CEHv6 Module 17 Web Application Vulnerabilities

Academic year: 2019

Ethical Hacking and Countermeasures

Version 6

Module XVII

Scenario

Kimberly, a web application developer, works for a bank, XBank4u. Recently XBank4u introduced a new service called “Mortgage Application Service”. Kimberly was assigned the task of creating the application which supported the new service.

She finds ShrinkWarp, an ASP based application on the Internet. The application suited perfectly for her development. She negotiates the price with the vendor and purchases the software for the firm.

She was successful in implementing the project in time. XBank4u was ready to serve its customers online for the new service using the application that Kimberly had designed.

A week later the XBank4u website was defaced!

News

Module Objective

This module will familiarize you with:

• Web Application Setup

• Objectives of Web Application Hacking

• Anatomy of an Attack

• Web Application Threats

• Countermeasures

Module Flow

(Flow diagram) Web Application Setup; Web Application Hacking; Anatomy of an Attack; Web Application Threats; Countermeasures

Web Application Setup

A client/server software application that interacts with users or other systems using HTTP

Modern applications are written in Java (or similar languages) and run on distributed
Web Application Hacking

Exploitative behaviors:

• Defacing websites

• Stealing credit card information

• Exploiting server-side scripting

• Exploiting buffer overflows

• Domain Name Server (DNS) attacks

• Employing malicious code

• Denial of Service

Anatomy of an Attack

(Diagram) Scanning; Information Gathering; Testing; Planning the Attack

Web Application Threats

• Cross-site scripting

• SQL injection

• Command injection

• Log tampering

• Error message interception attack

• Attack obfuscation

• Cookie/session poisoning

• Parameter/form tampering

• Platform exploits

• DMZ protocol attacks

• Buffer overflow

• Directory traversal/forceful browsing

• Security management exploits

• Web services attacks

• Cryptographic interception

• Cookie snooping

• Zero day attack

• Network access attacks

Cross-Site Scripting/XSS Flaws

Cross-site scripting occurs when an attacker uses a web application to send malicious code, generally JavaScript

Stored attacks are those where the injected code is permanently stored on the target servers in a database

Reflected attacks are those where the injected code takes another route to the victim, such as in an email message

Disclosure of the user’s session cookie allows an attacker to hijack the user’s session and take over the account

In cross-site scripting, end user files are disclosed, Trojan horse programs are installed, the user is redirected to some other page, and the presentation of the content is modified

An Example of XSS

A hacker realizes that the XSECURITY website suffers from a cross-site scripting bug

The hacker sends you an e-mail that claims you have just won a vacation getaway and all you have to do is "click here" to claim your prize

The URL for the hypertext link is www.xsecurity.com/default.asp?name=<script>evilScript()</script>

When you click this link, the website tries to be friendly by greeting you, but instead displays, “Welcome Back !”

What happened to your name? By clicking the link in the e-mail, you have told the XSECURITY website that your name is <script>evilScript()</script>

The web server generated HTML with this “name” embedded and sends it to your browser

Your browser correctly interprets this as script and runs the script

Countermeasures

Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification

Adopt a stringent security policy
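The greeting page from the XSS example, written two ways: the reflecting version the slides describe, and a version that validates the name parameter against a specification and escapes it on output. This is an added illustration, not code from the course; the name specification, the page template and the example URL are constructed for it.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request, modelled on the link in the XSS example above
# (www.xsecurity.com/default.asp?name=<script>evilScript()</script>).
EXAMPLE_URL = "http://www.xsecurity.com/default.asp?name=<script>evilScript()</script>"

# The "rigorous specification" for the name parameter (an assumption for
# this example): starts with a letter, then letters, spaces, apostrophes
# or hyphens, at most 40 characters in total.
NAME_SPEC = re.compile(r"[A-Za-z][A-Za-z '\-]{0,39}")

PAGE = "<html><body><h1>Welcome Back {name}!</h1></body></html>"


def name_from_url(url):
    """Pull the raw, untrusted 'name' query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("name", [""])[0]


def greet_vulnerable(url):
    """The behaviour the slide describes: the parameter is embedded verbatim,
    so the browser treats a <script> value as script rather than as a name."""
    return PAGE.format(name=name_from_url(url))


def greet_hardened(url):
    """Validate against the specification first, then escape on output.
    Escaping alone already stops the script from running; validation keeps
    unexpected input out of the application in the first place."""
    name = name_from_url(url)
    if not NAME_SPEC.fullmatch(name):
        name = "Guest"  # outside the spec: fall back rather than echo it
    return PAGE.format(name=html.escape(name, quote=True))


def contains_script_tag(page):
    """Quick check a reviewer can run over rendered output."""
    return "<script" in page.lower()
```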

SQL Injection

SQL Injection uses SQL to directly manipulate the database’s data

An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data

SQL Injection attacks can often be executed from the address bar, from within application fields, and through queries and searches

Countermeasure:

• Check the user’s input provided to database queries

Command Injection Flaws

Command injection flaws relay the malicious code through a web application to another system

Attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to the backend databases via SQL (i.e., SQL injection)

Countermeasures

Use language-specific libraries that avoid problems due to shell commands

Validate the data provided to prevent any malicious content

Structure requests so that all supplied parameters are treated as data, rather than potentially executable content
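The last countermeasure, "parameters are treated as data", applied to both cases the Command Injection slide names: the backend database (the SQL Injection countermeasure above) and an external program. This is an added example, not the course's code; the in-memory SQLite table, the user names and the hostname specification are constructed, and nslookup stands in for whatever external program the application calls.

```python
import re
import sqlite3

# Hostname specification (an assumption for this example): DNS labels only,
# so shell metacharacters such as ; | & ` $ can never reach a command line.
HOSTNAME_SPEC = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")


def open_demo_db():
    """In-memory SQLite stand-in for the backend database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("kimberly", "developer"), ("jason", "tester")])
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the parameter becomes part of the SQL text, so a
    quote in the input closes the literal and the remainder runs as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterised(conn, username):
    """Bound parameter: the driver passes the value as data; it may match a
    row or not, but it can never change the shape of the query."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?",
                        (username,))
    return [row[0] for row in rows]


def is_valid_hostname(host):
    """Validate before the value goes anywhere near an external program."""
    return len(host) <= 253 and HOSTNAME_SPEC.fullmatch(host) is not None


def lookup_argv(host):
    """Build the argument vector for the external program instead of a shell
    command string.  subprocess.run(lookup_argv(host)) uses no shell, so the
    host is always exactly one argument.  Anything outside the spec is refused."""
    if not is_valid_hostname(host):
        raise ValueError("hostname outside specification")
    return ["nslookup", host]
```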

Cookie/Session Poisoning

Cookies are used to maintain session state in the otherwise stateless HTTP protocol

Poisoning allows an attacker to inject the malicious content, modify the user's on-line experience, and obtain the unauthorized information

A proxy can be used for rewriting the session data,

Countermeasures

Do not store a plain text or weakly encrypted password in a cookie

Implement a cookie timeout

A cookie’s authentication credentials should be associated with an IP address

Parameter/Form Tampering

Parameter/Form tampering takes advantage of the hidden fields that work as the only security measure in some applications

Modifying this hidden field value will cause the web application to change according to the new data incorporated

It can cause theft of services, escalation of access, and session hijacking

Buffer Overflow

A buffer overflow corrupts the execution stack of a web application

Buffer overflow flaws in custom web applications are less likely to be detected

Almost all known web servers, application servers, and web application environments are susceptible to attack (but not Java and J2EE environments)

Countermeasures

Validate input length in forms

Check bounds and maintain extra care when using loops to copy data

Directory Traversal/Forceful Browsing

A directory traversal/forceful browsing attack occurs when the attacker is able to browse directories and files outside the normal application access

It exposes the directory structure of the application, and often the underlying web server and operating system

Countermeasures

Define access rights to the protected areas of the website

Apply checks/hot fixes that prevent the exploitation of the vulnerability, such as the use of Unicode to effect directory traversal

Cryptographic Interception

Using cryptography, a confidential message can be securely sent between two parties

Encrypted traffic flows through network firewalls and IDS systems and is not inspected

If an attacker is able to take advantage of a secured channel, he/she can exploit it more efficiently than an open channel

Countermeasure:

• Use of Secure Sockets Layer (SSL) and advanced private key protection

Cookie Snooping

In an attempt to protect cookies, site developers often encode the cookies

Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give a false sense of security regarding the use of cookies

Cookie snooping techniques can use a local proxy to enumerate cookies

Countermeasures:

• Use encrypted cookies

• Embed the source’s IP address in the cookie

• Integrate the cookie mechanism fully with SSL functionality
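The Cookie Snooping slide above and the Cookie/Session Poisoning countermeasures earlier (timeout, binding to an IP address, no reversible secrets) in one worked example, added here and not taken from the course: a Base64 or ROT13 cookie is read back in one call, whereas a cookie stamped with an expiry and the client IP and signed with an HMAC is rejected when rewritten through a proxy, when expired, or when presented from another address. The server key, user names and addresses are constructed for the example.

```python
import base64
import codecs
import hashlib
import hmac

# Server-side secret (an assumption for this example; it never goes to the client).
SERVER_KEY = b"constructed-demo-key-replace-me"


def decode_encoded_cookie(value, scheme):
    """Base64 and ROT13 are encodings, not encryption: whoever holds the
    cookie, e.g. via a local proxy, recovers the plaintext in one call."""
    if scheme == "base64":
        return base64.b64decode(value).decode()
    if scheme == "rot13":
        return codecs.decode(value, "rot_13")
    raise ValueError("unknown scheme")


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_cookie(user, client_ip, now, ttl_seconds, key=SERVER_KEY):
    """Stamp the cookie with an expiry and the client IP, then sign it with an
    HMAC so that any change to user, IP or expiry invalidates the tag."""
    expires = int(now) + int(ttl_seconds)
    payload = "%s|%s|%d" % (user, client_ip, expires)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return _b64(payload.encode()) + "." + _b64(tag)


def verify_cookie(cookie, client_ip, now, key=SERVER_KEY):
    """Return the user name, or None if the cookie was altered, has passed
    its timeout, or is presented from a different IP address."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:            # wrong shape or bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    user, ip, expires = payload.decode().split("|")
    if ip != client_ip or int(now) >= int(expires):
        return None
    return user


def rewrite_user(cookie, new_user):
    """The poisoning attempt the slides describe: the readable part is
    rewritten in a proxy while the tag is left as is.  verify_cookie
    rejects the result because the tag no longer matches the payload."""
    payload_b64, tag_b64 = cookie.split(".")
    _, ip, expires = base64.urlsafe_b64decode(payload_b64).decode().split("|")
    return _b64(("%s|%s|%s" % (new_user, ip, expires)).encode()) + "." + tag_b64
```

Binding a session to an IP address, as the slides recommend, will log out users behind NAT pools or on mobile networks whose address changes mid-session; treat it as one signal among several rather than a hard rule.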

Authentication Hijacking

Authentication prompts a user to supply the credentials that allow access to the application

It can be accomplished through:

• Basic authentication

• Strong authentication methods

Web applications authenticate in varying methods

Enforcing a consistent authentication policy between multiple and disparate applications can prove to be a real challenge

Countermeasures

Use authentication methods that use secure channels wherever possible

Instant SSL can be configured easily to encrypt all traffic between the client and the application

Log Tampering

Logs are kept to track the usage patterns of the application

Log tampering allows attackers to cover their tracks or alter web transaction records

Attackers strive to delete logs, modify logs, change user information, or otherwise destroy evidence of any attack

Countermeasures:

• Digitally sign and stamp logs

• Separate logs for system events

• Maintain a transaction log for all application events
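One way to "digitally sign and stamp" a transaction log, as an added example that is not part of the course material: each entry carries its timestamp and an HMAC that also covers the previous entry's tag, so editing, deleting or reordering records is detected on verification. The signing key and the sample events are constructed for this example.

```python
import hashlib
import hmac
import json

# Signing key (an assumption for this example); in practice it belongs with the
# log collector, not on the web server whose logs it protects.
LOG_KEY = b"constructed-demo-log-key"
GENESIS = "0" * 64   # tag assumed for the entry before the first one


def signed_entry(prev_tag, timestamp, event, key=LOG_KEY):
    """Stamp one event with its time and the previous entry's tag, then sign.
    Because the tag covers prev_tag, removing or reordering an entry breaks
    every later link, not just the one that was touched."""
    record = {"ts": int(timestamp), "event": event, "prev": prev_tag}
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["tag"] = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return record


def append_event(log, event, timestamp, key=LOG_KEY):
    """Append a signed entry chained to the current tail of the log."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append(signed_entry(prev, timestamp, event, key))
    return log


def verify_log(log, key=LOG_KEY):
    """Walk the chain recomputing every tag.  Returns (True, n) for an intact
    log of n entries, or (False, i) where i is the first entry that fails."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("prev") != prev:
            return False, i   # a link was removed or reordered
        expected = signed_entry(prev, rec.get("ts", 0), rec.get("event"), key)["tag"]
        if not hmac.compare_digest(expected, str(rec.get("tag", ""))):
            return False, i   # contents or timestamp were altered
        prev = rec["tag"]
    return True, len(log)


def build_sample_log():
    """Constructed transaction log for the scenario in this module."""
    log = []
    append_event(log, {"user": "kimberly", "action": "login"}, 1700000000)
    append_event(log, {"user": "kimberly", "action": "mortgage_application"}, 1700000060)
    append_event(log, {"user": "kimberly", "action": "logout"}, 1700000120)
    return log
```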

Error Message Interception

Information in error messages is often rich with site-specific information that can be used to:

• Determine the technologies used in the web applications

• Determine whether the attack attempt was successful

• Receive hints for attack methods to try next

Countermeasure:

• Website cloaking capabilities make enterprise web resources invisible to hackers

Attack Obfuscation

Attackers often work hard to mask and otherwise hide their attacks to avoid detection

The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding

Multiple levels of encoding can be used to further bury the attack

It is used for theft of service, account hijacking, information disclosure, website defacement, and so on

Countermeasures:

• Thoroughly inspect all traffic
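A request-path check that follows the Attack Obfuscation countermeasure above and the Directory Traversal countermeasures earlier: decode every layer of URL encoding before inspecting, reject control characters and invalid (for instance overlong "Unicode") byte sequences, then confirm the resolved path stays inside the served directory. This is an added example, not the course's code; the web root and the sample requests are constructed.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/app/public"   # assumption: the directory the application serves


def decode_fully(value, max_layers=5):
    """Strip nested URL encoding ('%252e' -> '%2e' -> '.') before any check;
    a filter that inspects only the outer layer is exactly what multi-level
    encoding is meant to defeat."""
    for _ in range(max_layers):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_request_path(raw_path, web_root=WEB_ROOT):
    """Map a request path to the file to serve, or None if it would leave
    web_root.  Order matters: decode, reject, normalise, then compare."""
    try:
        path = decode_fully(raw_path)
    except ValueError:
        return None
    # NUL bytes and undecodable sequences (unquote maps invalid UTF-8 such as
    # overlong %c0%ae to U+FFFD) never belong in a legitimate path.
    if any(ord(c) < 32 or c == "\ufffd" for c in path):
        return None
    path = path.replace("\\", "/")        # treat backslash as a separator too
    candidate = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None                       # resolved outside the served tree
    return candidate
```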

Platform Exploits

Web applications are built upon application platforms, such as BEA Weblogic, ColdFusion, IBM WebSphere, Microsoft .NET, and Sun JAVA technologies

Vulnerabilities include the misconfiguration of the application, bugs, insecure internal routines, hidden processes and commands, and third-party enhancements

The exploit of application platform vulnerabilities can allow:

• Access to developer areas

DMZ Protocol Attacks

A DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network

Most companies limit the protocols allowed to flow through their DMZ

An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZ and internal systems. This level of access can lead to:

• Compromise of the web application and data

• Defacement of websites

Countermeasures

Deploy a robust security policy

Adopt a sound auditing policy

Use signatures to detect and block well-known attacks

• Signatures must be available for all forms of attack and must be continually updated

Security Management Exploits

the security that is specific to each application

Web Services Attacks

Web services allow process-to-process communication between web applications

An attacker can inject a malicious script into a web service that will enable disclosure and modification of the data

Countermeasures:

• Turn off web services that are not required for regular operations

• Provision for multiple layers of protection

Zero-Day Attacks

Zero-day attacks take place between the time a vulnerability is discovered by a researcher or attacker and the time that the vendor issues a corrective patch

Most zero-day attacks are only available as hand-crafted exploit code, but zero-day worms have caused rapid panic

A zero-day vulnerability is the launching point for further exploitation of the web application and environment

Countermeasures:

• No security solution can claim that it will totally protect against all zero-day attacks

• Enforce stringent security policies

Network Access Attacks

All traffic to and from a web application traverses networks

These attacks use techniques like spoofing, bridging, ACL bypass, and stack attacks

Sniffing network traffic will allow viewing of application commands, authentication information, and application data as it traverses the network

Countermeasures:

• Shut down unnecessary services, thereby shutting unnecessary listening ports

TCP Fragmentation

Every message that is transferred between computers by a data network is broken down into packets

Often packets are limited to a pre-determined size for interoperability with physical networks

An attack directly against a web server would specify that the "Push" flag is set, which would force every packet into the web server’s memory. In this way, an attack would be delivered piece-by-piece, without the ability to detect the attack

Instant Source

The Instant Source tool allows you to see and edit the HTML source code of the web pages

It can be executed from Internet Explorer, where a new toolbar window displays the source code for any selected part of the page in the browser window

Hacking Tool: Wget

Wget is a command line tool for Windows and Unix that will download the contents of a website

It works non-interactively in the background after the user logs off

It works particularly well with slow or unstable connections by continuing to retrieve a document until the document is fully downloaded

Both http and ftp retrievals can be time stamped, so Wget can see if the remote file has changed since the last retrieval and automatically retrieve the new version if it has

WebSleuth: Screenshot

WebSleuth is a tool that combines spidering with the capability of a personal proxy such as Achilles

BlackWidow

BlackWidow is a website scanner, a site mapping

Email addresses, external links, and even link

SiteScope Tool

Foundstone SiteScope is a free tool that helps website owners, developers, and managers to easily map out the navigation of a web application

This tool creates a site map and gathers

WSDigger Tool – Web Services Testing Tool

WSDigger is a free open source tool designed by Foundstone to automate black-box web services security testing

It is more than a tool; it is a web services testing framework

CookieDigger Tool

CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications

The tool works by collecting and analyzing cookies issued by a web application for multiple users

SSL Digger Tool

SSLDigger is a tool to assess the strength of SSL servers by testing the supported ciphers

Hacking Tool: WindowBomb

An email sent with this html code attached will create pop-up windows until the PC's memory gets exhausted

Burp: Positioning Payloads

Burp is a tool for performing automated attacks against web-enabled applications

Burp: Configuring Payloads and Content Enumeration

Burp comes preconfigured with attack payloads and it can check for common databases on a Lotus Domino server

Burp: Password Guessing

Burp Proxy: Intercepting HTTP/S Traffic

Burp Proxy: Hex-editing of Intercepted Traffic

Burp Proxy: Browser Access to Request History

Burp proxy maintains a complete history of every request sent by the

Tool: Burpsuite

Burp suite is an integrated platform for attacking web applications

It allows an attacker to combine manual and automated techniques to enumerate, analyze, attack, and exploit web applications

The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another

Key features include:

• Ability to passively spider an application in a non-intrusive manner

• One-click transfer of interesting requests between plug-ins, e.g. from proxy request history, or a web page form enumerated with burp spider

• Extensibility via the IBurpExtender interface, which allows third-party code to extend the functionality of burp suite

• Centrally configured settings for downstream proxies, web and proxy authentication, and logging

Hacking Tool: cURL

cURL is a multi-protocol transfer library

It is a client side URL transfer library supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, and LDAP

cURL supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, Kerberos, HTTP form-based upload, proxies, cookies, user+password authentication, file transfer

dotDefender

dotDefender is a web application attack protection tool that blocks attacks that are manifested within the HTTP request logic such as:

SQL Injection - dotDefender intercepts and blocks attempts to inject SQL statements that corrupt or gain access to the corporate data

Proxy Takeover - dotDefender intercepts and blocks attempts to divert traffic to an unauthorized site

Cross-site Scripting - dotDefender intercepts and blocks attempts to inject malicious scripts that hijack the machines of subsequent site visitors

Header Tampering - dotDefender identifies and blocks requests containing corrupted header data

Acunetix Web Scanner

Acunetix Web Scanner: Screenshot

AppScan – Web Application Scanner

AppScan provides security testing throughout the application development lifecycle, which tests security assurance in the development stage

It detects vulnerabilities by simulating hacker attacks such as:

• Cross-Site Scripting

• HTTP Response Splitting

• Parameter Tampering

• Hidden Field Manipulation

• Backdoors/Debug Options

• Stealth Commanding

• Forceful Browsing

• Application Buffer Overflows

• Cookie Poisoning

• Third-party misconfigurations

• Known vulnerabilities

Tool: Falcove Web Vulnerability Scanner

Falcove is used by web-site owners to see whether their web sites are hackable or vulnerable to attacks

It finds vulnerabilities before hackers do and takes necessary precautions to implement the corrective actions

Features:

• Gives you an idea whether your website is secure against web attacks

• Crawler feature automatically checks for web vulnerabilities

• Audits all dynamic content including password fields, shopping carts, and other web applications

Falcove Web Vulnerability Scanner: Screenshot

Tool: NetBrute

NetBrute scans a range of IP addresses for shared resources that have been shared via Microsoft File and Printer Sharing

It shows any SMB compatible shared resources (i.e. Samba Servers on a Unix/Linux machine)

It is used by system administrators or home users to see what types of resources are shared and to warn the computer users if any unsecured resources are displayed

Tool: Emsa Web Monitor

Emsa web monitor is a small web monitoring program that runs on your desktop and allows the user to monitor the uptime status of several websites

It works by periodically pinging the remote sites, and showing the ping time as well as a small graph that allows the user to quickly view recent monitoring history

Tool: KeepNI

Keep an eye on your web site’s functionality

It assures that your site is up and fully functional every time

Whenever a malfunction is detected, KeepNI immediately alerts you

KeepNI has an extensive logging facility to watch and alert

Tool: Parosproxy

Parosproxy is written in Java and useful for testing web applications and insecure sessions

Tool: WebScarab

WebScarab is a Java framework for analyzing applications that communicate using the HTTP and HTTPS protocols

It operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and vice versa

WebScarab can intercept both HTTP and HTTPS communication

Tool: Watchfire AppScan

Watchfire® AppScan® automates web application security audits to ensure the security and compliance of websites

Benefits:

• Fully outsourced web application vulnerability management

• Direct access to Watchfire security experts and industry best practices

• Best path to actionable data for web application security management

• Dramatically reduces the learning curve and adoption time

Tool: WebWatchBot

WebWatchBot is monitoring and analysis software for web sites and IP devices including Ping, HTTP, HTTPS, SMTP, POP3, FTP, Port, and DNS checks

It provides in-depth monitoring and alerting functionality as well as tools to analyze and visualize historical data with real-time charting and graphs

Additional features include an option to run as a

Ratproxy

Ratproxy is a semi-automated and largely passive web application security audit tool

It is designed specifically for an accurate and sensitive detection, and automatic annotation, of potential problems

How Does it Avoid False Positives?

To report problems accurately and to reduce the number of false alarms, ratproxy has to consider the following points:

• What the declared and actually detected MIME type for the document is

• How pages respond to having cookie-based authentication removed

• Whether requests seem to contain non-trivial, sufficiently complex security tokens, or other mechanisms that may make the URL difficult to predict

• Whether any non-trivial parts of the query are echoed back in the response, and in what context

Tool: Mapper

Mapper helps you map the files, file parameters, and values of any site you wish to test

Simply browse the site as a normal user while recording your session with Achilles (Mapper supports other proxies as well), and run Mapper on the resulting log file

It will create an Excel CSV file that allows you to study the directory and file structure of the site, the parameter names of every dynamic page encountered (such as ASP/JSP/CGI), and their values for every time you request them

It helps you to quickly locate design errors and parameters that may be prone to SQL Injection or parameter tampering problems

What Happened Next

Kimberly could not solve the mystery behind the hack. Jason Springfield, an Ethical hacker, was called in to investigate the case.

Jason conducted a penetration test on the website of XBank4u. The test results exposed a vulnerability in the ShrinkWarp application which could lead to web page defacement.

Summary

Web applications are client/server software applications that interact with users or other systems using HTTP

Attackers may try to deface the website, steal credit card information, inject malicious code, exploit server side scripting, and so on

Command injection, XSS attacks, SQL Injection, Cookie Snooping, Cryptographic Interception, and Buffer Overflow are some of the threats against web applications
