
Slide 1: (System) Integrity attacks
System Abuse, Malicious File upload, SQL Injection

Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

Igino Corona
igino.corona (at) diee.unica.it

Computer Security, April 9, 2018
http://pralab.diee.unica.it

Slide 2: Practical session - setup

• Target Configuration
  (Diagram: Browser -> Zed Attack Proxy -> Internet)


Slide 3: Practical session - setup

• In your host machine
  1. Install Zed Attack Proxy (ZAP): https://github.com/zaproxy/zaproxy/wiki/Downloads
  2. Make sure that ZAP listens @ 127.0.0.1:8080

Slide 4: Practical session - setup

• In your host machine
  1. Go to Settings->Dynamic SSL certificates
  2. Save the ZAP root CA (owasp_zap_root_ca.cer) within a folder of your choice


Slide 5: Practical session - setup

• From your host machine
  1. Open your browser (Firefox): Preferences->Security&Privacy->Certificates->Authorities
  2. Open owasp_zap_root_ca.cer
  3. Trust the ZAP CA for web sites

Slide 6: Practical session - setup

• From your host machine
  1. Install Firefox - Web Browser: https://www.mozilla.org/it/firefox/new/
  2. Open your browser (Firefox)
  3. Settings->General->Proxy server->Settings


Slide 7: Practical session - setup

• From your host machine
  1. Open your browser (Firefox)
  2. Settings->Advanced->Network->Settings

Slide 8: Practical session - setup

• From your host machine
  1. Open your browser (Firefox)
  2. Go to an HTTPS-enabled site (e.g. Google)


Slide 9: Information System Security

Main Security Goals
– Confidentiality
  • ensure that (sensitive) information is disclosed to authorized parties only
– Integrity
  • prevent unauthorized modification of data (data integrity), including system code and (ab)use of system functionalities (system integrity)
– Availability
  • guarantee that data and services can be accessed (in a reasonable time) by authorized parties when requested

NOTE: Violations in one category may enable violations in any other category! Examples:
• Password theft (confidentiality violation) may allow attackers to perform unauthorized modifications of user data (data integrity violation)
• A buffer overflow attack (system integrity violation) may allow attackers to gather private data (confidentiality violation)

Key aspects:
• authentication
• access control

Slide 10: Integrity Attacks - Practical session

• (System) Integrity Attacks
  – Legitimate inputs, malicious goals
• Application-specific: not covered by TOP 10 OWASP
  – There are at least four TOP 10 threats that exploit Data->Code vulnerabilities
    • A1:2017 - Injection
    • A4:2017 - XML External Entities (XXE)
    • A7:2017 - Cross-Site Scripting (XSS)
    • A8:2017 - Insecure Deserialization
• In this lesson we will focus on
  – Real-world abuse of web services with legitimate inputs
  – A1:2017 Injection


Slide 11: Legitimate inputs, Malicious goals

https://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwi3nrfSrvjZAhXMOBQKHacfAFIQFggnMAA&url=http%3A%2F%2Fpralab.diee.unica.it%2F&usg=AOvVaw0lfLJwt5lit4axL3uWkXHq

(Screenshot) REAL-WORLD PHISHING EMAIL AGAINST APPLE USERS!

Slide 12: Legitimate inputs, Malicious goals

• Google Redirect Service
  – Google business: track users who click on search results
  – Cybercriminal business: evade spam filters, by masquerading a (google-indexed) malicious/compromised URL
    • https://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwi3nrfSrvjZAhXMOBQKHacfAFIQFggnMAA&url=http%3A%2F%2Fpralab.diee.unica.it%2F&usg=AOvVaw0lfLJwt5lit4axL3uWkXHq


Slide 13: Legitimate inputs, Malicious goals

To protect against such attacks Google might add the following security requirements
– check the Referer header (it should be a valid Google search result URL)
  • Legitimate inputs must provide a valid Referer
– malicious URLs might be de-indexed/blacklisted
  • Legitimate inputs must not involve a blacklisted URL
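The two checks proposed above, written out as a redirect-endpoint policy. This is an added example, not Google's code: the host names, the "/search" result path and the deny list are assumptions; the only input taken from the slides is the redirect URL.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed values: our own search hosts, the path of a result page, a deny list.
OWN_HOSTS = {"www.google.it", "www.google.com"}
SEARCH_PATH = "/search"
DENYLISTED_HOSTS = {"bad.example"}            # constructed entry

# The redirect URL shown on the slide (its url= parameter points to the lab site).
SLIDE_URL = ("https://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja"
             "&uact=8&ved=0ahUKEwi3nrfSrvjZAhXMOBQKHacfAFIQFggnMAA"
             "&url=http%3A%2F%2Fpralab.diee.unica.it%2F&usg=AOvVaw0lfLJwt5lit4axL3uWkXHq")

def _host(url):
    """Lower-cased hostname of url, or None when it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None

def target_from_redirect_url(redirect_url):
    """The 'url' query parameter of a /url?...&url=... request, or None."""
    values = parse_qs(urlsplit(redirect_url).query).get("url")
    return values[0] if values else None

def redirect_decision(referer, target):
    """Return (allowed, reason) for a redirect request."""
    # check 1: the click must come from one of our own search result pages
    if not referer:
        return False, "missing Referer"
    if _host(referer) not in OWN_HOSTS or not urlsplit(referer).path.startswith(SEARCH_PATH):
        return False, "Referer is not a search result page"
    # check 2: the destination must be a web URL whose host is not blacklisted
    if target is None:
        return False, "missing url parameter"
    if urlsplit(target).scheme not in ("http", "https"):
        return False, "non-web scheme"
    host = _host(target)
    if host is None:
        return False, "unparseable target"
    if host in DENYLISTED_HOSTS or any(host.endswith("." + d) for d in DENYLISTED_HOSTS):
        return False, "target host is blacklisted"
    return True, "ok"

if __name__ == "__main__":
    target = target_from_redirect_url(SLIDE_URL)
    print(target, redirect_decision("https://www.google.it/search?q=pralab", target))
```

Note that browsers may strip the Referer (privacy settings, cross-scheme navigation), so the first check also turns away some legitimate clicks; that trade-off is the service provider's to make.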

Slide 14: Legitimate inputs, Malicious goals

https://www.httpdebugger.com/tools/ViewHttpHeaders.aspx

Legitimate business: HTTP debugger
Malicious business: unconventional web proxy


Slide 15: Legitimate inputs, Malicious goals

http://www.rexswain.com/httpview.html

Slide 16: Legitimate inputs, Malicious goals

Take away: the same technical function can be used for different business goals
– Legitimate (Service Provider)
– Malicious (Cybercriminals)
– App-specific: Not covered by OWASP TOP 10!
– Once abuse is detected, attack protection is typically achieved by service providers adding security checks to better describe how legitimate inputs are
– Take away: think about how the intended functionalities of your web applications can be abused, even if inputs are legitimate!


Slide 17: Practical session with OWASP BWA

OWASP Broken Web Applications Project
1. Install Virtualbox: https://www.virtualbox.org/
2. Download the OVA archive: https://sourceforge.net/projects/owaspbwa/files/1.2/
3. Import the OVA archive into VirtualBox

Slide 18: Practical session

• Vulnerable services setup
  – Setup NAT (port forwarding) rule. Make sure that the Guest IP is correct; it should be displayed in the OWASP BWA shell at startup


Slide 19: Practical session

• From your host machine
  1. Open your browser (Firefox)
  2. Go to http://127.0.0.1:8888

Slide 20: OWASP WebGoat

• Very useful training application by OWASP


Slide 21: Confidentiality

– An authentication request should appear
– On ZAP you can see a request such as

Slide 22: Confidentiality

The following is a successful (authorized) request on the web server.

  GET http://127.0.0.1:8888/WebGoat/attack HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 17.1; WOW64; rv:132.0) Gecko/20100105 Firefox/60.2
  Accept: text/html,application/xhtml+xml […]
  Accept-Language: it,en;q=0.8,it-IT;q=0.5,en-US;q=0.3
  Referer: http://127.0.0.1:8888/
  Cookie: sid=Fe26.2**2df5243289 […]
  Upgrade-Insecure-Requests: 1
  Authorization: Basic cm9vdDpvd2FzcGJ3YQ==
  Connection: keep-alive
  Host: 127.0.0.1:8888

What about its confidentiality? It is not handled! The underlying protocol is HTTP and all data is transferred in clear text through TCP.

What about its authentication? It is handled through the Authorization header (Basic Authentication).


Slide 23: Confidentiality

Authorization: Basic cm9vdDpvd2FzcGJ3YQ==

Exercise: what are the credentials associated with the previous header?

Basic authentication transfers username and password in clear text! The Authorization field is constructed as follows:
• The username and password are combined with a single colon (:)
• The resulting string is encoded into an octet sequence
• The resulting string is encoded using a variant of Base64
• The authorization method and a space (e.g. "Basic ") are then prepended to the encoded string

Let's execute some code. Open a shell, and launch the python interpreter:

  $ python
  >>> import base64
  >>> base64.b64decode("cm9vdDpvd2FzcGJ3YQ==")

Slide 24: Confidentiality

  $ python
  >>> import base64
  >>> base64.b64decode("cm9vdDpvd2FzcGJ3YQ==")
  'root:owaspbwa'

OK, we now have the credentials to access WebGoat!
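The construction described on the previous slide, carried through in both directions: building a Basic header from credentials and recovering the credentials from a captured one. This is an added example, not code from the slides; the function names are ours, and the only slide input is the header captured by ZAP.

```python
import base64
import binascii

def build_basic_header(username, password, encoding="utf-8"):
    """user ':' password -> octets -> Base64 -> 'Basic ' + token (the slide's four steps)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")  # RFC 7617 forbids it
    token = base64.b64encode(f"{username}:{password}".encode(encoding))
    return "Basic " + token.decode("ascii")

def parse_basic_header(value, encoding="utf-8"):
    """Recover (username, password) from an Authorization value, or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None                      # not Base64 at all
    user_pass = raw.decode(encoding, errors="replace")
    # Only the FIRST colon separates the fields: a password may itself contain ':'
    username, sep, password = user_pass.partition(":")
    if not sep:
        return None
    return username, password

if __name__ == "__main__":
    # the header captured by ZAP on the slide; no secret is needed to read it back
    print(parse_basic_header("Basic cm9vdDpvd2FzcGJ3YQ=="))
```

Anyone who can read the request (plain HTTP, a proxy, a log file that stores headers) can run the second function, which is why the slides insist on enforcing HTTPS.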


Slide 25: How do I protect against Confidentiality violations?

• Data should be exchanged using:
  – HTTPS with strong ciphers and additional headers for security: https://cipherli.st
  – SSL certificate with trusted Certificate Authorities
    • No excuses! You can get them for free using https://letsencrypt.org
  – HTTPS must be enforced
• However, preserving data confidentiality is not just a matter of data transport
  – How is it stored and how can it be accessed (including backups)?
  – Authentication and access control

Slide 26: OWASP WebGoat

• From the left menu
  – Malicious Execution->Malicious File Execution
  – The page allows one to upload/display (read) an image


Slide 27: OWASP WebGoat

• Let's check out requests and responses in ZAP
  – To understand what the backend web application interpreter is

Our first guess is that there is a JavaServer Pages (JSP) interpreter

Slide 28: OWASP WebGoat

• In JSP (like PHP), programs are written within files that are read and interpreted at runtime
  – Any file with a name which ends with a specific extension (e.g., .jsp) is executed by the interpreter
  – Key security question:
    • does the application check the extension and content of the uploaded files?
• Let's try to upload a file browser program written in JSP…
  • http://www.vonloesch.de/files/browser.zip
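The key security question above, answered in code: what an image-upload routine has to check before it stores anything, and why a server-chosen name in a non-executable directory matters more than the name check alone. This is an added example, not WebGoat's code; the directory path and the function names are assumptions.

```python
import os
import secrets

# Allowed extension -> leading bytes ("magic number") the content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
UPLOAD_DIR = "/srv/uploads"   # assumed: outside the web root, nothing here is ever interpreted

def check_upload(filename, content):
    """Return (ok, reason): both the claimed extension and the bytes must say 'image'."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()  # basename drops ../ parts
    if ext not in ALLOWED:
        return False, "extension not allowed"          # .jsp, .php, ... never get this far
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"

def stored_name(filename):
    """Server-chosen name: random, never the client's; only an allowed extension survives."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + (ext if ext in ALLOWED else ".bin")

def store_path(filename):
    """Where the file goes. A header check alone is not enough (a JSP source with a
    PNG header prepended passes it), so the decisive control is that UPLOAD_DIR is
    not served through the application interpreter."""
    return os.path.join(UPLOAD_DIR, stored_name(filename))

# Constructed inputs: a PNG header and the first line of a JSP source file.
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JSP_TEXT = b'<%@ page import="java.io.*" %>'

if __name__ == "__main__":
    print(check_upload("browser.jsp", JSP_TEXT), check_upload("logo.png", PNG_HEAD))
```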


Slide 29: OWASP WebGoat

• Oh… we were able to upload the JSP file...
  – Let's execute it (right click, view image)

Slide 30: OWASP WebGoat

• Oh... The JSP file is actually executed and gives us a full-featured file browser, with read/write permissions on the filesystem!


Slide 31: A6:2010 Malicious File Execution

Targets: file (up)load routine of the web application
Interpreter: web application server (typically)
An insecure handling of external/uploaded files allows the attacker to convert input data into (arbitrary) application code

(Diagram: HTTP(S) Client [HTML, CSS, Images, JavaScript, Flash, Silverlight, PDF Reader] and HTTP(S) server [Application, Database]; the external file (up)load routine is the target)

Slide 32: Wordpress

• Let's play with Wordpress


Slide 33: Wordpress

• OK, it appears that we are in front of WP 2.0
  – Plugin Spreadsheet v0.6 as well as MyGallery 1.2.1 installed

Slide 34: Wordpress

• Let's find a suitable exploit


Slide 35: Wordpress

• OWASP TOP A1-2013
  – Found SQL Injection exploit for plugin spreadsheet v.0.6
    • https://www.exploit-db.com/exploits/5486/

Slide 36: Wordpress

• You may launch the exploit using your browser
  – http://localhost:8888/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain

(Screenshot annotation: password hash)

NOTE: no errors on the DB side. Why?
Because we injected the SQL query so that it generates one more row,
- containing exactly the expected number of columns (4 in this case)
- putting in the string field (n. 2) the char-separated (0x3a) concatenation of the desired info (user_login, user_pass, user_email)
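The same ss_load lookup written the vulnerable way (string concatenation) next to the hardened way (integer validation plus a bound parameter), so the "one more row with the expected number of columns" effect can be seen on a constructed in-memory database. This is an added example, not the wpSS plugin's code; the table layout is invented, and the slide's payload is rewritten from MySQL concat(...,0x3a,...) to SQLite's || operator.

```python
import sqlite3

def make_db():
    """Constructed schema: a 4-column spreadsheet table and a users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_ss (ss_id INTEGER, ss_title TEXT, c3 INTEGER, c4 INTEGER);
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT, user_email TEXT);
        INSERT INTO wp_ss VALUES (1, 'Budget 2018', 0, 0);
        INSERT INTO wp_users VALUES ('admin', '<hash-placeholder>', 'admin@example.org');
    """)
    return db

def load_vulnerable(db, ss_id):
    """Concatenation: whatever the client sent as ss_id becomes part of the SQL."""
    return db.execute("SELECT * FROM wp_ss WHERE ss_id=" + ss_id).fetchall()

def load_safe(db, ss_id):
    """1) ss_id must be an integer, 2) it travels as a bound parameter, never as SQL."""
    try:
        ss_id = int(ss_id)
    except ValueError:
        raise ValueError("ss_id must be an integer") from None
    return db.execute("SELECT * FROM wp_ss WHERE ss_id=?", (ss_id,)).fetchall()

# The slide's ss_id value (URL-decoded), with concat/0x3a rewritten for SQLite:
# the first SELECT matches nothing (1=0) and the UNION appends one 4-column row.
PAYLOAD = ("1 and (1=0) union select 1,user_login||':'||user_pass||':'||user_email,3,4 "
           "from wp_users--")

if __name__ == "__main__":
    db = make_db()
    print(load_vulnerable(db, PAYLOAD))   # users row, no DB error
    print(load_safe(db, "1"))             # the spreadsheet row only
```

Note that the injected query succeeds without an error because column count and types line up; a WAF or error log sees nothing, which is why the fix belongs in the query API, not in error handling.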


Slide 37: Wordpress

• Let's find out the password through bruteforce
  – We can use an online webservice: https://crackstation.net
  – In a more realistic case, attackers may use "offline" tools such as John The Ripper: http://www.openwall.com/john/

Slide 38: Wordpress

• Now that we have both username and password
  – The login URL for wordpress is at /wp-login.php


Slide 39: Wordpress

• We are in (with administrative privileges)
  – The website is now 0wned by us (the end)

Slide 40: A1 2013 - SQL Injection

Targets: insecure API between web application and database
Interpreter: DataBase backend
An insecure API between Application and Database allows the attacker to convert input data into (arbitrary) DB Queries

(Diagram: HTTP(S) Client [HTML, CSS, Images, JavaScript, Flash, Silverlight, PDF Reader] and HTTP(S) server [Application, Database]; the DB access API is the target)