Network Security Exercise #8




Computer and Communication Systems, Lehrstuhl für Technische Informatik
Network Security Exercise #8
Falko Dressler and Christoph Sommer
Computer and Communication Systems, Institute of Computer Science, University of Innsbruck, Austria
31.05.2012

How can I become a hacker?

Google Hacking
Always make sure that no mission-critical data can be accessed from the web. Under no circumstance should such data be reachable by web crawlers. Examples of search queries that expose such data:
- filetype:pwd service
- filetype:bak inurl:"config.inc.php"
- filetype:properties inurl:db intext:password
- "VNC Desktop" inurl:5800
- "This file was generated by Nessus"

How do attackers find their targets?
- Ping sweeps
- Port scanning: TCP Connect, SYN, FIN, ACK and NULL scans, UDP scan (nmap -sT, -sS, -sF, -sA, -sN, -sU <host>)
- Determining the operating system: stack fingerprinting, TCP window size, patterns in the ACK field, ... (nmap -O <host>)
- Countermeasures: block ICMP? No! Filter ports, install a port scan detector

How do attackers find their targets?
- Banner grabbing: daemons are very chatty, telling visitors a lot about themselves or the system they're running on
- Thus, attackers can scan horizontally, i.e., for a given service, or vertically, i.e., for any vulnerable service
- Countermeasures: shut daemons up, make daemons show misleading banners, install a port scan detector
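The "port scan detector" countermeasure from these two slides, as an added example that is not part of the original slides: it reads constructed connection-log lines and flags a source as a vertical scan (many ports on one host) or a horizontal scan (one port across many hosts) within a time window. The log format, thresholds and IP addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed connection log (not from the slides), one attempt per line:
# "<epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
SAMPLE_LOG = """\
1338454800 10.0.0.5 192.168.1.10 21 S
1338454801 10.0.0.5 192.168.1.10 22 S
1338454801 10.0.0.5 192.168.1.10 23 S
1338454802 10.0.0.5 192.168.1.10 25 S
1338454802 10.0.0.5 192.168.1.10 80 S
1338454810 10.0.0.8 192.168.1.1 445 S
1338454810 10.0.0.8 192.168.1.2 445 S
1338454811 10.0.0.8 192.168.1.3 445 S
1338454811 10.0.0.8 192.168.1.4 445 S
1338454812 10.0.0.8 192.168.1.5 445 S
1338454820 10.0.0.7 192.168.1.10 443 S
1338454830 10.0.0.7 192.168.1.10 443 S
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, port, flags = line.split()
        events.append((int(ts), src, dst, int(port), flags))
    return sorted(events)

def detect_scans(events, window=60, threshold=5):
    """Return {src_ip: kind}. 'vertical' = at least `threshold` distinct
    ports on one host within `window` seconds (probing for any service);
    'horizontal' = at least `threshold` hosts on one port (one service
    across the network). Only pure SYN attempts are counted."""
    by_src = defaultdict(list)
    for ts, src, dst, port, flags in events:
        if flags == "S":
            by_src[src].append((ts, dst, port))
    alerts = {}
    for src, evs in by_src.items():
        for t0, _, _ in evs:
            recent = [(d, p) for t, d, p in evs if t0 <= t < t0 + window]
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for d, p in recent:
                ports_by_host[d].add(p)
                hosts_by_port[p].add(d)
            if any(len(s) >= threshold for s in ports_by_host.values()):
                alerts[src] = "vertical"
            elif any(len(s) >= threshold for s in hosts_by_port.values()):
                alerts[src] = "horizontal"
    return alerts
```

The source 10.0.0.7 retries one port on one host and is not flagged, which is the false-positive case a threshold is there to avoid.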

Top 10 vulnerabilities
Open Web Application Security Project (OWASP): OWASP Top Ten 2010

Debug information and standard paths
- Verbose error messages reveal sensitive information
- Standard paths are prime targets for brute force attacks: phpinfo, phpmyadmin, install.php

PHP: register_globals
- Legacy convenience flag: allows shortening $_GET["User"] or $_SESSION["User"] to an access of the local variable $User
- Vulnerability: allows a web site visitor to set the default values of local variables via the values they pass in
- Never rely on code that depends on the register_globals flag being enabled

PHP: register_globals
Ancient history?

SQL Injections
- Still vulnerability No. 1
- Missing input validation of user data (e.g., from GET and POST requests) allows executing arbitrary SQL statements
- Yes, cookies are user data, too

Defending against SQL Injections
- All user input is evil
- Use white lists, not black lists
- At the very least, use system-provided functions for escaping user input
- Use prepared statements: the SQL statement with variable content is prepared (think: compiled) before execution, e.g. SELECT userid, pass FROM users WHERE (userid=?); the parameters are filled in at run time. Faster and completely invulnerable to SQL injection
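The slide's prepared statement carried through in working code, as an added example that is not part of the original slides (Python with sqlite3 standing in for the PHP/MySQL stack the slides have in mind): the string-concatenated lookup beside the parameterized one, plus the white-list validation the slide asks for first. The table contents and the user-ID character set are assumptions.

```python
import re
import sqlite3

def setup_db():
    # Constructed in-memory stand-in for the slide's "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash1"), ("bob", "hash2")])
    return conn

def is_valid_userid(userid):
    # White list: only the characters a user ID may contain (assumed set).
    # Anything else is rejected outright instead of enumerating "bad" ones.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", userid) is not None

def lookup_vulnerable(conn, userid):
    # The user-supplied value is pasted into the SQL text, so a quote
    # character in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT userid, pass FROM users WHERE (userid='" + userid + "')"
    return conn.execute(sql).fetchall()

def lookup_prepared(conn, userid):
    # The prepared statement from the slide: the SQL text is fixed and the
    # value is bound at run time, so it is only ever treated as data.
    sql = "SELECT userid, pass FROM users WHERE (userid=?)"
    return conn.execute(sql, (userid,)).fetchall()

def login_lookup(conn, userid):
    # Defence in depth: white-list validation first, prepared statement second.
    if not is_valid_userid(userid):
        return []
    return lookup_prepared(conn, userid)
```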

XSS - Cross Site Scripting
- Non-persistent Cross Site Scripting: inject malicious code via GET or POST to a page; the destination page renders the malicious code; no permanent change; the victim has to execute the GET/POST, e.g., by clicking on a link
- Persistent Cross Site Scripting: malicious code is permanently stored; the target page will render the malicious code and can thus target every future visitor

Warding against XSS
- All user input is evil
- Use white lists, not black lists
- At the very least, use system-provided functions for escaping user input
- As the client: disable client-side code execution in the web browser
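Output escaping with a system-provided function, as an added example that is not part of the original slides (Python's html.escape standing in for PHP's htmlspecialchars): a constructed comment store covers the persistent case, a search box the reflected one. Rendering into an attribute is escaped separately because the context differs.

```python
import html

# Constructed in-memory comment store (not from the slides), standing in
# for a page that keeps visitor comments: the persistent XSS case.
COMMENTS = []

def store_comment(text):
    # Keep the raw text; escaping happens at output time, for the context
    # the text is rendered into.
    COMMENTS.append(text)

def render_unescaped():
    # Vulnerable: stored text is spliced into the markup, so any tags in it
    # are interpreted by the browser of every future visitor.
    return "<ul>" + "".join("<li>" + c + "</li>" for c in COMMENTS) + "</ul>"

def render_escaped():
    # html.escape turns < > & " ' into entities, so the browser displays the
    # text rather than interpreting it.
    return "<ul>" + "".join("<li>" + html.escape(c, quote=True) + "</li>"
                            for c in COMMENTS) + "</ul>"

def render_search_box(query):
    # Attribute context (the non-persistent, reflected case): escape and
    # always quote the attribute value so it cannot be closed early.
    return '<input type="text" name="q" value="%s">' % html.escape(query, quote=True)
```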

Session Hijacking
Attacker tries to take over a session that was established between victim and server, and thus takes over the identity of the victim.
- Session fixation: attacker tries to assign the victim a chosen, known session ID
- Session sidejacking: overhearing of the session ID, e.g., via sniffing
- XSS: malicious code instructs the victim's browser to transmit the session ID to the attacker

Warding against Session Hijacking
- Choose session IDs that cannot be guessed
- Do not use (only) the session ID for authenticating requests
- Use a tuple of session ID and IP address (no!)
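Unguessable session IDs with a fixation defence, as an added example that is not part of the original slides: IDs come from the OS CSPRNG, a login never adopts an ID the client presented, and lookups do not bind the session to the client IP address (the measure the slide marks "no!"). The server-side store is a constructed dictionary.

```python
import secrets
import hmac

SESSIONS = {}   # constructed server-side store: session ID -> user name

def new_session_id():
    # 32 bytes from the OS CSPRNG (about 256 bits of entropy): cannot be
    # guessed, unlike counters, timestamps or hashes of the user name.
    return secrets.token_urlsafe(32)

def login(user, presented_sid=None):
    # Fixation defence: never adopt an ID the client presented. Always issue
    # a fresh one on login and forget whatever the client sent.
    SESSIONS.pop(presented_sid, None)
    sid = new_session_id()
    SESSIONS[sid] = user
    return sid

def logout(sid):
    SESSIONS.pop(sid, None)

def user_for(sid):
    # Constant-time comparison, so a timing side channel cannot narrow the
    # search; no IP binding, since legitimate clients change addresses.
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, sid):
            return user
    return None
```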

Cross-Site Request Forgery (CSRF), aka Session Riding
Problem: browsers will automatically send a whole range of credentials.
Modus operandi:
1. victim instructs browser to log into web site A
2. web site returns cookie
3. victim's browser stores cookie
4. attacker tricks victim's browser into sending malicious request to web site A
5. victim's browser automatically sends stored cookie
6. malicious request is authenticated successfully, executed
Attack vectors:
<a href="http://www.example.com/profile/delete?confirm=1">...
<img src="http://www.example.com/profile/delete?confirm=1">...
<form action="http://www.example.com" ><input type="hidden"...

Warding against CSRF
- Do not rely (only) on automatically transmitted credentials, e.g., by embedding part of the credential in each authorized link
- Make the user re-enter their password for triggering hard-to-undo actions
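The "embed part of the credential in each authorized link" defence for the slide's profile/delete example, as an added example that is not part of the original slides: a token derived from the session ID under a server-only key is put into every legitimate link and form, and the handler rejects requests that carry only the cookie, which is all a planted <img> or <a> can send. The key and route names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SERVER_KEY = secrets.token_bytes(32)   # constructed server-side secret

def csrf_token(session_id):
    # Part of the credential bound to this session: HMAC of the session ID
    # under a key only the server knows. A third-party page cannot compute it.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def authorized_link(session_id, path, params):
    # Every link the site itself emits for a state-changing action carries
    # the token as an extra query parameter.
    q = dict(params, csrf=csrf_token(session_id))
    return path + "?" + urlencode(q)

def hidden_field(session_id):
    # Same token for forms, as a hidden input the site's own form contains.
    return '<input type="hidden" name="csrf" value="%s">' % csrf_token(session_id)

def handle_delete(session_id, query_string):
    # session_id arrives automatically via the cookie; the token does not.
    # A request without a valid token is not acted on.
    params = parse_qs(query_string)
    token = params.get("csrf", [""])[0]
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return "rejected"
    if params.get("confirm", [""])[0] != "1":
        return "rejected"
    return "deleted"
```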

Insecure Direct Object References
- Users are allowed to access an object via a direct reference (photo_id=123)
- No further authorization checks are performed
- Attacker can manipulate the object reference (photo_id=124) to circumvent checks

More vulnerabilities
- Failure to Restrict URL Access: the only authorization check is knowledge of the URL, e.g., http://bank.de/admin
- Insufficient Transport Layer Security: TLS not used for every sensitive transaction (sensitive transaction = every transaction containing the full set of credentials); opens the possibility of session hijacking
- Unvalidated Redirects and Forwards: a trusted site can be made to redirect to an untrusted one, e.g., https://bank.com/i.php?forward=bank.vu/i.php
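Validating the forward= parameter from the slide's bank.com example, as an added example that is not part of the original slides: the handler honours only site-absolute paths or https URLs on an allow-listed host and falls back to a default otherwise, which also covers protocol-relative and look-alike host forms. The allow-list is an assumption.

```python
from urllib.parse import parse_qs, urlparse

# Constructed allow-list (not from the slides): hosts the site may forward to.
ALLOWED_HOSTS = {"bank.com", "www.bank.com"}

def forward_target(request_url, default="/"):
    """Return the URL the i.php?forward=... handler may redirect to.
    Only a site-absolute path or an https URL on an allow-listed host is
    honoured; anything else falls back to `default`."""
    params = parse_qs(urlparse(request_url).query)
    target = params.get("forward", [default])[0]
    if "\\" in target or any(ord(c) < 32 for c in target):
        return default            # backslash and control-character variants
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # Relative reference: accept only site-absolute paths. A "//host"
        # form is not caught here because urlparse puts the host in netloc.
        return target if target.startswith("/") else default
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS:
        return target
    return default
```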

Sources
- S. McClure et al., Das Anti-Hacker-Buch, bhv, 2006
- http://www.xkcd.com
- http://www.owasp.org/
- http://www.ligattsecurity.com/solutions/hacker-in-15-minutes