Web Application Security: Common Vulnerabilities and Evasion Techniques

Introduction

Bill Pennington, Principal Consultant, Guardent
Tested over 300 web applications over the past 3 years
Why your firewall doesn't matter

Standard rant.

Top 5 Vulnerabilities

- SQL injection
- Cross-site scripting (XSS)
- Session hijacking
- Parameter manipulation
- Unbounded file calls

Cross-site scripting: why you should care

XSS is not an attack on the server; it is an attack on the users of your application.

So what?
- Identity theft
- User masquerading
- Reputation risk

XSS continued...

- Transient (reflected) XSS generally requires user interaction.
- What can happen? The possibilities are restricted only by what the client will execute.
- Cookie theft is the most common example.
- "But I filter '<' and '>'": JavaScript entities such as &{alert('Test')}; need neither character.

Session Hijacking

- HTTP is stateless, so application designers must build a way to track state.
- Cookies and URL strings are the most common ways to track state.
- Both are easily exploitable.

Session Hijacking continued...

- Generally the next thing to occur after XSS.
- Please, people: logout means logout!
- Examples of common session tracking issues.

Do you know where your data is?

Building an exclusionary filter is difficult because your data is all over the place.
Data Flow example

[Diagram: data from a Customer enters www.badapp.com and reaches both a Customer Database and a Marketing Database.]
Designing a proper filter

- Make all filters default deny.
- Don't try to exclude "bad stuff".
- Try to get a good idea where your data is going.
- Log all filter violations.

Evasion

Evasion is the art of blending in so you will not be noticed; this age-old survival technique is, of course, still useful today.

evade
1. to escape or avoid somebody or something, usually by ingenuity or guile
2. to avoid doing something unpleasant, especially something that is a moral or legal obligation
3. to avoid dealing with or responding directly to something
4. to be difficult or impossible for somebody to find, obtain, or achieve (formal)

Filter Bypassing

Filter bypassing is a technique to evade detection by filtering systems. Filter-bypassing techniques come in many varieties when applied to the many facets of web application security. The general idea behind the techniques described here is to bypass security measures designed to prevent certain types, amounts or values of data from being passed into a given system. Many of these techniques are highly effective when used properly and become more powerful when used in combination.

Most filter systems are very simple, as the flow chart shows (the flow chart is not reproduced here).

Seven forms of ingenuity:
- URL-encoded strings
- Double hex encoding
- Unicode-encoded strings
- Long URLs
- Case sensitivity
- XSS filter-bypass manipulation
- Null character injection

IIS Double Hex

Round 1 decoding: scripts/..%255c../winnt becomes scripts/..%5c../winnt (%25 is the "%" character).
Round 2 decoding: scripts/..%5c../winnt becomes scripts/..\../winnt (%5c is the "\" character).
Directory path traversal is now possible, the path having been obfuscated through double hex encoding. A filter that decodes the URL only once, or checks the path before the second decode, never sees the backslash.

The Unicode Slash

Unpatched IIS accepted "%c0%af", an overlong UTF-8 encoding of "/" that a strict decoder rejects, as the equivalent of a slash.
Therefore the common IIS URL exploit scripts/..%c0%af../winnt becomes scripts/../../winnt. Once again, directory path traversal is possible through path obfuscation, this time via Unicode.

Double Slash

Using multiple directory slashes in a URL, for example http://www.foo.com/..//etc//passwd, can slip under the radar of IDS signatures written for the single-slash form and still function properly.

Method Switching

Many web applications do not properly perform HTTP request method sanity checking. Method switching can be used to bypass IDS, logging features and CGI security mechanisms. Most web servers do not log POST data, so forensic analysis becomes harder.
The request GET /cgi-bin/some.cgi can become POST /cgi-bin/some.cgi, with the parameters moved from the query string into the request body.

HTTP 1.1 Methods

The Method token indicates the method to be performed on the resource identified by the Request-URI:
OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT

Using your "HEAD"

The HEAD request method can be used to determine whether a particular HTTP resource is accessible without actually downloading the resource data. Scans and web application attacks can be made more efficient with this technique.

URL Encoded String

The URL specification (RFC 1738, December 1994) limits the characters allowed in a URL to a subset of US-ASCII: "...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL." Everything else must be %-encoded, which gives every character a second representation that a filter has to decode before matching.

XSS Filter-Bypass Manipulation

This technique is used to pass client-side scripting through the security filters an application has implemented. The goal is to achieve execution of a client-side script in the victim's browser. There are several techniques used to perform this attack.
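The three path-obfuscation slides above (IIS double hex, the Unicode slash and the double slash) all defeat a check that inspects the request path before it has been fully decoded. The following Python is an added example, not code from the slides or from Guardent or WhiteHat; it contrasts a one-pass check of the kind being bypassed with one that canonicalises first and then applies the default-deny rule from the filter-design slide. The sample paths are the slides' own; the function names and the decode-round limit are assumptions for this example.

```python
# Added example (not from the slides): a traversal check that inspects the raw
# request path misses IIS-style double-hex and overlong-UTF-8 encodings; a check
# that canonicalises first does not.
from typing import Optional
from urllib.parse import unquote_to_bytes
import posixpath

# Assumption: bound the number of decode rounds so an attacker cannot make the
# filter loop on deeply nested %2525...-style encodings.
MAX_DECODE_ROUNDS = 4


def naive_is_traversal(raw_path: str) -> bool:
    """The weak check the slides bypass: one round of %-decoding, then look for
    a '..' path component. It never folds backslashes and it replaces undecodable
    bytes instead of rejecting them."""
    decoded = unquote_to_bytes(raw_path).decode("utf-8", errors="replace")
    return ".." in decoded.split("/")


def canonicalize(raw_path: str) -> Optional[str]:
    """Return the request path in canonical form, or None if it cannot be trusted.

    1. %-decode repeatedly until the result stops changing, so ..%255c.. is
       unwrapped to ..\\.. rather than stopping at ..%5c..
    2. Decode the bytes as strict UTF-8: Python rejects overlong sequences such
       as C0 AF, which is exactly the %c0%af trick.
    3. Refuse embedded NULs, fold backslashes to slashes, drop leading slashes
       and let posixpath.normpath collapse '.', '..' and repeated slashes.
    """
    current = raw_path.encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote_to_bytes(current)
        if nxt == current:
            break
        current = nxt
    else:
        return None  # still changing after the limit: treat as hostile
    try:
        text = current.decode("utf-8")  # strict: overlong forms raise here
    except UnicodeDecodeError:
        return None
    if "\x00" in text:
        return None
    text = text.replace("\\", "/").lstrip("/")
    return posixpath.normpath(text)


def is_traversal(raw_path: str) -> bool:
    """Default deny: anything undecodable or escaping the web root is a violation."""
    canon = canonicalize(raw_path)
    if canon is None:
        return True
    return canon == ".." or canon.startswith("../")


if __name__ == "__main__":
    # Constructed sample requests; the first four are the slides' own examples.
    for path in ("scripts/../../winnt",
                 "scripts/..%255c../winnt",
                 "scripts/..%c0%af../winnt",
                 "/..//etc//passwd",
                 "images/%2e%2e/logo.png"):
        print(f"{path:28} naive={naive_is_traversal(path)!s:5} "
              f"canonical={canonicalize(path)!r} traversal={is_traversal(path)}")
```

The naive check passes both of the IIS encodings because it stops after one decode and silently replaces the invalid C0 AF byte pair; the canonical form of the double-hex path is "../winnt", and the overlong path is rejected outright rather than guessed at. Running the canonical path through normpath also shows why the check must be made on the result and not on the raw text: "images/%2e%2e/logo.png" stays inside the web root and is allowed.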
Test the Filters

Submit all the raw HTML tags you can find, then view the output. Combine HTML with tag attributes such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers). This shows what HTML is allowed, what changes were made, and what potentially dangerous HTML survives to be exploited.

Decimal HTML Entities

A variation on the previous techniques: a decimal HTML entity placed between the characters of the protocol name can bypass a filter that looks for the literal string "javascript:", yet the browser still executes the JavaScript.
<IMG SRC="java&#09;script:js_expression">
Decimal values 09, 10, 11, 12 and 13 (tab, LF, VT, FF, CR) have all been seen to work.

Hex HTML Entities

Another variation on the previous example: hex HTML entities may also be used to bypass the filter restriction, yet execute JavaScript.
<IMG SRC="java&#x09;script:js_expression">

Padding HTML Entities

Padding the HTML entity with leading "0"s may also be used to bypass the filter, yet still execute JavaScript.
<IMG SRC="java&#0000009;script:js_expression">

STYLE JavaScript Import

The @import feature in CSS may be used to source a javascript: URL.
<style TYPE="text/css">
@import url(javascript:alert('Javascript is executed'));
</style>

STYLE URL Import

The @import feature in CSS can also be used to import JavaScript-bearing content from another HTTP resource.
<STYLE type=text/css>
@import url(http://www.test.com);
</STYLE>

LINK Style Sheet

The LINK tag can be used to import JavaScript from a remote HTTP resource.
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">

AND CURLY (JavaScript entities)

<IMG SRC="&{javascript_expression};">
<IMG SRC="&{alert('alert')};">
Syntax must be exact. Note that &{...}; JavaScript entities, javascript: URLs in @import and text/javascript style sheets were features of the Netscape 4 and early Internet Explorer era; current browsers do not execute script through them, so test against the browsers your users actually run.

Dangerous HTML Tags

"All HTML is to be considered dangerous, but these tags are the most insidious."
<APPLET> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <ILAYER> <META> <OBJECT> <SCRIPT> <STYLE>

Dangerous HTML Attributes (HTML tags with these attributes)

SRC LOWSRC STYLE HREF

One tool to rule them all...
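The entity slides above (decimal, hex and zero-padded entities inside "javascript:") all exploit the same gap: the filter compares the literal attribute value, while the browser decodes character references and drops control characters before it resolves the URL. The following Python is an added example, not code from the slides or from WhiteHat; it applies the default-deny advice from the filter-design slide to a SRC/HREF value by normalising it first. The scheme allow-list, the relative-URL character class and the function names are assumptions for this example; the sample values are the slides' own vectors, constructed here as test input.

```python
# Added example (not from the slides): normalise an attribute URL the way a
# browser effectively does, then apply a default-deny rule to the result.
import html
import re
from urllib.parse import urlsplit

# Assumptions for this example: the application only ever links to web URLs,
# and a relative link is a plain path with ordinary query/fragment characters.
ALLOWED_SCHEMES = {"http", "https"}
SAFE_RELATIVE = re.compile(r"^[A-Za-z0-9_./?=&%#~-]*$")
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_UNESCAPE_ROUNDS = 3


def naive_allows(url: str) -> bool:
    """Literal filter of the kind the slides defeat: block the exact text 'javascript:'."""
    return "javascript:" not in url.lower()


def normalize_url(url: str) -> str:
    """Decode character references (decimal, hex and zero-padded) until the value
    stops changing, drop the ASCII control characters browsers tolerate inside a
    scheme (tab, LF, VT, FF, CR ...), and trim surrounding whitespace."""
    decoded = url
    for _ in range(MAX_UNESCAPE_ROUNDS):
        nxt = html.unescape(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return _CONTROL_CHARS.sub("", decoded).strip()


def safe_allows(url: str) -> bool:
    """Default deny: after normalisation, allow only http(s) or a plain relative path.
    A URL whose scheme is javascript:, data: or anything else is rejected, and a
    &{...}; JavaScript entity fails the relative-path character class."""
    norm = normalize_url(url)
    scheme = urlsplit(norm).scheme.lower()
    if scheme:
        return scheme in ALLOWED_SCHEMES
    return bool(SAFE_RELATIVE.fullmatch(norm))


if __name__ == "__main__":
    # Constructed sample attribute values, taken from the slides' vectors.
    for value in ("java&#09;script:alert(1)",
                  "java&#x09;script:alert(1)",
                  "java&#0000009;script:alert(1)",
                  "java&#11;script:alert(1)",
                  "&{alert('x')};",
                  "http://www.example.com/page?id=1",
                  "/images/logo.png"):
        print(f"{value:36} naive={naive_allows(value)!s:5} "
              f"normalised={normalize_url(value)!r} safe={safe_allows(value)}")
```

The literal filter lets every entity variant through, because "java&#09;script:" does not contain "javascript:" as text. After normalisation all five control-character values the slide lists (09, 10, 11, 12, 13) collapse to the same "javascript:" prefix and are refused by the scheme allow-list; double-encoded forms such as "&amp;#13;" are unwrapped by the repeated unescape. Rejecting anything not on the allow-list, rather than enumerating bad prefixes, is what makes the check hold up against the next encoding trick.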
[Screenshot: WhiteHat Arsenal 1.07 Beta Evaluation, by WhiteHat Security, Inc. (copyright 2002 WhiteHat Security, Inc., all rights reserved). The window shows Connection, Headers and WebAuth tabs, an Address field, a Method selector, Spider/Ripper/RipURL buttons and Discover, Utilities and Encode/Encrypt panels, with this introduction text:]

WhiteHat Arsenal 1.07 Beta Release

WhiteHat Arsenal is designed to be the next generation of professional web application security audit software. Architected from the ground up to be a generic web application security productivity tool, WhiteHat Arsenal provides security professionals and web application developers access to the tools they need to [text cut off in the screenshot]
Conclusion

Questions