Hacking 101 (Session 2)
- 1. HACKING 101
Henallux, 28th November 2014
Olivier Houyoux
Technology Security Architect @ Nitroxis Sprl
- 2. SCHEDULE FOR THE DAY
1. Why are we here?
2. Real Life Examples
3. Owasp – Top 10 (2013)
4. Demo Web Hacking Simulation Walkthrough
5. Summary
6. Questions
- 3. DO WE NEED WEB APP. SECURITY?
Well managed infrastructure
Important data on web applications
Malware spreading
- 9. OPEN WEB APPLICATION SECURITY PROJECT
Make software security visible
Cheat Sheets, Tutorials, Testing guides…
Tools (WebGoat, WebScarab, …)
Library (ESAPI)
…
- 10. OWASP TOP 10
Broad consensus about what the most critical web application security flaws are.
- 11. OWASP TOP 10
OWASP Top 10 - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
- 12. WEBGOAT
A deliberately insecure web application designed to teach web application security lessons.
- 13. A1 – INJECTION
User input passed to an interpreter without validation or escaping
SQL
LDAP
Command
XPATH
…
- 14. A1 – SQL INJECTION EXAMPLE 1
Connection conn = pool.getConnection();
// username and password come straight from the request and are spliced
// into the SQL text, so a value containing a quote rewrites the query
String sql = "select * from user where username='" + username +
             "' and password='" + password + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sql);
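The deck's Java concatenates the credentials into the query text; the added example below (Python with the standard-library sqlite3 driver, not code from the deck) runs that same construction against a constructed in-memory user table, shows two classic payloads bypassing the password check, and shows that the parameterized form is unaffected. The table, user and payloads are constructed here.

```python
import sqlite3

# Constructed example data (not from the deck): one user in an in-memory table
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.execute("insert into user values ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    # Same construction as the deck's Java: user input is spliced into the SQL text
    sql = ("select * from user where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Placeholders: the values reach the driver as data and never become SQL
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Two classic payloads: a tautology in the password field, and a comment in the
# username that cuts the password check off entirely ("--" is a line comment in SQLite)
TAUTOLOGY = "' or '1'='1"
COMMENT_OUT = "alice' --"

def demo():
    conn = make_db()
    return {
        "vuln_valid":     login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "vuln_comment":   login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "safe_valid":     login_safe(conn, "alice", "s3cret"),
        "safe_tautology": login_safe(conn, "alice", TAUTOLOGY),
        "safe_comment":   login_safe(conn, COMMENT_OUT, "wrong"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

With the tautology the vulnerable query becomes `... and password='' or '1'='1'`, which is true for every row; with the comment payload everything after `username='alice'` is discarded. The parameterized version treats both strings as literal credentials and rejects them.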
- 16. A2 – BROKEN AUTHENTICATION
User / Password
Brute force attack
Birthday paradox
Weak management functions
Change or recover password
- 17. A2 – SESSION MANAGEMENT
1. Session Hijacking
Stealing an authenticated user's session ID
2. Session Fixation
Forcing a session ID chosen by the attacker onto the user before login
- 20. A2 – SESSION FIXATION EXAMPLE
public class LoginServlet extends HttpServlet {
    …
    public void doPost(HttpServletRequest request,
                       HttpServletResponse response) {
        String user = request.getParameter("user");
        String pass = request.getParameter("password");
        …
        // getSession(true) returns the session already bound to the request
        // when one exists, so a session ID the attacker planted before login
        // remains valid after the user authenticates
        HttpSession session = request.getSession(true);
        …
    }
    …
}
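The servlet above keeps whatever session the request already carries. The added example below (Python, not the deck's code) simulates that behaviour with a constructed server-side session store, walks through the fixation attack, and shows the fix: invalidate the pre-authentication session and issue a fresh ID once the credentials verify. The store, user list and password are constructed for the example.

```python
import secrets

class SessionStore:
    """Constructed stand-in for the servlet container's session table."""
    def __init__(self):
        self.sessions = {}   # session id -> attributes

    def get_session(self, request_sid):
        # Like HttpServletRequest.getSession(true): reuse a valid incoming id,
        # otherwise mint a fresh unguessable one
        if request_sid in self.sessions:
            return request_sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def invalidate(self, sid):
        self.sessions.pop(sid, None)

USERS = {"alice": "s3cret"}   # constructed credential store

def login_fixation(store, request_sid, user, password):
    # Vulnerable: authenticates into whatever session id the request carried
    sid = store.get_session(request_sid)
    if USERS.get(user) == password:
        store.sessions[sid]["user"] = user
    return sid

def login_regenerating(store, request_sid, user, password):
    # Fix: drop the pre-auth session and bind the login to a brand-new id
    if USERS.get(user) != password:
        return store.get_session(request_sid)
    store.invalidate(request_sid)
    sid = store.get_session(None)     # None is never a stored key, so this is fresh
    store.sessions[sid]["user"] = user
    return sid

def attack(login):
    """Returns (attacker now holds an authenticated session, id was rotated)."""
    store = SessionStore()
    fixed = store.get_session(None)            # 1. attacker obtains a valid id
    victim_sid = login(store, fixed, "alice", "s3cret")   # 2. victim logs in with it
    attacker_wins = store.sessions.get(fixed, {}).get("user") == "alice"  # 3. attacker reuses it
    return attacker_wins, victim_sid != fixed

if __name__ == "__main__":
    print("getSession(true) only:", attack(login_fixation))
    print("invalidate + new session:", attack(login_regenerating))
```

In Java the fix is the same shape: call `request.getSession(false)`, `invalidate()` it if present, then `request.getSession(true)` after the password check (modern containers also offer `request.changeSessionId()`).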
- 22. A3 – CROSS-SITE SCRIPTING (XSS)
Untrusted data sent to the victim's browser without validation and / or escaping
XSS allows attackers to execute script in the victim's browser to:
hijack users' sessions,
redirect users to a malicious site,
…
1. Reflected XSS
2. Stored XSS
- 23. A3 – XSS EXAMPLE
<form name="update" method="post" action="...">
<input type="text" value="<%=userBean.getName()%>"/>
</form>
- 25. A3 – XSS EXAMPLE
<form name="update" method="post" action="...">
<input type="text" value="<%=userBean.getName()%>"/>
</form>
A stored name of who_cares"/><script>...</script> is written into the attribute unescaped, so the page renders as:
<input type="text" value="who_cares"/><script>...</script>"/>
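The JSP writes the name into an attribute value unchanged. The added example below (Python, not the deck's code) reproduces that rendering, the common half-fix of escaping only `<`, `>` and `&`, and full attribute-context escaping. The `alert(1)` body standing in for the slide's elided `...` and the second payload are constructed for the example.

```python
import html

def render_vulnerable(name):
    # Mirrors the JSP: the value is dropped into the attribute as-is
    return '<input type="text" value="' + name + '"/>'

def render_half_escaped(name):
    # Common mistake: only & < > are escaped; quotes survive and still close the attribute
    return '<input type="text" value="' + html.escape(name, quote=False) + '"/>'

def render_safe(name):
    # Attribute context: & < > " and ' are all escaped, so the value cannot
    # terminate the attribute or the tag
    return '<input type="text" value="' + html.escape(name, quote=True) + '"/>'

# Constructed payloads: the deck's script-tag breakout, and one that needs no
# angle brackets at all because it only injects an event handler attribute
SCRIPT_PAYLOAD = 'who_cares"/><script>alert(1)</script>'
ATTR_PAYLOAD = 'x" onfocus="alert(1)" autofocus="'

def breaks_out(markup):
    # Crude indicator used by this example: a real <script> tag reached the output
    return "<script>" in markup

def has_event_handler(markup):
    # Crude indicator: an onfocus attribute reached the output as a live attribute
    return ' onfocus="' in markup

if __name__ == "__main__":
    for label, fn in [("vulnerable", render_vulnerable),
                      ("half-escaped", render_half_escaped),
                      ("safe", render_safe)]:
        print(label, "script:", breaks_out(fn(SCRIPT_PAYLOAD)),
              "handler:", has_event_handler(fn(ATTR_PAYLOAD)))
```

The second payload is the point of the example: filtering angle brackets stops the `<script>` tag but not the attribute injection, because in an attribute the dangerous character is the quote. Escape for the context you are writing into.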
- 26. A4 – INSECURE DIRECT OBJECT REF.
Reference to internal object like
file,
directory,
database key
without
access control check,
other protection.
- 27. A4 – DIRECT OBJECT REF. EXAMPLE
String query = "select * from accounts where account = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, request.getParameter("account"));
ResultSet rs = stmt.executeQuery();
The query is parameterized, so there is no SQL injection, but nothing checks that the requested account belongs to the logged-in user:
http://foo.com/app/accountInfo?account=notmyaccount
- 29. A5 – SECURITY MISCONFIGURATION
A secure configuration must be defined and deployed for the:
application,
frameworks,
application server,
web server,
database server,
platform.
- 31. A5 – MISCONFIGURATION EXAMPLE
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container" … />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" … />
    <Connector port="443"
               protocol="org.apache. … .Http11Protocol" … />
  </Service>
</Server>
A Tomcat server.xml left at its shipped defaults: the shutdown listener on port 8005 still accepts the default command SHUTDOWN, and the UserDatabase realm is the example user store.
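Misconfiguration is best caught mechanically. The added example below (Python, not from the deck) parses a constructed server.xml of the same shape and flags two common Tomcat hardening misses: a shutdown listener that still accepts the default `SHUTDOWN` command, and a connector on 443 without `SSLEnabled="true"` (the attribute Tomcat 6 and later use to turn on TLS on a connector). The protocol class name in the sample fills in the slide's elision with the standard Tomcat HTTP/1.1 class and is part of the constructed sample, not the deck.

```python
import xml.etree.ElementTree as ET

# Constructed sample with the same shape as the deck's slide (not the deck's file)
SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"/>
  </Service>
</Server>"""

# Constructed hardened counterpart: listener disabled, TLS actually enabled
HARDENED_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="-1" shutdown="u8Qm2vX9pL0zK4wR">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>"""

def audit_server_xml(text):
    """Return a list of human-readable findings for a server.xml document."""
    findings = []
    root = ET.fromstring(text.encode("utf-8"))   # bytes, so the XML declaration is honoured
    port = root.get("port", "")
    command = root.get("shutdown", "")
    # port="-1" disables the shutdown listener entirely; otherwise anything that can
    # reach the port and send the command stops the server, so the default must change
    if port != "-1" and command == "SHUTDOWN":
        findings.append(f"shutdown listener on port {port} accepts the default command 'SHUTDOWN'")
    for connector in root.iter("Connector"):
        if connector.get("port") == "443" and connector.get("SSLEnabled") != "true":
            findings.append("connector on port 443 has no SSLEnabled=\"true\", so it serves plain HTTP")
    return findings

if __name__ == "__main__":
    for label, doc in (("shipped defaults", SERVER_XML), ("hardened", HARDENED_XML)):
        print(label, "->", audit_server_xml(doc) or ["no findings"])
```

Run this over every server.xml in a deployment pipeline, alongside checks for the example users in tomcat-users.xml and the manager and example web applications.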
- 33. A6 – SENSITIVE DATA EXPOSURE
Protect sensitive data such as
credit cards,
authentication credentials
…
Apply extra protection (encryption at rest and in transit) and take precautions when exchanging such data with the browser.
- 34. A6 – DATA EXPOSURE EXAMPLE 1
An application encrypts credit card numbers in a database
using automatic database encryption.
However, this means it also decrypts this data
automatically when retrieved, allowing an SQL injection
flaw to retrieve credit card numbers in clear text.
- 35. A6 – DATA EXPOSURE EXAMPLE 2
A site simply doesn’t use SSL for all authenticated pages.
Attacker simply monitors network traffic (like an open
wireless network), and steals the user’s session cookie.
- 36. A7 – MISSING ACCESS CONTROL
Verify function level access:
before making functionality visible in the GUI ✓ (usually done)
when each function is actually invoked ✗ (often forgotten)
- 37. A7 – ACCESS CONTROL EXAMPLE
@Stateless
public class OrderBean implements Order {
    public String getDetail(String id) {
        …
    }
    // approve() is only hidden from non-approvers in the GUI;
    // nothing in the bean itself verifies the caller's role
    public String approve(String id) {
        …
    }
    …
}
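The A4 snippet (slide 27) accepts any account ID, and the A7 bean above exposes approve() without checking who calls it. The added example below (Python, not the deck's code) shows both checks in one place: an object-level ownership check on the account lookup and a function-level role check enforced on every call to approve(), not only when the menu is drawn. Accounts, orders, users and roles are constructed for the example.

```python
from functools import wraps

class Forbidden(Exception):
    pass

# Constructed data (not from the deck): account ownership and user roles
ACCOUNTS = {"ACC-1": {"owner": "alice", "balance": 100},
            "ACC-2": {"owner": "bob", "balance": 250}}
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"customer", "approver"}}
ORDERS = {"O-7": {"status": "pending"}}

def requires_role(role):
    # Function-level control (A7): the check runs on every invocation
    def decorate(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if role not in ROLES.get(user, set()):
                raise Forbidden(f"{user} lacks role {role} for {fn.__name__}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorate

def account_info_vulnerable(user, account):
    # Like the deck's A4 code: the lookup is parameterized, but any id is honoured
    return ACCOUNTS[account]

def account_info(user, account):
    # Object-level control (A4): the reference must belong to the caller
    row = ACCOUNTS.get(account)
    if row is None or row["owner"] != user:
        raise Forbidden(f"{user} may not read {account}")
    return row

def get_detail(user, order_id):
    return ORDERS[order_id]

@requires_role("approver")
def approve(user, order_id):
    ORDERS[order_id]["status"] = "approved"
    return ORDERS[order_id]

def allowed(fn, *args):
    """True if the call succeeds, False if it is refused or the object is unknown."""
    try:
        fn(*args)
        return True
    except (Forbidden, KeyError):
        return False

if __name__ == "__main__":
    print("alice reads bob's account (no check):", allowed(account_info_vulnerable, "alice", "ACC-2"))
    print("alice reads bob's account (checked): ", allowed(account_info, "alice", "ACC-2"))
    print("alice approves order:                ", allowed(approve, "alice", "O-7"))
    print("carol approves order:                ", allowed(approve, "carol", "O-7"))
```

Indirect references (a per-session map from opaque tokens to real keys) are an alternative to the ownership check, but the ownership or role check on the server is the part that must never be skipped.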
- 39. A8 – CROSS-SITE REQUEST FORGERY
1. User authenticates to bank.com
2. User visits forum.com
3. Page contains tag
<img src=bank.com/transfer.jsp?account=attacker&amount=300000>
4. User's browser makes GET request
bank.com/transfer.jsp?account=attacker&amount=300000
without the user knowing; the browser attaches the bank.com session cookie, so the transfer is authenticated
- 40. A8 – CSRF EXAMPLE
Nearly every state-changing request that relies on the session cookie alone is susceptible to CSRF, so there is no need to hunt for the bug …
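The added example below (Python, not the deck's code) models the transfer.jsp endpoint from slide 39 twice: once accepting the cookie alone, once requiring a POST with an anti-CSRF token bound to the session. The attacker's page can make the victim's browser send the cookie, but it cannot read it, so it cannot compute the token. Session, key and requests are constructed for the example.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # constructed server-side key; would live in configuration

def csrf_token(session_id):
    # Token derived from the session id with a server secret: a cross-site page
    # cannot read the victim's cookie, so it cannot produce this value
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def transfer_vulnerable(request, session):
    # Deck's transfer.jsp: the session cookie alone authorizes the action
    if session.get("user") is None:
        return 401
    return 200

def transfer_safe(request, session):
    if session.get("user") is None:
        return 401
    if request["method"] != "POST":
        return 405                       # no state change on GET (img tags, links)
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session["id"])):
        return 403                       # missing or wrong token: refuse
    return 200

def forged_get():
    # What the <img> tag on forum.com produces
    return {"method": "GET", "params": {"account": "attacker", "amount": "300000"}}

def forged_post():
    # An auto-submitting form on forum.com: still no token, because forum.com never saw it
    return {"method": "POST", "params": {"account": "attacker", "amount": "300000"}}

def legitimate_post(session):
    # The bank's own form embeds the token it issued for this session
    return {"method": "POST",
            "params": {"account": "bob", "amount": "10", "csrf_token": csrf_token(session["id"])}}

if __name__ == "__main__":
    session = {"id": "sid-123", "user": "alice"}   # constructed authenticated session
    print("vulnerable, forged GET :", transfer_vulnerable(forged_get(), session))
    print("safe, forged GET       :", transfer_safe(forged_get(), session))
    print("safe, forged POST      :", transfer_safe(forged_post(), session))
    print("safe, legitimate POST  :", transfer_safe(legitimate_post(session), session))
```

Requiring POST on its own is not a defense (the forged POST shows why); the token is what breaks the attack. The HMAC derivation is one way to bind the token to the session; storing a random token in the session and comparing it works equally well.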
- 41. A9 – USING VULNERABLE COMPONENTS
Common Vulnerabilities and Exposures database (https://cve.mitre.org)
- 42. A10 – UNVALIDATED REDIRECT
1. Lure the user into clicking a redirect link
http://www.trusted.com/redirector?to=http://www.evil.com
2. Code does not perform any validation
String location = (String) request.getParameter("to");
response.sendRedirect(location);
3. User thinks (s)he's accessing trusted.com but is in fact at evil.com
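The redirector above forwards whatever `to` contains. The added example below (Python, not the deck's code) validates the target so the Location header always stays on the trusted host, and exercises the usual bypass attempts: absolute URLs to other hosts, protocol-relative `//evil.com`, `javascript:` and backslash variants. The host name and default landing page are constructed for the example.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "www.trusted.com"   # constructed: the only host we redirect to

def redirect_vulnerable(to):
    # response.sendRedirect(location) with no validation
    return to

def safe_redirect_target(to, default="/"):
    """Return a Location value that stays on TRUSTED_HOST, or the default page."""
    if not to:
        return default
    parts = urlsplit(to)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only our own host over http(s).
        # Note "//evil.com" has an empty scheme but a netloc, so it lands here.
        if parts.scheme in ("http", "https") and parts.netloc.lower() == TRUSTED_HOST:
            return to
        return default
    # Relative path: must start with a single "/" and contain no backslash,
    # since some browsers treat "/\evil.com" like "//evil.com"
    if to.startswith("/") and not to.startswith("//") and "\\" not in to:
        return to
    return default

# Constructed test targets: (input, expected outcome)
CASES = [
    ("http://www.evil.com",            "/"),
    ("https://www.trusted.com/account", "https://www.trusted.com/account"),
    ("//www.evil.com/login",            "/"),
    ("/\\www.evil.com",                 "/"),
    ("javascript:alert(1)",             "/"),
    ("http://www.trusted.com@www.evil.com/", "/"),
    ("http://www.trusted.com.evil.com/", "/"),
    ("/account?tab=history",            "/account?tab=history"),
    ("www.evil.com",                    "/"),
    ("",                                "/"),
]

def run_cases():
    return [(src, safe_redirect_target(src), expected) for src, expected in CASES]

if __name__ == "__main__":
    for src, got, expected in run_cases():
        print(f"{'ok ' if got == expected else 'BAD'} {src!r:45} -> {got!r}")
```

Where a site genuinely needs to send users to other domains, replace the free-form parameter with a server-side map of allowed destinations (an index or name to URL) rather than trying to validate arbitrary URLs.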
- 43. SUMMARY
LAYERS OF DEFENSE IN DEPTH
Policies, Procedures,
Awareness
Physical
Perimeter
Internal Network
Host
App
Data
- 44. AND NOW …
bWAPP
OWASP Top 10
CWE 25
Mitigations (SANS, OWASP Cheat Sheets, …)
Web Services (SOAP & REST)
Mobile
And more …
- 46. FOLLOW US ON …
nitroxis Nitroxis.BE
@Nitroxis_sprl
Nitroxis sprl
Training and Certification for
information Security
Professionals
- 47. ADD DEPTH TO YOUR INFORMATION SYSTEM
Olivier Houyoux Technology Security Architect
Version 1.1
Date 28/11/2014
Mail Contact (at) nitroxis.be
Website www.nitroxis.be