Top Ten Web Attacks
Saumil Shah, Net-Square
BlackHat Asia 2002, Singapore

Today's battleground – the Web
• Web sites and web applications are growing rapidly.
• Complex business applications are now delivered over the web (HTTP).
• Increased "web hacking" activity.
• Worms on the web.
• How much damage can be done?
• Firewalls?

Typical Web Application set-up
[Diagram: a web client sends an HTTP request (cleartext or SSL) through the firewall to the web server (Apache, IIS, Netscape, etc.), which runs the web applications through plugins (Perl, C/C++, JSP, etc.) and reaches the SQL database over a database connection (ADO, ODBC, etc.); the HTTP reply carries HTML, JavaScript, VBScript, etc.]

Traditional Hacking… Limitations
• Modern network architectures are getting more robust and secure.
• Firewalls are used in almost all network roll-outs.
• OS vendors are learning from past mistakes (?) and coming out with patches rapidly.
• Increased maturity in coding practices.

Utility of Firewalls
[Diagram: attacks on OS network services such as Sun RPC, NT ipc$ and wu-ftpd are blocked at the firewall before they reach the web server, application servers and databases.]
• Hacks on OS network services are prevented by firewalls.

Utility of Firewalls
[Diagram: the web server, application servers and databases sit behind the firewall; direct access to the back end is blocked.]
• Internal back-end application servers are on a non-routable IP network (private addresses).

Utility of Firewalls
[Diagram: outbound connection attempts from the web server are blocked at the firewall.]
• Outbound access is restricted. Why would a web server telnet out?

Futility of Firewalls
• E-commerce / web hacking is unfettered.
• Web traffic is the most commonly allowed protocol through Internet firewalls.
• Why fight the wall when you've got an open door?
• HTTP is perceived as "friendly" traffic.
• Content/application-based attacks are still perceived as rare.

The Web Hacker's Toolbox
Essentially, all a web hacker needs is …
• a web browser,
• an Internet connection,
• … and a clear mind.

Classifying Web Hacks
Web hacks fall under the following categories:
• URL Interpretation attacks
• Input Validation attacks
• SQL Injection attacks
• Impersonation attacks
• Buffer Overflow attacks

Firewalls cannot prevent…
[Diagram: the web client's request passes through the firewall and reaches a misconfigured web server.]
• URL Interpretation attacks.

Firewalls cannot prevent…
[Diagram: the request passes the web server (URL Interpretation attacks) and reaches the web applications, which check user inputs poorly.]
• Input Validation attacks.

Firewalls cannot prevent…
[Diagram: the request passes the web server (URL Interpretation attacks) and the web applications (Input Validation attacks); the extended SQL statements reach the database.]
• SQL Query Poisoning.

Firewalls cannot prevent…
[Diagram: URL Interpretation attacks at the web server, Input Validation attacks and SQL query poisoning at the application and database tiers, and reverse-engineering of HTTP cookies on the client side.]
• HTTP session hijacking.
• Impersonation.

Why is Web Hacking so deadly?
• Ports 80 and 443 are usually allowed through firewalls.
• A single URL works its way into many components.
• And in most cases, the only defense is "secure coding".

The URL as a cruise missile
[Diagram: the URL below travels through the firewall, the web server, the web applications and on to the database, each component handling a different part of it.]
http://10.0.0.1/catalogue/display.asp?pg=1&product=7

Web Hacks – net effects
Web hacks cause three types of effects:
• Extra information disclosure (paths, etc.).
• Source code and arbitrary file content disclosure.
• Extra data disclosure (e.g. return all rows).
• Arbitrary command execution.

The Web Hacker's Toolbox
Some desired accessories would be …
• a port scanner,
• netcat,
• a vulnerability checker (e.g. whisker),
• OpenSSL, … etc.

Hacking over SSL
• SSL myth: "Strong 128-bit crypto stops hackers dead in their tracks."
• Using netcat and OpenSSL, it is possible to create a simple two-line SSL proxy!
• Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.
[Diagram: web client → nc → openssl → SSL web server.]

The Top 10 Web Hacking Techniques
1. URL Misinterpretation
2. Directory Browsing
3. Retrieving "non-web" Files
4. Reverse Proxying
5. Java Decompilation
6. Source Code Disclosure
7. Input Validation
8. SQL Query Poisoning
9. Session Hijacking
10. Buffer Overflows

1. URL Misinterpretation
• The web server fails to parse the URL properly.
• e.g. the Unicode / superfluous decode attack.
• Mismatched resource mappings in the configuration.
• e.g. +.htr, .JSP, Java remote command execution, etc.
Countermeasures:
• Usually require a vendor-supplied fix.
• Thorough inspection of the web server configuration and bindings.

2. Directory Browsing
• Ability to retrieve a complete directory listing of directories on the web server.
• Usually happens when the default document is missing.
• Not-so-strict web server configuration.
Countermeasures:
• Web server configuration lock-down.
• Disable serving of directory listings.
• Sometimes the error may require a vendor-supplied fix.

3. Retrieving "non-web" Files
• "Non-web" files can be:
  • Archive files (.zip, .tar.gz, etc.)
  • Backup files (.bak, ~, etc.)
  • Header / include files (.inc, .asa, etc.)
  • Text files (readme.txt, etc.)
• Can be retrieved with some guesswork.
• e.g. if there is a directory called /reports/, look for "reports.zip".
Countermeasures:
• Eliminate careless presence of such files.
• Disable serving certain file types by creating a resource mapping.
• Strict change control measures.
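An added example, not from the slides: a defender-side audit of a document root for the "non-web" file types listed above, including the /reports/ next to reports.zip guess. The extensions and the file names used in the test are constructed; audit_webroot() is the same check run over a real directory.

```python
# Added example: audit a web root for the "non-web" files the slide lists.
# audit_paths() works on a list of paths relative to the web root, so it can
# be run on a directory walk or on a file inventory kept by change control.
import os
import posixpath

ARCHIVE_EXT = (".tar.gz", ".tgz", ".tar", ".zip", ".rar")
BACKUP_EXT = (".bak", ".old", ".orig", ".swp", "~")
INCLUDE_EXT = (".inc", ".asa")


def classify(relpath, dirnames):
    """Return a reason string if relpath looks like a non-web file, else None."""
    name = posixpath.basename(relpath).lower()
    for ext in ARCHIVE_EXT:
        if name.endswith(ext):
            stem = name[: -len(ext)]
            # the slide's guess: a directory /reports/ and a file reports.zip
            if stem in dirnames:
                return "archive named after the directory /%s/" % stem
            return "archive file"
    if name.endswith(BACKUP_EXT):
        return "backup or editor leftover"
    if name.endswith(INCLUDE_EXT):
        return "header / include file served raw"
    if name.startswith("readme") and name.endswith(".txt"):
        return "readme text file"
    return None


def audit_paths(relpaths):
    """Map each suspicious path (web-root relative, '/'-separated) to a reason."""
    dirnames = set()
    for p in relpaths:
        parts = p.strip("/").split("/")
        dirnames.update(part.lower() for part in parts[:-1])
    findings = {}
    for p in relpaths:
        reason = classify(p, dirnames)
        if reason is not None:
            findings[p] = reason
    return findings


def audit_webroot(root):
    """Walk a real document root on disk and audit everything under it."""
    relpaths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            relpaths.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return audit_paths(sorted(relpaths))
```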

4. Reverse Proxying
• Web proxy servers may work both ways!
• Typically meant to allow users from within a network to access external web sites.
• May end up proxying HTTP requests from the outside world to the internal network.
• e.g. Compaq Insight Manager
• Usually happens when the front-end web server proxies requests to back-end app servers.
Countermeasures:
• Check the web server proxy configuration thoroughly.
• Be careful when creating URL mappings to internal servers.

5. Java Decompilation
• Java bytecode can be decompiled quite effectively.
• May disclose sensitive information such as passwords, application paths, etc.
• May also disclose application logic – such as generation of session IDs, encryption, etc.
• Java Archive files (.jar files) may contain files other than bytecode, such as configuration files.
Countermeasures:
• Java bytecode obfuscation.
• Elimination of sensitive configuration information within bytecode.
• Elimination of unnecessary files within .jar files.

6. Source Code Disclosure
• Ability to retrieve application files in an unparsed manner.
• Attackers can recover the source code of the web application itself.
• The code can then be used to find further loopholes / trophies.
• May be caused in many ways:
  • Misconfiguration or vendor errors
  • Poor application design, etc.
Countermeasures:
• Vendor-supplied fixes.
• Locking down the web server configuration.
• Secure coding practices.

7. Input Validation
• Root cause of most web hacks.
• All inputs received should be validated:
  • data types
  • data ranges (e.g. -ve or fractional numbers)
  • buffer sizes and bounds
  • metacharacters
• Tampering with hidden fields.
• Bypassing client-side checking (e.g. JavaScript).
Countermeasures:
• These are the worst to deal with!
• There is no other countermeasure but proper coding practices.
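An added example, not from the slides: server-side validation for the catalogue request shown earlier in the deck (display.asp?pg=1&product=7), extended with a hidden "price" field. Each check maps to one bullet above (data type, range, buffer bound, metacharacters, hidden-field tampering); the price table and the limits are constructed for the example.

```python
# Added example: server-side checks for display.asp?pg=...&product=... plus a
# hidden "price" field. Nothing here trusts a client-side (JavaScript) check.
import re

MAX_FIELD_LEN = 16                          # buffer bound: applied before anything else
WHOLE_NUMBER = re.compile(r"[0-9]{1,10}")   # data type: digits only, no sign, no fraction
SAFE_TEXT = re.compile(r"[A-Za-z0-9 ._-]*")  # free text: anything else is a metacharacter

# constructed server-side price table (cents); the client never sets prices
CATALOGUE_PRICES = {7: 1999, 8: 4999}


class ValidationError(ValueError):
    pass


def parse_whole_number(name, value, lo, hi):
    """Data type, buffer bound and range check for a numeric parameter."""
    if value is None:
        raise ValidationError("%s: missing" % name)
    if len(value) > MAX_FIELD_LEN:
        raise ValidationError("%s: too long" % name)
    # rejects "-7", "1.5" and "3 OR 1=1" alike: only digits count as a number
    if WHOLE_NUMBER.fullmatch(value) is None:
        raise ValidationError("%s: not a whole number" % name)
    number = int(value)
    if not lo <= number <= hi:
        raise ValidationError("%s: out of range" % name)
    return number


def check_free_text(name, value, max_len=64):
    """Length bound plus metacharacter rejection for a free-text field."""
    if len(value) > max_len:
        raise ValidationError("%s: too long" % name)
    if SAFE_TEXT.fullmatch(value) is None:
        raise ValidationError("%s: metacharacters not allowed" % name)
    return value


def validate_catalogue_request(params):
    """Validate the query-string parameters and the hidden price field."""
    pg = parse_whole_number("pg", params.get("pg"), 1, 1000)
    product = parse_whole_number("product", params.get("product"), 1, 999999)
    if product not in CATALOGUE_PRICES:
        raise ValidationError("product: unknown")
    # hidden field: the server recomputes the price and only records tampering
    price = CATALOGUE_PRICES[product]
    claimed = params.get("price")
    tampered = claimed is not None and claimed != str(price)
    return {"pg": pg, "product": product, "price": price, "price_tampered": tampered}


def is_valid(params):
    """True if validate_catalogue_request() accepts params."""
    try:
        validate_catalogue_request(params)
        return True
    except ValidationError:
        return False


def is_safe_text(value):
    """True if check_free_text() accepts value."""
    try:
        check_free_text("q", value)
        return True
    except ValidationError:
        return False
```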

8. SQL Query Poisoning
• Parameters from the URL or input fields get used in SQL queries.
• An instance of Input Validation attacks.
• Data can be altered to extend the SQL query.
  • e.g. http://server/query.asp?item=3+OR+1=1
• Execution of stored procedures.
• May even lead to back-end database server compromise.
Countermeasures:
• Again, no easy fix.
• Thorough source code review.
• Following the principle of least privilege for the database application.
• Elimination of unnecessary database users and stored procedures.
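An added example, not from the slides: the query.asp?item=... pattern rebuilt on an in-memory SQLite table with constructed rows, showing the poisoned query beside a validated, parameterised one, and a read-only SQLite authorizer standing in for the least-privilege database account the countermeasures call for.

```python
# Added example: item=3+OR+1=1 against a constructed products table, the
# parameterised fix, and a read-only authorizer as a least-privilege stand-in.
import sqlite3

PRODUCTS = [(1, "widget"), (2, "gadget"), (3, "gizmo"), (4, "unreleased prototype")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    conn.commit()
    return conn


def lookup_poisonable(conn, item):
    """The flaw behind item=3+OR+1=1: the parameter is glued into the SQL text."""
    sql = "SELECT id, name FROM products WHERE id = " + item
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, item):
    """Validate the type first, then bind the value: the query text never changes."""
    try:
        item_id = int(item)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (item_id,)
    ).fetchall()


def restrict_to_reads(conn):
    """Least privilege: the application's connection may only read, so a
    poisoned query cannot become DELETE/DROP or a stored-procedure call."""
    def authorizer(action, _arg1, _arg2, _dbname, _source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


def can_delete_everything(conn):
    """True if the connection is allowed to wipe the table (it should not be)."""
    try:
        conn.execute("DELETE FROM products")
        conn.rollback()          # undo the probe on an unrestricted connection
        return True
    except sqlite3.DatabaseError:
        return False
```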

9. Session Hijacking
• HTTP is inherently a "stateless" protocol.
• Many web applications are stateful.
• Poor mechanisms of state tracking:
  • Hidden fields carrying a session ID
  • Client-side cookies
  • … with no server-side session tracking.
• Reverse engineering of the session ID leads to access of other users' data.
Countermeasures:
• Use server-side session ID tracking.
• Match connections with time stamps, IP addresses, etc.
• Cryptographically generated session IDs.
  • hard to sequence.
• Use web application server session management APIs when possible.
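An added example, not from the slides: a server-side session store along the lines of the countermeasures above. IDs come from the OS CSPRNG, so there is no sequence to reverse-engineer, every lookup is matched against the client address and a time stamp, and all state stays on the server. The timeout, the injectable clock and the addresses in the test are constructed for the example.

```python
# Added example: server-side session tracking with unguessable IDs, an idle
# timeout and a client-address match, as the countermeasure slide suggests.
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session dies
SESSION_ID_BYTES = 32           # 256 bits of entropy per ID


class Session:
    __slots__ = ("user", "client_ip", "created", "last_seen")

    def __init__(self, user, client_ip, now):
        self.user = user
        self.client_ip = client_ip
        self.created = now
        self.last_seen = now


class SessionStore:
    """All state lives here; the client only ever holds the opaque ID."""

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so the timeout can be tested
        self._sessions = {}

    def create(self, user, client_ip):
        # token_urlsafe() draws from os.urandom(); contrast with a counter or a
        # user-name-plus-timestamp scheme, which a hidden field would expose
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user, client_ip, now)
        return sid

    def resolve(self, sid, client_ip):
        """Return the user for sid, or None if unknown, idle too long, or from another address."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT:
            self.destroy(sid)
            return None
        if session.client_ip != client_ip:
            # the ID was leaked or guessed; caveat: clients behind a pool of
            # outbound proxies trip this too, so some deployments log instead
            return None
        session.last_seen = now
        return session.user

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def active_count(self):
        return len(self._sessions)
```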

10. Buffer Overflows
• Poor bounds checking.
• Web server HTTP requests.
  • e.g. ASP buffer overflow, .printer, etc.
• Application input fields.
  • e.g. ColdFusion DoS, etc.
• Can cause:
  • Denial of service (crashing the app / service)
  • Remote command execution (shellcode)
Countermeasures:
• Vendor-supplied fixes.
• Bounds checking within applications.
• Source code reviews.
• Buffer overflow testing.

Hacking Web-enabled Devices
• Network equipment, printers, etc. are becoming "web enabled".
• e.g. Cisco IOS HTTP hack, HP WebJetAdmin hack, etc.
• May leak sensitive information about a network.
• May allow proxying of web attacks.

Beating the IDS
• "Secure Hacking" – hacking over SSL.
• Many ways of writing the same URL.
  • Defeats signature-based pattern matching.
• Spurious parameters.
• Intentionally generating false positives.
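An added example, not from the slides, for the "many ways of writing the same URL" point above and the superfluous-decode trick from technique 1: canonicalise the request path before signature matching so the variants collapse to one form, and report the encoding tricks seen on the way. Lower-casing assumes a case-insensitive target such as IIS; the paths and signatures in the test are constructed.

```python
# Added example: canonicalise a request path before an IDS signature match,
# flagging double decoding, backslash separators, null bytes and traversal
# that climbs above the document root.
from urllib.parse import unquote


def canonical_path(raw):
    """Return (canonical path, sorted list of anomalies) for a raw request path."""
    anomalies = set()
    path = raw.split("?", 1)[0]
    once = unquote(path)
    # superfluous decode: a second pass still changes the string, i.e. the
    # request carried %25xx escapes hoping the server decodes twice
    if unquote(once) != once:
        anomalies.add("double-encoding")
    if "\\" in once:
        anomalies.add("backslash-separator")
        once = once.replace("\\", "/")
    if "\x00" in once:
        anomalies.add("null-byte")
    segments = []
    for seg in once.split("/"):
        if seg in ("", "."):
            continue            # empty and "." segments carry no information
        if seg == "..":
            if segments:
                segments.pop()
            else:
                anomalies.add("traversal-above-root")
            continue
        segments.append(seg)
    # assumption: case-insensitive target (IIS), so case is not a distinguishing feature
    return "/" + "/".join(segments).lower(), sorted(anomalies)


def signature_hit(raw, signatures):
    """Match signatures against the canonical form, never against the raw bytes."""
    canon, _anomalies = canonical_path(raw)
    return any(sig.lower() in canon for sig in signatures)
```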

Closing Thoughts
• Far harder to secure web sites and web applications.
• Need to create a heightened level of security awareness.
• Use of formal software engineering methods for developing web applications.
• Use of secure coding practices.
• Thorough application testing.
• "There is no patch for carelessness."
• Web Hacking: Attacks and Defense, Saumil Shah, Shreeraj Shah, Stuart McClure. Addison Wesley – 2002.