INFORMATION SECURITY - PRACTICAL ASSESSMENT - TP2 - BASICS IN WEB EXPLOITATION




GRENOBLE INP ENSIMAG - http://www.ensimag.fr
COMPUTER SCIENCE 3RD YEAR - SIF-LOAD - 1ST SEMESTER, 2011
Lecturers: Fabien Duchene - Karim Hossen (firstname.lastname [ at ] imag.fr)

NOTE: Practical assessment regarding the course we had on Thu. 29th September 2011 and regarding chapter 1.2 (web vulnerabilities): https://ensiwiki.ensimag.fr/index.php/fichier: -2011-2012-1-common_vulnerabilities_and_attacks-chapter_1-web.pdf
It is due on Tuesday 18th October 2011, 11:59 pm.

This practical assessment will show you some methods used by security professionals to exploit WEB VULNERABILITIES. It is an introduction to such exploitation techniques.

Goals:
- get familiar with the BackTrack pen-testing distribution
- exploit web vulnerabilities: path traversal, blind SQL injection, stored XSS, reflected XSS
- perform a basic risk analysis

1 Requirements: hypervisor and virtual machine image

- Download the hypervisor for your platform from http://www.virtualbox.org/wiki/downloads
- Install it on your laptop
- Download the virtual machine image from http://car-online.fr/en/files//
- Import it into VirtualBox (follow the instructions at https://ensiwiki.ensimag.fr/index.php/VirtualBox-)
- Save a snapshot of the virtual machine (in its turned-off state)
- Launch the virtual machine
- Log on using these credentials (username / password): ensimag-student / ensimag-student (for -2011-2012-TP2-web-application exploitation.7z)

Warning: I forgot to change the keyboard mapping (I am used to typing in QWERTY). Thus, at the first logon screen, in case you are using an AZERTY keyboard, please type ensi,qg)student and then the same for the password.

If you want to start the GUI:

    startx

For this practical assessment, you will work on the web applications located at http://localhost on the virtual machine.

IMPORTANT NOTES

Deliverables: your report (.txt / .pdf) (accepted languages: French FR-FR or English EN-UK / EN-US). It may include how you would rate that assessment:
- how many (efficient) hours did you spend on that assessment?
- what did you enjoy? what did you not enjoy?
- what was easy? what was hard?
- any suggestion

Each time you use a command related to a pentesting tool: write the command and the most relevant part of its output in your report!

In case of an error or a question, please send an email to your teachers and write the question at https://ensiwiki.ensimag.fr/index.php/5mmmsi-2011-2012-practical_assessment-web_exploitations_and_basic_risk_analysis

Before starting, run start assessment.sh (on the virtual machine desktop).

1. (Bonus question) What is the name of that guy? (Hint: it might not be as simple as you might think...)

2 Ex 1 - BackTrack?

2. That BackTrack version 5.1:
   - to which operating system family does it belong? [provide YOUR command and its execution result]
   - what is the underlying distribution of that BT5.1? [provide YOUR command and its execution result]

3. Pen-testing executables location:
   - list the content of / [provide YOUR command and its execution result]
   - which directory(ies) seem(s) particularly interesting for the current practical assessment?
   - then, within one of the following subfolders (web, enumeration/www, enumeration/web) of the previous interesting directory, randomly choose 1 tool and briefly describe its purpose.

3 Ex0 - PedrO has the LFI magic!

4. Briefly recall what a path traversal and a local file inclusion are.

5. Observe the application http://localhost/ex0. We now focus on the inputs that the attacker is able to control.
   (a) Have a look at this brief reminder of the relevant fields of an HTTP request: http://www.w3.org/protocols/rfc2616/rfc2616-sec5.html. Which inputs seem the most relevant in the Request-Line and the request headers? (among GET parameters, POST parameters, cookies, HTTP request headers)
   (b) Which entity sends them?
   (c) Now we will use the Firefox browser add-on Live HTTP Headers:
       - launch it: Firefox > Tools > Live HTTP Headers
       - capture the HTTP headers of the request GET http://localhost/ex0/
       - using the Replay function of that add-on, change the fields in the request that you think are most relevant, and observe the difference between the different pages.
       - can you propose a formula giving the changing parts of the webpage output depending on the request inputs?
       - what knowledge did you gain regarding the files that are included when that webpage is rendered?
       Hint 1: Pedro is an international guy, thus his website is available in English and in French.
       Hint 2: have a look at the request headers.

6. Goal: performing an LFI attack, get the content of easter-eggs/ex0-secret.b64, which is located somewhere on the web server (and is not directly readable by visitors).
   Tool 0: Firefox browser add-on Live HTTP Headers
   (a) indicate the most relevant part of your request query
   (b) what is the content of the easter-eggs/ex0-secret.b64 file?
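Question 5 is about a page that picks the file it includes from a request header the client controls. The following is an added example, not part of the hand-out and not PedrO's ex0 code (which the hand-out does not show): it puts the vulnerable resolution pattern next to a hardened one that normalises the header to a language tag, checks it against an allow-list, and still verifies that the resolved path stays inside the language directory. The directory layout, file names and Accept-Language values are constructed for this demonstration.

```python
"""Added example, not part of the TP2 hand-out and not PedrO's ex0 code: how a
page that includes a per-language file chosen from a request header should
resolve that file so that path traversal / local file inclusion is not
possible. Directory layout, file names and header values are constructed."""
import os
import tempfile

ALLOWED_LANGS = {"en", "fr"}   # the two languages Pedro's site offers


def build_demo_site():
    """Constructed web root: lang/en.txt, lang/fr.txt and, one level up, a
    file that visitors must never be able to read. Returns (webroot, lang_dir)."""
    webroot = tempfile.mkdtemp(prefix="ex0-demo-")
    lang_dir = os.path.join(webroot, "lang")
    os.makedirs(lang_dir)
    for lang, text in (("en", "Welcome"), ("fr", "Bienvenue")):
        with open(os.path.join(lang_dir, lang + ".txt"), "w") as fh:
            fh.write(text)
    with open(os.path.join(webroot, "secret.txt"), "w") as fh:
        fh.write("constructed secret: must not be served")
    return webroot, lang_dir


def include_vulnerable(lang_dir, requested):
    """The anti-pattern: a header value the client controls is concatenated
    into the path, so '../secret' walks out of the language directory."""
    with open(os.path.join(lang_dir, requested + ".txt")) as fh:
        return fh.read()


def is_inside(base, candidate):
    """True if base/candidate, after resolving '..' and symlinks, is still
    under base. This containment check does not depend on the allow-list."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, candidate))
    return os.path.commonpath([base_real, target]) == base_real


def include_hardened(lang_dir, accept_language, default="en"):
    """The hardened version: normalise the header to a bare language tag,
    accept only tags from an allow-list, then still verify containment."""
    tag = accept_language.split(",")[0].split(";")[0].strip().lower()
    tag = tag.split("-")[0]                # 'fr-FR' -> 'fr'
    if tag not in ALLOWED_LANGS:
        tag = default                      # unknown or malformed: fall back
    filename = tag + ".txt"
    if not is_inside(lang_dir, filename):  # defence in depth
        raise PermissionError("resolved path escapes the language directory")
    with open(os.path.join(lang_dir, filename)) as fh:
        return fh.read()


if __name__ == "__main__":
    _, lang_dir = build_demo_site()
    print(include_hardened(lang_dir, "fr-FR,fr;q=0.9,en;q=0.8"))  # Bienvenue
    print(include_hardened(lang_dir, "../secret"))                 # falls back to en
    print(include_vulnerable(lang_dir, "../secret"))               # the leak
```

The allow-list is the real fix: the client can only ever choose between the files the developer intended. The containment check is kept as a second layer because allow-lists get loosened over time, and it is also the check to use when an include path legitimately has to be built from user data.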

7. Now, instead of that Firefox add-on, we will use Tool 1: Burp. The goal is the same as in the previous question. Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application.
   (a) write a brief schema explaining the relationships between the browser, Burp and the web server (also write how they are connected (TCP, UDP) and on which ip:port)
   (b) configure Firefox and Burp to work together:
       - start Burp: Backtrack > Vulnerability Assessment > Web Application Assessment > Web Application Proxies > burpsuite
       - proxy > options > check "running" on the line where 8080 is written
       - configure Firefox to use Burp as a proxy: in the navigation bar, type about:config and configure the values as shown below
       - now, from Firefox, load http://localhost/ex0/. Burp will intercept the request and let you modify it:

   (c) Modify and forward the request so that the browser displays the content of easter-eggs/ex0-secret.b64 [provide a screenshot of YOUR work] (the upper red rectangle in the screenshot)

8. What is the secret message that PedrO stored? (i.e. the clear-text message from the .b64 file)

4 Ex1 - please XSS and SQLi me!

PHPList is a newsletter manager which allows you to add and manage users along with creating and emailing newsletters (PHP, MySQL). Ciss Had-Minh is the system administrator of that platform, and he is concerned about its security. Please do your best to find security holes in that application!

Run Firefox and load the webpage http://localhost/ and then the ex1 webpage.

4.1 Step 0: information gathering - tell me who you are...

9. Basic information gathering regarding the webpage http://localhost/ex1/
   (a) Perform a full OS detection using nmap [provide YOUR command and its execution result]
   (b) Using httprint, located in /pentest/enumeration/www/httprint/linux/httprint, perform a basic web server detection [provide YOUR command and its execution result]
   (c) Using whatweb, located in /pentest/enumeration/web/whatweb, indicate [provide YOUR command and its execution result]:
       - the PHP interpreter version
       - the PHPList newsletter manager version
   (d) Without being authenticated in the application and without using anything other than Firefox (and without any plugin or add-on), explain how you find:
       - the PHPList version on the homepage http://localhost/ex1/
       - the web server software used, its version and the base operating system
       What kind of vulnerability allowed you to determine this?

4.2 XSS fever.. we are legion!

Ciss has heard very little about Cross-Site Scripting issues. Explain a bit more to him:

10. (a) Briefly recall the names of the 3 XSS types that we saw during the lecture.
    (b) Describe types 1 and 2 within 1 or 2 sentences each.

Ciss considered only the following threat: an administrator would get his session ticket stolen. He will consider an XSS as being successful if he is able to run at least one JavaScript function.

4.2.1 Attack1: users stealing administrators' credentials

11. Observe how normal users (i.e. non-administrator ones) can interact with the application http://localhost/ex1/, and explain why Attack1 does not seem possible:
    (a) which inputs could be controlled by users willing to (un)subscribe to mailing lists?
    (b) indicate the tests you made (meaning which concrete attacks you attempted)
    (c) and, for each one, how the output is modified

4.2.2 Attack2: administrators stealing credentials of others

Quiouteeau is a malicious user and he wants to steal the credentials of St@lqu3uR. His intuition tells him that some stored XSS probably exist in that PHPList version. Let us discover some of them!

12. 2.1 Observation
    - Log on as quiouteeau / iluvs3qr1m@g on http://localhost/ex1/admin
    - create a new user using one of the Ensimag logins of your group's students on http://localhost/ex1/admin/?page=user
    - using the Firefox add-on Firebug (already installed), right-click on an input element and observe how the input field is formed
    (a) choose a JavaScript code to inject: either a very simple one (also please include your Ensimag login) or one from the XSS Cheat Sheet http://ha.ckers.org/xss.html. There are some elegant ones there!
    (b) find a form input that is vulnerable to XSS injection. Which one is it?
    (c) as a POC (Proof Of Concept), inject the JavaScript code you chose on that webpage and show that you are able to inject and run code in the context of Quiouteeau [provide a screenshot of YOUR work]

13. 2.2 Attack
    Now perform a stored XSS attack on St@lqu3uR (password: e-pévé 3L l0v3 r). Briefly describe each step and provide a screenshot showing your login and that the victim was St@lqu3uR [provide a screenshot of YOUR work]

14. I discovered one of those easy vulnerabilities while playing with that application. However, I am not the first one to have discovered that XSS vulnerability. Find the reference on seclists.org and include the URL in your report.

4.3 SQL injection - Where is little Bobby Tables?

Now remove the user thanks to which Quiouteeau stole St@lqu3uR's credentials. If necessary, use the admin credentials (admin / 1 @#d6ˆminph$), since there seem to be some problems when deleting from non-PHPList super-admins on that implementation.

15. Remind Ciss what an SQL injection is. He assumes that his application might be vulnerable to such attacks, since the users are stored in a database supporting the SQL language.

16. Log on again as St@lqu3uR.
    (a) What does the term "Blind SQL injection" mean?
    (b) Identify an SQL injection on http://localhost/ex1/admin/?page=users. Play with the GET parameters. The goal is to find a way (a field, and a way to format it) to discriminate the results, e.g.: AND 1=1 / AND 2=1. Include the different values of the field in your report [provide a screenshot of YOUR work] (the screenshot has to show the URL and a user with the name of one of the students of your group).
        Hint: a code auditor told us to have a look at the findby parameter, and that it might not take only strings as values..
    (c) When the condition is evaluated to false, find a string on the webpage output that will help us to discriminate later. Which one did you choose?

4.4 How to jump from a Blind SQLi to a LFI?

Note: we will use the PHPList admin login (see previous section) for that part.

17. We are able to perform a Blind SQL injection. Now we would like to include a local file on the server thanks to that.
    (a) MySQL has the following function: http://dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file. Which privilege does the PHPList database user have to have? (we will assume that this privilege is granted)
    (b) we will SQL-inject using the field you found before (and on the administrator users webpage). However, some filtering is done on it: http://fr2.php.net/htmlspecialchars. Can we use the following characters ( >, =, ) in our SQL injection? (justify for each character)
    (c) when we perform a string blind SQL injection, how do we relate this to an integer blind SQL injection? Why do we do this?
    (d) we will assume that the file we will load is ASCII-encoded. How can we relate getting the file by blind SQL injection to a string blind SQL injection?
    (e) since some htmlspecialchars filtering is done, we are however unable to manipulate bytes in their ASCII encoding. What do you propose?

FYI, here is a part of the Python + SQL code responsible for that file blind SQL injection (it builds the condition that tests one bit of one byte of the file):

    "substr(lpad(bin(ord(substr(load_file(0x" + file.encode("hex") + "), " + str(charpos + 1) + ", 1))), 8, 0), " + str(bitpos + 1) + ", 1)=1"
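The technique of question 17 only works by sending many near-identical requests whose single difference is a true/false condition on one parameter, which is exactly what makes it visible to the server's owner. The following is an added example, not part of the hand-out or of the ex1-script: a detector run over constructed Apache access-log lines that flags, per source address and parameter, runs of boolean probes (the AND 1=1 / AND 2=1 style of question 16) and the MySQL string-function chain of the snippet above. Only the parameter name findby comes from the hand-out; the addresses, timestamps, sizes and the hex argument of load_file are placeholders.

```python
"""Added example, not part of the TP2 hand-out or of the ex1-script: detecting
the trail that a blind SQL injection leaves in a web server access log.
The log lines below are constructed; the hex argument of load_file is a
placeholder, not a real path."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A tautology or contradiction glued to a value: "1 AND 1=1", "x OR 2=1", ...
BOOLEAN_PROBE = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Functions chained by the bit-extraction query shown in the hand-out.
MYSQL_FUNCS = ("load_file(", "substr(", "substring(", "mid(",
               "lpad(", "bin(", "ord(", "ascii(")

# Constructed sample: one client probing findby, one client browsing normally.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2011:21:04:01 +0200] "GET /ex1/admin/?page=users&findby=1%20AND%201=1 HTTP/1.1" 200 5123
10.0.0.5 - - [13/Oct/2011:21:04:03 +0200] "GET /ex1/admin/?page=users&findby=1%20AND%202=1 HTTP/1.1" 200 1904
10.0.0.5 - - [13/Oct/2011:21:04:05 +0200] "GET /ex1/admin/?page=users&findby=1%20AND%203=3 HTTP/1.1" 200 5123
10.0.0.5 - - [13/Oct/2011:21:05:10 +0200] "GET /ex1/admin/?page=users&findby=1%20AND%20substr(lpad(bin(ord(substr(load_file(0x414243),1,1))),8,0),1,1)=1 HTTP/1.1" 200 5123
10.0.0.9 - - [13/Oct/2011:21:06:00 +0200] "GET /ex1/admin/?page=users&findby=alice HTTP/1.1" 200 5123
10.0.0.9 - - [13/Oct/2011:21:06:30 +0200] "GET /ex1/?p=subscribe HTTP/1.1" 200 3010
"""


def analyse_request(url):
    """Findings for one request URL as (kind, parameter) pairs; [] if clean."""
    findings = []
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            value = unquote_plus(value).lower()   # second pass catches double encoding
            if BOOLEAN_PROBE.search(value):
                findings.append(("boolean_probe", name))
            if sum(1 for f in MYSQL_FUNCS if f in value) >= 2:
                findings.append(("file_read_chain", name))
    return findings


def scan_log(lines, probe_threshold=3):
    """Aggregate findings per (source IP, parameter). A single 'AND 1=1' may
    be a false positive; a run of them, or any file-read chain, is an alert."""
    counts = defaultdict(lambda: {"boolean_probe": 0, "file_read_chain": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for kind, param in analyse_request(m.group("url")):
            counts[(m.group("ip"), param)][kind] += 1
    alerts = []
    for (ip, param), c in sorted(counts.items()):
        if c["file_read_chain"] or c["boolean_probe"] >= probe_threshold:
            alerts.append({"ip": ip, "param": param, **c})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two points for Ciss follow from this. First, htmlspecialchars is HTML output encoding: it protects the page, not the query, so the preventive control for findby is a parameterised query or a strict cast to the type the parameter is supposed to carry. Second, the response size alternating between two values (5123 and 1904 in the constructed sample) is the same signal the attacker uses as a discriminant in question 16(c), and it can be added to a detector as a second feature.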

18. Using the script located at /home/ensimag-student/desktop/ex1-script/, get the content of the file /root/www/easter-eggs/ex1-lfi.txt [provide YOUR command and its execution result]

Note: in case you entered a wrong discriminant, here is the output you would get:

    ...
    [+] /root/www/easter-eggs/ex1-lfi.txt length: 0
    ...

Here is a screenshot of a part of the correct output (one of the easter eggs you might find.. ;)

5 Ex2 - Do you still love the cloud? - Risk analysis

The overall objective of that exercise is to perform a risk analysis regarding your data.

Stanislas Quastana (Microsoft), 2011, Risques et opportunités de la Consumérisation de l'IT - partie 3 - périphériques amovibles, stockage dans le Cloud et données d'entreprise: https://blogs.technet.com/b/stanislas/archive/2011/09/13/risques-et-opportunit-233-s-de-la-consum-233-risation-de-l-it-partie-3-p-233-riph-233-riques-amovibles aspx

19. Note: I provided some questions as starting points. This part is not a rigorous risk analysis; see it just as an introduction, for you to be aware of the kind of questions you would have to ask yourself. Those questions are not exhaustive, just there to help you go through your thinking. I expect you to enhance it with your own additional questions, and to answer those questions (the ones I wrote plus your own ones (at least 2 additional questions for each step)). For each question, briefly justify. You will perform a more rigorous risk analysis in the very next question.
    (a) scope definition: what do we mean by data? (is it just your emails? documents? photos? source code?...)
    (b) security properties to be ensured:
    (c) threats: what do YOU care about most? (e.g.: personally I prefer to maintain the confidentiality of my data, thus my backups are encrypted, but if I lose the private key, I might lose the availability property.) Thus, prioritize the security properties you want to ensure on your data...
        - your USB key gets stolen
        - your computer is burned
        - several earthquakes destroy the GoogleMail datacenters...
    (d) vulnerabilities (aka security weaknesses in the OWASP risk rating method) of the systems on which your data are stored:
        - storage: on which peripheral do you store your data? do you rely on cloud services? if so, where are the data stored? in which datacenters?...
        - confidentiality and access control: who can access your data? (the provider, a government agency?...) how do you authenticate to access your data? (1-factor authentication (note: an authentication factor has one of the following characteristics: what I know (e.g. password), what I own (e.g. physical token), what I am (e.g. biometrics))) is the authentication process secure?
        - what kind of data is stored within such a system?
        - when you wipe / delete your data, what kind of residual data remains on that system? (cache, temporary files, logs) are you aware of how the wiping process is performed?...
    (e) existing counter-measures (aka security controls in the OWASP risk rating method). Some example questions:
        - do you use an intrusion detection system on your computer?
        - do you rely on a backup solution? does your application provider?
        - are the data encrypted? is the encryption scheme secure? regarding what kind of attacks?...
    (f) technical impacts:
        - which security property would you lose if such a threat were to happen?
        - how much money / work hours / efficiency would you lose?...
    (g) what to do with that identified risk?
        - reduce it: deploy additional counter-measures to bring the risk down to an acceptable level
        - transfer it: e.g. insurance
        - accept it: the cost of the potential additional counter-measures is too high relative to the cost of the corresponding threat happening
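Question 19 refers twice to the OWASP risk rating method and question 20 asks for a rating made with it. The following is an added worked example, not part of the hand-out: the method's arithmetic (eight likelihood factors and four impact factors scored 0 to 9, averaged, mapped to LOW / MEDIUM / HIGH, then combined in the severity matrix) applied to the "your USB key gets stolen" threat from 19(c), before and after the "reduce it" decision of 19(g) (encrypting the backups). Every factor score is an illustrative value chosen for this example, not something the hand-out or OWASP states about USB keys.

```python
"""Added example, not part of the TP2 hand-out: the arithmetic behind the
OWASP Risk Rating Methodology, applied to one of the threats listed in 19(c)
("your USB key gets stolen") with unencrypted backups on it. Every factor
score below is an illustrative value chosen for this example."""

# The eight likelihood factors (threat agent + vulnerability) and the two
# impact families, each scored 0-9 as in the OWASP method.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                             # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity matrix, keyed by (impact level, likelihood level).
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",  ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average(scores, factors):
    """Average the given factors, refusing missing keys or out-of-range values
    so a typo in a score sheet cannot silently skew the rating."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError("missing factor(s): %s" % ", ".join(missing))
    bad = [f for f in factors if not 0 <= scores[f] <= 9]
    if bad:
        raise ValueError("score out of 0-9 range: %s" % ", ".join(bad))
    return sum(scores[f] for f in factors) / len(factors)


def level(score):
    """OWASP thresholds: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood, impact, impact_factors=TECHNICAL_IMPACT_FACTORS):
    """Likelihood, impact and overall severity. OWASP prefers the business
    impact factors when the business context is known; the technical ones
    (the default here, matching question 19(f)) otherwise."""
    lk = average(likelihood, LIKELIHOOD_FACTORS)
    im = average(impact, impact_factors)
    return {
        "likelihood": lk, "likelihood_level": level(lk),
        "impact": im, "impact_level": level(im),
        "severity": SEVERITY[(level(im), level(lk))],
    }


# Illustrative scores: an unencrypted backup on a USB key that gets stolen.
USB_UNENCRYPTED_LIKELIHOOD = {
    "skill_level": 1,          # anyone can plug the key in and read it
    "motive": 4,               # possible reward
    "opportunity": 7,          # some access required: physical possession
    "size": 6,                 # whoever finds or takes the key
    "ease_of_discovery": 9,    # the files are simply there
    "ease_of_exploit": 9,      # no tooling needed
    "awareness": 9,            # public knowledge
    "intrusion_detection": 9,  # nothing is logged
}
USB_UNENCRYPTED_IMPACT = {
    "loss_of_confidentiality": 7,  # extensive critical data disclosed
    "loss_of_integrity": 1,        # the originals are untouched
    "loss_of_availability": 5,     # that backup copy is gone
    "loss_of_accountability": 9,   # completely anonymous
}

# "Reduce it" (question 19(g)): encrypt the backups. Reading them now needs the
# key or real cryptanalytic skill, and what leaks is ciphertext.
USB_ENCRYPTED_LIKELIHOOD = dict(USB_UNENCRYPTED_LIKELIHOOD,
                                skill_level=9, ease_of_discovery=1, ease_of_exploit=1)
USB_ENCRYPTED_IMPACT = dict(USB_UNENCRYPTED_IMPACT, loss_of_confidentiality=2)


def compare_countermeasure():
    """Rate the threat before and after the counter-measure."""
    return {
        "before": rate(USB_UNENCRYPTED_LIKELIHOOD, USB_UNENCRYPTED_IMPACT),
        "after": rate(USB_ENCRYPTED_LIKELIHOOD, USB_ENCRYPTED_IMPACT),
    }


if __name__ == "__main__":
    for name, result in compare_countermeasure().items():
        print(name, result)
```

With these scores the stolen key rates likelihood 6.75 (HIGH) and technical impact 5.5 (MEDIUM), an overall High; encrypting the backups lowers both averages to 5.75 and 4.25 (MEDIUM, MEDIUM), an overall Medium. Note what the counter-measure does not change: loss_of_availability stays at 5, which is the trade-off the note in 19(c) points at (lose the private key and the encrypted backup is as unavailable as a stolen one).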

20. (a) Perform an OWASP Risk Rating, according to the method described at https://www.owasp.org/index.php/owasp_risk_rating_methodology, regarding one of the threats that you identified before.
    (b) Regarding the threat you chose, draw an attack-paths diagram for that threat (such as the following one). (You are free to produce it in ASCII, Visio, Omnigraffle, TikZ.. or even to use tools such as CORAS http://coras.sourceforge.net/downloads.html; there are also some nice risk analysis icons there!)

6 (on your free time) Going further

In case you really did enjoy that practical assessment and you have some free time, here is some training material for you:

6.1 Web exploitation
- WebGoat: https://www.owasp.org/index.php/category:owasp_webgoat_project
- Gruyere: https://google-gruyere.appspot.com

6.2 Risk analysis
- MEHARI: http://www.clusif.asso.fr/en/production/mehari/
- EBIOS 2010: http://www.ssi.gouv.fr/en/the-anssi/publications-109/methods-to-achieve-iss/ebios-2010-expression-of-needs-and-identification-of-security-objectives.html
- CORAS: http://coras.sourceforge.net/