Live Hacking. Threats & Countermeasures in Action (SEC411) Ofer Maor CTO Hacktics Ltd.

Live Hacking Threats & Countermeasures in Action (SEC411) Ofer Maor CTO Hacktics Ltd.

Agenda Introduction to Application Hacking Demonstration of Attack Tool Common Web Application Attacks & Countermeasures Live Bank Hacking Demo Questions & Answers

About Hacktics Security Services Company Provides wide range of services with focus on the application security field Relies on vast experience in application level penetration testing and secure development Hacktics offers unique expertise in the technology and methodology of application security, together with out of the box thinking abilities and a keen understanding of the operational patterns of Hackers.

Introduction to Application Hacking

Overview Today, most organizations create, use and externalize distributed applications implementing business processes. The increasing numbers of such applications combined with the improved security in the infrastructure layer drives hackers to turn to application attacks. According to Gartner, over 75% of attacks today take place in the application layer.

What Is Application Hacking? Taking advantage of application-level vulnerabilities to attack the site Attacks relate to the semantics and meaning of application messages, such as HTTP requests, SQL Queries or proprietary requests. Differs from infrastructure attacks focusing on identifying unauthorized services (port scanning) and abusing known vulnerabilities.

Application vs. Infrastructure Not easily replicated (no script kiddies!), though still easily exploitable Target the organization s core business operations rather than technology Allows launching direct attacks rather than needing to break several circles of defense Used by attackers with specific agenda (criminals, industrial espionage, etc.).

Vulnerabilities Mitigation No prepared patch to easily deploy Fixing the vulnerability requires recoding, turning it into a costly procedure Design Mistake Fix Cost Increase (Gartner): 1x During Design 6.5x During Development 15x During Testing 100x After Deployment to Production - DRAFT -

Technical vs. Logical Technical flaws relate to the specific technical implementation of the application Logical flaws relate to the way business processes were developed, unrelated to the development infrastructure New security features added to development infrastructure help decrease the number of technical flaws, whereas logical flaws are still a prominent problem

Web Application Penetration Tool

Application Hacking Techniques Applications expect the client to behave in a certain predefined manner (only user controlled data is validated) The client, however, can be easily controlled by the malicious user (attacker) Easily done using friendly GUI based tools Interactive Interception Proxies Browser Plug-ins etc.

Interception Proxy Demo

Common Web Application Attacks & Countermeasures (With Live Demo!)

Topics Reconnaissance (Active/Passive) Parameter Tampering Session Hijacking Scripts Injection Cross Site Scripting Flow Bypassing (Forceful Browsing) SQL Injection

Passive Reconnaissance Understanding the Application Requests Monitoring Structure & Flow Mapping Searching Code for Comments Identifying Development Infrastructure Retrieving Internet Resources Google Hacking

Active/Malicious Reconnaissance Generate Exceptions & Errors Unreferenced URLs Default Components Administrative Interfaces Configuration/Log Files Source Code Disclosure Known Vulnerabilities Backup/Old Files File Access Components

Active/Malicious Reconnaissance Result of Failing Key Secure Design Principles: Input Validation Exception Management Mitigation: Properly handle all exceptions Disable detailed error messages, if present Avoid storing any redundant files/information on production machines

Parameter Tampering Overview The basic, most simple form of application level attack Is targeted directly at the business logic of the application Often does not require much knowledge of application attacks and can be achieved with no tools

Parameter Tampering The Problem Attackers may alter the value of parameters sent from the browser which were assumed by the developers to remain as is Potential Damage Attacker may gain access to unauthorized data, commit unauthorized transactions, go out of normal value boundaries, etc.

Parameter Tampering Result of Failing Key Secure Design Principles: Input Validation Authentication Authorization Session Management Mitigation: Never trust user submitted data Check authenticity and authorization for every operation performed.

Session Hijacking Overview Session Hijacking is an attack in which the attacker successfully takes control over a user s session, after obtaining a valid session identifier Potential Damage Through this attack the attacker is able to gain access to the system as if the attacker was authenticated to it, without ever knowing the authentication credentials of the attacked user

Session Hijacking Hacker s request was accepted as it contained a valid cookie

Session Hijacking Result of Failing Key Secure Design Principles: Proper Session Management Input Validation Mitigation: Always use a reliable session management mechanism (such as the one in ASP/ASP.Net) Protect your site from script attacks

Scripts Injection Overview A way to perform script-based attacks without being limited by browser security The attacker takes advantage of a component in the system which displays to users information previously inserted by other users The attacker embeds a script into the input, which is then executed on the browsers of other users

Scripts Injection The script, now from the web site s domain, was now able to access sensitive information and send it to the attacker

Scripts Injection The Problem No input validation takes place when data is received No output sanitation is performed when data is sent back to other users Potential Damage Cookie Theft Session Hijacking (Simple Exploit) Taking over entire browsing session (viewing users data and performing operations on their behalf) Improved Phishing Attacks

Cross Site Scripting (XSS) Overview Similar to Scripts Injection, Cross Site Scripting takes advantage of the same principal of making the remote server send the malicious script to the client Unlike with Scripts Injection, however, the client is part of the attack process, as the script itself is not permanently stored on the remote system The key elements of the problem, as well as the potential damage and mitigation are identical to those of the scripts injection attack.

Cross Site Scripting (XSS) The script, sent by the attacked client to the server was then received again by the client, now with the proper security context, and was able to send the cookie to the attacker

XSS Code Example A Search page: <HTML><TITLE>Search Results</TITLE><BODY> <% SearchTerm = Request.QueryString( SearchStr ) Querying DB Based on the Search Term If SearchRS.EOF Then Search yielded no results Response.Write( No results found for ) Response.Write(SearchTerm) Else Display all records End If %> </BODY></HTML>

XSS Code Example With input string XXX, the result is: <HTML><TITLE>Search Results</TITLE><BODY> No results found for XXX </BODY></HTML>

XSS Code Example However, with a script injected, the result is: <HTML><TITLE>Search Results</TITLE><BODY> No results found for <SCRIPT>Alert( Test )</SCRIPT> </BODY></HTML>

Scripts Injection/XSS Result of Failing Key Secure Design Principles: Input Validation Output Sanitation Mitigation: The Quick and Dirty way prevent users from inserting HTML meta characters such as <, >, ;, etc. Better yet, perform HTML encoding of all non alphanumeric characters, such as: < < > > " etc.

Flow Bypassing Overview Common Logical Attack (Using Forceful Browsing Techniques) Useful against step-based applications such as wizards or redirection-based applications Allows attackers to overcome specific authentication or authorization mechanisms

Flow Bypassing The Problem Specific operations which require more than one request to be completed to not properly enforce the flow of the operation Potential Damage Attacker can use this to overcome specific requests in the flow that relate to security, allowing Authentication Circumvention Authorization Circumvention Operation Validity Verification etc.

Flow Bypassing Result of Failing Key Secure Design Principles: Authentication Authorization Session Management Mitigation: Enforce flow of multi-step operations Rely on session for storing flow information Reverify authorization when committing the operation

SQL Injection Overview Most powerful web application attack targeting the data itself Takes advantage of common usage of Dynamic SQL Queries Allows an attacker to maliciously modify the query sent by the application to the server

SQL Injection The Problem When using Dynamic SQL, the syntax and parameters are concatenated together, thus allowing injection of SQL syntax through parameters Potential Damage Access of Unauthorized Data Data Alteration Server Takeover Denial of Service (Server Availability/Data Destruction) More

SQL Injection Code Sample I Login Page Code: SqlStr = "SELECT UserID FROM Users WHERE Username = '" & Request.QueryString("User") & "' AND Password = '" & Request.QueryString("Pass") & "'" Set MyConn = Server.CreateObject( ADODB.Connection ) MyConn.Open my_conn, dbuser, dbpass Set AuthRS = Server.CreateObject( ADODB.Recordset ) AuthRS.Open SqlStr, MyConn If LoginRS.EOF Then Response.Write("Invalid Login") Else Perform Authenticated Code End If

SQL Injection Code Sample I When normal users log in, the following query is created: SELECT * FROM Users WHERE Username = Hack AND Password = Tics However, an attacker can type in x OR 1 = 1 as the password, yielding the following query: SELECT * FROM Users WHERE Username = Hack AND Password = X OR 1 = 1 Returning a non empty record set, the attacker is logged on

SQL Injection Code Sample II Data Retrieval Code: SqlStr = "SELECT * FROM Packages WHERE Desc LIKE " & "'%" & Request.QueryString("SearchStr") & "%'" Set MyConn = Server.CreateObject( ADODB.Connection ) MyConn.Open my_conn, dbuser, dbpass Set PkgsRS = Server.CreateObject( ADODB.Recordset ) Pkgs.Open SqlStr, MyConn If LoginRS.EOF Then Response.Write( No Packages Match Search. ) Else Display all vacation packages information End If

SQL Injection Code Sample II With a normal search, the query received is: SELECT * FROM Products WHERE ProdDesc LIKE %Ios% The attacker, however, can add a UNION SELECT statement to the parameter, turning the query into the following one: SELECT * FROM Products WHERE ProdDesc LIKE %XXX XXX UNION SELECT Username, Password FROM Users --%

SQL Injection Result of Failing Key Secure Design Principles: Input Validation Authorization Cryptography Sensitive Data Access Limitations Mitigation: The Quick and Dirty way perform input validation to remove meta character, and turn every single quote into double quote Better yet, avoid using dynamic SQL. User Parameterized Queries instead

SQL Injection Using Parameterized Queries in C# // Defining the Query with @PkgID as its parameter String StrQry = SELECT * FROM Packages Where PkgID = @PkgID ; // Creating the connection and the SQL Command SqlConnection MyConn = new SqlConnection(ConnectionString); SqlCommand MyQry = new SqlCommand(StrQry, MyConn); // Creating and setting the parameter MyQry.Parameters.Add(new SqlParameter( @PkgID, SqlDbType.Int)); MyQry.Parameters[ @PkgID ].Value = Request.QueryString[ PkgID ]; // And Execute MyConn.Open(); SqlDataReader SqlDR = MyCmd.ExecuteReader();

Rockefeller Center - Ice skating אחד המקומות היפים בחורף הניו יורקי

Volare מסעדה איטלקית קטנה ונה דרת 147 West 4th Street New York, New York 10012-1010

Thank You! For Additional Information: Email: Web: www.hacktics.com