- Discuss other important attack vectors, not limited to Web Applications
- Practical screen-casts that show how attackers exploit common flows
- Understand the impact of these threats on your privacy, data and identity
1. Secure Programming and Common Errors, PART II
brought to you by Michele "AntiSnatchOr" Orrù and Integrating Web LTD
Computer System Security course led by Prof. Ozalp Babaoglu
9 December 2009
1
2. http://www.integratingweb.com http://antisnatchor.com
Who am I?
- Director and CSO of Integrating Web LTD
- Bachelor Degree in Internet Sciences
- Independent Security Researcher
- Owner of http://antisnatchor.com security advisory blog
- JEE developer
3. Seminar outline (part II)
- Discuss other important attack vectors, not limited to Web Applications
- Practical screen-casts that show how attackers exploit common flaws
- Understand the impact of these threats on your privacy, data and identity
4. What we will discuss:
- CWE-22: Path Traversal + screen-cast
- CWE-89: Failure to Preserve SQL Query Structure (SQL injection) + screen-cast
- CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-casts
- Appendix: do you think HTTPS is secure? Not completely true…
5. CWE-22: Path Traversal
Many applications read from or write to the file system using user-supplied parameters that specify the file or the operation.
If these parameters are not validated (and the application is not chrooted/jailed), an attacker can manipulate them (typically with "../" sequences, plain or URL-encoded) to read or write sensitive files anywhere on the OS.
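The following is an added example, not code from the seminar or from any of the applications it discusses. It shows why a blacklist on "../" is not validation: the naive resolver below is bypassed by an encoded or doubled payload, while the hardened resolver decodes once, canonicalises with realpath() and then checks containment in the document root. The document root "/var/www/html" and all payload strings are constructed for the demo.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed document root for the demo; it need not exist on disk, because
# os.path.realpath() also normalises paths that do not exist yet.
DOC_ROOT = "/var/www/html"


def naive_resolve(doc_root, user_param):
    """The vulnerable pattern: strip '../' from the raw (still URL-encoded)
    parameter once, then glue the result onto the document root."""
    cleaned = user_param.replace("../", "")
    return posixpath.normpath(doc_root + "/" + unquote(cleaned))


def safe_resolve(doc_root, user_param):
    """Decode once, canonicalise, then check that the result is still inside
    the document root. Returns the canonical path, or None on traversal."""
    decoded = unquote(user_param)            # the single decode a web server applies
    if "\x00" in decoded:                    # a NUL would truncate the name in C-level calls
        return None
    decoded = decoded.replace("\\", "/")     # IIS/Windows also accepts backslash as separator
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath() compares whole components, so "/var/www/html2" is not
    # mistaken for something under "/var/www/html" (a startswith() check would be).
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


PAYLOADS = [                                 # constructed test inputs
    "docs/index.html",                       # legitimate request
    "../../../etc/passwd",                   # plain traversal, caught by the blacklist
    "....//....//....//etc/passwd",          # one strip of "../" turns this into ../../../
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",       # encoded dots: the blacklist never sees "../"
    "docs/..%5c..%5c..%5cetc/passwd",        # backslashes, relevant for the IIS case above
    "index.html%00.jpg",                     # NUL truncation
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:36} naive={naive_resolve(DOC_ROOT, p)!r:40} safe={safe_resolve(DOC_ROOT, p)!r}")
```

Run it and compare the two columns: the naive resolver lets the doubled and the percent-encoded payloads reach /etc/passwd, while the hardened one returns None for every traversal attempt and still serves the legitimate file. Note that the doubled "....//" payload is harmless to safe_resolve() precisely because nothing is stripped before canonicalisation.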
6. CWE-22: Example: www.essedi.it
Credits: antisnatchor
- Path traversal vulnerability in the ONERROR parameter
- The HTML file requested as the value of ONERROR can be manipulated to retrieve files not owned by IIS (outside the web root)
9. CWE-89: SQL Injection
If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit.
Thanks to Bernardo for sqlmap: http://sqlmap.sourceforge.net
- Open source, written in Python
- Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server
- Metasploit plugin to exploit MS09-004 (Microsoft SQL Server 2000/2005 heap-based buffer overflow)
10. CWE-89: Example: www.dm.unibo.it
Credits: antisnatchor
- Confirmed unescaped numeric injection in the GET parameter "anno" (patched many months ago)
- We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0
- For demonstration we retrieved the exact name of the database the web app is bound to: dipartimento
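An added example (not the seminar's code and not the dm.unibo.it application) that reproduces the class of bug above on a constructed SQLite table: a numeric "anno" parameter inlined into the query needs no quote to break out, a boolean trick returns every row, and a UNION with a function call fingerprints the database engine, which is how version and database name are obtained in practice. The table, rows and function names are assumptions for the demo; on MySQL the equivalent fingerprint calls would be version() and database().

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the real database (rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE publications (title TEXT, anno INTEGER)")
    conn.executemany("INSERT INTO publications VALUES (?, ?)",
                     [("Paper A", 2008), ("Paper B", 2009), ("Paper C", 2009)])
    return conn


def titles_vulnerable(conn, anno):
    """Numeric parameter inlined into the query text (CWE-89). Because the
    value is unquoted, the attacker needs no quote character to break out."""
    sql = "SELECT title FROM publications WHERE anno = %s" % anno
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, anno):
    """Whitelist the type, then bind the value: the query structure is fixed."""
    try:
        year = int(anno)
    except (TypeError, ValueError):
        raise ValueError("anno must be an integer")
    return [row[0] for row in conn.execute(
        "SELECT title FROM publications WHERE anno = ?", (year,))]


def demo():
    conn = build_db()
    results = {
        "normal": titles_vulnerable(conn, "2009"),
        # Boolean trick: the WHERE clause is always true, every row comes back.
        "or_1_1": titles_vulnerable(conn, "2009 OR 1=1"),
        # Fingerprinting: a UNION that selects a function instead of a column.
        # On MySQL the calls of interest are version() and database().
        "version": titles_vulnerable(conn, "0 UNION SELECT sqlite_version()"),
        "safe_normal": titles_safe(conn, "2009"),
    }
    try:
        titles_safe(conn, "2009 OR 1=1")
        results["safe_rejects_injection"] = False
    except ValueError:
        results["safe_rejects_injection"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The int() check is the whitelist step; the "?" placeholder is the binding step. Either alone is weaker: binding without the type check still works here, but keeping the check makes the contract explicit and rejects garbage early instead of letting the driver coerce it.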
11. CWE-89: www.dm.unibo.it Screen-Cast
13. CWE-79: The Plague of Cross Site Scripting
When a page with our malicious code is accessed by other users, their browsers execute our script in their context (their session and origin, hence their cookies and data).
Really difficult to create a powerful anti-XSS filter:
- Multiple data encodings to handle
- Data truncation to handle
- New vectors (CSS, JSON, XUL)
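An added example, not from the seminar, that illustrates why a filter is the wrong tool and context-aware output encoding is the right one. The blacklist filter below is bypassed by a nested tag and by an event-handler vector it never looks for; the three encoders cover the three output contexts of a constructed profile page (HTML body, quoted attribute, JSON inside a script block), and the JSON case shows the "new vector" the slide mentions: json.dumps() alone leaves "<" untouched, so a "</script>" in the data would close the script block. The page fragment and field names are assumptions for the demo.

```python
import html
import json
import re


def naive_filter(untrusted):
    """Blacklist filter of the kind the slide warns against: strip '<script>'."""
    return re.sub(r"<script>", "", untrusted, flags=re.IGNORECASE)


def encode_for_html_body(untrusted):
    """Text between tags: &, <, > become entities."""
    return html.escape(untrusted, quote=False)


def encode_for_html_attribute(untrusted):
    """Quoted attribute value: both quote characters must be encoded as well."""
    return html.escape(untrusted, quote=True)


def encode_for_js_literal(value):
    """Value embedded in a <script> block as a JS/JSON literal.
    json.dumps() escapes quotes and control characters but leaves '<' alone,
    so '</script>' inside the data would still terminate the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_profile(name, bio):
    """Constructed page fragment with three output contexts, each encoded for
    its own context; one generic filter cannot serve all three correctly."""
    return (
        f'<div title="{encode_for_html_attribute(name)}">'
        f"<h1>{encode_for_html_body(name)}</h1>"
        f"<p>{encode_for_html_body(bio)}</p></div>\n"
        f"<script>var profile = {encode_for_js_literal({'name': name, 'bio': bio})};</script>"
    )


if __name__ == "__main__":
    print(naive_filter("<scr<script>ipt>alert(1)</script>"))   # filter reassembles the tag
    print(naive_filter("<img src=x onerror=alert(1)>"))         # filter never looked for this
    print(render_profile('"><script>alert(1)</script>', "</script><script>alert(2)</script>"))
```

The first two prints show the blacklist failing; the rendered fragment shows the same payloads rendered inert in all three contexts. Adding a fourth context (a URL, a CSS value) means adding a fourth encoder, never loosening an existing one.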
14. CWE-79: Example 1: KonaKart (www.konakart.com)
Credits: antisnatchor
- KonaKart is a free Java-based web application to manage e-commerce websites
- Stored XSS has been found and verified in the backend
- More info here: http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/
- Let's see how we can exploit it
16. CWE-79: Example 2: WMSmonitor
Credits: antisnatchor
- Internal Penetration Test at INFN (National Institute of Nuclear Physics)
- WMSmonitor is the monitor of the Workload Management System (which distributes job execution between multiple Computing Elements on a Grid infrastructure)
- Some serious flaws have been identified:
  - Insecure handling of X.509 client certificates
  - Reflected XSS
  - TRACE method enabled
- Let's see how we can take full control of the victim's browser
20. Appendix: do you think HTTPS is secure?
- SSL/TLS are cryptographically secure (RSA/DSA, symmetric encryption)
- But they have well-known limitations and security flaws
- In practice, deployments suffer from MITM attacks and network protocol manipulation
- Some aspects such as OCSP and the different implementations (OpenSSL, Mozilla NSS) are flawed
21. Appendix: HTTPS insecurity
Latest research of Moxie Marlinspike (http://www.thoughtcrime.org)
- sslstrip: it transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links
- It is used with the same setup as the old certificate-injection method: ARP spoofing + traffic redirection + sniffing
- Or, for remote sniffing, by altering BGP routing tables on routers
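An added, didactic model of the rewriting sslstrip performs, written for this page; it is not the tool's own code and does no networking. It shows the two directions of the trick: server-to-victim, redirects to https://, links in the body and the Secure flag on cookies are downgraded; victim-to-server, requests for hosts that were downgraded are upgraded back to HTTPS so the real server sees nothing unusual. The bank.example exchange, headers and cookie are constructed.

```python
import re
from urllib.parse import urlsplit

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+")


class StripProxy:
    """Model of the sslstrip rewriting logic: towards the server it speaks
    HTTPS, towards the victim everything is rewritten to plain HTTP."""

    def __init__(self):
        self.stripped_hosts = set()   # hosts whose links we have downgraded

    def _downgrade(self, url):
        self.stripped_hosts.add(urlsplit(url).hostname)
        return "http://" + url[len("https://"):]

    def rewrite_response(self, status, headers, body):
        """Server -> victim direction: fix up redirects, cookies and links."""
        headers = dict(headers)
        loc = headers.get("Location", "")
        if loc.lower().startswith("https://"):
            headers["Location"] = self._downgrade(loc)   # 301/302 to https:// becomes http://
        # A cookie marked Secure would never be sent back over plain HTTP,
        # so the flag is removed too, otherwise the victim's session breaks.
        if "Set-Cookie" in headers:
            headers["Set-Cookie"] = re.sub(r";\s*Secure", "", headers["Set-Cookie"], flags=re.I)
        body = HTTPS_URL.sub(lambda m: self._downgrade(m.group(0)), body)
        return status, headers, body

    def upstream_url(self, victim_url):
        """Victim -> server direction: the victim asks for http://, but if we
        downgraded that host we must talk HTTPS to the real server."""
        parts = urlsplit(victim_url)
        if parts.scheme == "http" and parts.hostname in self.stripped_hosts:
            return "https://" + victim_url[len("http://"):]
        return victim_url


def demo():
    proxy = StripProxy()
    # Constructed exchange: the bank redirects its http:// front page to https://
    redirect = proxy.rewrite_response(302, {"Location": "https://bank.example/login"}, "")
    # ...and the login page itself sets a Secure cookie and links to https:// resources.
    page = proxy.rewrite_response(
        200,
        {"Set-Cookie": "session=abc; Secure; HttpOnly"},
        '<form action="https://bank.example/do_login"><a href="https://bank.example/help">?</a>',
    )
    return {
        "redirect_location": redirect[1]["Location"],
        "page_body": page[2],
        "cookie": page[1]["Set-Cookie"],
        "upstream": proxy.upstream_url("http://bank.example/do_login"),
        "untouched": proxy.upstream_url("http://news.example/"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The victim's only visible cue is the scheme in the address bar, which is exactly why the next slide's observation about users clicking through warnings matters: here there is no warning at all, because no certificate is ever presented to the victim.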
22. Appendix: HTTPS insecurity
Old exploit method (still useful): MITM and fake certificate injection
- ARP spoofing
- IP forwarding
- Sniffing
- webmitm
Cons: the victim will see that the certificate is not valid (BTW, almost none of you pay attention to Firefox's warnings about certificate problems)
Press OK … That's FINE