websecurity-1/3
DESCRIPTION
my old training slides - basic web application security - 1/3
TRANSCRIPT
Web Application Security
Web Applications have become the #1 target
71% of attacks target the Application Layer (Gartner)
Most Web Applications are Vulnerable
95% of Web Applications have some sort of vulnerability (Imperva)
78% of easily exploitable weaknesses occur in Web Applications (Symantec)
Internet Security Threat Report Symantec 2011
4,595 Web Attacks blocked per day in 2011
1,100,000 identities exposed per breach
Targets are 50% big businesses and 50% small to medium
403,000,000 unique variants of Malware
55,294 malicious web domains
One in every 239 emails contains a virus
Top 5 Most Infected Websites Symantec 2011
Blogs and Web Communication
Hosting/Personal Hosting Sites
Business/Economy
Shopping
Education & Reference
Security Mindset
security requires a particular mindset: they see the world differently
a thief (a security-oriented profession) can't walk into a store without noticing and counting how many CCTV cameras are installed and which directions they point. Any possible blind spot?
security engineers think like an attacker or criminal: if you don't see the world that way, you will never notice most security problems
"many security challenges require a vast understanding of both the security and the programming concepts behind them": being a programmer will give you some advantages
HTTP Protocol
Internet - Client - Server: example.com
Browser / Proxy / LB/Cache / Web / DB/Storage
browser cache / hosts file / DNS: example.com -> 93.184.216.119
TCP/IP connection: 3-way handshake
1 SYN: u there bro?
2 SYN-ACK: Yup!!!
3 ACK: cool!!!
HTTP Protocol
GET /
200 OK
index.html content
HTTP Protocol
$ telnet vps 80
Trying 188.241.112.26...
Connected to webfirewall.xjutsu.com.
Escape character is '^]'.
GET / http/1.1
Host: vps

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 15:17:05 GMT
Server: Apache/2.2.16 (Ubuntu)
Last-Modified: Fri, 04 Oct 2013 01:23:15 GMT
ETag: "71d88de-0-4e7e02584e6c0"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Cache-Control: max-age=10800
Content-Type: text/html
HTTP Protocol
GET /
200 OK
index.html content
GET /images/banner.jpg
200 OK
TCP/IP connection close
FIN: bye, i’m done!
FIN-ACK: Sayonara!!!
HTTP Protocol: Client - Server
HTTP Request
GET /index.html HTTP/1.1
Host: www.example.com
Request Line
• request method
• requested resource
• HTTP version used
Request Headers
• general headers
• request headers
• entity headers
Optional Content
HTTP Protocol: Client - Server
HTTP Response
HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Connection: close

<html> ....
Status Line
• HTTP Version
• Status Code
• Status Description
Headers
• general headers
• response headers
• entity headers
Optional Content
HTTP Protocol
Stateless Protocol
each request is an independent transaction, unrelated to any previous request
to overcome this at the application level, cookies are used
HTTP Protocol
Cookies
are text files stored by the client browser
maintain a session by storing information
are non-executable
SYN Flood Attack
SYN Flood: the attacker sends several SYN packets but never sends the final "ACK" back to the server, so the connections stay half-open and consume server resources.
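The symptom described above, many half-open connections that never complete the handshake, is visible in the server's own connection table. The following is an added example (Python), not code from the slides: it counts SYN-RECV entries per local port over lines constructed in the shape of `ss -tan` output (documentation IP ranges, not a real capture) and reports ports whose half-open count crosses a constructed threshold.

```python
# Added example (not from the slides): spot SYN-flood symptoms in a connection
# table. The lines below are constructed in the shape of `ss -tan` output,
# not a real capture; addresses are documentation ranges.
from collections import Counter
from typing import Dict, Set, Tuple

SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV  0      0      198.51.100.5:80     203.0.113.10:40001
SYN-RECV  0      0      198.51.100.5:80     203.0.113.11:40002
SYN-RECV  0      0      198.51.100.5:80     203.0.113.12:40003
SYN-RECV  0      0      198.51.100.5:80     203.0.113.13:40004
SYN-RECV  0      0      198.51.100.5:443    203.0.113.14:40005
ESTAB     0      0      198.51.100.5:80     192.0.2.77:51000
ESTAB     0      0      198.51.100.5:22     192.0.2.78:51001
"""


def half_open_by_port(ss_output: str) -> Tuple[Counter, Dict[str, Set[str]]]:
    """Count half-open (SYN-RECV) connections per local port and collect the
    distinct peer addresses behind them. The header and other states are skipped."""
    counts: Counter = Counter()
    peers: Dict[str, Set[str]] = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local_port = fields[3].rsplit(":", 1)[1]
        peer_addr = fields[4].rsplit(":", 1)[0]
        counts[local_port] += 1
        peers.setdefault(local_port, set()).add(peer_addr)
    return counts, peers


def syn_flood_suspects(ss_output: str, threshold: int = 3) -> Dict[str, Tuple[int, int]]:
    """Ports with at least `threshold` half-open connections, reported as
    (half_open_count, distinct_peer_count). Many peers stuck in SYN-RECV with
    no progress to ESTAB is the pattern: the SYNs arrive, the final ACKs never do.
    The threshold is a constructed value; tune it to the host's normal load."""
    counts, peers = half_open_by_port(ss_output)
    return {port: (n, len(peers[port])) for port, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for port, (n, sources) in syn_flood_suspects(SAMPLE_SS_OUTPUT).items():
        print(f"port {port}: {n} half-open connections from {sources} sources")
```

On the sample data this reports port 80 with four half-open connections from four distinct peers while port 443, with a single entry, stays below the threshold. On a real host the usual mitigations are kernel-side (SYN cookies, backlog and rate limits) rather than application code; this check is only the detection half.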
HTTP Host Header Attack
under certain conditions it is possible, because developers mistakenly trust client-side HTTP headers
~$ telnet attack.com
GET / HTTP/1.1
Host: evil.com
HTTP Host Header Attack
only possible if the attacked page/server uses a caching mechanism
not easy, as the attacked page shows the cached page
send the malicious HTTP "Host" header repeatedly for some duration of time (indefinitely?)
until the cache times out and the page is regenerated, possibly with the injected malicious "Host"
HTTP Host Header Attack
Real example (a true story):
a friend was developing a SaaS application, currently providing service to the "world"
after some consent, agreed to do a simple test of the possibility of having vulnerable code
"HTTP Host" is mostly used by SaaS applications to dynamically load custom pages according to domain/URL
HTTP Host Header Attack
Real example (a true story): FIRST simple test (using curl)
~$ curl -H "Host: evil" http://ww3.linktrackr.com
<br /><b>Notice</b>: Undefined offset: 1 in <b>/var/www/linktrackr/public_html/index.php</b> on line <b>23</b><br />
~$
• "evil" is not an FQDN
• unexpected PHP error/notice
• information disclosure (document root path)
HTTP Host Header Attack
Real example (a true story): the (dangerous) PHP code
• unexpected PHP error/notice: the code expects a "." (dot) in HTTP_HOST, but none was sent
• uses HTTP_HOST to define different routes/pages
HTTP Host Header Attack
In one famous locally developed PHP framework:
yet, it is not easy in this case: only possible with a local/server cache
app/protected/config/common.conf.php:
$config['APP_URL'] = 'http://'.$_SERVER['HTTP_HOST'].$config['SUBFOLDER'];
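Both findings above, the "Undefined offset" notice from splitting a dotless Host and the APP_URL built straight from HTTP_HOST, come from treating the Host header as trusted input. The following is an added example (Python, WSGI-style environ dicts), not the framework code quoted on the slides: it shows the trusting pattern beside a hardened version that accepts only hosts on a server-side allow-list. The host names, the allow-list and the environ values are constructed for this example.

```python
# Added example (not the framework code quoted on the slides): the same
# "trust HTTP_HOST" pattern in Python, beside a hardened version that only
# accepts hosts from a server-side allow-list. Host names, the allow-list and
# the WSGI-style environ dicts below are constructed for this example.
from typing import Iterable, Optional


def app_url_trusting_host(environ: dict, subfolder: str = "/app") -> str:
    """The vulnerable pattern: whatever the client put in the Host header ends
    up in generated links (and, if the page is cached, is served to other users)."""
    return "http://" + environ["HTTP_HOST"] + subfolder


def tenant_from_host_naive(host: str) -> str:
    """Naive per-tenant routing that assumes 'tenant.domain.tld'. A Host of
    'evil' has no second label, which is the 'Undefined offset: 1' notice."""
    return host.split(".")[1]


def canonical_host(environ: dict, allowed_hosts: Iterable[str]) -> Optional[str]:
    """Return the Host value only when it matches the allow-list exactly
    (after lower-casing and stripping port and trailing dot); otherwise None."""
    raw = environ.get("HTTP_HOST", "")
    if raw.startswith("["):                       # IPv6 literal, e.g. [::1]:8080
        hostname = raw.split("]", 1)[0] + "]"
    else:
        hostname = raw.split(":", 1)[0]
    hostname = hostname.rstrip(".").lower()
    allowed = {h.lower() for h in allowed_hosts}
    return hostname if hostname and hostname in allowed else None


def app_url_hardened(environ: dict, allowed_hosts: Iterable[str],
                     subfolder: str = "/app", scheme: str = "https") -> str:
    """Build APP_URL from a validated host; refuse the request otherwise
    (a real application would answer 400 instead of raising)."""
    host = canonical_host(environ, allowed_hosts)
    if host is None:
        raise ValueError("untrusted Host header: %r" % environ.get("HTTP_HOST"))
    return f"{scheme}://{host}{subfolder}"


def tenant_from_host(environ: dict, allowed_hosts: Iterable[str],
                     base_domain: str) -> Optional[str]:
    """Route to '<tenant>.<base_domain>' only for validated hosts, so a missing
    dot can never raise and an unknown host never selects a tenant."""
    host = canonical_host(environ, allowed_hosts)
    if host is None or not host.endswith("." + base_domain):
        return None
    return host[: -len(base_domain) - 1]


ALLOWED_HOSTS = ["www.example-saas.test", "acme.example-saas.test"]  # constructed

if __name__ == "__main__":
    print(app_url_trusting_host({"HTTP_HOST": "evil"}))   # client-chosen URL
    print(app_url_hardened({"HTTP_HOST": "acme.example-saas.test:8443"}, ALLOWED_HOSTS))
```

The allow-list belongs in server-side configuration (or, for a SaaS with customer domains, in the tenant database), never derived from the request. Rejecting unknown hosts with a 400 also keeps a poisoned value out of any cache in front of the application.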
Basic Authentication
uses a combination of username and password to authenticate the user
starts with a GET request without any authentication credentials
server responds with "401 Authorization Required"
browser pops up a dialog requesting credentials
browser re-sends the request for the resource with an "Authorization" line
Basic Authentication
using Burp Suite to intercept:
possible to take control of the traffic exchanged between a web browser and a web server
manipulate data before it is sent
helps to map/monitor the data exchanged between browser and web server in order to find possible vulnerabilities
Basic Authentication
browser pop-up requesting credentials, and after submit:
GET /__wslab__/auth/ HTTP/1.1
Host: 188.241.117.154
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Basic YWRtaW46cEBzc3cwcmQ=
Base64:
~$ echo "YWRtaW46cEBzc3cwcmQ=" | base64 -d
admin:p@ssw0rd
~$
Basic Authentication
data/credentials are passed in plain text
solution: "Basic Auth" over SSL/HTTPS
data is sent in encrypted form
the value of "Authorization" will not be visible on the wire
however, still vulnerable to client-side attack (MITM)
vulnerable to brute-force attack
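The request/response anatomy shown earlier (request line, headers, optional content; status line, headers, optional content) and the Basic-auth capture above are both just text that splits on CRLF. The following is an added example (Python), not code from the slides: a small HTTP/1.1 message parser, the Basic credential decoder, and a defender-side audit that flags Basic credentials seen on a cleartext connection (and, over TLS, the remaining brute-force exposure). The request and 401 response are constructed for the example; the base64 value is the one the slides decode.

```python
# Added example (not from the slides): a small HTTP/1.1 message parser for the
# request/response anatomy on the slides, plus a defender-side check that flags
# Basic credentials observed on a cleartext connection. The captured request and
# response below are constructed (the base64 value is the one the slides decode).
import base64
from typing import Dict, List, Optional, Tuple


class HttpMessage:
    """Start line (request line or status line), headers, optional body."""
    def __init__(self, start_line: str, headers: Dict[str, str], body: bytes):
        self.start_line = start_line
        self.headers = headers      # names lower-cased: header names are case-insensitive
        self.body = body


def parse_message(raw: bytes) -> HttpMessage:
    """Split a raw message at the blank line; each header line is 'Name: value'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """'GET /index.html HTTP/1.1' -> (method, requested resource, version)."""
    method, resource, version = line.split(" ", 2)
    return method, resource, version


def parse_status_line(line: str) -> Tuple[str, int, str]:
    """'HTTP/1.1 200 OK' -> (version, status code, status description)."""
    version, code, reason = line.split(" ", 2)
    return version, int(code), reason


def basic_credentials(msg: HttpMessage) -> Optional[Tuple[str, str]]:
    """(user, password) from an 'Authorization: Basic ...' header, else None.
    Basic is base64 only: an encoding, not encryption."""
    scheme, _, token = msg.headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def audit_request(raw: bytes, over_tls: bool) -> List[str]:
    """Findings a reviewer of captured traffic would report for one request."""
    msg = parse_message(raw)
    findings: List[str] = []
    creds = basic_credentials(msg)
    if creds is not None:
        if not over_tls:
            findings.append("Basic credentials for '%s' sent in cleartext to host %s"
                            % (creds[0], msg.headers.get("host")))
        else:
            findings.append("Basic auth over TLS: still brute-forceable, add lockout/rate limiting")
    return findings


SAMPLE_REQUEST = (  # constructed; same shape as the Burp capture on the slides
    b"GET /lab/auth/ HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: example-browser/1.0\r\n"
    b"Connection: keep-alive\r\n"
    b"Authorization: Basic YWRtaW46cEBzc3cwcmQ=\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (  # constructed 401 that makes the browser show the credential pop-up
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"WWW-Authenticate: Basic realm=\"lab\"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for finding in audit_request(SAMPLE_REQUEST, over_tls=False):
        print(finding)
```

Note that `over_tls` is something the parser cannot learn from the message itself; in a proxy or sensor it comes from the connection, which is exactly why the slides' advice is to put Basic auth behind HTTPS rather than to change the header.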
Digest Authentication
improvement over Basic Authentication
credentials are not passed in cleartext but in a hashed (digest) form
originally specified by RFC 2069
later replaced by RFC 2617
Digest Authentication
Authentications
Exercise: using your browser pointed at Burp Suite as an HTTP proxy, open the following sites:
basic: http://188.241.117.154/__wslab__/auth
digest: http://188.241.117.154/__wslab__/authd
Session Hijacking
HTTP is a stateless protocol
session/cookies are used to maintain a session
exploitation of a valid web application session to gain unauthorized access
session fixation
session sidejacking
Broken Session Management
Session Management Flaws
a session ID is just as good as credentials to an attacker
session IDs are typically exposed on the network, in the browser, in logs ...
Typical Impact
user accounts compromised or user sessions hijacked
Session Fixation
session fixation
sending a maliciously crafted link that contains a particular session ID
the victim user clicks the link sent and logs in
the attacker uses the same link with the same fixed session to gain access
http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID
Session Fixation
cross-subdomain cooking
a subdomain has been compromised: news.example.com
visiting news.example.com sets session cookies scoped to "*.example.com" in the victim's browser
when the victim visits www.example.com and logs in, the cookies previously set will be sent with the request
Session Fixation: Preventions
do not accept session identifiers from GET / POST variables
implement identity confirmation
new session ID after successful login
second level of authentication
store the session identifier in HTTP cookies
use the SSL/TLS session identifier
Session Sidejacking
when an attacker uses packet sniffing to read network traffic and steal session cookies
unsecured WiFi hotspots
unsecured web application:
only uses HTTPS during authentication
uses HTTP for the rest of the site after authentication
Session Sidejacking
several exploit tools:
Firesheep - Mozilla extension, made it easy for users of unencrypted public WiFi to be attacked by session hijackers
WhatsApp Sniffer - able to display messages from other WhatsApp users connected to the same network
DroidSheep - listens to HTTP traffic sent over wireless and extracts session IDs from these HTTP packets
Session Sidejacking: Preventions
encryption of data traffic between both parties - SSL/TLS
long session ID - eliminates the possibility of guessing a valid session key
regenerate the session ID after successfully authenticating a user
secondary check/authentication of a valid user
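The prevention lists for fixation and sidejacking overlap: take the session ID only from a cookie, make it long and random, rotate it on login, and mark the cookie so it is only sent over TLS and is not readable by script. The following is an added example (Python, in-memory store, no framework), not code from the slides: it implements those rules and replays both the URL-planted `SID` from the fixation slide and the pre-authentication cookie case (as in cross-subdomain cooking) to show the planted ID is worthless after login. The request dicts, user names and password check are constructed.

```python
# Added example (not from the slides): session handling that resists fixation
# and sidejacking. Session ids come only from a cookie (never GET/POST), are
# long and random, are rotated on login, and the cookie carries Secure and
# HttpOnly. The in-memory store, request dicts and credentials are constructed.
import secrets
from typing import Callable, Dict, Optional, Tuple

COOKIE_NAME = "SID"


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 random bits: not guessable

    def start(self) -> str:
        """Create an anonymous (pre-login) session and return its id."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        """Move the session data to a fresh id and invalidate the old one."""
        data = self._sessions.pop(old_sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid


def session_id_from_request(request: dict) -> Optional[str]:
    """Only the cookie counts; a ?SID=... in the URL is ignored entirely."""
    return request.get("cookies", {}).get(COOKIE_NAME)


def set_cookie_header(sid: str) -> str:
    """Secure: never sent over plain HTTP (sidejacking); HttpOnly: not readable
    by page script; SameSite=Lax: not attached to cross-site POSTs."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def login(store: SessionStore, request: dict, username: str, password: str,
          check_password: Callable[[str, str], bool]) -> Tuple[str, str]:
    """Authenticate and return (new session id, Set-Cookie header value).
    Whatever id the client arrived with, even one an attacker planted, is
    discarded by rotation, so knowing the pre-login id gains nothing."""
    sid = session_id_from_request(request)
    if sid is None or store.get(sid) is None:
        sid = store.start()
    if not check_password(username, password):
        raise PermissionError("bad credentials")
    sid = store.rotate(sid)
    store.get(sid)["user"] = username
    return sid, set_cookie_header(sid)


def url_fixation_scenario(store: SessionStore) -> bool:
    """Planted id in the URL, as on the slide; True if it never becomes valid."""
    planted = "I_WILL_KNOW_THE_SID"
    victim_request = {"query": {"SID": planted}, "cookies": {}}
    new_sid, _ = login(store, victim_request, "alice", "correct horse",
                       lambda u, p: p == "correct horse")
    return store.get(planted) is None and new_sid != planted \
        and store.get(new_sid)["user"] == "alice"


def cookie_fixation_scenario(store: SessionStore) -> bool:
    """Pre-login cookie the attacker knows (e.g. set via a compromised
    subdomain); True if login invalidates it and the new cookie is protected."""
    known = store.start()
    victim_request = {"cookies": {COOKIE_NAME: known}}
    new_sid, header = login(store, victim_request, "alice", "pw", lambda u, p: True)
    return store.get(known) is None and store.get(new_sid)["user"] == "alice" \
        and "Secure" in header and "HttpOnly" in header


if __name__ == "__main__":
    print("URL fixation defeated:", url_fixation_scenario(SessionStore()))
    print("cookie fixation defeated:", cookie_fixation_scenario(SessionStore()))
```

Rotation on login is the single control that defeats both scenarios; the cookie attributes address the sidejacking case where the pre-login id was sniffed rather than planted. The "secondary check" on the slides (re-authentication before sensitive actions) sits on top of this and is not shown.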
Session Hijacking
Exercise: open http://demo.testfire.net
using Burp Suite / Firefox with Firebug
study the HTTP headers - request/response
login ID : sjoe/jsmith/cclay/sspeed
password : demo1234
Security Misconfiguration
web applications rely on a secure foundation
everywhere from the OS up through the app server
including all the libraries/tools you are using
do you change all credentials regularly in the production environment?
do you remove all the examples that come together with the tools you are using?
Security Misconfiguration
Typical Impact
install a backdoor through a missing OS or server patch
XSS/SQL injection/etc. flaws due to missing application library/framework patches
unauthorized access to default accounts or unused but accessible functionality, due to poor installation of the tools used or poor server configuration
Security Misconfiguration
Protection
verify the system's configuration management
secure configuration "hardening" guideline
must cover the entire platform and application
keep up with patches for all components
deactivate unnecessary stuff
Missing Function Level Access Control
Common Mistakes:
displaying only authorized links and menu choices
attackers simply forge direct access to "unauthorized" pages
Typical Impact
perform privileged actions
access other users' accounts and data
Missing Function Level Access Control
Protection
restrict access to authenticated users (if not public)
enforce user role-based permissions (if private)
completely disallow requests to unauthorized page types:
config files
log files, etc.