Live hacking demo – five ways to defeat...
TRANSCRIPT
© Pentest Limited 2011. All rights reserved
Agenda
• Demonstration of our sample website
• Demonstration of a number of typical techniques to exploit our website
– Parameter tampering
– Backup file
– Worm attack
– Code upload
• Demo of client-side exploit
• Questions
Acme +Points
• Simple “Loyalty Site” (very simple!)
• Number of sample user accounts
– Alice, Bob, Carol
• Points awarded
• Profile information
• Recipe ideas
Acme Co. Architecture
Parameter tampering – Citigroup hack
• In June 2011 The New York Times reported that hackers had exploited a parameter tampering vulnerability in the Citigroup website [1]
[1] http://www.nytimes.com/2011/06/14/technology/14security.html
Parameter tampering – The issue
• The attack involves manipulating parameters exchanged between client and server, e.g. hidden form fields or URL parameters, all of which the client can change freely
• It succeeds when the server applies missing or flawed access control, authorisation, integrity or logic validation checks to those parameters
• Allows modification of application operation, e.g. a malicious user could access another user's data simply by changing an account identifier in the request
Parameter tampering – Exploitation
• Demo
– Alice logs in
– Finds a parameter tampering vulnerability
– Exploits it to view Bob's account details page
– Finds sensitive information
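The demo above in code, as an added example that is not part of the Pentest Limited slides or their sample site: an account page whose vulnerable handler selects the record by the `id` parameter the browser sent, next to a hardened handler that selects by the server-side session identity. The account table, the user ids and the handler names are constructed for this illustration.

```python
"""Parameter tampering: an account page keyed on a client-supplied id.

Added example, not code from the Pentest Limited demo site. The account
data, the session model and the handler names are constructed.
"""
from urllib.parse import parse_qs

# Constructed sample data standing in for the Acme +Points user table
# (ids, names and masked card numbers are made up for this example).
ACCOUNTS = {
    101: {"name": "alice", "points": 1200, "card": "4111 **** **** 1111"},
    102: {"name": "bob", "points": 450, "card": "5500 **** **** 0004"},
    103: {"name": "carol", "points": 90, "card": "3400 ****** 00009"},
}


class Forbidden(Exception):
    """Raised when a request fails the authorisation check."""


def vulnerable_account_page(session_user_id: int, query_string: str) -> dict:
    """Vulnerable handler: selects the record by the ?id= the browser sent.

    The caller is authenticated (session_user_id is set) but nothing ties
    the requested id to that session, so Alice can rewrite id=101 to
    id=102 in the URL and read Bob's account details.
    """
    params = parse_qs(query_string)
    account_id = int(params["id"][0])
    return ACCOUNTS[account_id]


def secure_account_page(session_user_id: int, query_string: str) -> dict:
    """Hardened handler: the record is selected by the server-side session.

    An id parameter is still accepted so existing links keep working, but it
    must match the session identity; a mismatch is refused (and is worth
    logging as a tampering attempt rather than treated as a not-found).
    """
    params = parse_qs(query_string)
    requested = params.get("id")
    if requested is not None and int(requested[0]) != session_user_id:
        raise Forbidden(f"user {session_user_id} requested account {requested[0]}")
    return ACCOUNTS[session_user_id]


def tamper_demo() -> tuple:
    """Replay Alice's attack (id=101 edited to id=102) against both handlers.

    Returns (name leaked by the vulnerable handler, outcome from the secure one).
    """
    alice = 101
    tampered = "id=102"
    leaked = vulnerable_account_page(alice, tampered)["name"]
    try:
        secure_account_page(alice, tampered)
        outcome = "allowed"
    except Forbidden:
        outcome = "forbidden"
    return leaked, outcome


if __name__ == "__main__":
    print(tamper_demo())  # ('bob', 'forbidden')
```

The design point is that the client-supplied identifier is never the key for the lookup; the session is. When a check like this fails, alert on it: a logged-in user asking for someone else's record is a tampering attempt, not a broken link.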
Parameter tampering – Citigroup hack impact
• On May 10th 2011, 360,083 accounts were compromised [1]
• $2.7 million was stolen from about 3,400 accounts [1]
[1] http://www.nytimes.com/2011/06/14/technology/14security.html
Backup files – Real-world example
Backup files – The issue
• Attackers find unreferenced and/or forgotten files, such as backup or temporary copies left beside the live scripts
• Typically an administration/maintenance issue rather than a coding flaw
• Allows unauthorised access to application source code or security-sensitive files, because a file with an unexpected extension is served as plain text instead of being executed
Backup files – Exploitation
• Demo
– Alice logs in
– Finds server backup files
– Snoops for sensitive/useful information
– This could potentially be used to aid further attacks (as we may see later)
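The "finds server backup files" step, as an added example that is not part of the Pentest Limited slides: derive the names that editors, administrators and deploy scripts typically leave behind from the paths already known on the site, then probe each one and keep the hits that come back as raw content rather than rendered HTML. The suffix list, the known paths and the simulated server responses are constructed; a real run swaps `simulated_fetch` for an HTTP client.

```python
"""Backup-file discovery: derive likely backup names from known URL paths.

Added example, not part of the Pentest Limited demo. The suffix list, the
known paths and the simulated server responses are all constructed.
"""
import posixpath

# Naming patterns that editors, admins and deploy scripts commonly leave
# behind next to live scripts. Extend from your own findings.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".copy", ".txt", "~", ".zip", ".tar.gz")


def backup_candidates(path: str) -> list:
    """Derive likely backup names for one known URL path.

    For /admin/login.php this yields e.g. /admin/login.php.bak (suffix added
    to the full name), /admin/login.bak (extension replaced), the vim swap
    file /admin/.login.php.swp and the Windows-style "Copy of login.php".
    """
    directory, name = posixpath.split(path)
    stem, ext = posixpath.splitext(name)
    candidates = []
    for suffix in BACKUP_SUFFIXES:
        candidates.append(posixpath.join(directory, name + suffix))
        if ext:
            candidates.append(posixpath.join(directory, stem + suffix))
    candidates.append(posixpath.join(directory, "." + name + ".swp"))
    candidates.append(posixpath.join(directory, "Copy of " + name))
    # Preserve order, drop duplicates.
    return list(dict.fromkeys(candidates))


# Constructed stand-in for the target server: path -> (status, content type).
# A real run replaces simulated_fetch with an HTTP client (e.g. requests.head).
SIMULATED_SERVER = {
    "/login.php": (200, "text/html"),
    "/login.php.bak": (200, "text/plain"),
    "/config.php": (200, "text/html"),
    "/config.php~": (200, "text/plain"),
    "/recipes/upload.php": (200, "text/html"),
    "/recipes/upload.php.old": (403, "text/html"),
}


def simulated_fetch(path: str) -> tuple:
    """Returns (status, content type) for a path; unknown paths are 404."""
    return SIMULATED_SERVER.get(path, (404, "text/html"))


def find_backups(known_paths, fetch=simulated_fetch) -> dict:
    """Probe the backup candidates for every known path.

    A 200 with a non-HTML content type is the interesting case: the server
    handed back the raw file (PHP source, an archive) instead of executing
    it. A 403 is recorded too, since it confirms the file exists.
    """
    found = {}
    for path in known_paths:
        for candidate in backup_candidates(path):
            status, ctype = fetch(candidate)
            if status == 200 and not ctype.startswith("text/html"):
                found[candidate] = "readable (%s)" % ctype
            elif status == 403:
                found[candidate] = "exists but forbidden"
    return found


if __name__ == "__main__":
    hits = find_backups(["/login.php", "/config.php", "/recipes/upload.php"])
    for hit, verdict in hits.items():
        print(hit, "->", verdict)
```

Seed `known_paths` from a crawl of the site, not from guesswork; the value of this technique is that every real script is a template for its own backup names. On the defensive side, the same list is a useful allow-list test: the web server should refuse to serve any of these patterns from the document root.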
Backup files – Example impact
Cross-site Scripting (XSS) – Worms
• The Samy worm, the largest known XSS worm, infected over 1 million MySpace profiles in less than 20 hours of its October 4, 2005 release.
• The worm infected the site with JavaScript viral code and made Samy, the hacker, everyone's pseudo "friend" and "hero."
• Others include Justin.tv, Orkut, Twitter, Reddit, Facebook (most recent this year!)
Cross-site Scripting (XSS) – The issue
• XSS is an injection problem: malicious scripts are injected into otherwise benign and trusted web sites
• The root cause is a failure to safely escape user input when it is written back into a page
• Allows a malicious user to take control of other users' sessions, install malware or modify the presentation of the affected site
• Can often be made self-propagating (a worm), because each victim's browser runs the script with that victim's privileges on the site
Cross-site Scripting (XSS) – Exploitation
• Demo
– Alice searches for XSS vulnerabilities
– Alice inserts a malicious script which propagates as a worm
– Bob views Alice's recipe and infects his own recipe with the malicious script
– Carol views Bob's infected recipe and the worm spreads further
– And so on, and so on ...
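The Alice, Bob, Carol chain above as a small model, added here and not taken from the Pentest Limited demo: a recipe store, a vulnerable renderer that writes recipe text straight into the page, an escaped renderer, and a toy "browser" that executes any live script it is served. The recipes, the users and the payload (whose `copySelfIntoMyRecipe()` call is a placeholder for the real worm logic) are constructed.

```python
"""Stored XSS worm on a recipe site: unescaped vs escaped rendering.

Added example, not the Pentest Limited demo code. The recipe store, the
users, the payload and the toy browser are constructed for illustration.
"""
import html
import re

# Alice's payload: a script that, when a victim's browser runs it, copies
# itself into the victim's own recipe (the same idea as the Samy worm).
# copySelfIntoMyRecipe() is a placeholder name, not a real function.
PAYLOAD = "<script>/*worm*/copySelfIntoMyRecipe()</script>"

# What the toy browser treats as an executable script element.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def render_vulnerable(text: str) -> str:
    """Writes user-supplied recipe text straight into the page."""
    return "<div class='recipe'>%s</div>" % text


def render_secure(text: str) -> str:
    """HTML-escapes the text, so the browser shows '<script>' as literal text."""
    return "<div class='recipe'>%s</div>" % html.escape(text, quote=True)


def browser_view(viewer: str, author: str, recipes: dict, render) -> bool:
    """Simulate `viewer` opening `author`'s recipe.

    If the rendered page contains a live <script> element the toy browser
    "executes" it: the worm appends itself to the viewer's own recipe,
    acting with the viewer's privileges on the site.
    Returns True when this page view infected the viewer.
    """
    page = render(recipes[author])
    if SCRIPT_TAG.search(page) and PAYLOAD not in recipes[viewer]:
        recipes[viewer] += PAYLOAD
        return True
    return False


def spread(render) -> list:
    """Replay the demo chain (Alice -> Bob -> Carol); return who is infected."""
    recipes = {
        # Alice seeded the worm into her own recipe.
        "alice": "Tomato soup: simmer tomatoes with basil." + PAYLOAD,
        "bob": "Pancakes: flour, eggs, milk.",
        "carol": "Fried rice: day-old rice, soy sauce.",
    }
    browser_view("bob", "alice", recipes, render)    # Bob views Alice's recipe
    browser_view("carol", "bob", recipes, render)    # Carol views Bob's recipe
    return sorted(user for user, text in recipes.items() if PAYLOAD in text)


if __name__ == "__main__":
    print("vulnerable renderer:", spread(render_vulnerable))  # ['alice', 'bob', 'carol']
    print("escaped renderer:   ", spread(render_secure))      # ['alice']
```

Note that with the escaped renderer Alice's stored recipe still contains the payload; the fix is output encoding at the point where untrusted text meets the page, not cleaning the database. `html.escape` covers element bodies and quoted attributes; text placed inside a script block, a URL or a CSS value needs the encoding for that context instead.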
Cross-site Scripting (XSS) – Castrol XSS
http://www.xssed.com/news/106/BP.com_defaced_with_XSS_to_show_Gulf_of_Mexico_oil_spill_protesters/
Code upload flaw – Sony PSN hack
• Sony admits that it has been hacked many times in 2011! [1]
• The PlayStation Network (PSN) hack in April probably had the biggest impact
[1] http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/
Code upload flaw – The issue
• Failure to properly validate the name and content of uploaded files
• Allows a malicious user to upload server-side code and so take control of the web server
Code upload flaw – Exploitation
• Demo
– Alice attempts to upload a rogue recipe picture, which is really a PHP file, and fails
– Alice uses a null byte to confuse the extension checker and uploads successfully: the checker sees a name ending in .jpg, but the file is written with the name truncated at the null byte, so it lands on disk as .php
– Alice requests the PHP file using her browser, causing it to execute on the server
– Alice uses Netcat and PHP-reverse-shell to gain a shell – a full server compromise
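The null-byte bypass and its fix, as an added example that is not the Pentest Limited demo code. The demo site is PHP; this Python model reproduces the behaviour that made the trick work in PHP before 5.3.4, namely that the application checks the whole filename string while the C-level file API underneath stops reading at the first NUL byte. The hardened version rejects NUL bytes, strips directory components, allow-lists the extension, checks the content's magic bytes against it and chooses the stored name itself. The filenames, the PHP stub and the image header are constructed; the Netcat reverse-shell step is not modelled.

```python
"""Upload extension check defeated by a null byte, and a hardened version.

Added example, not the Pentest Limited demo code. It models the PHP-era
behaviour where "shell.php\0.jpg" passes an endswith(".jpg") check and is
then written as "shell.php" (PHP rejects NUL in paths from 5.3.4 onward).
"""
import posixpath
import secrets

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of the formats we accept, used to check content, not just name.
MAGIC = (
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
)


def path_as_seen_by_c(name: str) -> str:
    """A C string ends at the first NUL; this models that truncation."""
    return name.split("\0", 1)[0]


def vulnerable_upload(filename: str, content: bytes):
    """Checks only the extension of the full application-level string.

    Returns the name the file would be saved under, or None if rejected.
    'recipe.php' is refused, but 'recipe.php\0.jpg' ends in .jpg, passes,
    and is then written by the C-level file API as 'recipe.php'.
    """
    if not filename.lower().endswith(tuple(ALLOWED_EXT)):
        return None
    return path_as_seen_by_c(filename)


def secure_upload(filename: str, content: bytes) -> str:
    """Rejects NUL bytes, validates name and content, and picks its own name."""
    if "\0" in filename:
        raise ValueError("NUL byte in filename")
    # Strip any directory component (../ tricks) before looking at the extension.
    base = posixpath.basename(filename.replace("\\", "/"))
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    detected = next((e for magic, e in MAGIC if content.startswith(magic)), None)
    if detected is None:
        raise ValueError("content is not an image we recognise")
    if detected != ext and not (detected == ".jpg" and ext == ".jpeg"):
        raise ValueError("extension %s does not match content %s" % (ext, detected))
    # The stored name is chosen by the server, never by the client.
    return secrets.token_hex(16) + detected


def demo() -> dict:
    """Constructed inputs: a genuine PNG header and a PHP web-shell stub."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    php = b"<?php system($_GET['cmd']); ?>"
    results = {
        "vuln plain php": vulnerable_upload("recipe.php", php),
        "vuln null byte": vulnerable_upload("recipe.php\0.jpg", php),
    }
    for label, name, data in (
        ("secure null byte", "recipe.php\0.jpg", php),
        ("secure php in png name", "recipe.png", php),
        ("secure real png", "recipe.png", png),
    ):
        try:
            results[label] = "stored as *" + secure_upload(name, data)[-4:]
        except ValueError as exc:
            results[label] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

Magic-byte checking stops a bare PHP file but not an image with PHP appended to it, so the other half of the fix is where the file goes: store uploads outside the document root (or in a directory where the server has script execution disabled) and serve them through a handler that only ever returns bytes.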
Code upload flaw – Sony impact
• The highlights
– 77 million registered accounts
– Gamers left without access for nearly a month
– Sony stock falls 8% in just over a week
– Sony stated that the costs of the PSN outage were $171 million [1]
– Multiple other incidents!
[1] http://www.ibtimes.com/articles/150363/20110523/sony-estimates-cost-of-earthquake-hacking.htm
Sony Press Release
Application security matters
• All these attacks work regardless of:
– Network firewalls
– SSL encryption
• They arrive as ordinary HTTP(S) requests on a port the firewall has to allow, and SSL only protects the request in transit; neither sees what the application then does with it
• "The intrusion through the firewalls was done by mimicking normal transactions, which could not be detected at the firewalls. We have not experienced this type of illegal access before," - Shinji Hasejima, senior vice president and chief information officer of Sony.
Preventative measures
• Code improvements - input validation, secure frameworks
• Developer training
• Web server configuration – hardening
• Code review
• Penetration testing
Hack number 5 – Client-side
Client-side exploits – RSA hack
• Details on the RSA blog revealed that the internal network was hacked in 2011 using a client-side zero-day exploit [1]
[1] http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Client-side exploits – The issue
• Exploits that take advantage of vulnerabilities in client software, such as IE, Adobe Acrobat or Apple QuickTime, delivered through content the user opens (a web page, a document, an email attachment)
• Attackers can leverage a compromised workstation to attack other, more critical systems behind the firewall
• Use of zero-day exploits is becoming more prevalent
Client-side exploits – Exploitation
• Demo
– Alice prepares a "poisoned" recipe
– Bob views Alice's "poisoned" recipe
– The client-side exploit runs and connects back to Alice's PC
– Alice has full access to Bob's PC
Client-side exploits – We all need Internet access!
Client-side exploits – Boom! Where's the fireworks?
Client-side exploits – Anatomy of the RSA attack
• The attacker sent two different phishing emails over a two-day period
• Sent to a small group of employees; not high-profile or high-value targets
• The attached spreadsheet exploited an unknown (zero-day) vulnerability in Adobe Flash, now CVE-2011-0609, and installed a backdoor
• The backdoor connected out to a command-and-control server, giving the attackers remote access to the infected computer at EMC/RSA
• From there, they were able to reach the systems and data they were ultimately after
• Advanced Persistent Threat?
Defence mechanisms
• Education - current threats such as social engineering, APTs, targeted attacks and spear phishing
• Patching – client side
• Assume that some attacks will get through - design a security architecture that limits and compartmentalises the impact of a given compromise
• Monitoring - detect anomalous behaviours from a variety of vantage points in your infrastructure
Recap
• Demo of site
– Parameter tampering
– Backup file
– Worm attack
– File upload
• Client-side
– Exploitation of vulnerable client software
• Other named techniques, e.g.
– SQL injection, XSRF, buffer overflows …