Web Application Security for Beginners - Part 1, adzmely mansor, [email protected]

Posted 11-Jan-2016

Description: my old training slides - basic web application security - 1/3

TRANSCRIPT

Web Application Security for Beginners - Part 1

adzmely mansor

[email protected]

Web Application Security: some stats

Web Application Security: Web Applications have become the #1 target

71% of attacks target the Application Layer (Gartner)

Most Web Applications are Vulnerable

95% of Web Applications have some sort of vulnerability (Imperva)

78% of easily exploitable weaknesses occur in Web Applications (Symantec)

Internet Security Threat Report Symantec 2011

4,595 Web Attacks blocked per day in 2011

1,100,000 identities exposed per breach

Targets are 50% big businesses and 50% small to medium

403,000,000 unique variants of Malware

55,294 malicious web domains

One in every 239 emails contains a virus

Top 5 Most Infected Websites Symantec 2011

Blogs and Web Communication

Hosting/Personal Hosting Sites

Business/Economy

Shopping

Education & Reference

Website Attackers by Country (Incapsula, August 2012)

Mindset

Mindset: different people see things differently

Security Mindset

security requires a particular mindset: they see the world differently

a thief (a security-oriented profession): can’t walk into a store without noticing and counting how many CCTV cameras are installed and which direction they point. any possible blind spot?

engineers/programmers: thinking about how things can be made to work

security engineers: thinking about how things can be made to fail

security engineers: thinking like an attacker or criminal. if you don’t see the world that way, you will never notice most security problems

“many security challenges require a vast understanding of both the security and the programming concepts behind them” - being a programmer will give you some advantages

HTTP Protocol: the fundamental

why bother?
• facilitates debugging
• improves understanding of security

HTTP Protocol
• application layer (TCP/IP)
• client - server
• set of rules on how data is transmitted

HTTP Protocol: Internet, Client, Server: example.com

Client (Browser → Proxy) → Internet → Server example.com (LB/Cache → Web → DB/Storage)

name resolution: browser cache / hosts file / DNS
example.com → 93.184.216.119

TCP/IP connection: 3 way handshake
1 SYN: u there bro?
2 SYN-ACK: Yup!!!
3 ACK: cool!!!

HTTP Protocol
GET /
200 OK
index.html content

HTTP Protocol (the same exchange by hand, over telnet):

$ telnet vps 80
Trying 188.241.112.26...
Connected to webfirewall.xjutsu.com.
Escape character is '^]'.
GET / http/1.1
Host: vps

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 15:17:05 GMT
Server: Apache/2.2.16 (Ubuntu)
Last-Modified: Fri, 04 Oct 2013 01:23:15 GMT
ETag: "71d88de-0-4e7e02584e6c0"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Cache-Control: max-age=10800
Content-Type: text/html

GET /images/banner.jpg
200 OK

TCP/IP connection: teardown
FIN: bye, i’m done!
FIN-ACK: Sayonara!!!

HTTP Protocol: Client / Server

HTTP Request

HTTP Response

HTTP Protocol: Client / Server, HTTP Request

GET /index.html HTTP/1.1
Host: www.example.com

Request Line
• request method
• requested resource
• HTTP version used

Request Header
• general headers
• request headers
• entity headers

Optional Content

HTTP Protocol: Client / Server, HTTP Response

HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Connection: close

<html> ....

Status Line
• HTTP Version
• Status Code
• Status Description

Headers
• general headers
• response headers
• entity headers

Optional Content
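The request and response layouts above (start line, header lines, blank line, optional body) are simple enough to parse by hand, and doing so makes the structure concrete. The following parser is an added example written for this transcript, not code from the slides; the two sample messages are constructed here in the shape of the slide examples. It lower-cases header names (they are case-insensitive), trusts only as many body bytes as Content-Length announces, and rejects an HTTP/1.1 request that carries no Host header, which matters later when Host is used for routing.

```python
from dataclasses import dataclass, field

# Constructed sample messages modelled on the request and response slides.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: demo-client\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 23 May 2005 22:38:34 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 13\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html></html>"
)


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_message(raw):
    """Split a raw HTTP/1.1 message into start line, headers and body.

    The first empty line separates headers from body. Header names are
    case-insensitive, so they are stored lower-cased.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers (blank line) found")
    lines = head.split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Only keep as many body bytes as Content-Length announces; anything beyond
    # it would belong to the next message on a keep-alive connection.
    length = int(headers.get("content-length", len(body)))
    return HttpMessage(start_line, headers, body[:length])


def parse_request(raw):
    """Request line = method, requested resource, HTTP version."""
    msg = parse_message(raw)
    method, target, version = msg.start_line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad request line: {msg.start_line!r}")
    if version == "HTTP/1.1" and "host" not in msg.headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return {"method": method, "target": target, "version": version,
            "headers": msg.headers, "body": msg.body}


def parse_response(raw):
    """Status line = HTTP version, status code, status description."""
    msg = parse_message(raw)
    version, code, reason = msg.start_line.split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": msg.headers, "body": msg.body}


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
```

Feeding it the telnet capture from the earlier slide (with CRLF line endings) gives a 200 status, a `content-length` of 0 and an empty body, exactly what the server returned there.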

HTTP Protocol: Stateless Protocol

each request is an independent transaction, unrelated to any previous request

to overcome this issue at the application level, cookies are used

HTTP Protocol: Cookies

are text files stored by the client browser

maintain a session by storing information

are non executable

HTTP Protocol & Handling Statelessness: RFC 2616, RFC 2965

Exercise

explain the “3 way handshake” and how it works

SYN Flood Attack

SYN Flood: the attacker sends several packets but does not send the "ACK" back to the server. The connections are hence half-open and consume server resources.

SYN Flood Mitigation

RFC 4987: TCP SYN Flooding Attacks and Mitigations

SYN Flood Attack

http://www.digitalattackmap.com

http://www.arbornetworks.com/threats
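The half-open connections described above cost the server memory only because it stores state for every SYN it answers. One of the mitigations catalogued in RFC 4987 is SYN cookies: the server encodes what it needs to know into the sequence number of its SYN-ACK and keeps nothing until the client's final ACK returns with that value, so a flood of unanswered SYNs allocates nothing. The following is an added, simplified illustration of that scheme written for this transcript; it is not the slides' material nor any kernel's implementation. The secret key, the MSS table and the 5/3/24-bit cookie layout are assumptions chosen for the demo.

```python
import hashlib
import hmac
import socket
import struct

# Constructed server secret for this demo; a real implementation rotates it.
SECRET = b"demo-secret-do-not-reuse"

# A cookie only has room for 3 bits of MSS information, so the server rounds
# the client's advertised MSS down to one of these table entries.
MSS_TABLE = (536, 1300, 1440, 1460)


def _hash24(src_ip, dst_ip, sport, dport, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client ISN and a time counter."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      sport, dport, client_isn & 0xFFFFFFFF, counter & 0xFFFFFFFF)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, dst_ip, sport, dport, client_isn, client_mss, counter):
    """Server ISN for the SYN-ACK, built without storing per-connection state.

    Layout (32 bits): 5 bits of time counter | 3 bits MSS index | 24 bits hash.
    """
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    h = _hash24(src_ip, dst_ip, sport, dport, client_isn, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | h


def check_syn_cookie(src_ip, dst_ip, sport, dport, seq, ack, now_counter):
    """Validate the handshake's final ACK and recover the negotiated MSS.

    Returns the MSS to use, or None if the cookie is forged, belongs to a
    different connection, or is older than one counter tick.
    """
    cookie = (ack - 1) & 0xFFFFFFFF        # the client acks server_isn + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # the client's seq is its isn + 1
    counter_bits = cookie >> 27
    age = (now_counter - counter_bits) & 0x1F
    if age > 1:
        return None                        # too old: a replayed or stale ACK
    counter = now_counter - age
    expected = _hash24(src_ip, dst_ip, sport, dport, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    # Constructed endpoints (documentation address ranges).
    c = make_syn_cookie("192.0.2.10", "198.51.100.5", 40000, 80, 1000, 1460, 7)
    print(hex(c), check_syn_cookie("192.0.2.10", "198.51.100.5", 40000, 80, 1001, c + 1, 7))
```

The trade-off RFC 4987 notes still applies here: because nothing is stored, TCP options other than the coarse MSS are lost for cookie-validated connections, which is why real stacks enable cookies only once the SYN backlog fills.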

HTTP Header: attack vector

HTTP Host Header Attack

under certain conditions it is possible, because of a mistake by developers: trusting client-side HTTP headers

~$ telnet attack.com
GET / HTTP/1.1
Host: evil.com

HTTP Host Header Attack: using the HTTP Host header blindly

HTTP Host Header Attack: only possible if the attacked page/server uses a caching mechanism

not easy, as the attacked page shows the cached page

send the malicious HTTP “Host” header over some duration of time (infinitely?)

until the cache times out and a new page is generated, possibly with the injected malicious “Host”?

HTTP Host Header Attack: real example (a true story):

a friend developing a SaaS application, currently providing service to the “world”

after some consent - agreed to do a simple test of the possibility of having vulnerable code

“HTTP Host” is mostly used by SaaS applications to dynamically load custom pages according to domain/url

HTTP Host Header Attack: real example (a true story): FIRST simple test (using curl)

~$ curl -H "Host: evil" http://ww3.linktrackr.com

<br /><b>Notice</b>: Undefined offset: 1 in <b>/var/www/linktrackr/public_html/index.php</b> on line <b>23</b><br />

~$

not FQDN
• unexpected php error/notice
• information disclosure (document root path)

HTTP Host Header Attack: real example (a true story): the (dangerous) PHP code

• unexpected php error/notice: expecting “.” (dot) in HTTP_HOST but none sent

• using HTTP_HOST to define a different route/page

HTTP Host Header Attack: in one famous locally developed PHP framework:

yet, it is not easy in this case: possible with local/server cache

app/protected/config/common.conf.php:

$config['APP_URL'] = 'http://'.$_SERVER['HTTP_HOST'].$config['SUBFOLDER'];

Exercise: http://188.241.117.154/__wslab__/wcp/
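Both problems on the slides above come from reading the Host header as if it were server configuration: the framework line builds APP_URL from whatever the client sent, and the SaaS index page split the value on "." and indexed the second label, so a bare "evil" produced the notice and the document-root path. The fix is the same in both cases: compare the header against the list of hostnames the deployment actually serves, and derive routes and URLs only from an allowlisted value. The following is an added example written for this transcript, not the framework's or the SaaS application's code; the unsafe functions mirror the two failure modes in Python, the allowlist, the canonical host and the SUBFOLDER default are assumptions, and the WSGI-style environ dict stands in for PHP's $_SERVER.

```python
import re

# Constructed allowlist of hostnames this deployment serves. It belongs in the
# application's own configuration, never in anything the client sends.
SERVED_HOSTS = {"example.com", "app.example.com", "ww3.example.com"}
CANONICAL_HOST = "app.example.com"

# hostname with an optional :port; nothing else (no userinfo, no spaces, no @)
HOST_RE = re.compile(r"^(?P<name>[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::\d{1,5})?$")


def unsafe_app_url(environ):
    """Mirrors the config line on the slide: the client's Host lands in every
    absolute link, redirect and cached page the application generates."""
    return "http://" + environ["HTTP_HOST"] + environ.get("SUBFOLDER", "/")


def unsafe_tenant(environ):
    """Mirrors the lookup that produced 'Undefined offset: 1': it assumes a
    dotted FQDN and indexes the second label without checking (IndexError
    here, a PHP notice with the document root on the slide)."""
    return environ["HTTP_HOST"].split(".")[1]


def validated_host(environ):
    """Return the request's hostname only if it is one we serve, else None."""
    raw = environ.get("HTTP_HOST", "").strip().lower()
    m = HOST_RE.match(raw)
    if not m or m.group("name") not in SERVED_HOSTS:
        return None
    return m.group("name")


def safe_app_url(environ):
    """Never echo the client's value; fall back to the configured name
    (responding 400 instead is the other reasonable choice)."""
    host = validated_host(environ) or CANONICAL_HOST
    return "http://" + host + environ.get("SUBFOLDER", "/")


def safe_tenant(environ):
    """Derive the tenant label only from an allowlisted host, and tolerate a
    host without enough labels instead of failing."""
    host = validated_host(environ)
    if host is None:
        return None
    labels = host.split(".")
    return labels[0] if len(labels) >= 3 else None


if __name__ == "__main__":
    for h in ("evil", "evil.com", "ww3.example.com:8080", "app.example.com@evil.com"):
        env = {"HTTP_HOST": h}
        print(h, "->", validated_host(env), safe_app_url(env), safe_tenant(env))
```

With the allowlist in place the cache-poisoning variant on the earlier slide also loses its foothold: a page generated while a crafted Host header was in flight contains the canonical name, not the injected one.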

HTTP Authentication

Basic - Authentication

Basic - Authentication: uses a combination of username and password to authenticate the user

starts with a GET request without any authentication credentials

the server responds with “401 Authorization Required”

the browser pops up a dialog requesting credentials

the browser re-sends the request for the resource with an “Authorization” line

Basic - Authentication: using BURPSuite to intercept:

possible to take control of the traffic exchanged between a web browser and a web server

manipulate data before it is sent

helps to map/monitor data exchanged between browser and web server in order to find possible vulnerabilities

Basic - Authentication: initial GET request:

Basic - Authentication: server responds with “HTTP/1.1 401 Authorization Required”

Basic - Authentication: browser pops up a dialog requesting credentials, and after submit:

GET /__wslab__/auth/ HTTP/1.1
Host: 188.241.117.154
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Basic YWRtaW46cEBzc3cwcmQ=

Base 64:

~$ echo "YWRtaW46cEBzc3cwcmQ=" | base64 -d
admin:p@ssw0rd
~$

Basic - Authentication: data/credentials are passed in plain text

solution: “Basic Auth” over SSL/HTTPS

data is sent in encrypted form

the value of “Authorization” will not be visible

however still vulnerable to client-side attack - MiTM

vulnerable to brute-force attack

Digest Authentication

Digest Authentication: improvement over Basic - Authentication

data is not passed in cleartext but in encrypted format

originally specified by RFC2069, later replaced by RFC2617

Digest Authentication

Authentications

Exercise: with your browser pointed at burp-suite as an HTTP proxy, open the following sites:

basic: http://188.241.117.154/__wslab__/auth

digest: http://188.241.117.154/__wslab__/authd
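The two schemes above differ in what the Authorization header reveals to whoever can read it. The following added example (written for this transcript; not code from the slides or from any server) shows both sides: for Basic it rebuilds and decodes the exact header value captured above, for Digest it computes the RFC 2617 response with qop=auth and the server-side check that needs only HA1 (MD5 of user:realm:password) on file. The realm, nonce and client nonce values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# ---- Basic: the header value is base64, a reversible encoding, not a secret ----

def encode_basic(username, password):
    """The value a browser sends after the 401 challenge."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header_value):
    """Anything that sees the header (proxy, sniffer, log) recovers both parts."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# ---- Digest (RFC 2617, qop=auth): the password itself never leaves the client ----

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 is all the server has to store to verify later responses."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def new_nonce():
    """Server nonce for the WWW-Authenticate challenge; fresh per challenge."""
    return secrets.token_hex(16)


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print(decode_basic("Basic YWRtaW46cEBzc3cwcmQ="))
    nonce = new_nonce()
    resp = digest_response("admin", "demo-realm", "p@ssw0rd", "GET", "/__wslab__/authd", nonce, "00000001", "0a4f113b")
    print(resp, verify_digest(digest_ha1("admin", "demo-realm", "p@ssw0rd"), "GET", "/__wslab__/authd", nonce, "00000001", "0a4f113b", resp))
```

Two caveats worth keeping next to the slides: the Digest response is a hash, not encryption, so a captured header still allows an offline guessing attack against weak passwords, and a server that stores HA1 is storing a password-equivalent. Neither scheme replaces TLS; it is TLS that keeps the header out of the sniffer's hands in the first place.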

Session/Cookie Hijacking

Session Hijacking: HTTP is a stateless protocol

session/cookies are used to maintain a session

exploitation of a valid web application session to gain unauthorized access

session fixation

session sidejacking

Broken Session Management

Session Management Flaws

a session ID is just as good as credentials to an attacker

the session ID is typically exposed on the network, in the browser, in logs ...

Typical Impact

user accounts compromised or user sessions hijacked

Session Fixation: session fixation

sending a maliciously crafted link that contains a particular session id

the victim user clicks the link sent and logs in

the attacker uses the same link with the same fixed session to gain access

http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID

Session Fixation: cross-subdomain cooking

a sub domain has been compromised - news.example.com

visiting news.example.com sets session cookies for “*.example.com” in the victim’s browser

when the victim visits www.example.com and logs in, the cookies previously set will be sent with the request

Session Fixation: Preventions

do not accept session identifiers from GET / POST variables

implement identity confirmation

new session id after successful login

second level of authentication

store the session identifier in HTTP cookies

use the SSL/TLS session identifier

Session Sidejacking: when an attacker uses packet sniffing to read network traffic and steal session cookies

unsecured WiFi hotspots

unsecured Web Application:

only using HTTPS during authentication

using HTTP for the rest of the site after authentication

Session Sidejacking: several exploit tools:

Firesheep - Mozilla extension, made it easy for users of unencrypted public WiFi to be attacked by session hijackers

WhatsApp sniffer - able to display messages from other WhatsApp users connected to the same network

DroidSheep - listens to HTTP traffic sent over wireless and extracts session ids from these HTTP packets

Session Sidejacking: Preventions

encryption of data traffic between both parties - SSL/TLS

long session ID - eliminates the possibility of guessing a valid session key

regenerate the session ID after successfully authenticating a user

secondary check/authentication of a valid user
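The fixation and sidejacking prevention lists above describe one session store, so the following added example implements them together: a session identifier is only ever taken from the cookie (never from ?SID=... in the URL), unknown identifiers are not adopted, the identifier is long and random, it is regenerated at login, and the Set-Cookie header carries Secure and HttpOnly so it is neither sent over plain HTTP nor readable by script. This is illustration code written for this transcript, not the slides' or any framework's session handling; the in-memory dict, the cookie name and the walk-through in fixation_scenario are constructed for the demo.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: sid -> session data."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _new_sid():
        # 32 random bytes (256 bits), URL-safe: far too long to guess.
        return secrets.token_urlsafe(32)

    def get_or_create(self, cookies, query):
        """Resolve the session for a request.

        Only the cookie may carry the sid; `query` is accepted so callers can
        see that ?SID=... is deliberately never consulted. A sid the store
        does not know is not adopted either, so a value planted by a link or
        by a compromised subdomain never becomes a live session.
        """
        sid = cookies.get("sid")
        if sid not in self._sessions:
            sid = self._new_sid()
            self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Regenerate the identifier on privilege change: whatever sid the
        browser had before login (possibly attacker-known) is invalidated."""
        data = self._sessions.pop(sid, {"user": None})
        data["user"] = user
        new_sid = self._new_sid()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


def set_cookie_header(sid):
    """Secure: never sent over plain HTTP (sidejacking); HttpOnly: not
    readable by script in the page."""
    return f"sid={sid}; Path=/; Secure; HttpOnly"


def fixation_scenario():
    """Replay the slide's two fixation routes against this store."""
    store = SessionStore()
    # 1. the attacker obtains a genuine sid from the site
    attacker_sid = store.get_or_create({}, {})
    # 2a. the victim follows http://unsafe.example.com/?SID=<attacker_sid>
    link_sid = store.get_or_create({}, {"SID": attacker_sid})
    # 2b. or a compromised subdomain planted it as a *.example.com cookie
    planted_sid = store.get_or_create({"sid": attacker_sid}, {})
    # 3. the victim logs in; the sid is rotated either way
    new_sid = store.login(planted_sid, "victim")
    return {
        "link_sid_reused": link_sid == attacker_sid,
        "planted_sid_reused_pre_login": planted_sid == attacker_sid,
        "attacker_sid_valid_after_login": store.user_for(attacker_sid) is not None,
        "rotated": new_sid != planted_sid,
        "user": store.user_for(new_sid),
    }


if __name__ == "__main__":
    print(fixation_scenario())
```

Note the one line the store cannot fix on its own: the planted cookie is accepted before login because it is a real sid. That is why regeneration at login is listed on both slides, and why the planted cookie still ends up holding no authenticated session.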

Session Hijacking

Exercise: open http://demo.testfire.net

using burp-suite / firefox - firebug

study the HTTP headers - request/response

login ID : sjoe/jsmith/cclay/sspeed

password : demo1234

Security Misconfiguration

Security Misconfiguration

Web applications rely on a secure foundation

everywhere from the OS up through the App Server

including all the libraries/tools you are using

do you change all credentials regularly in the production env?

do you remove all the examples that come together with the tools you are using?

Security Misconfiguration: Typical Impact

backdoor installed through a missing OS or server patch

XSS/SQL injection/etc flaws due to missing application library/framework patches

unauthorized access to default accounts or unused but accessible functionality due to poor installation of the tools used or server configuration

Security Misconfiguration: Protection

verify the system’s configuration management

secure configuration “hardening” guideline

must cover the entire platform and application

keep up with patches for all components

deactivate unnecessary stuff

Missing Function Level Action Control

Missing Function Level Action Control: Common Mistakes:

displaying only authorized links and menu choices

attackers simply forge direct access to “unauthorized” pages

Typical Impact

perform privileged actions

access other users’ accounts and data

Missing Function Level Action Control: Protection

restrict access to authenticated users (if not public)

enforce any user role based permissions (if private)

completely disallow requests to unauthorized page types:

config files

log files, etc
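The common mistake above is deciding access in the menu: the link is hidden, but the page behind it still answers anyone who types its URL. The protection list describes the alternative, a single check run for every request before any handler executes. The following added example (written for this transcript, not the slides' code) does exactly that with a constructed route table: each route declares who may call it, the check covers both vertical access (admin pages) and horizontal access (another user's account), and requests for configuration or log files are refused outright. Paths, roles and the forbidden-suffix list are assumptions for the demo.

```python
import re

# Constructed route table: (path pattern, required role). None means public.
# Authorization is evaluated here for every request, never in the templates.
ROUTES = [
    (re.compile(r"^/$"), None),
    (re.compile(r"^/account/(?P<user>[a-z]+)/?$"), "user"),
    (re.compile(r"^/admin(/.*)?$"), "admin"),
]

# Never served, whoever asks: config and log files that live under the web root.
FORBIDDEN_SUFFIXES = (".conf", ".ini", ".log", ".bak")


def authorize(path, session):
    """Return the HTTP status for a request made with the given session.

    session is None for an anonymous request, otherwise a dict with "user"
    and "role" (assumed roles: "user" or "admin").
    """
    path = path.split("?", 1)[0]
    # Refuse the forbidden page types (and dot-files) before any routing, and
    # answer 404 so the response does not confirm that the file exists.
    if path.lower().endswith(FORBIDDEN_SUFFIXES) or "/." in path:
        return 404
    for pattern, required_role in ROUTES:
        match = pattern.match(path)
        if not match:
            continue
        if required_role is None:
            return 200
        if session is None:
            return 401  # forced browsing by an anonymous client
        # horizontal check: a user may only reach their own account
        owner = match.groupdict().get("user")
        if owner is not None and owner != session["user"] and session["role"] != "admin":
            return 403
        # vertical check: admin routes need the admin role, not just a login
        if required_role == "admin" and session["role"] != "admin":
            return 403
        return 200
    return 404


if __name__ == "__main__":
    jsmith = {"user": "jsmith", "role": "user"}
    for p in ("/", "/admin/", "/account/jsmith", "/account/sjoe", "/app/config.ini"):
        print(p, authorize(p, None), authorize(p, jsmith))
```

The three status codes are deliberate: 401 when no identity is known, 403 when the identity is known but not entitled, and 404 for the file types that should never be reachable, so that probing does not reveal their presence.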

Exercise

open: http://demo.testfire.net

Task 1: Forcefully browse your way into an Administration area

Task 2: Log into that Admin area

Task 3: Download any confidential document

Missing Funct Level Action Control