Mapping Application - Computer Science & Engineering

Download Report

Transcript Mapping Application - Computer Science & Engineering

Web Application Exploits
Computer Science and Engineering
1
Reading
• Required:
– Stuttard and Pinto: Chapter 3
– Review: OWASP: 2013 Top 10 List,
https://www.owasp.org/index.php/Top_10_2013-Top_10
• Recommended: cool tutorials
– Google Gruyere Codelab tutorial by Bruce Leban, Mugdha Bendre,
and Parisa Tabriz, http://googlegruyere.appspot.com/part1#1__setup
– How To Break Web Software - A look at security vulnerabilities in
web software, http://www.youtube.com/watch?v=jXP7b-xby6U
– DEFCON 19: Web Application Analysis With Owasp Hatkit,
http://www.youtube.com/watch?v=JjJQ9b80xsE&feature=relmfu
Computer Science and Engineering
2
• Web security: primary target to attacks
• Web Application technologies
– Client side
– Server side
– Application
– Transfer protocol
• Common vulnerabilities
Computer Science and Engineering
3
Web Application
Architecture
XSS
Malware
Session hijack
Redirection
Communication
…
security
Web
service
Injection attacks
Information leakage
DOS
Unauth. modification
Database
Web server
client
Auth.
service
Access
control
Forged credentials
Unauthorized access
Computer Science and Engineering
4
Client Side
• Request resources – http requests
• Technologies to support functionality
– Browser
•
•
•
•
•
HTML
Hyperlinks
Forms
Scripts
Custom client components
Computer Science and Engineering
5
Server side
• Receive client request, URL query string, HTTP
cookies, or in request body
• Technologies to supply functionality:
– Scripting languages: PHP, VBScript, Perl
– Web application platform: ASP.NET, Java
– Web Servers: Apache, IIS, Netscape Enterprise
– DBMS: Oracle, MySQL, SQL-Server,
– Back-end components
Computer Science and Engineering
6
The HTTP Protocol
•
•
•
•
Hyper Text Transfer Protocol
Stateless
Application layer protocol -- Layered on top of TCP
Client Server Model
– Request-response communication
• Originally developed to retrieve static text-based
resources
Computer Science and Engineering
7
HTTP Request
• Request line
1. HTTP method
2. Requested URL
3. HTTP version
• Header lines
– Host, Referer, Cookie, User-Agent, Connection,
etc.
• Request body
Computer Science and Engineering
8
GET
• Passes all request data in the URL query line
• GET /search?q= Web+Technologies HTTP/1.1
• Host: www.cse.edu…
Computer Science and Engineering
9
Post
•
•
•
•
Passes all data in the HTTP request body
POST /search?HTTP/1.1
Host: www.cse.edu…
q= Web+Technologies
Computer Science and Engineering
10
HTTP Response
• Status line
1. HTTP version
2. Numeric status call indicating the result of the request
3. Txt reason phrase describing the status of the response
• Header lines
– Server (web server software), Pragma (for the browser),
Expires (content), Content-Type, Content-Length
• Response body
Computer Science and Engineering
11
Status Codes
•
•
•
•
•
1xx – Informational
2xx – the request was successful
3xx – the client is redirected to a different resource
4xx – the request contains an error of some kinds
5xx – the server encountered an error fulfilling the
request
Computer Science and Engineering
12
Commons Status Codes
•
•
•
•
•
•
200: OK
302: Location redirection
401: client is unauthorized for the resource
403: forbidden even if the client has the credentials
404: not found
500: internal server error caused by the request
Computer Science and Engineering
13
Issues for HTTP Methods
• GET – retrieves a resources
– Send parameters to the requested resource
– Be Aware! URLs are stored and displayed -> do not
include sensitive data in the query string
• POST – performs an action
– Request parameters sent in the URL query string or
in message body
– Be Aware! Back button use  warning
• Other methods: Head, Trace, Put, etc.
Computer Science and Engineering
14
HTTPS
• HTTP tunneled through SSL
• HTTP Proxies
– Using HTTP
– Using HTTPS
• Proxy is a man-in-the-middle
• Pure TCP level relay
Computer Science and Engineering
15
HTTP Authentication
• Basic: sends user credentials as a Base64-encoded
string in a request header
• NTLM: Challenge-response using Windows NTLM
protocol
• Digest: challenge-response using MD5 and checksum
of a nonce with the user’s credentials
Computer Science and Engineering
16
State and Session
• Client and server exchange and process data
• Application needs to maintain the state of each user
interactions
– Server side structure: session
– Client side: sent by the server and protected from
tampering
• Stateless HTTP  token to identify user sessions
Computer Science and Engineering
17
HTTP Vulnerabilities
• Header-based attacks: not very common
– Headers are simple
– Any command or response that is not valid, ignored
• Header are free form  several options on how to
interpret data
– Buffer overflow may occur
– Client- and server side executables : data may be
passed to other applications
Computer Science and Engineering
18
HTTP Vulnerabilities 2.
• Protocol-based attacks: most common
• Incorrect authentication
– Access directories (username/password) by stolen
credentials
• Authentication travels as clear text
• Challenge response
• Cookes
– Spoofing attacks
Computer Science and Engineering
19
HTTP Vulnerabilities 3.
• Traffic-based attacks
• Denial of Service attacks
• Traffic privacy violations
Computer Science and Engineering
20
Web Application Characteristics
Computer Science and Engineering
21
Functionality
• Server side technologies:
– Scripting languages
– Web application platform
– Web server software
– Databases
– Back-end components
• Client-side technologies:
– Browser Extension technologies
Computer Science and Engineering
22
Application Characteristics
• Understand what application does and how it behaves
– Content
– Functionality
• Find out:
– Application behavior
– Core security mechanisms
– Technologies being used
• Client side
• Server side
Computer Science and Engineering
23
Enumerating Content and
Functionality
• Manual vs. automated browsing
– Walk through the application
– Follow every link
– Navigate through multistage functions
• Web spidering
– Tools to follow all links until no new content is
found
– Can parse static HTML, multi-stage functionality,
form-based navigation, client-side JavaScript
Computer Science and Engineering
24
Robots.txt
• Web servers maintain in root
– Contains list of URLs not available for web spiders
• Can be used by spiders as the seed
– References to sensitive functionality
Computer Science and Engineering
25
Automated Spidering
• E.g., Burp Spider, WebScarab
• General limitations:
– Cannot handle dynamically created menus
– Limited depth to find links
– May fail input validation for multistage functionality
– Unique content is identified by URL  not good for
form-based navigation
– May fail authentication session
Computer Science and Engineering
26
User Directed Spidering
• User walks through the application and uses a spider to
collect and analyze findings
• Good for
– Unusual or complex navigation needs
– User control of input data
– User can login to application and pass authentication
– User can decide on requested functions
Computer Science and Engineering
27
Hacking Steps 1.
• Configure browser to use spider
• Browse the application normally
– Visit every link
– Proceed through multi-stage functions
– JavaScrip enabled/disabled; cookies enabled/disabled
• Review site map to identify non-visited content
• Do an automated spidering
Computer Science and Engineering
28
Discovering Hidden Content
• Not directly linked to or reachable from the main page
– E.g., testing and debugging content, different
functionality for different types of users, backup
copies, archives, old version of files, default
application functionality, log files, etc.
• Added attack points, sensitive content, etc.
• Automated, brute-force attack: Burp Intruder
Computer Science and Engineering
29
Hacking Steps 2
• Make unusual requests and identify response
• Use site map to identify hidden content
• Use brute-force attacks to identify how application handles
requests
• Manually review responses
• Inferencing from published content (e.g., naming)
– Compile list of names of subdirectories
– Identify naming schemes, file extensions
– Review all client side code
– Look at temporary files
• Burp: Content Discovery – automate attack
Computer Science and Engineering
30
Use Public Information
• Find old resources
• Search Engines:
– Advanced Search: resource, login, links, related
– Google domains
– Omitted results
– Cashed versions
– Other domains of the same organization
• Web archives, e.g., WayBack Machine
Computer Science and Engineering
31
Web Server Vulnerabilities
• Web server software vulnerability
– Default content
– Sample and diagnostic scripts
– Standard functionality
• Wikto: a tool that checks for flaws in web servers
– http://sectools.org/tool/wikto/
Computer Science and Engineering
32
Additional Mappings
• Functional paths
– URL query parameters, REST-style URLs
• Discovering Hidden Parameters
– Try default parameter names, e.g, debug, test, hide,
etc.
– Monitor responses to identify anomalies
• Analyzing Applications
– Functionality, behavior, security
• Server side functionality
Computer Science and Engineering
33
Mapping the Attack Surface
• Use the results of the analysis to find vulnerabilities
Computer Science and Engineering
34
SOA Service
Communication
• Simple Object Access Protocol (SOAP)-based
• REST based (no additional messaging layer)
• Communication over HHTP
Computer Science and Engineering
35
Industry standards
• XML
– XML encryption
– XML Signature
– Canonical XML
– Decryption Transformation for XML Signature
• WS-Security
• Security Assertion Markup Language (SAML)
Computer Science and Engineering
36
Next Class
• XML, RDF, Web application security
Computer Science and Engineering
37