Web Application Hacking Workshop Learn how to penetrate like a professional

Transcription

Web Application Hacking Workshop Learn how to penetrate like a professional
Web Application
Hacking
Workshop
Learn how to penetrate like a professional
Tuesday, October 23, 12
Please check
you have the hacking environment downloaded and
unzipped - if not, please raise your hand
you have Firefox w/ TamperData and FoxyProxy -plugins
installed - if not, please download and/or raise your hand
you have added a new proxy for localhost:8888
- if not, do it now!
Tuesday, October 23, 12
Silverskintro
Jani Kirmanen
CISSP, GISP, GWAPT, GCPM
Tuesday, October 23, 12
Jani
&
Niklas
Professional Penetrators
Tuesday, October 23, 12
What we do
Reverse-engineer your mind
Find out where you have hidden all the subpar code
Enjoy writing exploit code for it
Profit!
Tuesday, October 23, 12
We also
Collaborate with developers to implement secure systems
Train developers to think better and to find disastrous
vulnerabilities before we (or the bad guys) do
Participate in developing WebGoat 6.0!
No-profit!
Tuesday, October 23, 12
Today’s menu
Finding security vulnerabilities
Writing exploit code
Expecting more secure software
Tuesday, October 23, 12
Limitations
Time - we won’t be learning every technique / doing every
exercise
Different skill sets - we won’t get done at the same time
Google - we won’t be searching the answers
Tuesday, October 23, 12
Tools
WebGoat 5.4
/home/WebGoat-5.4$ sh webgoat.sh start8080
Firefox with Tamperdata
(Firefox with FoxyProxy + Burp Suite)
Tuesday, October 23, 12
Injection
Attacking the server side
Tuesday, October 23, 12
/inˈjekSHən/
types: sql, ldap, html, javascript, command...
manipulates semantics through syntax
(conceptually) affects the server side
exploits the fact the developer has paid zero-to-none
attention to input validation
Tuesday, October 23, 12
Attacker’s view
concentrates on the special characters of the
programming / scripting / query language
typically delimiters for strings like quotes, single quotes, etc.
uses encoding to evade input filtering
Tuesday, October 23, 12
A classic example
The application uses this SQL query in the authentication
mechanism:
SELECT * FROM users
WHERE login='$login'
AND password='$password';
Now, all the attacker has to do is...
Tuesday, October 23, 12
... exercise #1
Open http://localhost:8080/WebGoat/attack
Navigate to Injection Flaws and start hacking!
You can do as many you want or can manage.
Note that you cannot do all the exercises as some require
you to code something first, and we are not gonna.
Don't worry if you are not as fast as someone else. This is
your first time, right?
Tuesday, October 23, 12
Developer’s view
Never trust any input without validation
When using external services like databases we create a
query or other structured statement
We have to protect the integrity of that statement
Tuesday, October 23, 12
Better security
Use type conversion to get rid of Strings
(use Domain objects), if possible
Use prepared statements or similar when using an
external service like a database
Implement input control as a centralized component
Tuesday, October 23, 12
Cross-site
scripting
Attacking the client side
Tuesday, October 23, 12
/ekS eS eS/
attacks the client side aka the browser aka the user
exploits the fact the developer has paid none-to-null
attention to output validation
comes in different flavors: reflective, stored, dom-based
Tuesday, October 23, 12
Attacker’s view
targets places where user input is echoed into HTML,
Javascript, CSS - even Flash!
manipulates the response to include malicious code from
another site (hence the name)
uses encoding to evade input/output filtering
Tuesday, October 23, 12
A classic example
An application has a search functionality that echoes the
search term verbatim.
The attacker sends special input to verify the functionality
has an XSS vulnerability
Now the attacker can create a malicious payload that
tricks the user to...
Tuesday, October 23, 12
... exercise #2
Open http://localhost:8080/WebGoat/attack
Navigate to Cross-site scripting and start hacking!
You can do as many you want or can manage.
Note: Lab Stages 1 and 5 only!
Tuesday, October 23, 12
Developer’s view
Everything relating to input validation still applies
Typically the output is combined from many sources and
“injected” into a template of some kind
We have to protect the integrity of that template
Tuesday, October 23, 12
Better security
Use output encoding when composing the output
Use domain objects with centralized access control to
comply with data classification
Implement output control as a centralized component
Tuesday, October 23, 12
Privilege
escalation
“Minulla on kuulkaa poliisin oikeudet”
Tuesday, October 23, 12
[ˈɛskəˌleɪtə]
accessing functionality and data without authorization
vertical: accessing admin functionality
horizontal: accessing other peoples data
Tuesday, October 23, 12
Attacker’s view
targets direct object references aka sensitive identifiers
if there is a parameter action=view, there might be
action=create or action=update as well
exploits the fact the developer regards the user interface
as an access control
Tuesday, October 23, 12
A classic example
Executing admin functionality through access control
bypass.
Consider an application which allows admins to view
users’ accounts, update information etc.
The developer chose guessable parameter names in
functionality mapping
Now, all the attacker has to do is...
Tuesday, October 23, 12
... exercise #3
Open http://localhost:8080/WebGoat/attack
Navigate to Access control flaws and start hacking!
You can do as many you want or can manage.
Note that you cannot do all the exercises as some require
you to code something first, and we are not gonna.
Don't worry if you are not as fast as someone else. This is
your first time, right?
Tuesday, October 23, 12
Developer’s view
use role based access control properly
use indirection to hide sensitive identifiers
implement access control as a centralized component
Tuesday, October 23, 12
That’s all folks!
Please leave your business card and take one of ours
Contact us: jani@silverskin.fi or www.silverskin.com
See you at the after party!!!
Tuesday, October 23, 12