Web Application Hacking Workshop Learn how to penetrate like a professional Tuesday, October 23, 12 Please check you have the hacking environment downloaded and unzipped - if not, please raise your hand you have Firefox w/ TamperData and FoxyProxy -plugins installed - if not, please download and/or raise your hand you have added a new proxy for localhost:8888 - if not, do it now! Tuesday, October 23, 12 Silverskintro Jani Kirmanen CISSP, GISP, GWAPT, GCPM Tuesday, October 23, 12 Jani & Niklas Professional Penetrators Tuesday, October 23, 12 What we do Reverse-engineer your mind Find out where you have hidden all the subpar code Enjoy writing exploit code for it Profit! Tuesday, October 23, 12 We also Collaborate with developers to implement secure systems Train developers to think better and to find disastrous vulnerabilities before we (or the bad guys) do Participate in developing WebGoat 6.0! No-profit! Tuesday, October 23, 12 Today’s menu Finding security vulnerabilities Writing exploit code Expecting more secure software Tuesday, October 23, 12 Limitations Time - we won’t be learning every technique / doing every exercise Different skill sets - we won’t get done at the same time Google - we won’t be searching the answers Tuesday, October 23, 12 Tools WebGoat 5.4 /home/WebGoat-5.4$ sh webgoat.sh start8080 Firefox with Tamperdata (Firefox with FoxyProxy + Burp Suite) Tuesday, October 23, 12 Injection Attacking the server side Tuesday, October 23, 12 /inˈjekSHən/ types: sql, ldap, html, javascript, command... manipulates semantics through syntax (conceptually) affects the server side exploits the fact the developer has paid zero-to-none attention to input validation Tuesday, October 23, 12 Attacker’s view concentrates on the special characters of the programming / scripting / query language typically delimiters for strings like quotes, single quotes, etc. uses encoding to evade input filtering Tuesday, October 23, 12 A classic example The application uses this SQL query in the authentication mechanism: SELECT * FROM users WHERE login='$login' AND password='$password'; Now, all the attacker has to do is... Tuesday, October 23, 12 ... exercise #1 Open http://localhost:8080/WebGoat/attack Navigate to Injection Flaws and start hacking! You can do as many you want or can manage. Note that you cannot do all the exercises as some require you to code something first, and we are not gonna. Don't worry if you are not as fast as someone else. This is your first time, right? Tuesday, October 23, 12 Developer’s view Never trust any input without validation When using external services like databases we create a query or other structured statement We have to protect the integrity of that statement Tuesday, October 23, 12 Better security Use type conversion to get rid of Strings (use Domain objects), if possible Use prepared statements or similar when using an external service like a database Implement input control as a centralized component Tuesday, October 23, 12 Cross-site scripting Attacking the client side Tuesday, October 23, 12 /ekS eS eS/ attacks the client side aka the browser aka the user exploits the fact the developer has paid none-to-null attention to output validation comes in different flavors: reflective, stored, dom-based Tuesday, October 23, 12 Attacker’s view targets places where user input is echoed into HTML, Javascript, CSS - even Flash! manipulates the response to include malicious code from another site (hence the name) uses encoding to evade input/output filtering Tuesday, October 23, 12 A classic example An application has a search functionality that echoes the search term verbatim. The attacker sends special input to verify the functionality has an XSS vulnerability Now the attacker can create a malicious payload that tricks the user to... Tuesday, October 23, 12 ... exercise #2 Open http://localhost:8080/WebGoat/attack Navigate to Cross-site scripting and start hacking! You can do as many you want or can manage. Note: Lab Stages 1 and 5 only! Tuesday, October 23, 12 Developer’s view Everything relating to input validation still applies Typically the output is combined from many sources and “injected” into a template of some kind We have to protect the integrity of that template Tuesday, October 23, 12 Better security Use output encoding when composing the output Use domain objects with centralized access control to comply with data classification Implement output control as a centralized component Tuesday, October 23, 12 Privilege escalation “Minulla on kuulkaa poliisin oikeudet” Tuesday, October 23, 12 [ˈɛskəˌleɪtə] accessing functionality and data without authorization vertical: accessing admin functionality horizontal: accessing other peoples data Tuesday, October 23, 12 Attacker’s view targets direct object references aka sensitive identifiers if there is a parameter action=view, there might be action=create or action=update as well exploits the fact the developer regards the user interface as an access control Tuesday, October 23, 12 A classic example Executing admin functionality through access control bypass. Consider an application which allows admins to view users’ accounts, update information etc. The developer chose guessable parameter names in functionality mapping Now, all the attacker has to do is... Tuesday, October 23, 12 ... exercise #3 Open http://localhost:8080/WebGoat/attack Navigate to Access control flaws and start hacking! You can do as many you want or can manage. Note that you cannot do all the exercises as some require you to code something first, and we are not gonna. Don't worry if you are not as fast as someone else. This is your first time, right? Tuesday, October 23, 12 Developer’s view use role based access control properly use indirection to hide sensitive identifiers implement access control as a centralized component Tuesday, October 23, 12 That’s all folks! Please leave your business card and take one of ours Contact us: [email protected] or www.silverskin.com See you at the after party!!! Tuesday, October 23, 12