Hacking 101 (Session 2)

Post on 09-Jul-2015

For this second session, we continue with awareness on web application security (OWASP). A deep dive into the code

Transcript of Hacking 101 (Session 2)

HACKING 101

Henallux, 28th November 2014

Olivier Houyoux

Technology Security Architect @ Nitroxis Sprl

SCHEDULE FOR THE DAY

1. Why are we here?

2. Real Life Examples

3. Owasp – Top 10 (2013)

4. Demo Web Hacking Simulation Walkthrough

5. Summary

6. Questions

DO WE NEED WEB APP. SECURITY?

Well managed infrastructure

Important data on web applications

Malware spreading

EXAMPLES

1. Barack Obama

2. Maria Sharapova

3. Samy Kamkar

4. Kevin Poulsen

5. …

OPEN WEB APPLICATION SECURITY PROJECT

Make software security visible

Cheat Sheets, Tutorials, Testing guides…

Tools (WebGoat, WebScarab, …)

Library (ESAPI)

OWASP TOP 10

Broad consensus about what the most critical web application security flaws are.

OWASP Top 10 - 2013

A1 - Injection

A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Known Vulnerable Components

A10 - Unvalidated Redirects and Forwards

WEBGOAT

is a deliberately insecure web application designed to teach web application security lessons.

A1 – INJECTION

User input injected without checking

SQL

LDAP

Command

XPATH

A1 – SQL INJECTION EXAMPLE 1

Connection conn = pool.getConnection();
String sql = "select * from user where username='" + username + "' and password='" + password + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sql);
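The slide's concatenated query next to its parameterised fix, as an added Python port (not the presenter's code) run against a constructed in-memory SQLite table; it shows that a quote in the input rewrites the WHERE clause in the first version and is plain data in the second.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.execute("insert into user values ('alice', 's3cret')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Vulnerable: the slide's string concatenation, input becomes part of the SQL."""
    sql = ("select * from user where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()

def login_param(conn, username, password):
    """Fixed: bound parameters, the driver keeps input out of the SQL grammar."""
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()

def rows_for_crafted_username():
    """A quote in the username changes the WHERE clause: the concatenated query
    matches alice without her password, the parameterised one matches nothing."""
    conn = make_db()
    crafted = "alice' or '1'='1"
    return (len(login_concat(conn, crafted, "wrong")),
            len(login_param(conn, crafted, "wrong")))

def concat_breaks_on_legitimate_apostrophe():
    """Even honest input such as o'brien is a syntax error in the concatenated version."""
    try:
        login_concat(make_db(), "o'brien", "x")
        return False
    except sqlite3.OperationalError:
        return True
```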

A2 – BROKEN AUTHENTICATION

User / Password

Brute force attack

Birthday paradox

Weak management functions

Change or recover password

A2 – SESSION MANAGEMENT

1. Session Hijacking

Stealing authenticated user’s session ID

2. Session Fixation

Forcing a session ID chosen by the attacker onto the user

A2 – SESSION HIJACKING EXAMPLE

A2 – SESSION FIXATION EXAMPLE

public class LoginServlet extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        String user = request.getParameter("user");
        String pass = request.getParameter("password");
        HttpSession session = request.getSession(true);
    }
}
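Why getSession(true) after the credential check is the bug: an added Python model (not the presenter's code) with a constructed in-memory session store, contrasting a login that keeps the client-supplied session ID with one that invalidates it and issues a fresh ID once authentication succeeds.

```python
import secrets

class SessionStore:
    """Minimal in-memory session store, constructed for this example."""
    def __init__(self):
        self.sessions = {}

    def get_session(self, sid):
        # Like getSession(true): reuse a known id, otherwise create one.
        if sid is None or sid not in self.sessions:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {}
        return sid

    def invalidate(self, sid):
        self.sessions.pop(sid, None)

USERS = {"alice": "s3cret"}  # constructed credentials

def login_fixation(store, sid_from_cookie, user, password):
    """Mirrors the slide: the pre-authentication id is kept and becomes authenticated."""
    sid = store.get_session(sid_from_cookie)
    if USERS.get(user) == password:
        store.sessions[sid]["user"] = user
    return sid

def login_rotating(store, sid_from_cookie, user, password):
    """Fix: drop the pre-auth session and issue a fresh id after the credential check."""
    if USERS.get(user) != password:
        return store.get_session(sid_from_cookie)
    store.invalidate(sid_from_cookie)
    sid = store.get_session(None)
    store.sessions[sid]["user"] = user
    return sid

def demo(login):
    """Returns (known id now authenticated?, id unchanged by login?)."""
    store = SessionStore()
    planted = store.get_session(None)   # id an attacker obtained and forced on the victim
    after = login(store, planted, "alice", "s3cret")
    return store.sessions.get(planted, {}).get("user") == "alice", after == planted
```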

A3 – CROSS-SITE SCRIPTING (XSS)

Untrusted data sent to the victim's browser without validation and/or escaping.

XSS allows attackers to execute script in victims' browsers, for instance to:

hijack users' sessions,

redirect users to malicious sites,

1. Reflected XSS

2. Stored XSS

A3 – XSS EXAMPLE

<form name="update" method="post" action="...">
<input type="text" value="<%=userBean.getName()%>"/>
</form>

Rendered when the stored name is who_cares"/><script>...</script>:

<input type="text" value="who_cares"/><script>...</script>"/>
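The attribute breakout above reproduced and then closed: an added Python rendering of the JSP line (not the presenter's code) with the slide's name value as constructed input, before and after HTML-escaping for the attribute context.

```python
import html

def render_unescaped(name):
    """Mirrors the JSP slide: the value is dropped into the attribute verbatim."""
    return '<input type="text" value="' + name + '"/>'

def render_escaped(name):
    """Fix: escape for the attribute context; quote=True also escapes the quotes
    that would otherwise terminate the attribute."""
    return '<input type="text" value="' + html.escape(name, quote=True) + '"/>'

# Constructed input in the shape of the slide's payload: a closing quote and
# tag, then a script element.
PAYLOAD = 'who_cares"/><script>...</script>'

def script_tag_count(markup):
    """Number of real <script> elements the browser would see in the markup."""
    return markup.count("<script>")
```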

A4 – INSECURE DIRECT OBJECT REF.

Reference to an internal object (file, directory, database key) exposed without an access control check or other protection.

A4 – DIRECT OBJECT REF. EXAMPLE

String query = "select * from accounts where account = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, request.getParameter("account"));
ResultSet rs = stmt.executeQuery();

http://foo.com/app/accountInfo?account=notmyaccount
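The slide's query is already parameterised, so the flaw is not injection but the missing ownership check; this added Python version (not the presenter's code) runs both lookups against a constructed accounts table to show that binding the query to the authenticated user closes the accountInfo?account=notmyaccount case.

```python
import sqlite3

def make_db():
    # Constructed in-memory accounts table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts (account text primary key, "
                 "owner text, balance integer)")
    conn.executemany("insert into accounts values (?, ?, ?)",
                     [("acc-1", "alice", 100), ("acc-2", "bob", 250)])
    conn.commit()
    return conn

def account_info_idor(conn, account):
    """Mirrors the slide: safe against SQL injection, but any account id is served."""
    rs = conn.execute("select * from accounts where account = ?", (account,))
    return rs.fetchone()

def account_info_checked(conn, session_user, account):
    """Fix: tie the lookup to the authenticated user, so the id alone is not enough.
    session_user must come from the server-side session, never from the request."""
    rs = conn.execute("select * from accounts where account = ? and owner = ?",
                      (account, session_user))
    return rs.fetchone()
```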

A5 – SECURITY MISCONFIGURATION

Secure configuration defined and deployed for the:

application,

frameworks,

application server,

web server,

database server,

platform.

A5 – MISCONFIGURATION EXAMPLE

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container" … />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" … />
    <Connector port="443" protocol="org.apache. … .Http11Protocol" … />
  </Service>
</Server>

A6 – SENSITIVE DATA EXPOSURE

Protect sensitive data such as

credit cards,

authentication credentials

Apply extra protection (encryption at rest or in transit) and

precautions when exchanged with browser.

A6 – DATA EXPOSURE EXAMPLE 1

An application encrypts credit card numbers in a database

using automatic database encryption.

However, this means it also decrypts this data

automatically when retrieved, allowing an SQL injection

flaw to retrieve credit card numbers in clear text.

A6 – DATA EXPOSURE EXAMPLE 2

A site simply doesn’t use SSL for all authenticated pages.

Attacker simply monitors network traffic (like an open

wireless network), and steals the user’s session cookie.

A7 – MISSING ACCESS CONTROL

Verify function-level access:

before making functionality visible in the GUI ✓

when each function is actually accessed ✗

A7 – ACCESS CONTROL EXAMPLE

@Stateless
public class OrderBean implements Order {
    public String getDetail(String id) {
    }

    public String approve(String id) {
    }
}
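OrderBean with the check the slide says is missing: an added Python sketch (not the presenter's code, and not an EJB API) where a constructed requires_role decorator enforces the role on every call to approve, independently of whether the GUI showed the button.

```python
from functools import wraps

class AccessDenied(Exception):
    pass

class Principal:
    """Constructed caller identity: name plus the roles held."""
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

def requires_role(role):
    """Function-level check enforced where the method is invoked, not only in the GUI."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(self, caller, *args):
            if role not in caller.roles:
                raise AccessDenied(caller.name + " lacks role " + role)
            return fn(self, caller, *args)
        return wrapper
    return decorator

ORDERS = {"42": {"detail": "10 x widget", "approved": False}}  # constructed data

class OrderBean:
    @requires_role("clerk")
    def get_detail(self, caller, order_id):
        return ORDERS[order_id]["detail"]

    @requires_role("manager")
    def approve(self, caller, order_id):
        ORDERS[order_id]["approved"] = True
        return "approved"

def try_approve(caller, order_id):
    """Outcome of a direct call to approve, as a hidden-URL request would make it."""
    try:
        return OrderBean().approve(caller, order_id)
    except AccessDenied:
        return "denied"
```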

A8 – CROSS-SITE REQUEST FORGERY

1. User authenticates to bank.com

2. User visits forum.com

3. Page contains tag <img src=bank.com/transfer.jsp?account=attacker&amount=300000>

4. User's browser makes GET request bank.com/transfer.jsp?account=attacker&amount=300000 without the user knowing

A8 – CSRF EXAMPLE

Nearly everything is susceptible to CSRF, so no need to hunt the bug …
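A hardened transfer.jsp for the bank.com scenario above, as an added Python model (not the presenter's code): a synchronizer token derived from the session with a constructed server key, so the request the forum page triggers (cookie attached, no token, and a GET) is refused while the user's own form submission goes through.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # constructed per-process server key

def csrf_token(session_id):
    """Token bound to the session; forum.com can neither read nor derive it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(session_id, method, form):
    """transfer.jsp hardened: the cookie the browser attaches automatically is
    not enough; the request must be a POST carrying the session's token."""
    if method != "POST":
        return "rejected: state change requires POST"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return "rejected: missing or wrong CSRF token"
    return "transferred " + form["amount"] + " to " + form["account"]

def forged_request(session_id):
    # The <img src=bank.com/transfer.jsp?account=attacker&amount=300000> from the
    # slide: the victim's session cookie rides along, but it is a GET with no token.
    return handle_transfer(session_id, "GET",
                           {"account": "attacker", "amount": "300000"})

def forged_post(session_id):
    # Requiring POST alone is not the fix: a forged POST still has no token.
    return handle_transfer(session_id, "POST",
                           {"account": "attacker", "amount": "300000"})

def legitimate_request(session_id):
    form = {"account": "savings", "amount": "50",
            "csrf_token": csrf_token(session_id)}
    return handle_transfer(session_id, "POST", form)
```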

A9 – USING VULNERABLE COMPONENTS

Common Vulnerabilities and Exposures database (https://cve.mitre.org)

A10 – UNVALIDATED REDIRECT

1. Lure the user into clicking a redirect link

http://www.trusted.com/redirector?to=http://www.evil.com

2. Code does not perform any validation

String location = (String) request.getParameter("to");
response.sendRedirect(location);

3. User thinks (s)he's accessing trusted.com but is in fact at evil.com
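The validation the redirector above lacks, as an added Python function (not the presenter's code) with a constructed allow-list for trusted.com; it goes beyond the slide's single case by comparing the parsed host, so scheme-relative, userinfo, backslash and non-http forms of the "to" parameter also fall back to a safe default.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.trusted.com"}  # constructed allow-list for the slide's trusted site

def safe_redirect_target(to, default="/"):
    """Validate the redirector's 'to' parameter before the equivalent of sendRedirect.

    The parsed host is compared, not a string prefix, so //evil.com,
    http://www.trusted.com@evil.com, backslash variants and javascript: URLs all
    return the default; same-site absolute URLs and local paths pass through.
    """
    if not to:
        return default
    cleaned = to.strip().replace("\\", "/")   # browsers treat \ as / in URLs
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.scheme and not parts.netloc:
        return default                        # e.g. http:///path, ambiguous host
    if parts.netloc:
        return cleaned if parts.hostname in ALLOWED_HOSTS else default
    # No host at all: accept only an absolute local path. A bare "//host" was
    # already parsed as a netloc above, so it cannot reach this branch.
    return cleaned if parts.path.startswith("/") else default
```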

SUMMARY

LAYERS OF DEFENSE IN DEPTH

Policies, Procedures, Awareness

Physical

Perimeter

Internal Network

Host

App

Data

AND NOW … bWAPP

OWASP Top 10

CWE 25

Mitigations (SANS, OWASP Cheat Sheets, …)

Web Services (SOAP & REST)

Mobile

And more …

QUESTIONS?

ADD DEPTH TO YOUR INFORMATION SYSTEM

Olivier Houyoux Technology Security Architect

Version 1.1

Date 28/11/2014

Mail Contact (at) nitroxis.be

Website www.nitroxis.be