Network Security Exercise #8

Transcription

1 Computer and Communication Systems Lehrstuhl für Technische Informatik Network Security Exercise #8 Falko Dressler and Christoph Sommer Computer and Communication Systems Institute of Computer Science, University of Innsbruck, Austria

2 How can I become a hacker? Network Security Exercise #8 2

3 How can I become a hacker? Network Security Exercise #8 2

4 Google Hacking Always make sure that no mission-critical data can be accessed from the web. Under no circumstance should such data be reachable by web crawlers. filetype:pwd service filetype:bak inurl:"config.inc.php" filetype:properties inurl:db intext:password "VNC Desktop" inurl:5800 "This file was generated by Nessus" Network Security Exercise #8 3

5 How do attackers find their targets? Ping sweeps Port scanning TCP Connect SYN FIN ACK NULL Scan, UDP SCAN nmap -st ss sf sa SN <host> Determining the operating system Stack fingerprinting, TCP window size, patterns in ACK field,... nmap -O <host> Countermeasures block ICMP? No! filter ports install port scan detector Network Security Exercise #8 4

6 How do attackers find their targets? Banner grabbing daemons are verry chatty, telling visitors a lot about themselves or the system they re running on thus, attackers can scan... horizontally, i.e., for a given service vertically, i.e., for any vulnerable service countermeasures shut daemons up make daemons show misleading banners install port scan detector Network Security Exercise #8 5

7 Top 10 vulnerabilities Open Project (OWASP) OWASP Top Ten 2010? Network Security Exercise #8 6

8 Top 10 vulnerabilities Open Project (OWASP) OWASP Top Ten 2010 Network Security Exercise #8 6

9 debug information and standard paths verbose error messages reveal sensitive information standard paths are prime targets for brute force attacks phpinfo phpmyadmin install.php Network Security Exercise #8 7

10 debug information and standard paths verbose error messages reveal sensitive information standard paths are prime targets for brute force attacks phpinfo phpmyadmin install.php Network Security Exercise #8 7

11 PHP: register_globals legacy convenience flag: allows shortening $_GET["User"] or $_SESSION["User"] to access of local variable $User vulnerability: allows setting default values of local variables by those passed by web site visitor never rely on code relying on enabled register_globals flag Network Security Exercise #8 8

12 PHP: register_globals ancient history? Network Security Exercise #8 9

13 PHP: register_globals ancient history? Network Security Exercise #8 9

14 SQL Injections Still vulnerability No. 1 Missing input validation of user data (e.g., from GET and POST requests) allows executing arbitrary SQL statements Network Security Exercise #8 10

15 SQL Injections Still vulnerability No. 1 Missing input validation of user data (e.g., from GET and POST requests) allows executing arbitrary SQL statements Yes, Cookies are user data, too Network Security Exercise #8 10

16 Defending against SQL Injections All user input is evil Use white lists, not black lists At the very least, use system-provided functions for escaping user input Use prepared statements SQL statement with variable content is prepared (think: compiled) before execution SELECT userid, pass FROM users WHERE (userid=?) Parameters are filled in at run time Faster and completely invulnerable to SQL injection Network Security Exercise #8 11

17 XSS - Cross Site Scripting non persistent Cross Site Scripting inject malicious code via GET or POST to page destination page renders malicious code no permanent change victim has to execute GET/POST, e.g., by clicking on link persistent Cross Site Scripting malicious code is permanently stored target page will render malicious code can thus target every future visitor Network Security Exercise #8 12

18 Warding against XSS All user input is evil Use white lists, not black lists At the very least, use system-provided functions for escaping user input As the client: disable client-side code execution in web browser Network Security Exercise #8 13

19 Session Hijacking Attacker tries to take over a session that was established between victim and server. Takes over identity of victim. Session fixation Attacker tries to assign victim a chosen, known session ID Session sidejacking Overhearing of session ID, e.g., via sniffing XSS Malicious code instructs victim s browser to transmit session ID to attacker Network Security Exercise #8 14

20 Warding against Session Hijacking Choose Session IDs that cannot be guessed Do not use (only) session ID for authenticating requests Use tuple of session ID and IP address (no!) Network Security Exercise #8 15

21 Cross-Site Request Forgery (CSRF) aka Session Riding problem: Browsers will automatically send a whole range of credentials modus operandi: Network Security Exercise #8 16

22 Cross-Site Request Forgery (CSRF) aka Session Riding problem: Browsers will automatically send a whole range of credentials modus operandi: 1. victim instructs browser to log into web site A 2. web site returns cookie 3. victim s browser stores cookie 4. attacker tricks victim s browser into sending malicious request to web site A 5. victim s browser automatically sends stored cookie 6. malicious request is authenticated successfully, executed attack vectors: Network Security Exercise #8 16

23 Cross-Site Request Forgery (CSRF) aka Session Riding problem: Browsers will automatically send a whole range of credentials modus operandi: 1. victim instructs browser to log into web site A 2. web site returns cookie 3. victim s browser stores cookie 4. attacker tricks victim s browser into sending malicious request to web site A 5. victim s browser automatically sends stored cookie 6. malicious request is authenticated successfully, executed attack vectors: <a href=" Network Security Exercise #8 16

24 Cross-Site Request Forgery (CSRF) aka Session Riding problem: Browsers will automatically send a whole range of credentials modus operandi: 1. victim instructs browser to log into web site A 2. web site returns cookie 3. victim s browser stores cookie 4. attacker tricks victim s browser into sending malicious request to web site A 5. victim s browser automatically sends stored cookie 6. malicious request is authenticated successfully, executed attack vectors: <a href=" <img src=" Network Security Exercise #8 16

25 Cross-Site Request Forgery (CSRF) aka Session Riding problem: Browsers will automatically send a whole range of credentials modus operandi: 1. victim instructs browser to log into web site A 2. web site returns cookie 3. victim s browser stores cookie 4. attacker tricks victim s browser into sending malicious request to web site A 5. victim s browser automatically sends stored cookie 6. malicious request is authenticated successfully, executed attack vectors: <a href=" <img src=" <form action=" ><input type="hidden"... Network Security Exercise #8 16

26 Warding against CSRF do not rely (only) on automatically transmitted credentials, e.g., by embedding part of the credential in each authorized link. make user re-enter password for triggering hard-to-undo actions Network Security Exercise #8 17

27 Insecure Direct Object References Users allowed to access object via direct reference (photo_id=123) No further authorization checks performed Attacker can manipulate object reference (photo_id=124) to circumvent checks Network Security Exercise #8 18

28 More vulnerabilities Failure to Restrict URL Access Only authorization check is knowledge of URL, e.g., Insufficient Transport Layer Security TLS not used for every sensitive transaction sensitive transaction = every transaction containing full set of credentials opens possibility of session hijacking Unvalidated Redirect Forwards Trusted site can be made to redirect to an untrusted one Network Security Exercise #8 19

29 Sources S. McClure et al., Das Anti-Hacker-Buch, bhv, minutes Network Security Exercise #8 20