Web 2.0 Hacking
Web Application Security Assessments: Beyond the Automated Scanners
Presented by: Blake Turrentine, [email protected]
Date: August 25, 2008
Locale: DHS Conference and Workshops, Baltimore, MD

AUGUST 2008 2
Scanning Web 1.0 Technology
Scanning Today’s Web 2.0 Technology
Mashups and Web Widgets
Beyond the Browser: Desktop Widgets
The Security Process
- Threat Modeling
- STRIDE
- CIGITAL
- CLASP
- FISMA/NIST

Types of Testing Techniques
- Black Box
- White Box
- Grey Box

Types of Automated Scanners
- Static Code Analysis
- Vulnerability
- Web Application Specific
- Fuzzers
- Web Application Firewalls

Today’s Automated Scanners
- Static code analysis: Fortify Source Code Analyzer
- Vulnerability scanners: Qualys, Nessus, Saint, Foundscan
- Web application specific: WebInspect, Cenzic, AppScan, Nikto
- Fuzzers: Mu4000, Codenomicon, Peach, Spike
- Web application firewalls: Imperva, Fortify, Mod-Security

Problems with Automated Scans
- Putting too much faith in automated scanners
- Their limitations – intuitiveness
- Low hanging fruit
- False positives and false negatives
- 508 Compliance / CAPTCHA
- Out-maneuvering IPS and WAFs
- Dangers of injecting code in production environments

More Problems With Automated Scans
- Spidering
- Complex business logic
- Complex session handling
- Semantics
- Detecting Sensitive Data
- Asynchronous dynamic code execution
- Horizontal and vertical escalation
- Mashups, Ajax bridges, widgets, RSS feeds
- Emerging technologies such as Air and Silverlight

Approaching a Better Solution: Taking a Closer Look
- Validation of automated scanners
- Application profiling
- Examining known attack vectors
- Looking for compromise
- Fuzzing

Application Profiling
- Application Fingerprinting
- COTS
- The mindset of application developers:
  - Server Side Code Developer
  - Client Side Code Developer
  - System Administrator (SA)
  - Database Administrator (DBA)

Examining Known Vectors
- Catalog application, then vulnerability detection
- The checklist

Client Side: Why scanners have difficulties in handling Advanced JavaScript
- Obfuscation
- Lazy-Loading
- Compromise
- Browser/Server Security tradeoffs

Client Side: Why scanners can’t handle Applets
- Decompiling Bytecode (it is not HTML)
- Complex Session Management

Server Side: Input/output of content is getting more complex
- Upload/download of files
- Effective screening of content/control
- Open boundary conditions
- Embedded objects, action scripts, plug-ins, Active-X
- Who’s responsible for the content supplied?
- Blacklists, Whitelists, Regex, selective lists

Server Side: Scanners’ Lack of Filter Enumeration and Evasion
- Response Analysis
- Blacklisting
- Encoding tactics
- Problems in dealing with Rich Internet Apps (Flash, RSS, Widgets)
- Whitelisting drawbacks: bypassing Regex
- Employ input and output validation with both Whitelists and Blacklists
- Good input validation, poor output validation

Complexity of analysis in Web Services
- XML parsing, manipulation, appending files, lack of tools
- AJAX - Extended Footprint (traditional Web application with Web services)

Difficulties in Testing Application Logic
- Inter-protocol exploitation and communication
- Forced directory browsing - access control
- Backend Web services
- API reverse engineering
- Authorization, session management, horizontal and vertical escalation, AJAX

Sophistication in Combining Attack Vectors
- XSS, SQL, Command, HTML Injection
- SMTP
- Browser types, versions and plug-ins, ActiveX
- Server configurations
- Interpretation of Error handling (database errors, stack traces)
- Encoding Tactics
- Attacking the Admin
- Multilayer, 2nd Order Attacks, Edge Cases

Most Scanners Don’t Look for Infestation
- Parsing the database
- Script calls
- Embedded AJAX
- RSS
- Flash
- CSRF
- Active-X calls
- Outbound calls
- Botnets
- Mastering the DOM - polymorphic JavaScript

Infestation Detection Firewall
- Looking for hooking events: Onload and OnFocus, eval()
- Looking for user events such as OnMouseOver
- Making HTTP connections to offsite
- OnKeyEvent
- Asynchronous Stream Injections With Dynamic Script Execution
- The JavaScript Interpreter (Caffeine Monkey, SpiderMonkey): Obfuscation, whitespacing

Difficulties in Fuzzing Analysis
- Pros and Cons
- File Fuzzing
- Fuzzing APIs
- HTTP Server Response Codes
- Code Paths

Closing Remarks
- The machine and the human element
- Machine to machine
- Code maintenance
- Preventing your app from becoming a part of a Botnet
- SDLC process
- Regression testing
- Dealing with 0-day attacks

Demonstration: Bypassing Defense in Depth
Webmail Application Test: Combining Server & Client Attack Vectors
Webmail Application Test: IE Recognizes File as HTML
Webmail Application Test: Session Cookie is Displayed
GMail Web Application Test: Screenshot of Attached File
GMail Web Application Test: IE Recognizes File as HTML
GMail Web Application Test: Javascript Fires
Yahoo Mail Web Application Test: Creating an Email
Yahoo Mail Web Application Test: Contents of ‘Instructions.doc’
Yahoo Mail Web Application Test: Screenshot of Attached File
Yahoo Mail Web Application Test: Norton AV Scans File Before Download
Yahoo Mail Web Application Test: Javascript Fires
Yahoo Mail Web Application Test: Redirection to Another Site
Questions?