SlideShare ist ein Scribd-Unternehmen logo

Real web-attack-scenario

OWASP (Open Web Application Security Project)
OWASP (Open Web Application Security Project)
Technologie
1 von 29
Downloaden Sie, um offline zu lesen
Web application attacks in practice (or how the common real application attack looks like) Ing. Pavol Lupták, CISSP, CEH          www.nethemba.com             www.nethemba.com      
Contents  Achieving the attacker's anonymity  Looking for SQL/XSS injections  SQL code obfuscation  Cracking the hashes  Exploiting admin web interface  Local root escalation  Cleaning the traces   Backdooring        www.nethemba.com       
Anonymity In order to achieve the maximum anonymity,  the attacker has various choices:  TOR – the easiest way (problem can be with  bandwidth, especially in aggressive attacks)  hacking any Internet vulnerable server (there are  millions) and escalating root privileges  using anonymous shell accounts (freeshell.eu)  buying anonymous server accesses, anonymous    proxies using stolen credit cards        www.nethemba.com       
The attacker has to be aware of  sanitizing its “browser footprint” (e.g. using privoxy)  DNS leaks (using TOR internal DNS resolver)  Traffic analysis  Eavesdropping by exit nodes (by not sending any sensitive information that can reveal the attacker's identity)          www.nethemba.com       
Strong anonymity can be  achieved  quite easily!          www.nethemba.com       
Let's look for SQL/XSS injections  port scanning can be very aggressive and  easily detected  web spidering and looking for certain SQL/XSS  injections is much more undetectable (without  WAF/IDS/IPS and using POST injections it  looks like a legitimate traffic)  it's easy to enumerate most SQL injection  “vectors” (and also it's quite easy to block most    of them using WAF/IPS)        www.nethemba.com       
Arithmetic Blind SQL injections No need to use AND or OR operators!  SELECT field FROM table WHERE  id=abs(param)  SELECT field FROM table WHERE  id=A+ASCII(B)­C   SELECT field FROM table WHERE id=A+(1/ (ASCII(B)­C))  B is substring(passwd,1,1), C is counter, when    ASCII(B)=C, “divide by zero” exception occurs         www.nethemba.com       
Time-based blind SQL injections Depends on injection query SELECT  IF(expression, true, false) and it can be used in  all database servers:  MySQL ­  BENCHMARK(5000000,MD5(CHAR(116)))  MSSQL – 'WAIT FOR DELAY' 0:0:10  PostgreSQL ­ pg_sleep()     using database dependent “Heavy queries”        www.nethemba.com       
Time-based Blind SQL injections using Heavy Queries  the attacker has to find heavy slow queries that  can be consequently used as “delay” (e.g. time­ expensive cross­joining conditions)  program.php?id=1 and (SELECT count(*)  FROM sysusers AS sys1, sysusers as sys2,  sysusers as sys3, sysusers AS sys4, sysusers  AS sys5, sysusers AS sys6, sysusers AS sys7,  sysusers AS sys8)>1 and 300>(select top 1    ascii(substring(name,1,1)) from sysusers)        www.nethemba.com       
Marathon Tool  automates time­based blind SQL injection  attacks using Heavy Queries in SQL server  MySQL, MS Access, Oracle DB server  extracts data using heavy queries from all these  databases  http://www.codeplex.com/marathontool          www.nethemba.com       
SQL injection tools  SQL injection can be fully automatized by using  many tools (sqlmap, SQL Power Injector, 0x90,  SQLiX, sqlninja and many commercial ones)  many of them support various SQL injection  methods, including “arithmetic” or “time delay”  blind SQL injection  the problem can be with the old DBs without  information schemas (like MySQL 4.x) where the   attacker has to guess the tables names, columns        www.nethemba.com       
“Potential” SQL injections  can be practically exploited  in 99% cases!          www.nethemba.com       
The application is vulnerable to XSS/SQL injection, but it uses WAF/IPS  injection payload can be obfuscated by the  attacker, e.g. using Hackvertor  many WAFs can be evaded by this technique  (including mod_security, PHP IDS and many  commercial WAFs)          www.nethemba.com       
mod_security & PHP IDS bypass Special UTF encoding, malformed hex entities  & other tricks are used to bypass WAFs:  mod_security bypass <div/style=`­:expressio&#x5c&#x36&#x65(u00 6&#x34;omai&#x6e=x)` x=modsecurity.org>  PHPIDS bypass <div/style=­=expressio&#x5c&#x36&#x65(­ execScript(x,y)­x) x=MsgBox­1 y=vbs>          www.nethemba.com       
WAFs are just workarounds! No WAF/IPS can 100% protect  you from input validation attacks  (even if your WAF vendor claims it :­)          www.nethemba.com       
The attacker's interests The attacker is mainly interested in:  any sensitive information (credit card numbers,  usernames, passwords, certificates, keys, ..)  administrator/root passwords / hashes (in order  to escalate his privileges, access to admin web  interface or gain full database access)          www.nethemba.com       
Cracking the hashes Hashes are invaluable source for the attacker  doing cracking by using:  big word­lists/dictionaries  brute­forcing (this can be very time consuming)  offline or online rainbow tables (for all hashes  which do not use salt including DES, LM,  NTLM, MD5, A5/1, ...)          www.nethemba.com       
Admin web interface  the admin web interface is almost always much  more complex than the main application, less  restrictive allowing using own SQL  statements or running own system  commands and it is very often available from  the Internet (!)  the attacker cracks the admin hashes and gains  the access to the administrator web interface          www.nethemba.com       
Another way to gain the admin web access I.  exploits a potential XSS vulnerability in the  application, the admin interface has to be in the  same SOP like the main application  it requires no admin interaction (in case of  persistent XSS, just reading “XSS­infected”  forum by administrator)  it requires admin interaction (in case of reflexive    or dom­based XSS), e.g. clicking “infected” link         www.nethemba.com       
Injected javascript functionality  reads admin session ID from the cookie  if the cookie uses HttpOnly flag, it performs  TRACE request using XMLHTTPRequest and  receives the cookie in HTTP response  can perform CSRF request (and e.g. change  admin password)  can do a lot of ugly things (e.g. portscanning  admin's intranet)          www.nethemba.com       
Another way to gain the admin web access II.  exploits bad session management  implementation (when the application uses just  cookies for session ID), thus the application  does not need to be vulnerable to SQL/XSS (!)  the attacker can perform CSRF request (send  arbitrary GET/POST request under  administrator), e.g. change admin password,  send forgotten password, set admin privileges    to another user, etc.        www.nethemba.com       
Exploiting of local system  possibility to use own SQL statements (e.g. with  execute privileges or reading/writing local  files) or run own system commands almost  always leads to gaining the local system user  access (apache, www­data, webuser, ..)  consequently, exploiting the kernel is obviously  easy (there are many public available local root  exploits for all Linux kernels <= 2.6.31)          www.nethemba.com       
Care about your kernel and  local system security! (e.g. using on­the­fly kernel patching)          www.nethemba.com       
Cleaning the traces  after the successful attack, web server / WAF  /IPS / IDS logs are full of SQL injection attempts  when the attacker gains local root/admin, it's  usually easy to clean his traces (modify web  server / WAF / IPS / IDS logs, remove  suspicious entries from the database, ...)          www.nethemba.com       
Always store logs on the read­ only medium or send them to the  remote non­hackable log server!          www.nethemba.com       
Backdooring  nowadays, the best way of backdooring is to  use LKM rootkits – they are stealthy, non­ detectable, and completely immune against file­ system checksums/hashing (like Tripwire)  compromised server can be used as another  attacker proxy, or sold as a part of botnet on the  hacker's blackmarkets          www.nethemba.com       
Summary  security should be always “multi­layered”  write secure code, use prepared statements  use whitelisting instead of blacklisting   do input and also output validation rd  use 3  layered database architecture  care about your local system security and  kernel          www.nethemba.com       
References  http://proidea.maszyna.pl/CONFidence09/2/CONFidence2009_chema_jose.pdf  http://www.owasp.org/index.php/Blind_SQL_Injection  http://proidea.maszyna.pl/CONFidence09/2/CONFidence2009_gareth_heyes.pdf          www.nethemba.com       
Thank you for your attention! pavol.luptak@nethemba.com          www.nethemba.com       

Empfohlen

New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethembaOWASP (Open Web Application Security Project)
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2OWASP (Open Web Application Security Project)
 
Se linux course1
Se linux course1Se linux course1
Se linux course1OWASP (Open Web Application Security Project)
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploitOWASP (Open Web Application Security Project)
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securityn|u - The Open Security Community
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 

Empfohlen

New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethembaOWASP (Open Web Application Security Project)
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2OWASP (Open Web Application Security Project)
 
Se linux course1
Se linux course1Se linux course1
Se linux course1OWASP (Open Web Application Security Project)
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploitOWASP (Open Web Application Security Project)
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securityn|u - The Open Security Community
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
Inception framework
Inception frameworkInception framework
Inception framework한익 주
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Black magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionBlack magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionNazar Tymoshyk, CEH, Ph.D.
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Browser Security
Browser SecurityBrowser Security
Browser SecurityRoberto Suggi Liverani
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection VulnerabilitiesMindfire Solutions
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.pptOmprakashVerma56
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalRich Helton
 

Weitere ähnliche Inhalte

Was ist angesagt?

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
Inception framework
Inception frameworkInception framework
Inception framework한익 주
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Black magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionBlack magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionNazar Tymoshyk, CEH, Ph.D.
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 

Was ist angesagt? (20)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Inception framework
Inception frameworkInception framework
Inception framework
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Black magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionBlack magic of web attacks Detection and Prevention
Black magic of web attacks Detection and Prevention
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 

Ähnlich wie Real web-attack-scenario

C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalRich Helton
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xss15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xssappsec
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 

Ähnlich wie Real web-attack-scenario (20)

WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Not only a XSS
Not only a XSSNot only a XSS
Not only a XSS
 
Secure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web ApplicationsSecure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web Applications
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
4.Xss
4.Xss4.Xss
4.Xss
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Secure Coding
Secure Coding Secure Coding
Secure Coding
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xss15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xss
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 

Mehr von OWASP (Open Web Application Security Project)

Mehr von OWASP (Open Web Application Security Project) (12)

Paralelni polisweb
Paralelni poliswebParalelni polisweb
Paralelni polisweb
 
Nethemba - Writing exploits
Nethemba - Writing exploitsNethemba - Writing exploits
Nethemba - Writing exploits
 
Preco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost NethembaPreco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost Nethemba
 
Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 
Sms ticket-hack4
Sms ticket-hack4Sms ticket-hack4
Sms ticket-hack4
 
Php sec
Php secPhp sec
Php sec
 
Nove trendy-zranitelnosti
Nove trendy-zranitelnostiNove trendy-zranitelnosti
Nove trendy-zranitelnosti
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 
Mifare classic-slides
Mifare classic-slidesMifare classic-slides
Mifare classic-slides
 
1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 

Kürzlich hochgeladen

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Kürzlich hochgeladen (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Real web-attack-scenario

  • 1. Web application attacks in practice (or how the common real application attack looks like) Ing. Pavol Lupták, CISSP, CEH          www.nethemba.com             www.nethemba.com      
  • 2. Contents  Achieving the attacker's anonymity  Looking for SQL/XSS injections  SQL code obfuscation  Cracking the hashes  Exploiting admin web interface  Local root escalation  Cleaning the traces   Backdooring        www.nethemba.com       
  • 3. Anonymity In order to achieve the maximum anonymity,  the attacker has various choices:  TOR – the easiest way (problem can be with  bandwidth, especially in aggressive attacks)  hacking any Internet vulnerable server (there are  millions) and escalating root privileges  using anonymous shell accounts (freeshell.eu)  buying anonymous server accesses, anonymous    proxies using stolen credit cards        www.nethemba.com       
  • 4. The attacker has to be aware of  sanitizing its “browser footprint” (e.g. using privoxy)  DNS leaks (using TOR internal DNS resolver)  Traffic analysis  Eavesdropping by exit nodes (by not sending any sensitive information that can reveal the attacker's identity)          www.nethemba.com       
  • 5. Strong anonymity can be  achieved  quite easily!          www.nethemba.com       
  • 6. Let's look for SQL/XSS injections  port scanning can be very aggressive and  easily detected  web spidering and looking for certain SQL/XSS  injections is much more undetectable (without  WAF/IDS/IPS and using POST injections it  looks like a legitimate traffic)  it's easy to enumerate most SQL injection  “vectors” (and also it's quite easy to block most    of them using WAF/IPS)        www.nethemba.com       
  • 7. Arithmetic Blind SQL injections No need to use AND or OR operators!  SELECT field FROM table WHERE  id=abs(param)  SELECT field FROM table WHERE  id=A+ASCII(B)­C   SELECT field FROM table WHERE id=A+(1/ (ASCII(B)­C))  B is substring(passwd,1,1), C is counter, when    ASCII(B)=C, “divide by zero” exception occurs         www.nethemba.com       
  • 8. Time-based blind SQL injections Depends on injection query SELECT  IF(expression, true, false) and it can be used in  all database servers:  MySQL ­  BENCHMARK(5000000,MD5(CHAR(116)))  MSSQL – 'WAIT FOR DELAY' 0:0:10  PostgreSQL ­ pg_sleep()     using database dependent “Heavy queries”        www.nethemba.com       
  • 9. Time-based Blind SQL injections using Heavy Queries  the attacker has to find heavy slow queries that  can be consequently used as “delay” (e.g. time­ expensive cross­joining conditions)  program.php?id=1 and (SELECT count(*)  FROM sysusers AS sys1, sysusers as sys2,  sysusers as sys3, sysusers AS sys4, sysusers  AS sys5, sysusers AS sys6, sysusers AS sys7,  sysusers AS sys8)>1 and 300>(select top 1    ascii(substring(name,1,1)) from sysusers)        www.nethemba.com       
  • 10. Marathon Tool  automates time­based blind SQL injection  attacks using Heavy Queries in SQL server  MySQL, MS Access, Oracle DB server  extracts data using heavy queries from all these  databases  http://www.codeplex.com/marathontool          www.nethemba.com       
  • 11. SQL injection tools  SQL injection can be fully automatized by using  many tools (sqlmap, SQL Power Injector, 0x90,  SQLiX, sqlninja and many commercial ones)  many of them support various SQL injection  methods, including “arithmetic” or “time delay”  blind SQL injection  the problem can be with the old DBs without  information schemas (like MySQL 4.x) where the   attacker has to guess the tables names, columns        www.nethemba.com       
  • 12. “Potential” SQL injections  can be practically exploited  in 99% cases!          www.nethemba.com       
  • 13. The application is vulnerable to XSS/SQL injection, but it uses WAF/IPS  injection payload can be obfuscated by the  attacker, e.g. using Hackvertor  many WAFs can be evaded by this technique  (including mod_security, PHP IDS and many  commercial WAFs)          www.nethemba.com       
  • 14. mod_security & PHP IDS bypass Special UTF encoding, malformed hex entities  & other tricks are used to bypass WAFs:  mod_security bypass <div/style=`­:expressio&#x5c&#x36&#x65(u00 6&#x34;omai&#x6e=x)` x=modsecurity.org>  PHPIDS bypass <div/style=­=expressio&#x5c&#x36&#x65(­ execScript(x,y)­x) x=MsgBox­1 y=vbs>          www.nethemba.com       
  • 15. WAFs are just workarounds! No WAF/IPS can 100% protect  you from input validation attacks  (even if your WAF vendor claims it :­)          www.nethemba.com       
  • 16. The attacker's interests The attacker is mainly interested in:  any sensitive information (credit card numbers,  usernames, passwords, certificates, keys, ..)  administrator/root passwords / hashes (in order  to escalate his privileges, access to admin web  interface or gain full database access)          www.nethemba.com       
  • 17. Cracking the hashes Hashes are invaluable source for the attacker  doing cracking by using:  big word­lists/dictionaries  brute­forcing (this can be very time consuming)  offline or online rainbow tables (for all hashes  which do not use salt including DES, LM,  NTLM, MD5, A5/1, ...)          www.nethemba.com       
  • 18. Admin web interface  the admin web interface is almost always much  more complex than the main application, less  restrictive allowing using own SQL  statements or running own system  commands and it is very often available from  the Internet (!)  the attacker cracks the admin hashes and gains  the access to the administrator web interface          www.nethemba.com       
  • 19. Another way to gain the admin web access I.  exploits a potential XSS vulnerability in the  application, the admin interface has to be in the  same SOP like the main application  it requires no admin interaction (in case of  persistent XSS, just reading “XSS­infected”  forum by administrator)  it requires admin interaction (in case of reflexive    or dom­based XSS), e.g. clicking “infected” link         www.nethemba.com       
  • 20. Injected javascript functionality  reads admin session ID from the cookie  if the cookie uses HttpOnly flag, it performs  TRACE request using XMLHTTPRequest and  receives the cookie in HTTP response  can perform CSRF request (and e.g. change  admin password)  can do a lot of ugly things (e.g. portscanning  admin's intranet)          www.nethemba.com       
  • 21. Another way to gain the admin web access II.  exploits bad session management  implementation (when the application uses just  cookies for session ID), thus the application  does not need to be vulnerable to SQL/XSS (!)  the attacker can perform CSRF request (send  arbitrary GET/POST request under  administrator), e.g. change admin password,  send forgotten password, set admin privileges    to another user, etc.        www.nethemba.com       
  • 22. Exploiting of local system  possibility to use own SQL statements (e.g. with  execute privileges or reading/writing local  files) or run own system commands almost  always leads to gaining the local system user  access (apache, www­data, webuser, ..)  consequently, exploiting the kernel is obviously  easy (there are many public available local root  exploits for all Linux kernels <= 2.6.31)          www.nethemba.com       
  • 23. Care about your kernel and  local system security! (e.g. using on­the­fly kernel patching)          www.nethemba.com       
  • 24. Cleaning the traces  after the successful attack, web server / WAF  /IPS / IDS logs are full of SQL injection attempts  when the attacker gains local root/admin, it's  usually easy to clean his traces (modify web  server / WAF / IPS / IDS logs, remove  suspicious entries from the database, ...)          www.nethemba.com       
  • 25. Always store logs on the read­ only medium or send them to the  remote non­hackable log server!          www.nethemba.com       
  • 26. Backdooring  nowadays, the best way of backdooring is to  use LKM rootkits – they are stealthy, non­ detectable, and completely immune against file­ system checksums/hashing (like Tripwire)  compromised server can be used as another  attacker proxy, or sold as a part of botnet on the  hacker's blackmarkets          www.nethemba.com       
  • 27. Summary  security should be always “multi­layered”  write secure code, use prepared statements  use whitelisting instead of blacklisting   do input and also output validation rd  use 3  layered database architecture  care about your local system security and  kernel          www.nethemba.com       
  • 28. References  http://proidea.maszyna.pl/CONFidence09/2/CONFidence2009_chema_jose.pdf  http://www.owasp.org/index.php/Blind_SQL_Injection  http://proidea.maszyna.pl/CONFidence09/2/CONFidence2009_gareth_heyes.pdf          www.nethemba.com       
  • 29. Thank you for your attention! pavol.luptak@nethemba.com          www.nethemba.com