SlideShare une entreprise Scribd logo
1  sur  44
Télécharger pour lire hors ligne
Secure Programming and!
          Common Errors!
               PART I

brought to you by Michele “AntiSnatchOr” Orrù
           and Integrating Web LTD
  Computer System Security course lead by Prof. Ozalp Babaoglu
                      3 December 2009



                                                                  1

h$p://www.integra1ngweb.com
        h$p://an1snatchor.com





Who am I?
  irector and CSO of Integrating Web LTD
 D
  achelor Degree in Internet Sciences
 B
  ndependent Security Researcher
 I
  wner of http://antisnatchor.com security
 O
 advisory blog
  EE developer

 J




                                                               Outline
                                                               2 of 44
h$p://www.integra1ngweb.com
           h$p://an1snatchor.com





Seminar outline (part I)
  iscuss the most relevant SANS top 25
 D
 errors that concern Web Applications




                                                                  Seminar outline (part I)
  ractical demonstrations of some
 P
 vulnerable Real World web applications
 (my totally independent security research)

  nderstand the impact of these threats
 U
 on the most valuable web-app assets

                                                                    3 of 44
h$p://www.integra1ngweb.com
            h$p://an1snatchor.com





What we will discuss:
  CWE-20: Improper Input Validation 
  CWE-116: Improper Encoding or Escaping of Output 




                                                                   What we will discuss
  CWE-209: Error Message Information Leak 
  CWE-89: Failure to Preserve SQL Query Structure
   (SQL injection) 
  CWE-79: Failure to Preserve Web Page Structure
   (XSS) 
  CWE-352: Cross-Site Request Forgery (XSRF)

                                                                     4 of 44
h$p://www.integra1ngweb.com
             h$p://an1snatchor.com




CWE-20: Improper !




                                                                        CWE-20: Improper Input Validation
 Input Validation
    The biggest issue on today’s Internet
     Applications (not just WebApps)
    Improper Input Validation can lead to security
     vulnerabilities when attackers can modify input
     in unexpected ways for the application
    The only way to protect our applications is by
     understanding that all input can be malicious

                                                                           5 of 44
h$p://www.integra1ngweb.com
            h$p://an1snatchor.com



 CWE-20:
 Example
    8e6 R3000 Internet Filter (commercial HTTP(S)
     Proxy filter solution)




                                                                      CWE-20: Example
                                                                       6 of 44
h$p://www.integra1ngweb.com
           h$p://an1snatchor.com



CWE-20:
Example
  Credits: nnposter
  DNS based website blacklist can be bypassed by

   providing a forged request with custom HTTP
   header




                                                                 CWE-20: Example
Http request:

 GET / HTTP/1.1
 X-DecoyHost: www.milw0rm.org
 Host: www.blocked.org

                                                                  7 of 44
h$p://www.integra1ngweb.com
             h$p://an1snatchor.com




CWE-20:
Mitigation
    Understand every potential attack areas:
     parameters, arguments, cookies, headers, files,
     databases... 




                                                                       CWE-20: Mitigation
    Whitelist approach instead of blacklist (you are
     certainly going to miss some character encoding
     variants)
    WebApp case: use a WebApp Firewall
     (ModSecurity/F5) or an Input Validation
     Framework for your language.
                                                                        8 of 44
h$p://www.integra1ngweb.com
   h$p://an1snatchor.com



CWE-20: Mitigation!




                                                          CWE-20: Mitigation with ModSecurity
  ModSecurity




                                                             9 of 44
h$p://www.integra1ngweb.com
                h$p://an1snatchor.com




CWE-20:MITIGATION




                                                                       CWE-20:MITIGATION OWASP ESAPI
  OWASP ESAPI
     A common set of interfaces for security controls
      such as:

     Authentication
     Access Control
     Input Validation
     Output Encoding
     Cryptography
     Error handling/logging
                                                                       10 of 44
h$p://www.integra1ngweb.com
               h$p://an1snatchor.com




CWE-20: MITIGATION
     PHPIDS




                                                                      CWE-20: MITIGATION PHPIDS
     Input validation framework for PHP based
      applications
     Developed by skilled hackers (Mario Heiderich
      - .mario on sla.ckers.org)
     Try their demo with your nasty attack vectors
      here: http://demo.php-ids.org
     Integrated as a module in Drupal, works with the
      powerful Zend Framework (http://forum.php-
      ids.org/comments.php?DiscussionID=113)
                                                                      11 of 44
CWE-116: Improper EncodingEscaping !
 h$p://www.integra1ngweb.com
               h$p://an1snatchor.com


CWE-116: Improper !
Encoding/Escaping !
    of Output
    Insufficient output encoding is the often-ignored
     sibling to poor input validation
    Even if input has been filtered, application
     output could not be safe: it need to be encoded
     too
    Common examples: HTML/JavaScript injection




                                                                     of Output
     on web based applications



                                                                            12 of 44
h$p://www.integra1ngweb.com
             h$p://an1snatchor.com




CWE-116:
Example
    Eclipse BIRT (reporting system that integrates
     with Java/JEE applications)




                                                                       CWE-116: Example
                                                                       13 of 44
h$p://www.integra1ngweb.com
                            h$p://an1snatchor.com




CWE-116:
Example
    Credits: antisnatchor           [http://antisnatchor.com/
     2008/12/18/eclipse-birt-reflected-xss]
 Java Exception stack trace was not HTML-
  encoded, so we can inject an iframe




                                                                                      CWE-116: Example

 
GET

    
/birt-viewer/run?__report='"><iframe
     %20src=javascript:alert(666)>&r=-703171660 
 HTTP/1.1

    
Host: localhost:8780
    Our code was executed correctly in the
     application output


                                                                                      14 of 44
h$p://www.integra1ngweb.com
                 h$p://an1snatchor.com




CWE-116:
Mitigation
     Always encode Java stack traces (better to don’t
      show them to prevent Information Leakage)




                                                                        CWE-116: Mitigation
     Always encode application output, especially if it
      contains previously user-supplied input

     WebApp firewall and ESAPI/PHPIDS (you lazy
      developers :-))



                                                                        15 of 44
CWE-209: Error Message Information Leak
   h$p://www.integra1ngweb.com
                 h$p://an1snatchor.com




CWE-209: Error Message
   Information Leak
      Chatty or debug error messages could disclose
       important important information to attackers

      This information is used in the Penetration
       Testing phase called “Reconnaissance”

      Even these little secrets can greatly simplify a
       more concerted attack that yields much bigger
       rewards


                                                                         16 of 44
h$p://www.integra1ngweb.com
                h$p://an1snatchor.com




CWE-209: Examples!
1. www.dm.unibo.it




                                                                      CWE-209: www.dm.unibo.it
      Credits: antisnatchor
      MySQL error when forging a malicious request
       altering the anno parameter

  GET /seminari/archivio.php?anno=2008%27 HTTP/1.1
  Host: www.dm.unibo.it
  [...]
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Proxy-Connection: keep-alive
  Cookie: dm=[...]
                                                                      17 of 44
h$p://www.integra1ngweb.com
       h$p://an1snatchor.com




CWE-209: Examples!
1. www.dm.unibo.it




                                                             CWE-209: www.dm.unibo.it
      Application response:




   Causing an SQL syntax error we discovered
    that the DB backend is MySQL
   We can now run more targeted attacks

                                                             18 of 44
h$p://www.integra1ngweb.com
                 h$p://an1snatchor.com




CWE-209: Examples!
 2. uniwex.unibo.it
     Credits: antisnatchor




                                                                        CWE-209: unibo.unibo.it
     Session Management was (IS actually) broken
      and can be manipulated
     If we are the hacker riding the victim’s session,
      and the victim then logout from Uniwex, his
      session (and ours, because is the same) is
      invalidated.
     If we invalidate a session and then we try to
      submit the previously “invalid” session token...
      MAGICALLY ...
                                                                        19 of 44
h$p://www.integra1ngweb.com
   h$p://an1snatchor.com


CWE-209: Examples!
 2. uniwex.unibo.it




                                                         CWE-209: unibo.unibo.it
                                                         20 of 44
h$p://www.integra1ngweb.com
                           h$p://an1snatchor.com


CWE-209: Examples!
 2. uniwex.unibo.it
      The JSP page /unique/UniqueNewException.jsp




                                                                                 CWE-209: unibo.unibo.it
       is clearly leaved there for debug purposes
      It shouldn’t be there in production!!!
      This revealed us that Tomcat is used as
       Application Server, and we’ve also obtained the
       specific version of a few frameworks on which
       the application was built:

  /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/struts-1.1.jar 
  /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/myfaces-
     api-1.1.4.jar
                                                                                 21 of 44
h$p://www.integra1ngweb.com
               h$p://an1snatchor.com




  CWE-89: !
SQL Injection
     These days most software is all about the data
      and how it can be served to maximize user and




                                                                    CWE-89: SQL Injection
      business needs
     The most common storage solution is a
      Relational Database(Oracle, MySQL, Postgres,
      MS-SQL, Sybase)
     If attackers can influence the SQL that you use
      to communicate with your database, then they
      can do nasty things for fun and profit


                                                                    22 of 44
h$p://www.integra1ngweb.com
               h$p://an1snatchor.com




  CWE-89: !
SQL Injection
     Discovering which web application parameters/
      cookie/headers are querying the DB, we can test




                                                                    CWE-89: SQL Injection
      if input is properly escaped or not
     The previous example on www.dm.unibo.it
      demonstrates that input is not being escaped at
      all
     After we discovered the SQL injection we can
      fire-up our favorite injection tool to retrieve
      useful informations


                                                                    23 of 44
h$p://www.integra1ngweb.com
              h$p://an1snatchor.com




 CWE-89:Example!
1. www.dm.unibo.it
        Credits: antisnatchor




                                                                     CWE-89: www.dm.unibo.it
    

       Confirmed unescaped numeric injection on GET
        parameter “anno”
       We were able to obtain details about the
        application stack: Apache 2.2.3, PHP 5.2.0,
        MySQL >= 5.0
       For demonstration we retrieved the exact name
        of the database name to which the web app is
        bounded: dipartimento

                                                                     24 of 44
h$p://www.integra1ngweb.com
                h$p://an1snatchor.com




CWE-89:Example!
2. www.virtus.it
      Credits: antisnatchor
      Confirmed unescaped numeric injection on GET




                                                                      CWE-89: www.virtus.it
       parameter “ID” (SPNewsDettaglio.asp)
      We were able to obtain details about the
       application stack: Microsoft IIS 6, ASP and SQL
       Server 2000
      We retrieved the exact name of the database
       name to which the web app is bounded:
       ServizioNews (and a few tables too)

                                                                      25 of 44
h$p://www.integra1ngweb.com
              h$p://an1snatchor.com




CWE-89: !
Mitigation
       Implement a validation framework (previously
        discussed) to protect your application
       Use stored procedures




                                                                     CWE-89: Mitigation
       Hibernate on JEE, NHibernate on .NET
       DB specific: Oracle DBMS_ASSERT directive,
        MySQL real_escape_string() function
       Use a whitelist approach, permitting only
        “known good input”


                                                                     26 of 44
h$p://www.integra1ngweb.com
                   h$p://an1snatchor.com




CWE-89: !
Dangers
      As you can see SQL injection can be devastating
       for the integrity of your data

      Data loss is probably the most negative




                                                                         CWE-89: Dangers
       consequence for an Enterprise

      If the web application (most of them, if not all) is
       storing web page content inside the DB, we can
       deface the site too

                                                                         27 of 44
CWE-79: The Plague of Cross Site Scripting
  h$p://www.integra1ngweb.com
              h$p://an1snatchor.com




CWE-79: The Plague of!
 Cross Site Scripting
       We can inject JavaScript, HTML, VBscript or
        other browser-executable content into pages
        generated by the application

       The page is then accessed by other users, whose
        browsers execute that malicious script as if it
        came from the legitimate user (the victim)




                                                                     28 of 44
h$p://www.integra1ngweb.com
   h$p://an1snatchor.com




CWE-79: Examples!
 1. www.cia.gov




                                                          CWE-79: www.cia.gov
                                                          29 of 44
h$p://www.integra1ngweb.com
   h$p://an1snatchor.com





                                                          CWE-79: portal.hotspotsvankpn.com
      CWE-79: Examples!
2. portal.hotspotsvankpn.com




                                                          30 of 44
h$p://www.integra1ngweb.com
                h$p://an1snatchor.com




CWE-79:
Mitigation
       A real world case example: Apache OFBiz
        implementation of ESAPI toolkit.
       After my JIRA issue they started to take really




                                                                       CWE-79: Mitigation
        care of security (I’m glad to)
       See http://fisheye6.atlassian.com/changelog/
        ofbiz?cs=746409 and http://antisnatchor.com/
        2008/12/11/apache-ofbiz-multiple-security-
        vulnerabilities


                                                                       31 of 44
h$p://www.integra1ngweb.com
                   h$p://an1snatchor.com




CWE-79:
Mitigation
       The changes of StringUtil.java class:




                                                                          CWE-79: Mitigation
                                                                          32 of 44
h$p://www.integra1ngweb.com
              h$p://an1snatchor.com




CWE-79:
Mitigation
       The changes of ModelScreenWidget.java class:




                                                                     CWE-79: Mitigation
                                                                     33 of 44
h$p://www.integra1ngweb.com
              h$p://an1snatchor.com




CWE-79:
Mitigation
       Validate every parameter/cookie/header/input
        that can be manipulated by a potential attacker
        and then displayed on the page




                                                                     CWE-79: Mitigation
       Do not create your own filters: you’ll probably
        miss some attack vectors or encodings
       Use well known Encoding/Validation frameworks
        such as ESAPI,PHPIDS,Microsoft Anti-XSS
        (yes, Microsoft, don’t laugh please :-))


                                                                     34 of 44
h$p://www.integra1ngweb.com
                 h$p://an1snatchor.com





                                                                        CWE-352: Cross Site Request Forgery
CWE-352: Cross Site !
 Request Forgery
       It exploits the trust that a website has for the
        currently authenticated user and executes
        unwanted actions on a web application on his
        behalf
       Once the request gets to the application, it looks
        as if it came from the user, not the attacker
       If the victim has admin privileges on the
        application: GAME OVER


                                                                        35 of 44
CWE-352: XSRF Concrete Consequences
  h$p://www.integra1ngweb.com
                h$p://an1snatchor.com




   CWE-352: XSRF !
Concrete Consequences
       Performing illegal actions such as using victim's
        shopping cart, executing stock trades
       Changing DNS settings of home routers (thanks
        pdp & GNUCITIZEN)
       Performing a Denial Of Service attack on the
        application
       Combining it with XSS to build WORMS



                                                                       36 of 44
CWE-352: XSRF Concrete Consequences
  h$p://www.integra1ngweb.com
                h$p://an1snatchor.com




   CWE-352: XSRF !
Concrete Consequences
       1. Find a page with a lost-password form inside
        and find out which fields would be updated 
       2. Trick the administrator to load a hacker page
        with a malicious request on it that submits a
        new email 
       3. Administrator's e-mail is now changed to the
        email submitted by hacker 
       4. A hacker performs a lost-password request
        and receives a new password
                                                                       37 of 44
CWE-352: XSRF Who has been vulnerable?
  h$p://www.integra1ngweb.com
                   h$p://an1snatchor.com




    CWE-352: XSRF!
Who has been vulnerable?
       ING direct [We discovered CSRF vulnerabilities in
        ING's site that allowed an attacker to open
        additional accounts on behalf of a user and transfer
        funds from a user's account to the attacker's
        account.]
       Youtube
       New York Times
       Gmail [http://directwebremoting.org/blog/joe/
        2007/01/01/
        csrf_attacks_or_how_to_avoid_exposing_your_gm
        ail_contacts.html]
                                                                          38 of 44
h$p://www.integra1ngweb.com
                 h$p://an1snatchor.com




CWE-352: XSRF!
  Example
      A simple practical attack:




                                                                       CWE-352: XSRF Example
      http://x.x.x.x/account/doTransfer?from=666&to=667
      where 666 is a potential victim account and 667 the
       attacker one. 
      Tricking the victim to load that URL will transfer
       money from one account to another one.




                                                                       39 of 44
h$p://www.integra1ngweb.com
                     h$p://an1snatchor.com




CWE-352: XSRF!
1. Apache OFBiz
       Read my advisory here:           https://




                                                                            CWE-352: Apache OFBiz
        issues.apache.org/jira/browse/OFBIZ-1959
       We can create a malicious form that will add a
        product (eventually with some JS inside) to the
        Catalog
       If the victim is already authenticated she will not
        even realize what she did 




                                                                            40 of 44
h$p://www.integra1ngweb.com
                       h$p://an1snatchor.com




CWE-352: XSRF!
1. Apache OFBiz




                                                                              CWE-352: Apache OFBiz
   <form method="POST" id="xsrf" name="xsrf"
   action="https://127.0.0.1:8443/catalog/control/createProduct">
   <input type=hidden name="isCreate" value="true">
   <input type=hidden name="productId" value="hack02">
   <input type=hidden name="productTypeId"
      value="DIGITAL_GOOD">
   <input type=hidden name="internalName"
      value="hack02<script>alert(document.cookie)</script>">
   </form>
   <script>document.xsrf.submit(); </script>
                                                                              41 of 44
h$p://www.integra1ngweb.com
                        h$p://an1snatchor.com




CWE-352: XSRF!
  Mitigation




                                                                               CWE-352: XSRF Mitigation
 •  Add a unique randomly-generated token to each request (maybe
    as an hidden form value): this n bit token is changed for every
    request and is verified by the application

 •  <input id="fkey" name="fkey" type="hidden"
    value="df8652852f139" />




                                                                               42 of 44
h$p://www.integra1ngweb.com
                         h$p://an1snatchor.com




CWE-352: XSRF!
  Mitigation




                                                                                CWE-352: XSRF Mitigation
 •  Use a secure framework such as ESAPI to add random token to
    your requests

 •  Implement AJAX functionalities with secure libraries such as
    DWR-2.0 (Direct Web Remoting) that automatically prevents
    XSRF




                                                                                43 of 44
h$p://www.integra1ngweb.com
               h$p://an1snatchor.com





                       Thanks for your !
                         attention!




                                                                    Questions?
                                                                     44 of 44

Contenu connexe

Tendances

Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Repaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webRepaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webPablo Garaizar
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 

Tendances (9)

Recent Rogueware
Recent RoguewareRecent Rogueware
Recent Rogueware
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
Repaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webRepaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares web
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данных
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
 

Similaire à Secure Programming And Common Errors[Michele Orru Dec 2008]

The bash vulnerability practical tips to secure your environment
The bash vulnerability  practical tips to secure your environmentThe bash vulnerability  practical tips to secure your environment
The bash vulnerability practical tips to secure your environmentAlienVault
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...Ken DeSouza
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversVi Tính Hoàng Nam
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...
[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...
[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...Kenta Yamamoto
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxC4Media
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisIan G
 
0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HKLawrence Amer
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshopPayampardaz
 

Similaire à Secure Programming And Common Errors[Michele Orru Dec 2008] (20)

The bash vulnerability practical tips to secure your environment
The bash vulnerability  practical tips to secure your environmentThe bash vulnerability  practical tips to secure your environment
The bash vulnerability practical tips to secure your environment
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webservers
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application Frewall
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...
[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...
[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and Analysis
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshop
 

Dernier

Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 

Dernier (20)

Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 

Secure Programming And Common Errors[Michele Orru Dec 2008]

  • 1. Secure Programming and! Common Errors! PART I brought to you by Michele “AntiSnatchOr” Orrù and Integrating Web LTD Computer System Security course lead by Prof. Ozalp Babaoglu 3 December 2009 1

  • 2. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 Who am I?   irector and CSO of Integrating Web LTD D   achelor Degree in Internet Sciences B   ndependent Security Researcher I   wner of http://antisnatchor.com security O advisory blog   EE developer
 J Outline 2 of 44
  • 3. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 Seminar outline (part I)   iscuss the most relevant SANS top 25 D errors that concern Web Applications Seminar outline (part I)   ractical demonstrations of some P vulnerable Real World web applications (my totally independent security research)   nderstand the impact of these threats U on the most valuable web-app assets 3 of 44
  • 4. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 What we will discuss:  CWE-20: Improper Input Validation  CWE-116: Improper Encoding or Escaping of Output What we will discuss  CWE-209: Error Message Information Leak  CWE-89: Failure to Preserve SQL Query Structure (SQL injection)  CWE-79: Failure to Preserve Web Page Structure (XSS)  CWE-352: Cross-Site Request Forgery (XSRF)
 4 of 44
  • 5. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-20: Improper ! CWE-20: Improper Input Validation Input Validation   The biggest issue on today’s Internet Applications (not just WebApps)   Improper Input Validation can lead to security vulnerabilities when attackers can modify input in unexpected ways for the application   The only way to protect our applications is by understanding that all input can be malicious 5 of 44
  • 6. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-20: Example   8e6 R3000 Internet Filter (commercial HTTP(S) Proxy filter solution) CWE-20: Example 6 of 44
  • 7. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-20: Example   Credits: nnposter   DNS based website blacklist can be bypassed by providing a forged request with custom HTTP header CWE-20: Example Http request: GET / HTTP/1.1 X-DecoyHost: www.milw0rm.org Host: www.blocked.org 7 of 44
  • 8. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-20: Mitigation   Understand every potential attack areas: parameters, arguments, cookies, headers, files, databases... CWE-20: Mitigation   Whitelist approach instead of blacklist (you are certainly going to miss some character encoding variants)   WebApp case: use a WebApp Firewall (ModSecurity/F5) or an Input Validation Framework for your language. 8 of 44
  • 9. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-20: Mitigation! CWE-20: Mitigation with ModSecurity ModSecurity 9 of 44
  • 10. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-20:MITIGATION CWE-20:MITIGATION OWASP ESAPI OWASP ESAPI   A common set of interfaces for security controls such as:   Authentication   Access Control   Input Validation   Output Encoding   Cryptography   Error handling/logging 10 of 44
  • 11. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-20: MITIGATION PHPIDS CWE-20: MITIGATION PHPIDS   Input validation framework for PHP based applications   Developed by skilled hackers (Mario Heiderich - .mario on sla.ckers.org)   Try their demo with your nasty attack vectors here: http://demo.php-ids.org   Integrated as a module in Drupal, works with the powerful Zend Framework (http://forum.php- ids.org/comments.php?DiscussionID=113) 11 of 44
  • 12. CWE-116: Improper EncodingEscaping ! h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-116: Improper ! Encoding/Escaping ! of Output   Insufficient output encoding is the often-ignored sibling to poor input validation   Even if input has been filtered, application output could not be safe: it need to be encoded too   Common examples: HTML/JavaScript injection of Output on web based applications 12 of 44
  • 13. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-116: Example   Eclipse BIRT (reporting system that integrates with Java/JEE applications) CWE-116: Example 13 of 44
  • 14. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-116: Example   Credits: antisnatchor [http://antisnatchor.com/ 2008/12/18/eclipse-birt-reflected-xss]  Java Exception stack trace was not HTML- encoded, so we can inject an iframe CWE-116: Example GET /birt-viewer/run?__report='"><iframe %20src=javascript:alert(666)>&r=-703171660 HTTP/1.1 Host: localhost:8780   Our code was executed correctly in the application output 14 of 44
  • 15. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-116: Mitigation   Always encode Java stack traces (better to don’t show them to prevent Information Leakage) CWE-116: Mitigation   Always encode application output, especially if it contains previously user-supplied input   WebApp firewall and ESAPI/PHPIDS (you lazy developers :-)) 15 of 44
  • 16. CWE-209: Error Message Information Leak h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-209: Error Message Information Leak   Chatty or debug error messages could disclose important important information to attackers   This information is used in the Penetration Testing phase called “Reconnaissance”   Even these little secrets can greatly simplify a more concerted attack that yields much bigger rewards 16 of 44
  • 17. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-209: Examples! 1. www.dm.unibo.it CWE-209: www.dm.unibo.it   Credits: antisnatchor   MySQL error when forging a malicious request altering the anno parameter GET /seminari/archivio.php?anno=2008%27 HTTP/1.1 Host: www.dm.unibo.it [...] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Cookie: dm=[...] 17 of 44
  • 18. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-209: Examples! 1. www.dm.unibo.it CWE-209: www.dm.unibo.it   Application response:   Causing an SQL syntax error we discovered that the DB backend is MySQL   We can now run more targeted attacks 18 of 44
  • 19. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-209: Examples! 2. uniwex.unibo.it   Credits: antisnatchor CWE-209: unibo.unibo.it   Session Management was (IS actually) broken and can be manipulated   If we are the hacker riding the victim’s session, and the victim then logout from Uniwex, his session (and ours, because is the same) is invalidated.   If we invalidate a session and then we try to submit the previously “invalid” session token... MAGICALLY ... 19 of 44
  • 20. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-209: Examples! 2. uniwex.unibo.it CWE-209: unibo.unibo.it 20 of 44
  • 21. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-209: Examples! 2. uniwex.unibo.it   The JSP page /unique/UniqueNewException.jsp CWE-209: unibo.unibo.it is clearly leaved there for debug purposes   It shouldn’t be there in production!!!   This revealed us that Tomcat is used as Application Server, and we’ve also obtained the specific version of a few frameworks on which the application was built: /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/struts-1.1.jar /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/myfaces- api-1.1.4.jar 21 of 44
  • 22. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-89: ! SQL Injection   These days most software is all about the data and how it can be served to maximize user and CWE-89: SQL Injection business needs   The most common storage solution is a Relational Database(Oracle, MySQL, Postgres, MS-SQL, Sybase)   If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit 22 of 44
  • 23. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-89: ! SQL Injection   Discovering which web application parameters/ cookie/headers are querying the DB, we can test CWE-89: SQL Injection if input is properly escaped or not   The previous example on www.dm.unibo.it demonstrates that input is not being escaped at all   After we discovered the SQL injection we can fire-up our favorite injection tool to retrieve useful informations 23 of 44
  • 24. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-89:Example! 1. www.dm.unibo.it Credits: antisnatchor CWE-89: www.dm.unibo.it     Confirmed unescaped numeric injection on GET parameter “anno”   We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0   For demonstration we retrieved the exact name of the database name to which the web app is bounded: dipartimento 24 of 44
  • 25. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-89:Example! 2. www.virtus.it   Credits: antisnatchor   Confirmed unescaped numeric injection on GET CWE-89: www.virtus.it parameter “ID” (SPNewsDettaglio.asp)   We were able to obtain details about the application stack: Microsoft IIS 6, ASP and SQL Server 2000   We retrieved the exact name of the database name to which the web app is bounded: ServizioNews (and a few tables too) 25 of 44
  • 26. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-89: ! Mitigation   Implement a validation framework (previously discussed) to protect your application   Use stored procedures CWE-89: Mitigation   Hibernate on JEE, NHibernate on .NET   DB specific: Oracle DBMS_ASSERT directive, MySQL real_escape_string() function   Use a whitelist approach, permitting only “known good input” 26 of 44
  • 27. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-89: ! Dangers   As you can see SQL injection can be devastating for the integrity of your data   Data loss is probably the most negative CWE-89: Dangers consequence for an Enterprise   If the web application (most of them, if not all) is storing web page content inside the DB, we can deface the site too 27 of 44
  • 28. CWE-79: The Plague of Cross Site Scripting h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-79: The Plague of! Cross Site Scripting   We can inject JavaScript, HTML, VBscript or other browser-executable content into pages generated by the application   The page is then accessed by other users, whose browsers execute that malicious script as if it came from the legitimate user (the victim) 28 of 44
  • 29. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-79: Examples! 1. www.cia.gov CWE-79: www.cia.gov 29 of 44
  • 30. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-79: portal.hotspotsvankpn.com CWE-79: Examples! 2. portal.hotspotsvankpn.com 30 of 44
  • 31. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-79: Mitigation   A real world case example: Apache OFBiz implementation of ESAPI toolkit.   After my JIRA issue they started to take really CWE-79: Mitigation care of security (I’m glad to)   See http://fisheye6.atlassian.com/changelog/ ofbiz?cs=746409 and http://antisnatchor.com/ 2008/12/11/apache-ofbiz-multiple-security- vulnerabilities 31 of 44
  • 32. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-79: Mitigation   The changes of StringUtil.java class: CWE-79: Mitigation 32 of 44
  • 33. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-79: Mitigation   The changes of ModelScreenWidget.java class: CWE-79: Mitigation 33 of 44
  • 34. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-79: Mitigation   Validate every parameter/cookie/header/input that can be manipulated by a potential attacker and then displayed on the page CWE-79: Mitigation   Do not create your own filters: you’ll probably miss some attack vectors or encodings   Use well known Encoding/Validation frameworks such as ESAPI,PHPIDS,Microsoft Anti-XSS (yes, Microsoft, don’t laugh please :-)) 34 of 44
  • 35. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: Cross Site Request Forgery CWE-352: Cross Site ! Request Forgery   It exploits the trust that a website has for the currently authenticated user and executes unwanted actions on a web application on his behalf   Once the request gets to the application, it looks as if it came from the user, not the attacker   If the victim has admin privileges on the application: GAME OVER 35 of 44
  • 36. CWE-352: XSRF Concrete Consequences h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: XSRF ! Concrete Consequences   Performing illegal actions such as using victim's shopping cart, executing stock trades   Changing DNS settings of home routers (thanks pdp & GNUCITIZEN)   Performing a Denial Of Service attack on the application   Combining it with XSS to build WORMS 36 of 44
  • 37. CWE-352: XSRF Concrete Consequences h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: XSRF ! Concrete Consequences   1. Find a page with a lost-password form inside and find out which fields would be updated   2. Trick the administrator to load a hacker page with a malicious request on it that submits a new email   3. Administrator's e-mail is now changed to the email submitted by hacker   4. A hacker performs a lost-password request and receives a new password 37 of 44
  • 38. CWE-352: XSRF Who has been vulnerable? h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: XSRF! Who has been vulnerable?   ING direct [We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account.]   Youtube   New York Times   Gmail [http://directwebremoting.org/blog/joe/ 2007/01/01/ csrf_attacks_or_how_to_avoid_exposing_your_gm ail_contacts.html] 38 of 44
  • 39. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: XSRF! Example   A simple practical attack: CWE-352: XSRF Example   http://x.x.x.x/account/doTransfer?from=666&to=667   where 666 is a potential victim account and 667 the attacker one.   Tricking the victim to load that URL will transfer money from one account to another one. 39 of 44
  • 40. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: XSRF! 1. Apache OFBiz   Read my advisory here: https:// CWE-352: Apache OFBiz issues.apache.org/jira/browse/OFBIZ-1959   We can create a malicious form that will add a product (eventually with some JS inside) to the Catalog   If the victim is already authenticated she will not even realize what she did 40 of 44
  • 41. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: XSRF! 1. Apache OFBiz CWE-352: Apache OFBiz <form method="POST" id="xsrf" name="xsrf" action="https://127.0.0.1:8443/catalog/control/createProduct"> <input type=hidden name="isCreate" value="true"> <input type=hidden name="productId" value="hack02"> <input type=hidden name="productTypeId" value="DIGITAL_GOOD"> <input type=hidden name="internalName" value="hack02<script>alert(document.cookie)</script>"> </form> <script>document.xsrf.submit(); </script> 41 of 44
  • 42. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: XSRF! Mitigation CWE-352: XSRF Mitigation •  Add a unique randomly-generated token to each request (maybe as an hidden form value): this n bit token is changed for every request and is verified by the application •  <input id="fkey" name="fkey" type="hidden" value="df8652852f139" /> 42 of 44
  • 43. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 CWE-352: XSRF! Mitigation CWE-352: XSRF Mitigation •  Use a secure framework such as ESAPI to add random token to your requests •  Implement AJAX functionalities with secure libraries such as DWR-2.0 (Direct Web Remoting) that automatically prevents XSRF 43 of 44
  • 44. h$p://www.integra1ngweb.com
 h$p://an1snatchor.com
 Thanks for your ! attention! Questions? 44 of 44