Hacking Web Applications: Why it's still a walk in the park!
Agenda
- about SensePost
- why do we care about web-apps?
- so what exactly is....
- testing && test automation
- it's all fixed with Web-Services... (or not..)
- the road ahead?
- questions?
About us
- about SensePost: small independent Info. Sec company; > 50% of our business international; fairly well published: Security Focus, BlackHat, RSA, books (Special Ops, Nessus, STC, ANS..)
- about me: joined SensePost in 2001, have not slept since...; across-the-board fiddler & coffee drinker
Why do we care about web apps?
"Cool shellcode gets you the chicks", but we like web apps because...
- ubiquity: if the company you are targeting is big enough, they have (at least one)
- they are everywhere because: so easy to do; so easy to do (badly/wrong/insecurely); exposed by their nature; rapid deployment; complex business logic; point n click
- actually tricksy to do it right...
So what exactly is a....? Directory Traversal Attacks
As simple as it gets..
  open(fHandle, "$user_input")
  open(fHandle, "results.txt")
  open(fHandle, "../../../../../../../../../etc/passwd") ?
Who would be so stupid? *cough*
Root cause: sanitization problem. $user_input shoulda been an 8.3 filename: white-listing VS. blacklisting
http://victim2k/showcode.asp
So what exactly is a....? Canonicalization
Clearly a big word! Simply? Simplification..
- deny access to c:\stuff\secret
- permit access to c:\stuff\public
- ???? access to c:\stuff\public\..\secret
http://victim2k/showcode.asp
Do people still make this mistake? *cough*
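Added example, not from the slides: the whitelist the traversal slide asks for (an 8.3 filename) next to the canonicalization check the second slide needs, so c:\stuff\public\..\secret is refused. The web root, the function names and the use of ntpath (so the slide's Windows paths resolve the same on any OS) are choices made here.

```python
import ntpath
import re
from typing import Optional

# Constructed web root for this added example, mirroring the slide's c:\stuff\public.
PUBLIC_DIR = r"c:\stuff\public"

# The whitelist the slide asks for: an 8.3 filename and nothing else.
EIGHT_DOT_THREE = re.compile(r"[A-Za-z0-9_]{1,8}\.[A-Za-z0-9]{1,3}")


def blacklist_allows(user_input: str) -> bool:
    """Blacklisting: deny the one pattern the developer thought of ("../")."""
    return "../" not in user_input


def whitelist_allows(user_input: str) -> bool:
    """Whitelisting: accept only what a legitimate request can look like."""
    return EIGHT_DOT_THREE.fullmatch(user_input) is not None


def resolve_under(base: str, requested: str) -> Optional[str]:
    """Canonicalize base + requested and refuse it unless it stays under base.

    ntpath is used so the slide's Windows paths behave the same on any OS;
    normpath() collapses ".", ".." and mixed separators, which is the
    "simplification" the slide calls canonicalization.
    """
    root = ntpath.normpath(base)
    canonical = ntpath.normpath(ntpath.join(root, requested))
    try:
        common = ntpath.commonpath([root, canonical])
    except ValueError:  # different drive letters: cannot be under base
        return None
    if ntpath.normcase(common) != ntpath.normcase(root):
        return None
    return canonical


def open_for_user(user_input: str) -> Optional[str]:
    """What open(fHandle, "$user_input") should have done: whitelist first,
    then canonicalize; returns the path to open, or None to refuse."""
    if not whitelist_allows(user_input):
        return None
    return resolve_under(PUBLIC_DIR, user_input)
```

The blacklist passes a backslash-separated "..\secret" untouched, which is the point of the white-listing VS. blacklisting line on the slide.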
So what exactly is....? Information Disclosure
Is it a big deal? <...>
Production code should not fail verbosely..
  e.printStackTrace();
  CGI::fatalsToBrowser;
{mnemonix + "Web Application Disassembly with ODBC Error Messages"}
So what exactly is....? Command Execution
Simplest example: http://netcheck
Root cause: still just sanitization; pops up in the weirdest places.. <.mailto:?.>
[hackrack + login page!!!]
[let's re-look at that directory traversal problem? :>]
So what exactly is....? Parameter Passing
An old favorite.. Typical example? <...>
Even bigger problem when multiple parties are involved..
  <html>
  <form method="POST" action="http://www.book.com/cgi-bin/buy.cgi">
  <input type="text" name="quantity" size="3">
  <INPUT TYPE="hidden" NAME="TOTAL_PRICE" VALUE="$500">
  <input type="submit" value="Submit" name="submit">
  </form>
  </html>
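Added example, not from the slides: what buy.cgi does wrong with the hidden TOTAL_PRICE field above, beside a handler that recomputes the total server-side and treats a disagreeing hidden field as a tamper signal. The catalogue, the two POST bodies and the function names are constructed here.

```python
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional

# Constructed server-side catalogue for this added example; the client may
# say which item and how many, never what it costs.
CATALOGUE: Dict[str, Decimal] = {"book-1234": Decimal("500.00")}

# Constructed POST bodies: the form as designed, and the same form after the
# shopper edited the hidden field in a saved copy of the page.
HONEST_POST = {"item": "book-1234", "quantity": "2", "TOTAL_PRICE": "$1000.00"}
TAMPERED_POST = {"item": "book-1234", "quantity": "2", "TOTAL_PRICE": "$1.00"}


def total_from_form(form: Dict[str, str]) -> Decimal:
    """The slide's bug: buy.cgi believes the hidden TOTAL_PRICE as sent."""
    return Decimal(form["TOTAL_PRICE"].lstrip("$"))


def total_from_server(form: Dict[str, str]) -> Optional[Decimal]:
    """Fix: recompute the total from server-side prices and a validated
    quantity; returns None when the order cannot be accepted."""
    price = CATALOGUE.get(form.get("item", ""))
    if price is None:
        return None
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        return None
    if not 1 <= quantity <= 99:  # also stops negative "refund" quantities
        return None
    return price * quantity


def looks_tampered(form: Dict[str, str]) -> bool:
    """Detection: while the legacy hidden field is still sent, a value that
    disagrees with the server-side total is worth logging as tampering."""
    server_total = total_from_server(form)
    claimed = form.get("TOTAL_PRICE")
    if server_total is None or claimed is None:
        return False
    try:
        return Decimal(claimed.lstrip("$")) != server_total
    except InvalidOperation:  # garbage in the field is itself suspicious
        return True
```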
So what exactly is....? SQL Injection
Everybody loves OR 1=1. Basic problem: *yawn* sanitization
  SELECT * FROM FOO WHERE NAME='BAR'
  SELECT * FROM FOO WHERE NAME='BAR' AND blah, blah, blah
http://sql
It gets worse? xp_cmdshell.. old security architecture books! crown jewels?
How far do you want to take it today? (dns tunnels / sing?)
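Added example, not from the slides: the FOO query built by string concatenation beside the same query with a bound parameter, run against a constructed in-memory SQLite table so the OR 1=1 effect can be seen without a server. The table contents, the function names and the logging heuristic are choices made here.

```python
import re
import sqlite3
from typing import Dict, List


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the slide's FOO."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)",
                     [("BAR", "bar-secret"), ("BAZ", "baz-secret")])
    return conn


def names_concat(conn: sqlite3.Connection, name: str) -> List[str]:
    """The slide's bug: the value is pasted into the SQL, so a quote in it
    closes the literal and whatever follows becomes part of the WHERE."""
    sql = "SELECT name FROM foo WHERE name='" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def names_param(conn: sqlite3.Connection, name: str) -> List[str]:
    """Fix: a bound parameter; the driver keeps the same string as data."""
    rows = conn.execute("SELECT name FROM foo WHERE name=? ORDER BY name", (name,))
    return [row[0] for row in rows]


def looks_like_injection(value: str) -> bool:
    """Rough log/WAF signal: a quote followed by OR/AND. A heuristic only;
    the fix is names_param(), not filtering."""
    return re.search(r"'\s*(or|and)\b", value, re.IGNORECASE) is not None


def demo() -> Dict[str, object]:
    """Run the slide's favourite payload through both query styles."""
    conn = build_db()
    payload = "BAR' OR '1'='1"  # constructed input: the OR 1=1 from the slide
    return {
        "honest_concat": names_concat(conn, "BAR"),
        "attack_concat": names_concat(conn, payload),  # every row comes back
        "attack_param": names_param(conn, payload),    # no row has that name
        "flagged": looks_like_injection(payload),
    }
```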
So what exactly is....? Cross Site Scripting
Isn't that just lame?
- Yes: because it requires interaction; because it kills the signal to noise ratio on mail lists
- No: because if your banking app is vuln...
Overview: <...>
So what exactly is....? State-Tracking
Always working off the back foot.. tokens: a whole new can of worms...
- being tracked consistently across the app?
- token predictability? <...>
- token theft? <xss gets teeth?>
Test Automation
Evolution from everyone's Perl scripts to a few: webproxy, Scarab, Paros. Still manual, still resource intensive..
Attempts at automation..
- How do they spider without logout? Delete Customer buttons?
- Calendar / halting problems?
- Authentication vs. Authorization
Test Automation: some tools we use (and give away ;>)
Wikto: Do we need another cgi scanner? Depends.. is 200 == 404?
  GET /Scripts/showcode.asp
wikto sends 2 requests:
  [a] GET /Scripts/moomoomoo.asp
  [b] GET /Scripts/showcode.asp
compare contents and then report.. {now with netsquare integration ;>}
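Added example, not Wikto's code: the two-request comparison described on the slide, run against a constructed stand-in for a server that answers every unknown path with 200 and a friendly page, which is why a status-code-only check reports everything as present. The fetch stub, the page bodies, the similarity threshold and the function names are choices made here.

```python
import difflib
import posixpath
from typing import Tuple

# Constructed responses for this added example: a server that answers every
# unknown path with "200 OK" and a friendly page, the slide's 200 == 404 case.
SOFT_404 = ("<html><head><title>Oops</title></head><body>We could not find "
            "that page. Try the home page or the search box.</body></html>")
KNOWN_PAGES = {
    "/Scripts/showcode.asp": ("<html><body><h1>Source viewer</h1>"
                              "<pre>Enter a file to display.</pre></body></html>"),
}


def fetch(path: str) -> Tuple[int, str]:
    """Stand-in for an HTTP GET (no network): known paths get their page,
    anything else gets the soft 404, still with status 200."""
    if path in KNOWN_PAGES:
        return 200, KNOWN_PAGES[path]
    return 200, SOFT_404


def exists_by_status(path: str) -> bool:
    """A plain CGI scanner's test: trusts the status code, so every probe "hits"."""
    return fetch(path)[0] == 200


def exists_by_diff(path: str, threshold: float = 0.9) -> bool:
    """The Wikto test from the slide: [a] request a name that cannot exist in
    the same directory, [b] request the candidate, then compare the bodies."""
    directory, _ = posixpath.split(path)
    ext = posixpath.splitext(path)[1]
    status_a, body_a = fetch(posixpath.join(directory, "moomoomoo" + ext))  # [a]
    status_b, body_b = fetch(path)                                           # [b]
    if status_b == 404:
        return False
    if status_a != status_b:
        return True  # the server tells them apart itself
    similarity = difflib.SequenceMatcher(None, body_a, body_b).ratio()
    return similarity < threshold  # near-identical bodies: a 404 in disguise
```

For a defender the lesson is the same one the slide makes: a custom "not found" page served with 200 hides nothing from a scanner that diffs responses.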
Test Automation: some tools we use (and give away ;>)
E-or: Manually mirror, and selectively fuzz
- sendraw != MSIE
- snapshots + text compare (broken again :()
- spend time on the real analysis <..>
Crowbar... <..> Todo...
Finally... WebServices && The Future
Same old, same old? Where are we focusing our efforts? (token bfs?)
MS + ASP.Net
Education! Still going to be around for a while..
Crowbar – BETA!
Application level E-Or – the process
- User walks the target application
- Proxy writes requests and responses to file
- User reads file, configures which actions and variables to fuzz
- User configures state information such as Cookies in HTTP headers
- Each action and variable is fuzzed using IE as a rendering tool
- Screenshots of each reply are taken; rendered text is saved from the browser
- User can now watch the responses as a "movie", pausing anywhere
- User can replay the request