Shift computational load to client Better in load-balancing infrastructure Break non-script-aware tools Force an attacker to write custom attack tools why not?

Understanding Resource Metering

Borrowing from HashCash

Thwarting Distributed and Future Attack Tools Never interrupt your enemy when he is making a mistake Napoleon Bonaparte (1769-1821)

Distributed Attack Tools What about Distributed attack tools? Multiple IP sources of attack Variable levels of computing power Master/slave configuration of DDoS agents Focus upon slowing down the attack Techniques that force single navigation threads Techniques that force a computational overhead Use of thresholds and invisible wait states

Protection Appliance? Application Firewalls Failed technology too complex & costly to setup Better value to pentest and code application securely Anti-tool Protection as an Appliance? Need to have zero or minimal configuration Proxy browser requests and server responses Rewrite server responses

Protection Appliance? Automated attack protection with an appliance? Server Host Renaming Yes Trivial Blocking of HEAD Requests Yes Trivial Use of REFERER Field Yes Easy Content-Type Manipulation Yes Easy HTTP Status Codes Yes Easy (with config.) Client-side Redirection Maybe Thresholds & Timeouts Yes Difficult (with config.) Onetime Links No Honeypot Links Yes Easy Touring Tests No Token Appending No Resource Metering Yes Medium (with config.)

Next Generation Automated Tools The next generation of tools will need to: Fully understand and parse client-side code Be highly customisable to each application Have some form of intelligence to make sense of server responses

Limitations of the Techniques There are limits to each and every technique. Consider the impact of: Slow computers Slow connections Shared connections and DHCP Alienation due to script language requirements Processing power Mobile computing devices

Future Research Areas Probable areas of future study: Tools that utilise second-order attacks and how they detect success Sandboxing of client-side code and execution to obtain HREF information Advances in automated responses to distributed attacks at the custom application level.

Thank You Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback