Web Application Security
Presented by: Joseph Seaman, CISSP, CISA, GSEC Jseaman@entint.com October 8, 2003
Agenda
• Top Ten Web Vulnerabilities
• Tools
• Resources
Know Your Enemy
It is said that if you know both the enemy and yourself, you will fight a hundred battles without danger of defeat; if you are ignorant of the enemy but only know yourself, your chances of winning and losing are equal; if you know neither the enemy nor yourself, you will certainly be defeated in every battle.
SUN TZU ON THE ART OF WAR – THE OLDEST MILITARY TREATISE IN THE WORLD Chinese general, circa 500 B.C.
The Game is Afoot
Security is a Process
• Security goes beyond establishing a firewall and implementing SSL.
• Includes IDS, Policy, Standards, Awareness, Audit, Testing, Testing, and Testing.
• Do not assume someone else is taking care of it.
• Sweat the easy stuff!!!
Web Application Security cuts through many different aspects of an organization’s information security infrastructure.
Top 10 List
• Unvalidated Parameters
• Broken Access Control
• Broken Account and Session Management
• Cross-site Scripting (XSS) Flaws
• Buffer Overflows
• Command Injection Flaws
• Error Handling Problems
• Insecure Use of Cryptography
• Remote Administration Flaws
• Web and Application Server Misconfiguration
1. Unvalidated Parameters
Parameters should validate:
• Data Type (string, integer, real, etc.)
• Allowed character set
• Minimum and maximum length
• Whether null is allowed
• Whether the parameter is required or not
• Whether duplicates are allowed
• Numeric range
• Specific legal values (enumeration)
• Specific patterns (regular expressions)
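The checklist above, turned into a small server-side validator as an added example (not code from the presentation): each `ParamSpec` field is one of the checks listed, and `validate` reports the first check a submitted parameter fails. The spec field names and the sample specs are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass
class ParamSpec:
    name: str
    kind: str = "string"                  # "string", "integer" or "real"
    required: bool = True
    allow_null: bool = False              # accept an empty value?
    allow_duplicates: bool = False        # accept ?id=1&id=2 ?
    allowed_chars: Optional[str] = None   # regex class body, e.g. "A-Za-z0-9_"
    min_len: int = 0
    max_len: int = 64                     # a hard cap also blunts oversized input
    num_range: Optional[tuple] = None     # (low, high) inclusive, numeric kinds only
    enum: Optional[Sequence[str]] = None  # specific legal values
    pattern: Optional[str] = None         # full-match regular expression

def validate(spec: ParamSpec, values: Sequence[str]) -> str:
    """Check every submitted value for one parameter; return 'ok' or the first failing check."""
    if not values:
        return "missing" if spec.required else "ok"
    if len(values) > 1 and not spec.allow_duplicates:
        return "duplicate"
    for v in values:
        if v == "":
            if spec.allow_null:
                continue
            return "null"
        if not (spec.min_len <= len(v) <= spec.max_len):
            return "length"
        if spec.allowed_chars and not re.fullmatch(f"[{spec.allowed_chars}]*", v):
            return "charset"
        if spec.kind in ("integer", "real"):
            try:
                n = int(v) if spec.kind == "integer" else float(v)
            except ValueError:
                return "type"
            if spec.num_range and not (spec.num_range[0] <= n <= spec.num_range[1]):
                return "range"
        if spec.enum is not None and v not in spec.enum:
            return "enum"
        if spec.pattern and not re.fullmatch(spec.pattern, v):
            return "pattern"
    return "ok"

# Constructed sample specs for a hypothetical search form (not from the slides).
SPECS = {
    "user": ParamSpec("user", allowed_chars="A-Za-z0-9_", min_len=3, max_len=16),
    "qty": ParamSpec("qty", kind="integer", num_range=(1, 99)),
    "mode": ParamSpec("mode", required=False, enum=("view", "edit")),
}
```

Values come in as lists because a query string can repeat a name; the length cap is also the cheapest defence against the oversized-parameter case under heading 5.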
2. Broken Access Control
Specific Access control issues
• Insecure IDs
• Forced Browsing Past Access Control Checks
• Path Traversal
• File Permissions
• Client Side Caching
3. Broken Account and Session Management
Critical areas:
• Password Change Controls
• Password Strength/Storage
• Protecting Credentials in Transit
• Session ID Protection
• Account Lists
• Browser Caching
• Trust Relationships
• Backend Authentication
Session ID Overview
• Session IDs are commonly stored in cookies and/or URLs, and hidden fields of web pages (or some combination)
• Session ID generated by WEB SERVER (IIS, etc.) when the user first hits the site or by WEB APPLICATION (ATG dynamo, Apache Tomcat, BEA Websphere, .jsp, .asp, perl, etc.) when the user logs in
Session IDs in Hidden Fields
6 Common Problems
• Weak Algorithm – Many web sites today are currently using linear algorithms based on easily predictable variables such as time or IP address.
• No Form of Account Lockout – Can perform Session ID brute force attacks without a single complaint from the web server.
• Short Key Space – Even the most cryptographically strong algorithm still allows an active Session ID to be easily determined if the size of the string’s key space is not sufficiently large.
• Indefinite Expiration on Server – Allows an attacker unlimited time to guess a valid Session ID.
• Transmitted in the Clear – For those situations where SSL is not being used while the Session ID cookie is transmitted to and from the browser, the Session ID could be sniffed across a flat network, taking the guess-work out.
• Insecure Retrieval – By tricking the user’s browser into visiting another site, an attacker can retrieve stored Session ID information and quickly exploit it before the user’s session expires. This can be done a number of ways: DNS poisoning, Cross-site Scripting, etc.
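A session store that avoids the first four problems above (weak algorithm, no lockout, short key space, indefinite server-side expiration), added here as an example and not code from the presentation. The `SessionStore` class, its constants and the injectable clock are this example's own assumptions.

```python
import secrets
import time

ID_BYTES = 16            # 128-bit IDs: a 2**128 key space cannot be swept by guessing
MAX_LIFETIME = 30 * 60   # absolute server-side lifetime in seconds
LOCKOUT_AFTER = 5        # unknown-ID lookups from one client before it is locked out

def new_session_id() -> str:
    """CSPRNG-backed ID; never derived from time, IP address or a counter."""
    return secrets.token_hex(ID_BYTES)

class SessionStore:
    """Server-side session table with expiry and per-client guess limiting (constructed example)."""

    def __init__(self, lifetime: float = MAX_LIFETIME, clock=time.time):
        self.sessions = {}   # session id -> (user, created_at)
        self.failures = {}   # client address -> lookups that named an unknown id
        self.lifetime = lifetime
        self.clock = clock   # injectable clock so expiry can be exercised deterministically

    def create(self, user: str) -> str:
        sid = new_session_id()
        self.sessions[sid] = (user, self.clock())
        return sid

    def lookup(self, sid: str, client: str):
        """Return the user behind a live session id, or None. Misses count against the client."""
        if self.failures.get(client, 0) >= LOCKOUT_AFTER:
            return None                        # locked out: stop answering guesses
        entry = self.sessions.get(sid)
        if entry is None:
            self.failures[client] = self.failures.get(client, 0) + 1
            return None
        user, created = entry
        if self.clock() - created > self.lifetime:
            del self.sessions[sid]             # expire on the server, not only in the cookie
            return None
        return user
```

The last two problems (clear-text transmission and retrieval by another site) are handled where the cookie is set, by sending it only over SSL and keeping it out of script reach, not in the store.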
4. Cross-site Scripting (XSS) Flaws
• This technique is used to pass various types of client-side scripting language through implemented security filters.
• The idea is to be able to achieve client-side execution of a client-side script.
• There are several techniques used to perform this attack.
5. Buffer Overflows
Many systems put limits on how much data a variable can store or a system can handle. Often, if these limits are exceeded, the data will still be used but will bypass certain security considerations.
URL’s such as:
http://www.myweb.com/cgi?param=filename
Replaced with:
http://www.myweb.com/cgi?param=<5K_of_Data>
6. Command Injection Flaws
Includes system calls, shell commands and SQL calls (SQL injection)
• Limit use of shell commands
• Validate data against malicious content
• Treat supplied parameters as data
• Limit privileges
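The four countermeasures above in code, as an added example that is not from the presentation: a concatenated SQL query beside its bound-parameter form (parameters treated as data), and an argv builder that limits which commands may run and keeps the supplied filename a single argument. The table, the tool allow-list and the upload directory are constructed for the example.

```python
import os
import sqlite3

def sample_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return con

def find_user_vulnerable(con, name: str):
    # String concatenation: the parameter becomes SQL text, so quotes in it rewrite the query
    return con.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(con, name: str):
    # Bound parameter: the value reaches the engine as data, whatever characters it contains
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

ALLOWED_TOOLS = ("wc", "file")       # limit which commands the application may run at all
UPLOAD_DIR = "/var/app/uploads"      # hypothetical directory, constructed for the example

def safe_argv(tool: str, user_file: str, base: str = UPLOAD_DIR) -> list:
    """Build an argv list for subprocess.run (shell=False): the parameter stays one argument."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError("command not allowed")
    base = os.path.realpath(base)
    path = os.path.realpath(os.path.join(base, user_file))
    if os.path.commonpath([base, path]) != base:   # reject ../ escapes from the upload dir
        raise ValueError("path escapes upload directory")
    return [tool, path]
```

Pass the returned list to `subprocess.run` without `shell=True`; shell metacharacters in the filename then never reach a shell parser.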
Command Injection Using Hex
By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.
http://www.myweb.com/cgi?file=/etc/passwd
Can become:
http://www.myweb.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64
Double Hex Encoding
Round 1 Decoding: scripts/..%255c../winnt becomes: scripts/..%5c../winnt (%25 = “%” Character)
Round 2 Decoding: scripts/..%5c../winnt becomes: scripts/..\../winnt
Directory path traversal is now possible using path obfuscation through Double Hex Encoding.
The Unicode Slash
• In Unicode (UTF-8), “%c0%af” is an overlong encoding equivalent to a slash (“/”).
• Therefore the common URL IIS exploit:
scripts/..%c0%af../winnt
• becomes:
scripts/../../winnt
Directory path traversal is now possible using path obfuscation this time through Unicode.
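A filter-side canonicalization routine covering the three encoding tricks above (hex encoding, double hex encoding and the Unicode slash), added here as an example and not code from the presentation: it percent-decodes until the string stops changing, decodes the bytes as strict UTF-8 so the overlong `%c0%af` form is refused, and only then runs the traversal and signature checks. The signature list and the function names are this example's own assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_LAYERS = 3                       # more encoding layers than this is itself suspicious
SIGNATURES = ("/etc/passwd",)        # constructed sample signature list for the filter

class EncodingError(ValueError):
    pass

def decode_once(s: str) -> str:
    """One percent-decoding pass with strict UTF-8, so overlong forms such as %c0%af are refused."""
    try:
        return unquote_to_bytes(s).decode("utf-8")
    except UnicodeDecodeError:
        raise EncodingError("invalid or overlong UTF-8 in request path")

def canonicalize(path: str):
    """Decode until stable; returns (canonical, layers). layers > 1 means double encoding."""
    current, layers = path, 0
    for _ in range(MAX_LAYERS + 1):
        decoded = decode_once(current)
        if decoded == current:
            return current, layers
        current, layers = decoded, layers + 1
    raise EncodingError("too many encoding layers")

def has_traversal(canonical: str) -> bool:
    """Treat backslash like slash (as IIS does) and look for a '..' path segment."""
    return ".." in re.split(r"[\\/]", canonical)

def check_request_path(path: str) -> str:
    """Verdict the filter would give; every check runs on the canonical form, never the raw one."""
    try:
        canonical, layers = canonicalize(path)
    except EncodingError as e:
        return f"reject: {e}"
    if layers > 1:
        return f"reject: double-encoded ({layers} layers) -> {canonical}"
    if has_traversal(canonical):
        return f"reject: path traversal -> {canonical}"
    for sig in SIGNATURES:
        if sig in canonical:
            return f"reject: signature {sig} -> {canonical}"
    return f"allow: {canonical}"
```

The same decoding order matters in the application itself: a check applied to the raw string passes `scripts/..%255c../winnt`, while the server later decodes it twice and serves the traversal.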
7. Error Handling Problems
• Define policy
• Limit only what is necessary
• Invalid account
• Incorrect password
8. Insecure Use of Cryptography
Common mistakes include:
• Insecure storage of keys, certificates, and passwords
• Improper storage of secrets in memory
• Poor sources of randomness
• Poor choice of algorithm
• Failure to encrypt critical data
• Attempting to invent a new encryption algorithm
• Failure to include support for encryption key changes and other required maintenance procedures
9. Remote Administration Flaws
• Restrict access through front door
• Use VPN or SSL whenever possible
• Segment and filter access
• Use strong authentication
10. Web and Application Server Misconfiguration
• Configure all security mechanisms
• Turn off all unused services
• Set up roles, permissions, and accounts
• Logging and alerts
• Monitor for latest vulnerabilities
• Patch, Patch, Patch
• Vulnerability Scanning
Dangerous HTML Tags
• “All HTML is to be considered dangerous, but these tags are the most insidious.”