How To Break Web Software

The document outlines how to break web software through functional and security testing of web applications and web services, discussing who Security Innovation is and their approach to software security solutions, and providing an overview of common web attacks like panning for gold, bypassing client-side validation, SQL injection, and buffer overflows. The course teaches how to identify vulnerabilities, conduct various attacks, protect against attacks, and includes examples and demos.

Uploaded by neovik82
Copyright: Attribution Non-Commercial (BY-NC)

How to Break Web Software
Functional and Security Testing of Web Applications and Web Services

Joe Basirico
Dev. Manager
Course outline

• Who we are and why we’re here
• The web is different
• The Attacks!
– Panning for gold
– Bypass client-side validation
– SQL injection
– Buffer overflows
– Fake Cryptography
Who is Security Innovation?

• Leading Software Security Solutions Firm that delivers
• Professional Services (Risk Assessment and Risk Mitigation)
• Professional Education
• Tools & Guidance
– To ...
• Enterprise IT organizations
• Enterprise Software Development organizations
• Technology Vendors
– So organizations can...
• Understand the vulnerabilities and risks that their software systems pose
• Incorporate security and manage risk throughout the Software Development and Management lifecycle.

Security Innovation has offices in Amsterdam, Boston, and Seattle, and widely-adopted security testing methodologies and education courses
Is this really that big of a deal?
(aka scare the pants off of you, slide)

[Chart: Vulnerabilities reported per year, 1999 to 2008 (2008 extrapolated); y-axis 0 to 9000]
Source: http://www.cert.org/stats/fullstats.html
Need More?

• Microsoft, IBM, Sun, and CISCO have all adopted a similar software methodology to what I’m going to explain later
• They’ve moved from the Software Development Lifecycle to a Secure Software Development Lifecycle
• This may seem subtle, but believe me it’s not!

More!?

• Attacks are up 450%!
• Breaches cost companies more than $450 Million dollars last year
• SQL Slammer cost us about 1.2 Billion dollars
• Code Red – 2.6 Billion dollars
• Love letter (remember this one?) – 9 Billion dollars

This is just 900 milli


Course outline

• Who we are and why we’re here
• The web is different
• The Attacks!
– Panning for gold
– Bypass client-side validation
– SQL injection
– Buffer overflows
– Fake Cryptography
The web is different

• We’ve been connecting computers for years
• Today we use the web to solve very complex and difficult tasks
– E-commerce
– E-mail
– Banking
• To do this we need very complex technologies
– ASP.net / JSP / CGI etc.
– AJAX / Script / ActiveX / Java Applets
The web is stateless

• Don’t let anybody tell you any different
• To track state through the web we stack more technology on top
– Cookies
– Session Variables
Opposing goals

[Diagram of competing goals: Reliability, Maintainability, Performance, Security, Functionality, Usability]
The fault model

• The Server where the Web content resides
• The network that connects the two
• The client where the content is to be served
The Attacks!
Complete list

• Gathering Information on the Target
– Panning for gold
– Guessing files and directories
– Holes left by other people
– Vulnerabilities in sample applications
• Attacking the Client
– Bypass restrictions on input choices
– Bypass client-side validation
• State-Based Attacks
– Hidden fields
– CGI parameters
– Cookie poisoning
– URL jumping
– Session hijacking
• Attacking User Supplied Input Data
– Cross-site scripting
– SQL injection
– Directory traversal
• Language Based Attacks
– Buffer overflows
– Canonicalization
– NULL-string attacks
• Attacking the Server
– SQL injection II – Stored procedures
– Command injection
– Fingerprinting the server
– Denial of service
• Authentication
– Fake Cryptography
– Breaking authentication
– Cross-site tracing
– Forcing weak cryptography
Attack overview

• Overview
• When to apply this attack
• How to conduct this attack
• How to protect against this attack
• Example or Demo
Course outline

• Who we are and why we’re here
• The web is different
• The Attacks!
– Panning for gold
– Bypass client-side validation
– SQL injection
– Buffer overflows
– Fake Cryptography
Attack 1 Panning for gold
Overview

• Looking for information an attacker could use to leverage later
• Username/Passwords
• HTML comments
• Connection strings
• Error Messages
Panning for gold
How to conduct this attack

• Read the source code – boring!
• Map the pages of the site
• ViewSource for hidden fields, javascript, comments etc.
• Force all error messages to occur
– We’ll get into this more later
• Use a tool!
– Grep is your friend ☺
Panning for gold
Grep – or other regex search

Item / Description / Regular Expression

HTML comments
  Usually nav/page section markers, but sometimes interesting
  <!--[^-][\w\W]*?[^-]-->

Application comments
  All app comments should be removed
  <!---[\w\W]*?--->   (Cold Fusion comments)
  //.*                (single line comments)
  /\*[\w\W]*?\*/      (C style comments)
  ^'.*  and  rem\s.*  (VB comments)

IP addresses
  May reference servers other than the primary server
  [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}

E-mail addresses
  May be private e-mail addresses for the developers
  [\w]*(\.[\w]*)*@[\w]*(\.[\w]*)

SQL queries
  A giant nugget of gold!
  SELECT\s[\w\*\)\(\,\s]+FROM\s[\w]+   etc.

Database connection strings
  Could cause false positives but could help you discover new database servers
  Provider|Data\sSource|Driver

Hidden input fields
  Can save a lot of time from looking for these later
  <input\s[\w\W]*?type=("?)hidden("?)[\w\W]*?>
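The table above is meant to be fed to grep; the following script is an added example (not from the deck) that runs the same patterns, with the typos from the slide repaired, over a constructed page source so a tester can see what each one pulls out and which ones false-positive. SAMPLE_PAGE and all values in it are constructed for this example.

```python
import re

# Regexes from the slide's table, with the extraction typos repaired (missing "]" in
# the IP pattern, "[w" for "[\w", curly quotes, "//*" for "//.*").
PATTERNS = {
    "HTML comment":        r"<!--[^-][\w\W]*?[^-]-->",
    "ColdFusion comment":  r"<!---[\w\W]*?--->",
    "C-style comment":     r"/\*[\w\W]*?\*/",
    "single-line comment": r"//.*",                      # also hits http:// URLs
    "VB comment":          r"^'.*|\brem\s.*",
    "IP address":          r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}",
    "e-mail address":      r"[\w]+(?:\.[\w]+)*@[\w]+(?:\.[\w]+)+",
    "SQL query":           r"SELECT\s[\w\*\)\(\,\s]+FROM\s[\w]+",
    "connection string":   r"Provider|Data\sSource|Driver",
    "hidden input field":  r"<input\s[\w\W]*?type=\"?hidden\"?[\w\W]*?>",
}
COMPILED = {name: re.compile(p, re.MULTILINE) for name, p in PATTERNS.items()}

def pan_for_gold(page_source):
    """Run every pattern over one page; return {label: [matches]} for labels that hit."""
    hits = {}
    for name, rx in COMPILED.items():
        found = [m.group(0) for m in rx.finditer(page_source)]
        if found:
            hits[name] = found
    return hits

# Constructed page source standing in for a real site's HTML; nothing here is real.
SAMPLE_PAGE = """<html><!-- nav: main menu -->
<script>
// TODO remove before ship: test login admin / Secret123 on 10.0.0.12
var conn = "Provider=SQLOLEDB;Data Source=10.0.0.12;User Id=web;";
/* SELECT id, balance FROM Financial_Records WHERE id=1 */
</script>
<form><input type="hidden" name="price" value="9.99"></form>
<!-- contact dev@example.com -->
</html>"""

if __name__ == "__main__":
    for label, matches in pan_for_gold(SAMPLE_PAGE).items():
        print("%-20s %s" % (label, matches))
```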
Panning for gold
Example (screenshot slide)

Panning for gold
Example 2 (three screenshot slides)
Attack 2 Bypass client side validation
Overview

• JavaScript is not a security feature!!!!
(the slide repeats this line a dozen times, with the same words as a large overlay)
Attack 2 Bypass client side validation
Overview

• Validation is a tough problem
• Post-backs are expensive
– Bandwidth
– Server processor time
– Usability
• Hidden fields
• Input size restrictions
Bypass client side validation
How to conduct this attack

• “Turn off” events
• Save and edit Web Pages
• Use a tool
– Pagespy
– Localhost proxy
• Burp proxy
• Snark
• Paros
– DOM inspector
Bypass client side validation
Example

• Raleigh, North Carolina cable news channel shut down a Web application designed to allow local schools and businesses to report weather related closings
• The system allowed users to submit a message that would get read and approved by a human…the problem: checks weren’t done to ensure that users couldn’t change their message after approval
• "It was a Web-based system that we had used two, almost three years, with nobody taking advantage of it" News 14's Charlie Schell
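Since a proxy or a saved-and-edited page can rewrite any field, including hidden fields and maxlength limits, the server has to re-check everything itself. The handler below is an added example, not code from the deck; the CATALOG price list, the limits and the form field names are constructed for it.

```python
# Constructed server-side price list and limits. The browser form carries a hidden
# "price" field and maxlength="40" on "note"; the server must rely on neither.
CATALOG = {"sku-100": 9.99, "sku-200": 24.50}
MAX_NOTE = 40
MAX_QTY = 99

def handle_order(form):
    """Validate one submitted form (a dict of string fields) the way the server must:
    re-check every limit the page enforced only in JavaScript and re-derive every
    value the page carried in a hidden field. The submitted 'price' is never used."""
    errors = []
    sku = form.get("sku", "")
    if sku not in CATALOG:
        errors.append("unknown sku")
    qty = form.get("qty", "")
    if not qty.isdigit() or not 1 <= int(qty) <= MAX_QTY:
        errors.append("qty must be an integer from 1 to %d" % MAX_QTY)
    note = form.get("note", "")
    if len(note) > MAX_NOTE:                 # the maxlength attribute is only a hint
        errors.append("note longer than %d characters" % MAX_NOTE)
    if errors:
        return {"ok": False, "errors": errors}
    # Price is looked up from the catalog, so a tampered hidden field changes nothing.
    total = round(CATALOG[sku] * int(qty), 2)
    return {"ok": True, "sku": sku, "qty": int(qty), "total": total}

if __name__ == "__main__":
    tampered = {"sku": "sku-100", "qty": "2", "note": "gift", "price": "0.01"}
    print(handle_order(tampered))
```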
SQL injection
Overview

• The most used data storage mechanism
• SQL allows the web application to talk to the database
• Poorly coded SQL statements allow an attacker to append or inject additional statements
SQL injection
How to conduct this attack

• Bypass client side validation functions
• Try SQL specific characters in all input fields
– Textboxes
– Hidden fields
– URLs
– Drop down list boxes
– Integers
– Anywhere!

Character / Meaning / URL Encoded*
'   Close string   %27
--  Comment        %2d%2d
;   End command    %3b
How did this happen?!

Original Query (trying with username "sam" and blank password):
Select * From Financial_Records Where username = 'sam' and password = ''
Result: Login Failure

We put in:
sam' --
(effectively removes the need for a password!)

New Query:
Select * From Financial_Records Where username = 'sam'-- ' and password = ''
Result: Sam's records without needing a password!
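The slide's two queries, run for real against a constructed in-memory SQLite table so the difference between concatenating user input and passing it as a parameter is visible. This is an added example, not code from the deck; the table contents are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slide's Financial_Records table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Financial_Records (username TEXT, password TEXT, balance INTEGER)")
    db.executemany("INSERT INTO Financial_Records VALUES (?, ?, ?)",
                   [("sam", "s3cret", 1200), ("alice", "hunter2", 40)])
    return db

def login_vulnerable(db, username, password):
    """The slide's query built by string concatenation: user text becomes SQL syntax,
    so a trailing -- turns the password check into a comment."""
    query = ("SELECT * FROM Financial_Records WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchall()

def login_parameterized(db, username, password):
    """Same lookup with placeholders: the driver passes user text as data, never syntax,
    so the quote and -- are just characters in a username that does not exist."""
    query = "SELECT * FROM Financial_Records WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated, blank password:", login_vulnerable(db, "sam", ""))
    print("concatenated, sam' --       :", login_vulnerable(db, "sam' --", ""))
    print("parameterized, sam' --      :", login_parameterized(db, "sam' --", ""))
```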
Attack 3 Buffer overflows
Overview

• The historic. The notorious. The Dangerous. The Buffer Overflow!
• Overflowing a buffer and overwriting the return address can allow an attacker to run arbitrary code on the server
• For in depth explanation please see me after class


Attack 3 Buffer overflows
How to conduct this attack

• Probably the easiest attack to conduct
– Can be difficult to fully exploit
• Simply fill every input field with as much data as possible
• Try places with maxlength fields and other developer restrictions
• Difficult to get return on, though, with modern server/web applications
– Search for legacy applications in native code
Buffer Overflows
Live Demo!
How did this happen?!
Fake cryptography
Overview

• Sensitive data must be encrypted
• Happening since the Roman Empire
• Crypto helps with Confidentiality and Integrity of data
• “Roll Your Own” crypto is a bad idea
• Tough to weigh performance with sensitivity
• Casual inspection of “encrypted” data often looks random enough
Fake cryptography
How to conduct this attack

• Try variable length strings and look for = signs at the end (base64 encoding)
• Change one letter and look how the encrypted string changes
– ROT
– XOR
• Use a tool
– Napkin
– Many online tools
• Find the developer and ask (gasp!)


Fake Cryptography
Hands On

• VGhpcyBpcyBzZWN1cmUgcmlnaHQ/
• dGhlIHF1aWNrIGJyb3duIGZveA==
• %73%75%70%65%72%20%73%65%63%75%72%65%21
• rtodq rdbtqd?
• F8238BA10DCB2F19F21D5A48FB735558
• 64C7F53D540AAFB387FEE20A40BF03854E0925B3
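The checks from the "How to conduct this attack" slide, written out as a small classifier for the hands-on values above: base64 (the trailing = padding and alphabet), percent-encoding, a Caesar/ROT letter shift, and hex strings of MD5 or SHA-1 digest length. This is an added example, not from the deck; KNOWN_WORDS is a constructed word list, and the two hex values are only recognised by length, nothing is claimed about what they hash.

```python
import base64
import binascii
import re
import string
from urllib.parse import unquote

# Constructed word list; a hit after a letter shift means the "cipher" was plain ROT/Caesar.
KNOWN_WORDS = ("secure", "the", "password", "admin")

def try_base64(s):
    """Return the decoded text when s is well-formed base64 yielding printable ASCII."""
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def try_caesar(s):
    """Try all 25 letter shifts; return (shift, text) once a known word appears."""
    low = string.ascii_lowercase
    for shift in range(1, 26):
        text = s.lower().translate(str.maketrans(low, low[shift:] + low[:shift]))
        if any(w in text for w in KNOWN_WORDS):
            return shift, text
    return None

def classify(s):
    """Label a value presented as 'encrypted' by what it actually is."""
    if re.fullmatch(r"[0-9A-Fa-f]{32}", s):
        return "32 hex digits: hash-sized (MD5 length), a digest rather than a cipher"
    if re.fullmatch(r"[0-9A-Fa-f]{40}", s):
        return "40 hex digits: hash-sized (SHA-1 length), a digest rather than a cipher"
    if re.fullmatch(r"(%[0-9A-Fa-f]{2})+", s):       # every byte percent-escaped
        return "url-encoded: " + unquote(s)
    decoded = try_base64(s)
    if decoded is not None:
        return "base64: " + decoded
    shifted = try_caesar(s)
    if shifted is not None:
        return "caesar shift %d: %s" % shifted
    return "unknown: needs closer analysis"

if __name__ == "__main__":
    for sample in ("VGhpcyBpcyBzZWN1cmUgcmlnaHQ/", "rtodq rdbtqd?",
                   "F8238BA10DCB2F19F21D5A48FB735558"):
        print(sample, "->", classify(sample))
```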
Complete list

• Gathering Information on the Target
– Panning for gold
– Guessing files and directories
– Holes left by other people
– Vulnerabilities in sample applications
• Attacking the Client
– Bypass restrictions on input choices
– Bypass client-side validation
• State-Based Attacks
– Hidden fields
– CGI parameters
– Cookie poisoning
– URL jumping
– Session hijacking
• Attacking User Supplied Input Data
– Cross-site scripting
– SQL injection
– Directory traversal
• Language Based Attacks
– Buffer overflows
– Canonicalization
– NULL-string attacks
• Attacking the Server
– SQL injection II – Stored procedures
– Command injection
– Fingerprinting the server
– Denial of service
• Authentication
– Fake Cryptography
– Breaking authentication
– Cross-site tracing
– Forcing weak cryptography
How to Contact Me - Joe Basirico

Snail Mail:
Security Innovation
616 1st Ave
Suite 400
Seattle WA, 98112

E-mail & Web:
[email protected]
http://www.securityinnovation.com

Telephone:
c) 1 (206) 227-6458
w) 1 (206) 438-3910

Questions? Comments?
