Secure Programming and Common Errors - PART I

brought to you by Michele "AntiSnatchOr" Orrù and Integrating Web LTD
Computer System Security course, led by Prof. Ozalp Babaoglu
3 December 2009

Who am I?
- Director and CSO of Integrating Web LTD
- Bachelor Degree in Internet Sciences
- Independent Security Researcher
- Owner of http://antisnatchor.com, a security advisory blog
- JEE developer

Outline
Seminar outline (part I)

What we will discuss:
- The most relevant SANS Top 25 errors that concern web applications
- Practical demonstrations of some vulnerable real-world web applications (my own, totally independent security research)
- The impact of these threats on the most valuable web-app assets

Errors covered:
- CWE-20: Improper Input Validation
- CWE-116: Improper Encoding or Escaping of Output
- CWE-209: Error Message Information Leak
- CWE-89: Failure to Preserve SQL Query Structure (SQL injection)
- CWE-79: Failure to Preserve Web Page Structure (XSS)
- CWE-352: Cross-Site Request Forgery (XSRF)
CWE-20: Improper Input Validation
- The biggest issue on today's Internet applications (not just web apps)
- Improper input validation leads to security vulnerabilities when attackers can modify input in ways the application does not expect
- The only way to protect our applications is to treat all input as potentially malicious

CWE-20: Example
- 8e6 R3000 Internet Filter (commercial HTTP(S) proxy filter solution)
- Credits: nnposter
- The DNS-based website blacklist can be bypassed by sending a forged request with a custom HTTP header
- HTTP request:

    GET / HTTP/1.1
    X-DecoyHost: www.milw0rm.org
    Host: www.blocked.org

CWE-20: Mitigation
- Understand every potential attack surface: parameters, arguments, cookies, headers, files, databases...
- Whitelist approach instead of blacklist (with a blacklist you are certain to miss some character-encoding variants)
- Web-app case: use a web application firewall (ModSecurity/F5) or an input validation framework for your language
CWE-20: Mitigation - ModSecurity

CWE-20: Mitigation - OWASP ESAPI
- A common set of interfaces for security controls such as:
  - Authentication
  - Access Control
  - Input Validation
  - Output Encoding
  - Cryptography
  - Error handling/logging
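Worked example, added here and not part of the original slides or of any vendor's code: a small Python reconstruction of the two sides of the decoy-host bypass shown above, together with the whitelist approach from the mitigation slide. The request text is the one on the slide (with a constructed query string added so there is a parameter to validate); the blocked/allowed host lists, the `host_naive` heuristic and the `validate_request` rules are assumptions chosen to illustrate the class of parsing mistake, not how the R3000 filter actually worked.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request, built from the X-DecoyHost example on the slide.
DECOY_REQUEST = (
    "GET /seminari/archivio.php?anno=2008 HTTP/1.1\r\n"
    "X-DecoyHost: www.milw0rm.org\r\n"
    "Host: www.blocked.org\r\n"
    "\r\n"
)

BLOCKED_HOSTS = {"www.blocked.org"}                       # hypothetical blacklist
ALLOWED_HOSTS = {"www.dm.unibo.it", "www.example.org"}    # hypothetical allowlist


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers).
    Header names are lower-cased; duplicates are kept in order."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def host_naive(raw):
    """Constructed example of the kind of mistake behind a decoy-host bypass:
    take the first header whose name merely *ends with* 'host'.
    Not the vendor's logic; an illustration of the bug class."""
    _, _, headers = parse_request(raw)
    for name, value in headers:
        if name.endswith("host"):
            return value
    return None


def host_strict(raw):
    """Take only the header named exactly 'host', and fail closed when it is
    missing or duplicated (two Host headers is a smuggling smell)."""
    _, _, headers = parse_request(raw)
    values = [v for n, v in headers if n == "host"]
    if len(values) != 1:
        return None
    return values[0].lower()


def blacklist_says_blocked(raw, picker):
    """Blacklist decision; its quality is only as good as the header picker."""
    return picker(raw) in BLOCKED_HOSTS


YEAR_RE = re.compile(r"\d{4}")


def validate_request(raw):
    """Allowlist validation of the pieces this app actually consumes: the
    method, the Host header and the 'anno' query parameter. Anything not
    explicitly allowed is rejected. Returns (ok, reason_or_values)."""
    method, target, _ = parse_request(raw)
    if method not in ("GET", "HEAD"):
        return False, "method"
    host = host_strict(raw)
    if host not in ALLOWED_HOSTS:
        return False, "host"
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    years = query.get("anno", [])
    # exactly one value, and it must be four digits (fullmatch: no trailing junk)
    if len(years) != 1 or not YEAR_RE.fullmatch(years[0]):
        return False, "anno"
    return True, {"host": host, "anno": int(years[0])}
```

The naive picker reports `www.milw0rm.org` for the slide's request and lets it through the blacklist; the strict picker sees `www.blocked.org`. `validate_request` goes one step further and rejects the request outright because the host is not on the allowlist, and it would also reject the `anno=2008%27` probe used later in the talk.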
CWE-20: Mitigation - PHPIDS
- Attack-detection (intrusion detection) layer for the input of PHP-based applications
- Developed by skilled hackers (Mario Heiderich, .mario on sla.ckers.org)
- Try their demo with your nasty attack vectors here: http://demo.php-ids.org
- Integrated as a module in Drupal, works with the powerful Zend Framework (http://forum.php-ids.org/comments.php?DiscussionID=113)

CWE-116: Improper Encoding/Escaping of Output
- Insufficient output encoding is the often-ignored sibling of poor input validation
- Even if input has been filtered, application output may still be unsafe: it needs to be encoded too
- Common examples: HTML/JavaScript injection on web-based applications

CWE-116: Example
- Eclipse BIRT (reporting system that integrates with Java/JEE applications)
- Credits: antisnatchor [http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss]
- The Java exception stack trace was not HTML-encoded, so we can inject an iframe:

    GET /birt-viewer/run?__report='">
CWE-116: Mitigation
- Always encode Java stack traces (better still, don't show them at all, to prevent information leakage)
- Always encode application output, especially if it contains previously user-supplied input
- Web-app firewall and ESAPI/PHPIDS (you lazy developers :-))

CWE-209: Error Message Information Leak
- Chatty or debug error messages can disclose important information to attackers
- This information is used in the penetration-testing phase called "Reconnaissance"
- Even these little secrets can greatly simplify a more concerted attack that yields much bigger rewards
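Worked example, added here and not taken from the slides or from any of the applications discussed: the same request handler written the "debug" way (exception text and stack trace echoed to the client, unencoded) and the production way (generic message plus a random incident id, full trace only in the server log). `archivio_query` and `FakeDbError` are constructed stand-ins; the error text is a constructed imitation of a chatty database message and no database is involved.

```python
import logging
import traceback
import uuid
from html import escape

log = logging.getLogger("app")


class FakeDbError(Exception):
    """Constructed stand-in for a driver exception."""


def archivio_query(anno):
    """Constructed stand-in for a DB-backed lookup: fails on an injected
    quote the way a concatenated query would, without touching a DB."""
    if "'" in anno:
        raise FakeDbError(
            "You have an error in your SQL syntax; check the manual that "
            "corresponds to your MySQL server version near ''' at line 1")
    return "<ul><li>seminari %s</li></ul>" % escape(anno)


def handle_debug(anno):
    """The leaky version (CWE-209 plus CWE-116): the exception message and
    the trace are sent to the client as-is, so the response reveals the
    DB vendor, file paths and the query shape, and the unencoded message
    can carry attacker-controlled markup back into the page."""
    try:
        return 200, archivio_query(anno)
    except Exception as exc:
        return 500, "<pre>%s\n%s</pre>" % (exc, traceback.format_exc())


def handle_prod(anno):
    """The hardened version: log the full trace server-side under a random
    incident id; the client gets only a generic, encoded message carrying
    that id, which is enough for support to correlate with the log."""
    try:
        return 200, archivio_query(anno)
    except Exception:
        incident = uuid.uuid4().hex
        log.exception("incident %s while serving anno=%r", incident, anno)
        body = "<p>Sorry, something went wrong. Reference: %s</p>" % escape(incident)
        return 500, body


def leaks_internals(body):
    """Crude check a reviewer can run over a response body: does it carry
    any of the markers an attacker would use to fingerprint the stack?"""
    markers = ("Traceback", "MySQL", "SQL syntax", ".java:", ".php on line")
    return any(m in body for m in markers)
```

With the `anno=2008'` probe from the next slides, `handle_debug` returns the MySQL-style text (this is how the DB backend gets fingerprinted), while `handle_prod` returns a 500 whose body contains only the reference id.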
CWE-209: Examples - 1. www.dm.unibo.it
- Credits: antisnatchor
- MySQL error when forging a malicious request altering the anno parameter:

    GET /seminari/archivio.php?anno=2008%27 HTTP/1.1
    Host: www.dm.unibo.it
    [...]
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Proxy-Connection: keep-alive
    Cookie: dm=[...]

- Application response: the MySQL error message (shown on the slide)
- By causing an SQL syntax error we discovered that the DB backend is MySQL
- We can now run more targeted attacks
CWE-209: Examples - 2. uniwex.unibo.it
- Credits: antisnatchor
- Session management was (and actually still is) broken and can be manipulated
- If we are the hacker riding the victim's session, and the victim then logs out from Uniwex, his session (and ours, because it is the same one) is invalidated
- If we invalidate a session and then try to submit the previously "invalid" session token... MAGICALLY...
- The JSP page /unique/UniqueNewException.jsp was clearly left there for debug purposes
- It shouldn't be there in production!!!
- This revealed to us that Tomcat is used as the application server, and we also obtained the specific versions of a few frameworks on which the application was built:

    /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/struts-1.1.jar
    /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/myfaces-api-1.1.4.jar

CWE-89: SQL Injection
- These days most software is all about the data and how it can be served to maximize user and business needs
- The most common storage solution is a relational database (Oracle, MySQL, Postgres, MS-SQL, Sybase)
- If attackers can influence the SQL you use to communicate with your database, they can do nasty things for fun and profit
- Discovering which web application parameters/cookies/headers are querying the DB, we can test whether input is properly escaped or not
- The previous example on www.dm.unibo.it demonstrates that input is not being escaped at all
- Once we have discovered the SQL injection we can fire up our favourite injection tool to retrieve useful information

CWE-89: Example - 1. www.dm.unibo.it
- Credits: antisnatchor
- Confirmed unescaped numeric injection on GET parameter "anno"
- We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0
- For demonstration we retrieved the exact name of the database to which the web app is bound: dipartimento
CWE-89: Example - 2. www.virtus.it
- Credits: antisnatchor
- Confirmed unescaped numeric injection on GET parameter "ID" (SPNewsDettaglio.asp)
- We were able to obtain details about the application stack: Microsoft IIS 6, ASP and SQL Server 2000
- We retrieved the exact name of the database to which the web app is bound: ServizioNews (and a few tables too)

CWE-89: Mitigation
- Implement a validation framework (previously discussed) to protect your application
- Bind user input as query parameters (prepared statements), so it travels as data and can never change the query structure
- Use stored procedures (they only help if they do not build dynamic SQL from their arguments themselves)
- ORM layers: Hibernate on JEE, NHibernate on .NET (they parameterize queries for you, as long as you don't concatenate input into HQL or native queries)
- DB specific: Oracle's DBMS_ASSERT package, MySQL's mysql_real_escape_string() (also exposed by PHP). Note that escaping only protects quoted string contexts: the numeric injections on "anno" and "ID" above are not stopped by string escaping unless the value is also validated as a number
- Use a whitelist approach, permitting only "known good input"
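Worked example, added here and not code from the slides or from the sites discussed: the "unescaped numeric injection" on a year parameter, reproduced against a constructed in-memory SQLite table (the real targets ran MySQL and SQL Server; SQLite is used only so the block runs offline), beside the parameterized fix from the mitigation slide. Table name, column names and rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a 'seminari' archive."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE seminari (id INTEGER PRIMARY KEY, anno INTEGER, titolo TEXT)")
    conn.executemany(
        "INSERT INTO seminari (anno, titolo) VALUES (?, ?)",
        [(2007, "Seminario A"), (2008, "Seminario B"),
         (2008, "Seminario C"), (2009, "Seminario D")])
    return conn


def archivio_vulnerable(conn, anno):
    """The unescaped numeric injection: the raw parameter is pasted into
    the SQL text. Because the context is numeric (no quotes around it),
    string escaping would not help; only validation or binding does."""
    sql = "SELECT titolo FROM seminari WHERE anno = " + anno
    return [row[0] for row in conn.execute(sql)]


def archivio_parameterized(conn, anno):
    """The fix: validate the type and range, then bind the value.
    The driver sends it as data, so it cannot alter the query structure."""
    try:
        year = int(anno)
    except ValueError:
        raise ValueError("anno must be a four-digit year") from None
    if not 1900 <= year <= 2100:
        raise ValueError("anno out of range")
    sql = "SELECT titolo FROM seminari WHERE anno = ?"
    return [row[0] for row in conn.execute(sql, (year,))]


def quote_probe(query_fn, conn, anno="2008'"):
    """The fingerprinting step from the dm.unibo.it example: a lone quote
    that breaks the query proves the parameter is concatenated. Returns
    the error text (what a chatty error page would leak) or None."""
    try:
        query_fn(conn, anno)
    except (sqlite3.Error, ValueError) as exc:
        return str(exc)
    return None
```

Against the vulnerable function, `anno=2008 OR 1=1` returns every row and the quote probe surfaces the database's own syntax error; against the parameterized one the same inputs are rejected before any SQL is built, with an application-level message that reveals nothing about the backend.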
CWE-89: Dangers
- As you can see, SQL injection can be devastating for the integrity of your data
- Data loss is probably the most damaging consequence for an enterprise
- If the web application stores web page content inside the DB (most of them do, if not all), we can deface the site too

CWE-79: The Plague of Cross Site Scripting
- We can inject JavaScript, HTML, VBScript or other browser-executable content into pages generated by the application
- The page is then accessed by other users, whose browsers execute that malicious script in the context of the legitimate site, with the victim's session and privileges

CWE-79: Examples
1. www.cia.gov
2. portal.hotspotsvankpn.com
CWE-79: Mitigation
- A real-world case example: Apache OFBiz's implementation of the ESAPI toolkit
- After my JIRA issue they started to take real care of security (I'm glad of it)
- See http://fisheye6.atlassian.com/changelog/ofbiz?cs=746409 and http://antisnatchor.com/2008/12/11/apache-ofbiz-multiple-security-vulnerabilities
- The changes to the StringUtil.java class (shown on the slide)
- The changes to the ModelScreenWidget.java class (shown on the slide)

CWE-79: Mitigation
- Validate every parameter/cookie/header/input that can be manipulated by a potential attacker and then displayed on the page
- Do not create your own filters: you'll probably miss some attack vectors or encodings
- Use well-known encoding/validation frameworks such as ESAPI, PHPIDS, Microsoft Anti-XSS (yes, Microsoft, don't laugh please :-))
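Worked example serving both the CWE-116 mitigation slide and the CWE-79 mitigation slide above; it is added here and is not code from the slides, from OFBiz or from ESAPI. In keeping with "do not create your own filters", every encoder is a standard-library one (`html.escape`, `json.dumps`, `urllib.parse.quote`); the only thing written here is the choice of encoder per output context, which is exactly what ESAPI's `encodeForHTML`/`encodeForHTMLAttribute`/`encodeForJavaScript`/`encodeForURL` family is about. The page template and the `__report`-style value reflected into it are constructed.

```python
import json
from html import escape
from urllib.parse import quote


def for_html_text(s):
    """Text node: &, <, >, " and ' become entities."""
    return escape(s, quote=True)


def for_html_attr(s):
    """Double-quoted attribute value. Same entities; the template must
    always wrap the result in double quotes, otherwise a space ends it."""
    return escape(s, quote=True)


def for_js_string(s):
    """Inside a <script> string literal: JSON-encode (quotes, backslashes,
    control characters), then also hex-escape < and > so that a value
    containing '</script>' cannot close the script block early."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def for_url_param(s):
    """Query-string value: percent-encode everything that is not unreserved."""
    return quote(s, safe="")


def render_report_page(report_name):
    """One untrusted value reflected into four different output contexts,
    each with the encoder that matches that context. Mirrors the kind of
    page the BIRT '__report' parameter ended up in."""
    return (
        '<p>Report: {text}</p>\n'
        '<input name="__report" value="{attr}">\n'
        '<a href="/birt-viewer/run?__report={url}">rerun</a>\n'
        '<script>var report = {js};</script>'
    ).format(
        text=for_html_text(report_name),
        attr=for_html_attr(report_name),
        url=for_url_param(report_name),
        js=for_js_string(report_name),
    )
```

A value such as `'"><iframe src=//evil.example>` (constructed, in the spirit of the BIRT iframe injection) comes out as entities in the text and attribute contexts, as `%27%22%3E%3C...` in the URL, and as a JSON string with `\u003c`/`\u003e` inside the script block; no context receives a literal `<iframe`. Using the wrong encoder for a context (for example `html.escape` inside a JavaScript string, or nothing at all in the attribute) is the mistake the BIRT and OFBiz cases show.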
CWE-352: Cross Site Request Forgery
- It exploits the trust that a website has in the currently authenticated user and executes unwanted actions on a web application on his behalf
- Once the request gets to the application, it looks as if it came from the user, not the attacker
- If the victim has admin privileges on the application: GAME OVER

CWE-352: XSRF Concrete Consequences
- Performing illegal actions such as using the victim's shopping cart, executing stock trades
- Changing DNS settings of home routers (thanks pdp & GNUCITIZEN)
- Performing a Denial of Service attack on the application
- Combining it with XSS to build WORMS
CWE-352: XSRF Concrete Consequences
1. Find a page with a lost-password form inside and find out which fields would be updated
2. Trick the administrator into loading a hacker page with a malicious request on it that submits a new email
3. The administrator's e-mail is now changed to the email submitted by the hacker
4. The hacker performs a lost-password request and receives a new password

CWE-352: XSRF - Who has been vulnerable?
- ING Direct ["We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account."]
- YouTube
- New York Times
- Gmail [http://directwebremoting.org/blog/joe/2007/01/01/csrf_attacks_or_how_to_avoid_exposing_your_gmail_contacts.html]
CWE-352: XSRF Example
- A simple practical attack:

    http://x.x.x.x/account/doTransfer?from=666&to=667

- where 666 is a potential victim's account and 667 the attacker's one
- Tricking the victim into loading that URL will transfer money from one account to the other
- If the victim is already authenticated she will not even realize what she did

CWE-352: XSRF - 1. Apache OFBiz
- Read my advisory here: https://issues.apache.org/jira/browse/OFBIZ-1959
- We can create a malicious form that will add a product (possibly with some JS inside) to the Catalog
CWE-352: XSRF - 1. Apache OFBiz (continued)

CWE-352: XSRF Mitigation
- Use a secure framework such as ESAPI to add a random token to your requests, and verify it server-side on every state-changing request
- Implement AJAX functionality with secure libraries such as DWR 2.0 (Direct Web Remoting), which automatically prevents XSRF

Thanks for your attention!
Questions?
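Appended worked example for the XSRF mitigation slide; it is added here and is not code from the slides, from ESAPI or from DWR. It shows the synchronizer-token pattern those frameworks implement: one unguessable token per session, embedded in the site's own form, and checked in constant time on every state-changing request, which defeats the one-URL `doTransfer` attack from the example slide. The `Session` class, the form and the `do_transfer` endpoint are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs


class Session:
    """Constructed minimal server-side session: one random anti-XSRF token
    per login, drawn from the OS CSPRNG (256 bits, URL-safe base64)."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session, action="/account/doTransfer"):
    """The token is embedded in the page the legitimate site serves. A page
    on another origin cannot read it (same-origin policy), so a forged
    request from the attacker's site cannot include it."""
    return (
        '<form method="POST" action="%s">'
        '<input type="hidden" name="csrf_token" value="%s">'
        '<input name="from"><input name="to"><input type="submit">'
        '</form>' % (action, session.csrf_token)
    )


def do_transfer(session, method, body=""):
    """State-changing endpoint. Refuses GET (so a bare link or <img src>
    cannot trigger it), then requires the session's token in the POST
    body, compared in constant time. Returns (status, message)."""
    if method != "POST":
        return 405, "state changes only via POST"
    form = parse_qs(body, keep_blank_values=True)
    sent = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(sent, session.csrf_token):
        return 403, "missing or invalid anti-XSRF token"
    src = form.get("from", [""])[0]
    dst = form.get("to", [""])[0]
    if not (src.isdigit() and dst.isdigit()):
        return 400, "bad account id"
    # Authorization check on 'src' belongs here too: the token proves the
    # request came from our page, not that the user owns account 'src'.
    return 200, "transferred from %s to %s on behalf of %s" % (src, dst, session.user)
```

The forged `from=666&to=667` request fails twice over: as a GET it is refused outright, and as a POST without (or with a guessed) token it gets a 403. Only a submission of the form the site itself rendered, carrying that session's token, succeeds. The token check is about request origin, not authorization, so the ownership check on the source account still has to be done separately.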