Secure Programming and Common Errors, Part II
Transcription
Secure Programming and Common Errors, Part II
Brought to you by Michele "AntiSnatchOr" Orrù and Integrating Web LTD (http://www.integratingweb.com, http://antisnatchor.com)
Computer System Security course led by Prof. Ozalp Babaoglu
9 December 2009

Who am I?
- Director and CSO of Integrating Web LTD
- Bachelor Degree in Internet Sciences
- Independent Security Researcher
- Owner of the http://antisnatchor.com security advisory blog
- JEE developer

Seminar outline (part II)
What we will discuss:
- Discuss other important attack vectors, not limited to Web Applications
- Practical screen-casts that show how attackers exploit common flaws
- Understand the impact of these threats on your privacy, data and identity

What we will discuss
- CWE-22: Path Traversal + screen-cast
- CWE-89: Failure to Preserve SQL Query Structure (SQL injection) + screen-cast
- CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-casts
- Appendix: do you think HTTPS is secure? Not completely true…

CWE-22: Path Traversal
- Many applications read from or write to a file system, parsing user-supplied parameters that specify the file or the operation.
- If these user-supplied parameters are not validated (and the application is not chrooted/jailed), then an attacker can manipulate them to read/write sensitive information/files on the OS.

CWE-22: Example (www.essedi.it)
Credits: antisnatchor
- Path traversal vulnerability on the ONERROR parameter.
- The HTML file requested as the value of ONERROR can be manipulated to retrieve files not owned by IIS.

CWE-22: Screen-Cast (www.essedi.it)
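The validation the CWE-22 slide asks for (canonicalise the user-supplied file name, then prove it is still inside the intended directory), written as an added example rather than code from the audited site; the web root path and the ONERROR values fed to it are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root; the audited site's real layout is not given on the slides.
WEB_ROOT = "/var/www/site/errors"


def resolve_error_page(onerror):
    """Map a user-supplied ONERROR value to a file under WEB_ROOT, or return None.

    Treat the parameter as a relative path, canonicalise it, then verify the
    result still lies inside the root. Canonicalising alone is not enough; the
    containment test is the real guard against "../" sequences.
    """
    if not onerror:
        return None
    # Decode once here for the demo; in a real app the framework does this before us.
    candidate = unquote(onerror)
    if "\x00" in candidate:
        return None  # NUL byte meant to truncate the name in a lower layer
    # IIS (the example target) also accepts backslashes as separators.
    candidate = candidate.replace("\\", "/").lstrip("/")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, candidate))
    # Containment: the normalised path must be the root itself or a child of it.
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None  # ".." segments escaped the root
    if not full.endswith(".html"):
        return None  # only HTML error pages are meant to be served
    return full


if __name__ == "__main__":
    for value in ("404.html", "pages/../500.html", "../../config/db.ini",
                  "..%2F..%2Fconfig%2Fdb.ini", "404.html%00.jpg"):
        print(repr(value), "->", resolve_error_page(value))
```

A chroot/jail, as the slide notes, is the second layer: it limits what a check like this can leak if it is ever bypassed.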
CWE-22: Links
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832
SANS/MITRE: http://cwe.mitre.org/data/definitions/22.html
OWASP: http://www.owasp.org/index.php/Path_Traversal
Good hacker: http://kuza55.blogspot.com/2008/07/cookie-path-traversal.html
PHP security guru: http://www.suspekt.org/2008/12/05/php-527-and-ziparchiveextractto/

CWE-89: SQL Injection
- If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit.
- Thanks to Bernardo for SQLmap: http://sqlmap.sourceforge.net
  - Open source, written in Python
  - Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server
  - Metasploit plugin to exploit MS09-004 (Microsoft SQL Server 2000/2005 heap-based buffer overflow)

CWE-89: Example (www.dm.unibo.it)
Credits: antisnatchor
- Confirmed unescaped numeric injection on the GET parameter "anno" (patched many months ago).
- We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0.
- For demonstration we retrieved the exact name of the database to which the web app is bound: dipartimento.

CWE-89: Screen-Cast (www.dm.unibo.it)
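The unescaped numeric injection on the "anno" parameter described above, recreated against an in-memory SQLite table as an added example (not code from the audited application or from sqlmap). Only the parameter name comes from the slides; table name, columns and rows are constructed, and the safe variant shows the two layers that close the hole.

```python
import sqlite3

# Constructed sample table standing in for the "dipartimento" database;
# table and column names are assumptions, the parameter name "anno" is from the slides.
ROWS = [(1, 2008, "Seminar A"), (2, 2009, "Seminar B"), (3, 2009, "Seminar C")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eventi (id INTEGER, anno INTEGER, titolo TEXT)")
    conn.executemany("INSERT INTO eventi VALUES (?, ?, ?)", ROWS)
    return conn


def events_vulnerable(conn, anno):
    """CWE-89 as on the slide: the GET parameter is pasted into the SQL text.

    A numeric column needs no quotes, so escaping quote characters would not
    help here; whatever follows the number becomes part of the query structure.
    """
    sql = "SELECT id, titolo FROM eventi WHERE anno = " + anno
    return conn.execute(sql).fetchall()


def events_safe(conn, anno):
    """Two independent layers: validate the type, then bind the value as a parameter."""
    if not (anno.isdigit() and len(anno) == 4):
        raise ValueError("anno must be a 4-digit year")
    sql = "SELECT id, titolo FROM eventi WHERE anno = ?"
    return conn.execute(sql, (int(anno),)).fetchall()


def demo():
    """Returns (rows for a normal request, rows after tampering, safe rows, tampering rejected)."""
    conn = make_db()
    normal = events_vulnerable(conn, "2009")           # the two 2009 events, as intended
    tampered = events_vulnerable(conn, "2009 OR 1=1")  # structure changed: every row comes back
    safe = events_safe(conn, "2009")
    try:
        events_safe(conn, "2009 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return len(normal), len(tampered), len(safe), rejected


if __name__ == "__main__":
    print(demo())  # (2, 3, 2, True)
```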
CWE-89: Links
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778
- http://www.amazon.com/Database-Hackers-Handbook-Defending-Servers/dp/0764578014
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832
SQLmap author: http://www.slideshare.net/inquis/sql-injection-not-only-and-11

CWE-79: Cross Site Scripting
- When a page with our malicious code is accessed by other users, their browsers will execute our scripts in their context.
- It is really difficult to create a powerful anti-XSS filter:
  - Multiple data encoding handling
  - Data truncation handling
  - New vectors (CSS, JSON, XUL)

CWE-79: Example 1. KonaKart
Credits: antisnatchor
- KonaKart is a free Java-based web application to manage e-commerce websites (www.konakart.com).
- Stored XSS has been found and verified in the backend.
- More info here: http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/
- Let's see how we can exploit them.

CWE-79: Screen-Cast (KonaKart)

CWE-79: Example 2. WMSmonitor
Credits: antisnatchor
- Internal penetration test at INFN (National Institute of Nuclear Physics).
- Workload Management System (distributes job execution between multiple Computing Elements on a Grid infrastructure) monitor.
- Some serious flaws have been identified:
  - Insecure handling of X.509 client certificates
  - Reflected XSS
  - TRACE method enabled
- Let's see how we can take full control of the victim's browser.
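Why the CWE-79 slide says a blacklist "anti-XSS filter" is so hard to get right, shown as an added example (not code from KonaKart or WMSmonitor): a one-tag filter that runs before a later decoding step is defeated by the "multiple data encoding" and "new vectors" cases, while canonicalising first and encoding at the point of output holds for all of them. The request values are constructed.

```python
import html
import re
from urllib.parse import unquote

# The kind of blacklist "anti-XSS filter" the slide warns about: it knows one tag.
SCRIPT_TAG = re.compile(r"<script\b.*?>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def naive_filter(value):
    return SCRIPT_TAG.sub("", value)


def pipeline_unsafe(raw_param):
    """Filter first, decode later: the ordering bug behind 'multiple data encodings'."""
    filtered = naive_filter(raw_param)      # sees the still-encoded string
    decoded = unquote(filtered)             # a lower layer decodes it afterwards
    return "<p>Hello, " + decoded + "</p>"  # and it lands in the page unescaped


def pipeline_safe(raw_param):
    """Canonicalise first, then encode for the HTML text context at the point of output."""
    decoded = unquote(raw_param)
    return "<p>Hello, " + html.escape(decoded, quote=True) + "</p>"


def injects_markup(rendered):
    """Does the rendered fragment contain any tag other than the <p> wrapper?"""
    return re.search(r"<(?!/?p\b)[a-zA-Z!/]", rendered) is not None


if __name__ == "__main__":
    # Constructed inputs: plain, mixed case, percent-encoded, and a non-<script> vector.
    for raw in ("<script>alert(1)</script>", "<ScRiPt>alert(1)</ScRiPt>",
                "%3Cscript%3Ealert(1)%3C%2Fscript%3E", "<img src=x onerror=alert(1)>"):
        print(raw, "| unsafe injects:", injects_markup(pipeline_unsafe(raw)),
              "| safe injects:", injects_markup(pipeline_safe(raw)))
```

The filter passes the first two inputs only because they happen to match its single pattern; the safe path does not depend on recognising the payload at all.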
CWE-79: Screen-Cast (WMSmonitor)

CWE-79: Links
Wade Alcorn's works:
- BeEF: http://www.bindshell.net/tools/beef
- Inter-Protocol Exploitation: http://www.bindshell.net/papers/ipe
- The Advanced Cross-Site Scripting Virus: http://www.bindshell.net/papers/axssv
RSnake's works:
- XSS cheat sheet: http://ha.ckers.org/xss.html
- XSS worm contest: http://ha.ckers.org/blog/20080106/diminutive-xss-worm-contest-drama-and-status-update/
AntiSnatchOr's research:
- Advisories on SecurityFocus: http://antisnatchor.com/2009/10/14/finally-on-bugtraq/
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778
- http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832

Appendix: do you think HTTPS is secure?
- SSL/TLS are cryptographically secure (RSA/DSA/symmetric encryption), but they have well-known limitations and security flaws.
- They all suffer from MITM attacks and network protocol manipulation.
- Some aspects, such as OCSP and the different implementations (OpenSSL, Mozilla NSS), are flawed.

Appendix: HTTPS insecurity
- Old exploit method (still useful): MITM and fake certificate injection
  - ARP spoofing
  - IP forwarding
  - Sniffing
  - webmitm
- Cons: the victim will see that the certificate is not valid (BTW, almost all of you pay no attention to Firefox's alerts about certificate problems: press OK… that's FINE!)

Appendix: HTTPS insecurity. Screen-Cast: Fake certificate injection

Appendix: HTTPS insecurity
- Latest research of Moxie Marlinspike (http://www.thoughtcrime.org)
- sslstrip: it transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links.
- We can use the same setup as in the old certificate injection method: ARP-spoofing + traffic redirection + sniffing.
- Eventually altering BGP routing tables on routers, for remote sniffing.

Appendix: Links
Vimeo screencasts:
- http://www.vimeo.com/6149119
- http://www.thoughtcrime.org/software/sslstrip/video/sslstrip.mov
Papers:
- OCSP: http://www.thoughtcrime.org/papers/ocsp-attack.pdf
- Null-byte: http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
- Fake-cert: http://antisnatchor.com/works/sniffing-ssl-tls-connections-through-fake-certificate-injection/

Questions?
Thanks for your attention!