
© Pentest Limited 2011. All rights reserved

Live Hacking Demo

Five ways to defeat your defences

Agenda

• Demonstration of our sample website
• Demonstration of a number of typical techniques to exploit our website
  – Parameter tampering
  – Backup file
  – Worm attack
  – Code upload
• Demo of client side exploit
• Questions

Acme +Points

• Simple “Loyalty Site” (very simple!)
• Number of sample user accounts
  – Alice, Bob, Carol
• Points awarded
• Profile information
• Recipe ideas

Acme Co. Architecture

Hack number 1

Citigroup hack

• In June 2011 The New York Times reported that hackers had exploited a parameter tampering vulnerability in the Citigroup website [1]

Parameter Tampering

[1] http://www.nytimes.com/2011/06/14/technology/14security.html

The issue

• The attack involves manipulating parameters exchanged between client and server, e.g. hidden form fields or URL parameters
• The attack succeeds where access control, authorisation, integrity or logic validation checks are missing or flawed
• Allows modification of application operation, e.g. a malicious user could access another user’s data

Parameter Tampering

Exploitation

• Demo
  – Alice logs in
  – Finds parameter tampering vulnerability
  – Exploits vulnerability to view Bob’s account details page
  – Finds sensitive information

Parameter Tampering
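Added example (Python; not code from the Pentest demo site): the account-details lookup written first the way the tampering-prone page behaves, then with the server-side ownership check that stops Alice reading Bob's record. The account table, session user and request parameters are constructed for this example.

```python
# Constructed loyalty-site data for this example: account id -> record.
ACCOUNTS = {
    101: {"owner": "alice", "points": 120, "email": "alice@example.invalid"},
    102: {"owner": "bob", "points": 80, "email": "bob@example.invalid"},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested account."""


def account_details_vulnerable(session_user, params):
    """Tampering-prone handler: trusts the 'account' request parameter.

    Whoever is logged in, changing account=101 to account=102 in the URL
    or a hidden field returns Bob's record, because nothing ties the
    requested id to the authenticated user.
    """
    return ACCOUNTS[int(params["account"])]


def account_details_fixed(session_user, params):
    """Same lookup with a server-side ownership check.

    The id still comes from the request, but it is treated as untrusted:
    parsed strictly, looked up, and compared with the session before any
    data leaves the server. Unknown ids and foreign ids get the same
    answer, so the response does not reveal which ids exist.
    """
    try:
        account_id = int(params.get("account", ""))
    except ValueError:
        raise Forbidden("account parameter must be an integer")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # Fail closed; this is also the event worth logging, since a
        # tampering probe produces exactly this mismatch.
        raise Forbidden(f"{session_user} may not read account {account_id}")
    return record


def tampering_blocked(session_user, params):
    """True if the fixed handler refuses the request."""
    try:
        account_details_fixed(session_user, params)
    except Forbidden:
        return True
    return False
```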

Citigroup hack impact

• May 10th 2011, 360,083 accounts were compromised [1]
• $2.7 million was stolen from about 3,400 accounts [1]

Parameter Tampering

[1] http://www.nytimes.com/2011/06/14/technology/14security.html

Hack number 2

Example real world

Backup files

The issue

• Attackers find unreferenced and/or forgotten files
• Typically an administration/maintenance issue
• Allows unauthorised access to application source code or security sensitive files

Backup files

Exploitation

• Demo
  – Alice logs in
  – Finds server backup files
  – Snoops for sensitive/useful information
  – This could potentially be used to aid further attacks (as we may see later)

Backup files
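Added example (Python; not from the slides): a small audit of the kind the "administration/maintenance" point calls for. It walks a web root and reports files that look like forgotten backups or editor leftovers, so they can be removed from the served tree before a visitor finds them. The suffix list and the sample web root are constructed here.

```python
import os
import tempfile

# Suffixes and name fragments that commonly mark backup or editor
# leftover copies left next to live code.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", "~",
                   ".zip", ".tar.gz", ".sql")
BACKUP_INFIXES = ("backup", "_old", ".copy")


def looks_like_backup(name):
    """Classify one file name; return the reason or None if it looks live."""
    lower = name.lower()
    for suffix in BACKUP_SUFFIXES:
        if lower.endswith(suffix):
            return f"suffix {suffix}"
    for infix in BACKUP_INFIXES:
        if infix in lower:
            return f"name contains {infix!r}"
    if lower.startswith((".#", "#")):
        return "editor autosave"
    return None


def find_backup_artifacts(webroot):
    """Walk webroot and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            reason = looks_like_backup(fname)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, fname), webroot)
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root with a few leftovers for the demo."""
    root = tempfile.mkdtemp(prefix="acme_webroot_")
    os.makedirs(os.path.join(root, "includes"))
    for rel in ("index.php", "recipes.php", "includes/db.php",
                "includes/db.php.bak", "config.php~", "site_backup.zip",
                ".index.php.swp"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>\n")
    return root
```

Run `find_backup_artifacts("/var/www/html")` (or whatever the real document root is) from a cron job or a deployment check; anything it reports belongs outside the served tree, and the same list is what a pen tester's content-discovery scan will turn up.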

Example impact

Backup files

Hack number 3

Cross-site Scripting Worms

• The Samy worm, the largest known XSS worm, infected over 1 million MySpace profiles in less than 20 hours of its October 4, 2005 release.
• The worm infected the site with JavaScript viral code and made Samy, the hacker, everyone’s pseudo “friend” and “hero.”
• Others include Justin.tv, Orkut, Twitter, Reddit, Facebook (most recent this year!)

Cross-site Scripting (XSS)

The issue

• XSS is an injection problem
• Malicious scripts are injected into otherwise benign and trusted web sites
• The root cause is a failure to safely escape user input
• Allows a malicious user to take control of other users’ sessions, install malware or modify the presentation of another site
• Can often be made self-propagating

Cross-site Scripting (XSS)

Exploitation

• Demo
  – Alice searches for XSS vulnerabilities
  – Alice inserts a malicious script which propagates as a worm
  – Bob views Alice’s recipe and infects his own recipe with the malicious script
  – Carol views Bob’s infected recipe and the worm spreads further
  – And so on, and so on ...

Cross-site Scripting (XSS)
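Added example (Python; not code from the demo site): the recipe page rendered two ways. The first interpolates stored recipe text straight into HTML, which is what lets a script stored in one recipe run in every viewer's browser; the second applies output encoding at each sink, so the same text is displayed literally. The recipe record, the page template and the check function are constructed here.

```python
import re
from html import escape

# Constructed recipe as a user stored it. The tags are harmless markers
# standing in for whatever a real worm would carry.
STORED_RECIPE = {
    "title": "Pancakes <script>/* injected marker */</script>",
    "body": "Mix & fry <b>until golden</b>",
}


def render_recipe_vulnerable(recipe):
    """Interpolates stored text straight into HTML: no output encoding.

    The browser parses the stored <script> as a script, so whatever the
    recipe's author put there runs in every viewer's session. That is the
    mechanism that lets one infected recipe infect the next.
    """
    return (f"<h1>{recipe['title']}</h1>\n"
            f"<div class=\"recipe\">{recipe['body']}</div>")


def render_recipe_fixed(recipe):
    """Same template with HTML-body output encoding applied at each sink.

    html.escape turns < > & " ' into entities, so user text can never
    leave the text node. Formatting such as <b> is lost too; if rich text
    is required, the answer is an allowlist sanitiser, not skipping the
    escape. A templating engine with auto-escaping on by default makes it
    harder to forget a sink than hand-written f-strings do.
    """
    return (f"<h1>{escape(recipe['title'])}</h1>\n"
            f"<div class=\"recipe\">{escape(recipe['body'])}</div>")


def has_live_markup(html_out, user_text):
    """Check whether any tag present in user_text survives as a real tag."""
    for tag in re.findall(r"<\s*([A-Za-z]+)", user_text):
        if re.search(rf"<\s*{tag}\b", html_out, re.IGNORECASE):
            return True
    return False
```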

Castrol XSS

http://www.xssed.com/news/106/BP.com_defaced_with_XSS_to_show_Gulf_of_Mexico_oil_spill_protesters/

Cross-site Scripting (XSS)

Questions

Hack number 4

Sony PSN hack

• Sony admits that it has been hacked many times in 2011! [1]
• The PlayStation Network (PSN) hack in April probably had the biggest impact

Code upload flaw

[1] http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/

The issue

• Failure to properly validate file name and content
• Allows a malicious user to take control of the web server

Code upload flaw

Exploitation

• Demo
  – Alice attempts to upload a rogue recipe picture, which is really a PHP file, and fails
  – Alice uses a null byte to confuse the extension checker and uploads successfully
  – Alice requests the PHP file using her browser, causing it to execute on the server
  – Alice uses Netcat and PHP-reverse-shell to gain a shell – a full server compromise

Code upload flaw
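Added example (Python; not code from the demo site): a recipe-picture upload validator of the kind the demo's form lacked. It refuses names containing a null byte or other control characters (so the name the check sees is the name the filesystem will use), allowlists the final extension, checks the file's leading bytes against the claimed type, and never reuses the client's name on disk. The allowlist, size limit and sample inputs are constructed here.

```python
import os
import secrets

# Extension allowlist with the magic bytes each type must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024


def validate_upload(client_name, data):
    """Return (True, stored_name) if acceptable, else (False, reason)."""
    # 1. The name the check sees must be the name the filesystem will use.
    #    A null byte (or any control character) lets those two differ,
    #    which is the trick the demo uses against a naive suffix check.
    if any(ord(c) < 32 for c in client_name):
        return False, "control character in file name"
    base = os.path.basename(client_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        return False, "empty file name"
    # 2. Allowlist by the final extension only. "picture.php.jpg" gets the
    #    .jpg rule here, and step 3 decides whether the bytes are an image.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    # 3. Content must match the claimed type, stay within the size limit,
    #    and carry no PHP open tag (an image/script polyglot stays harmless
    #    only as long as the server never interprets it as code).
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        return False, "script marker inside image data"
    # 4. Never reuse the client's name: store under a random, server-chosen
    #    name in a directory served as static files with script execution
    #    disabled (the web server hardening the slides recommend).
    return True, secrets.token_hex(16) + ext
```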

Sony impact

• The highlights
  – 77 million registered accounts
  – Gamers left without access for nearly a month
  – Sony stock falls 8% in just over a week
  – Sony stated that the costs of the PSN outage were $171 million [1]
  – Multiple other incidents!

Code upload flaw

[1] http://www.ibtimes.com/articles/150363/20110523/sony-estimates-cost-of-earthquake-hacking.htm

Sony Press Release

Application security matters

• All these attacks work regardless of:
  – Network firewalls
  – SSL encryption
• "The intrusion through the firewalls was done by mimicking normal transactions, which could not be detected at the firewalls. We have not experienced this type of illegal access before," - Shinji Hasejima, senior vice president and chief information officer of Sony.

Preventative measures

• Code improvements - input validation, secure frameworks
• Developer training
• Web server configuration – hardening
• Code review
• Penetration testing

Hack number 5 – Client-side

RSA hack

• Details on the RSA blog revealed that the internal network was hacked in 2011 using a client-side zero-day exploit [1]

Client-side exploits

[1] http://blogs.rsa.com/rivner/anatomy-of-an-attack/

The issue

• Exploits that take advantage of vulnerabilities in client software, such as IE, Adobe Acrobat, Apple QuickTime
• Attackers can leverage a compromised workstation to attack other, more critical systems behind the firewall
• Use of zero-day exploits is becoming more prevalent

Client-side exploits

Exploitation

• Demo
  – Alice prepares a “poisoned” recipe
  – Bob views Alice’s “poisoned” recipe
  – Client-side exploit runs and connects back to Alice’s PC
  – Alice has full access to Bob’s PC

Client-side exploits

We all need Internet access!

Client-side exploits

Boom! Where’s the fireworks?

Client-side exploits

Anatomy of the RSA attack

• The attacker sent two different phishing emails over a two-day period
• Sent to a small group of employees; not high profile or high value targets
• The spreadsheet exploited an unknown vulnerability (zero-day) in Adobe Flash that installs a backdoor (now CVE-2011-0609)
• Backdoor connects out to a command-and-control server, giving the attackers remote access to the infected computer at EMC/RSA
• From there, they were able to reach the systems and data they were ultimately after
• Advanced Persistent Threat?

Client-side exploits

Defence mechanisms

• Education - current threats such as social engineering, APTs, targeted attacks and spear phishing
• Patching – client side
• Assume that some attacks will get through - design a security architecture that limits and compartmentalises the impact of a given compromise
• Monitoring - detect anomalous behaviours from a variety of vantage points in your infrastructure

Recap

• Demo of site
  – Parameter tampering
  – Backup file
  – Worm attack
  – File upload
• Client-side
  – Exploitation of vulnerable client software
• Other named techniques e.g.
  – SQL injection, XSRF, Buffer overflows …

Questions