Chapter 20 - Computer Science & Engineering


Web Application Hacker’s Toolkit
Computer Science and Engineering
Review
• Web application characteristics
Functionality
• Server side technologies:
– Scripting languages
– Web application platform
– Web server software
– Databases
– Back-end components
• Client-side technologies:
– Browser Extension technologies
Application Characteristics
• Understand what the application does and how it behaves
– Content
– Functionality
• Identify:
– Application behavior
– Core security mechanisms
– Technologies being used
Enumerating Content and Functionality
• Manual vs. automated browsing
– Walk through the application
– Follow every link
– Navigate through multistage functions
• Web spidering
– Tools that follow all links until no new content is found
– Parse static HTML for links; more capable spiders also submit forms, attempt multistage functions, and execute client-side JavaScript
Automated Spidering
• E.g., Burp Spider, WebScarab
• General limitations:
– Cannot handle dynamically created menus (e.g., links built by JavaScript at run time)
– Limited depth when following links
– Spider-generated input may fail validation in multistage functions, so later stages are never reached
– Unique content is identified by URL, which works poorly for form-based navigation (same URL, different content)
– May break the authenticated session (e.g., by requesting a logout link or submitting invalid input)
User-Directed Spidering
• The user walks through the application while a spider (fed by the proxy) collects and analyzes what is requested
• Advantages:
– Handles unusual or complex navigation
– User controls the input data
– User can log in to the application and pass authentication
– User decides which functions are requested
APPLICATION HACKING
Hacking Steps 1
• Configure the browser to use the spider's intercepting proxy
• Browse the application normally
– Visit every link
– Proceed through multi-stage functions
– Repeat with JavaScript enabled/disabled and cookies enabled/disabled
• Review the site map to identify content that was not visited
• Run an automated spider from the site map
Discovering Hidden Content
• Not directly linked to or reachable from the main page
– E.g., testing and debugging content, different
functionality for different types of users, backup
copies, archives, old version of files, default
application functionality, log files, etc.
• Added attack points, sensitive content, etc.
• Automated, brute-force attack: Burp Intruder
– Burp Suite Tutorial – The Intruder Tool,
http://www.securityninja.co.uk/hacking/burp-suite-tutorialthe-intruder-tool/
Hacking Steps 2
• Make requests for resources that should not exist and note how the application responds (status code, page size, custom "not found" page)
• Use the site map to identify hidden content
• Use brute-force requests (e.g., Burp Intruder with a wordlist) to see how the application handles each guessed name
• Manually review the responses
• Infer hidden names from published content (naming schemes)
– Compile a list of subdirectory names
– Identify naming schemes and file extensions
– Review all client-side code
– Look for temporary and backup files
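The naming-scheme inference step above, as an added example (this is not code from the course): observed site-map entries are mutated into guesses for unlinked content, which would then be fed to a brute-force tool such as Burp Intruder. The verb list, backup suffixes, directory names and the sample paths are assumptions chosen for illustration.

```javascript
// Added example (not from the slides): turn names already seen in the site map
// into guesses for hidden content. Lists and sample paths are assumptions.
const VERBS = ['Add', 'Edit', 'Delete', 'View', 'List', 'Update', 'Create', 'Remove'];
const BACKUP_SUFFIXES = ['.bak', '.old', '.orig', '.txt', '.zip', '~'];
const SIBLING_DIRS = ['admin', 'backup', 'test', 'old', 'logs', 'temp'];

function splitPath(p) {
  const slash = p.lastIndexOf('/');
  const dir = p.slice(0, slash + 1);
  const file = p.slice(slash + 1);
  const dot = file.lastIndexOf('.');
  return {
    dir,
    file,
    stem: dot > 0 ? file.slice(0, dot) : file,   // "AddDocument"
    ext: dot > 0 ? file.slice(dot) : '',         // ".jsp"
  };
}

// Returns candidate paths that are NOT already in the site map, sorted.
function inferCandidates(knownPaths) {
  const known = new Set(knownPaths);
  const out = new Set();
  for (const p of knownPaths) {
    const { dir, file, stem, ext } = splitPath(p);
    if (!file) continue;                          // directory entries carry no name to mutate
    // 1. Naming-scheme inference: AddDocument.jsp -> EditDocument.jsp, DeleteDocument.jsp, ...
    //    (false positives such as "Address" are acceptable; they are only guesses)
    const verb = VERBS.find(v => stem.startsWith(v) && stem.length > v.length);
    if (verb) {
      const noun = stem.slice(verb.length);
      for (const v of VERBS) out.add(`${dir}${v}${noun}${ext}`);
    }
    // 2. Backup/old copies left next to live files: main.jsp.bak, main.bak, main.jsp~
    for (const s of BACKUP_SUFFIXES) {
      out.add(dir + file + s);
      if (ext) out.add(dir + stem + s);
    }
    // 3. Common unlinked directories alongside the known ones
    for (const d of SIBLING_DIRS) out.add(`${dir}${d}/`);
  }
  for (const k of known) out.delete(k);
  return [...out].sort();
}

// Constructed sample: three paths an earlier spidering pass might have found.
const SAMPLE_SITE_MAP = ['/app/AddDocument.jsp', '/app/ViewDocument.jsp', '/app/main.jsp'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(inferCandidates(SAMPLE_SITE_MAP).join('\n'));
}
```

Each candidate is then requested and the responses bucketed by status code and length; a guess that returns something other than the baseline "not found" response is worth a manual look.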
Use Public Information
• Find old resources
• Search engines:
– Advanced search operators: site:, login, link:, related:
– Different Google domains
– Omitted results
– Cached versions
– Other domains of the same organization
• Web archives, e.g., the WayBack Machine
Web Server Vulnerabilities
• Web server software vulnerabilities
– Default content
– Sample and diagnostic scripts
– Standard functionality
• Wikto: a tool that checks for flaws in web servers
– http://sectools.org/tool/wikto/
• Nikto: checks for potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems, configuration issues, etc. http://sectools.org/tool/nikto
Additional Mappings
• Functional paths
– URL query parameters
• Discovering hidden parameters
– Try common parameter names, e.g., debug, test, hide, etc.
– Monitor responses to identify anomalies
• Analyzing applications
– Functionality, behavior, security
• Server-side functionality
Mapping the Attack Surface
• Use the results of the analysis to find vulnerabilities
Easy picking: @
• Hidden symbol in a URL: text before @ in the authority is "userinfo", not the host
• Changes the destination: only the host to the right of @ is contacted, so a link that looks like it goes to cse.sc.edu can go to any other host
• Browser countermeasure: a warning such as
– "You are about to log in to the site "cse.sc.edu" with the username "farkas", but the website does not require authentication. This may be an attempt to trick you."
• Twitter: JavaScript executed from link text after @
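How the @ trick is parsed, as an added example (not code from the course): Node's WHATWG URL parser applies the same rule as browsers, so the host that is actually contacted is whatever follows the last @ in the authority. The sample links (cse.sc.edu, farkas, 203.0.113.5, /login) are constructed for illustration; 203.0.113.0/24 is a documentation address range.

```javascript
// Added example (not from the slides): what browsers do with "@" in a URL.
// Everything before the last "@" in the authority is userinfo; the host is
// what follows it. Sample hosts and paths below are assumptions.
function inspectUrl(raw) {
  const u = new URL(raw);
  return {
    username: decodeURIComponent(u.username),   // what the link *looks* like it targets
    hostname: u.hostname,                       // what the browser actually connects to
    hasUserinfo: u.username !== '' || u.password !== '',
  };
}

// Heuristic a link scanner or proxy rule might apply: userinfo that itself
// looks like a hostname is the classic "trusted-site@attacker-host" trick.
function looksDeceptive(raw) {
  const info = inspectUrl(raw);
  return info.hasUserinfo && /[a-z0-9-]+\.[a-z]{2,}$/i.test(info.username);
}

const SAMPLES = [                                  // constructed inputs
  'http://cse.sc.edu@203.0.113.5/login',          // looks like cse.sc.edu, goes to 203.0.113.5
  'http://farkas@cse.sc.edu/login',               // real userinfo; triggers the browser warning
  'http://cse.sc.edu/login',                      // no userinfo at all
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(s, inspectUrl(s), 'deceptive:', looksDeceptive(s));
}
```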
Who is at risk?
• Client: browsers
– Complex systems
– Plug-ins, extensions
– Server authentication
• JavaScript and paid ads make malicious code easy to propagate
• Never trust a client on the server side
• Never trust a browser on the client side
Improve client security
• Install patches to the browser
• Update commonly used plug-ins
• Eliminate unused plug-ins
• Heed your browser warnings
• Make antivirus software watch the browser and downloads
• Clear history, stored files, and cookies
• If a file is not signed and trusted, don’t download it
Improve server-side security
• Never execute client input as code
• Never allow client input to pass into the system without validating it internally
• Scrub client input for known exploits and suspect characters
• Keep a layer of indirection between the client input received and the system
• Manage sessions from inside the trust boundary, not on the client side
• Never encode secrets or functional variables in information sent to the client
Web Application Vulnerabilities
Biggest Threats to Web Applications
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Unrestricted file uploads (along with buffer overflows, SQL injection, etc.)
• Misplaced trust between the client’s machine and the web application
XSS
• Inject client-side script into web pages
• When a client views the page, the browser downloads and runs the script
• Used to bypass access controls such as the same-origin policy
– Permits scripts running on pages from the same origin (scheme, hostname, and port number) to access each other's Document Object Model with no specific restrictions
• XMLHttpRequest and robots.txt
How to avoid XSS?
• Scrub all input
• Escape output for display
• Use trusted solutions when available
• Use separate variables for scrubbed input
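A reflected-XSS sink and the "escape output for display" fix, as an added example (not code from the course). The search page, the `q` parameter and the payload are constructed for illustration.

```javascript
// Added example (not from the slides): reflected XSS and its output-escaping
// fix. Page, parameter name and payload are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };

// Escape for the HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, c => HTML_ESCAPES[c]);
}

// Vulnerable: the raw parameter is concatenated into the page, so
// ?q=<script>...</script> runs in every visitor's browser.
function renderVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Fixed: escape at the point of output. The raw and the escaped value live
// in different variables so the raw one cannot be used by mistake.
function renderSafe(q) {
  const qHtml = escapeHtml(q);
  return `<p>Results for: ${qHtml}</p>`;
}

// Escaping alone is not enough in a URL context: "javascript:alert(1)"
// survives HTML escaping untouched, so the scheme must be checked as well.
function renderLinkSafe(target) {
  const href = /^https?:\/\//i.test(target) ? target : '#';
  return `<a href="${escapeHtml(href)}">link</a>`;
}

const PAYLOAD = '<script>alert(document.cookie)</script>';   // constructed attacker input

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderVulnerable(PAYLOAD));
  console.log(renderSafe(PAYLOAD));
  console.log(renderLinkSafe('javascript:alert(1)'));
}
```

The escaping function is context-specific: it is correct for element text and quoted attributes, but values placed inside a script block, a URL or a CSS property each need their own encoding, which is why the slides recommend a trusted library over hand-rolled scrubbing.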
Cross-Site Request Forgery
• Exploits the trust the server places in the client's browser: the browser attaches the victim's cookies to any request to the site, whoever caused it
• Works with ordinary HTTP requests and responses
• Based on how web pages are delivered along with images and other embedded content: a page on one site can make the browser request URLs on another
Prevent CSRF
• Require re-authentication or confirmation steps for sensitive actions
• Use anti-CSRF tokens in your forms and processing
• Use POST as the method for taking form input
– GET: encodes the form data into the recipient's URL, appending it to the query string of the request
– POST: encodes it in the message body
– POST alone is not a defense, since a hidden form on the attacker's page can be auto-submitted; the token is what stops the forgery
Unrestricted File Upload
• Users may upload malicious files
• Uploaded files can be requested by URL (if stored under the web root)
• Example: PHP
– PHP code embedded in image files (e.g., in a comment field)
– The server then interprets the uploaded file as PHP code
Avoid File Upload Problems
• The system, not the user, should determine the stored file name
• Do not allow users to access the folders where content is uploaded
• Parse file extensions carefully or use your own file parser
• Whitelist (allow-list) extensions
• Secure the .htaccess file (it controls access to files on the server)
Adobe Flash
• 99% of all internet-connected machines use Adobe Flash
• No internal automated update capability
• Flash security policy: same origin
– Can be modified by an XML cross-domain policy declaration
• Can facilitate XSS, CSRF, DNS rebinding
Ways of Attacking
Applications
• Use of a web browser only
• Use of an intercepting web proxy
• Use of a standalone application scanner
Web Browsers
• Choice of web browser impacts the effectiveness of the
attack
• Most popular browsers:
– Internet Explorer
– Firefox
– Chrome
• Extensions: additional web browser functionalities
IE
• Declining number of users but still the leader
• Native support for ActiveX controls
• Must work with the Windows platform
• Anti-XSS filter since IE 8
• Extensions:
– HttpWatch: analyzes HTTP requests and responses, details of headers, cookies, URLs, request parameters, HTTP status codes, and redirects
Integrated Testing Suites
• Intercepting proxy
• Achilles proxy: early, basic proxy, standalone application, displayed each request and response for editing
• Modern proxies:
– Highly functional tool suites
– Several interconnected tools to facilitate common attack tasks
– Useful for both defense and offense
Some of the Tools
• Differ widely in their functionalities
• The best one: Burp Suite
• Others:
– WebScarab
– Paros
– Zed Attack Proxy
– Andiparos
– Fiddler
– Etc.
How the Tools Work
• Several complementary tools that share information about the target application
[Diagram: Attacker (IE) ↔ Toolkit ↔ Target application]
Toolkit: monitors interaction between the attacker and the target application. Stores all requests and responses and all details about the target application.
Toolkit Elements
1. An intercepting proxy
2. A web application spider
3. A customizable web application fuzzer
4. A vulnerability scanner
5. A manual request tool
6. Functions for analyzing session cookies and tokens
7. Other functions and utilities
1. Intercepting Proxies
• Must configure the attacker’s browser to use the intercepting proxy (listening on a specified port)
– Easily configured for the 3 most popular browsers
• If you are using a thick client that cannot be configured to use a proxy, modify the OS hosts file so the hostname used by the application resolves to the proxy, and have the proxy listen on the port the client expects (invisible proxying)
1. Intercepting Proxies
• Basic HTTP messages: the intercepting proxy acts as a normal web proxy
[Diagram: IE (attacker) → Proxy: request carrying the application's full URL → application]
The web browser sends the hostname of the application. The proxy resolves the corresponding IP address and converts the request to a non-proxy equivalent message.
1. Normal Web Proxy
• HTTPS messages
[Diagram: IE → Proxy: CONNECT; then one SSL handshake end-to-end between the client and the application, passing through the proxy]
After the connection is established, the proxy acts as a TCP-level relay between the client and the application.
1. Intercepting Proxy
• HTTPS messages
[Diagram: IE → Proxy: CONNECT; SSL handshake between the browser and the proxy; a separate SSL handshake between the proxy and the application]
After the CONNECT is accepted, the intercepting proxy does not relay bytes blindly: it completes its own SSL handshake with the browser (presenting a certificate it generated for the requested hostname) and a second handshake with the application, so it holds plaintext in the middle and can view and modify every message.
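The two request shapes the proxy slides describe (absolute-form HTTP requests and CONNECT for HTTPS) and what a proxy does with each, as an added example (not code from the course or from Burp). Hostnames, headers and the constructed requests are assumptions for illustration; the hop-by-hop header list is limited to the two that matter here.

```javascript
// Added example (not from the slides): parse what a browser sends to a
// configured proxy. Plain HTTP arrives in absolute form and is rewritten to
// the origin form the server expects; HTTPS begins with CONNECT host:port.
// Hostnames and headers below are constructed.
const HOP_BY_HOP = new Set(['proxy-connection', 'proxy-authorization']);

function parseProxyRequest(text) {
  const [requestLine, ...rest] = text.split('\r\n');
  const [method, target, version = 'HTTP/1.1'] = requestLine.split(' ');
  const headers = [];                      // [name, value] pairs, order preserved
  for (const line of rest) {
    if (line === '') break;                // blank line ends the header block
    const i = line.indexOf(':');
    headers.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
  }
  if (method === 'CONNECT') {
    const [host, port] = target.split(':');
    return { kind: 'tunnel', host, port: Number(port || 443), headers };
  }
  // Absolute-form target: the proxy resolves host/port from the URL itself,
  // then emits the non-proxy equivalent with a fresh Host: header.
  const u = new URL(target);
  const kept = headers.filter(([n]) => !HOP_BY_HOP.has(n.toLowerCase()) && n.toLowerCase() !== 'host');
  const originForm =
    `${method} ${u.pathname}${u.search} ${version}\r\n` +
    `Host: ${u.host}\r\n` +
    kept.map(([n, v]) => `${n}: ${v}\r\n`).join('') +
    '\r\n';
  const port = Number(u.port || (u.protocol === 'https:' ? 443 : 80));
  return { kind: 'http', host: u.hostname, port, request: originForm };
}

// This is the branch point between the two HTTPS diagrams: a normal proxy
// copies bytes after CONNECT; an intercepting one needs a certificate for
// `host` (signed by its own CA) to run a TLS handshake with the browser.
function tunnelAction(parsed, intercepting) {
  if (parsed.kind !== 'tunnel') return 'forward-rewritten-request';
  return intercepting ? `tls-handshake-with-browser-as:${parsed.host}` : 'tcp-relay';
}

const HTTP_REQ = 'GET http://app.example.com/login?x=1 HTTP/1.1\r\nHost: app.example.com\r\n' +
  'Proxy-Connection: keep-alive\r\nUser-Agent: t\r\n\r\n';                       // constructed
const CONNECT_REQ = 'CONNECT app.example.com:443 HTTP/1.1\r\nHost: app.example.com:443\r\n\r\n'; // constructed

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(parseProxyRequest(HTTP_REQ).request));
  console.log(parseProxyRequest(CONNECT_REQ), tunnelAction(parseProxyRequest(CONNECT_REQ), true));
}
```

For the invisible-proxy case from the earlier slide, the CONNECT line is absent; the proxy then has to take the hostname from the TLS Server Name Indication in the client's first handshake message instead.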
SSL Handshake
Phase 1: establish security capabilities
1. C → S: CLIENTHELLO
2. S → C: SERVERHELLO
Phase 2: optional server messages (in brackets)
   S → C: [CERTIFICATE], [SERVERKEYEXCHANGE], [CERTIFICATEREQUEST], SERVERHELLODONE
Phase 3: client key exchange
3. C → S: [CERTIFICATE], CLIENTKEYEXCHANGE, [CERTIFICATEVERIFY], CHANGECIPHERSPEC, FINISHED
Phase 4: change cipher spec and finish
4. S → C: CHANGECIPHERSPEC, FINISHED
Fake Certificates
• The proxy’s certificate may not be accepted by the browser
– Cross-domain requests
– Users’ trust (certificate warnings)
• Burp Suite: generates a unique CA certificate for the current user; once that CA is installed as trusted, Burp uses it to sign a new certificate for each host the proxy intercepts
Common features of the
Intercepting Proxies
• Fine-grained intercepting rules
• Detailed history of all requests and responses
• Automated match and replace rules for dynamic
modification of the requests and responses
• Access to proxy’s functionality within the web browser
• Utilities
2. Web Application Spider
• Shares data with the intercepting proxy
• Manual spidering followed by automated spidering
• Challenges:
– Form-based navigation
– JavaScript-enabled navigation
– Multistage functions
– Authentication and sessions
– Parameter-based identification
– Tokens and cookies
Common Functionalities of Web Spiders
• Automatic update of the site map based on data supplied by the proxy
• Parsing proxy data for links
• Fine-grained control over the scope of spidering
• Automatic parsing and analysis of HTML forms, scripts, comments, images
• Automated and user-guided submission of forms
• Automatic retrieval of the root of all enumerated directories
3. Web Application Fuzzers
• Use automation to perform common attack tasks
• Common features:
– Manually configured probing for common vulnerabilities
– A set of built-in payloads and functions to generate arbitrary payloads
– Saving attack results and response data
– Customizable functions for viewing and analyzing responses
– Functions for extracting useful data from the application
4. Web Application Vulnerability Scanners
• Passive scanning: monitoring the requests and responses passing through the local proxy
– Detects vulnerabilities such as clear-text passwords, incorrectly configured cookies, etc.
– Non-invasive, often used for penetration testing
• Active scanning: sending new requests to the target application
– To test for XSS vulnerabilities, HTTP header injection, etc.
– Can be potentially dangerous
5. Manual Request Tools
• Functionality to issue a single request and view its response
• Very useful when a request needs slight modifications based on previous responses
• Can be either a standalone tool or web browser-based
• Common features:
– Integration with other suite components
– Keeps a record of all requests and responses
– Multi-tabbed interface to handle multiple items
6. Session Token Analyzer
• Randomness of session cookies
• Burp Sequencer: standard statistical tests
Testing Workflow
[Diagram: Recon and analysis: Browser → Intercepting proxy (proxy history, site map) → Spider, Content discovery, Passive scanning. Vulnerability detection and exploitation: Scanner (passive and active), Fuzzer, Token analyzer. Confirm vulnerabilities: Repeater → Vulnerabilities.]
Alternatives to Intercepting Proxies
• Non-traditional applications
– Cannot use a proxy
• Browser extensions
– Extend browser functionality
– Do not interfere with the network-layer communication between the server and the browser
– Allow submitting arbitrary requests to the application
Methodology
1. Recon and analysis
– Map application content
– Analyze the application
2. Analysis
– Application logic: test client-side controls and look for logic flaws
– Access handling: test authentication, session management, access control
– Input handling: fuzz all parameters, test specific functionalities
– Application hosting: test for shared hosting issues, test the web server
– Miscellaneous checks
– Information leakage
Next Class
Buffer overflow and application software insecurity