![Page 1: A Rojak of Singapore Web Exploits - security … on port 8080 (Apache Tomcat) Try default usernames and passwords ... Lets get access to the admin account with Cross Site Request Forgery](https://reader031.vdocuments.net/reader031/viewer/2022022505/5abcc91a7f8b9a567c8e3183/html5/thumbnails/1.jpg)
A Rojak of Singapore Web Exploits
Ryan Baxendale – OWASP Singapore
14th November 2012
Who Am I?
I am Ryan
I live in Singapore
Security Consultant at Security-Assessment.com
I find bugs in web applications and hack things
Agenda
Today's rojak includes bugs in
1. Microsoft SharePoint (Top10-A6-Security Misconfiguration)
2. Administrative Interfaces (Top10-A6-Security Misconfiguration)
3. JavaScript Encryption (Top10-A3-Broken Authentication)
4. “Too” Factor Authentication (Top10-A3-Broken Authentication)
5. Password Reset (XSRF + Horrible password reset)
6. 2 Requests Are Better Than 1 (WAF Bypass)
Microsoft SharePoint
Intranet content management and document management
SharePoint can be used to provide: intranet portals, document & file management, collaboration, social networks, extranets, websites, enterprise search, and business intelligence
'Publishing' feature can be used to manage larger public websites
You might not know that site xyz is running on SharePoint
Microsoft SharePoint
Find additional functionality through the SharePoint site
Try all the default or well-known SharePoint pages:
/AllItems.aspx
/Common.aspx
/MyPage.aspx
/recyclebin.aspx
…
Nice list from Stach&Liu – SharePoint Hacking Diggity Project
Also try to look for the admin web interface on a high port, although it is probably not available over the internet due to the firewall
Microsoft SharePoint
[Screenshot: isaca.org/_layouts/mobile/mbllists.aspx, with a username visible]
Microsoft SharePoint
Upload your own page, edit pages
[Screenshot callouts: the user that created and modified this item; links to internal team sites and other confidential things; create a new page, edit a page]
Microsoft SharePoint
Find list of user accounts, guess passwords, get access
[Screenshot callouts: all the site content, pages, things that should not be seen by the public, etc; "I want to hack this account"; this is the list of users from Active Directory]
Microsoft SharePoint
Don’t have internal or confidential information on external-facing SharePoint sites
Firewall the admin port
ACL to block external IP addresses from accessing SharePoint pages
Administrative Interfaces
Manage web applications and content on web servers
Admin interfaces let you run your own web shell
OWASP states the following objectives:
Administrator level functions are appropriately segregated from user activity
Users cannot access or utilize administrator functionality
(boring..) Provide necessary audit and traceability of administrative functionality
Administrative Interfaces
[Screenshot callouts: links to admin interfaces; documentation, if you need help haxx0ring; upload metasploit payload]
Usually on port 8080 (Apache Tomcat)
Try default usernames and passwords (tomcat:tomcat, admin:tomcat, both:tomcat, manager:tomcat, etc)
Administrative Interfaces
Create a metasploit payload WAR file and upload it
Administrative Interfaces
HTTP Methods (WebDAV)
PUT – Put a file on the server, a web shell perhaps?
DELETE – Delete a file
INDEX – List the files
PROPFIND – Find files, discover backup files
IIS 6.0: WebDAV by default only supports static Web pages, not dynamic pages (ASP)
Administrative Interfaces
Generate metasploit payload
Fix the payload
Upload with Cadaver
Run the payload
Administrative Interfaces
Guess usernames and passwords with hydra/medusa, then “PUT” a web shell
Password protected WebDAV methods
Nobody knew that the server had this functionality
So nobody changed the password
Administrative Interfaces
Find WebDAV enabled servers with metasploit
Administrative Interfaces
Don’t let users connect to admin interfaces
Firewall rules
https://www.owasp.org/index.php/Administrative_Interface
JavaScript Encryption
JavaScript runs on the client side (browser)
<script> ... JavaScript ... </script>
JavaScript debuggers
Firebug (Firefox)
Chrome developer tools
Internet Explorer
View source
JavaScript Encryption
Client: “We don’t use SSL/TLS because we have encrypted passwords”
Implemented in JavaScript
Takes the first character of the username/password, e.g. ‘a’, and changes it to ‘23’
Separates characters with ‘0’
‘admin’ gets sent as ‘2305060340560’: ‘a’ = 23, ‘d’ = 5, ‘m’ = 6...
“admin”… Seems like the password starts with “admin” too..
JavaScript Encryption
I broke your JavaScript encryption with a l33t BlackHat
HaXx0r tool called...
Microsoft Excel
JavaScript Encryption
JavaScript with public/private key encryption
Server: “Hey ;) Here’s my public key”
Client has User: AsianGirl2012, Password: ChickenRice1
Encrypt( Public Key , Credentials ) gives what goes over the wire: User: J#^ZML@)*FMA&, Password: acE($2mvT$^m!fG
Eavesdropper: ??? “Where is the chicken rice?”
Server: Decrypt( Private Key , Credentials ) recovers User: AsianGirl2012, Password: ChickenRice1
JavaScript Encryption
A substitution cipher is not encryption
JavaScript makes secret keys visible to the user
Use public/private key encryption in JavaScript
“Too” Factor Authentication
Two-factor authentication requires the use of two of the three authentication factors:
Something the user knows (password, PIN);
Something the user has (ATM card, smart card); and
Something the user is (biometric characteristic, such as a fingerprint)
Most of the time it ends up being knows (password) and has (token)
“Too” factor authentication is...
“Too” Factor Authentication
[Screenshots: first login/signup for “Too” factor authentication; login with “Too” factor authentication]
Verbose error message and step-by-step authentication
“Too” Factor Authentication
[Screenshot: Burp Intruder payload list of common names: Aban, Abbas, Abbud, Abbudin, Abdul, Abdel, Abdal, Abdul, Adl, Abdul-Ahad, Abdul-Alim, Abdul-Aliyy, Abdul-Azim, Abdul-Aziz]
Find a list of common names for the typical customers
Burp Intruder: send every name as the username, look at the response
Now we know all the usernames
Continue by doing the same thing on the next step of this broken authentication
“Too” Factor Authentication
But wait there’s more…
“Too” Factor Authentication
Some things are just not the same
2FA is a combination of two: know, have, is
Password Reset
Password reset
Typically an admin function to change a user’s password to a randomly generated password and securely transmit the new password to the user
A typical reset password page for a user
Asks for email/username, maybe a secret question
Sends a unique password reset link to the email address
A typical change password page
Asks for old password, new password, confirm your new password
Password Reset
Once upon a time a lazy developer needed to create a reset password page
“Let’s just take the change password page and make a few changes”
Great idea!......for pen testers
If a typical change password page takes username (from session), old password, new password and confirmed new password as input...
Creating a password reset page would only need the following input: username and new password
Password Reset
Password reset page accepted the following:
Hidden input, useraccount set to administrator – because we are the admin, right?
Hidden input, oldPassword set to administrator
Set Password and confirmpasswd to the new password
Set userID to the victim’s username
Let’s get access to the admin account with Cross Site Request Forgery (XSRF/CSRF)
Create an image tag with a request to change the password
<img src="https://website/LoginServlet?action=resetpassword&useraccount=administrator&oldPassword=administrator&Password=password4444&confirmpasswd=password4444&userID=administrator&CALLER=" />
Password Reset
To get it working:
Admin needs to view a page with the CSRF img tag
Must be logged into the application in the same web browser
Possible ways to share your img tag
Web forum
Profile signature
Create a note with HTML editor (tinymce)
Send a personal message
You get to login as Administrator with password4444
Password Reset
Don’t be a lazy developer
2 Requests Are Better Than 1
One day I was testing a web application
It gets tested often
And by lots of different people/companies
So at this point it’s one of the most boring (secure) applications a pen tester can come across
2 Requests Are Better Than 1
I found a directory traversal bug where I request /app/test../../../ and I get a directory listing
This wasn’t too interesting because I could only see the directory listing, but never access those files or folders
Something strange was going on...
2 Requests Are Better Than 1
Then using Burp Intruder with a list of common files and folders (such as the dirBuster wordlist)
Found /app/test../../../console
2 Requests Are Better Than 1
This bug was only in the UAT environment
I need to get this bug working in production
There’s a web application firewall (WAF) that looks at all the requests and decides if they should be forwarded on to the web server
So how do we trick the WAF into forwarding anything?
But the client has a WAF, so they’re safe right?...
2 Requests Are Better Than 1
There’s a strange bug in a few webservers
“… Reports indicate that Microsoft IIS 5.0 truncates requests that contain a body of greater than 48 KB in length. After 49152 bytes of a request body are handled, IIS terminates the request and starts to parse a new request.” (1)
“… There appears to be a bug … strangely, IIS/5.0 silently truncates the body after 48K (49,152 bytes) … we can smuggle a request in the last x bytes of the body.” (2)
“If the size of the request exceeds a particular threshold (by default, 48 KB), then the ISAPI or CGI code to which the request is directed needs to be aware of chunked-transfer encoding to process the request correctly.” (3)
(1) - www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21219
(2) - www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
(3) - hostingadministration.blogspot.sg/2008/01/urlscan-security-tool-faq.html
2 Requests Are Better Than 1
A basic HTTP POST request before smuggling:
POST /crosstraining/aboutyou2.php HTTP/1.1
Host: www.webscantest.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.webscantest.com/crosstraining/aboutyou2.php
Cookie: SESSIONID_VULN_SITE=4vdvho53o3vk9tjr94lks786q3
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

returnto=aboutyou2.php&fname=Ryan&nick=Security-Assessment&lname=OWASP&submit=submit
2 Requests Are Better Than 1
The idea is to send one big evil request, and a normal request directly after it
The big evil request has to be more than 48kb
We have to include what we need to send (parameters etc)
Then fill the rest of the space with garbage
POST /test../../../console/adminlogin.jsp HTTP/1.1
Host: ….
Content-length: 49152

username=admin&password=admin&ThisIs48kbOfGarbage
ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage
ThisIs48kbOfGarbage……

GET /happy.nice.users.normal.page.jsp HTTP/1.1
Host:…
2 Requests Are Better Than 1
48kb in bytes is 49152.
The first request must be larger than 48kb, and the content-length must be larger than 48kb
Uncheck “Update Content-Length”: we want to manually specify that it’s a bit more than 48kb
[Screenshot callouts: this is our malicious request; now we fill the request with 48kb of garbage (snip); this is our “normal” request that returns 404, but allows us to get our “evil” request to the web server]
2 Requests Are Better Than 1
Response from the server
As if we sent a normal request
Probably using IIS 5 or 6 with custom ISAPI filters or an appliance such as CheckPoint FW-1 with “Web Intelligence”
2 Requests Are Better Than 1
Now let’s login
[Screenshot callouts: username and password to login; login error: wrong user and password; Burp Intruder to the rescue! Brute force the password for admin]
2 Requests Are Better Than 1
Winning!
Let’s deploy our own web app and get shell :D
2 Requests Are Better Than 1
WAF
Don’t rely on a web app firewall (WAF) to fix web app vulnerabilities
Fix the code
Recap
Microsoft SharePoint
Keep internal and external sites separate
Administrative Interfaces
Don’t let users connect to them, change default passwords
JavaScript Encryption
Don’t use your own encryption, use public/private key crypto
“Too” Factor Authentication
Remove verbosity from error messages, find out what 2FA is
Password Reset
Don’t be a lazy developer
2 Requests Are Better Than 1
A web app firewall (WAF) doesn’t fix broken code, fix the code
Questions? Comments?
Contact:
Invite more people to OWASP meetings
Sign up and be active on the OWASP Singapore mailing list
https://lists.owasp.org/mailman/listinfo/owasp-singapore
黑客 (hacker)? Think you can hack? Got talent?
We are hiring!