Jeroen van Beek · with open(‘evil.yml') as yaml_file: contents = yaml.load(yaml_file) ......


Page 1

Jeroen van Beek

Page 2

Why bother?
Causes of data breaches
OWASP
◦ Top ten attacks
Now what?
Do it yourself
Questions?

Page 3

In many cases the web application stores:
◦ Personal information
◦ Passwords that also might be used elsewhere
◦ Credit card details

The media like hacks
◦ Your company doesn't…

Governments enforce data protection
◦ NL: Meldplicht Datalekken
◦ EU: General Data Protection Regulation a.k.a. GDPR

Page 4

Your company doesn't like that

Page 5

GDPR
◦ Since 25 May 2018
◦ Goal is to give control back to citizens and residents over their personal data
◦ Fines:
  ◦ Lower level: up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
  ◦ Upper level: up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher

Page 6

In many cases caused by technical issues:
◦ Poor/no input filtering
◦ Outdated software with known weaknesses
◦ Weak passwords

Non-techies are creating technical solutions:
◦ Click-and-play enterprise website
◦ Not aware of security issues

Techies are also not always aware
◦ What about you?

In many cases the issues are quite easy to solve
◦ If you know what to do…

Page 7

The same issues keep on coming back
◦ People make the same mistakes over and over again…

Open Web Application Security Project (OWASP):
◦ Free and open
◦ Top ten project
  ◦ Documents the 10 most critical webapp security flaws
  ◦ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  ◦ Latest version: 2017
◦ Documents solutions
  ◦ For all popular webapp environments

Page 8

Page 9

Key items are not logged
◦ Successful and failed logons
◦ Application errors

Not all interfaces monitored
◦ E.g. API forgotten

Insecure storage of logs
◦ Use write-only and/or non-local storage

No follow-up
◦ Logs never checked…

Page 10

Page 11

Keep your software up-to-date
◦ Patching doesn't stop at operating system level!
  ◦ Database
  ◦ Web server
  ◦ Third party libraries
  ◦ …

Lots of automated tools available
◦ Mapping: nmap, …
◦ Scanning: OpenVAS, Nessus, Nexpose, …
◦ Exploiting: Metasploit, …
◦ Script kiddies can and will do this!

Page 12

Page 13

Serialization
◦ The process of turning an object in memory into a stream of bytes that can be stored or transmitted.
◦ $array = array("a" => 1, "b" => 2, "c" => array("a" => 1, "b" => 2));
  a:3:{s:1:"a";i:1;s:1:"b";i:2;s:1:"c";a:2:{s:1:"a";i:1;s:1:"b";i:2;}}

Deserialization
◦ The reverse process, turning a stream of bytes into an object in memory.

Issues
◦ Parsers are complex and prone to errors
◦ User data in a web app is untrusted
◦ Doing something wrong might mean (remote) code execution

Page 14

Vulnerable PyYAML example:

    import yaml

    with open('evil.yml') as yaml_file:
        contents = yaml.load(yaml_file)

    print(contents['foo'])

Exploit (the contents of evil.yml):

    foo: !!python/object/apply:subprocess.check_output ['whoami']

Known danger:
◦ "Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though."
◦ https://searchcode.com/?q=yaml.load…
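The searchcode query above is the manual version of a code-review check. As an added example (not from the slides), this stdlib-only scanner walks a Python source file's AST and reports every yaml.load() that is not bound to a safe loader; it assumes the module is imported as `import yaml`, and the SAMPLE source is constructed from the slide's snippet plus a few variants.

```python
import ast

# Loaders that let PyYAML construct arbitrary Python objects from tags such as
# !!python/object/apply; SafeLoader / CSafeLoader are the ones that do not.
UNSAFE_LOADERS = {"Loader", "FullLoader", "UnsafeLoader",
                  "CLoader", "CFullLoader", "CUnsafeLoader"}

def find_unsafe_yaml_loads(source: str, filename: str = "<string>") -> list:
    """Return sorted (line, reason) pairs for yaml.load()/yaml.unsafe_load()
    calls that are not bound to a safe loader. Detection only, no rewriting."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only calls spelled yaml.<something>(...)
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            continue
        if func.attr == "unsafe_load":
            findings.append((node.lineno, "yaml.unsafe_load() constructs arbitrary objects"))
            continue
        if func.attr != "load":
            continue
        # Loader may be passed by keyword or as the second positional argument
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = node.args[1]
        if loader is None:
            findings.append((node.lineno, "yaml.load() without an explicit Loader "
                                          "(older PyYAML defaults to the full loader)"))
        elif isinstance(loader, ast.Attribute) and loader.attr in UNSAFE_LOADERS:
            findings.append((node.lineno, f"yaml.load() with yaml.{loader.attr}"))
    return sorted(findings)

# Constructed sample: the slide's snippet plus a safe and an unsafe variant
SAMPLE = '''
import yaml
with open("evil.yml") as yaml_file:
    contents = yaml.load(yaml_file)
safe = yaml.safe_load(open("a.yml"))
full = yaml.load(open("b.yml"), Loader=yaml.FullLoader)
good = yaml.load(open("c.yml"), Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {reason}")
```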

Page 15

Exploits developed for deserialization libraries of many popular frameworks:
◦ Apache Commons Collections (3.x and 4.x)
◦ Spring Beans/Core (4.x)
◦ Groovy (2.3.x)
◦ JRE <= 1.7u21

Other parsers might also be vulnerable

Resources:
◦ https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
◦ http://frohoff.github.io/owaspsd-deserialize-my-shorts/
◦ https://github.com/frohoff/ysoserial
◦ https://github.com/NetSPI/JavaSerialKiller

Page 16

Cross Site Scripting
◦ Execute scripts in the victim's browser
  ◦ Hijack user sessions
  ◦ Deface web sites
  ◦ Insert hostile content
  ◦ Conduct phishing attacks
  ◦ Take over the user's browser using scripting malware
◦ In most cases JavaScript based
  ◦ Also applicable to other scripting languages

Page 17

Two types:
◦ Reflective: code injected by e.g. sending a phishing email
  ◦ victim.com/get.php?id=<script>alert(123)</script>
  ◦ E.g. one phishing email per attack
◦ Stored: evil code is e.g. stored in the database or logs
  ◦ Store <script>alert(123)</script> in the DB record for the welcome message of a CMS
  ◦ Store once, run for all users
◦ Interesting goals for an attacker:
  ◦ Session hijacking (stealing cookies)
  ◦ Privilege escalation (account upgrade by targeting admins)

Page 18

Advanced tools are out there to abuse flaws
◦ Tunnel traffic using XSS: https://github.com/portcullislabs/xssshell-xsstunnell

Impact is more limited nowadays
◦ Browsers implement countermeasures

Page 19

Out of the box installs
◦ Next, next, next, finish

Find it using Google:
◦ Web front-end for Oracle: intitle:iSQL intitle:Release inurl:isqlplus
◦ Indexing of sensitive information:
  ◦ intitle:"Index of" .mysql_history
  ◦ filetype:sql "phpMyAdmin SQL Dump"
  ◦ filetype:pdf paspoortnummer koopcontract
◦ Many many useful Google Dorks online: https://www.exploit-db.com/google-hacking-database/

Page 20

Default passwords
◦ http://www.defaultpassword.com/

Page 21

iPhone botnet
◦ Default SSH password after jailbreak

Routers

Page 22

User can access and modify object values

Example:
◦ Login using your credentials
◦ Link refers to http://app/details?userid=1
◦ Script download of all files: userid=[1-9999]

Hashing doesn't help

Page 23

Server side authorization checks are not performed for all functionality

Attacks:
◦ Escalate from anonymous user to authenticated user
◦ Escalate from authenticated user to admin

Examples:
◦ If /users/user1/admin/ exists, it might be worth checking if /users/userN/admin/ also exists

Difficult to identify with automated tools

Page 24

Hidden and unchecked parameter:
◦ Add to POST data when updating a user: &ctl00%24ContentPlaceHolder1%24dvUser%24cbxUserAdmin=on
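Pages 22 to 24 share one root cause: the server trusts the request (the userid in the link, the hidden admin checkbox) instead of its own session. The following is an added example, not code from the slides, of the server-side check that closes both holes; the in-memory USERS table, the Session class and the route functions are constructed for the example.

```python
from dataclasses import dataclass

# Constructed in-memory user table for the example; a real app would query its database.
USERS = {
    1: {"name": "alice", "is_admin": False, "files": ["a.pdf"]},
    2: {"name": "bob",   "is_admin": False, "files": ["b.pdf"]},
    9: {"name": "root",  "is_admin": True,  "files": []},
}

@dataclass
class Session:
    user_id: int   # set by the server at login, never copied from request parameters

# Fields a user may change about themselves. "is_admin" is deliberately absent, so a
# hidden or unchecked parameter such as cbxUserAdmin=on is discarded, not applied.
SELF_EDITABLE = {"name"}

def get_details(session: Session, requested_userid: int):
    """GET /details?userid=N: only the record's owner or an admin may read it.
    The decision uses the server's session, so hashing or obscuring the id
    adds nothing and is not needed either."""
    target = USERS.get(requested_userid)
    if target is None:
        return 404, None
    caller = USERS[session.user_id]
    if requested_userid != session.user_id and not caller["is_admin"]:
        return 403, None   # scripting userid=[1-9999] now yields only 403s
    return 200, target

def update_user(session: Session, requested_userid: int, form: dict) -> int:
    """POST update: write allow-listed fields only; the admin flag needs an admin caller."""
    status, target = get_details(session, requested_userid)
    if status != 200:
        return status
    caller = USERS[session.user_id]
    for key, value in form.items():
        if key in SELF_EDITABLE:
            target[key] = value
        elif key == "is_admin" and caller["is_admin"]:
            target["is_admin"] = (value == "on")
        # every other key (e.g. ctl00$...$cbxUserAdmin) is dropped on the floor
    return 204
```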

Page 25

Problem can also occur with 'secret' files:

Page 26

Untrusted XML input is parsed
Attacker includes evil entities in XML
XML parser processes evil entities

Examples:
◦ Local files: <!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
◦ URLs: <!ENTITY xxe SYSTEM "https://intranet.lan/secret" >]>
◦ DoS: <!ENTITY xxe SYSTEM "file:///dev/random" >]>
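All three examples need a DTD to declare the entity, and application data never legitimately carries one, so the simplest defence is to refuse any DOCTYPE before the real parse. As an added example (not from the slides), this stdlib-only guard uses expat's declaration callbacks to reject such input; the BENIGN and XXE_FILE documents are constructed, the latter mirroring the slide's file:///etc/shadow entity.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""

def assert_no_dtd(data: bytes) -> None:
    """Fail fast on any DTD: external entities (file://, https://, /dev/random)
    and entity-expansion bombs all need one."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: the DOCTYPE handler already fires first.
        raise DtdNotAllowed(f"entity '{name}' -> {sysid or value!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)   # exceptions raised in handlers propagate here

def parse_untrusted(data: bytes) -> ET.Element:
    """Parse user-supplied XML only after the DTD check has passed."""
    assert_no_dtd(data)
    return ET.fromstring(data)

def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted(data)
    except DtdNotAllowed:
        return True
    return False

# Constructed inputs
BENIGN = b'<?xml version="1.0"?><order><item>book</item></order>'
XXE_FILE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/shadow">]>'
            b'<order><item>&xxe;</item></order>')
```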

Page 27

Blind out-of-band attacks are possible as well:

Page 28

Secure transport: sending sensitive information over an unencrypted link
◦ No encryption / obfuscation
◦ Weak encryption
◦ Downgrade attacks

Check for no encryption / obfuscation
◦ Sniff data:

    GET http://target/INSTALL.pgsql.txt HTTP/1.0
    Accept: */*
    User-Agent: Mozilla/4.0
    Host: target
    Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx=

Page 29

Secure transport: weak transport encryption
◦ Protocol issues
  ◦ Known flaws in SSLv2, SSLv3 and TLSv1.0
  ◦ SSLv3 and TLSv1.0 still enabled in many cases (e.g. non-www)
◦ Ciphers
  ◦ E.g. DES, RC4, 3DES based
  ◦ Weak ciphers can be cracked
◦ Weak algorithms
  ◦ E.g. MD5, SHA-1

Page 30

Used in 'Flame' malware
◦ Signed Windows Updates!
◦ Linked to Equation Group / NSA
◦ Most targets in the Middle East

Page 31

Page 32

Secure transport: downgrade attacks
◦ Strip SSL layer: sslstrip
  ◦ http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
  ◦ https://moxie.org/software/sslstrip/
◦ Fun! Hijack e.g. Facebook and Twitter sessions: Firesheep
  ◦ https://github.com/codebutler/firesheep
  ◦ Worked since not all pages were using https at the time

Page 33

Secure storage:
◦ Not encrypting sensitive data
◦ Using home grown algorithms
◦ Insecure use of strong algorithms
◦ Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, …)
◦ Hard coded keys, and storing keys in unprotected environments

Page 34

Real-life example (screenshot of a stored password table; annotations: "same passwords", "<password>1 <password>2 …", "different length passwords")

Page 35

How to decode the passwords?
◦ Create your own account
◦ Password = 'aaaaaaaa'
  ◦ Stored password hash, e.g. \01\02\03\04\05\06\07\08
◦ Password = 'bbbbbbbb'
  ◦ Stored password hash, e.g. \02\03\04\05\06\07\08\09
◦ Etc.
◦ Find the link password ↔ hash
◦ Write a decoder:

    for (i = 0; i < in.length(); i++)
        print(alfabet(in.position(i) - i))   // undo the per-position offset: byte i = alphabet index + i

◦ Decode all passwords
◦ Dump sensitive information
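Why the two sample hashes on this page are enough to break the scheme, and what the table should have stored instead, as an added example that is not code from the slides: the home-grown encoder is inferred from those two samples (alphabet a=1, plus the byte's position), and the lower-case ALFABET and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import string

ALFABET = string.ascii_lowercase   # constructed: the real application's alphabet is unknown
ITERATIONS = 100_000               # PBKDF2 work factor; tune upwards for real deployments

def homegrown_encode(password: str) -> bytes:
    """The scheme the slide's samples imply: byte i = alphabet position (a=1) + i.
    'aaaaaaaa' -> 01 02 03 .. 08, 'bbbbbbbb' -> 02 03 04 .. 09."""
    return bytes(ALFABET.index(c) + 1 + i for i, c in enumerate(password))

def homegrown_decode(stored: bytes) -> str:
    """Undo the per-position offset. No secret is needed, so this is an
    encoding, not a hash: equal passwords give equal output, and the output
    length leaks the password length (both visible in the screenshot)."""
    return "".join(ALFABET[b - i - 1] for i, b in enumerate(stored))

def pbkdf2_store(password: str, salt: bytes = b"") -> tuple:
    """Proper storage: random per-user salt plus a slow, one-way KDF.
    Returns (salt, digest); the digest is fixed-length whatever the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```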

Page 36

Page 37

Page 38

No rate limiting and lock-out
◦ Brute force usernames and passwords

Inadequate password policy
◦ Password = username, "password", welcome01, etc.

Predictable / low entropy session IDs
◦ Weak implementations typically use:
  ◦ Sequential numbers
  ◦ Hashes of sequential numbers
  ◦ Time elapsed since start of the server / service
◦ Attacker can:
  ◦ Disconnect all users
  ◦ Hijack existing sessions

Page 39

Not invalidating session IDs
◦ Or: never expires

Weak enrollment and recovery processes
◦ Not so secret questions: The Fappening / Celebgate
◦ Protect master secrets with PIN / PUK + no lock-out
  ◦ https://www.os3.nl/_media/2016-2017/ot-report-digidentity.pdf
◦ Enroll 2FA with password only

Page 40

Logical flaws
◦ Intel Management Engine (ME / AMT)
  ◦ Low level access to system (KVM)
  ◦ On, even if your PC is switched off
  ◦ Uses a web server (!!)
  ◦ Password check: strncmp(computed_value, user_value, len(user_value))

What's wrong?
◦ user_value = '' → strncmp('anything', '', 0)
◦ Nothing matches nothing (length 0): login successful…
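The defect is that the comparison length comes from the value the client sent, so any client-chosen prefix of the expected value (the empty string being the shortest) passes. As an added example, not the firmware's code, here is a Python model of that strncmp check next to a fixed comparison over the full expected value; the hex digest used as computed_value in the test is constructed.

```python
import hmac

def check_vulnerable(computed_value: str, user_value: str) -> bool:
    """Models strncmp(computed_value, user_value, len(user_value)) == 0:
    the number of characters compared is chosen by the client."""
    n = len(user_value)
    return computed_value[:n] == user_value[:n]

def check_fixed(computed_value: str, user_value: str) -> bool:
    """Compare the whole expected value; a length mismatch is a failure the
    client cannot talk its way around, and compare_digest is constant-time."""
    return hmac.compare_digest(computed_value.encode(), user_value.encode())

def login_outcomes(computed_value: str) -> dict:
    """The slide's case (empty response) and a correct response, for both checks."""
    return {
        "vulnerable_empty":   check_vulnerable(computed_value, ""),              # 0 chars "match"
        "vulnerable_correct": check_vulnerable(computed_value, computed_value),
        "fixed_empty":        check_fixed(computed_value, ""),
        "fixed_correct":      check_fixed(computed_value, computed_value),
    }
```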

Page 41

SQL injection
◦ Also applicable to other languages
◦ User input is directly used in a query
  ◦ Manipulation of the database query
  ◦ User input 'search' = jeroen
  ◦ Backend uses: select details from users where name='jeroen'
  ◦ Attacker input 'search' = jeroen' or 1=1--
  ◦ Backend uses: select details from users where name='jeroen' or 1=1
  ◦ This is always true: display all records
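The slide's query and the slide's attacker input, run against a constructed in-memory SQLite table, as an added example that is not code from the slides: the concatenated version returns every row for the `or 1=1--` input, while the bound-parameter version treats the same input as a literal name and returns nothing.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, details TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jeroen", "details-j"), ("alice", "details-a"), ("bob", "details-b")])
    return conn

def search_vulnerable(conn: sqlite3.Connection, search: str) -> list:
    """The slide's backend: the input is pasted into the SQL text, so a quote
    ends the literal and '--' comments out whatever follows."""
    sql = "select details from users where name='" + search + "'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn: sqlite3.Connection, search: str) -> list:
    """Bound parameter: the driver passes the value separately from the SQL,
    so it can only ever be compared as a name, never parsed as SQL."""
    sql = "select details from users where name=?"
    return [row[0] for row in conn.execute(sql, (search,))]

if __name__ == "__main__":
    db = make_db()
    for user_input in ("jeroen", "jeroen' or 1=1--"):
        print(repr(user_input), search_vulnerable(db, user_input), search_parameterized(db, user_input))
```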

Page 42

Page 43

Page 44

Advanced tools are out there to abuse flaws
◦ Database (bulk) download
◦ OS file upload
◦ OS file download
◦ OS command execution
◦ …

sqlmap
◦ https://github.com/sqlmapproject/sqlmap
◦ Tunnel an SQL injection based OS shell over HTTP!

Page 45

Detection:
◦ Detection of well-known attacks using IDS
◦ Check web server logs
◦ Check network flows
◦ Difficult to detect all attacks!

Prevention:
◦ Use good practices: https://www.owasp.org/index.php/OWASP_Guide_Project
◦ Review and/or test the application before going live
  ◦ Source code review: https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
  ◦ Penetration test: https://www.owasp.org/index.php/OWASP_Testing_Project
  ◦ https://www.owasp.org/index.php/Appendix_A:_Testing_Tools

Page 46

Hacking is not allowed
◦ "Wet Computer Criminaliteit"
◦ Testing without breaking in is also not allowed

If you want to test your (organization's) apps:
◦ Use a letter of authorization
  ◦ Document the type of activities you will be performing
  ◦ Document the IPs that will be tested
  ◦ Signed by the system's owner

Page 47

Hands-on hacking environment
◦ Ten web based levels
◦ Six platform based levels
◦ In each level you can find a password
  ◦ Password gives access to the next level
◦ You need to exploit a weakness to get the password
◦ Most OWASP top ten issues are included
◦ We'll show hints on the screen to help you
  ◦ If needed ;)

Work in teams
We explicitly allow you to hack the system :)

Page 48

More hands-on hacking:
◦ Books
  ◦ http://www.webhackingexposed.com/
◦ Certifications
  ◦ https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
  ◦ https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
  ◦ https://www.giac.org/

Page 49

J.C.vanBeek@uva.nl