Alberto Moro - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Alberto Moro

Description:

... strings (%n, %s) to retrieve memory information, DoS, code execution... DoS problem again, and the hacker's countermeasures: Open Proxies, anonymous p2p ... – PowerPoint PPT presentation

Number of Views:81
Avg rating:3.0/5.0
Slides: 32
Provided by: informa2
Category:
Tags: alberto | dos | moro

less

Transcript and Presenter's Notes

Title: Alberto Moro


1
Alberto Moro
  • Bruteforcing Web Applications

2
Bruteforcing WebApps
  • Introduction
  • Why BF WebApps?
  • BF Problems
  • What BF
  • Strategies
  • Countermeasures
  • References

3
Introduction
  • What is Bruteforcing?
  • Cryptanalysis method of defeating a
    cryptographic scheme by trying a large number of
    possibilities
  • What is a Web Application?
  • A Web application is generally comprised of a
    collection of scripts, that reside on a Web
    server and interact with databases or other
    sources of dynamic content
  • Ex search engines, Webmails, shopping carts,
    portal systems, etc.

4
Introduction
  • Bruteforcing Web Applications
  • Method of enumerate (preferable automatically)
    all possible solutions for a given HTTP problem

HTTP requests (GET/POST)?
HTTP responses
Web Server
Auditor
5
Why BF WebApps?
  • Most popular attacks are against Web Servers
  • BF is a very good method for knowing more about
    your enemy
  • Helps in looking for well know and new
    vulnerabilities
  • Allows automation -gt distributed multi
    threating attacks
  • Depending of the attack, when performed, many
    IDS/IPS won't be noticed

6
BF Problems
  • Each environment is different
  • You are not sure a priori what you should BF
  • Key space varies from applications
  • Responses are not homogeneous between servers or
    applications
  • The analyst must have always the final word, we
    need all the responses for each possible solution

7
What BF
  • Credentials
  • Application user names
  • Passwords
  • URLs for discovering unlinked files and
    directories. Locate
  • Administrative panels
  • Default server scripts
  • Badly secured internal pages

8
What BF
  • Variable values
  • Changing for new ones
  • The application could take us to another worlds
    )?
  • Injecting special data for discovering well known
    vulnerabilities or new ones
  • Cross-Site Scripting
  • SQL Injections
  • Path transversal
  • Fuzzing inject lot of data in different parts of
    the request, format strings (n, s) to retrieve
    memory information, DoS, code execution...

9
What BF
  • SessionIDs
  • Stored in the user cookies
  • As parameter in the URL
  • Into hidden input fields
  • If the attack is successful, it will be possible
    to impersonate another users

10
Strategies
  • Enumerating resources
  • For each possible input, grab the response. If
    the response is a solution, then discard the
    rest.
  • Enumerating users
  • Try a lot of user names via dictionaries and
    discard bad responses (user doesn't exists try
    again)?
  • Enumerating files
  • Check response codes or returned text for every
    possible request. (200OK, 404Not Found)?

11
Strategies
  • Attacking user's accounts
  • One user, multiple passwords
  • One password, multiple users (reverse BF)?
  • SessionIDs
  • Limit the key space
  • Weak algorithms Request a lot of IDs and study
    possible sequential patrons
  • Short IDs BF most of the key space

12
Strategies
  • Access to unlinked parts of the application
  • BF the variables present in the URLs
  • http//www.server.com/inbox?uId124653
  • Stored inside hidden fields ltform
    methodpostgt ltinput typeuId value124653gt lt/for
    mgt
  • Or inside the cookies
  • Cookie SESSIONID4032FE640CEB482AB432E1
    uId12564

13
Strategies
  • Limiting the key space
  • Password reminder application that sends the user
    an email link like this
  • http//www.server.com/validate/00546489432441
  • http//www.server.com/validate/41246489432436
  • http//www.server.com/validate/26146489432451
  • Keyspace of 1,000,000,000,000,000 limited to
    1,000,000 possible combinations
  • 00046489432400
  • ...
  • 99946489432499

14
Examples
15
Examples


Codes Lines Words Requests
16
Examples
17
Examples
200 OK
301 Moved
403 Forbidden
18
Examples
19
Examples
20
Examples
21
Examples
22
Examples
23
Examples
24
Examples
25
Countermeasures
26
Countermeasures
  • Weak Passwords discovering
  • Account lockouts
  • User lockout. Problem with legitimate
    user'sApplication layer Denial of Service
    (DoS)?
  • IP Blocking. Problem ISP Proxies, NAT... DoS
    problem again, and the hacker's countermeasures
    Open Proxies, anonymous p2p networks (tor),
    distributed attacks, etc.
  • Slow down responses incremental timeouts
  • Captcha

27
Countermeasures
  • Popular Client-Side languages (java, javascript
    and vbscript) calculations
  • Good practices maintain good password policies
  • Complexity
  • Minimum password length
  • Aging

28
Countermeasures
  • User names enumeration
  • Don't give too much information to the attacker
    (or customer)?
  • SessionIDs
  • Use strong cryptography algorithms
  • Well known vulnerabilities
  • Well known programming practices )?
  • Other attacks
  • Web Application Firewalls (WAF) like ModSecurity

29
References
  • Burp Intruder PortSwiggerhttp//www.portswigger
    .net/intruder/
  • Bruteforce-Force Exploitation of Web Application
    Session IDs - David Endler -iDefensehttp//www.cg
    isecurity.com/lib/SessionIDs.pdf
  • Anti Brute Force Resource Metering -
    NGSSsoftwarehttp//www.ngssoftware.com/papers/NIS
    R-AntiBruteForce ResourceMetering.pdf
  • Brute force attack - Wikipediahttp//en.wikipedia
    .org/wiki/Brute_force_attack
  • Crowbar New generation web application brute
    force attack tool - Senseposthttp//www.sensepos
    t.com/research/crowbar/crowbar0861.pdf

30
References
  • ModSecurity Web Application Firewallhttp//www.mo
    dsecurity.org/

31
Thank You
Write a Comment
User Comments (0)
About PowerShow.com