CATION FLAWSCOMMON APPLI

Objective: Provide an overview of common application flaws: No ‘exploitation’ techniques: Discussion based, to provide an understanding: To provoke thinking

: Originally going to provide a Tokemon walkthrough: Won’t work over conference call

Back To Basics

Slide 2

Cross Site Scripting <script>alert()</script>

Injection Flaws: SQL, LDAP, XML, etc

File Execution: Scripting, RFI, shell execution

Direct Object Reference: /access.asp?record=##

Cross Site Request Forgery: Session riding, Accessing internal device

OWASP Top Ten Summary

Slide 3

Information Leakage and Error Handling: Every bit of information helps an attacker

Broken Authentication and Session Management: Login bypass, cookie manipulation

Insecure Cryptographic Storage: Static keys, Non seeded encryption

Insecure Communications: HTTP, Clear text internal web services

Failure to Restrict URL Access: /adminportal/adminfunction?action=adduser&user=me

OWASP Top Ten Summary

Slide 4

Comes from many places: Passed on the URL, or as a parameter: Passed in posted data, hidden fields: Passed in HTTP headers, referer: Cookie data, client certificates, files for import, etc..

User Supplied Input Is The Cause

Slide 5

THE USER CAN NOT BE TRUSTED... EVER

Validate ALL user input, server side: Cint(), isDate(), len() <= x, isAlphaNumeric() : Whitelist, NOT blacklist: Decode input, in the correct order, and in the right case

Filter Output at use: Different uses of data, require different filters

function cleanrequest(theID)theID = lcase(theID)if instr(theID,";") > 0 then

theID = left(theID,instr(theID,";")-1)end ifif instr(theID,"exec ") > 0 then

theID = left(theID,instr(theID,"exec ")-1)end if

Faulty Filters Worse Than No Filters

Slide 6

Function To Filter User Input

Looks For The Use Of A Semi Colon

Looks For The Term exec followed by a

space

This Filter Can Be Bypassed By Using A Tab Character As A Separator/page.aspx?theID=1%09exec%09xp_cmdshell ‘serverpwnage.exe’;

/page.aspx?theID=1;exec xp_cmdshell ‘serverpwnage.exe’;

function displayText(htmlInput)htmlInput=str_ireplace("script", "",htmlInput)echo htmlInput

Faulty Filters Worse Than No Filters

Slide 7

Function To Display User Input

Looks For The Term script And

Remove ItDisplay The

Filtered Data

These Types Of Filters Are Just Rubbish!/page.php?htmlInput=<sscriptcript>alert()</sscriptcript>

/page.php?htmlInput=<script>alert()</script>

Robots.txt / Sitemap.xml: Often reveal more than they should: Spiders don’t have to obey

Things that don’t belong: Site archives: .svn trees: .inc, .cfg, .txt, bak, .backup: Admin portals: ‘hidden’ paths: Virtual sites

The Clean Server

Slide 8

Don’t Want It Indexed?Don’t Link It!

Don’t Want It Found?Don’t Put It There

http://www.owasp.org/_admin/http://www.owasp.org/_database/http://www.owasp.org/_debug/http://www.owasp.org/_debuglogs/http://www.owasp.org/_includes/http://www.owasp.org/admin/http://www.owasp.org/adminportal/http://www.owasp.org/adminsite/http://www.owasp.org/console/http://www.owasp.org/backups/http://www.owasp.org/logs/http://www.owasp.org/maintentance/http://www.owasp.org/sites/http://www.owasp.org/sysadmin/http://www.owasp.org/admin/admin.http://www.owasp.org/admin/admin.asphttp://www.owasp.org/admin/admin.bakhttp://www.owasp.org/admin/admin.inchttp://www.owasp.org/admin/admin.loghttp://www.owasp.org/admin/admin.jsphttp://www.owasp.org/admin/admin.phphttp://www.owasp.org/admin/adminpage.http://www.owasp.org/admin/adminpage.asphttp://www.owasp.org/admin/adminpage.bakhttp://www.owasp.org/admin/adminpage.inchttp://www.owasp.org/admin/adminpage.jsphttp://www.owasp.org/admin/adminpage.php

Manipulation of the SQL query string

Becomes

Or

SQL Injection

Slide 9

sqlString=select * from users where name =‘+userinput’+’and password=‘+userinput

select * from users where name =‘admin’;--and password=‘anything’

select * from users where name =‘admin’ and password=‘anything’ or ‘1’=‘1’

Syntax Grouping

Where(name =‘admin’) (and

(password=‘anything’) or (‘1’=‘1’)

)

Syntax Grouping

Use parameterized queries: asp, .net, java, php, python, flex?Use stored procedures: Type cast variables: Don’t use dynamic SQL inside procedure: Often seen in ‘search’ procedures: Use the QuoteName function

SQL Injection

Slide 10

Yes. Of course your flash application

can be vulnerable to injection attacks

DO NOT BUILD SQL STATEMENTS DYNAMICALLY

SELECT @SQL = 'SELECT * from USERS WHERE NAME ='+ @UsernameEXEC @SQL

Application vs SQL: The form data is stored varies between the two

MySQL: MySQL will truncate data during an insert

: PHP asks MYSQL “Any users by this name?”: MYSQL responds “No, I don’t know that person”: PHP says “Ok add a user by this name”: MYSQL says “Sure, his name is too long I’ll shorten it for you”

SQL Truncation Attacks

Slide 11

Column Size

Name 100

.. ..

User=“admin<100spaces>x”

GEE THANKS

MSSQL: Data is truncated when calling stored procedures

: SQL returns record for admin

: Data mailed to both admin and attacker

SQL Truncation Attacks

Slide 12

User=“admin@site.com<100spaces>;attacker@home.com”

Create procedure [FindUser]@username VARCHAR(100)

...Input To A Forgotten Password Page

Parameter Has A Length 100

Stored within the webroot: /dbase/dbase.mdb: Flat files etc..

Running as ROOT or SYSTEM: Or worse... A domain account

Encryption Of Data: If the server or application is compromised, is the data?

: Unique record ID of the user account: User supplied password

Databases

Slide 13

Don’t Use A Static Key Do Seed With User Specific Data

Microsoft Used To Recommend This.....

Encryption is difficult: Do NOT roll your own XOR based encryption scheme: BASE64 is not encryption

Weakness is in the implementation: Verify your data is getting encrypted: Use one way encryption for passwords

Storing the secrets: Database credentials should never be stored clear text: Encryption keys should not be stored in accessible configs

Cryptography

Slide 14

Often vulnerable to spam attacks: SMTP is a text based protocol: CR/LF pairs and new command can be inserted

Normal communication with SMTP server

Application Email

Slide 15

Mail From: <feedback@foo.co.nz>Rcpt To: <user@user.co.nz>DataSubject: This is a test email.quit

Injection through recipient field: user@user.co.nz>%0a%0drset%0a%0dMail From: <spam@foo.....

Modified communication with SMTP server

Application Email

Slide 16

Mail From: <website@foo.co.nz>Rcpt To: <user@demo.co.nz>rsetMail From: <spam@foo.co.nz>Rcpt To: <newrecipient@host.co.nz>DataSubject: This is a spam emailblah blah spam spam.quit

RESET Injected

New Details Injected

The sending of user supplied input to the browser

: More than alert()

Reflective: Code passed as a parameter, usually on the URL

Persistent: Code stored and then displayed to user

Consequences: Cookie theft: Site interaction: Web application worms

Cross Site Scripting

Slide 17

JavaScript is a powerful

programming language

Example flaw: echo “hello “.$_GET[‘username’].”welcome to the site”

Normal output: <html>hello Brett welcome to the site</html>

Exploit output: <html>hello <script>alert()</script> welcome ...</html>

Cross Site Scripting

Slide 18

Insert Any JavaScript Or Script Inclusion

Widely Known, Well Explained, Still Exists In

Most Applications

Cross Site Request Forgery: Attacking site causes browser to make a request to target

User logs into banking.co.nz: banking.co.nz sets an authentication cookie: User leaves but doesn’t log out

User browses to attacking site: Attacking site creates a post to banking.co.nz: Users browser sends cookie with post: Browser is already authenticated

CSRF

Slide 19

Defence: Each post must contain a random parameter value

CSRF

Slide 20

Site redirection: User supplied input used as target page

: Can be used in phishing and scam attacks

Page inclusion: User supplied input use as source for frame, iframe, image

Other Related Attacks

Slide 21

http://site.com/login.php?redirect=<value>Microsoft Still Do

This In Versions Of OWA

<frameset> <frame src="topbar.html"> <frameset> <frame src="<%=request("page")%>"> </frameset></frameset>

External Content Displayed In Browser

Don’t store credentials in the cookie: Set-cookie: user=admin

Set the cookie path: Specifies which part of the application the cookie is sent to

Cookie Security

Slide 22

This Sort Of Thing Still Happens!

http://Application

Secured Blog Posting Sectionhttp://Application/secure/login

Insecure General Sectionhttp://Application/general/read

Requires AuthCookie Set

If The Cookie Path Is Not SetA Vulnerability In The General Section Can Read The Secure Section Cookie

Set the SECURE flag: Prevents the cookie been sent in HTTP requests: Cookie sent even if target site not listening on HTTP

Set the HTTPOnly Flag: Prevents access to the cookie through JavaScript: Defence against cross site scripting

Cookie Security

Slide 23

Attacker Needs Access To Sniff

The Traffic

File uploading is dangerous: Provides the ability for the user to create data on server: Usual attacks involve uploading a script file for access

Check the file extension: Check the portion after the last .: Compare against WHITELIST

Check the file data: Valid graphic, csv, numeric data

Store as blob in database: Do NOT store as raw file under webroot

File Uploading

Slide 24

Beware The NULL (%00) byte

Local file include: Occurs when user can affect or supply a file path: Leads to disclosure of source and other sensitive items

Remote file include: Occurs in PHP (usually), when an HTTP reference is provided: Is disabled in modern versions of PHP

.Net LoadControl: Can be used to load arbitrary controls that exist on server

If you must accept paths from a user: Reject anything that is suspect. Ie; ../../ ..\..\ %xx

File Include Attacks

Slide 25

http://site.com/help.jsp?helppage=/help/index.html

What is wrong with these?

Configuration

Slide 26

<Limit GET> order deny,allow deny from all allow from 203.10.1.104 allow from 192.168.1.1</Limit>

<location path=“admin.aspx“> <system.web> <authorization> <deny users="?"/> </authorization> </system.web></location>

.htaccess Web.config

www.insomniasec.com