Web Application Exploits
Computer Science and Engineering 1

Reading
• Required:
  – Stuttard and Pinto: Chapter 3
  – Review: OWASP: 2013 Top 10 List, https://www.owasp.org/index.php/Top_10_2013-Top_10
• Recommended: cool tutorials
  – Google Gruyere Codelab tutorial by Bruce Leban, Mugdha Bendre, and Parisa Tabriz, http://googlegruyere.appspot.com/part1#1__setup
  – How To Break Web Software - A look at security vulnerabilities in web software, http://www.youtube.com/watch?v=jXP7b-xby6U
  – DEFCON 19: Web Application Analysis With Owasp Hatkit, http://www.youtube.com/watch?v=JjJQ9b80xsE&feature=relmfu

• Web security: primary target of attacks
• Web application technologies
  – Client side
  – Server side
  – Application
  – Transfer protocol
• Common vulnerabilities

Web Application Architecture
[Diagram: client, web server, web service, database, authentication service and access control, with the threats at each point: XSS, malware, session hijacking, redirection, communication security, injection attacks, information leakage, DoS, unauthorized modification, forged credentials, unauthorized access.]

Client Side
• Request resources
  – HTTP requests
• Technologies to support functionality
  – Browser
    • HTML
    • Hyperlinks
    • Forms
    • Scripts
    • Custom client components

Server Side
• Receives the client request: URL query string, HTTP cookies, or data in the request body
• Technologies to supply functionality:
  – Scripting languages: PHP, VBScript, Perl
  – Web application platforms: ASP.NET, Java
  – Web servers: Apache, IIS, Netscape Enterprise
  – DBMS: Oracle, MySQL, SQL Server
  – Back-end components

The HTTP Protocol
• Hyper Text Transfer Protocol
• Stateless
• Application layer protocol, layered on top of TCP
• Client-server model
  – Request-response communication
• Originally developed to retrieve static text-based resources

HTTP Request
• Request line
  1. HTTP method
  2. Requested URL
  3. HTTP version
• Header lines
  – Host, Referer, Cookie, User-Agent, Connection, etc.
• Request body

GET
• Passes all request data in the URL query line
• GET /search?q=Web+Technologies HTTP/1.1
• Host: www.cse.edu…

POST
• Passes all data in the HTTP request body
• POST /search HTTP/1.1
• Host: www.cse.edu…
• q=Web+Technologies

HTTP Response
• Status line
  1. HTTP version
  2. Numeric status code indicating the result of the request
  3. Text reason phrase describing the status of the response
• Header lines
  – Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length
• Response body

Status Codes
• 1xx – Informational
• 2xx – the request was successful
• 3xx – the client is redirected to a different resource
• 4xx – the request contains an error of some kind
• 5xx – the server encountered an error fulfilling the request

Common Status Codes
• 200: OK
• 302: Location redirection
• 401: client is unauthorized for the resource
• 403: forbidden even if the client has the credentials
• 404: not found
• 500: internal server error caused by the request

Issues for HTTP Methods
• GET – retrieves a resource
  – Sends parameters to the requested resource
  – Be Aware! URLs are stored and displayed -> do not include sensitive data in the query string
• POST – performs an action
  – Request parameters sent in the URL query string or in the message body
  – Be Aware! Back button use warning
• Other methods: Head, Trace, Put, etc.
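An added example (not from the slides) that parses a raw HTTP/1.1 request into its request line, headers and body, collects the parameters from the query string (GET) or the form body (POST), and flags sensitive parameter names carried in the URL, where proxies, server logs and browser history retain them. The sample requests, the host name and the list of sensitive names are constructed for the example.

```python
# Added example (not part of the slides): parse a raw HTTP/1.1 request into
# request line, headers and body, collect its parameters from the query string
# (GET) or the form body (POST), and flag sensitive names in the URL, where
# proxies, server logs and browser history retain them. Requests are constructed.
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as sensitive for the query-string check (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "ssn", "cardnumber"}


def parse_request(raw: str) -> dict:
    """Split a raw request into method, path, query, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(url)
    return {"method": method, "path": parts.path, "query": parts.query,
            "version": version, "headers": headers, "body": body}


def request_params(req: dict) -> dict:
    """GET carries parameters in the query string, a form POST in the body."""
    source = req["query"]
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        source = req["body"]
    return {name: values[0] for name, values in parse_qs(source).items()}


def sensitive_in_query(req: dict) -> list:
    """Sensitive parameter names that travel in the URL (the slide's warning)."""
    return sorted(n for n in parse_qs(req["query"]) if n.lower() in SENSITIVE_PARAMS)


# Constructed sample requests (host name is a placeholder).
GET_REQ = ("GET /search?q=Web+Technologies&password=hunter2 HTTP/1.1\r\n"
           "Host: www.example.test\r\nUser-Agent: demo\r\n\r\n")
POST_REQ = ("POST /search HTTP/1.1\r\nHost: www.example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: 18\r\n\r\nq=Web+Technologies")

if __name__ == "__main__":
    for raw in (GET_REQ, POST_REQ):
        req = parse_request(raw)
        print(req["method"], req["path"], request_params(req), sensitive_in_query(req))
```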
HTTPS
• HTTP tunneled through SSL
• HTTP proxies
  – Using HTTP: the proxy is a man-in-the-middle
  – Using HTTPS: pure TCP-level relay

HTTP Authentication
• Basic: sends user credentials as a Base64-encoded string in a request header
• NTLM: challenge-response using the Windows NTLM protocol
• Digest: challenge-response using MD5 and a checksum of a nonce with the user's credentials

State and Session
• Client and server exchange and process data
• Application needs to maintain the state of each user's interactions
  – Server side structure: session
  – Client side: sent by the server and protected from tampering
• Stateless HTTP: token to identify user sessions

HTTP Vulnerabilities
• Header-based attacks: not very common
  – Headers are simple
  – Any command or response that is not valid is ignored
• Headers are free form: several options on how to interpret data
  – Buffer overflow may occur
  – Client- and server-side executables: data may be passed to other applications

HTTP Vulnerabilities 2.
• Protocol-based attacks: most common
• Incorrect authentication
  – Access directories (username/password) by stolen credentials
    • Authentication travels as clear text
    • Challenge response
• Cookies
  – Spoofing attacks

HTTP Vulnerabilities 3.
• Traffic-based attacks
• Denial of Service attacks
• Traffic privacy violations

Web Application Characteristics

Functionality
• Server side technologies:
  – Scripting languages
  – Web application platform
  – Web server software
  – Databases
  – Back-end components
• Client-side technologies:
  – Browser extension technologies

Application Characteristics
• Understand what the application does and how it behaves
  – Content
  – Functionality
• Find out:
  – Application behavior
  – Core security mechanisms
  – Technologies being used
    • Client side
    • Server side

Enumerating Content and Functionality
• Manual vs. automated browsing
  – Walk through the application
  – Follow every link
  – Navigate through multistage functions
• Web spidering
  – Tools to follow all links until no new content is found
  – Can parse static HTML, multi-stage functionality, form-based navigation, client-side JavaScript

Robots.txt
• Web servers maintain it in the root
  – Contains a list of URLs not available for web spiders
• Can be used by spiders as the seed
  – References to sensitive functionality

Automated Spidering
• E.g., Burp Spider, WebScarab
• General limitations:
  – Cannot handle dynamically created menus
  – Limited depth to find links
  – May fail input validation for multistage functionality
  – Unique content is identified by URL: not good for form-based navigation
  – May fail authentication session

User Directed Spidering
• User walks through the application and uses a spider to collect and analyze findings
• Good for
  – Unusual or complex navigation needs
  – User control of input data
  – User can log in to the application and pass authentication
  – User can decide on requested functions

Hacking Steps 1.
• Configure browser to use spider
• Browse the application normally
  – Visit every link
  – Proceed through multi-stage functions
  – JavaScript enabled/disabled; cookies enabled/disabled
• Review site map to identify non-visited content
• Do an automated spidering

Discovering Hidden Content
• Not directly linked to or reachable from the main page
  – E.g., testing and debugging content, different functionality for different types of users, backup copies, archives, old versions of files, default application functionality, log files, etc.
• Added attack points, sensitive content, etc.
• Automated, brute-force attack: Burp Intruder

Hacking Steps 2
• Make unusual requests and identify the response
• Use site map to identify hidden content
• Use brute-force attacks to identify how the application handles requests
• Manually review responses
• Inferencing from published content (e.g., naming)
  – Compile list of names of subdirectories
  – Identify naming schemes, file extensions
  – Review all client side code
  – Look at temporary files
• Burp: Content Discovery – automate attack

Use Public Information
• Find old resources
• Search engines:
  – Advanced search: resource, login, links, related
  – Google domains
  – Omitted results
  – Cached versions
  – Other domains of the same organization
• Web archives, e.g., WayBack Machine

Web Server Vulnerabilities
• Web server software vulnerability
  – Default content
  – Sample and diagnostic scripts
  – Standard functionality
• Wikto: a tool that checks for flaws in web servers
  – http://sectools.org/tool/wikto/

Additional Mappings
• Functional paths
  – URL query parameters, REST-style URLs
• Discovering hidden parameters
  – Try default parameter names, e.g., debug, test, hide, etc.
  – Monitor responses to identify anomalies
• Analyzing applications
  – Functionality, behavior, security
• Server side functionality

Mapping the Attack Surface
• Use the results of the analysis to find vulnerabilities

SOA Service Communication
• Simple Object Access Protocol (SOAP)-based
• REST-based (no additional messaging layer)
• Communication over HTTP

Industry standards
• XML
  – XML Encryption
  – XML Signature
  – Canonical XML
  – Decryption Transformation for XML Signature
• WS-Security
• Security Assertion Markup Language (SAML)

Next Class
• XML, RDF, Web application security
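An added example (not from the slides) for the HTTP Authentication slide above: what a server sees for the Basic and Digest schemes. Basic is only Base64, so anyone who reads the header recovers the password; Digest (RFC 2617, qop-less form) proves knowledge of the password with MD5 over a server-issued nonce, and the server can verify it from a stored HA1 without holding the clear-text password. User, realm, password and nonce are constructed placeholders.

```python
# Added example (not part of the slides) for the HTTP Authentication slide:
# what a server sees for the Basic and Digest schemes. Basic is only Base64,
# so anyone who reads the header recovers the password; Digest (RFC 2617,
# qop-less form) proves knowledge of the password with MD5 over a server nonce.
# MD5 is the protocol's choice here, not a recommendation for new designs.
import base64
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def decode_basic(header_value: str) -> tuple:
    """'Basic <base64(user:password)>' -> (user, password); no secret is involved."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """Client side: response = MD5(HA1:nonce:HA2) with HA1 = MD5(user:realm:pw)
    and HA2 = MD5(method:uri). The password itself never leaves the client."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, response) -> bool:
    """Server side: recompute from the stored HA1 (no clear-text password on the
    server) and compare in constant time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)


# Constructed sample values (user, realm, password and nonce are placeholders).
USER, REALM, PASSWORD = "alice", "cse.example", "s3cret"
BASIC_HEADER = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
NONCE = "constructed-nonce-0001"
STORED_HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")

if __name__ == "__main__":
    print(decode_basic(BASIC_HEADER))
    resp = digest_response(USER, REALM, PASSWORD, "GET", "/dir/index.html", NONCE)
    print(verify_digest(STORED_HA1, "GET", "/dir/index.html", NONCE, resp))
```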