Web Application Security and Release of "WhiteHat Arsenal"

Black Hat New Orleans Windows Security 2002
“Web Application Security and Arsenal”
Presenter: Jeremiah Grossman
Copyright 2002 WhiteHat Security. All Rights Reserved.

Topics
- Web application security landscape
- Why is web application security important
- Common web application security mistakes
- Web application attack methodologies

Web Application Security Landscape
- Entertainment: message boards, WebMail, guest books, voting polls
- E-commerce: shopping, auctions, banking, stock trading
- Just plain crazy: printers, PDA’s, cell phones, system configuration, .NET/Passport

Web Application: The Simple Definition
A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.

Web Application: The “EASIER” Definition
If it runs on port 80 or port 443, then it is probably a web application.
Why is Web Application Security Important?
- Easiest way to compromise hosts, networks and users.
- Widely deployed.
- No logs! (The POST request payload is not logged.)
- Incredibly hard to defend against or detect.
- Most don’t think of locking down web applications.
- Intrusion detection is a joke.
- Firewall? What firewall? I don’t see no firewall…
- Encrypted transport layer does nothing.
- How much easier can it get!? Unicode.

Common Web Application Security Mistakes
- Trusting client-side data
- Unescaped special characters
- HTML output character filtering
- SUID
- ActiveX/JavaScript authentication
- Lack of user authentication before performing a critical task

Trusting Client-Side Data
DO NOT TRUST CLIENT-SIDE DATA!!!
- Trusting client-side data is the #1 cause of vulnerabilities.
- Identify all input parameters that trust client-side data.

Unescaped Special Characters
The level of trust: searches / queries / templates
Path: http://foo.com/cgi?val=string&file=/html/name.db
Or better yet…
http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd

Unescaped Special Characters
! @ $ % ^ & * ( ) - _ + ` ~ | [ ] { } ; : ' " ? / , . > <
Check for: unescaped special characters within input strings.

HTML Character Filtering
Proper handling of special characters:
  >  => &gt;
  <  => &lt;
  "  => &quot;
  &  => &amp;
Null characters (%00) should all be removed.

More mistakes…
- SUID (does a web application really need root?)
- Authentication mechanisms using technologies such as JavaScript or ActiveX.
- Lack of re-authenticating the user before issuing new passwords or performing critical tasks.
- Hosting of uncontrolled data on a protected domain.
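The three checks the preceding slides ask for (flag special characters in input, strip null characters, escape output for HTML) fit in a few lines. The Python below is an added example for this transcript, not code from the deck or from WhiteHat Arsenal; the special-character set is copied from the slide, the `%00`/NUL handling follows the "null characters should all be removed" rule, and the extra `'` => `&#x27;` mapping is my own addition beyond the four characters the slide lists.

```python
import re

# Special characters the slide lists as worth flagging in input strings.
SPECIAL_CHARS = set("!@$%^&*()-_+`~|[]{};:'\"?/,.><")

# A literal NUL byte or its percent-encoded form %00 (case-insensitive).
NULL_RE = re.compile(r"\x00|%00", re.IGNORECASE)

# Output escaping table: the four mappings from the slide plus a single-quote
# mapping (my addition) so the result is also safe inside single-quoted attributes.
HTML_ESCAPES = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
})


def strip_nulls(value: str) -> str:
    """Remove NUL bytes and %00 sequences from a parameter value."""
    return NULL_RE.sub("", value)


def flag_special_chars(value: str) -> list[str]:
    """Return the listed special characters present in an input string,
    in order of first appearance, so the parameter can be reviewed."""
    seen: list[str] = []
    for ch in value:
        if ch in SPECIAL_CHARS and ch not in seen:
            seen.append(ch)
    return seen


def escape_for_html(value: str) -> str:
    """Prepare untrusted text for inclusion in an HTML page: drop nulls,
    then escape every character that could change the markup. str.translate
    replaces all characters in one pass, so '&' is never double-escaped."""
    return strip_nulls(value).translate(HTML_ESCAPES)


if __name__ == "__main__":
    # Constructed sample input resembling the deck's traversal query string.
    sample = 'root&file=../etc/<b>"x"</b>%00'
    print("special characters:", flag_special_chars(sample))
    print("escaped output:", escape_for_html(sample))
```

`flag_special_chars` is a review aid rather than a filter: it tells you which parameters carry characters that reach a shell, a database or a template, so you can decide where escaping or an allow list is missing.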
WhiteHat Arsenal
- GUI web-based interface
- Session based
- Discovery utilities
- Active assessment
- Encoding/decoding
- Reporting

Web Application Penetration Methodologies
- Information gathering & discovery
- Input/output client-side data manipulation

Information Gathering & Discovery
- Spidering / site map
- Identifiable characteristics
- Error and response codes
- File / application enumeration
Spidering
(title-only slide)

Spidering / Site Crawling
- Site map
- Service map
- Documentation
- Hidden services
- CGIs and forms
- Email addresses

Identifiable Characteristics
- Comment lines
- URL extensions
- Meta tags
- Cookies
- Client-side scripting languages
An enormous wealth of information about process flows, debug commands, system types and configurations.

Error and Response Codes
- HTTP response headers, e.g. Server: IBM/Apache 1.3.19
- Cookie characteristics
- Error messages
- Exception messages (Java / SQL)
- 404 error pages
- Failed login
- Locked account
- Database or file non-existent

File/Application Enumeration
Commonly referred to as “forced browsing” or “CGI scanning”.

File/Application Enumeration
- Sample files
- Template directories
- Temp or backup files
- Hidden files
- Vulnerable CGIs

Common Directories
(title-only slide)

Common Log Files
(title-only slide)

Common Backup Files
(title-only slide)
Input/Output Client-Side Data Manipulation
- URL manipulation
- CGI parameter tampering
- HTTP client-header injection
- Filter/intrusion detection evasion
- Protocol/method manipulation
- Overflows

Input Manipulation
Parameter tampering: "Twiddling bits."
- Cross-site scripting
- Filter-bypass manipulation
- OS commands
- Meta characters
- Path/directory traversal
- Hidden form field manipulation
- HTTP headers

Cross-Site Scripting
- Bad name given to a dangerous security issue.
- The attack targets the user of the system rather than the system itself.
- Outside client-side languages executing within the user’s web environment with the same level of privilege as the hosted site.

Client-Side Scripting Languages
- DHTML (HTML, XHTML, HTML x.0): opens all the doors.
- JavaScript (1.x): browser/DOM manipulation.
- Java (applets): malicious applets.
- VBScript: browser/DOM manipulation.
- Flash: dangerous third-party interactivity.
- ActiveX: let me count the ways…
- XML/XSL: another door opener.
- CSS: browser/DOM manipulation.

The Scenarios
- Trick a user into re-logging in to a spoofed page.
- Compromise authentication credentials.
- Load dangerous or malicious ActiveX.
- Redirect a user, or ALL users.
- Crash the machine or the browser.

CSS Danger: “The Remote Launch Pad.”
(“CSS” in the following slides is the deck’s abbreviation for cross-site scripting.)
- Successfully CSS a user via a protected domain.
- Utilizing a client-side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.
- The user is unknowingly infected/compromised within a single HTTP page load.
- ActiveX Netcat, anyone?

2 Types of CSS
- Click on a link to activate: <A HREF="http://www.evil_javascript_link"> Click Here </A>
- Auto-execute by viewing HTML: <SCRIPT>run evil JavaScript</SCRIPT>

Dangerous HTML: “HTML Bad”
- <APPLET>: malicious Java applications
- <BODY>: altering HTML page characteristics
- <EMBED>: embedding third-party applications (Flash, etc.)
- <FRAME>: directly calling in other uncontrolled HTML
- <FRAMESET>: directly calling in other uncontrolled HTML
- <HTML>: altering HTML page characteristics
- <IFRAME>: directly calling in other uncontrolled HTML
- <IMG>: SRC protocol attacks and other abuses
- <LAYER>: directly calling in other uncontrolled HTML
- <ILAYER>: directly calling in other uncontrolled HTML
- <META>: META refreshes (client redirects)
- <OBJECT>: ActiveX (nuff said)
- <SCRIPT>: JavaScript/VBScript loading
- <STYLE>: style sheet and scripting alterations

Dangerous Attributes: “Attributes Bad”
Attribute danger list (any HTML tag that has these attributes):
- STYLE
- SRC
- HREF
- TYPE
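The two "bad" lists above are a deny list, and deny lists on HTML are hard to keep complete. The defensive counterpart is an allow list: keep only the tags and attributes a feature actually needs and drop everything else, which covers every tag and attribute on the slides without naming them. The Python below is an added example written for this transcript (not code from the deck or from WhiteHat Arsenal) using the standard-library `html.parser`; the allowed tag set (`b`, `i`, `p`, `br`, `a` with an `http`/`https` `href`) is a constructed choice for a comment-style input field.

```python
from html import escape
from html.parser import HTMLParser

# Allow list: tag -> attributes that may survive on it. Anything not listed
# (APPLET, SCRIPT, IFRAME, OBJECT, IMG, META, ... and every STYLE/SRC/TYPE
# attribute) is removed. Constructed for this example.
ALLOWED_TAGS: dict[str, set[str]] = {
    "b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"},
}
VOID_TAGS = {"br"}                       # tags that take no closing tag
DROP_CONTENT_TAGS = {"script", "style", "applet", "object"}  # drop body too
SAFE_HREF_SCHEMES = ("http://", "https://")


class AllowListSanitizer(HTMLParser):
    """Re-emit an HTML fragment keeping only allow-listed tags/attributes.
    Text is always escaped on the way out, so unknown tags degrade to text
    and script-bearing containers lose their contents entirely."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []     # stack of open content-dropping tags

    def handle_starttag(self, tag, attrs):
        if self.dropped:                 # inside <script>...: ignore everything
            return
        if tag in DROP_CONTENT_TAGS:
            self.dropped.append(tag)
            return
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:        # unknown tag: drop tag, keep its text
            return
        kept = []
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_SCHEMES):
                continue                 # blocks javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.dropped:
            if tag == self.dropped[-1]:
                self.dropped.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropped:
            self.out.append(escape(data, quote=True))


def sanitize_html(fragment: str) -> str:
    """Return the allow-listed, re-serialised form of an untrusted fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample resembling a hostile comment post.
    sample = '<p>Hi <b>all</b></p><script>alert(1)</script><img src=x onerror=alert(1)>' \
             '<a href="javascript:alert(1)" style="x">link</a>'
    print(sanitize_html(sample))
```

Because output is rebuilt from the parse tree rather than patched with string replacement, malformed or upper-cased markup is normalised before the allow list is applied, which is the property deny-list filters lack.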
Power of the Dots and Slashes
Piping input to the command line. Path/directory traversal:
  http://foo.com/app.cgi?directory=/path/to/data
DotDot Slash:
  http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd
Dot Slash:
  http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd
Double DotDot Slash:
  http://foo.com/app.cgi?dir=path/to/data....//....//....//etc/passwd

More Filter Bypassing
- Method alteration (HEAD, PUT, POST, GET, etc.)
- URL encoding: http://www.foo.com/cgi?value=%46%72%68%86
- Null characters: http://www.foo.com/cgi?value=file%00.html
- More… alternate case, Unicode, string length, multi-slash, etc.
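The traversal and filter-bypass slides share one lesson: a filter that pattern-matches the raw parameter loses to encoding and to variants like `....//`. The defensive approach is to decode the parameter to its canonical form first, reject anything still carrying a null, and then resolve the path and test where it actually lands rather than what it looks like. The Python below is an added example for this transcript (not code from the deck or from WhiteHat Arsenal); `naive_strip_dotdot` is a constructed stand-in for the kind of single-pass filter the "Double DotDot Slash" variant defeats, and the base directory `/srv/data` is a constructed value.

```python
import os
from urllib.parse import unquote

MAX_DECODE_PASSES = 3   # more nested encoding layers than this is itself suspicious


def naive_strip_dotdot(value: str) -> str:
    """Constructed example of the filter the slides bypass: one pass of
    removing '../' turns '....//' back into '../'. Do not use."""
    return value.replace("../", "")


def canonicalize_param(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing (so %252e
    and %2e both end up as '.'), then reject embedded null characters."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in value:
        raise ValueError("null byte in parameter")
    return value


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Resolve a client-supplied relative path and return the absolute path
    only if it stays inside base_dir. realpath collapses '..', './', '//'
    and symlinks, so the check is on the destination, not the spelling."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, canonicalize_param(user_path)))
    # An absolute user_path replaces base in os.path.join; the prefix test catches that too.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper for request handlers that just need accept/reject."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the slide's variants.
    print(naive_strip_dotdot("....//....//etc/passwd"))      # filter bypassed
    for p in ["reports/q1.txt", "path/to/data/../../../../etc/passwd",
              "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "file%00.html"]:
        print(f"{p!r:45} safe={is_safe_path('/srv/data', p)}")
```

`os.path.realpath` does not require the path to exist, so the check works for lookups that will fail later anyway; the decode loop is bounded because unbounded re-decoding can itself be driven into odd states by crafted input.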
Authentication & Session Management
- Brute/reverse force
- Session hijacking
- Session replay
- Session forging
- Page sequencing
Reporting
- XML/HTML based
- Manual hack attack log with descriptor
- Common directory force browsing
- Common log file force browsing
- Backup file force browsing
- Spider log

Spider XML Log
(title-only slide)

Attempts XML Log
(title-only slide)

A few quick things to help secure a web application:
- Do not trust client-side data.
- Escape and filter all input/output data.
- Set up parameter and request method allow lists.
- Don’t use what you’re not expecting to receive.
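The last two recommendations, allow lists for parameters and request methods and refusing anything you were not expecting, can be enforced in one validator that runs before the handler sees the request. The Python below is an added example for this transcript (not code from the deck or from WhiteHat Arsenal); the endpoint spec for a hypothetical search page (`q`, `page`, GET only) and its patterns are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ParamRule:
    pattern: re.Pattern        # whole value must match this allow-list pattern
    required: bool = False


# Constructed spec for a hypothetical /search endpoint: only GET, only the
# parameters named here, each constrained to the characters it legitimately needs.
ENDPOINT_SPEC = {
    "methods": {"GET"},
    "params": {
        "q": ParamRule(re.compile(r"[\w .-]{1,64}"), required=True),
        "page": ParamRule(re.compile(r"[1-9]\d{0,3}")),
    },
}


def validate_request(method: str, params: dict[str, str], spec=ENDPOINT_SPEC) -> list[str]:
    """Return a list of problems; an empty list means the request matches the
    allow list exactly. Method comparison is case-sensitive on purpose:
    'get' is not an HTTP method the spec admits, so it is rejected too."""
    problems: list[str] = []
    if method not in spec["methods"]:
        problems.append(f"method not allowed: {method}")
    for name, value in params.items():
        rule = spec["params"].get(name)
        if rule is None:
            problems.append(f"unexpected parameter: {name}")
        elif not rule.pattern.fullmatch(value):
            problems.append(f"parameter {name} fails allow-list pattern")
    for name, rule in spec["params"].items():
        if rule.required and name not in params:
            problems.append(f"missing required parameter: {name}")
    return problems


if __name__ == "__main__":
    # Constructed requests: one legitimate, one carrying an extra traversal parameter.
    print(validate_request("GET", {"q": "black hat", "page": "2"}))
    print(validate_request("GET", {"q": "x", "file": "../../etc/passwd"}))
    print(validate_request("POST", {"q": "<script>"}))
```

Rejecting unknown parameters outright is what makes the "hidden" or debug parameters from the discovery slides harmless: a parameter the spec does not name never reaches application code, whatever it contains.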
Thank You! Questions?
Jeremiah Grossman, [email_address], WhiteHat Security
All presentation updates will be available on www.whitehatsec.com and community.whitehatsec.com
