Abusing Locality in Shared Web Hosting. Nick Nikiforakis

Similar documents
Breaking Web Applications in Shared Hosting Environments. Nick Nikiforakis Katholieke Universiteit Leuven

Abusing Locality in Shared Web Hosting

Two Novel Server-Side Attacks against Log File in Shared Web Hosting Servers

Web application security

Using Foundstone CookieDigger to Analyze Web Session Management

What is Web Security? Motivation

Application Security Testing

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Last update: February 23, 2004

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Check list for web developers

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

The Top Web Application Attacks: Are you vulnerable?

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Common Criteria Web Application Security Scoring CCWAPSS

Where every interaction matters.

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Cross Site Scripting in Joomla Acajoom Component

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

SAP: Session (Fixation) Attacks and Protections

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Network Security Exercise #8

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Cross-Site Scripting

Ruby on Rails Secure Coding Recommendations

A Survey on Security and Vulnerabilities of Web Application

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Lecture 11 Web Application Security (part 1)

Web Application Report

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Implementation of Web Application Firewall

Hack Proof Your Webapps

HP WebInspect Tutorial

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Thick Client Application Security

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Security Testing with Selenium

Hacker Intelligence Initiative, Monthly Trend Report #17

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

INSTANT MESSAGING SECURITY

CEH Version8 Course Outline

Gateway Apps - Security Summary SECURITY SUMMARY

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Top 10 Web Application Security Vulnerabilities - with focus on PHP

(WAPT) Web Application Penetration Testing

Magento Security and Vulnerabilities. Roman Stepanov

Web Security CS th November , Jonathan Francis Roscoe, Department of Computer Science, Aberystwyth University

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Locking down a Hitachi ID Suite server

Sitefinity Security and Best Practices

Web App Security Audit Services

Performance Evaluation of Shared Hosting Security Methods

Offensive Security. Advanced Web Attacks and Exploitation. Mati Aharoni Devon Kearns. v. 1.0

CYBERTRON NETWORK SOLUTIONS

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

WEB APPLICATION SECURITY

CS 558 Internet Systems and Technologies

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

05.0 Application Development

Chapter 1 Web Application (In)security 1

Intrusion detection for web applications

Rational AppScan & Ounce Products

Protecting Web Applications and Users

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Last Updated: July STATISTICA Enterprise Server Security

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Web Application Security

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Data Breaches and Web Servers: The Giant Sucking Sound

Web Application Security

Web Application Vulnerability Testing with Nessus

Web Application Vulnerabilities and Avoiding Application Exposure

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Using Nessus In Web Application Vulnerability Assessments

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

OWASP AND APPLICATION SECURITY

Introduction to Computer Security

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

Transcription:

Abusing Locality in Shared Web Hosting Nick Nikiforakis Nick Nikiforakis Brucon 19 th September 2011

PhD student at KUL About me Applied security research Low-level countermeasures for unsafe languages Web application security Published in academic/industry and hacking conferences http://www.securitee.org

In one sentence Two novel server-side session attacks against Web applications hosted in a shared-hosting environment, which target a Web application s logic instead of authenticated users Bypass authentication mechanisms Elevate privileges Conduct, previously impossible, attacks

Roadmap Shared Hosting Session Identifiers Session Attacks Standard (client-side) Session Snooping, Session Poisoning (server-side) Who is affected Existing Protection mechanisms Conclusion

Shared Hosting 124,953,126 active domains[1] 121,121 registered today Hosting companies Shared Hosting Virtual Dedicated Hosting Dedicated Hosting [1] http://www.domaintools.com/internet-statistics/

Shared Hosting Prices Shared Hosting Starting at 3.64 Euro/month Virtual Dedicated Hosting Starting at 21.89 Euro/month Dedicated Hosting Starting at 45.97 Euro/month 6X

Shared Hosting Many users share one server Typically: 1 Virtual Host Setting/User User is confined to a small number of directories All web applications run with the privileges of the Web Server

Downsides of Shared Hosting More Limits Less Control Less Performance LESS SECURITY!

Sessions

HTTP & HTTPS The two workhorse protocols are by design stateless No native-tracking mechanism provided Inability to enforce access control Mechanisms HTTP Authentication Client-side SSL certificates Session identifiers

Session Identifiers Generate pseudo-random identifier (token) and bind that with a specific user Give this token to the user Every time that the user visits the page, make the distinction based on that token Indispensable feature of the modern WWW All Web-programming languages support it

Session Cookie Ways to communicate the session identifier to the user: As a cookie PHPSESSID=qwertyuiop; As a GET parameter http://www.mysite.com/index.php?id=qwertyuiop

Well-known session attacks Session Hijacking Through XSS XSSed contains more than 300,000 records Sniffed Traffic Open WiFi, TOR Exit nodes Most recent-tool, FireSheep Session Fixation Get a valid session Let the user populate it Then use it again

Sessions and the Server

Behind the scenes session_start(), creates a file that will contain all the values that the programmer will set in the $_SESSION[] array The filename consists of a standard prefix and the session_id itself Set-Cookie: PHPSESSID= qwertyuiop Filename: sess_qwertyuiop Stored in the default session store /tmp, /var/lib/php5,

What does the session file look like $_SESSION[ loggedin ] = 1; $_SESSION[ user ] = admin ; $_SESSION[ num ] = 4.5; loggedin i:1; user s:5: admin num d:4.5

Behind the scenes User With Session GET /index.php Cookie: PHPSESSID=12345678. Open file: $Session_store/$Prefix_ 12345678 Populate $_SESSION[] array with values from this file

Facts By default, all PHP scripts share a common session store The session file accessed by PHP is based on the session id provided by the user A Web application can t distinguish between sessions that it created and sessions that other applications created

Results An attacker with a single malicious PHP script can: 1. force a co-located web application to use sessions that it didn t create 2. Open session files that he didn t create and make arbitrary changes

Results An attacker with a single malicious PHP script can: 1. force Session a co-located Poisoning web application to use sessions that it didn t create 2. Open Session session files Snooping that he didn t create and make arbitrary changes

if (isset( $_SESSION[ isadmin ]) ){ //Administrative panel [ ] } $_SESSION[ isadmin ] = True;

Session Poisoning 1. An attacker creates a new session 2. Populates this session with common variable names $_SESSION[ loggedin ] = 1 $_SESSION[ isadmin ] = 1 $_SESSION[ user ] = admin $_SESSION[ userid ] = 0

Session Poisoning 3. Forces the session cookie to all of the websites/web applications located on the same server 4. If an application uses the same naming of variables then the attacker can circumvent the logic of the application E.g, if (isset($_session[ isadmin ]))

Session Snooping 1. The attacker visits a co-located website, creates an account and does an exhaustive browsing of the website 2. He prints out his session identifier 3. He instructs his own scripts to load the session file with the session identifier of the website in question i. Legitimate operation of session_id()

Session snooping 4. He looks at the values that the website has set in the session identifier 5. He edits/adds values which will enable him to elevate his rights $_SESSION[ userid ] = 45;

Session snooping 4. He looks at the values that the website has set in the session identifier 5. He edits/adds values which will enable him to change/elevate his rights $_SESSION[ userid ] = 45; $_SESSION[ userid ] = 44;

Mass Attacks Attacker Methodology Obtain list of websites located on the same physical server as you Create a session and set many common keywords Browse all the different websites, always forcing the session cookie that you created

Specific targets Attacker Methodology Place yourself on the same server as your victim Browse their website extensively and then load their session in your PHP snooping script Change values at will Reload page

Hopefully DEMO!

Attacks made possible Expanding the attack surface Programmers trust their own input SQL, XSS, Local/Remote file inclusion SELECT fname,lname,email from users where userid = $_SESSION[ userid ]; $_SESSION[ userid ] = -1 UNION ALL SELECT ;

Attacks made possible Evading Web application firewalls Session values that are used in SQL requests are never in the URL or body of the request Evade logging Attack vector is not present in the attacker s request, thus it will never show in any kind of logging

Roadmap Shared Hosting Session Identifiers Session Attacks Standard (client-side) Session Snooping, Session Poisoning (server-side) Who is affected Existing Protection mechanisms Conclusion

Who is affected? Everyone hosted on a shared hosting environment who is not actively protecting their sessions Open source applications forum-software, picture galleries, web admin panels, CMS Custom scripts

Teaching Programmers Chapter 8: Sessions work great with no additional tweaking.

Common session stores How popular is the use of common session stores? Crawl phpinfo pages on 500 websites 89.71% kept the default values /tmp /var/lib/php4 C:\PHP\sessiondata

Case Study: CMS Content Management Systems Enable non-programmers to create professional, dynamic and powerful websites

CMS: Results 9 out 10 used sessions to maintain state 2 out of 9 used the default PHP session functionality Concrete5 & WolfCMS 22.2% Vulnerable The non-vulnerable ones used the database to store their sessions

Roadmap Shared Hosting Session Identifiers Session Attacks Standard (client-side) Session Snooping, Session Poisoning (server-side) Who is affected Existing Protection mechanisms Conclusion

Suhosin Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Patch to protect core Extension to protect applications

Suhosin Session Defaults Session data can be encrypted transparently. The encryption key used consists of this user defined string (which can be altered by a script via ini_set()) and optionally the User-Agent, the Document-Root and 0-4 Octects of the REMOTE_ADDR.

Other server solutions suexec, suphp, fastcgi One common goal Run applications with specific user privileges instead of nobody web user We can no longer open other peoples session files and snoop around (Session Snooping) 16-35x overhead But?

Can we go around these? If the session store is still common, yes Create and poison session Change permissions of session file to 0777 Force site to use the specific session id This will work because your file is available to all other users

Roadmap Shared Hosting Session Identifiers Session Attacks Standard (client-side) Session Snooping, Session Poisoning (server-side) Who is affected Existing Protection mechanisms Conclusion

Take away In an shared hosting environment where: Each Web application runs as a different user Isolation enforced by the OS A Web shell won t help you touch other Web applications Abusing the common session storage to perform Session Poisoning and Session Snooping, will

Conclusion Session management functionality of PHP was NOT designed with shared hosting in mind Two novel server-side attacks against session identifiers Bypass authentication Impersonate users Perform, previously impossible, attacks

Thank you Questions? Contact: nick.nikiforakis [AT] cs.kuleuven.be http://www.securitee.org http://demo1.cz.cc http://sessionattacker.cz.cc

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information