A live hacking session demonstrating the different tools and techniques used by hackers and an in-depth understanding of the problems of insecure application and the solutions to solve the vulnerability.
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong
1. Lap Around Web Application
Vulnerabilities
Walter Wong
MVP – Visual Developer (Security)
walter_wws@hotmail.com
http://spaces.live.com/walterwws
2. Top 10 Web Application
vulnerabilities in 2007
1 • Cross-site Scripting (XSS)
2 • Injection Flaws
3 • Malicious File Execution
4 • Insecure Direct Object Reference
5 • Cross Site Request Forgery
6 • Information Leakage and Improper Error Handling
7 • Broken Authentication and Session Management
8 • Insecure Cryptographic Storage
9 • Insecure Communications
10 • Failure to Restrict URL Access
Source: http://www.owasp.org/index.php/top_10_2007
3. Agenda
The foundation of attack
Advance attack techniques
Obfuscation
Automated Testing
4. Foundation of attack
Application attack also known as “layer 7
attack”
Program is just a set of instruction.
Developer is the key protector
All input is evil (Writing Secure Code by Michael
Howard and David LeBlanc)
6. SQL Injection
Build SQL statement using string concatenation
Attacker change the semantics of SQL query
Developer prefer string concatenation because
is easy but they also known the safer method
but requires more thought
15. Path Traversal
Access files that application not intend to
access
To read any files in the system
Using “dot-dot-slash” to backtrack the folder
Example:
http://app.com/GetImage.aspx?file=....windowsrepairsam
16. Scenario #3
To prevent “Resource cannot be found”, developer
create a page to check whether the picture file it
exist or not. If doesn’t exist it will show the generic
image.
18. Advance Technique
Utilizing the basic attack techniques
Able to unveil a lot of privacy information of
servers
Example:
WMI Attack
Host File Hijacking
19. WMI Attack
WMI = Windows Management Instrumentation
WMI is a essential tools for IT Administrator to
manage the servers and workstations
Damages:
Retrieve server’s information
Remotely uninstall application
22. Host File Hijacking
Windows rely on DNS and Host file to resolve
the target IP address
Host file location :
%windir%system32driversetchosts
Damages:
Corrupt the host file so it can redirect the data to
malicious server
23. Scenario #5
Attacker redirect the traffic for www.abc.com to
different IP address. Imagine a antivirus
application refer the wrong IP address to
download the latest signature file.
25. Obfuscation
The default .Net assembly format allow
developer to disassemble and decompile.
Obfuscate is a process to rebuilds the .Net
assembly into a new format that is impossible
to dissemble, decompile and difficult to
understand.
Prevent competitors and hackers from getting
your source code.
26. Scenario #6
Attacker download the .Net assembly through
Path Traversal attack. He successfully dissemble
and decompile the assembly. Attacker now able to
view all the logic behind the source code.
28. Automated Testing
Develop your own testing tools
Automate your testing process
Visual Studio Tester Edition have a capability to
do automated testing
29. The Dark Side……
Brutal Force attack are using the same
technique
It is a common attack to “try” out password
To prevent such attack, identify the source.
MAC Address
IP Address
Login username
30. Scenario #7
Develop a simple application to automate the
brutal force attack on wireless router.
32. Steps to Defense Against Attackers
Validate both client-side and server-side input
Duplicated the validation functions in both
client-side and server side
NO SQL Injection – use Parameter class in .Net
NO XSS – Validate Input, Validate Output (VIVO)
Obfuscate your code TODAY!
Be innovative and creative in testing