andrew useckas csa presentation hacking custom webapps 4 3
TRANSCRIPT
www.cloudsecurityalliance.org
Custom web applications as a way into your internal network
Andrew Useckas
Copyright © 2016 Cloud Security Alliance
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance
Introduction
• Securing custom web applications is more challenging than most people realize:
- Security is often overlooked during design and development
- As long as the site is indexed by at least one search engine, it is exposed to hacks, attacks, and full-blown assaults from anywhere in the world
- There’s big money in hacking, and web applications are seen as an easy target with the potential to serve as a jumping-off point into the internal network or private customer cloud
- No “security patch” for custom WebApps (vs. infrastructure)
• It’s simply not as difficult to compromise a web application as most people think
- You don’t have to be a hacking wiz to exploit most badly written apps – there are plenty of tools out there to help you do it
About Me
• CTO at Threat X working on a new approach to Web Application security.
• Over 15 years of experience in penetration testing / ethical hacking.
• Author and architect of multiple security sensors.
• Consulted for multiple enterprises in technical and compliance aspects of security.
Agenda
• Basic overview of hacker’s mindset.
• Overview of most currently popular security measures.
• Web Application Attacks
- Authentication
- Session Management
- Access Controls
- Client Side checks
- Server Side checks
Who is the target?
• According to Verizon 2016 DBIR Report:
- 40% of confirmed breaches were Web App Attacks.
- 95% of confirmed WebApp breaches financially motivated.
- Top Industries attacked: Finance, Information, Retail.
- Higher percentage of confirmed data disclosure as security measures are lacking.
• Botnets. Is my company too small to be attacked?
• My perimeter is secure – we run quarterly scans.
The wild west of WebApps
• Security is often an afterthought. Time to market is more important than security.
• Developer education on safe coding techniques is lacking.
• Traditional Layer 3 firewall does nothing for WebApp Security.
• IDS / IPS systems do very little as the focus is more on the network applications.
• New ciphers use ephemeral keys making it harder to decrypt and examine the flows at the edge (no more decryption in passive sensors).
• Piping all the logs to a SIEM tool may overwhelm the administrators.
• Most of these tools are useless in a cloud deployment model.
Tools
• Browser – Firefox
• Intercepting Proxy – Burp Suite
• SQLMap
• Target apps – Bodgeit from Google
Authentication
• Login forms are often the first thing a hacker will try to break.
• Common issues:
- Weak or default passwords
- Default pages
- Guessable protected URIs
- Navigation tree leaks in JS
- Lack of proper server side sanitization
Session Management
• Sessions are used to track users
• First line of defense
• Common attacks:
- Session hijacking
- Missing idle session timeouts
- Session riding (CSRF)
- Cookie manipulation
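A server-side session store with idle and absolute timeouts plus a per-session CSRF token check, added here to illustrate the controls that counter the attacks listed above; it is not code from the presentation. The in-memory store, the timeout values and the function names are assumptions.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed: seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: hard cap on a session's life, active or not

# Constructed in-memory store: session id -> record. A real app keeps this in a DB or cache.
SESSIONS = {}

def create_session(user, now=None):
    """Issue an unguessable session id and a per-session CSRF token."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now,
                     "csrf": secrets.token_urlsafe(32)}
    return sid

def get_session(sid, now=None):
    """Return the live record for sid, or None. Expired sessions are purged on the server,
    so a hijacked cookie stops working when the timeout hits, whatever the client sends."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    idle = now - sess["last_seen"] > IDLE_TIMEOUT
    too_old = now - sess["created"] > ABSOLUTE_TIMEOUT
    if idle or too_old:
        del SESSIONS[sid]
        return None
    sess["last_seen"] = now
    return sess

def csrf_ok(sid, submitted_token, now=None):
    """Gate for state-changing requests: the token carried in the request body must match
    the one bound to the session. A cross-site form cannot read it, so session riding fails."""
    sess = get_session(sid, now)
    if sess is None or not submitted_token:
        return False
    return hmac.compare_digest(sess["csrf"].encode(), submitted_token.encode())
```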
Access Controls
• Defective access controls are often used after the initial penetration.
• Hidden information in HTML
• Information leaks through JS
• Horizontal privilege escalation
• Vertical privilege escalation
Client Side Checks
• Validation of input fields before they are passed to the server
• Usually based on JS
• Can be easily bypassed with transparent proxy
Server Side Checks
• Server side usually talking to a database engine such as MySQL.
• User input can be passed to the backend scripts without proper validation, resulting in backend attacks such as SQL injection (SQLi).
• SQLi can be used to:
- Bypass authentication controls
- Bypass access controls
- Execute full database dumps
- Write script files to the remote file system. Scripts can then be executed from the browser, giving an attacker shell access to the remote system
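The authentication-bypass case from the SQLi list above, as an added example that is not the presentation's code: a login query built by string concatenation beside a hardened version that binds parameters and re-validates the username on the server, the check that the bypassable client-side JS from the previous slide cannot provide. SQLite stands in for the MySQL backend; the schema, the allowlist regex and the function names are assumptions.

```python
import hashlib
import re
import sqlite3

# Server-side allowlist for the username field; the JS check on the form cannot be trusted.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def pw_digest(password):
    # SHA-256 keeps the example short; a production app stores a salted, slow hash instead.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Constructed in-memory user table standing in for the MySQL backend on the slides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", pw_digest("correct horse battery staple")))
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """The bug: the username is concatenated into SQL, so it can rewrite the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_digest(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    """Allowlist validation plus bound parameters: input stays data, never SQL syntax."""
    if not USERNAME_RE.fullmatch(username):
        return None
    row = db.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                     (username, pw_digest(password))).fetchone()
    return row[0] if row else None

def bypass_attempt(db):
    """Same login attempt against both versions: a username that comments out the password
    check. Returns (vulnerable result, hardened result), expected ('admin', None)."""
    payload = "admin' --"
    return (login_vulnerable(db, payload, "not the password"),
            login_hardened(db, payload, "not the password"))
```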
Further Exploits
• It is possible to upload server side scripts via backends such as MySQL.
• Scripts can then be executed from the browser giving shell access.
• Sample injection:
UNION SELECT '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',null INTO OUTFILE '/some/webdir/dir/cmd.jsp'
Parting Recommendations
• Secure development and QA
• Next-generation Web Application Firewall
• Pen testing
References
• Verizon DBIR report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/