Web Application Security: Vulnerabilities and Evasion Techniques (slides, Docsity.com)

Taking Aim at Web Applications

Introduction
• Bill Pennington
  – Principal Consultant, Guardent
  – Tested over 300 web applications over the past 3 years

This is Not New
• Problems with web applications are the same problems as with standalone applications

Why your Firewall doesn't matter
• Standard rant

Top 5 Vulnerabilities
• SQL insertion
• XSS
• Session Hijacking
• Parameter manipulation
• Unbounded file calls

Cross Site Scripting (XSS)
• Found in 98% of applications I test
• 2 main types
  – Transient (URL based)
    • http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>
  – Sticky: script placed in a static bit of web content

XSS continued...
• Transient generally requires user interaction
• What can happen?
  – Possibilities are only restricted by the client
  – Cookie theft is the most common example
• But I filter "<" and ">"
  – JScript entities: &{alert('Test')};

Session Hijacking
• HTTP is stateless, so application designers must build a way to track state
• Cookies and URL strings are the most common ways to track state
• Both are easily exploitable

Unbound File Calls
• Ye Olde ../../
• Watch out that you don't display important information (global.asa)
• Most application languages will take URLs as file arguments

Do you know where your data is?
• Building an exclusionary filter is difficult because your data is all over the place

Data Flow example
[Data flow diagram (image not recoverable); labels visible in the figure: Internet, www.badapp.com, Customer Service, Database]
Bypassing poorly designed filters
"All warfare is based on deception... If he is in superior strength, evade him." – Sun Tzu, The Art of War, 500 BC

Evasion is the art of blending in so you will not be noticed; this age-old technique of survival is still useful today.
evade
1. to escape or avoid somebody or something, usually by ingenuity or guile
2. to avoid doing something unpleasant, especially something that is a moral or legal obligation
3. to avoid dealing with or responding directly to something
4. to be difficult or impossible for somebody to find, obtain, or achieve (formal)

Filter Bypassing is a technique to evade detection by filtering systems.
• Filter Bypassing techniques come in many varieties when applied to the many facets of web application security.
• The general idea of the various techniques described is to bypass security measures designed to prevent certain types, amounts or values of data from being passed into a given system.
• Many of the described techniques can be highly effective when used properly and become even more powerful when used in combination.

Double Hex Encoding
• In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability.
• The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL.
• An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability.
• When an unpatched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL.
• IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding.
• This secondary decoding was the source of another vulnerability.
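The decode-check-decode ordering described in the Double Hex Encoding slide is easy to reproduce and easy to fix. The following Python is an added example, not code from the slides or from IIS: decode_check_decode models the flawed ordering, and safe_resolve shows the canonicalize-first alternative (percent-decode to a fixpoint with a bound, require strictly valid UTF-8 so an overlong sequence such as %c0%af is refused, fold case and backslashes, then check the normalized path against the web root). WEB_ROOT, MAX_DECODE_ROUNDS and the sample paths are assumptions made for the demonstration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Added example (not from the slides): the decode-check-decode ordering that
# the Double Hex Encoding slide describes, beside a canonicalise-first check.
# WEB_ROOT and MAX_DECODE_ROUNDS are assumed values for this demonstration.
WEB_ROOT = "/inetpub/wwwroot"
MAX_DECODE_ROUNDS = 4


def _has_dotdot(path: str) -> bool:
    """True if any path segment is '..' (backslashes count as separators)."""
    return ".." in path.replace("\\", "/").split("/")


def decode_check_decode(path: str):
    """Model of the flawed order of operations: one round of hex decoding,
    then the security check, then a second round of decoding before use.
    Returns (accepted, path_actually_used)."""
    once = unquote_to_bytes(path).decode("latin-1")
    if _has_dotdot(once):
        return False, None          # a plain ..%5c.. is caught here
    # Second decode after the check: the '%5c' left over from '%255c'
    # now becomes '\', and the check never sees it.
    used = unquote_to_bytes(once).decode("latin-1")
    return True, used


def canonicalize(path: str) -> str:
    """Percent-decode until the value stops changing (bounded), insist on
    strictly valid UTF-8 (overlong forms such as %c0%af raise), then fold
    backslashes to slashes and upper case to lower."""
    current = path
    for _ in range(MAX_DECODE_ROUNDS):
        try:
            decoded = unquote_to_bytes(current).decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError("invalid UTF-8 in path") from exc
        if decoded == current:
            break
        current = decoded
    else:
        raise ValueError("too many layers of encoding")
    if "\x00" in current:
        raise ValueError("NUL byte in path")
    return current.replace("\\", "/").lower()


def safe_resolve(path: str) -> str:
    """Canonicalise first, then check: reject absolute paths and anything
    whose normalised form climbs above the web root."""
    canonical = canonicalize(path)
    if canonical.startswith("/"):
        raise ValueError("absolute path not allowed")
    normalized = posixpath.normpath(canonical)
    if normalized == ".." or normalized.startswith("../"):
        raise ValueError("path escapes web root")
    return posixpath.join(WEB_ROOT, normalized)


def is_rejected(path: str) -> bool:
    """Convenience wrapper: True when safe_resolve refuses the request."""
    try:
        safe_resolve(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = "scripts/..%255c../winnt"       # the slide's double-encoded path
    print("flawed ordering accepts:", decode_check_decode(sample))
    print("canonicalise-first rejects:", is_rejected(sample))
    print("overlong slash rejected:", is_rejected("scripts/..%c0%af../winnt"))
    print("normal request:", safe_resolve("Scripts/Default.ASP"))
```

The order of operations is the whole point: every transformation the server will ever apply to the path (decoding, separator folding, case folding) happens before the security check, so the check and the file system see the same string.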
IIS Double Hex
Round 1 Decoding: scripts/..%255c../winnt becomes scripts/..%5c../winnt (%25 = "%" character)
Round 2 Decoding: scripts/..%5c../winnt becomes scripts/..\../winnt
Directory path traversal is now possible using path obfuscation through Double Hex Encoding.

The Unicode Slash
• In Unicode (UTF-8), "%c0%af" is the equivalent of a slash ("/").
• Therefore the common IIS URL exploit scripts/..%c0%af../winnt
• becomes scripts/../../winnt
Once again, directory path traversal is now possible using path obfuscation through Unicode.

Case Sensitivity
• Case sensitivity may play a role in many security filtration systems.
• Alternating case on URL parameters may be used to bypass certain restrictions.
http://foo.com/cgi?param=bar
http://foo.com/cgi?param=BaR
http://foo.com/CGI?param=BAR

Method Switching
• Many web applications do not properly perform HTTP request method sanity checking.
• Method switching can be used to bypass IDS, logging features and CGI security mechanisms.
• Most web servers do not log "POST" data, and thus forensic analysis is harder to perform.
The request method GET /cgi-bin/some.cgi can become POST /cgi-bin/some.cgi

HTTP 1.1 Methods
• OPTIONS
• GET
• HEAD
• POST
• PUT
• DELETE
• TRACE
• CONNECT
The Method token indicates the method to be performed on the resource identified by the Request-URI.

Unicode (UTF-8) Encoded
• Unicode is a universal way to represent characters.
• However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion.
• Microsoft IIS has had security issues in the past while supporting Unicode.

URL Encoded String
• The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the allowed characters in URLs to a limited subset of the US-ASCII character set:
• "...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."

XSS Filter-Bypass Manipulation
• This technique is used to pass various types of client-side scripting language through implemented security filters.
• The idea is to be able to achieve client-side execution of a client-side script.
• There are several techniques used to perform this attack.

Alternate Protocol SRCing
• Same technique as the previous, however, using the protocols "livescript" and "mocha" will yield the same effect.
• <IMG SRC="livescript:js_expression">
• <IMG SRC="mocha:alert('test');">

Decimal HTML Entities
• A variation on the previous techniques: using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript.
  – <IMG SRC="java&#10;script:js_expression">
• \09 \10 \11 \12 \13 have all been seen to work

Hex HTML Entities
• Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.
  – <IMG SRC="java&#x0A;script:js_expression">

STYLE JavaScript X-Type
• A variation on the previous example, but by using the "application/x-javascript" MIME type, the filters may be bypassed.
<STYLE TYPE="application/x-javascript">
alert('JavaScript has been Executed');
</STYLE>

STYLE JavaScript Import
• The @import feature in CSS may be used to perform JavaScript protocol SRCing.
<style TYPE="text/css">
@import url(javascript:alert('Javascript is executed'));
</style>

STYLE URL Import
• The @import feature in CSS can also be used to import JavaScript from another HTTP resource.
<STYLE type=text/css>
@import url(http://www.test.com);
</STYLE>

Remote SRCing
• A few HTML tags, such as "LAYER", "ILAYER", "FRAME", and "IFRAME", can be used to SRC in JavaScript from remote resources.
<LAYER SRC="js.html"></LAYER>

AND CURLY
• <IMG SRC="&{javascript_expression};">
• <IMG SRC="&{alert('alert')};">
• Syntax must be exact.

Dangerous HTML Tags
• "All HTML is to be considered dangerous, but these tags are the most insidious."
  – <APPLET>
  – <BODY>
  – <EMBED>
  – <FRAME>
  – <FRAMESET>
  – <HTML>
  – <IFRAME>
  – <IMG>
  – <LAYER>
  – <ILAYER>
  – <META>
  – <OBJECT>
  – <SCRIPT>
  – <STYLE>

Why people are better
• Recognition of subtle errors
• We understand the impact and therefore the risk of a vulnerability
• We can find "real" bugs, flaws in logic

One tool to rule them all...
[Screenshot (image not recoverable): WhiteHat Arsenal 1.07 Beta Evaluation Release, by White Hat Security, Inc., Copyright 2002 WhiteHat Security, Inc. ALL RIGHTS RESERVED. Visible interface elements: Brute Force, LibWhisker, Connection / Headers / WebAuth tabs, Address http://www.google.com, Method GET, Limit 25, Spider / Ripper / RipURL buttons. Visible introduction text: "WhiteHat Arsenal is designed to be the next generation of professional web application security audit software. Architected from the ground up to be a generic web application security productivity tool, WhiteHat Arsenal provides security professionals and web application developers access to the tools they need to" (cut off in the capture).]
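The XSS slides above (the reflected error.jsp?msg= case, the "But I filter < and >" objection, and the entity, whitespace and alternate-protocol variants of the javascript: URL) all defeat the same kind of filter: a substring blacklist applied to the raw value. As an added example, not code from the slides, the following Python puts such a blacklist next to a check that first normalizes the value the way a browser will (HTML entities decoded, control characters 9 through 13 stripped) and then allowlists the URL scheme, plus attribute and body escaping for the output side. ALLOWED_SCHEMES, the relative-path pattern, the helper names and the sample inputs are assumptions made for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Added example (not from the slides): a substring blacklist beside a
# normalise-then-allowlist check and context-aware output escaping.
# The scheme allowlist and relative-path pattern are assumed policy choices.
ALLOWED_SCHEMES = {"http", "https"}
# Decimal 9-13 (tab, LF, VT, FF, CR) and other control characters: browsers of
# the era ignored them inside a scheme, so strip them before inspecting it.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Relative references: one optional leading slash, then a conservative
# character set.  "//host/x" (protocol-relative) and "&{...}" do not match.
_SAFE_RELATIVE = re.compile(r"/?[A-Za-z0-9_][A-Za-z0-9_./-]*")


def naive_filter(value: str) -> str:
    """Blacklist approach: delete the literal text 'javascript:'.
    Kept here only to show what it misses."""
    return re.sub(r"javascript:", "", value, flags=re.IGNORECASE)


def normalize_src(url: str) -> str:
    """See the value the way a browser will: decode HTML entities (&#10;,
    &#x0A;, &#106; ...), drop control characters, trim surrounding space."""
    return _CONTROL_CHARS.sub("", html.unescape(url)).strip()


def is_safe_src(url: str) -> bool:
    """Allowlist check on the normalised value: an absolute http(s) URL with
    a host, or a plain relative path.  javascript:, livescript:, mocha:,
    data: and JScript entity values all fail this test."""
    value = normalize_src(url)
    parts = urlsplit(value)
    if parts.scheme:
        return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)
    return _SAFE_RELATIVE.fullmatch(value) is not None


def render_img(src: str) -> str:
    """Build an <img> tag: refuse unsafe sources, and escape the attribute
    value so quotes and angle brackets cannot break out of it."""
    if not is_safe_src(src):
        return '<img src="" alt="blocked">'
    return '<img src="%s">' % html.escape(normalize_src(src), quote=True)


def render_message(msg: str) -> str:
    """The error.jsp?msg= case: reflect user text into HTML body context only
    after escaping it, instead of trying to strip tags out of it."""
    return "<p>%s</p>" % html.escape(msg, quote=True)


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for sample in ("java&#10;script:alert(1)", "mocha:alert('test');",
                   "&{alert('alert')};", "https://example.com/logo.png"):
        print("%-32s blacklist-> %-28s allowed: %s" % (
            sample, naive_filter(sample), is_safe_src(sample)))
    print(render_message('<SCRIPT>alert("Test");</SCRIPT>'))
```

The blacklist leaves java&#10;script: untouched because the literal substring never occurs in the raw value; the browser only assembles it after entity decoding. Checking after normalization, and allowlisting rather than blacklisting, removes the whole class of variants at once, and escaping on output covers the reflected case regardless of what the input filter missed.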