Common Exploits Aaron Cure Cypress Data Defense


Page 1: Common Exploits

Common Exploits
Aaron Cure

Cypress Data Defense

Page 2: Common Exploits

SQL Injection

Page 3: Common Exploits

SQL Injection

What is it?
◦ The inclusion of portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker)

Page 4: Common Exploits

SQL Injection Tools

How do we attack it?
◦ SqlMap (http://sqlmap.org)
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Page 5: Common Exploits

SQL Injection Tools

◦ BSQL Hacker (http://labs.portcullis.co.uk/application/bsql-hacker/)
BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

Page 6: Common Exploits

SQL Injection Demo

sqlmap.py -u http://localhost:55612/Product.aspx?id=3

sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 1640=1640

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=3 AND (SELECT 1157 FROM(SELECT COUNT(*),CONCAT(0x3a796c6a3a,(SELECT (CASE WHEN (1157=1157) THEN 1 ELSE 0 END)),0x3a7a76743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=3 UNION ALL SELECT NULL,CONCAT(0x3a796c6a3a,0x6f6a6c61786d494f6a74,0x3a7a76743a),NULL--
---
web server operating system: Windows 2012
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0
back-end DBMS: MySQL 5.0

Page 7: Common Exploits

SQL Injection Mitigation

How do we prevent it?
◦ Don’t concatenate untrusted data
◦ Use parameterized queries
◦ Use a framework (nHibernate, Entity Framework, etc.)
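As an added example (not from the slides or from Cypress Data Defense), here is the demo's product lookup built both ways in Python against an in-memory SQLite table with constructed rows. The true/false probe pair from the sqlmap output above doubles as a regression test: the concatenated query answers the two probes differently, the parameterized one does not.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the demo's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")])
    return conn


def lookup_concat(conn: sqlite3.Connection, product_id: str) -> list:
    """Vulnerable: the untrusted ?id= value is spliced into the SQL text,
    so anything after the number becomes part of the WHERE clause."""
    sql = "SELECT name FROM product WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, product_id: str) -> list:
    """Hardened: a bound parameter reaches the driver as data, never as SQL;
    the string '3 AND 1640=1640' simply matches no id."""
    rows = conn.execute("SELECT name FROM product WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


def boolean_probe_differs(conn: sqlite3.Connection, lookup) -> bool:
    """The comparison sqlmap's boolean-based blind test makes, reused as a
    self-check: if a true and a false appended condition give different
    results, the input is reaching the database as SQL."""
    true_probe = lookup(conn, "3 AND 1640=1640")    # payload from the demo slide
    false_probe = lookup(conn, "3 AND 1640=1641")
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", boolean_probe_differs(db, lookup_concat))
    print("parameterized query injectable:", boolean_probe_differs(db, lookup_param))
```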

Page 8: Common Exploits

Session Hijacking

Page 9: Common Exploits

Session Hijacking

What is it?
◦ Occurs when authentication tokens are stolen from an authenticated user. This vulnerability commonly occurs when session tokens are sent in cleartext between a web server and a client’s browser. Other examples include tokens being stolen via cross-site scripting and man-in-the-middle attacks. It allows an attacker to assume the identity of another user and gain unauthorized access to applications and functionality.

Page 10: Common Exploits

Session Hijacking Tools

How do we attack it?
◦ Firesheep
Intercepts browser cookies used by many sites, including Facebook and Twitter, to identify users and allows anyone running the program to log in as the legitimate user and do anything that user can do on a particular website.
◦ Cross Site Scripting (XSS)
◦ Hamster/Ferret
◦ Man in the Middle (MITM)

Page 11: Common Exploits

Session Hijacking Demo

HTTP Header Injection of hijacked cookie
◦ Grab the existing cookie value (XSS, MITM, etc.)
◦ Create a new request, adding the captured value in the header.

Page 12: Common Exploits

Session Hijacking Mitigation

How do we prevent it?
◦ Use SSL
◦ Set HTTPOnly and Secure on all cookies
◦ No http links (secure only)
◦ Set the HTTP Strict-Transport-Security (HSTS) header
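As an added example (not from the slides or from Cypress Data Defense), a small Python audit that checks a response's headers for the cookie flags and the HSTS header listed above. The two header sets are constructed; the cookie name ASP.NET_SessionId is ASP.NET's default session cookie, used here because the demo application is ASP.NET.

```python
from __future__ import annotations
from http.cookies import SimpleCookie


def hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header value, or -1 if missing or invalid."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Check one response's headers against the mitigations above.
    Returns a list of findings; an empty list means nothing was missing."""
    findings: list[str] = []
    hsts_seen = False
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                if not morsel["secure"]:       # would also be sent over plain http
                    findings.append(f"cookie {key} lacks Secure")
                if not morsel["httponly"]:     # readable by injected script (XSS)
                    findings.append(f"cookie {key} lacks HttpOnly")
        elif name.lower() == "strict-transport-security":
            hsts_seen = True
            if hsts_max_age(value) <= 0:       # max-age=0 switches HSTS off again
                findings.append("HSTS max-age is zero or invalid")
    if not hsts_seen:
        findings.append("missing Strict-Transport-Security header")
    return findings


# Constructed responses: the weak one as many apps ship by default, and the fixed one.
WEAK_HEADERS = [("Content-Type", "text/html"),
                ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/")]
FIXED_HEADERS = [("Content-Type", "text/html"),
                 ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly"),
                 ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    print(audit_response(WEAK_HEADERS))
    print(audit_response(FIXED_HEADERS))
```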

Page 13: Common Exploits

Cross Site Request Forgery (CSRF)

Page 14: Common Exploits

Cross Site Request Forgery

What is it?
◦ While a user is authenticated into the target website (e.g. a banking website), the user visits another website (injection website) that is under the control of an attacker, or a site (including the target site) that contains a vulnerability that the attacker can exploit.

Page 15: Common Exploits

CSRF Tools

How can we attack it?
◦ Pinata.py (http://code.google.com/p/pinata-csrf-tool/)
Assists with the explanation of Cross Site Request Forgery and how a vulnerable application can be exploited.
◦ CSRF Tool (http://homakov.github.io/)

Page 17: Common Exploits

CSRF Mitigation

How can we prevent it?
◦ Use a random token on every post.
◦ Server-side must check it before processing the request.
◦ If any POST endpoint lacks it, something is clearly wrong.
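As an added example (not from the slides or from Cypress Data Defense), the three points above in Python: a random token is issued into the session, every form carries it, and the server rejects any POST whose token is missing or wrong before doing anything else. The session and request dicts, and the field name csrf_token, are stand-ins for a real framework.

```python
import hmac
import secrets


def issue_token(session: dict) -> str:
    """Create the session's anti-CSRF token on first use; the server embeds it
    in every form as a hidden field (field name 'csrf_token' is an assumption)."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(session: dict, request: dict) -> bool:
    """Server-side check that must run before any POST is processed.
    request is a stand-in dict: {'method': ..., 'form': {...}}."""
    if request.get("method", "GET").upper() != "POST":
        return True             # only state-changing (POST) requests carry a token
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token")
    if not expected or not supplied:
        return False            # a POST without a token is the "clearly wrong" case
    # constant-time comparison so the check itself leaks nothing about the token
    return hmac.compare_digest(expected, supplied)


def handle_transfer(session: dict, request: dict) -> tuple:
    """A state-changing endpoint: refuse before touching any business logic."""
    if not csrf_check(session, request):
        return 403, "CSRF token missing or invalid"
    amount = request["form"].get("amount", "0")
    return 200, f"transferred {amount}"


if __name__ == "__main__":
    sess = {"user": "alice"}
    token = issue_token(sess)
    # A request forged from another origin cannot include the token, because
    # that origin cannot read the victim's page or session.
    forged = {"method": "POST", "form": {"amount": "100"}}
    legit = {"method": "POST", "form": {"amount": "100", "csrf_token": token}}
    print(handle_transfer(sess, forged))
    print(handle_transfer(sess, legit))
```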

Page 18: Common Exploits

Session Fixation

Page 19: Common Exploits

Session Fixation

Permits an attacker to hijack a valid user session. When authenticating a user, the web application doesn’t assign a new session ID, making it possible to keep using a session ID that already existed before login.

Page 20: Common Exploits

Session Fixation Tools

How do we attack it?
◦ XSS
◦ MITM
◦ BlackSheep
◦ FireSheep

Page 21: Common Exploits

Session Fixation Demo

Perform a GET of the site
Login
Ensure that the Session ID changes

Page 22: Common Exploits

Session Fixation Mitigation

How do we prevent it?
◦ Clear the session on login/logout
◦ Generate a new session ID on login/logout
◦ Remove the session cookie on logout
◦ Log the user out
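As an added example (not from the slides or from Cypress Data Defense), a minimal Python session store that applies the mitigations above, a deliberately fixable variant for contrast, and the demo slide's check (GET, log in, confirm the session ID changed) written as a function. The store, the user name and the cookie handling are assumptions.

```python
import secrets


class SessionStore:
    """Server-side sessions keyed by the ID carried in the session cookie."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def login(self, old_sid: str, user: str) -> str:
        """Mitigation: clear the pre-login session and issue a brand-new ID, so
        an ID known before authentication never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid        # the caller sets this ID in a fresh session cookie

    def logout(self, sid: str) -> None:
        """Remove the session server-side; the response should also expire the cookie."""
        self._sessions.pop(sid, None)


class FixableStore(SessionStore):
    """The flaw described on the slide: login keeps whatever session ID arrived."""

    def login(self, old_sid: str, user: str) -> str:
        self._sessions.setdefault(old_sid, {})["user"] = user
        return old_sid


def fixation_check(store: SessionStore) -> bool:
    """The demo steps: GET (receive an ID), log in, then confirm the ID changed
    and that the pre-login ID no longer resolves to the authenticated session."""
    pre_login = store.new_session()             # ID handed out on the first GET
    post_login = store.login(pre_login, "alice")
    return (post_login != pre_login
            and store.get(pre_login) is None
            and store.get(post_login) == {"user": "alice"})


if __name__ == "__main__":
    print("regenerating store passes:", fixation_check(SessionStore()))
    print("fixable store passes:", fixation_check(FixableStore()))
```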

Page 23: Common Exploits

Cross-Site Scripting (XSS)

Page 24: Common Exploits

Cross-Site Scripting (XSS)

What is it?
◦ Cross-Site Scripting attacks occur when malicious scripts are injected into otherwise benign and trusted web sites. An attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Page 25: Common Exploits

XSS Tools

How can we attack it?
◦ XSSer (http://xsser.sourceforge.net/)
Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
◦ XSS Me (ff)
◦ XSS-Proxy (http://xss-proxy.sourceforge.net/)
XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool. The documents, tools and other content on this site assume you have a basic understanding of XSS issues and existing exploitation methods. If you are not familiar with XSS, then I recommend you check out the primer links/docs below to get a better idea of what XSS is and how to detect it, fix it, and exploit it.

Page 26: Common Exploits

XSS Demo

http://homakov.github.io/stealpass.html
javascript:alert(pass.value)

Page 27: Common Exploits

XSS Mitigation

How do we prevent it?
◦ Validate the user input
◦ Remove or encode special characters
◦ Encode it before it is displayed
◦ Use an Anti-XSS library
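As an added example (not from the slides or from Cypress Data Defense), output encoding per context in Python. html.escape stands in for the Anti-XSS library and covers text and attribute values, but the javascript: URL from the demo slide survives HTML encoding unchanged, so href values also need a scheme allow-list. The comment renderer and its inputs are constructed.

```python
import html
from urllib.parse import urlsplit


def encode_text(value: str) -> str:
    """HTML text or attribute-value context: encode before display."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """URL attribute context: encoding alone leaves 'javascript:alert(...)'
    intact, so allow only http(s) or same-site paths, then encode."""
    parts = urlsplit(url.strip())           # urlsplit lower-cases the scheme
    if parts.scheme in ("http", "https"):
        return encode_text(url)
    if parts.scheme == "" and parts.netloc == "" and url.startswith("/"):
        return encode_text(url)             # relative path such as /Product.aspx?id=3
    return "#"                              # javascript:, data:, //host, ...


def render_comment(author: str, text: str, homepage: str) -> str:
    """Every untrusted value passes through the encoder for its own context."""
    return (f'<p><a href="{safe_href(homepage)}">{encode_text(author)}</a>: '
            f'{encode_text(text)}</p>')


if __name__ == "__main__":
    # Constructed inputs; the javascript: URL is the form used on the demo slide.
    print(render_comment("mallory", "<script>alert(1)</script>",
                         "javascript:alert(pass.value)"))
```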

Page 28: Common Exploits

Questions?