ethical hacking -webapplicationsecurity
TRANSCRIPT
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
1/77
Web & Desktop
Application SecurityRafel Ivgi
Security-Art
1 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
2/77
Who am I?
Over 12 years in development, technology and informationsecurity.
Published more than 100 articles in the field of informationsecurity including MS04-025, MS05-005 .
Was Head of information security research team MCRC at
Finjan in 2004.
Graduate of 8200 technological unit, two times winningpartner of the Israel Defense Award.
Web & Desktop Application Security2
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
3/77
Who am I?
3 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
4/77
Who am I?
4 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
5/77
Who am I?
5 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
6/77
Table Of Contents XSS Introduction (Reflected XSS)
XSS Introduction (Stored XSS) XSS-Shell
XSS Worms Introduction XSS Worms - the future of SPAM XSS Worms - D.o.S attacks XSS Worms - Automated exploiting bots
Request Validation
White-list vs. Black-list filtering
SQL Injection Introduction
SQL Injection The Practice SQL Injection Taking over the SQL injection as a lead to other vulnerabilities SQL injection Harvesting tools SQL injection Prevention
6 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
7/77
Table Of Contents CSRF - Introduction
CSRF The risks and common uses Tokens vs. Personal Information as a solution for CSRF
Un-validated Redirects and Forwards - Introduction Un-validated Redirects and Forwards Common uses and
Risks Validating Redirects and Forwards
Introduction to browser security History stealing using CSS IE 8 anti XSS, is it really safe? Exploiting the Browser Exploiting the Browser Logical exploits
Exploiting the Browser 3rd party extensions
Smart D.o.S
0-day, Hotmail Stored XSS
7 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
8/77
Penetration Test Methods
Black box In this type of penetration test, the attackerhave no information regarding the system under
observation.
Gray box in this type of penetration test, the attacker havesome initial information regarding the system, such as:
User and password combination to access inner parts of thesystem.
Network architecture scheme.
8 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
9/77
Penetration Test Methods
White box in this type of penetration test, the attacker hasall the information regarding the system, such as:
Source code.
DB access.
Network architecture scheme.
Admin user and password combination.
9 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
10/77
XSS Introduction
(Reflected XSS)
XSS is a vulnerability which exists on the server side, butposes a risk only for the servers clients
The attack occurs when a web server replies the user withthe exact raw data received from the user.
In order to exploit the vulnerability:
the attacker supplies the user with a link once clicked, the user sends data to the server the server replies it the browser executes it
10 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
11/77
XSS Introduction
(Reflected XSS)
The attacker may send malicious JS code that will execute inthe context of the given site.
This code is able to: Exploit the browser Steal cookies Perform GET and POST requests using the user`s credentials
Perform content spoofing attacks Deface the site
11 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
12/77
XSS Introduction
(Stored XSS)
Another vector of this attack is called Stored XSS, unlikethe previous vector, in this attack there is no need to
navigate the user to a specially crafted URL.
This attack requires the attacker to find a permanent placewithin the application that can store his code, for example: blog`s comments
user`s profile settings etc
12 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
13/77
XSS-Shell
XSS-Shell is an attack platform designed to be launchedfrom an XSS vector.
The usage of this platform is as following: The attacker sends the user a link referring to a vulnerable site Upon clicking this link the client`s browser runs the JS code of
the XSS-Shell platform
This code hijacks the browser and starts receiving commandsfrom the server The attacker can send new commands that will be evaluated in
the client`s browser as long as this attack is active The client can stop the attack in two ways:
Manually navigate to the different site using the navigation bar
Closing the browser completely
13 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
14/77
XSS Worms
In the age of social networks and mash web sites, a singleXSS attack in a major site can be turned into an army of
computers, just waiting for commands from the attacker.
Using the power of JS code there is even no need to try andexploit the browser, most uses of Bot-nets today are D.O.Sand SPAM attacks.
14 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
15/77
XSS Worms
The Future of SPAM
While SPAM attacks are still hard to launch using JS, thereare several ways attackers use to achieve this goal.
Mime injections is an uprising attack that allows an attackerto inject text into the mime headers of an outgoing mail andchange the values of those headers before being sent.
The vulnerability is mostly common in Contact Us forms
which lack input validation on fields such as: From To Subject Date and so on
15 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
16/77
XSS Worms
the future of SPAM
Correct usage of this vulnerability will allow the attacker tocraft their own email and send it to their victims using the
vulnerable third party site.
This method of SPAM will also bypass the Secure DomainTokens that validates the senders domain.
The attacker can use a XSS worm to take advantage of suchInject-able sites in order to produce a SPAM network with noTrojan Horses or any kind of backdoor tools.
16 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
17/77
XSS Worms
the future of SPAM
17 Web & Desktop Application Security
Original message
Manipulated message oldemail headers becomes hidden
text
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
18/77
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
19/77
XSS Worms
Information Gathering
Beyond malicious attacks on third party sites, the attackermay use their worm to gather sensitive information from their
victims
The attacker can harvest the following details using the XSSalone: Password (using a perfect phishing attack)
Name Age Email Friend list (that will also be attacked to become future victims)
19 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
20/77
XSS Worms
Automated exploiting bots
Another usage of an XSS worm is to automatically scan andexploit other vulnerabilities.
In order to achieve this goal the attacker needs to exploitone of the victim`s browser and execute a backdoor that willact as the server.
The server will then be used by all the other victims or,Fetchers.
20 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
21/77
XSS Worms
Automated exploiting bots
The Fetchers will send a request to the server asking for anew list to attack.
The server will then use Google or any other search engineto get a list of sites that suit the attack and return it to thefetcher.
The fetcher now asks the server for the content of a certainsite on the list.
Once the value returns, the fetcher parse out the inner linkfrom this page.
21 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
22/77
XSS Worms
Automated exploiting bots
The fetcher checks for patterns on those links for knownvulnerabilities such as SQL Injections.
For each pattern found, the fetcher tries to exploit themachine using preset values.
Successful exploitations will cause the attacked machine toreport itself to the attacker thus entering to the attack circle.
This may have a low ratio of success but when talking aboutan XSS Worm in the sufficient magnitude and consideringthe fact that this process is fully automatic the result is highlysatisfying for the attacker
22 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
23/77
Request Validation
One way of preventing these attacks is to use automatedtools like Request Validation from Microsoft.
This tool blocks HTML characters on every GET and POSTrequest to the server.
While such tools seemingly pose a good solution, the
attacker only has to break them once.
23 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
24/77
Request Validation
By Googling how to break .NET request validation onesolution using inline CSS to run JS pops up.
However, in most cases the attacker cannot get to the stagewhere they write inline CSS because the input is notreflected within a HTML tag.
24 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
25/77
White-list vs. Black-list filtering Automated tools cannot be trusted on their own, the
application must have a built in inner filtering mechanism.
There are two concepts when talking about filteringmechanisms: Black list White list
25 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
26/77
White-list vs. Black-list filtering
Black-list filtering goes over the input and checks to see ifany preset Bad Keywords appear.
If so, the application either removes them from the input orthrows an exception saying the input is invalid.
The problem with this mechanism is that it`s not 100% proof.
The application will never cover all types of encoding themethods of attacks.
26 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
27/77
White-list vs. Black-list filtering
White list filtering on the other hand sets a template for eachtype of field in the system.
Every input is then compared to the template using regularexpression.
The incompatible parts of the input are removed and the
application is left with a clean value that is known to be safe.
27 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
28/77
White-list vs. Black-list filtering
Vulnerable
Secure
28 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
29/77
SQL Injection Introduction
SQL Injection is a vulnerability which exists on the serverside and poses a risk to the Database server of the
application.
The attack occurs when a web server passes the exact rawdata received from the user to the Database server.
In order to exploit the vulnerability: The attacker must identify an input to the application that isinvolved in a database query
Once found, the attacker can manipulate this argument in orderto change the nature of the original query
29 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
30/77
SQL Injection Introduction The following VB code generates a SQL statement using a
parameter from the user
In case the value is in the correct template, the application willwork as planned
Select lname, fname FROM users WHERE id=1
Dim SSN as String
Dim SqlQuery as StringSSN = Request.QueryString(ID")SqlQuery = "SELECT lname, fname FROM users WHERE id = '" + ID + "'"
Select lname, fname FROM users WHERE id=1
30 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
31/77
SQL Injection Introduction On the other hand, the following input will completelychange the nature of this query:1 or 1=1
The statement will appear as following:
The outcome of the last statement will always result in the
value: true.
An attacker does the same manipulation in the login SQLstatement.
By making sure the statement will always result in true, theattacker is able to instantly log in to the system.
31 Web & Desktop Application Security
Select lname, fname FROM users WHERE id=1 or 1=1
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
32/77
SQL Injection The Practice In addition to login credentials the attacker can also go after
the information within the Database itself, for example Credit
Cards.
The attacker can use several vectors when trying to readdata from the SQL server.
32 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
33/77
SQL Injection The Practice
Error Based SQL Injection When comparing columns of different types, the SQL server
throws an exception.
In this exception it explains exactly why the statement failed,for example: the attacker can compare the value of the @@version
parameter, which is string, to an integer value
the server in response will say the value of @@version (and
the value itself!) cannot be treated as an integer.
33 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
34/77
SQL Injection The Practice
Error Based SQL Injection
34 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
35/77
SQL Injection The Practice
Union Based SQL Injection In case the server does not output errors or if the attacker
would like a faster way to get the data out of the server theSQL Union statement comes to hand
The following query will act as the test case:
select name from users where user_id=100
the attacker can control the value of user_id and may
manipulate the query as following:
select name from users where user_id=-1 union all selectpassword from users where user_name=admin
instead of the name of the current user logged in, the
application will output the password of the admin user.
35 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
36/77
SQL Injection Taking Over the
Machine
An attacker can do more than just read, insert and modifyrecords into the Database.
With the right permissions, an attacker is able to run binarycode on the actual server running the SQL engine.
For example, in MSSQL the procedure xp_cmdshell can be
used to run the code it gets as a parameter with thepermissions of the user running the SQL Server.
36 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
37/77
SQL Injection Taking over the machine
In SQL Server 2005 the function was disabled for securityissues, but of course Microsoft left a Reconfigure function
that can turn it back on.
The SQL query will look as following:
; EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
37 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
38/77
SQL Injection Taking over the machine
Another form of action is to use the msiexec function thatdownloads a MSI package and installs it using system
privileges.
Once the attacker has control over the machine they canthen use it as a Bot in order to automatically exploit othervulnerable sites.
38 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
39/77
SQL injection as a lead to other
vulnerabilities
Once the attacker has control over the Database server theycan with great ease manipulate the system and create
additional security holes.
For example, the attacker can change data in the SQLServer to bypass all of the input validations against XSSattacks.
This is why the application must always filter the input it gets,and should not consider certain sources as safe.
39 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
40/77
SQL injection Harvesting tools
There are a few key applications that make the usage ofSQL injections practically automated.
The number one application will be Pangolin.
Pangolin is designed to extract data from almost every typeof SQL server: MSSQL
MySQL Oracle DB2 and more
40 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
41/77
SQL injection Harvesting tools
In addition to data extraction Pangolin has the ability to: Execute code on the remote machine
Write files to the remote host Directory and file manager Registry editor Custom SQL statements and more
41 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
42/77
SQL injection Harvesting tools
42 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
43/77
SQL injection Prevention
Just like with XSS, there are plug-ins that attempt to preventthese attacks, along with many WAF products in the market.
The problem with these products remains the same, itcannot be a single line of defense. These products getbroken.
The application must have a filtering module that preventsthese attacks on its own.
In the case of SQL Injection the most important part is toencode the parameter before sending it to the SQL Serverso that characters like will have no affect.
43 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
44/77
SQL injection Prevention
A common problem is the parameters that are not bound byquotes, like integers, these parameters must be validated asan integer before sent further on in the application.
Another vector of prevention is the use of parameterizedqueries inside stored procedures.
This way the variables cannot be treated as SQL CODE butonly as values of those variables.
Once this is done, no matter what the attacker sends as aninput, it could never be parsed as a part of the SQLstatement.
44 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
45/77
SQL injection Prevention
To add another layer of security, it is recommended to breakdown the stored procedures into smaller units of code.
Each with its own permissions, to avoid a scenario of onestored procedure having both read and write permissions.
In addition, the parameters should be sanitized inside thestored procedures as a last line of defense.
45 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
46/77
CSRF - Introduction
Cross Site Request Forgery (CSRF) is a client side attackthat takes advantage of insecure web applications.
To understand this vulnerability let us take a website thathas a user management section: The credentials for the site are saved in the cookie. The site has a Change Password form.
46 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
47/77
CSRF - Introduction
47 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
48/77
CSRF The risks and common uses
The form has one input, the new desired password.
The attacker also discovered an XSS vulnerability in a hightraffic third party site.
The attacker can use this XSS and cause the victim togenerate a post to the original form on the first site.
The browser will then send an HTTP POST request to thefirst server, it will automatically include the cookie that it hadsaved and the password will change as the attacker desired.
48 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
49/77
CSRF The risks and common uses
The attacker can make the user post any form (rather GETor POST method) without the user having any way of
controlling the event.
The user has no way of knowing about the event occurring(without the use of sniffing or analysis tools).
49 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
50/77
CSRF The risks and common uses
Most attackers choose the obvious forms to exploit: Password change Password reminder question change
Email change Money transfer
50 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
51/77
Tokens vs. Personal Information as a
solution for CSRF
Tokens work in the following way: The user requests a page. The server generates a random token and appends it as a
hidden field to the form. The user fills out the form and submits it back to the server. The server can now compare the token it has saved and the
one received by the user in order to verify the submit processwas legitimate.
51 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
52/77
Tokens vs. Personal Information as a
solution for CSRF
Personal Information is used to validate the request islegitimate and human generated.
Two ways are generally used in this method: Old password Security question
The problem with this method of action is that it is not 100%secure, personal information can be found out by theattacker and then the security mechanism has no meaning.
Combining both methods and adding a Captcha mechanismis the best way to defend against this type of attacks.
52 Web & Desktop Application Security
Unvalidated Redirects and
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
53/77
Unvalidated Redirects and
Forwards - Introduction Many sites today use redirections and forwards to third party
sites.
Each unvalidated redirection or forward to third party sitesare potentially an attack vector waiting to be exploited.
There are a few risks when talking about
unvalidated referrals.
53 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
54/77
Unvalidated Redirects and Forwards
Common uses and Risks The number one use of this unvalidated feature will be to
implement an XSS attack on a third party site.
This XSS cannot affect the referring site, it still uses thatsite`s credibility to unleash the attack.
54 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
55/77
Unvalidated Redirects and Forwards
Common uses and Risks For example, the following link bypasses the Facebook
redirect checks:
Or coded to the more practical way:
In a more unobvious way:
http://www.facebook.com/l.php?u=http://attacker_site.com&h=781d3
http://www.facebook.com/l.php?u=%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%5f%73%69%74
%65%2e%63%6f%6d&h=781d3
55 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
56/77
Unvalidated Redirects and Forwards
Common uses and Risks Another vector of attack is Content Spoofing.
If the attacker can control the content of a frame inside a
major news web server, they could then create false posts ofinformation that will endanger the credibility of the site inaddition to the profit generated to the attacker.
56 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
57/77
Validating Redirects and Forwards The application must validate the URL before forwarding the
user thus assuring the link is safe.
In case the application cannot validate the URL it shouldprompt the user of the redirection before forwarding it.
57 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
58/77
Introduction to browser security These days many attackers have realized that owning a
BotNet that can be used to send Spam or to Perform CreditCard frauds and Identity theft is highly profitable.
In order to create these BotNets the attacker uses a numberof methods to get the most off of the users they catch in theirwebs.
58 Web & Desktop Application Security
Hi t t li i CSS
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
59/77
History stealing using CSS
One of the most sophisticated logical ways to focus yourattack and gather information on a victim is to steal thebrowser`s history.
This can be done quite easily by any Trojan Horse orSpyware software but what if the attacker does not want toinfect every user with his backdoor?
A good private 0-day vulnerability should not be wasted on
random victims. What if the attacker could know in advance if the potential
victim has a specific online bank account and only then usethe exploit and infect the machine
59 Web & Desktop Application Security
Hi t t li i CSS
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
60/77
History stealing using CSS
Stealing the entire history without running code on the
machine is currently not possible.
However it is possible to determine whether a user did or did
not visit a specific URL.
All the attacker needs to do is to generate a list of specific
interesting URLs such as: Bank login pages Social network login pages Common search engines and search values
60 Web & Desktop Application Security
Histor stealing sing CSS
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
61/77
History stealing using CSS
Once the list is prepared the attacker can dynamically add anew HREF html tag referring to a link on the list.
It is known that once you click a link it changes color.
What is unknown is the fact that the color of the link can bechecked using CSS.
Then the attacker can simply define a JS loop that checksfor each link if the color is set to the default color or not, inother words - has it been visited or not.
61 Web & Desktop Application Security
History stealing using CSS
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
62/77
History stealing using CSS
62 Web & Desktop Application Security
IE 8 anti XSS is it really safe?
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
63/77
IE 8 anti XSS, is it really safe?
Microsoft created a mechanism that should protect the usersfrom class-1 XSS vulnerabilities.
The feature was broken in IE8 beta 2, by Mr. Rafel Ivgi, inseveral different ways.
The most critical method was fixed in the final release of theproduct but there are still ways to bypass this defense.
63 Web & Desktop Application Security
IE 8 anti XSS is it really safe?
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
64/77
IE 8 anti XSS, is it really safe?
One of these ways is CRLF.
CRLF (Carriage Return and Line Feed) is a very significant
sequence of characters for programmers.
These two special characters represent the End Of Headermarker (EOH) for many Internet protocols.
In the HTTP protocol, two sequences of these characters are
used as a separation between the headers and messagecontent.
64 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
65/77
IE 8 anti XSS, is it really safe? CRLF is considered class-1 XSS.
The difference is that in CRLF you can manipulate the HTTP
headers in additions to the HTML page.
This means that the attacker can override the encodingheader of the original page and set it to UTF-7
Once this is done, the XSS can be encoded using UTF-7
and the XSS-filter does not block the request.
The browser of course renders the page and runs the XSSas it should.
Web & Desktop Application Security65
IE 8 anti XSS is it really safe?
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
66/77
IE 8 anti XSS, is it really safe?
66 Web & Desktop Application Security
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
67/77
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
68/77
Exploiting the Browser Logical exploits
Logical exploits take advantage of insecure design rather
then exploiting a classic overflow vulnerabilities.
An example to a logical weakness would be the use of
NetBIOS through Internet Explorer
Allows reading files on the local machine, bypassing all the
domain restrictions and browser protections.
This was vulnerable up until 6 months ago on all windows
operating systems from 9x to windows 7 using any version of
Internet Explorer.
68 Web & Desktop Application Security
Exploiting the Browser 3rd party
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
69/77
Exploiting the Browser 3 party
extensions Browser vendors are in an ongoing battle with security
researchers to keep the browser secure and unexploitable: Flash
Adobe acrobat reader Automated download acceleration software Network sniffing and analysis tools
69 Web & Desktop Application Security
Smart D o S
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
70/77
Smart D.o.S
A new kind of D.o.S has started to spread.
This method uses a feature in the current web browsers that
is made to prevent users from surfing to malicious websites.
Firefox for example checks using Google's Safe Browsing
whether the site currently requested is safe or not.
In case the result determines that the site is malicious the
browser automatically blocks the connection to the site.
70 Web & Desktop Application Security
Smart D.o.S
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
71/77
Smart D.o.S
An attacker can find a vulnerability in a competitive website
for example and plant a public malicious code within the
sites pages.
Within a short time, Google will index the site in question and
discover the exploiting code.
It will then automatically update the Google Safe Browsingdatabase
From now on every attempt to view the site will result with
the following sight:
71 Web & Desktop Application Security
Smart D.o.S
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
72/77
Smart D.o.S
72 Web & Desktop Application Security
Smart D.o.S
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
73/77
After the site has been indexed as malicious it is highlydifficult to undo the process: The webmaster must find all the instances of the appended
code and remove it. The vulnerability that was used must be blocked or fixing the
problem will only be affective for a short period of time. Contact Google and demand another indexation of the site.
Most webmasters dont have the skills to do the above whichthen requires the hiring of a specialist.
All in all the company under attack has lost a few days ofinternet activity and spent a lot of money dealing with the
outcome of the attack.
73 Web & Desktop Application Security
0-Day Exploit, Hotmail Stored XSS
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
74/77
0 Day Exploit, Hotmail Stored XSS
74 Web & Desktop Application Security
0-Day Technique Bypassing Microsoft
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
75/77
0 Day Technique, Bypassing MicrosoftRequest Validation
Extensive research leads us to another solution, apparentlyin the Unicode table the Characters appear twice: u001C and uFF1C for
The ones starting with FF are not filtered by Microsoft`s tool.
Meaning this line of defense is broken and every site using itis now vulnerable to the same attack.
75 Web & Desktop Application Security
Questions?
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
76/77
76 Web & Desktop Application Security
Contact Information:
-
8/7/2019 Ethical Hacking -Webapplicationsecurity
77/77
Jody Keyser
www.aliadocorp.com
1-888-373-0680
Thank You
Web & Desktop Application Security77