Steve Kosten - Exploiting common web application vulnerabilities

Exploiting and Defending:Common Web Application

Vulnerabilities

Senior Security ConsultantSANS Instructor Denver OWASP Chapter LeadCertifications

CISSP, GWAPT, GSSP-Java, CISM

Contact InfoSteve.kosten@cypressdefense.com@skosten

Introduction: Steve Kosten

IntroductionA1: InjectionA3: Cross-Site Scripting (XSS)A8: Cross-Site Request Forgery (CSRF)

Agenda

Using real attack toolsIllegal to attack targets without written contractual consentObey all state and federal lawsCypress Data Defense assumes no liability

Disclaimer

A1: Injection

Text-based attacks that exploit the syntax of the targeted interpreter.Almost any source of data can be an injection vector, including internal sources. Injection flaws occur when an application sends untrusted data to an interpreter.

A1: Injection

A1: SQL Injection

110 million customer recordsEmail, Mailing addresses, other Personally Identifiable Information (PII)

In The News (Target)

50 million customer recordsEmail, DOB, Password Hashes, Challenge Questions & Answers

In The News (Living Social)

130 million credit card numbers$200 million loss

In The News (Heartland)

Command Injection

Inline SQL

A1: Example (1)

rs = statement.executeQuery("Select EmployeeId, LastName, FirstName, PhoneNumber " +"From Employees " +"Where EmployeeId = " + request.getParameter("employeeId"))

Runtime.getRuntime().exec(String.format("myTestProcess.exe %s", request.getParameter("employeeId")))

sqlmap DEMOhttp://sqlmap.org/ Written in Python

Exploitation DEMO

Parameterized QueriesA1: Solution

Cross-Site Scripting

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper encoding.

Execute scripts in the victim’s browserHijack user sessionsDeface web sitesRedirect the user to malicious sites.

A3: Cross-Site Scripting (XSS)

In The News (Sears)

Site defaced to contain flashing images designed to cause seizures Some victims required hospital care

In The News (EF)

Primaries web site had XSS in the blog pagesPayloads injected to redirect users to Hillary Clinton’s election web site

In The News (Obama)

HTML Context

URL Context

JavaScript Context

Reflected Example

Browser Exploitation Framework (BeEF)http://beefproject.com/Written in Ruby

Exploitation DEMO

Encoding, encoding, encodingValidation is not the solution

Contexts to considerHtml, Url, JavaScriptHtmlAttribute, Css, Xml, XmlAttribute

Mitigations

Recommended encoding librariesOWASP Java Encoder

HTTP Security HeadersSourceClear Headlines

X-XSS-ProtectionContent-Security-Policy (CSP)

Mitigations (2)

Cross Site Request Forgery

Researcher earns $10,000 bug bountyCSRF vulnerability allowing attackers to:

Add payment methodsModify email addressesChange security questionsAdd privileged users

In The News

Admin console vulnerable to CSRF allowing attackers to perform the following:

Modify automatic renewalsEdit zone filesName server management

In The News (GoDaddy)

• 2012: Multiple manufacturers• 4.5 Million Routers Compromised in Brazil

In The News

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information.

Audit logs will show the user made the transaction User has no knowledge of the transaction

Cross-Site Request Forgery

Multiple Authenticated Sessions

Cross-Site Request Forgery (CSRF) Example

Payload on attack page

Cross-Site Request Forgery (CSRF) Example (2)

</form>

Request triggered from authenticated session

POST /csrf/content/vulnerable/changepassword HTTP/1.1Host: localhost:8080Cookie: JSESSIONID=2E7F523BE6E086F5EEB593B2B69842D2Content-Type: application/x-www-form-urlencodedContent-Length: 53

newPassword=StorageRoomB&confirmPassword=StorageRoomB

200 Response from web site

HTTP/1.1 200 OK

<div class="alert alert-dismissable alert-success"><span>Your password was successfully changed.</span>

</div>

Simple Javascript Post

Exploitation DEMO

CSRF MitigationsRandom nonce for each requestAnti-Forgery TokensCSRF Guard (OWASP Project)

Mitigations

Payload with incorrect csrf token

Cross-Site Request Forgery (CSRF) Solution (1)

<input type="hidden" name="_csrf"

value="103ae2a3-d4d6-46e9-8ba6-92188ff998c2" />

</form>

Request with invalid token submitted

Cross-Site Request Forgery (CSRF) Solution (2)

POST /csrf/content/vulnerable/changepassword HTTP/1.1Host: localhost:8080Cookie: JSESSIONID=2E7F523BE6E086F5EEB593B2B69842D2Content-Type: application/x-www-form-urlencodedContent-Length: 53

newPassword=StorageRoomB&confirmPassword=StorageRoomB&_csrf=103ae2a3-d4d6-46e9-8ba6-92188ff998c2

403 response from web site

HTTP/1.1 403 Forbidden

<div class="alert alert-dismissable alert-danger"><span>java.lang.NullPointerException</span>

</div>

Questions?Contact Info

SteveTwitter: @skostenEmail: steve.kosten@cypressdefense.com

Thanks for attending!

Steve Kosten - Exploiting common web application vulnerabilities

Technology

Exploiting Format String VulnerabilitiesTDDC90/literature/papers/teso-fs1-1.pdf · 2007-11-01 · Exploiting Format String Vulnerabilities scut / team teso March 24, 2001 version

Exploiting and Protecting Vulnerabilities in Binary Code · Vulnerabilities in Binary Code David Brumley Carnegie Mellon University dbrumley@cmu.edu 2 ... Profit! 9 Exploits Can Help

Exploiting Terrorist Vulnerabilities: A Law …Exploiting Terrorist Vulnerabilities: A Law Enforcement Approach to Fighting Terrorist Organizations A Monograph by SSA Danny Day, Jr

EXPLOITING NFC AND RFID VULNERABILITIES IN A …

Assessing and Exploiting XML Schema's Vulnerabilities · 2019-12-09 · WHITE PAPER © 2016 IOActive, Inc. All Rights Reserved Assessing and Exploiting XML Schema's Vulnerabilities

Exploiting Format String Vulnerabilities - Stanford · PDF fileExploiting Format String Vulnerabilities scut / team teso September 1, ... 2.5 The stack and its role at format strings

Understanding and Exploiting Flash ActionScript Vulnerabilities --

Finding and Exploiting Access Control Vulnerabilities in ... · PDF fileVulnerabilities in Graphical User Interfaces ... – Win32 API can see widget but ... Finding and Exploiting

Messenger Apps Exploiting Memory Corruption ... › presentations › offensivecon_20_no_clicks.pdf · Exploiting Memory Corruption Vulnerabilities in Messenger Apps Samuel Groß

Finding and Exploiting Access Control Vulnerabilities in ... · Finding and Exploiting Access Control Vulnerabilities in Graphical User Interfaces ... Vulnerabilities in Graphical

Exploiting Deserialization Vulnerabilities in Java

Exploiting Format String Vulnerabilities

Exploiting the Client Vulnerabilities in Internet E-voting Systems

Exploiting Server Vulnerabilities with XSS and Server Side Scripting Attacks

Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities

Ehi lH ki d Ethical Hacking and Countermeasures · • Identify Router • Identifyy ging Vulnerabilities • Exploiting Vulnerabilities in Cisco IOS • Brute-Forcing Services •

Beyond Autorun: Exploiting vulnerabilities with …media.blackhat.com/bh-dc-11/Larimer/BlackHat_DC_2011...Beyond Autorun: Exploiting vulnerabilities with removable storage Jon Larimer

Understanding and Exploiting Flash ActionScript Vulnerabilities -- Hafei Li, Sr. Security Researcher hfli@fortinet.com

Hands on C and C++: vulnerabilities and exploits - SecAppDev Younan... · Yves Younan . Handson Exploiting C and C++ Vulnerabilities March, 2012 33 . abo1.c static char shellcode[]

Exploiting COF Vulnerabilities in the Linux kernel...Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016 Who am I? • Security researcher @