Exploiting and Defending: Common Web Application Vulnerabilities
©2016 – Cypress Data Defense, LLC
Introduction: Steve Kosten
Senior Security Consultant
SANS Instructor
Denver OWASP Chapter Lead
Certifications: CISSP, GWAPT, GSSP-Java, CISM
Contact: [email protected], Twitter @skosten
Agenda
Introduction
A1: Injection
A3: Cross-Site Scripting (XSS)
A8: Cross-Site Request Forgery (CSRF)
Disclaimer
Using real attack tools
Illegal to attack targets without written contractual consent
Obey all state and federal laws
Cypress Data Defense assumes no liability
A1: Injection
A1: Injection
Injection flaws occur when an application sends untrusted data to an interpreter.
Text-based attacks that exploit the syntax of the targeted interpreter.
Almost any source of data can be an injection vector, including internal sources.
A1: SQL Injection
XKCD
In The News (Target)
110 million customer records
Email, mailing addresses, other Personally Identifiable Information (PII)
In The News (Living Social)
50 million customer records
Email, DOB, password hashes, challenge questions & answers
In The News (Heartland)
130 million credit card numbers
$200 million loss
A1: Example (1)
Inline SQL:
rs = statement.executeQuery("Select EmployeeId, LastName, FirstName, PhoneNumber " +
        "From Employees " +
        "Where EmployeeId = " + request.getParameter("employeeId")); // untrusted input concatenated into the SQL text
Command Injection:
Runtime.getRuntime().exec(String.format("myTestProcess.exe %s", request.getParameter("employeeId"))); // untrusted input formatted into the command line
Exploitation DEMO
sqlmap DEMO
http://sqlmap.org/
Written in Python
A1: Solution
Parameterized Queries
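The two vulnerable snippets from the example slide, rewritten with parameterized queries and a fixed argument list. This is an added example written for this page, not code from the slides or from Cypress Data Defense; the table and column names come from the slide, while the numeric employee id format and the allow-list pattern are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not from the original slides): user input never reaches the
// interpreter as syntax, only as a bound value or a separate argument.
public class InjectionFixes {

    // The slide concatenates request.getParameter("employeeId") into the SQL
    // text, so the request controls the query structure. A PreparedStatement
    // fixes the structure at prepare time and ships the value separately; the
    // driver never parses the value as SQL.
    public static String findEmployee(Connection conn, String employeeIdParam)
            throws SQLException {
        // Type validation is defence in depth; the parameter binding below is
        // the control that removes the injection.
        int employeeId;
        try {
            employeeId = Integer.parseInt(employeeIdParam);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("employeeId must be numeric");
        }
        String sql = "SELECT EmployeeId, LastName, FirstName, PhoneNumber "
                   + "FROM Employees WHERE EmployeeId = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, employeeId); // bound as data, not spliced into the text
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                return rs.getString("LastName") + ", " + rs.getString("FirstName");
            }
        }
    }

    // The slide formats the input into a single command string, so extra
    // tokens in the input become extra arguments (or worse, if the program
    // hands its arguments to another interpreter). ProcessBuilder takes a
    // fixed argument list, and an allow-list rejects anything that is not an
    // employee id before it gets there. Assumed format: 1 to 9 digits.
    private static final Pattern EMPLOYEE_ID = Pattern.compile("^[0-9]{1,9}$");

    public static ProcessBuilder buildProcess(String employeeIdParam) {
        if (!EMPLOYEE_ID.matcher(employeeIdParam).matches()) {
            throw new IllegalArgumentException("employeeId must be 1-9 digits");
        }
        // Exactly two argv entries; the input can never add a third.
        return new ProcessBuilder(List.of("myTestProcess.exe", employeeIdParam));
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed id and a malformed one.
        System.out.println(buildProcess("1042").command());
        try {
            buildProcess("1042; ls");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The database call is left for the reader to wire to a real Connection; the main method only exercises the argument-list path so the class runs without a database.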
XSS
Cross-Site Scripting
A3: Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper encoding.
Execute scripts in the victim's browser
Hijack user sessions
Deface web sites
Redirect the user to malicious sites
In The News (Sears)
In The News (EF)
Site defaced to contain flashing images designed to cause seizures
Some victims required hospital care
In The News (Obama)
Primaries web site had XSS in the blog pages
Payloads injected to redirect users to Hillary Clinton's election web site
Reflected Example
HTML Context:
<td><%= request.getParameter("Name") %></td>
URL Context:
<a href='<%= String.format("details.aspx?id=%s", request.getParameter("Name")) %>'></a>
JavaScript Context:
<a href='<%= String.format("javascript:redirect ('{%s}')", request.getParameter("Name")) %>'>View</a>
Exploitation DEMO
Browser Exploitation Framework (BeEF)
http://beefproject.com/
Written in Ruby
Mitigations
Encoding, encoding, encoding
Validation is not the solution
Contexts to consider: Html, Url, JavaScript, HtmlAttribute, Css, Xml, XmlAttribute
Mitigations (2)
Recommended encoding libraries: OWASP Java Encoder
HTTP Security Headers (SourceClear Headlines)
X-XSS-Protection
Content-Security-Policy (CSP)
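The three reflected contexts from the example slide, each rendered through the OWASP Java Encoder method that matches its context. This is an added example written for this page, not code from the slides or from the OWASP Encoder project; it assumes the org.owasp.encoder:encoder library is on the classpath, and it moves the JavaScript case out of a javascript: URL into a script block, because a javascript: href is percent-decoded by the browser before it is parsed as script, which adds a decoding layer the encoder does not account for.

```java
import org.owasp.encoder.Encode;

// Added example (not from the original slides): one encoder per output context.
// Requires the OWASP Java Encoder (org.owasp.encoder.Encode).
public class ContextualEncoding {

    // HTML body context from the slide: <td>NAME</td>.
    // forHtml turns < > & " ' into entities, so markup in the value is inert.
    public static String htmlCell(String name) {
        return "<td>" + Encode.forHtml(name) + "</td>";
    }

    // URL context from the slide: the value is a query-string component of an
    // href. Two layers in output order: percent-encode it as a URI component,
    // then attribute-encode the finished href because it sits inside quotes.
    public static String detailsLink(String name) {
        String href = "details.aspx?id=" + Encode.forUriComponent(name);
        return "<a href='" + Encode.forHtmlAttribute(href) + "'></a>";
    }

    // JavaScript context, restructured from the slide's javascript: URL into a
    // script block. forJavaScript escapes quotes and backslashes (so the literal
    // cannot be closed early) and < / (so "</script>" cannot end the block).
    public static String redirectScript(String name) {
        return "<script>redirect('" + Encode.forJavaScript(name) + "');</script>";
    }

    public static void main(String[] args) {
        // Constructed inputs that would break out of each context if left raw.
        String markup = "<b title=\"x\">Smith</b>";
        String quoteBreak = "O'Brien</script>";
        System.out.println(htmlCell(markup));
        System.out.println(detailsLink(markup));
        System.out.println(redirectScript(quoteBreak));
    }
}
```

Encoding is applied at the point of output, not at input, which is why the slide says validation is not the solution: the same stored value needs a different encoding in each place it is rendered.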
CSRF
Cross Site Request Forgery
In The News
Researcher earns $10,000 bug bounty
CSRF vulnerability allowing attackers to:
Add payment methods
Modify email addresses
Change security questions
Add privileged users
In The News (GoDaddy)
Admin console vulnerable to CSRF allowing attackers to perform the following:
Modify automatic renewals
Edit zone files
Name server management
In The News
• 2012: Multiple manufacturers
• 4.5 Million Routers Compromised in Brazil
Cross-Site Request Forgery
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information.
Audit logs will show the user made the transaction
User has no knowledge of the transaction
Cross-Site Request Forgery (CSRF) Example
Multiple Authenticated Sessions
Cross-Site Request Forgery (CSRF) Example (2)
Payload on attack page
<form id="csrfForm" action="http://localhost:8080/csrf/content/vulnerable/changepassword" method="POST" >
<input type="hidden" name="newPassword" value="StorageRoomB" />
<input type="hidden" name="confirmPassword" value="StorageRoomB" />
</form>
Cross-Site Request Forgery (CSRF) Example (3)
Request triggered from authenticated session
POST /csrf/content/vulnerable/changepassword HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=2E7F523BE6E086F5EEB593B2B69842D2
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

newPassword=StorageRoomB&confirmPassword=StorageRoomB
Cross-Site Request Forgery (CSRF) Example (4)
200 response from web site
HTTP/1.1 200 OK
<div class="alert alert-dismissable alert-success"><span>Your password was successfully changed.</span>
</div>
Exploitation DEMO
Simple JavaScript POST
Mitigations
CSRF Mitigations
Random nonce for each request
Anti-Forgery Tokens
CSRF Guard (OWASP Project)
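A minimal synchronizer-token check of the kind that turns the forged password-change request on the following slides into a 403. This is an added example written for this page, not code from the slides, from Spring Security or from OWASP CSRFGuard; the in-memory session map and the form map stand in for the servlet HttpSession and request parameters, and the JSESSIONID value and the guessed token are the ones shown on the slides.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the original slides): a per-session anti-forgery
// token that a cross-origin attack page cannot read and therefore cannot send.
public class CsrfTokenCheck {

    private static final SecureRandom RNG = new SecureRandom();
    // sessionId -> token; in a real application this lives in the HttpSession.
    private final Map<String, String> tokensBySession = new HashMap<>();

    // Issue an unguessable token and bind it to the session. The server embeds
    // it in every state-changing form as the hidden _csrf field. The browser
    // attaches the session cookie to a forged POST automatically, but the
    // same-origin policy keeps the attacker's page from reading the token.
    public String issueToken(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokensBySession.put(sessionId, token);
        return token;
    }

    // Returns the HTTP status the state-changing request should receive.
    // A missing token is treated exactly like a wrong one, and the comparison
    // is constant-time so timing does not leak the expected value.
    public int checkRequest(String sessionId, Map<String, String> form) {
        String expected = tokensBySession.get(sessionId);
        String supplied = form.get("_csrf");
        if (expected == null || supplied == null) {
            return 403;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b) ? 200 : 403;
    }

    public static void main(String[] args) {
        CsrfTokenCheck guard = new CsrfTokenCheck();
        String session = "2E7F523BE6E086F5EEB593B2B69842D2"; // JSESSIONID from the slides
        String token = guard.issueToken(session);

        // Forged request: valid cookie, but a token the attacker had to guess.
        Map<String, String> forged = new HashMap<>();
        forged.put("newPassword", "StorageRoomB");
        forged.put("confirmPassword", "StorageRoomB");
        forged.put("_csrf", "103ae2a3-d4d6-46e9-8ba6-92188ff998c2");
        System.out.println("forged  -> " + guard.checkRequest(session, forged));

        // Genuine request: the server-rendered form carried the real token.
        Map<String, String> genuine = new HashMap<>(forged);
        genuine.put("_csrf", token);
        System.out.println("genuine -> " + guard.checkRequest(session, genuine));
    }
}
```

One caveat the later slides illustrate: the 403 body there exposes a java.lang.NullPointerException, which is the sample application's own error handling surfacing; a production filter should reject with a generic error page so the response reveals nothing about the token check.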
Cross-Site Request Forgery (CSRF) Solution (1)
Payload with incorrect csrf token
<form id="csrfForm" action="http://localhost:8080/csrf/content/vulnerable/changepassword" method="POST" >
<input type="hidden" name="newPassword" value="StorageRoomB" />
<input type="hidden" name="confirmPassword" value="StorageRoomB" />
<input type="hidden" name="_csrf" value="103ae2a3-d4d6-46e9-8ba6-92188ff998c2" />
</form>
Cross-Site Request Forgery (CSRF) Solution (2)
Request with invalid token submitted
POST /csrf/content/vulnerable/changepassword HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=2E7F523BE6E086F5EEB593B2B69842D2
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

newPassword=StorageRoomB&confirmPassword=StorageRoomB&_csrf=103ae2a3-d4d6-46e9-8ba6-92188ff998c2
Cross-Site Request Forgery (CSRF) Solution (3)
403 response from web site
HTTP/1.1 403 Forbidden
<div class="alert alert-dismissable alert-danger"><span>java.lang.NullPointerException</span>
</div>
Questions?
Contact Info
Steve
Twitter: @skosten
Email: [email protected]
Thanks for attending!