Post on 16-Nov-2020
Live Hacking
Threats & Countermeasures in Action (SEC411)
Ofer Maor
CTO
Hacktics Ltd.
Agenda
• Introduction to Application Hacking
• Demonstration of Attack Tool
• Common Web Application Attacks &
Countermeasures
• Live Bank Hacking Demo
• Questions & Answers
About Hacktics
• Security Services Company
• Provides wide range of services with focus on the
application security field
• Relies on vast experience in application level
penetration testing and secure development
Hacktics offers unique expertise in the technology and methodology of application security, together with out of the box thinking abilities and a keen understanding of the operational patterns of Hackers.
Introduction to
Application Hacking
Overview
• Today, most organizations create, use and
externalize distributed applications implementing
business processes.
• The increasing numbers of such applications
combined with the improved security in the
infrastructure layer drives hackers to turn to
application attacks.
• According to Gartner, over 75% of attacks today
take place in the application layer.
What Is Application Hacking?
• Taking advantage of application-level
vulnerabilities to attack the site
• Attacks relate to the semantics and meaning of
application messages, such as HTTP requests,
SQL Queries or proprietary requests.
• Differs from infrastructure attacks focusing on
identifying unauthorized services (port
scanning) and abusing known vulnerabilities.
Application vs. Infrastructure
• Not easily replicated (no script kiddies!), though
still easily exploitable
• Target the organization’s core business
operations rather than technology
• Allows launching direct attacks rather than
needing to break several circles of defense
• Used by attackers with specific agenda
(criminals, industrial espionage, etc.).
Vulnerabilities Mitigation
• No prepared patch to easily deploy
• Fixing the vulnerability requires recoding, turning
it into a costly procedure
• Design Mistake Fix Cost Increase (Gartner):
– 1x – During Design
– 6.5x – During Development
– 15x – During Testing
– 100x – After Deployment to Production
Technical vs. Logical
• Technical flaws relate to the specific technical
implementation of the application
• Logical flaws relate to the way business
processes were developed, unrelated to the
development infrastructure
• New security features added to development
infrastructure help decrease the number of
technical flaws, whereas logical flaws are still a
prominent problem
Web Application
Penetration Tool
Application Hacking Techniques
• Applications expect the client to behave in a
certain predefined manner (only user controlled
data is validated)
• The client, however, can be easily controlled by
the malicious user (attacker)
• Easily done using friendly GUI based tools
– Interactive Interception Proxies
– Browser Plug-ins
– etc.
Interception Proxy Demo
Common Web Application
Attacks & Countermeasures
(With Live Demo!)
Topics
• Reconnaissance (Active/Passive)
• Parameter Tampering
• Session Hijacking
• Scripts Injection
• Cross Site Scripting
• Flow Bypassing (Forceful Browsing)
• SQL Injection
Passive Reconnaissance
• Understanding the Application
• Requests Monitoring
• Structure & Flow Mapping
• Searching Code for Comments
• Identifying Development Infrastructure
• Retrieving Internet Resources
• Google Hacking
Active/Malicious Reconnaissance
• Generate Exceptions & Errors
• Unreferenced URLs
– Default Components
– Administrative Interfaces
– Configuration/Log Files
• Source Code Disclosure
– Known Vulnerabilities
– Backup/Old Files
– File Access Components
Active/Malicious Reconnaissance
• Result of Failing Key Secure Design Principles:
– Input Validation
– Exception Management
• Mitigation:
– Properly handle all exceptions
– Disable detailed error messages, if present
– Avoid storing any redundant files/information on
production machines
Parameter Tampering
• Overview
– The basic, most simple form of application level
attack
– Is targeted directly at the business logic of the application
– Often does not require much knowledge of application
attacks and can be achieved with no tools
Parameter Tampering
• The Problem
– Attackers may alter the value of parameters sent from the browser which were assumed by the developers to
remain as is
• Potential Damage
– Attacker may gain access to unauthorized data,
commit unauthorized transactions, go out of normal value boundaries, etc.
Parameter Tampering
• Result of Failing Key Secure Design Principles:
– Input Validation
– Authentication
– Authorization
– Session Management
• Mitigation:
– Never trust user submitted data
– Check authenticity and authorization for every
operation performed.
Session Hijacking
• Overview
– Session Hijacking is an attack in which the attacker successfully takes control over a user’s session, after
obtaining a valid session identifier
• Potential Damage
– Through this attack the attacker is able to gain
access to the system as if the attacker was authenticated to it, without ever knowing the
authentication credentials of the attacked user
Session Hijacking
Hacker's request was accepted as it contained a valid cookie
Session Hijacking
• Result of Failing Key Secure Design Principles:
– Proper Session Management
– Input Validation
• Mitigation:
– Always use a reliable session management
mechanism (such as the one in ASP/ASP.Net)
– Protect your site from script attacks…
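The slide leaves "a reliable session management mechanism" as a pointer to the framework's built-in one. As an added illustration (not code from the presentation and not ASP's implementation), the following Python sketch shows what such a mechanism has to provide so that a stolen or guessed cookie value is the only way in: identifiers drawn from the OS random source, server-side state only, expiry, rotation at login, and cookie attributes that keep page script away from the value. Names (SessionStore, session_cookie_header) and the 15-minute lifetime are assumptions for the example.

```python
import secrets
import time
from typing import Dict, Optional

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG; not guessable or enumerable
SESSION_LIFETIME_SECONDS = 900   # assumed idle timeout for the example


class SessionStore:
    """Server-side session table keyed by an unguessable identifier.

    The identifier carries no user information; everything about the
    session lives on the server, so the client can neither forge a
    session nor alter its contents.  `now` is injectable for testing.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: str) -> str:
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[session_id] = {"user": user_id, "last_seen": self._now()}
        return session_id

    def lookup(self, session_id: Optional[str]) -> Optional[str]:
        """Return the user bound to session_id, or None if it is missing,
        unknown, or idle for longer than SESSION_LIFETIME_SECONDS."""
        if not session_id:
            return None
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if self._now() - record["last_seen"] > SESSION_LIFETIME_SECONDS:
            del self._sessions[session_id]
            return None
        record["last_seen"] = self._now()
        return record["user"]

    def rotate(self, old_id: str) -> Optional[str]:
        """Issue a fresh identifier for an existing session (call after login
        or any privilege change) so an id observed earlier stops working."""
        record = self._sessions.pop(old_id, None)
        if record is None:
            return None
        new_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_id] = record
        return new_id

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def session_cookie_header(session_id: str) -> str:
    """Value for a Set-Cookie header.  HttpOnly denies page script access to
    the cookie (the theft path in the Scripts Injection slides), Secure keeps
    it off plaintext HTTP, SameSite limits cross-site sending."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The fake clock passed to the constructor is only there so the expiry path can be exercised deterministically; in a server the default `time.time` is used.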
Scripts Injection
• Overview
– A way to perform script-based attacks without being limited by browser security
– The attacker takes advantage of a component in the
system which displays to users information previously inserted by other users
– The attacker embeds a script into the input, which is
then executed on the browsers of other users
The script, now served from the web site's domain, was able to access sensitive information and send it to the attacker
Scripts Injection
• The Problem
– No input validation takes place when data is received
– No output sanitation is performed when data is sent back to other users
• Potential Damage
– Cookie Theft → Session Hijacking (Simple Exploit)
– Taking over entire browsing session (viewing users data and performing operations on their behalf)
– Improved Phishing Attacks
Cross Site Scripting (XSS)
• Overview
– Similar to Scripts Injection, Cross Site Scripting takes advantage of the same principle of making the remote
server send the malicious script to the client
– Unlike with Scripts Injection, however, the client is part of the attack process, as the script itself is not
permanently stored on the remote system
– The key elements of the problem, as well as the potential damage and mitigation are identical to those
of the scripts injection attack.
The script, sent by the attacked client to the
server was then received again by the client,
now with the proper security context, and
was able to send the cookie to the attacker
Cross Site Scripting (XSS)
XSS Code Example
A Search page:
<HTML><TITLE>Search Results</TITLE><BODY>
<%
SearchTerm = Request.QueryString("SearchStr")
' Querying DB Based on the Search Term
If SearchRS.EOF Then ' Search yielded no results
    Response.Write("No results found for ")
    Response.Write(SearchTerm)   ' the user-supplied term is echoed back unencoded
Else
    ' Display all records
End If
%>
</BODY></HTML>
With input string XXX, the result is:
<HTML><TITLE>Search Results</TITLE><BODY>
No results found for XXX
</BODY></HTML>
However, with a script injected, the result is:
<HTML><TITLE>Search Results</TITLE><BODY>
No results found for <SCRIPT>alert('Test')</SCRIPT>
</BODY></HTML>
Scripts Injection/XSS
• Result of Failing Key Secure Design Principles:
– Input Validation
– Output Sanitation
• Mitigation:
– The “Quick and Dirty” way – prevent users from inserting HTML meta characters such as <, >, ;, etc.
– Better yet, perform HTML encoding of all non alphanumeric characters, such as:
• < → &lt;
• > → &gt;
• " → &quot;
• etc.
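The two mitigations above differ in how much they encode. The following Python code is an added example (not code from the presentation, whose sample is classic ASP) that rebuilds the search page from the XSS Code Example with output encoding applied: `encode_meta_characters` is the entity list on the slide (via the standard library's `html.escape`), and `encode_non_alphanumeric` is the "better yet" rule, turning every character outside A-Z, a-z, 0-9 into a numeric entity. Function names and the sample search term are assumptions for the example.

```python
import html
import re

# Constructed sample input: the script from the deck's XSS Code Example.
SAMPLE_SEARCH_TERM = "<SCRIPT>alert('Test')</SCRIPT>"


def encode_meta_characters(text: str) -> str:
    """The slide's entity list: <, >, " (and & and ' as well) become entities.
    html.escape(quote=True) produces &lt; &gt; &quot; &#x27; and &amp;."""
    return html.escape(text, quote=True)


def encode_non_alphanumeric(text: str) -> str:
    """The 'better yet' rule: every character that is not ASCII A-Z, a-z or 0-9
    is written as a numeric entity (&#NN;).  The browser still displays the
    original text, but none of it can be parsed as markup or attribute syntax."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#{ord(ch)};"
        for ch in text
    )


def render_search_results(search_term: str, rows, encode: bool = True) -> str:
    """Builds the 'No results found for ...' page of the ASP sample.

    encode=False echoes the raw term (the vulnerable behaviour shown on the
    slide); encode=True applies encode_non_alphanumeric to every
    user-originated value before it is placed in the HTML.
    """
    shown = encode_non_alphanumeric(search_term) if encode else search_term
    if not rows:
        body = f"No results found for {shown}"
    else:
        # Stored records are user-originated too (Scripts Injection), so encode them as well.
        items = "".join(f"<LI>{encode_non_alphanumeric(r)}</LI>" for r in rows)
        body = f"<UL>{items}</UL>"
    return f"<HTML><TITLE>Search Results</TITLE><BODY>\n{body}\n</BODY></HTML>"


_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def contains_script_tag(page: str) -> bool:
    """Crude marker used only to compare the encoded and raw pages."""
    return _SCRIPT_TAG.search(page) is not None
```

Encoding at output time, rather than rejecting characters at input time, is what keeps the page correct for legitimate input such as a search for `a < b`: the text is still shown, it just cannot become markup.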
Flow Bypassing
• Overview
– Common Logical Attack (Using Forceful Browsing Techniques)
– Useful against step-based applications such as
wizards or redirection-based applications
– Allows attackers to overcome specific authentication or authorization mechanisms
Flow Bypassing
• The Problem
– Specific operations which require more than one request to be completed do not properly enforce the
flow of the operation
• Potential Damage
– Attacker can use this to overcome specific requests in
the flow that relate to security, allowing
• Authentication Circumvention
• Authorization Circumvention
• Operation Validity Verification
• etc.
Flow Bypassing
• Result of Failing Key Secure Design Principles:
– Authentication
– Authorization
– Session Management
• Mitigation:
– Enforce flow of multi-step operations
– Rely on session for storing flow information
– Reverify authorization when committing the operation
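The three mitigation points above (enforce the flow, keep flow state in the session, reverify authorization at commit) and the Parameter Tampering mitigation ("check authenticity and authorization for every operation") can be shown in one piece of code. This Python wizard is an added example, not code from the presentation: the step order, the account-ownership table and the class name are constructed for the illustration, and `session` stands in for the server-side session object of whatever framework is in use.

```python
from typing import Dict

# Constructed data: the ordered steps of a funds-transfer wizard.
TRANSFER_STEPS = ("choose_account", "enter_amount", "confirm", "commit")

# Constructed authorization table: which user owns which account.
ACCOUNT_OWNERS = {"acct-1001": "alice", "acct-2002": "bob"}


class FlowError(Exception):
    """Raised when a step is requested out of order (forceful browsing)."""


class TransferWizard:
    """Each handler first checks that it is the step the session expects.
    Progress lives only in the server-side session, never in hidden form
    fields, query parameters or cookies the client could rewrite."""

    def __init__(self, session: Dict[str, object]):
        self.session = session
        self.session.setdefault("transfer_step", 0)   # index of the next expected step
        self.session.setdefault("transfer_data", {})

    def _require_step(self, name: str) -> None:
        expected = TRANSFER_STEPS[self.session["transfer_step"]]
        if name != expected:
            raise FlowError(f"step {name!r} requested, {expected!r} expected")

    def _advance(self) -> None:
        self.session["transfer_step"] += 1

    def choose_account(self, user: str, account: str) -> None:
        self._require_step("choose_account")
        # Authorization on the submitted parameter, not on what the form offered.
        if ACCOUNT_OWNERS.get(account) != user:
            raise PermissionError("account not owned by user")
        self.session["transfer_data"]["account"] = account
        self._advance()

    def enter_amount(self, amount: int) -> None:
        self._require_step("enter_amount")
        if amount <= 0:                        # value-boundary check on the parameter
            raise ValueError("amount must be positive")
        self.session["transfer_data"]["amount"] = amount
        self._advance()

    def confirm(self) -> None:
        self._require_step("confirm")
        self._advance()

    def commit(self, user: str) -> dict:
        self._require_step("commit")
        data = dict(self.session["transfer_data"])
        # Reverify authorization at commit time; the step-1 check is not relied on.
        if ACCOUNT_OWNERS.get(data.get("account")) != user:
            raise PermissionError("account not owned by user")
        self.session["transfer_step"] = 0       # reset so the flow cannot be replayed
        self.session["transfer_data"] = {}
        return data
```

Because every handler consults the session's own step counter, a request for the commit URL with no preceding steps, or with steps skipped, is rejected regardless of what the client sends.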
SQL Injection
• Overview
– Most powerful web application attack – targeting the data itself
– Takes advantage of common usage of Dynamic SQL
Queries
– Allows an attacker to maliciously modify the query sent by the application to the server
SQL Injection
• The Problem
– When using Dynamic SQL, the syntax and parameters are concatenated together, thus allowing injection of
SQL syntax through parameters
• Potential Damage
– Access of Unauthorized Data
– Data Alteration
– Server Takeover
– Denial of Service (Server Availability/Data Destruction)
– More…
SQL Injection – Code Sample I
Login Page Code:
…
SqlStr = "SELECT UserID FROM Users WHERE Username = '" & Request.QueryString("User") & "' AND Password = '" & Request.QueryString("Pass") & "'"
Set MyConn = Server.CreateObject("ADODB.Connection")
MyConn.Open "my_conn", "dbuser", "dbpass"
Set AuthRS = Server.CreateObject("ADODB.Recordset")
AuthRS.Open SqlStr, MyConn
If AuthRS.EOF Then
    Response.Write("Invalid Login")
Else
    ' Perform Authenticated Code
End If
…
SQL Injection – Code Sample I
– When normal users log in, the following query is created:
SELECT * FROM Users WHERE Username = 'Hack' AND Password = 'Tics'
– However, an attacker can type in x' OR '1'='1 as the password, yielding the following query:
SELECT * FROM Users WHERE Username = 'Hack' AND Password = 'x' OR '1'='1'
– Returning a non empty record set, the attacker is logged on
SQL Injection – Code Sample II
Data Retrieval Code:
…
SqlStr = "SELECT * FROM Packages WHERE Desc LIKE " & "'%" & Request.QueryString("SearchStr") & "%'"
Set MyConn = Server.CreateObject("ADODB.Connection")
MyConn.Open "my_conn", "dbuser", "dbpass"
Set PkgsRS = Server.CreateObject("ADODB.Recordset")
PkgsRS.Open SqlStr, MyConn
If PkgsRS.EOF Then
    Response.Write("No Packages Match Search.")
Else
    ' Display all vacation packages information
End If
…
SQL Injection – Code Sample II
– With a normal search, the query received is:
SELECT * FROM Products WHERE ProdDesc LIKE '%Ios%'
– The attacker, however, can add a UNION SELECT statement to the parameter, turning the query into the following one:
SELECT * FROM Products WHERE ProdDesc LIKE '%XXX' UNION SELECT Username, Password FROM Users --%'
SQL Injection
• Result of Failing Key Secure Design Principles:
– Input Validation
– Authorization
– Cryptography
– Sensitive Data Access Limitations
• Mitigation:
– The “Quick and Dirty” way – perform input validation to
remove meta characters, and double every single quote (' becomes '')
– Better yet, avoid using dynamic SQL.
Use Parameterized Queries instead
SQL Injection
Using Parameterized Queries in C#
…
// Defining the Query with @PkgID as its parameter
String StrQry = "SELECT * FROM Packages Where PkgID = @PkgID";
// Creating the connection and the SQL Command
SqlConnection MyConn = new SqlConnection(ConnectionString);
SqlCommand MyQry = new SqlCommand(StrQry, MyConn);
// Creating and setting the parameter
MyQry.Parameters.Add(new SqlParameter("@PkgID", SqlDbType.Int));
MyQry.Parameters["@PkgID"].Value = Request.QueryString["PkgID"];
// And Execute
MyConn.Open();
SqlDataReader SqlDR = MyQry.ExecuteReader();
…
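To make the difference between Code Sample I and the parameterized version concrete on a running database, the following Python code is an added example (not code from the presentation, whose samples are ASP and C#). It reproduces the login query of Code Sample I both by concatenation and with bound parameters against an in-memory SQLite database, and the package search of Code Sample II with a bound LIKE pattern. The table contents, the `PkgDesc` column name (SQLite reserves `Desc`) and the function names are constructed for the example; the payloads are the two from the slides.

```python
import sqlite3

# Constructed sample rows.  Passwords are stored in clear here only so the
# slide's query can be reproduced verbatim; a real system stores hashes.
USERS = [("Hack", "Tics"), ("admin", "s3cret")]
PACKAGES = [
    ("Rockefeller Center Ice Skating", "One of the beautiful places in New York in winter"),
    ("Volare", "A small and wonderful Italian restaurant"),
]

# Payloads from the slides.
INJECTED_PASSWORD = "x' OR '1'='1"
INJECTED_SEARCH = "XXX' UNION SELECT Username, Password FROM Users --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users (Username, Password) VALUES (?, ?)", USERS)
    conn.execute("CREATE TABLE Packages (PkgID INTEGER PRIMARY KEY, Name TEXT, PkgDesc TEXT)")
    conn.executemany("INSERT INTO Packages (Name, PkgDesc) VALUES (?, ?)", PACKAGES)
    return conn


def login_dynamic_sql(conn, user: str, password: str):
    """Code Sample I as written: syntax and parameters concatenated into one
    string.  Returns the UserID of the first matching row, or None.
    Vulnerable by construction; kept to show what the parameterized form fixes."""
    sql = ("SELECT UserID FROM Users WHERE Username = '" + user
           + "' AND Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user: str, password: str):
    """Same query with bound parameters: the statement text is fixed and the
    values travel separately, so a quote inside the input stays data."""
    row = conn.execute(
        "SELECT UserID FROM Users WHERE Username = ? AND Password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


def search_packages_parameterized(conn, term: str):
    """Code Sample II with the LIKE pattern bound as a parameter; the wildcard
    characters are added in code, the user's text is matched literally."""
    rows = conn.execute(
        "SELECT Name FROM Packages WHERE PkgDesc LIKE ?", ("%" + term + "%",)
    ).fetchall()
    return [name for (name,) in rows]
```

Note that the parameterized search still treats `%` and `_` typed by the user as LIKE wildcards; if that matters for the application they need escaping with an ESCAPE clause, which is a separate concern from injection.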
Rockefeller Center Ice Skating
One of the beautiful places in New York in winter
Volare
147 West 4th Street, New York, New York 10012-1010
A small and wonderful Italian restaurant
Thank You!
For Additional Information:
Email:
Web: www.hacktics.com