The document discusses threats from hijacking web servers and clients, including keyloggers, browser compromise, cross-site scripting (XSS) attacks, and real-world examples of XSS exploitation. It also provides an overview of DenyAll, a French web application firewall vendor, including their clients, partners, and global presence.
Renaud Bidou & Mohammad Shams - Hijacking web servers & clients
1. Hijacking Web Servers & Clients: New generation threats and mitigation
   Renaud Bidou, CTO; Mohammad Shams, Director, ME Operations
2. DenyAll & RECRO-NET
- French WAF vendor, pioneer since 2001, headquartered in Paris
- More than 200 large clients all over the world: 40% of the Euro Stoxx 50, 35% of the CAC 40
- Partnerships with major players: RECRO-NET (Middle East, Central Europe), HP (Iberia, South America), British Telecom and Orange Business Services (Western Europe, North America, APAC)
- Recently listed as a prime European WAF player by Forrester: "Web Application Firewall: 2010 And Beyond", Chenxi Wang, February 2010
4. DenyAll Worldwide (client map; each group below is one region's label)
DIRF, SOCIETE GENERALE, EGE, CNSS, etc. / SOCIETE GENERALE / ANSI, ZITOUNA BANK, MINISTERE INTERIEUR, etc. / SOCIETE GENERALE, etc. / SH&Co, etc. / BNPP, etc. / SOCIETE GENERALE, etc. / ACCOR, SOCIETE GENERALE, AREVA, etc. / Accor, etc. / BNP PARIBAS INSURANCE, ACCOR, etc. / BNPP Insurance, etc. / BNPP Insurance, etc. / BNPP Insurance, etc. / BNPP, etc. / IP LIMITED, etc. / SOCIETE GENERALE LUX, EBRC, CACEIS, etc. / DANSKE BANK, KOPENHAGEN-FUR, etc. / AKTIA BANK, etc. / SENTOR, SVERIGE, etc. / TOYOTA BANK, etc. / SITEL FRIBOURG, BNP PARIBAS CH, TOTAL SA, SOCIETE GENERALE PB, STIHL, IWB, etc. / GROUPAMA, TDN, BT, IB SALUT, SATEC CANTABRIA, JUNTA DE EXTREMADURA, etc. / ARAG-IT, BASF-IT, ARAGO, UNIONINVEST, BROSE, BSH, ENDRESS-HAUSER, NETCONSULT, HELMICH, STADTWERKE, INVIK-BANK, JULIUS-BAR-BANK, MARKANT, BIT, STIHL, TECHEM, THURINGER, ATOS WORLDLINE, etc. / BNP PARIBAS UK, ARVAL UK, etc. / LA POSTE, DZ BANK, PETERCAM, etc. / INPS, etc.
6. Why Application Security?
- 75% of all attacks are directed at the Web application layer
- 2/3 of all Web applications are vulnerable
- In the first half of 2010, web application vulnerabilities reached 50 per cent of all code flaws reported
- Most web site owners fail to scan effectively for the common flaws
- Application patching is much slower than Operating System patching
7. Web Attacks: Targets & Impacts (matrix of impacts per target)
- Targets: Client, Web Server, Database Server, Application Servers / Web Services
- Impacts: Information Leak, Credentials Theft, Identity Theft, Authorization Abuses, Transaction Compromise, Defacement, Malware Planting, Session Hijacking, Denial of Service, Bounce, Password Guess, Remote Control, Data Theft, Data Corruption, Data Deletion, Remote Control, Persistent Injections, Processes Corruption, Data Interception, Denial of Service
8. Hijacking Servers & Clients (the slide 7 target/impact matrix, repeated)
10. What is a keylogger
- Program reporting every keystroke
  - Can be stored in a file
  - Can be sent over the network
- Recent keyloggers add many more features
  - Window names and field values
  - Mouse activity reports
  - Screenshots and "video"-like records
- Operating from the compromised computer
  - Encryption is ineffective: keystrokes are captured before they are encrypted
  - No detection possible from the server side
  - Applications can be seamlessly compromised
11. Example: A simple keylogger
- Really simple: ~100 lines (including comments)
- Based on common Windows techniques: SetWindowsHookEx(WH_KEYBOARD_LL, ...)
- Public code at: http://batcheur.tuxfamily.org/?p=16
- Really efficient: runs fine on Windows 7 (with UAC), undetected by anti-viruses
14. Code Injection
- Makes a process execute arbitrary code; this process may be your browser
- Most common techniques
  - SetWindowsHookEx: seen before, undetected
  - CreateRemoteThreadEx & (LoadLibrary | WriteProcessMemory): the most basic, detected and blocked
  - SetThreadContext: relies on the DebugActiveProcess API; undetected, requires debug rights
- Widely documented... and used.
15. Browser Internals (Internet Explorer component stack, top to bottom)
- IEXPLORE.EXE: Tab 1 ... Tab n
- BROWSEUI.DLL: IE user interface (bars, menus, etc.)
- SHDOCVW.DLL: browser control (navigation, history), exposes the ActiveX interface
- MSHTML.DLL: rendering
- URLMON.DLL: MIME handling, code download, security
- WININET.DLL: IP handler (HTTP & FTP)
- USER32.DLL: Windows UI, handles components
- KERNEL32.DLL: base API, calls the NTDLL API
- NTDLL.DLL: native API, OS user-mode components
- ~200,000 function calls at IE launch: you cannot monitor everything
16. Browser Attack Surface (IEXPLORE.EXE with Tab 1 ... Tab n, BROWSEUI.DLL, SHDOCVW.DLL, MSHTML.DLL, URLMON.DLL, WININET.DLL)
- Control navigation
- Control display
- Alter security policy
- Communicate…
17. An example
- Legitimate action: bank client JV (account 5204320422040001) transfers $100 to bank client JM (5204320422040003)
- Malware injected into the browser modifies the content: funds are transferred to bank user JC (5204320422040005) instead
20. What is Cross-Site Scripting
- Client-side executed code injection: a variant of HTML injection, based on Javascript code execution
- Two possible vectors
  - Volatile XSS: generated through a malicious link
  - Persistent XSS: malicious code is stored on the server
- Oldie but goodie: in the wild for more than 10 years, improved together with browser & Javascript capabilities
21. Impacts of XSS
- Full control of the compromised browser through Javascript
  - Cookie theft
  - Information gathering regarding the client browser
  - Redirection to an alternate/concurrent/malicious site
  - Portscan from the client
  - Proxy on the client's network
  - Flashmob DDoS
- Exploitation of Javascript capabilities
  - Propagation thanks to Javascript web transaction capabilities
  - Dynamic/polymorphic code generation
22. Dangers of XSS
- Hard to detect
  - Volatile XSS can only be detected through log file analysis
  - Persistent XSS tracking is getting more complicated with polymorphic code
  - Numerous advanced Javascript obfuscation techniques
- More and more powerful
  - Complete control of remote browsers
  - Networking operations (see CSRF)
  - Next generation of botnets
  - Considered the buffer overflow of the beginning of the 21st century
- Unrecognized: most people think XSS is limited to cookie theft. Bang. You're dead.
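The slide notes that a volatile (reflected) XSS leaves no trace on the server except in its access logs. The following is an added example, not code from the presentation or from DenyAll, of the kind of log-file analysis it refers to: it parses constructed Apache "combined" log lines, URL-decodes each query parameter until the value is stable (so double-encoded payloads are inspected decoded), and flags values carrying script elements, inline event handlers or javascript: URIs. The log lines, addresses and indicator patterns are all constructed for the demo; the patterns are deliberately short and, as the slide warns, obfuscated Javascript will get past a list this simple.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (Apache "combined" layout). Hosts, paths
# and user agents are made up for this demo and do not come from the slides.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2010:09:12:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2010:09:12:44 +0000] "GET /search?q=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2010:09:13:02 +0000] "GET /profile?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2010:09:14:10 +0000] "GET /redirect?to=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [10/May/2010:09:15:00 +0000] "POST /guestbook HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client address, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection in a decoded query value (constructed, minimal list).
INDICATORS = [
    re.compile(r"<\s*script", re.I),         # a script element
    re.compile(r"\bon[a-z]+\s*=", re.I),     # inline event handlers such as onerror=
    re.compile(r"javascript\s*:", re.I),     # javascript: URI in a redirect/link parameter
]


def fully_decode(value, max_rounds=3):
    """Undo URL encoding until the value stops changing (bounded), so double-encoded payloads are seen decoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return (ip, path, parameter, matched pattern) for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl already decodes one layer; fully_decode handles the remaining ones.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        for pat in INDICATORS:
            if pat.search(value):
                return (m.group("ip"), parts.path, name, pat.pattern)
    return None


def scan_log(text):
    """Scan every line of an access log; returns the hits in log order."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, path, param, pattern in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} param={param} matched {pattern!r}")
```

The POST to /guestbook produces no hit: a persistent XSS payload travels in the request body, which the access log does not record, which is exactly why the slide says only the volatile variant can be found this way.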
23. 101 XSS exploitation
- Usual PoC: inject <script>alert('XSS')</script>
- Volatile and harmless XSS, used in most pentests
- Generates a popup in the "compromised" browser
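To show why the popup PoC works and what stops it, here is an added example (not code from the presentation) that renders both XSS vectors from slide 20: a reflected "search" page, where the payload arrives in the request, and a persistent guestbook, where it is stored server-side and re-served to every visitor. Each is rendered once by raw string concatenation and once with HTML entity encoding of the untrusted value; the page names, the guestbook store and the check helper are constructed for the demo.

```python
import html

# The usual proof-of-concept payload from the slide.
PAYLOAD = "<script>alert('XSS')</script>"


def render_search_vulnerable(query):
    """Reflected (volatile) XSS: the query is pasted straight into the markup."""
    return f"<h1>Results for {query}</h1>"


def render_search_hardened(query):
    """Same page with output encoding: < > & \" ' become entities, so the browser shows text, not a script element."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


GUESTBOOK = []   # constructed stand-in for server-side storage


def post_message(message):
    """Persistent XSS: the payload is stored once and served to everyone afterwards."""
    GUESTBOOK.append(message)


def render_guestbook_vulnerable():
    return "<ul>" + "".join(f"<li>{m}</li>" for m in GUESTBOOK) + "</ul>"


def render_guestbook_hardened():
    # Encode at output time, where the data meets the HTML context; storing the
    # raw message is fine as long as every renderer escapes it.
    return "<ul>" + "".join(f"<li>{html.escape(m, quote=True)}</li>" for m in GUESTBOOK) + "</ul>"


def contains_script_element(markup):
    """Demo check: does the produced markup still contain a live <script> start tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))   # the browser executes the alert
    print(render_search_hardened(PAYLOAD))     # the browser displays the payload as text
    post_message(PAYLOAD)
    print(render_guestbook_vulnerable())
    print(render_guestbook_hardened())
```

Entity encoding is context-specific: it is the right fix for untrusted data placed in HTML element content or attribute values, which is the case on both demo pages, but data placed inside a script block, a URL or a CSS value needs the encoder for that context.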
24. Real XSS Exploitation Method
- Up to 4 players game
  - The Hacker: the very bad guy
  - The Goat: XSS vulnerable website
  - The Victim: innocent user whose browser will be compromised
  - The Relay: a compromised or malicious website (optional)
- 3 players game rules
  - The Hacker finds an XSS vulnerability on The Goat and exploits it, designing a script which will be executed on The Victim
  - The Victim goes to the compromised page on The Goat: via a malicious link (volatile) or directly on the page (persistent)
  - The script is executed by The Victim
  - The script may enforce a connection to The Relay to send back information
25. 4 players game schema
1. Hacker compromises Relay
2. Hacker exploits XSS vulnerability
3. Victim goes on compromised page
4. Malicious Javascript is loaded on Victim
5. Victim executes Javascript
6. Victim sends information to Relay
7. Information sent back to Hacker
8. Relay sends new commands to Victim
26. PoC: The XSS Popup
- Command sent to the client: alert("Gotcha")
27. Portscan
- A Javascript portscanner is loaded in an invisible iFrame
- Victim performs the scan
- Results are sent through a request made in the invisible iFrame and collected on the malicious server
- Victim sees nothing
- Portscan victim doesn't have any clue regarding the real attacker
28. Redirection
- The victim is silently redirected to another web page
  - Could be a similar page, used to steal authentication credentials
  - Could be a competitive site
- Made in the invisible iFrame, collected on the malicious server
- Victim sees nothing
- Portscan victim doesn't have any clue regarding the real attacker
30. (Distributor for Middle East & SE Europe)
2702A Business Central Towers, Dubai Internet City, P.O. Box 503012, Dubai, United Arab Emirates
Tel: 04-3754306
E-mail: middle-east@recro-net.com
www.recro-net.com