5MMSSI - Information Systems Security 1 - vulnerabilities and … · 2011-09-22 · 5MMSSI -...
5MMSSI - Information Systems Security1 - vulnerabilities and attacks
Fabien Duchene1
Karim Hossen1
1 Laboratoire d’Informatique de Grenoble, VASCO team, Grenoble Institute of Technology - Grenoble INP Ensimag
2011-2012
Fabien Duchene, Karim Hossen (LIG) 5MMSSI-1-Common vulnerabilities and attacks 1/36 2011-2012 1 / 36
Outline
1 Web based vulnerabilities
  - Injection
  - SQL Injection
  - Path vulnerability
  - CSRF
  - XSS - Cross-Site scripting
Remarks
NOT exhaustive: a selection of several interesting vulnerabilities and attacks. Many others exist (footnote 1).
1 [OWASP vulnerabilities] OWASP vulnerabilities
Web based vulnerabilities
Input related vulnerabilities
Attacker’s goal:

attack name                    targeted subsystem   parsing   evaluation
buffer overflow exploitation   binary executable    x
format string exploitation     binary executable    x         x
SQL injection                  database             x         x
XSS                            web application      x         x
CSRF                           web application      x         x

Cause
- non sufficiently sanitized inputs
- insecure use of input parameters
Web based vulnerabilities Injection
Injection I
(slide figure not in the transcript; cited as footnote 2)
Web based vulnerabilities Injection
Injection II
Threat level [OWASP 2011]
- Exploitability: +++ EASY
- Prevalence: ++ COMMON
- Detectability: ++ AVERAGE
- Impact: +++ SEVERE
Counter-measures
- input sanitization: application dependent
2 [Kunz 2011] Skype Vulnerabilities: Zero Day Exploitation 2011, HITBSecConf 2011 (Malaysia)
Web based vulnerabilities SQL Injection
SQL Injection Attack (SQli) I
subsystem:
goal:
Several SQL injection attacks [Wikipedia - SQL injection]
- incorrectly filtered escape characters
- incorrect type handling
- blind SQL injection
Web based vulnerabilities SQL Injection
SQli: basic - “Incorrect type handling” I
Incorrect type handling
- data is not strongly typed
- in the example: an integer is expected, but the language interpreter evaluates the whole expression

    statement := "SELECT * FROM weather_data WHERE station=" + a_variable + ";"

Example: webgoat SQLi (footnote 3)
Web based vulnerabilities SQL Injection
SQli: basic - “Incorrect type handling” II
Basic form. We submit it once and observe:
Once we submit, the station parameter seems to be used in the data retrieval. Goal: extract all the data from that SQL table.
Web based vulnerabilities SQL Injection
SQli: basic - “Incorrect type handling” III
Have a look at the source code, and observe.
Since it is simpler to perform the request via HTTP GET, give it a try:
Web based vulnerabilities SQL Injection
SQli: basic - “Incorrect type handling” IV
It works: the station parameter sent via a GET request is used by the web application:
Let us try to inject:
Web based vulnerabilities SQL Injection
SQli: basic - “Incorrect type handling” V
Exploitation succeeds: we are able to extract all the records from that table.
Web based vulnerabilities SQL Injection
SQli: basic - “Incorrect type handling” VI
Also works if we use HTTP POST, here with Firefox Hackbar (footnote 4).
Note: we only tried to get the data, but think about (footnote 5):

    station=103 OR 1=1; DROP TABLE weather_data

3 [Webgoat - numeric SQL injection] Webgoat - numeric SQL injection
4 [Firefox hackbar add-on] Firefox hackbar add-on
5 Most SQL server implementations allow multiple statements. APIs generally do not: PHP mysql_query() and Python sqlite3.[.].execute() do not support this. Some functions such as Python sqlite3.[.].executescript() however do.
Web based vulnerabilities SQL Injection
SQLi: basic - “Incorrectly filtered escape characters” I
Incorrectly filtered escape characters
- user input is not filtered for escape characters (eg: ’ ” ..)
- parameters are passed without using prepared statements

    statement = "SELECT * FROM users WHERE name = '" + userName + "';"

How would you set the variable userName to bypass the authentication?
A possible answer:
Web based vulnerabilities SQL Injection
SQLi: basic - “Incorrectly filtered escape characters” II
    statement = "SELECT * FROM users WHERE name = '" + userName + "'; UPDATE logon_attempts SET attempts=attempts+1 WHERE name='" + userName + "';"

How do we prevent the logon attempt counter from increasing for that username?
A possible answer:
Web based vulnerabilities SQL Injection
“Blind” SQLi I
Blind SQL injection?
- production environments do not let you see the error outputs
- when trying to inject into such a system: “blind injection”
- more injection techniques in [Hackipedia - SQL injection]
Example: webgoat blind integer SQLIA (footnote 6)
Assume a simple SELECT WHERE request such as:
Web based vulnerabilities SQL Injection
“Blind” SQLi II
    SELECT `field_name` FROM `table_name` WHERE `field1`='arg1'

If we try a random number:
If we try to input a non-integer:
Is the application susceptible to blind injection?
Web based vulnerabilities SQL Injection
“Blind” SQLi III
Does such a record exist?
Now let us explore the possible space via
... POWER(2,30)
... POWER(2,11):
Web based vulnerabilities SQL Injection
“Blind” SQLi IV
Thus the value is between
Now let us continue the dichotomy:
Still too high...
Now too low ...
We iterate that process, and finally:
Web based vulnerabilities SQL Injection
“Blind” SQLi V
    101 AND (SELECT pin FROM pins WHERE cc_number=1111222233334444) < (POWER(2,11)+POWER(2,8)+POWER(2,5)+POWER(2,4)+POWER(2,3)+POWER(2,2)+POWER(2,0))

2^11 + 2^8 + 2^5 + 2^4 + 2^3 + 2^2 + 2^0 = 2365
Let us verify one last time that the value is 2364
Web based vulnerabilities SQL Injection
“Blind” SQLi VI (footnote 7)
Blind string SQL Injection Attack
Similar:
- by using the CHAR(x) (x: integer ; ex in ASCII encoding: CHAR(41)=’A’ ; CHAR(61)=’a’), ASCII(c) (c: character ; eg: ASCII(’a’)=61) and SUBSTRING(str,start,length) SQL functions
- Encoding-dependent: ASCII, UTF8, UTF16 ...
- Heuristic: would promote characters of the assumed alphabet
6 [Webgoat - numeric SQL injection] Webgoat - numeric SQL injection
7 [Mavituna - SQL injection sheet 2007] Mavituna - SQL injection sheet
Web based vulnerabilities SQL Injection
SQLi blind string injection: exercise
We want to find the first character of the field user_name of the table users for the record with user_id equal to 6969 ... thanks to the following SQL request (we are able to manipulate $bet_id). We know that bet_id = 3679 is a valid ID.

    'SELECT MAX(`bet_amount`) FROM `bets` WHERE `bet_id`=' + $bet_id + ';'

A possible answer:
Web based vulnerabilities SQL Injection
SQLi Prevention
- input sanitization: only allow some characters.. or explicitly deny some that have a meaning (footnote 8)
- strongly type the parameters
- use parameterized statements

    java.sql.PreparedStatement prep = connection.prepareStatement(
        "SELECT * FROM users WHERE LASTNAME = ? AND AGE = ?");
    prep.setString(1, lastname);
    prep.setInt(2, age);
    prep.executeQuery();

8 problem: might be encoding dependent (eg: UTF-8, UTF-16)
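As an added example (not from the slides), the weather_data lookup from the “incorrect type handling” slides written in Python with sqlite3: the concatenated form beside the strongly typed, parameterized form this slide recommends, run against a constructed in-memory table. It also shows the footnote-5 point that sqlite3's execute() refuses stacked statements.

```python
import sqlite3

# Constructed sample rows; table and column names follow the slides'
# weather_data / station example.
SAMPLE_ROWS = [(101, "Columbia"), (102, "Seattle"), (103, "New York")]


def make_db():
    """Build an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weather_data(station INTEGER, city TEXT)")
    conn.executemany("INSERT INTO weather_data VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, a_variable):
    """The slides' pattern: the input is spliced into the SQL text, so the
    database evaluates '103 OR 1=1' as part of the WHERE clause."""
    statement = "SELECT * FROM weather_data WHERE station=" + a_variable + ";"
    return conn.execute(statement).fetchall()


def lookup_param(conn, a_variable):
    """Hardened form: strongly type the input (int() rejects '103 OR 1=1'),
    then bind it as a parameter so it can never be parsed as SQL."""
    station = int(a_variable)
    return conn.execute(
        "SELECT * FROM weather_data WHERE station=?", (station,)
    ).fetchall()


def stacked_statement_runs(conn, a_variable):
    """Footnote 5 on the slides: sqlite3's execute() accepts only one
    statement, so a stacked 'DROP TABLE' fails even through lookup_concat
    (executescript() would have run it). Returns True only if no error."""
    try:
        lookup_concat(conn, a_variable)
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False
```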
Web based vulnerabilities Path vulnerability
Path vulnerability
Path vulnerability
- ability to access (read and/or execute and/or write..) files, folders that were initially not intended to be accessible from the web-application
- Path Traversal aka “../” (dot-dot-slash) vulnerability
- “LFI” Local File Inclusion
- “RFI” Remote File Inclusion
Web based vulnerabilities Path vulnerability
Path vulnerability example (LFI, RFI)
    <?php
    $color = 'blue';
    if (isset($_GET['LANGUAGE']))
        $language = $_GET['LANGUAGE'];
    include($language . '.php');
    ?>
    <form method="get">
      <select name="LANGUAGE">
        <option value="english">english</option>
        <option value="chinese">chinese</option>
      </select>
      <input type="submit">
    </form>

files/file-include.php
Web based vulnerabilities Path vulnerability
Path vulnerability example
How would you perform an HTTP GET request in order to list the content of the /etc/passwd file? LFI. A possible answer:
... run code from a remote file? RFI. A possible answer:
Web based vulnerabilities Path vulnerability
Path vulnerability example (Directory traversal)
Consider a similar PHP code, replacing the include line:
    . . .
    include("/home/webapp1/public_html/code/languages/" . $language);
    . . .
How would you read the RSA SSH private key (~/.ssh/id_rsa) of the user orlando (/home/orlando)? Directory traversal. A possible answer:
Web based vulnerabilities Path vulnerability
Path vulnerability - countermeasures
- (once more) input sanitization
- limit file inclusion to a selected subset of directories. This can be done at several layers:
  - interpreter (eg: PHP (allow_url_fopen, allow_url_include), ASP.Net)
  - web-server (eg: Apache httpd) configuration
  - chroot jails or similar systems (child processes will only be able to open files within the defined chroot jail)
- enforce strict ACLs on sensitive files and run websites under a different identity than the owner(s) of those sensitive files
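As an added example (not from the slides), the include() of the LANGUAGE parameter above rewritten with the sanitization layers this slide lists: an allow-list of the two form values, a refusal of URL-shaped input (RFI), and a containment check that the resolved path stays under the languages directory (directory traversal). The directory is a hypothetical path modelled on the slide.

```python
import os
from urllib.parse import urlsplit

# Hypothetical directory modelled on the slides' include() prefix.
LANG_DIR = "/home/webapp1/public_html/code/languages"
# The only values the slides' <select> offers.
ALLOWED_LANGUAGES = {"english", "chinese"}


def is_remote(value):
    """True if the value parses as a URL (http://..., ftp://...), i.e. a
    remote file inclusion attempt; include() must only see local paths."""
    return urlsplit(value).scheme != ""


def is_contained(base_dir, requested):
    """True if base_dir/requested still resolves inside base_dir once '..'
    segments, absolute paths and symlinks are resolved. This is the
    directory-traversal check for cases where no allow-list is possible."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, candidate]) == base


def resolve_language_file(language):
    """Replacement for include($language . '.php'): returns the absolute
    file to include, or None when the input is refused. Layer 1 is the
    allow-list; layers 2 and 3 remain as defence in depth should the list
    ever be relaxed to user-supplied names."""
    if language not in ALLOWED_LANGUAGES:
        return None
    if is_remote(language):
        return None
    filename = language + ".php"
    if not is_contained(LANG_DIR, filename):
        return None
    return os.path.join(os.path.realpath(LANG_DIR), filename)
```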
Web based vulnerabilities CSRF
CSRF
Cross Site Request Forgery
- attacker tricks a victim into loading a webpage
- by loading that webpage, the victim will perform the action planned by the attacker
Causes
- web application is not able to distinguish between
Web based vulnerabilities CSRF
CSRF example I
Aimelyne wants to trick Ilyas so that she receives 2000 USD from him via the website payme.blabla.
Application logic discovery
A uses payme.blabla to send a small amount, 5 USD, to Melissa ... and discovers that the following request is performed:

    GET http://bank.com/transfer.do?to=Melissa&amount=5 HTTP/1.1
Web based vulnerabilities CSRF
CSRF example II
Malicious link construction
How would A construct a malicious link so that people who perform that request would (if authenticated) send her 2000 USD?
Web based vulnerabilities CSRF
CSRF example III
Transmission to the victim
How would A send that link to the victim? A possible answer:
The victim gets tricked
Assuming Ilyas is authenticated, if he clicks the link, Aimelyne will receive the money.
What is the problem that could now occur? Answer:
How to prevent that? A solution: (footnote 9)
9 We here assumed a GET request. POST requests could also be tricked (eg: HTML form, input submission triggered via javascript).
Web based vulnerabilities CSRF
CSRF countermeasures
client side:
- browser plugin: [RequestPolicy firefox add-on], [CsFire firefox add-on]
server side:
- for each form request, include a “fresh state token”
  - freshness requires sufficient randomization
  - eg. dependencies: user identity, session, time, webpage from which the request comes, form “status”
  - ASP.Net: viewstate
  - Java: nothing out of the box, but ability to build it. OWASP CSRFGuard
- checking the HTTP Referer header
- limiting the lifetime of tickets (eg: cookies)
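As an added example (not from the slides, and not OWASP CSRFGuard's own code), one way to build the server-side “fresh state token” this slide describes: an HMAC over the user identity, session, form and issue time, with a limited lifetime. Applied to the transfer.do request of the example, the forged link carries no valid token, so the transfer is refused even for an authenticated victim. The secret, session identifiers and lifetime are constructed values.

```python
import hashlib
import hmac
import time

# Constructed server secret; in practice loaded from protected configuration.
SERVER_SECRET = b"constructed-example-secret"
TOKEN_TTL = 600  # assumed lifetime of a form token, in seconds


def _mac(user_id, session_id, form_id, issued):
    msg = f"{user_id}|{session_id}|{form_id}|{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, session_id, form_id, now=None):
    """Token embedded in the form: binds user, session, form and issue time,
    as the slide lists; unforgeable without the server secret."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(user_id, session_id, form_id, issued)}"


def verify_token(token, user_id, session_id, form_id, now=None):
    """Recompute the MAC for the claimed issue time, compare in constant
    time, and reject tokens older than TOKEN_TTL (limited lifetime)."""
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(user_id, session_id, form_id, issued))


def transfer_allowed(params, session, now=None):
    """Check for transfer.do: the request must carry a token issued for this
    user's session and the 'transfer' form. The forged GET from the slides
    (to=...&amount=2000) cannot include one the attacker does not know."""
    token = params.get("token", "")
    return verify_token(token, session["user_id"], session["sid"],
                        "transfer", now=now)
```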
Web based vulnerabilities XSS - Cross-Site scripting
XSS (will be updated)
Appendix For Further Reading
Hackipedia - SQL injection. http://hakipedia.com/index.php/SQL_Injection.
Johan Adriaans, Pedro Laguna. Firefox hackbar add-on. https://addons.mozilla.org/en-US/firefox/addon/hackbar/.
Kunz, Benjamin (2011). Skype Vulnerabilities: Zero Day Exploitation 2011, HITBSecConf 2011 (Malaysia). http://conference.hitb.org/hitbsecconf2011kul/?page_id=1757.
Mavituna - SQL injection sheet (2007). http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/.
OWASP. OWASP vulnerabilities. https://www.owasp.org/index.php/Category:Vulnerability.
OWASP (2011). Injection - OWASP top 10 - 2010. https://www.owasp.org/index.php/Top_10_2010-A1.
Philippe De Ryck, Lieven Desmet. CsFire firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/csfire/.
Samuel, Justin. RequestPolicy firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/.
Webgoat - numeric SQL injection. http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_InjectionFlaws_NumericSQLInject/WebGoat_InjectionFlaws_NumericSQLInject.html.
Wikipedia - SQL injection. https://secure.wikimedia.org/wikipedia/en/wiki/SQL_injection.