Hacking Exposed: Web Application
Yen-Ming Chen, Foundstone Inc.
©2003 Foundstone Inc.
Who Am I?
» Yen-Ming Chen
– Managing Director of Asia (was Principal Consultant)
– Joined Foundstone in 2000
– Served Fortune 8 clients on consulting engagements
– Specialized in Web Application Assessment, Wireless Network
Assessment, Product Security Assessment, and Survivability
– Assessed hundreds of web applications
– Articles in SecurityFocus, DevX, SysAdmin, PCWeek and other media
– Co-author: HE 3rd edition, HE Web Applications, Win XP Professional and
HackNotes Web Security
– MSIN from CMU Information Networking Institute (1999)
Agenda
» Overview
» Current Problem
» Case Study
» Countermeasure
» Conclusion
Overview
» What is Web Application?
» Web Server vs. Web Application
» Web Application Vulnerability Study
World Wide Web
» World Wide Web created by Tim Berners-Lee in 1989
» Key concepts:
– Hypertext and hyperlinks (text with links)
– Browser (user interface to access different resources)
» Goal: use one program (the browser) to access different types of
resources, with links to other resources
» Now: backbone of e-commerce
What is a Web Application?
» An application based on the WWW architecture
» Usually a multi-tier architecture
» Requires: browser, web server and backend server(s)
Web Application Architecture (diagram)
Web Browser -> Web Server -> Application(s) -> Database / Legacy Server / Other Server
Web Server vs. Web Application
» Web Application:
– Uses a programming language (e.g. ASP, PHP, Java, .NET, Perl or C) to
implement business logic and serve the client
» Web Server:
– Serves client requests and forwards them to the proper application for further
processing (e.g. IIS, Apache, thttpd, etc.)
» A web application does not run without a web server
» A web server does run without a web application (serving static content)
» A web application, taken as a system, consists of:
– Web server and underlying OS
– Web application code
– Backend server
Web Server Vulnerability
» Vulnerability in the web server program itself
» Can be identified by:
– Port scan for web-related ports (TCP 80, 443, etc.)
– Vulnerability scanner (Whisker.pl, N-Stealth, Nikto.pl and others)
» Example:
– IIS
• File system traversal vulnerability
• Unicode and superfluous decode vulnerabilities
• Various buffer overflows in ISAPI filters/extensions (.ida, .printer, WebDAV, etc.)
» Impact:
– Usually the attacker can take over the system running the web server
Web Application Vulnerability
» Vulnerability in the web application itself
» Can be identified by:
– Source code review
– Application testing
• Automated scanner
• Manual testing
» Example:
– SQL or command injection
– E-Shoplifting
– Passport password reset flaw
» Impact:
– Data confidentiality and integrity breached
– System compromised
Web Application Vulnerability Study
» Studied 129 web applications reviewed from 2000 to 2003
» Extracted data:
– SIC code (Standard Industry Classification code)
– Business-sensitive information: yes or no
– Finding title
– Risk
– Finding category
Application Profile
Distribution of Industry (pie chart): IT software/service 74%, Others 12%,
Financial service 9%, Healthcare 5%
Business Sensitive Information?
Sensitive Information (pie chart): Yes 71%, No 29%
Number of Vulnerabilities
                  Sensitive: Yes   Sensitive: No   General
Median No.               4               5            4
Lowest No.               1               1            1
Highest No.             17              21           21
Average No.           4.88            4.70         4.82
Total No.              449             174          623
(Columns: applications with Business Sensitive Information = Yes / No; General = all 129 applications)
Sensitive Information Does Not Imply Better Security!
Vulnerability by Risk Level
Vulnerabilities by Risk Level (pie chart): High 28%, Medium 53%, Low 19%
Web Application Vulnerability Group
» A vulnerability is a vulnerable state that could be exploited
» The vulnerable state could be in a program or in a part of the software
development lifecycle
» So the vulnerabilities are grouped by:
– Application Design
– Application Implementation
– Application Deployment
– Infrastructure Configuration
General Risk Level by Vulnerability Type
(bar chart: share of all findings, 0–30%, broken down by High/Medium/Low risk for
design, implementation, infrastructure/configuration and deployment)
General Risk Level by Vulnerability Type
» Largest share of High-risk findings: Implementation
» Largest share of Medium-risk findings: Infrastructure/Configuration
Risk Level by Vulnerability Type
(bar chart: risk distribution within each type, 0–70%, High/Medium/Low for
design, implementation, infrastructure/configuration and deployment)
Risk Level by Vulnerability Type
» Highest probability of a "High" risk rating: Application Design
» Highest expected risk score: Application Implementation
» Highest probability of a "Medium" risk rating: Infrastructure/Configuration
More Detailed Results
» Will be available in a coming research paper
» Stay tuned ……
Current Problem
» Web Application Vulnerability
» Finding Web Application Vulnerabilities
Web Application Vulnerability
» Application Design
» Application Implementation
» Application Deployment
» Infrastructure Configuration
26©2003 Foundstone Inc.
Application Design
» Vulnerability in the stage of application design
» Examples:
– Weak password (policy)
– No protection (Encryption) on confidential data
– Bad choice on using cryptography
– Weak authentication/authorization mechanism
27©2003 Foundstone Inc.
Application Implementation
» Code defect – Happens during implementation
– Input validation problems
• Buffer overflow
• Code/SQL/Command Injection/execution
• Cookie/data manipulation
• File system traversal
• Exception handling
– Application logic problems
• Function state not maintained
• Logic error
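The SQL injection bullet above, as an added worked example that is not part of the original deck: a login query built by string formatting next to its parameterised form, both run against a constructed in-memory SQLite table (the user names, passwords and attack payloads are made up for the example; nothing here comes from an assessed application).

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed user table standing in for the application's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Query text built by string formatting: user input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the values travel separately from the SQL text,
    so quotes, comment markers and keywords inside them are only data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    db = build_db()
    # Tautology in the password field. The query becomes
    #   ... AND password = '' OR '1'='1'
    # and, because AND binds tighter than OR, matches every row.
    tautology = "' OR '1'='1"
    # Comment marker in the username field. Everything after -- is ignored,
    # so the password clause never runs and any password "works".
    comment = "bob' --"
    return {
        "vuln_tautology": login_vulnerable(db, "alice", tautology),
        "vuln_comment": login_vulnerable(db, comment, "anything"),
        "vuln_good_creds": login_vulnerable(db, "bob", "hunter2"),
        "fixed_tautology": login_fixed(db, "alice", tautology),
        "fixed_comment": login_fixed(db, comment, "anything"),
        "fixed_good_creds": login_fixed(db, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function returns a user for both payloads without a valid password; the parameterised one returns a user only for the real credentials. The same separation of code and data is the fix for the command-injection case: pass arguments as an argument list, never as a shell string.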
28©2003 Foundstone Inc.
Application Deployment
» Transition of application state (e.g. from test to production)
– Did not strip out information
• Test/Guest accounts
• Test information
• Debug configuration
• Account/Password information
– No audit/test before deployment
• Deployed bugged version
– Expose test environment
29©2003 Foundstone Inc.
Infrastructure/Configuration
» Configuration problems on servers
– Patch level is not up to date!
– Weak user password (inherited from the design phase)
– Weak permissions
– Bad/debug configuration
» Configuration problems on network
– Did not properly block incoming traffic
– No blocking of out-going traffic
– No security between Web server and internal servers
30©2003 Foundstone Inc.
Find Web Application Vulnerability
How Do You Find Web Application Vulnerability Today?
Raise Your Hand If You Use Automatic Tool!
Raise Your Hand If You Use Manual Test!
Raise Your Hand If You Don’t Use Any of Them!
31©2003 Foundstone Inc.
What’s Wrong with Automated Tools?
» Assessment Plan
» Accuracy
» Flexibility
» Accountability and Traceability
32©2003 Foundstone Inc.
Assessment Plan
» Do You know what will be tested?
» Do you have control to add or delete the test?
» Who is making the plan?
» What is the methodology?
» What is the knowledge base?
33©2003 Foundstone Inc.
Common Methodology
» Check for server vulnerability
» Crawl (Find the web application)
» Identify input field
» Search for vulnerability
– Buffer overflow
– SQL injection
– Cross-site scripting
– File system traversal
– Information disclosure
» Search for logical vulnerability (Does not apply on automated tools!)
– State management
– Authorization or Access Control
34©2003 Foundstone Inc.
Accuracy
» How accurate is the result?
– Can any tool identify “ANY” of the case study we are going to talk about?
» Is it confused by your customized error page?
» Can it login into your HTML Form-based authentication application?
» Can it assess authorization or access control problem?
35©2003 Foundstone Inc.
Flexibility
» How easy can you modify the test item?
» How easy can you add/create a test item?
» How often is the test item being updated?
36©2003 Foundstone Inc.
Accountability & Traceability
» Can you verify or reproduce any single vulnerability found?
» How easy/hard would that be?
» Can you identify what is the risk brought to you by the vulnerability?
» Can you change/define how the risk is calculated?
37©2003 Foundstone Inc.
Challenge
Can Any Scanner Identify
Any Of The Case Studies
We Are Going To Show You?
Case Study
E-Shoplifting
» Target
» Find the Price
» Change the Price
Target
To Encrypt or Not To Encrypt?
» Using encryption wrongly will HURT you!
» Case I: Vernam cipher with a repeated key
» Case II: DES in the wrong mode
44©2003 Foundstone Inc.
Case Study – Vernam Cipher
» Mission: A web interface to file repository in the firm
» User permissions
» Directory and filename obfuscated
» Result: Arbitrary file retrieval
» How we broke it?
» First problem: Test user account in production environment (test/test)
» Second problem: Using Vernam cipher (XOR algorithm) in the wrong way
(repeat using the same key) to obfuscate directory/file names
» Third problem: Server patch not up to date (IIS with +.htr source code
disclosure)
» All the problems gave us file system traversal on the system with
all the directory and filename obfuscated.
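The second problem above, as an added example that is not part of the original deck (Python standard library only; the key `Fstone03`, the `docs/test/readme.txt` link and the `../../private/payroll.xls` target are constructed for illustration, not taken from the assessed system). A Vernam cipher is only unbreakable when the key stream is never reused; with the key simply repeated, one known file name and its obfuscated link give the key stream, the key length is the period of that stream, and the attacker can then mint a "valid" link for any path. The fix at the end replaces the reversible encoding with random handles resolved and authorized on the server.

```python
import secrets

APP_KEY = b"Fstone03"   # constructed; the real key is whatever the app used


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR with the key repeated across the whole message: the slide's mistake."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_path(path: str, key: bytes = APP_KEY) -> str:
    """What the application places in its links instead of the file path."""
    return xor_repeat(path.encode(), key).hex()


def server_open(token: str, key: bytes = APP_KEY) -> str:
    """Vulnerable server: de-obfuscate and trust the result as a file path."""
    return xor_repeat(bytes.fromhex(token), key).decode(errors="replace")


# --- attacker side -----------------------------------------------------------

def keystream(known_plain: bytes, token: str) -> bytes:
    """plaintext XOR ciphertext = key stream (XOR is its own inverse)."""
    ct = bytes.fromhex(token)[:len(known_plain)]
    return xor_repeat(ct, known_plain)


def key_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i+p] everywhere: the key length.
    Needs at least two key lengths of known plaintext."""
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    raise ValueError("not enough known plaintext to see the key repeat")


def attack(known_path: str, token: str, wanted: str):
    """Recover the key from one known link, then forge a link for any path."""
    stream = keystream(known_path.encode(), token)
    key = stream[:key_period(stream)]
    return key, obfuscate_path(wanted, key)


# --- fix: opaque random handles, never an encoding of the path --------------

_HANDLES = {}   # handle -> (path, owner); exists only on the server


def publish(path: str, owner: str) -> str:
    handle = secrets.token_hex(16)
    _HANDLES[handle] = (path, owner)
    return handle


def server_open_fixed(handle: str, user: str):
    """No decoding at all: the handle is a lookup key and the owner check is
    made server side. A forged or guessed handle simply misses."""
    entry = _HANDLES.get(handle)
    if entry is None or entry[1] != user:
        return None
    return entry[0]


def demo() -> dict:
    # The test/test account sees one link whose file name it already knows.
    known = "docs/test/readme.txt"
    token = obfuscate_path(known)
    key, forged = attack(known, token, "../../private/payroll.xls")
    return {"key": key, "forged": forged, "opened": server_open(forged)}


if __name__ == "__main__":
    print(demo())
```

`key_period` needs the known name to be at least twice the key length; with a shorter name the attacker collects a second link, or simply tries the recovered prefix as the key and checks whether other links decode to printable paths.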
45©2003 Foundstone Inc.
Case Study – DES with Wrong Mode
» Mission: Online Banking
– User Account and Password
– Encrypted with DES
» Result: Chosen ciphertext attack
» How:
– DES (or other block ciphers) can use different “modes”
– The application use the mode without Message Authentication Check
– Found a pair of plaintext to ciphertext:
• Account: 12345678901234
• Encrypted: 5E7BEAD93BC906FFBE343ED7FCE0C8DD
– Use the first half “5E7BEAD93BC906FF” and you can access the account
“12345678” (For balance report)
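The truncation above, as an added example that is not part of the original deck. The Python standard library has no DES, so a keyed XOR-and-permute stand-in is used for the 8-byte block function; it is not a real cipher and is labelled as such in the code, but the property being shown (in ECB each ciphertext block decrypts on its own, so the first 8 bytes of a 16-byte token are a valid token for the first 8 bytes of the account) is a property of the mode, not of the block function, and holds for DES. The keys and the lenient unpadding are assumptions; the account number and the "first half" are the slide's. The fixed version appends an HMAC over the ciphertext and refuses to decrypt anything that does not verify.

```python
import hashlib
import hmac

BLOCK = 8                       # DES block size in bytes
ENC_KEY = b"bank-enc-key-1"     # constructed
MAC_KEY = b"bank-mac-key-1"     # constructed


def _schedule(key: bytes):
    """Derive an 8-byte XOR pad and a byte permutation from the key.
    STAND-IN for DES, not secure: it only has to be an invertible 8-byte
    block function so the example runs without third-party libraries."""
    h = hashlib.sha256(key).digest()
    pad = h[:BLOCK]
    perm = sorted(range(BLOCK), key=lambda i: (h[BLOCK + i], i))
    return pad, perm


def block_encrypt(block: bytes, key: bytes) -> bytes:
    pad, perm = _schedule(key)
    x = bytes(b ^ p for b, p in zip(block, pad))
    return bytes(x[perm[i]] for i in range(BLOCK))


def block_decrypt(block: bytes, key: bytes) -> bytes:
    pad, perm = _schedule(key)
    x = bytearray(BLOCK)
    for i in range(BLOCK):
        x[perm[i]] = block[i]
    return bytes(b ^ p for b, p in zip(x, pad))


def ecb_encrypt(pt: bytes, key: bytes = ENC_KEY) -> bytes:
    n = BLOCK - len(pt) % BLOCK
    pt = pt + bytes([n]) * n                      # PKCS#5 padding
    return b"".join(block_encrypt(pt[i:i + BLOCK], key)
                    for i in range(0, len(pt), BLOCK))


def ecb_decrypt(ct: bytes, key: bytes = ENC_KEY) -> bytes:
    pt = b"".join(block_decrypt(ct[i:i + BLOCK], key)
                  for i in range(0, len(ct), BLOCK))
    n = pt[-1]
    # Lenient unpadding (assumed): strip the tail only if it looks like
    # padding, otherwise accept the plaintext as-is. This is what lets a
    # truncated token decrypt to a plausible account number.
    if 1 <= n <= BLOCK and pt[-n:] == bytes([n]) * n:
        pt = pt[:-n]
    return pt


def account_from_token(token_hex: str) -> str:
    """Vulnerable server: whatever decrypts is taken as the account number."""
    return ecb_decrypt(bytes.fromhex(token_hex)).decode()


# --- fix: encrypt-then-MAC, verify before decrypting -------------------------

def make_token(account: str) -> str:
    ct = ecb_encrypt(account.encode())
    tag = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return (ct + tag).hex()


def account_from_token_fixed(token_hex: str):
    raw = bytes.fromhex(token_hex)
    ct, tag = raw[:-32], raw[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                               # truncated or tampered
    return ecb_decrypt(ct).decode()


def demo() -> dict:
    account = "12345678901234"
    token = ecb_encrypt(account.encode()).hex()   # 32 hex chars = 2 blocks
    first_half = token[:2 * BLOCK]                # keep block 1 only
    fixed_token = make_token(account)
    return {
        "full": account_from_token(token),
        "truncated": account_from_token(first_half),
        "fixed_full": account_from_token_fixed(fixed_token),
        "fixed_truncated": account_from_token_fixed(fixed_token[:2 * BLOCK]),
    }


if __name__ == "__main__":
    print(demo())
```

Cutting the token to its first block yields "12345678" on the vulnerable server, exactly the slide's result; with the MAC in place the same cut token is rejected before any decryption happens. A mode with an integrity check (or an authenticated construction) removes the whole class of cut-and-paste attacks, not just this one.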
46©2003 Foundstone Inc.
Service Dependency
» Bad Session Management
47©2003 Foundstone Inc.
Case Study – Bad Session Management
» Mission: Web Application Assessment
» A Web authentication system for internal expense application
» Use cookie to maintain user session state
» Encrypt and encode the cookie very well
» Result?
» We can modify any user’s password, information and answers to secret
question!
» We can view arbitrary expense report in the system
» How we broke it?
» Overlooked service dependency: “Modify user information” function does
not use the encrypted cookie to maintain the session.
» Expense system program does not correspond user identity with expense
report
48©2003 Foundstone Inc.
Edit Profile
49©2003 Foundstone Inc.
Change LogonID
50©2003 Foundstone Inc.
Passport Password Reset Problem
» Application function state management problem
» Original function flow
1. User chooses to reset the password
2. User fills in information about the account
3. User answers the secret question in the user profile
4. User is redirected to "emailpwdreset.srf" and the system sends an email to
an email address specified by the user with the link to reset the password
» What is wrong?
– The state should be kept from step 1 to step 4
– However, due to a coding error, the state is not maintained
– You can jump directly to step 4 and reset any user's password
» Reference: "Untrustworthy Passport", Yen-Ming Chen,
SecurityFocus guest feature.
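The state problem above, and the "identity not tied to the record" problem of the expense-system case before it, as one added example that is not part of the original deck or of Passport's code (Python; the user store, the mail stub and the URLs are constructed). The vulnerable handler is a standalone page: it takes the account and the destination address from the request, so nothing proves steps 1 to 3 happened. The fixed flow keeps a server-side record per reset attempt, binds it to the account whose question was answered, lets step 4 run only once and only after step 3, and mails only the address on file.

```python
import hmac
import secrets

USERS = {   # constructed user store
    "alice": {"email": "alice@example.com", "secret_answer": "fluffy"},
}


def send_mail(to: str, body: str) -> dict:
    """Stand-in for the mail sender: returns what would have been sent."""
    return {"to": to, "body": body}


def reset_link(account: str) -> str:
    return f"https://example.invalid/reset?acct={account}&t={secrets.token_urlsafe(8)}"


# --- the flaw: step 4 reachable on its own -----------------------------------

def emailpwdreset_vulnerable(account: str, email: str):
    """Account and address come from the caller; no proof of steps 1-3."""
    if account not in USERS:
        return None
    return send_mail(email, reset_link(account))


# --- fix: server-side flow state bound to the account ------------------------

_FLOWS = {}   # flow id -> {"account": ..., "step": ...}; server side only


def step1_start(account: str):
    """Steps 1-2: user names the account; server opens a flow for it."""
    if account not in USERS:
        return None
    fid = secrets.token_urlsafe(16)
    _FLOWS[fid] = {"account": account, "step": 1}
    return fid


def step3_answer(fid: str, answer: str) -> bool:
    """Step 3: the answer is checked against the account bound to the flow,
    not against an account named in this request. One attempt per flow."""
    flow = _FLOWS.get(fid)
    if flow is None or flow["step"] != 1:
        return False
    expected = USERS[flow["account"]]["secret_answer"]
    if not hmac.compare_digest(answer.encode(), expected.encode()):
        _FLOWS.pop(fid, None)
        return False
    flow["step"] = 3
    return True


def step4_emailpwdreset(fid: str):
    """Step 4: runs only for a flow that passed step 3, consumes it, and
    mails the address on file. The caller names neither account nor address."""
    flow = _FLOWS.pop(fid, None)
    if flow is None or flow["step"] != 3:
        return None
    account = flow["account"]
    return send_mail(USERS[account]["email"], reset_link(account))


def demo() -> dict:
    # Attacker jumps straight to step 4 on the vulnerable page.
    hijacked = emailpwdreset_vulnerable("alice", "mallory@example.net")
    # Same attempt on the fixed flow: start, skip the question, call step 4.
    fid = step1_start("alice")
    skipped = step4_emailpwdreset(fid)
    # Legitimate flow, then a replay of the consumed flow id.
    fid = step1_start("alice")
    answered = step3_answer(fid, "fluffy")
    legit = step4_emailpwdreset(fid)
    replay = step4_emailpwdreset(fid)
    return {"hijacked_to": hijacked["to"], "skipped": skipped,
            "answered": answered, "legit_to": legit["to"], "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The same pattern closes the expense-report hole: the record's owner is compared with the identity the server already holds for the session, never with a user name the request supplies.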
51©2003 Foundstone Inc.
Application Deployment
» What can go wrong when you deploy your application?
» Network configuration
» Server configuration
» Application configuration
» Case Study: Bad Configuration Management
» Case Study: Bad Extranet Configuration Management
52©2003 Foundstone Inc.
Case Study – Bad Configuration
Management» Mission: Web Application Assessment
» E-Commerce application
» Depends on another authentication service
» Allows user to store credit card information and perform financial transactions (e.g. online shopping)
» Result:
» Test interface on the Internet that exposes whole credit card number while production site discloses only last 4 digits (trick: special merchant ID!)
» Cookie replay (problem of the authentication service)
» Malicious file can be uploaded by merchant!
» How:
» Bad Configuration Management
» Bad design and implementation
» Service dependancy
53©2003 Foundstone Inc.
Case Study -- Bad Extranet Configuration
» Mission: Web Application Assessment
– Application Server Resides in Extranet for Partners
» Result:
– No Findings in Web Application
– Break into the Intranet via Extranet
» How:
– Found a Web Server Broken by Honker Union (China) on the same subnet
– Own the Server via Unicode + Privilege Escalation
– Found Windows Domain Trust Relationships with Intranet Domain
– Become Domain Admin of the Intranet
Countermeasure
Principles
» Defense in Depth
» Deny by Default
» Least Privilege
56©2003 Foundstone Inc.
Software Development Lifecycle
» Requirement defined
» Design
» Prototype
» Implement
» Test
» Deploy
Security Should be Everywhere!
57©2003 Foundstone Inc.
Requirement Defined
» Except Software and Business Requirements,
» Define Security Requirements
– Policy
– Procedure
– Audit Plan
– Incident Response Plan
58©2003 Foundstone Inc.
Design
» Design with Security in mind
» Principles: CIA
– Confidentiality
– Integrity
– Availability
» Education
– Equip your developers with security knowledge
• Secure Coding
• Secure Development
• Security Testing
59©2003 Foundstone Inc.
Prototype & Implement
» Educate your developer for secure coding practice!
– Avoid using dangerous functions!
– Do not leave information in the comment!
– Maintain the state!
60©2003 Foundstone Inc.
Audit & Test
» Periodically audit/test your web application
» Audit/Test before each major release
» Both manual/automated audits should be used
» Full source code level audit should be conducted at least once
» Optional source code level after first release
» Measuring your web application security
61©2003 Foundstone Inc.
Deployment
» Build a secure server baseline image for deployment
– Strengthen passwords
– Apply least privilege principle
– Erase example/sample files and applications
– Erase unnecessary services
» Use tools to strengthen your servers
– IISLockdown tool for IIS
62©2003 Foundstone Inc.
Deployment – Cont’d
» Separate your test and production environment
– Sanitize the application before deployment!
– Protect the test environment
» Secure your network configuration
– Apply deny by default principle
– Block both incoming traffic and outgoing traffic
• Web server only listens and responds to incoming requests, it does not
initiate a request to the Internet (unless there is a worm!)
– Secure communication between important servers
• Use IPSec to secure communication between web server and other
important servers (e.g. database or DC)
Conclusion
What We Did Not Talk About
» Web client-side security problem
– Vulnerabilities on browsers
• IE arbitrary code execution (too many)
• Browser hijacking
65©2003 Foundstone Inc.
Bright Future?
» E-commerce based on WWW (That’s where money is!)
» WWW has to be public service (Threat level up!)
» Security problems exist for Web applications (The Risk is TRUE!)
» You can secure your web application with simple principles
» Both manual and automatic audit/test should be used
Question and Answer
Thank You!
Yen-Ming Chen
Foundstone Inc.