5MMSSI - Information Systems Security 1 - vulnerabilities and … · 2011-09-22 · 5MMSSI - Information Systems Security 1 - vulnerabilities and attacks Fabien Duchene1 Karim Hossen1

5MMSSI - Information Systems Security1 - vulnerabilities and attacks

Fabien Duchene1

Karim Hossen1

1Laboratoire d’Informatique de Grenoble, VASCO teamGrenoble Institute of Technology - Grenoble INP Ensimag

[email protected]

2011-2012Fabien Duchene, Karim Hossen (LIG) 5MMSSI-1-Common vulnerabilities and attacks 1/36 2011-2012 1 / 36

http://www.liglab.fr

http://grenoble-inp.fr

Outline

1 Web based vulnerabilitiesInjectionSQL InjectionPath vulnerabilityCSRFXSS - Cross-Site scripting

Fabien Duchene, Karim Hossen (LIG) 5MMSSI-1-Common vulnerabilities and attacks 2/36 2011-2012 2 / 36

Remarks

NOT exhaustive. a selection of several interesting vulnerabilities andattacksMany others do exists 1

1[OWASP vulnerabilities] OWASP vulnerabilitiesFabien Duchene, Karim Hossen (LIG) 5MMSSI-1-Common vulnerabilities and attacks 3/36 2011-2012 3 / 36

Web based vulnerabilities

Input related vulnerabilitiesAttacker’s goal:

attack name targeted subsys-tem

parsing evaluation

buffer overflow ex-ploitation

binary executable x

format string exploita-tion

binary executable x x

SQL injection database x xXSS web application x xCSRF web application x x

Causenon sufficiently sanitized inputsinsecure use of input parameters


Web based vulnerabilities Injection

Injection I

2


Web based vulnerabilities Injection

Injection II

Threat level [OWASP 2011]Exploitability +++ EASYPrevalence ++ COMMONDetectability ++ AVERAGEImpact +++ SEVERE

Counter-measuresinput sanitization: application dependent

2[Kunz 2011] Skype Vulnerabilities: Zero Day Exploitation 2011,HITBSecConf 2011 (Malaysia)Fabien Duchene, Karim Hossen (LIG) 5MMSSI-1-Common vulnerabilities and attacks 6/36 2011-2012 6 / 36

Web based vulnerabilities SQL Injection

SQL Injection Attack (SQli) I

subsystem:goal:

Several SQL injection attacks [Wikipedia - SQL injection]incorrectly filtered escape charactersincorrect type handlingblind SQL injection



SQli: basic - “Incorrect type handling” I

Incorrect type handlingdata is not strongly typedin the example: an integer is expected, but the language interpreterevaluates the whole expression

1 s t a t e m e n t := ”SELECT ∗ FROM w e a t h e r d a t a WHERE s t a t i o n= ” +a v a r i a b l e + ” ; ”

Example: webgoat SQLi 3



SQli: basic - “Incorrect type handling” II

Basic form. We submit it once and observe:

Once we submit, the station parameter seems to be used in the dataretrieval. Goal: to extract all the data from that SQL table



SQli: basic - “Incorrect type handling” III

Have a look at the source code, and observe

Since it is simpler to perform request by HTTP GET, give it a try:



SQli: basic - “Incorrect type handling” IV

It works, the station parameter sent via a GET request is used by theweb application:

Let us try to inject:



SQli: basic - “Incorrect type handling” V

exploitation succeeds: we are able to extract all the records from thattable



SQli: basic - “Incorrect type handling” VI

Also works if we use HTTP POST, here with Firefox Hackbar 4

Note: we only tried to get the data, but think about5

1 s t a t i o n =103 OR 1=1 ; DROP t a b l e w e a t h e r d a t a

3[Webgoat - numeric SQL injection] Webgoat - numeric SQL injection4[Firefox hackbar add-on] Firefox hackbar add-on5Most SQL server implementations allow multiple statements. API do

generally not: PHP:mysql query() and Python:sqlite3.[.].execute() do notsupport this. Some functions such as Python:sqllite3.[.].executescript() howeverdoFabien Duchene, Karim Hossen (LIG) 5MMSSI-1-Common vulnerabilities and attacks 13/36 2011-2012 13 / 36


SQLi: basic - “Incorrectly filtered escape characters” I

Incorrect type handlinguser input is not filtered for escape characters (eg: ’ ” ..)parameters are passed without using prepared statement

1 s t a t e m e n t = ”SELECT ∗ FROM u s e r s WHERE name = ’ ” + userName +” ’ ; ”

How would you set the variable userName to bypass theauthentication?

A possible answer:



SQLi: basic - “Incorrectly filtered escape characters” II

1 s t a t e m e n t = ”SELECT ∗ FROM u s e r s WHERE name = ’ ” + userName +” ’ ; UPDATE TABLE l o g o n a t t e m p t s SET a t t e m p t s=a t t e m p t s+1

WHERE name=’”+userName+” ’ ; ”

How do we prevent the logon attempt counter to increase for thatusername?A possible answer:



“Blind” SQLi I

Blind SQL injection?production environment do not let you see the error outputswhen trying to inject in such a system: “blind injection”more injection techniques on [Hackipedia - SQL injection]

Example: webgoat blind integer SQLIA 6

Assume a simple SELECT WHERE request such as:



“Blind” SQLi II

1 SELECT ‘ f i e l d n a m e ‘ from ‘ tab le name ‘ WHERE ‘ f i e l d 1 ‘= ’ a r g 1 ’

If we try a random number:

If we try to input a non integer:

Is the application sensible to blind injection?



“Blind” SQLi III

Does such a record exist?

Now let us explore the possible space via

... POWER(2,30)

... POWER(2,11):



“Blind” SQLi IV

Thus the value is betweenNow let us continue the dichotomy:

Still too high...

Now too low ...

We iterate that process, and finally:



“Blind” SQLi V

1 101 AND (SELECT p i n FROM p i n s WHERE cc number=1111222233334444)<(POWER( 2 , 1 1 )+POWER( 2 , 8 )+POWER( 2 , 5 )+POWER( 2 , 4 )+POWER( 2 , 3 )+POWER( 2 , 2 )+POWER( 2 , 0 ) )

211 + 28 + 25 + 24 + 23 + 22 + 20 = 2365

Let us verify one last time that the value is 2364



“Blind” SQLi VI7

Blind string SQL Injection AttackSimilar:

by using the CHAR(x) (x: integer ; ex in ASCII encoding:CHAR(41)=’A’ ; CHAR(61)=’a’)ASCII(c) (c: character ; eg: ASCII(’a’)=61)and SUBSTRING(str,start,length) SQL functions

Encoding-dependent: ASCII, UTF8, UTF16 ...Heuristic: would promote characters of the assumed alphabet

6[Webgoat - numeric SQL injection] Webgoat - numeric SQL injection7[Mavituna - SQL injection sheet 2007] Mavituna - SQL injection sheet



SQLi blind string injection: exercise

we want to find the first character of the field user name of the tableusers of the record with user id equal to 6969 ... thanks to thefollowing SQL request: (and we are able to manipulate $bet id)we know that bet id = 3679 is a valid ID

1 ’SELECT MAX( ‘ bet amount ‘ ) FROM ‘ bets ‘ WHERE ‘ b e t i d ‘= ’ +$ b e t i d + ’ ; ’

A possible answer:



SQLi Prevention

input sanitizationonly allow some characters.. or explicitly deny some that have a meaning 8

strongly type the parametersUse parameterized statements

1 j a v a . s q l . P r e p a r e d S t a t e m e n t prep = connect ion . p r e p a r e S t a t e m e n t(

”SELECT ∗ FROM u s e r s WHERE LASTNAME = ? ANDAGE = ? ” ) ;

3 prep . s e t S t r i n g ( 1 , l a s t n a m e ) ;prep . s e t I n t ( 2 , age ) ;

5 prep . e x e c u t e Q u e r y ( ) ;

8problem: might be encoding dependent (eg: UTF-8, UTF-16)Fabien Duchene, Karim Hossen (LIG) 5MMSSI-1-Common vulnerabilities and attacks 23/36 2011-2012 23 / 36

Web based vulnerabilities Path vulnerability

Path vulnerability

Path vulnerabilityability to access (read and/or execute and/or write..) files, folders thatwere initially not intended to be accessible from the web-application

Path Traversal aka “../” (dot-dot-slash) vulnerability“LFI” Local File Inclusion“RFI” Remote File Inclusion



Path vulnerability example (LFI, RFI)

1 <?php$ c o l o r = ’ b l u e ’ ;

3 i f ( i s s e t ( $ GET [ ’LANGUAGE ’ ] ) )$ l a n g u a g e = $ GET [ ’LANGUAGE ’ ] ;

5 i n c l u d e ( $ l a n g u a g e . ’ . php ’ ) ;?>

7<form method=” g e t ”>

9 < s e l e c t name=”LANGUAGE”><o p t i o n v a l u e=” e n g l i s h ”>e n g l i s h </o p t i o n>

11 <o p t i o n v a l u e=” c h i n e s e ”>c h i n e s e </o p t i o n></ s e l e c t >

13 < i n p u t t y p e=” submit ”></form>

1–files/file–include.php



Path vulnerability example

How would you perform an HTTP GET request in order tolist the content of the /etc/passwd file?LFI. A possible answer:run code from a remote file?RFI. A possible answer:



Path vulnerability example (Directory traversal)

Consider a similar PHP code, replace the include line:. . .

2 i n c l u d e ( ”/home/webapp1/ p u b l i c h t m l / code / l a n g u a g e s /” .$ l a n g u a g e ) ;

. . .

How would you read the RSA SSH private key ( /.ssh/id rsa) of theuser orlando (/home/orlando) ?Directory traversal. A possible answer:



Path vulnerability - countermeasures

(once more) input sanitizationlimit file inclusion to a selected subset of directories. This can bedone at several layers:

interpreter (eg: PHP (allow url fopen allow url include), ASP.Net)web-server (eg: Apache httpd) configuration)chroot jails or similar systems (children processes will only be able toopen files within the defined chroot jail authorization)

enforce strict ACL on sensitive files and run websites on differentidentity than the owner(s) of those sensitive files


Web based vulnerabilities CSRF

CSRF

Cross Site Request Forgeryattacker tricks a victim to load a webpageby loading that webpage, the victim will perform the action plannedby the attacker

Causesweb application is not able to distinguish between



CSRF example I

Aimelyne wants to trick Ilyas to receive 2000 USD from him via thewebsite payme.blabla

Application logic discoveryA uses the payme.blabla for a small amount 5 USD to Melissa... and discovers that the following request is performed:

1 GET h t t p : / / bank . com/ t r a n s f e r . do ? to=M e l i s s a&amount=5 HTTP/ 1 . 1



CSRF example II

Malicious link constructionHow would A construct a malicious link so that people who will performthat request would (if authenticated) send here 2000 USD?



CSRF example III

Transmission to the victimHow would A send that link to the victim?A possible answer:

The victim gets trickedAssuming Ilyas is authenticated, if he clicks the link, Aimelyne will receivethe money.

What is the problem that now could occur?Answer:How to prevent that?A solution:

9

9We here assumed a GET request. POST request could also be tricked (eg:HTML form, input submission triggered via javascript)Fabien Duchene, Karim Hossen (LIG) 5MMSSI-1-Common vulnerabilities and attacks 32/36 2011-2012 32 / 36


CSRF countermeasures

client side:browser plugin: [RequestPolicy firefox add-on], [CsFire firefox add-on]

server side:for each form request, include a “fresh state token”

freshness requires a sufficient randomizationeg. dependencies: user identity, session, time, webpage from which therequest come from, form “status”ASP.Net: viewstateJava: Nothing out of the box, but ability to build it. OWASPCSRFGuard

checking the HTTP header refererlimiting the lifetime of tickets (eg: cookies)


Web based vulnerabilities XSS - Cross-Site scripting

XSS (will be updated)

will be updated


Appendix For Further Reading

Hackipedia - SQL injection.http://hakipedia.com/index.php/SQL_Injection.Johan Adriaans, Pedro Laguna. Firefox hackbar add-on.https://addons.mozilla.org/en-US/firefox/addon/hackbar/.Kunz, Benjamin (2011). Skype Vulnerabilities: Zero Day Exploitation2011, HITBSecConf 2011 (Malaysia).http://conference.hitb.org/hitbsecconf2011kul/?page_id=1757.Mavituna - SQL injection sheet (2007).http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/.OWASP. OWASP vulnerabilities.https://www.owasp.org/index.php/Category:Vulnerability.— (2011). Injection - OWASP top 10 - 2010.https://www.owasp.org/index.php/Top_10_2010-A1.Philippe De Ryck, Lieven Desmet. CsFire firefox add-on.https://addons.mozilla.org/en-US/firefox/addon/csfire/.


http://hakipedia.com/index.php/SQL_Injection

https://addons.mozilla.org/en-US/firefox/addon/hackbar/

http://conference.hitb.org/hitbsecconf2011kul/?page_id=1757

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

https://www.owasp.org/index.php/Category:Vulnerability

https://www.owasp.org/index.php/Top_10_2010-A1

https://addons.mozilla.org/en-US/firefox/addon/csfire/

Appendix For Further Reading

Samuel, Justin. RequestPolicy firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/.Webgoat - numeric SQL injection.http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_InjectionFlaws_NumericSQLInject/WebGoat_InjectionFlaws_NumericSQLInject.html.Wikipedia - SQL injection. https://secure.wikimedia.org/wikipedia/en/wiki/SQL_injection.


https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/

https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/

http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_InjectionFlaws_NumericSQLInject/WebGoat_InjectionFlaws_NumericSQLInject.html



https://secure.wikimedia.org/wikipedia/en/wiki/SQL_injection

https://secure.wikimedia.org/wikipedia/en/wiki/SQL_injection

Documents

5MMSSI - Information Systems Security 1 - vulnerabilities and … · 2011-09-22 · 5MMSSI - Information Systems Security 1 - vulnerabilities and attacks Fabien Duchene1 Karim Hossen1