Common Application Flaws

Transcript

Page 1: COMMON APPLICATION FLAWS

Page 2: Back To Basics

- Objective: provide an overview of common application flaws
  - No 'exploitation' techniques
  - Discussion based, to provide an understanding
  - To provoke thinking
- Originally going to provide a Tokemon walkthrough
  - Won't work over conference call

Page 3: OWASP Top Ten Summary

- Cross Site Scripting: <script>alert()</script>
- Injection Flaws: SQL, LDAP, XML, etc.
- File Execution: scripting, RFI, shell execution
- Direct Object Reference: /access.asp?record=##
- Cross Site Request Forgery: session riding, accessing internal devices

Page 4: OWASP Top Ten Summary (continued)

- Information Leakage and Error Handling: every bit of information helps an attacker
- Broken Authentication and Session Management: login bypass, cookie manipulation
- Insecure Cryptographic Storage: static keys, non-seeded encryption
- Insecure Communications: HTTP, clear-text internal web services
- Failure to Restrict URL Access: /adminportal/adminfunction?action=adduser&user=me

Page 5: User Supplied Input Is The Cause

- Comes from many places:
  - Passed on the URL, or as a parameter
  - Passed in posted data, hidden fields
  - Passed in HTTP headers, e.g. the Referer
  - Cookie data, client certificates, files for import, etc.
- THE USER CAN NOT BE TRUSTED... EVER
- Validate ALL user input, server side:
  - Cint(), isDate(), len() <= x, isAlphaNumeric()
  - Whitelist, NOT blacklist
  - Decode input, in the correct order, and in the right case
- Filter output at use: different uses of data require different filters

Page 6: Faulty Filters Worse Than No Filters

Function to filter user input: it looks for the use of a semicolon, and for the term "exec" followed by a space, and truncates the input at whichever it finds.

    function cleanrequest(theID)
        theID = lcase(theID)
        if instr(theID, ";") > 0 then
            theID = left(theID, instr(theID, ";") - 1)
        end if
        if instr(theID, "exec ") > 0 then
            theID = left(theID, instr(theID, "exec ") - 1)
        end if
        cleanrequest = theID
    end function

The filter catches this request:

    /page.aspx?theID=1;exec xp_cmdshell 'serverpwnage.exe';

but it can be bypassed by using a tab character (%09) as the separator instead of a space:

    /page.aspx?theID=1%09exec%09xp_cmdshell 'serverpwnage.exe';

Page 7: Faulty Filters Worse Than No Filters

Function to display user input: it looks for the term "script", removes it, and displays the filtered data.

    function displayText($htmlInput) {
        $htmlInput = str_ireplace("script", "", $htmlInput);
        echo $htmlInput;
    }

These types of filters are just rubbish! The filter strips this request:

    /page.php?htmlInput=<script>alert()</script>

but a single pass of str_ireplace() only removes the inner "script", and what is left reassembles the tag:

    /page.php?htmlInput=<sscriptcript>alert()</sscriptcript>
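The two filters above, re-implemented here as an added example (not code from the original slides), beside the whitelist validation and output filtering at use that the earlier slide recommends; the inputs are the slides' own requests, URL-decoded (%09 is a tab):

```python
import html
import re
from typing import Optional

# Re-implementation of the classic-ASP cleanrequest() filter from the slide (assumed
# semantics: lower-case, then truncate at the first ";" and at the first "exec ").
def cleanrequest(the_id: str) -> str:
    the_id = the_id.lower()
    if ";" in the_id:
        the_id = the_id[:the_id.index(";")]
    if "exec " in the_id:
        the_id = the_id[:the_id.index("exec ")]
    return the_id

# Re-implementation of the PHP displayText() filter: one case-insensitive pass removing "script".
def display_text_filter(html_input: str) -> str:
    return re.sub("script", "", html_input, flags=re.IGNORECASE)

# Whitelist validation as the slides recommend: theID is a record number, so accept only
# a short run of digits and convert it; anything else is rejected rather than "cleaned".
ID_PATTERN = re.compile(r"^[0-9]{1,9}$")

def validate_id(the_id: str) -> Optional[int]:
    return int(the_id) if ID_PATTERN.match(the_id) else None

# Filter output at use: this value is going into an HTML body, so HTML-encode it there.
def display_text_safe(html_input: str) -> str:
    return html.escape(html_input, quote=True)

if __name__ == "__main__":
    # Constructed from the slide's two requests, URL-decoded.
    separated_by_space = "1;exec xp_cmdshell 'serverpwnage.exe';"
    separated_by_tab = "1\texec\txp_cmdshell 'serverpwnage.exe';"
    print(repr(cleanrequest(separated_by_space)))  # '1': truncated at the ";"
    print(repr(cleanrequest(separated_by_tab)))    # only the trailing ";" goes: no "exec " to match
    print(validate_id(separated_by_tab))           # None: not a record number, rejected
    print(validate_id("42"))                       # 42
    print(display_text_filter("<sscriptcript>alert()</sscriptcript>"))  # reassembles <script>
    print(display_text_safe("<script>alert()</script>"))                # inert in an HTML body
```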

Page 8: The Clean Server

- Robots.txt / Sitemap.xml: often reveal more than they should; spiders don't have to obey
- Things that don't belong:
  - Site archives
  - .svn trees
  - .inc, .cfg, .txt, .bak, .backup
  - Admin portals, 'hidden' paths
  - Virtual sites
- Don't want it indexed? Don't link it!
- Don't want it found? Don't put it there


Page 9: SQL Injection

Manipulation of the SQL query string. The query is built by concatenating user input:

    sqlString = "select * from users where name ='" + userinput + "' and password='" + userinput + "'"

Becomes:

    select * from users where name ='admin';-- and password='anything'

Or:

    select * from users where name ='admin' and password='anything' or '1'='1'

Syntax grouping: the injected or '1'='1' makes the whole where clause true, whatever the password:

    where (name ='admin') (and (password='anything') or ('1'='1'))

Page 10: SQL Injection

- Use parameterized queries: ASP, .NET, Java, PHP, Python, Flex? (Yes. Of course your Flash application can be vulnerable to injection attacks.)
- Use stored procedures:
  - Type cast variables
  - Don't use dynamic SQL inside the procedure; often seen in 'search' procedures
  - Use the QuoteName function
- DO NOT BUILD SQL STATEMENTS DYNAMICALLY:

    SELECT @SQL = 'SELECT * from USERS WHERE NAME =' + @Username
    EXEC (@SQL)
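Added example, not from the slides, contrasting the concatenated sqlString of the previous slide with a parameterized query. It uses an in-memory SQLite table constructed for the purpose and the slide's anything' or '1'='1 input entered as the password:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "s3cret"), ("brett", "hunter2")])
    return conn

def login_dynamic(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The slide's sqlString: user input concatenated straight into the SQL text."""
    sql = ("select * from users where name ='" + name +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterized query: values travel separately from the SQL, so quotes are data, not syntax."""
    sql = "select * from users where name = ? and password = ?"
    return conn.execute(sql, (name, password)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    injected = "anything' or '1'='1"   # the slide's second payload, entered as the password
    print(login_dynamic(conn, "admin", injected))        # both rows: the where clause is always true
    print(login_parameterized(conn, "admin", injected))  # []: no user has that literal password
    print(login_parameterized(conn, "admin", "s3cret"))  # [('admin', 's3cret')]
```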

Page 11: SQL Truncation Attacks

- Application vs SQL: how the form data is stored varies between the two
- MySQL: MySQL will truncate data during an insert
  - PHP asks MySQL "Any users by this name?"
  - MySQL responds "No, I don't know that person"
  - PHP says "Ok, add a user by this name"
  - MySQL says "Sure, his name is too long, I'll shorten it for you"

Column sizes:

    Name   100
    ..     ..

    User = "admin<100 spaces>x"

GEE THANKS

Page 12: SQL Truncation Attacks

- MSSQL: data is truncated when calling stored procedures
  - SQL returns the record for admin
  - Data mailed to both admin and attacker

Input to a forgotten password page:

    User = "[email protected]<100 spaces>;[email protected]"

The parameter has a length of 100:

    Create procedure [FindUser]
        @username VARCHAR(100)
    ...
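Added example, not from the slides, modelling the MySQL dialogue of the previous slide in Python: a 100-character column that silently truncates on insert (MySQL outside strict mode) and ignores trailing spaces on comparison (a PAD SPACE collation). The table is a constructed stand-in; the fix shown is an application-side length check before the existence query:

```python
COLUMN_SIZE = 100  # the slide's Name column: VARCHAR(100)

def store_as_varchar(value: str, size: int = COLUMN_SIZE) -> str:
    # Models MySQL outside strict mode: the value is silently cut to the column size.
    return value[:size]

def varchar_equal(stored: str, supplied: str) -> bool:
    # Models PAD SPACE comparison: trailing spaces are not significant.
    return stored.rstrip(" ") == supplied.rstrip(" ")

class UserTable:
    """Constructed stand-in for the users table."""
    def __init__(self):
        self.rows = []

    def find(self, name: str) -> list:
        return [r for r in self.rows if varchar_equal(r, name)]

    def insert(self, name: str) -> None:
        self.rows.append(store_as_varchar(name))

def register_vulnerable(table: UserTable, name: str) -> bool:
    # "Any users by this name?" is asked with the full, untruncated string...
    if table.find(name):
        return False
    table.insert(name)   # ...but the insert stores a truncated one.
    return True

def register_fixed(table: UserTable, name: str) -> bool:
    # Enforce the column limit in the application, before the database ever sees the value.
    if len(name) > COLUMN_SIZE or name != name.strip():
        return False
    return register_vulnerable(table, name)

if __name__ == "__main__":
    table = UserTable()
    table.insert("admin")
    attacker_name = "admin" + " " * 100 + "x"          # the slide's User="admin<100spaces>x"
    print(register_vulnerable(table, attacker_name))    # True: no match, so a second "admin" is created
    print(len(table.find("admin")))                     # 2: the login lookup now matches both rows
    fresh = UserTable()
    fresh.insert("admin")
    print(register_fixed(fresh, attacker_name))         # False: rejected before the query
```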

Page 13: Databases

- Stored within the webroot: /dbase/dbase.mdb, flat files etc.
- Running as ROOT or SYSTEM: or worse... a domain account
- Encryption of data: if the server or application is compromised, is the data?
  - Don't use a static key; do seed with user specific data:
    - Unique record ID of the user account
    - User supplied password
- Microsoft used to recommend this.....

Page 14: Cryptography

- Encryption is difficult:
  - Do NOT roll your own XOR based encryption scheme
  - BASE64 is not encryption
- Weakness is in the implementation:
  - Verify your data is getting encrypted
  - Use one way encryption for passwords
- Storing the secrets:
  - Database credentials should never be stored in clear text
  - Encryption keys should not be stored in accessible configs

Page 15: Application Email

- Often vulnerable to spam attacks:
  - SMTP is a text based protocol
  - CR/LF pairs and a new command can be inserted

Normal communication with the SMTP server:

    Mail From: <[email protected]>
    Rcpt To: <[email protected]>
    Data
    Subject: This is a test email
    .
    quit

Page 16: Application Email

Injection through the recipient field:

    [email protected]>%0a%0drset%0a%0dMail From: <spam@foo.....

Modified communication with the SMTP server:

    Mail From: <[email protected]>
    Rcpt To: <[email protected]>
    rset                                   <-- RESET injected
    Mail From: <[email protected]>          <-- new details injected
    Rcpt To: <[email protected]>
    Data
    Subject: This is a spam email
    blah blah spam spam
    .
    quit
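Added example, not from the slides, showing the defensive side of the two exchanges above: each address is whitelist-checked and refused if it carries the CR/LF bytes the injection relies on, and the client's SMTP lines are built only from fields that passed. The addresses and the injected recipient are constructed for the example:

```python
import re

# Bytes that would end the current field and start a new SMTP command (the slide's %0a%0d).
CONTROL_CHARS = re.compile(r"[\r\n\x00]")
# Whitelist shape for a single address: local-part@domain, no whitespace, no angle brackets.
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def validate_address(addr: str) -> str:
    """Return the address unchanged, or raise if it could break out of its field."""
    if CONTROL_CHARS.search(addr) or not ADDRESS.match(addr):
        raise ValueError("rejected address: %r" % addr)
    return addr

def is_valid_address(addr: str) -> bool:
    try:
        validate_address(addr)
        return True
    except ValueError:
        return False

def build_dialogue(mail_from: str, rcpt_to: str, subject: str, body: str) -> list:
    """Client side of the slide's SMTP exchange, built only from validated fields."""
    mail_from = validate_address(mail_from)
    rcpt_to = validate_address(rcpt_to)
    if CONTROL_CHARS.search(subject):
        raise ValueError("rejected subject: %r" % subject)
    # Dot-stuffing: a body line consisting of "." alone would end the Data section early.
    body_lines = [("." + ln if ln.startswith(".") else ln) for ln in body.splitlines()]
    return (["Mail From: <%s>" % mail_from, "Rcpt To: <%s>" % rcpt_to, "Data",
             "Subject: %s" % subject, ""] + body_lines + [".", "quit"])

if __name__ == "__main__":
    # Constructed recipient carrying the slide's injection, URL-decoded (%0a%0d -> "\n\r").
    injected = "user@example.com>\n\rrset\n\rMail From: <spam@example.com"
    print(is_valid_address("user@example.com"))  # True
    print(is_valid_address(injected))            # False: control characters rejected
    for line in build_dialogue("app@example.com", "user@example.com",
                               "This is a test email", "hello"):
        print(line)
```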

Page 17: Cross Site Scripting

- The sending of user supplied input to the browser: more than alert()
- Reflective: code passed as a parameter, usually on the URL
- Persistent: code stored and then displayed to the user
- Consequences: cookie theft, site interaction, web application worms
- JavaScript is a powerful programming language

Page 18: Cross Site Scripting

Example flaw:

    echo "hello " . $_GET['username'] . " welcome to the site";

Normal output:

    <html>hello Brett welcome to the site</html>

Exploit output:

    <html>hello <script>alert()</script> welcome ...</html>

Insert any JavaScript or script inclusion. Widely known, well explained, still exists in most applications.

Page 19: CSRF

- Cross Site Request Forgery: the attacking site causes the browser to make a request to the target
- User logs into banking.co.nz:
  - banking.co.nz sets an authentication cookie
  - User leaves but doesn't log out
- User browses to the attacking site:
  - Attacking site creates a post to banking.co.nz
  - User's browser sends the cookie with the post
  - Browser is already authenticated

Page 20: CSRF

- Defence: each post must contain a random parameter value
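Added example, not from the slides, of the defence just stated: a random token bound to the server-side session, embedded in the form as a hidden field, and required on every post. The session store, form and transfer action are constructed for the example:

```python
import hmac
import re
import secrets

# Constructed in-memory session store, standing in for the framework's server-side session.
SESSIONS = {}

def new_session() -> str:
    """Create a session (the authentication cookie value) and bind a fresh random token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id

def render_form(session_id: str) -> str:
    """Embed the session's token as a hidden field; a cross-site page cannot read it."""
    token = SESSIONS[session_id]["csrf_token"]
    return ('<form method="post" action="/transfer">\n'
            '  <input type="hidden" name="csrf_token" value="%s">\n'
            '  <input name="amount">\n</form>' % token)

def token_from_form(form_html: str) -> str:
    match = re.search(r'name="csrf_token" value="([^"]+)"', form_html)
    return match.group(1) if match else ""

def handle_post(session_id: str, form: dict) -> bool:
    """Accept the post only when it carries the token bound to the cookie's session."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(session["csrf_token"].encode(), supplied.encode())

if __name__ == "__main__":
    sid = new_session()                    # banking.co.nz sets the authentication cookie
    token = token_from_form(render_form(sid))
    print(handle_post(sid, {"csrf_token": token, "amount": "10"}))  # True: genuine form post
    print(handle_post(sid, {"amount": "10"}))                        # False: forged post, cookie only
```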

Page 21: Other Related Attacks

- Site redirection: user supplied input used as the target page
  - Can be used in phishing and scam attacks
  - http://site.com/login.php?redirect=<value> (Microsoft still do this in versions of OWA)
- Page inclusion: user supplied input used as the source for a frame, iframe or image; external content is displayed in the browser:

    <frameset>
      <frame src="topbar.html">
      <frameset>
        <frame src="<%=request("page")%>">
      </frameset>
    </frameset>

Page 22: Cookie Security

- Don't store credentials in the cookie (this sort of thing still happens!):

    Set-Cookie: user=admin

- Set the cookie path: specifies which part of the application the cookie is sent to

    http://Application
      Secured blog posting section: http://Application/secure/login   (requires AuthCookie set)
      Insecure general section:     http://Application/general/read

If the cookie path is not set, a vulnerability in the general section can read the secure section's cookie.

Page 23: Cookie Security

- Set the SECURE flag: prevents the cookie being sent in HTTP requests
  - Otherwise the cookie is sent even if the target site is not listening on HTTP (the attacker needs access to sniff the traffic)
- Set the HttpOnly flag: prevents access to the cookie through JavaScript; a defence against cross site scripting
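Added example, not from the slides, putting the two cookie slides into Set-Cookie values with Python's http.cookies: the slide's user=admin cookie beside an AuthCookie scoped to /secure with Secure and HttpOnly set, plus a small reviewer that lists which of the slides' points a given Set-Cookie value fails. The session id is constructed:

```python
from http.cookies import SimpleCookie

def insecure_cookie() -> str:
    """The slide's anti-pattern: the credential itself is the cookie, with no path or flags."""
    cookie = SimpleCookie()
    cookie["user"] = "admin"
    return cookie["user"].OutputString()

def secure_session_cookie(session_id: str) -> str:
    """An opaque identifier, scoped to the secure section, HTTPS only, hidden from JavaScript."""
    cookie = SimpleCookie()
    cookie["AuthCookie"] = session_id
    cookie["AuthCookie"]["path"] = "/secure"
    cookie["AuthCookie"]["secure"] = True
    cookie["AuthCookie"]["httponly"] = True
    return cookie["AuthCookie"].OutputString()

# Names that suggest a credential rather than an opaque session identifier (assumed list).
CREDENTIAL_NAMES = {"user", "username", "password", "role"}

def cookie_issues(set_cookie_value: str) -> list:
    """Review a Set-Cookie header value and list what the slides would object to."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    issues = []
    for name, morsel in cookie.items():
        if name.lower() in CREDENTIAL_NAMES:
            issues.append("%s: credential stored in the cookie" % name)
        if not morsel["path"]:
            issues.append("%s: no Path, so sent to every part of the application" % name)
        if not morsel["secure"]:
            issues.append("%s: no Secure flag, so sent over plain HTTP" % name)
        if not morsel["httponly"]:
            issues.append("%s: no HttpOnly flag, so readable from JavaScript" % name)
    return issues

if __name__ == "__main__":
    print("Set-Cookie: " + insecure_cookie())
    print("Set-Cookie: " + secure_session_cookie("e0f1c2a3d4"))   # constructed session id
    for issue in cookie_issues(insecure_cookie()):
        print(issue)
    print(cookie_issues(secure_session_cookie("e0f1c2a3d4")))      # []
```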

Page 24: File Uploading

- File uploading is dangerous:
  - Provides the ability for the user to create data on the server
  - Usual attacks involve uploading a script file for access
- Check the file extension:
  - Check the portion after the last .
  - Compare against a WHITELIST
  - Beware the NULL (%00) byte
- Check the file data: valid graphic, csv, numeric data
- Store as a blob in the database: do NOT store as a raw file under the webroot

Page 25: File Include Attacks

- Local file include: occurs when the user can affect or supply a file path; leads to disclosure of source and other sensitive items
- Remote file include: occurs in PHP (usually), when an HTTP reference is provided; is disabled in modern versions of PHP
- .NET LoadControl: can be used to load arbitrary controls that exist on the server
- If you must accept paths from a user: reject anything that is suspect, i.e. ../../ ..\..\ %xx

    http://site.com/help.jsp?helppage=/help/index.html
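Added example, not from the slides, covering the checks of the upload slide and the path rules of this slide: an extension whitelist on the portion after the last dot that refuses NULL bytes, a content check on the file data, and a resolver for the help.jsp parameter above that rejects the suspect patterns and confirms the result stays under the help directory. The web root, extension list and file names are assumed:

```python
import posixpath
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "csv"}   # assumed whitelist for the upload form
IMAGE_SIGNATURES = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
WEB_ROOT = "/var/www/site"   # assumed web root for the help.jsp example
HELP_DIR = WEB_ROOT + "/help"

def upload_name_ok(filename: str) -> bool:
    """Whitelist the portion after the LAST dot; refuse NULL bytes and path separators outright."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS

def image_data_ok(data: bytes) -> bool:
    """Check the file data, not just the name: it must begin like one of the accepted image formats."""
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES)

def resolve_help_page(helppage: str):
    """Map the helppage parameter to a file, rejecting the slide's suspect patterns (../, ..\\, %xx)."""
    if re.search(r"\.\.|%[0-9A-Fa-f]{2}|\x00", helppage):
        return None
    if not re.fullmatch(r"/help/[A-Za-z0-9_/.-]+\.html", helppage):
        return None
    full = posixpath.normpath(WEB_ROOT + helppage)
    # Belt and braces: the resolved path must still lie under the help directory.
    if posixpath.commonpath([HELP_DIR, full]) != HELP_DIR:
        return None
    return full

if __name__ == "__main__":
    print(upload_name_ok("photo.jpg"))                   # True
    print(upload_name_ok("page.php\x00.jpg"))            # False: NULL byte
    print(upload_name_ok("page.php.jpg"))                # True by name alone...
    print(image_data_ok(b"<?php echo 1; ?>"))            # ...so the data check is what stops it
    print(resolve_help_page("/help/index.html"))         # /var/www/site/help/index.html
    print(resolve_help_page("/help/../../etc/passwd"))   # None
```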

Page 26: Configuration

What is wrong with these?

.htaccess:

    <Limit GET>
      order deny,allow
      deny from all
      allow from 203.10.1.104
      allow from 192.168.1.1
    </Limit>

Web.config:

    <location path="admin.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </location>

Page 27

www.insomniasec.com

