Web application security: High tech threats
Ivan Marković, IT Security Consultant
Reference
Web applications
• What are web applications and web technologies?
• Client
• Server
Web applications
• Why are web applications in most cases the first target of malicious users?
• Availability, maintenance, ...
Web applications
• How do web applications, and the flaws in them, endanger online and offline systems?
• How do they bypass the usual protection methods?
Web applications / Top Threats (OWASP Top 10, 2010)
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
High Tech Vulnerabilities
• How does a combination of common low-risk flaws become an entry point for attackers?
EverCookie: virtually irrevocable persistent cookies
- Samy Kamkar, http://samy.pl/evercookie/
Storage mechanisms:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage, Local Storage, Global Storage, Database Storage via SQLite
- Storing cookies in RGB values of auto-generated, force-cached PNGs, using the HTML5 Canvas tag to read the pixels (cookies) back out
Fun with Cookies
• Visitor Tracking Without Cookies (or How To Abuse HTTP 301s), http://www.scatmania.org/2012/04/24/visitor-tracking-without-cookies/
• XSS: Gaining access to HttpOnly Cookie in 2012, http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html
New DDoS tricks
Slowloris
- Robert Hansen, http://ha.ckers.org/slowloris/
- Keeps connections open by sending partial HTTP requests, and sends a header at regular intervals to prevent the sockets from closing
Slow HTTP POST Attack
- Onn Chee Wong, http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
- OSI Layer 7
- Content-Length: 1000 (bytes), but the body is sent 1 byte every 110 seconds
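Both attacks above are cheap for the attacker because the server's per-connection timer only starts once a full request (Slowloris) or a full body (slow POST) has arrived. The following is an added example, not code from the talk or from either tool: it shows the exact byte shapes the two attacks send, and the server-side classification that catches both, run over constructed connection snapshots. The thresholds, snapshot fields and IP addresses are illustrative assumptions.

```javascript
// Added example (not from the talk): the shape of the two slow attacks, and a
// server-side check that flags both. Connection snapshots are constructed sample
// data, not real server state; the thresholds are illustrative assumptions.

// Slowloris: a request line and a few headers, then one bogus header at a time,
// never the blank line (\r\n\r\n) that would end the header block.
function slowlorisChunks(host, nHeaders) {
  const chunks = [`GET / HTTP/1.1\r\nHost: ${host}\r\nUser-Agent: Mozilla/4.0\r\n`];
  for (let i = 0; i < nHeaders; i++) chunks.push(`X-a: ${i}\r\n`);   // sent every few seconds
  return chunks;
}

// Slow POST: complete headers with a large Content-Length, then the body one byte
// per chunk, each chunk spaced just inside the server's idle timeout.
function slowPostChunks(host, contentLength) {
  const head = `POST /form HTTP/1.1\r\nHost: ${host}\r\n` +
    `Content-Type: application/x-www-form-urlencoded\r\nContent-Length: ${contentLength}\r\n\r\n`;
  return [head, ...Array.from({ length: contentLength }, () => 'a')];
}

// Server side. A snapshot per open socket:
// {ip, openedMs, nowMs, headersDone, bytesBody, contentLength}
const LIMITS = { headerMs: 20000, minBodyBytesPerSec: 10, maxSlowPerIp: 5 };

function classify(c, limits = LIMITS) {
  const ageSec = (c.nowMs - c.openedMs) / 1000;
  if (!c.headersDone) {                       // still waiting for \r\n\r\n
    return c.nowMs - c.openedMs > limits.headerMs ? 'slow-headers' : 'ok';
  }
  if (c.contentLength > 0 && c.bytesBody < c.contentLength) {
    const rate = c.bytesBody / Math.max(ageSec, 1);   // bytes per second of body so far
    return rate < limits.minBodyBytesPerSec && ageSec > 5 ? 'slow-body' : 'ok';
  }
  return 'ok';
}

// Aggregate per source IP: one slow socket is a bad link, many is an attack.
function findOffenders(snapshots, limits = LIMITS) {
  const perIp = new Map();
  for (const c of snapshots) {
    const verdict = classify(c, limits);
    if (verdict === 'ok') continue;
    const e = perIp.get(c.ip) || { slow: 0, kinds: new Set() };
    e.slow++; e.kinds.add(verdict); perIp.set(c.ip, e);
  }
  return [...perIp]
    .filter(([, e]) => e.slow >= limits.maxSlowPerIp)
    .map(([ip, e]) => ({ ip, slow: e.slow, kinds: [...e.kinds].sort() }));
}

// Constructed sample: six sockets from 203.0.113.7 stuck in the header phase for
// 90 s, one slow POST from 198.51.100.2 (6 bytes in 10 minutes of a 1000-byte body),
// and a healthy upload from 192.0.2.9.
const now = 1_700_000_000_000;
const SAMPLE = [
  ...Array.from({ length: 6 }, () => ({
    ip: '203.0.113.7', openedMs: now - 90000, nowMs: now, headersDone: false, bytesBody: 0, contentLength: 0,
  })),
  { ip: '198.51.100.2', openedMs: now - 600000, nowMs: now, headersDone: true, bytesBody: 6, contentLength: 1000 },
  { ip: '192.0.2.9', openedMs: now - 2000, nowMs: now, headersDone: true, bytesBody: 500000, contentLength: 1000000 },
];
```

The same two limits exist as configuration in real servers: Apache's mod_reqtimeout bounds the header and body phases separately, and Node's http.Server exposes them as headersTimeout and requestTimeout. A reverse proxy that buffers the whole request before forwarding it also keeps the slow socket off the application server.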
New DDoS tricks
JavaScript LOIC
- A browser (JavaScript) port of Low Orbit Ion Cannon, an open source network attack application originally written in C#
HTML5 WebWorkers and Cross Origin Requests
- Lavakumar Kuppan, http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-html5.html
Clickjacking
Also known as a "UI redress attack": the attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the top-level page.
http://www.owasp.org/index.php/Clickjacking
Clickjacking, http://www.sectheory.com/clickjacking.htm
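Clickjacking works only if the target page lets itself be framed, so the defence is a framing policy the browser enforces: X-Frame-Options, and the CSP frame-ancestors directive that supersedes it. The following is an added example, not code from the talk, OWASP or SecTheory: a checker that decides, from a response's headers, whether a given parent origin may frame the page. The sample header sets and origins are constructed; the CSP source matching covers the common forms ('none', 'self', '*', scheme, host with optional port, wildcard subdomain) and not every corner of the spec.

```javascript
// Added example (not from the talk): can parentOrigin frame a response with these
// headers? Implements X-Frame-Options and CSP frame-ancestors, including the rule
// that frame-ancestors, when present, makes the browser ignore X-Frame-Options.
// Origins are assumed to be lower-case "scheme://host[:port]" strings.

function parseHeaders(raw) {               // "Name: value" lines, names case-insensitive
  const out = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) out[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return out;
}

function frameAncestors(csp) {             // source list of frame-ancestors, or null if absent
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// One CSP source expression against one parent origin.
function sourceMatches(src, parent, self) {
  const s = src.replace(/^'|'$/g, '');
  if (s === 'none') return false;
  if (s === 'self') return parent === self;
  if (s === '*') return true;
  const u = new URL(parent);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return u.protocol === s;          // scheme-source, e.g. https:
  const [scheme, hostPort] = s.includes('://') ? s.split('://') : [null, s];
  if (scheme && scheme + ':' !== u.protocol) return false;
  if (hostPort.startsWith('*.')) return u.hostname.endsWith(hostPort.slice(1)); // *.example.com
  const [host, port] = hostPort.split(':');
  const parentPort = u.port || (u.protocol === 'https:' ? '443' : '80');
  return u.hostname === host && (port === undefined || port === '*' || port === parentPort);
}

function isFramableBy(rawHeaders, parentOrigin, selfOrigin) {
  const h = parseHeaders(rawHeaders);
  const fa = frameAncestors(h['content-security-policy']);
  if (fa) return fa.some(src => sourceMatches(src, parentOrigin, selfOrigin)); // CSP wins over XFO
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === selfOrigin;
  // ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing;
  // any other value, or no header at all, means the page may be framed anywhere.
  return true;
}

// Constructed header sets for a page served from https://bank.example
const SELF = 'https://bank.example';
const SAMPLES = {
  unprotected: 'Content-Type: text/html',
  xfoDeny: 'X-Frame-Options: DENY',
  xfoSameOrigin: 'X-Frame-Options: SAMEORIGIN',
  cspPartners: "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  cspOverridesXfo: "X-Frame-Options: DENY\nContent-Security-Policy: frame-ancestors 'self'",
};
```

JavaScript frame-busting (checking top !== self and navigating top) is not a substitute: a hostile parent can load the victim in an iframe with the sandbox attribute and the script never gets to run. The headers are enforced by the browser before any script in the framed page executes.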
Browser Auto Complete
I want to know your name, who you work for, where you live, your email address ...
- Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html
- Safari Address Book Autofill
- Internet Explorer: stealing previously entered data
- Writing to auto complete
- Read remembered passwords
Browser Auto Complete
Safari Address Book Autofill
<form>
  Name: <input type="text" name="name">
  Company: <input type="text" name="company">
  City: <input type="text" name="city">
  State: <input type="text" name="state">
  Country: <input type="text" name="country">
  Email: <input type="text" name="email">
</form>
Browser Auto Complete
- Safari Address Book Autofill
- Internet Explorer: stealing previously entered data
- Writing to auto complete
- Read remembered passwords with XSS
Browser and Web app plugins
Browser plugins, http://research.zscaler.com/2011/02/browser-plugins-and-security.html
Security considerations: a plugin can
- see login/password credentials in clear text
- send the credentials back to any website
- modify the web pages seen by the user
- add/delete/modify files on the computer
- run executables
Browser plugins
Malicious browser plugins examples:
2007: Firebug goes evil: http://www.gnucitizen.org/blog/firebug-goes-evil/
console.log({'<script>alert("bing!")</script>':'exploit'})
2009: NoScript vs Adblock: http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=217700105
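The "Firebug goes evil" payload above is ordinary XSS with an unusual sink: the developer tool rendered logged object keys into its own, privileged document without escaping them, so any page that called console.log could run script with the extension's rights (the file and process access listed on the previous slide). The following is an added example, not Firebug's code: a renderer with that defect next to the fixed version, fed the payload from the slide. The function names and the table markup are constructed for illustration.

```javascript
// Added example (not Firebug's code): the defect class behind "Firebug goes evil".
// A tool that concatenates logged keys and values into HTML lets the logged
// content inject markup into the tool's own page. renderVulnerable has that shape;
// renderSafe escapes every untrusted string first.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: keys and values go straight into the markup.
function renderVulnerable(obj) {
  return '<table>' + Object.entries(obj)
    .map(([k, v]) => `<tr><td>${k}</td><td>${v}</td></tr>`).join('') + '</table>';
}

// Fixed: the same layout, with every key and value escaped before insertion.
function renderSafe(obj) {
  return '<table>' + Object.entries(obj)
    .map(([k, v]) => `<tr><td>${escapeHtml(k)}</td><td>${escapeHtml(v)}</td></tr>`).join('') + '</table>';
}

// Crude check used only to show the difference: does a live <script> tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The payload from the slide: the dangerous part is the key, not the value,
// which is why escaping only values would not have been enough.
const PAYLOAD = { '<script>alert("bing!")</script>': 'exploit' };
```

In a real extension the fix is also to build the table with DOM APIs (createElement, textContent) rather than string concatenation, so there is no HTML string to get wrong in the first place.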
Browser plugins
Malicious browser plugins examples:
2010: TROJAN: http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/
- Sothink Web Video Downloader / Win32.LdPinch.gen
- Master Filer / Win32.Bifrose.32.Bifrose
By the way, what is the situation in the wild?
Web app plugins
Web application plugins: WordPress, Joomla, …
http://secunia.com/advisories/search/?search=wordpress
http://secunia.com/advisories/search/?search=joomla
XSS in the IE XSS Filter
Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/
Internet Explorer 8 implements an anti Cross-site Scripting (XSS) mechanism to detect certain types of XSS attacks. This feature can be abused by attackers in order to enable XSS on web sites and web pages that would otherwise be immune to XSS.
For the most part, this neutering mechanism is effective at blocking certain types of XSS attacks from occurring. However, altering a server's response before it gets rendered by the browser may have unintended consequences.
Example:
<img alt="[injection here]" src="x.png">
Injection string: x onload=alert(0) x
<img alt="x onload=alert(0) x" src="x.png"> - the injected text stays inside the quoted alt value, so the alert does not execute
<img alt#"x onload=alert(0) x" src="x.png"> - the filter "neutered" the match by replacing the = after alt with #; the quoted string is no longer an attribute value, the parser sees onload=alert(0) as an attribute of its own, and the alert executes
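The point of the example is that the filter's rewrite changes how the tag tokenises, not just what it contains. The following is an added example, not code from the p42.us paper or from Internet Explorer: a small HTML attribute tokenizer that follows the attribute-name and attribute-value rules closely enough to show the two parses, plus a deliberately simplified model of the filter that neuters the first = in a matching tag. The real filter has many signatures and picks the neutered character per signature; the regex here is a constructed stand-in for the single case on the slide.

```javascript
// Added example (not from the paper or IE): why neutering turns safe markup into
// script. attributesOf is a minimal tokenizer (name runs to whitespace, '=', '/'
// or '>'; value is quoted to the matching quote, or unquoted to whitespace/'>').
// ie8FilterModel is a simplified, constructed model of the filter's behaviour.

function attributesOf(tag) {
  const attrs = {};
  const n = tag.length;
  let i = tag.search(/\s/);                  // skip the tag name
  if (i < 0) return attrs;
  while (i < n) {
    while (i < n && /\s/.test(tag[i])) i++;
    if (i >= n || tag[i] === '>') break;
    let name = '';
    while (i < n && !/[\s=>\/]/.test(tag[i])) name += tag[i++];   // a '"' is a legal name char here
    while (i < n && /\s/.test(tag[i])) i++;
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < n && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < n && tag[i] !== q) value += tag[i++];
        i++;                                  // closing quote
      } else {
        while (i < n && !/[\s>]/.test(tag[i])) value += tag[i++];
      }
    }
    if (name) attrs[name.toLowerCase()] = value;
    else i++;                                 // stray '/' or '=': skip it
  }
  return attrs;
}

// Model of the filter: if an "on<event>=" pattern from the request is reflected
// inside a tag's attribute value in the response, neuter the tag by replacing its
// first '=' with '#'. In the slide's case that is the '=' after alt.
function ie8FilterModel(requestParam, responseHtml) {
  if (!/on\w+\s*=/i.test(requestParam)) return responseHtml;   // signature not present in request
  const tagRe = /<[^>]*?=\s*"[^"]*on\w+\s*=[^>]*>/i;           // a tag whose quoted value holds it
  const m = responseHtml.match(tagRe);
  if (!m) return responseHtml;
  const neutered = m[0].replace('=', '#');                     // String.replace: first '=' only
  return responseHtml.replace(m[0], neutered);
}

const TEMPLATE = injection => `<img alt="${injection}" src="x.png">`;
const INJECTION = 'x onload=alert(0) x';

function filterDemo() {
  const original = TEMPLATE(INJECTION);
  const afterFilter = ie8FilterModel(INJECTION, original);
  return {
    original,
    afterFilter,
    originalHasOnload: 'onload' in attributesOf(original),     // false: it is text inside alt
    filteredHasOnload: 'onload' in attributesOf(afterFilter),  // true: now a real attribute
  };
}
```

Reflective XSS filters of this kind have since been removed from all major browsers; the robust defence remains context-aware output encoding on the server, with a Content-Security-Policy as the second layer.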
Cross Site Request Forgery
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
http://secunia.com/advisories/search/?search=Cross+Site+Request+Forgery&sort_by=date
Cross Site Request Forgery
Facebook:
http://www.john-jean.com/blog/advisories/facebook-csrf-and-xss-vulnerabilities-destructive-worms-on-a-social-network-350
Twitter:
http://techcrunch.com/2010/09/26/dont-click-the-wtf-link-on-twitter-unless-you-do-like-sex-with-goats
HTTP Parameter Pollution
Stefano di Paola and Luca Carettoni, http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
How does your application respond if it receives multiple parameters all with the same name ?
Bypass firewall, Change application behaviour, …
HTTP Parameter Contamination
HTTP Parameter Contamination (HPC): the original idea comes from the innovative approach found in the HPP research, exploring deeper and exploiting strange behaviours in web server components, web applications and browsers that result from query string parameter contamination with reserved or unexpected characters.
Some facts:
- The term Query String is commonly used to refer to the part between the "?" and the end of the URI
- As defined in RFC 3986, it is a series of field-value pairs
- Pairs are separated by "&" or ";"
- RFC 2396 defines these classes of characters:
  Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
  Reserved: ; / ? : @ & = + $ ,
  Unwise: { } | \ ^ [ ] `
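The question on the HPP slide ("how does your application respond to multiple parameters with the same name?") has a different answer on every stack, and HPC extends it to the parameter name itself: a filter that parses the request one way, in front of an application that parses it another way, checks something other than what the application runs. The following is an added example, not code from either paper, serving both slides. It resolves repeated parameters the way PHP, Java Servlets, classic ASP/ASP.NET and Express are commonly documented to, applies PHP's documented name normalisation (dots, spaces and an unmatched "[" become "_"), and runs two constructed per-value filter rules against constructed query strings to show what each one misses.

```javascript
// Added example (not from the HPP or HPC papers). Platform behaviours are the
// commonly documented ones: PHP keeps the last value, Java Servlets the first,
// classic ASP / ASP.NET join all values with ',', Express collects them in an
// array. normaliseName is PHP's rule for '.', ' ' and an unmatched '['. The two
// WAF rules and the query strings are constructed toys.

function parsePairs(query) {             // split on '&' or ';', decode name and value
  const dec = s => decodeURIComponent(s.replace(/\+/g, ' '));
  return query.replace(/^\?/, '').split(/[&;]/).filter(Boolean).map(p => {
    const i = p.indexOf('=');
    return i < 0 ? [dec(p), ''] : [dec(p.slice(0, i)), dec(p.slice(i + 1))];
  });
}

// PHP rewrites '.' and ' ' in a top-level name to '_', and an unmatched '[' to '_'
// (approximation: real PHP only rewrites '.'/' ' before the first '[').
function normaliseName(name, platform) {
  if (platform !== 'php') return name;
  let n = name.replace(/[ .]/g, '_');
  const b = n.indexOf('[');
  if (b >= 0 && !n.includes(']', b)) n = n.slice(0, b) + '_' + n.slice(b + 1);
  return n;
}

function resolveParams(query, platform) {
  const out = {};
  for (const [rawName, value] of parsePairs(query)) {
    const name = normaliseName(rawName, platform);
    if (!(name in out)) { out[name] = value; continue; }
    switch (platform) {
      case 'php':     out[name] = value; break;                       // last occurrence wins
      case 'servlet': break;                                          // first occurrence wins
      case 'asp':     out[name] = out[name] + ',' + value; break;     // all joined with ','
      case 'express': out[name] = [].concat(out[name], value); break; // array of all
      default: throw new Error('unknown platform ' + platform);
    }
  }
  return out;
}

// Toy WAF 1: reject any single value that looks like "select ... from".
const sqlRule = /select\b[\s\S]*\bfrom\b/i;
function wafPerValueBlocks(query) {
  return parsePairs(query).some(([, v]) => sqlRule.test(v));
}

// Toy WAF 2: reject a quote in the value of one named, protected parameter.
function wafNamedParamBlocks(query, protectedName) {
  return parsePairs(query).some(([n, v]) => n === protectedName && v.includes("'"));
}

// HPP: the statement is split over two values, each harmless alone; ASP's join
// reassembles it. PHP and Servlets see only half, so the same request behaves
// differently behind each stack.
const HPP_QUERY = '?q=select 1&q=2 from credit_cards';

// HPC: the filter protects "user_id", but the request names it "user.id". The
// name-based rule never fires; PHP normalises the name and the payload arrives.
const HPC_QUERY = "?user.id=1' or '1'='1";
```

The practical consequence for the defender: a WAF or framework validation layer must canonicalise the request exactly as the application will (same duplicate-parameter policy, same name rewriting, same decoding), or it must run inside the application after that canonicalisation has happened.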
INTRANET Hacking
From Website to LAN
- Browser plugins
- Cross Site Request Forgery, http://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/
- CSS History Hack for Port Scanning (with and without JavaScript): http://ha.ckers.org/blog/20100125/css-history-hack-in-firefox-without-javascript-for-intranet-portscanning/
INTRANET Hacking
From Website to LAN
Cross Site Request Forgery, http://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/
.: POC (CSRF / Change password)
http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD
.: POC (CSRF / DoS)
http://PUBLIC_IP_OF_USER/rebootinfo.cgi
Exotic threats in 2012
• White Hat Security Exotic Threats, http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
Playground
• Demo environment for security analysis
• BackTrack Linux
• Metasploit
QUESTIONS