video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
4. 400+ enterprise customers
•Start-ups to Fortune 500
Flagship offering “WhiteHat Sentinel Service”
•1000’s of assessments performed annually
Recognized leader in website security
•Quoted thousands of times by the mainstream press
4
5. About the Top Ten
“Every year the Web security community produces a stunning
amount of new hacking techniques published in various white
papers, blog posts, magazine articles, mailing list emails, etc. Within
the thousands of pages are the latest ways to attack websites, Web
browsers, Web proxies, and so on. Beyond individual vulnerability
instances with CVE numbers or system compromises, we're talking
about brand new and creative methods of Web-based attack.”
5
6. New Techniques
2009 (80)
Creating a rogue CA certificate
2008 (70)
GIFAR (GIF + JAR)
2007 (83)
XSS Vulnerabilities in Common Shockwave Flash Files
2006 (65)
Web Browser Intranet Hacking / Port Scanning
6
7. 2010
69 new techniques
1) 'Padding Oracle' Crypto Attack
2) Evercookie
3) Hacking Auto-Complete
4) Attacking HTTPS with Cache Injection
5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
6) Universal XSS in IE8
7) HTTP POST DoS
8) JavaSnoop
9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
10) Java Applet DNS Rebinding
http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html
7
8. Bypassing CSRF with Clickjacking
and HTTP Parameter Pollution
5
Clickjacking is when an attacker invisibly hovers an object
(button, link, etc.) below a user's mouse. When the user
clicks on something they visually see, they're instead
really clicking on something the attacker wanted them to.
HTTP Parameter Pollution is where an attacker submits
multiple input parameters (query string, post data,
cookies, etc.) with the same name. Upon receipt
applications may react in unexpected ways and open up
avenues of server-side and client-side exploitation. By
cleverly leveraging these two former Top Ten attacks,
CSRF attacks can be carried out against a user even
when recommended token defenses are in use.
Lavakumar Kuppan (@lavakumark)
http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
8
9. Clickjacking (Top Ten 2009)
Think of any button – image, link, form, etc. – on any website – that can appear
between the Web browser walls. This includes wire transfer on banks, DSL router
buttons, Digg buttons, CPC advertising banners, Netflix queue.
Next consider that an attacker can invisibly hover these buttons below the user's
mouse, so that when a user clicks on something they visually see, they're actually
clicking on something the attacker wants them to.
What could the bad guy do with that ability?
9
10. Hover Invisible IFRAMEs
HTML, CSS, and JavaScript
may size, follow the mouse
and make transparent third-
party IFRAME content.
<iframe
src="http://victim/page.html"
scrolling="no"
frameborder="0"
style="opacity:.1;filter: alpha(opacity=.1); -moz-opacity 1.0;">!
</iframe>
10
11. HTTP Parameter Pollution (HPP) - Top Ten 2009
If an attacker submit multiple input parameters (query string, post data, cookies,
etc.) of the same name, the application may react in unexpected ways and open
up new avenues of server-side and client-side exploitation.
GET /foo?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
POST /foo HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
par1=val1&par1=val2
POST /index.aspx?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Cookie: par1=val3; par1=val4
Content-Length: 19
par1=val5&par1=val6
11
16. Simple parameter injection
void private executeBackendRequest(HTTPRequest request) {
String amount=request.getParameter("amount");
String beneficiary=request.getParameter("recipient");
HttpRequest("http://backend.com/servlet/actions","POST",
"action=transfer&amount="+amount+"&recipient="+beneficiary);
}
Malicious URL:
http://target.com/page?amount=1000&recipient=Jeremiah%26action%3dwithdraw
Translates to:
action=transfer&amount=1000&recipient=Jeremiah&action=withdraw
It is possible the attack could work if proper authorization controls are not in place and
the application uses the last occurrence of the action parameter (IBM Lotus Domino,
PHP / Apache, etc.)
16
17. Example Scenario
http://example/updateEmail.jsp
Client-Side
<form method="POST">
<input type="text" name="email" value=””></input>
<input type="hidden" name=”csrf-token” value="a0a0a0a0a0a"/>
</form>
Server-Side
if (req.parameter("email").isSet() && req.parameter("csrf-token").isValid()) {
// process the form and update the email ID
} else {
// display an empty form to the user (CSRF token included)
}
17
18. Bringing it all together
<iframe src=”http://example/updateEmail.jsp?email=evil@attacker.com”>
HTTP request via user submitted form via Clickjacking. The form was not filled out by
the victim, meaning the email parameter in the POST body is blank. Now the
QueryString contains the attacker entered value for the ‘email’ parameter.
POST /updateEmail.jsp?email=evil@attackermail.com
HTTP/1.1
Host: www.example.com
email=&csrf-token=a0a0a0a0a0
When the server side JSP code calls req.parameter("email"), the value that is returned
is the one in the QueryString (HPP first occurrence) and not the POST body. Since
this value can be controlled by the attacker, he can trick the victim in to updating his
account with the attacker’s mail ID.
18
19. Attacking HTTPS with Cache Injection
4
No matter what type of encryption is used to defend a
network, sooner or later the password, key, or certificate
needs to be stored. If an attacker is able to tamper with
the storage mechanism, even the strongest encryption
mechanism can fail. The researchers demonstrated how
to attack storage mechanisms by tampering with SSL
session and break into Wifi networks using WPA. They
also showed how to exploit SSL warning inconsistencies
and caching mechanisms to trick the user into accepting a
bad certs and steal their username & password.
Elie Bursztein (@ELIE), Baptiste Gourdin
(@bapt1ste), Dan Boneh
http://www.youtube.com/watch?v=bt0Qh9c59_c
http://elie.im/talks/bad-memories
19
20. RFC1918 Caching Security - (Top Ten 2009)
Public Wifi
HTTP
Internet
Airpwn
Victims
coffee shops, airplanes,
corp guest networks Bad Guy
• Victim(s) located on a RFC 1918 network with a Bad Guy
• Bad Guy may take the opportunity to read victim’s Web mail, steal creds, etc.
• Bad Guy man-in-the-middles HTTP (Airpwn) to inject IFRAMEs to RFC-1918 IPs
• MitM IFRAMEs to include JavaScript malware (BeEF). Or ...
• Inject JavaScript malware into popular Web widget URLs. (Ad servers, counters, etc.)
• Cache content in the browser for a really long time, beyond current session!
http://www.bindshell.net/tools/beef/
http://airpwn.sourceforge.net/Airpwn.html
21. Situation
• 43% of the Alexa top 100,000 use external javascript libraries
• Injecting a malicious javascript library into the browser cache
allows the attacker to compromise a website protected by SSL
• The malicious library stays in the cache until the user clears it.
Moving to a “safe” location doesn’t help
21
22. Impact
• One poisoned injection leads to multiple breaches
• Multiples websites share the same external library such as
Google Analytics
• Injecting a malicious version of one of these shared libraries
allows the attacker to target all the websites that use it
22
23. Browser Defense -- sort of
• The only defense against cache injection is the SSL warning
displayed by the browser when a bad certificate is supplied
• Corner cases that allows an attacker to alter the way SSL
certificate warning are displayed
• These alterations make caching attack efficient as the user is
more likely to click through the tampered warning
23
24. Video Demo
• The following demos show how caching injection attacks
works against Internet Explorer 8 and Firefox 3.6
• These demos were done in real time against real sites with
their real certificates
24
25. Hacking Auto-Complete
3
This research encompasses a set of techniques where a
malicious website may surreptitiously obtain their visitors
names, job title, workplace, physical address, telephone
number, email addresses, usernames, passwords, search
terms, social security numbers, credit card numbers, and
on and on by simulating JavaScript keystroke events in
Web browsers HTML form auto-complete / autofill
functionality.
Jeremiah Grossman (@jeremiahg)
http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html
http://jeremiahgrossman.blogspot.com/2010/09/safari-autofill-hack-lives.html
http://jeremiahgrossman.blogspot.com/2010/07/in-firefox-we-cant-read-auto-complete.html
25
26. I want to know your name, who
you work for, where you live, your
email address, etc.
Right at the moment you a visit a website. Even if you’ve never
been there before, let alone entered information.
26
28. Address Card Autofill works even when
you’ve NEVER entered personal data on
ANY WEBSITE.
28
29. Demo
var event = document.createEvent('TextEvent');
event.initTextEvent('textInput', 1, 1, null, char);
input.value = ""; Step 1) Dynamically create
input.selectionStart = 0; input fields with the pre-set
input.selectionEnd = 0; attribute names.
input.focus();
input.dispatchEvent(event);! Step 2) Cycle through the
! alphabet initiating text events
setTimeout(function() { until a form value populates.
if (input.value.length > 1) {
// capture the value; Step 3) Profit! -- Steal data
} with JavaScript.
}, 500); *transparency is even more fun!*
Safari
v4 / v5
29
31. AutoComplete: User-supplied form values are shared across
different websites by attribute “name”. For example, email
addresses entered into a field on website A populates the autofill for
the same field name on website B, C, D, etc.
<input type="text" name="email">
31
32. DEMO - Down, Down, Enter
// hit down arrow an incrementing number of times.
// separate with time to allow the GUI to keep pace
for (var i = 1; i <= downs; i++) {
time += 30; // time padding
keyStroke(this, 40, time); // down button
}
! !
time += 15; // time padding
keyStroke(this, 13, time); // enter button
// initiate keystroke on a given object
function keyStroke(obj, code, t) {
//create new event and fire
var e = document.createEventObject();
e.keyCode = code;
setTimeout(function() {obj.fireEvent("onkeydown", e); }, t);
} // end keyStroke
Security Basis, and an Internet Explorer data stealer
http://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.html
Andrea Giammarchi, Ajaxian Staff
32
33. Search terms
Credit card numbers and CCVs
Aliases
Contact information
Answers to secret questions
Usernames
Email addresses
...
33
34. AutoComplete is NOT enabled by default, but Internet
Explorer asks if the user if they would like to enable
the feature after filling out a non-password form.
34
36. Saving Passwords
Many Web Browsers have “password managers,” which provide
a convenient way to save passwords on a “per website” basis.
<form method="post" action="/">
E-Mail: <input type="text" name="email"><br />
Password: <input type="password" name="pass"><br />
<input type="submit" value="Login">
</form>
36
37. If a website with a saved password is vulnerable to XSS, the
payload can dynamically create login forms, which executes the
browser’s password auto-complete feature. Since the payload is
on the same domain the username / password can be stolen.
function stealCreds() {
var string = "E-Mail: " + document.getElementById("u").value;
string += "nPassword: " + document.getElementById("p").value;
return string;
}
document.write('<form method="post" action="/">E-Mail: <input
id="u" type="text" name="email" value=""><br>Password: <input
id="p" type="password" name="password" value=""></form>');
setTimeout('alert(stealCreds())', 2000);
* * DEMO
37
38. What to do...
Disable Auto-Complete in the Web browser
Remove persistent data
(History, Form Data, Cookies, LocalStorage, etc.)
NoScript (Firefox Extension), 1Password, etc.
<form autocomplete="off">
<input type="text" autocomplete="off" />
38
39. Evercookie
2
Evercookie is a javascript API available that produces
extremely persistent cookies in a browser. Its goal is to
identify a client even after they've removed standard
cookies, Flash cookies (Local Shared Objects or LSOs),
and others. Evercookie accomplishes this by storing the
cookie data in several types of storage mechanisms that
are available on the local browser. Additionally, if evercookie
has found the user has removed any of the types of cookies
in question, it recreates them using each mechanism
available.
Samy Kamkar (@samykamkar)
http://samy.pl/evercookie/
39
41. Evercookies
1) Standard HTTP Cookies 6) Internet Explorer userData storage
2) Flash Cookies (LSOs) 7) Storing cookies in Web cache
3) Silverlight Isolated Storage 8) Storing cookies in HTTP ETags
4) Storing cookies in RGB values of auto- 9) HTML5 Session Storage
generated, force-cached PNGs using
HTML5 Canvas tag to read pixels 10) HTML5 Local Storage
(cookies) back out
11) HTML5 Global Storage
5) Storing cookies in Web History
12) HTML5 Database Storage via SQLite
6)window.name caching
41
42. The API
• Persistent cookies via Javascript API
• Recreates after deletion
• Combines different storage mechanisms
• Easy to use!
var ec = new evercookie();
ec.set(“uniqueid”, “31337”); // set uniqueid = 31337
// get our evercookie data back
ec.get(“uniqueid”, function(val) { alert (“ID is “ + val) } );
42
43. PNGs Cache
Cookie stored in RGB values of auto-generated, force-cached PNGs
using HTML5 Canvas Tag to read pixels back out
Pixel 0x0 = 0x4f5741 OWA
Pixel 0x1 = 0x535000 SP0
43
44. Killing Evercookies (Video)
1) Open a new tab, then close all other windows and tabs.
2) Delete Silverlight Isolated Storage
• Go to http://www.silverlight.net/
• Right click the Silverlight application (any app will do)
• Silverlight Preferences > Application Storage > Delete all...
• Click "Yes"
• * Optionally disable "Enable application storage"
3) Delete Flash Local Shared Objects (LSO)
• Go got the Flash "Website Storage Settings panel"
• Click "Delete all sites"
• Click "Confirm"
4) Clear Browsing Data
• - Wrench > Tools > Clear Browsing Data...
• - Select all options
• - Clear data from this period: Everything
• - Click "Clear Browsing data"
http://singe.za.net/blog/archives/1014-Killing-the-Evercookie.html
http://jeremiahgrossman.blogspot.com/2010/10/killing-evercookie-google-chrome-wo.html
44
45. Other Protections
• Nevercookie - The evercookie killer
Firefox plugin to extend Firefox’s Private Browsing
http://nevercookie.anonymizer.com/
• Use a virtual machine. (On your neighbor’s WiFi Network)
45
46. Other Worries...
• System/browser timing
• GPU timing via plugins/accelerators (w/Flash)
• MAC address accessible via Java or ActiveX!
46
47. 'Padding Oracle' Crypto Attack
1
In 2002 a powerful side-channel attack, ‘padding
oracle’ (NOT THE DATABASE!), was described targeting
AES CBC-mode encryption with PKCS#5 padding. If
there is an oracle which on receipt of a ciphertext,
decrypts it and replies whether the padding is correct,
shows how to use that oracle to decrypt data without
knowing the encryption key. The new techniques allow
attackers to use a ‘padding oracle’ to decrypt and encrypt
messages of any length without knowing the secret key
and exploit popular web development frameworks
including ASP.NET.
Juliano Rizzo (@julianor)
Thai Duong (@thaidn)
http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf
http://netifera.com/research/
http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
http://www.youtube.com/watch?v=yghiC_U2RaM
http://threatpost.com/en_us/blogs/padding-oracle-crypto-attack-affects-millions-aspnet-apps-091310
47
49. Padding Oracle Attack Basics
An application uses a query string parameter to pass an encrypted username,
company id, and role id of a user. The parameter is encrypted using CBC mode,
and each value uses a unique initialization vector (IV) pre-pended to the ciphertext.
When the application is sent an encrypted value, it responds in one of three ways:
1)Valid ciphertext, properly padded and valid data (200 OK)
2)Invalid ciphertext, improper padding (500 Internal Server Error)
3)Valid ciphertext, properly padded and invalid data (200 OK - custom error)
User’s name (BRIAN), company id (12), and role id (2). The value, in plaintext, can
be represented as BRIAN;12;2;
http://site/app.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
49
52. First block of ciphertext pre-pended with an IV of all NULL values.
Request: http://site/app.jsp?UID=0000000000000000F851D6CC68FC9537
Response: 500 - Internal Server Error
52
53. Last byte of the initialization vector incremented by one.
Request: http://app/home.jsp?UID=0000000000000001F851D6CC68FC9537
Response: 500 - Internal Server Error
53
54. Incrementing the last byte in the IV up to FF will produce a valid padding sequence for a
single byte of padding (0×01). Only one value will produce the correct padding byte and
have different response than the other 255.
Request: http://site/app?UID=000000000000003CF851D6CC68FC9537
Response: 200 OK
If [Intermediary Byte] ^ 0x3C == 0×01,
then [Intermediary Byte] == 0x3C ^ 0×01,
so [Intermediary Byte] == 0x3D
54
55. To crack the 7th byte, the 7th and 8th byte must equal 0×02 for valid padding. Since we
already know that the last intermediary value byte is 0x3D, we can update the 8th IV byte
to 0x3F (which will produce 0×02) and then focus on brute forcing the 7th byte (starting
with 0×00 and working our way up through 0xFF).
55
56. Work backwards through the entire block until every byte of the intermediary value is
cracked and uncovering the decrypted value one byte at a time. The final byte is cracked
using an IV that produces an entire block of just padding (0×08).
"The first stage of the attack takes a few thousand requests, but
once it succeeds and the attacker gets the secret keys, it's totally
stealthy.The cryptographic knowledge required is very basic."
- Julian Rizzo
56
57. <VIDEO>
"It turns out that the vulnerability in ASP.NET is the most critical amongst
other frameworks. In short, it totally destroys ASP.NET security,"
-Thai Duong
57
58. Impact & Prevention
Vulnerable Frameworks
ASP.Net, CAPTCHAs, JavaServer Faces, OWASP ESAPI,
Ruby On Rails, etc.
Prevention
•Encrypt-then-MAC (sign) and validate-then-decrypt
•Patch!
58
59. What have we learned?
• Encryption attacks took the top spot for the 2nd year in a row.
• Web Browser privacy? Web browser security? Not so much.
• “Top Ten” attacks from previous years are being improved.
• Several attack techniques from previous years are now
actively being used maliciously in the wild.
59
60. Thank You...
• Sponsors: OWASP, Black Hat, WhiteHat
Security
• Panel of Experts: Ed Skoudis, Giorgio
Maone, Caleb Sima, Chris Wysopal, Jeff
Willams, Charlie Miller, Dan Kaminsky,
Steven Christey (Mitre), and Arian Evans
• All the security researchers for their
contributions
• Everyone in the Web Application Security
community who assisted
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com
60