
How to Break Web Software
Functional and Security Testing of Web Applications and Web Services

Joe Basirico
Dev. Manager
Course outline

• Who we are and why we’re here


• The web is different
• The Attacks!
– Panning for gold
– Bypass client-side validation
– SQL injection
– Buffer overflows
– Fake Cryptography
Who is Security Innovation?

• Leading Software Security Solutions Firm, that delivers
  • Professional Services (Risk Assessment and Risk Mitigation)
  • Professional Education
  • Tools & Guidance
  – To ...
    • Enterprise IT organizations
    • Enterprise Software Development organizations
    • Technology Vendors
  – So Organizations can...
    • Understand the vulnerabilities and risks that their software systems pose
    • Incorporate security and manage risk throughout the Software Development and Management lifecycle.

Security Innovation has offices in Amsterdam, Boston, and Seattle, and widely-adopted security testing methodologies and education courses
Is this really that big of a deal?
(aka scare the pants off of you, slide)

[Chart: vulnerabilities reported per year, 1999 through 2008 (2008 extrapolated); y-axis 0 to 9000]
Source: http://www.cert.org/stats/fullstats.html
Need More?

• Microsoft, IBM, Sun, and CISCO have all adopted a similar software methodology to what I’m going to explain later
• They’ve moved from the Software Development Lifecycle to a Secure Software Development Lifecycle
• This may seem subtle, but believe me it’s not!


More!?

• Attacks are up 450%!
• Breaches cost companies more than $450 Million dollars last year
• SQL Slammer cost us about 1.2 Billion dollars
• Code Red – 2.6 Billion dollars
• Love letter (remember this one?) – 9 Billion dollars

This is just 900 milli


Course outline

• Who we are and why we’re here


• The web is different
• The Attacks!
– Panning for gold
– Bypass client-side validation
– SQL injection
– Buffer overflows
– Fake Cryptography
The web is different

• We’ve been connecting computers for years
• Today we use the web to solve very complex and difficult tasks
  – E-commerce
  – E-mail
  – Banking
• To do this we need very complex technologies
  – ASP.net / JSP / CGI etc.
  – AJAX / Script / ActiveX / Java Applets
The web is stateless

• Don’t let anybody tell you any different
• To track state through the web we stack more technology on top
  – Cookies
  – Session Variables
Opposing goals
[Diagram of competing goals: Reliability, Maintainability, Performance, Security, Functionality, Usability]
The fault model

• The Server where the Web content resides
• The network that connects the two
• The client where the content is to be served
The Attacks!
Complete list
• Gathering Information on the Target
  – Panning for gold
  – Guessing files and directories
  – Holes left by other people
    • Vulnerabilities in sample applications
• Attacking the Client
  – Bypass restrictions on input choices
  – Bypass client-side validation
• State-Based Attacks
  – Hidden fields
  – CGI parameters
  – Cookie poisoning
  – URL jumping
  – Session hijacking
• Attacking User Supplied Input Data
  – Cross-site scripting
  – SQL injection
  – Directory traversal
• Language Based Attacks
  – Buffer overflows
  – Canonicalization
  – NULL-string attacks
• Attacking the Server
  – SQL injection II – Stored procedures
  – Command injection
  – Fingerprinting the server
  – Denial of service
• Authentication
  – Fake Cryptography
  – Breaking authentication
  – Cross-site tracing
  – Forcing weak cryptography
Attack overview

• Overview
• When to apply this attack
• How to conduct this attack
• How to protect against this attack
• Example or Demo
Course outline

• Who we are and why we’re here


• The web is different
• The Attacks!
– Panning for gold
– Bypass client-side validation
– SQL injection
– Buffer overflows
– Fake Cryptography
Attack 1 panning for gold
Overview

• Looking for information an attacker could use to leverage later


• Username/Passwords
• HTML comments
• Connection strings
• Error Messages
Panning for gold
How to conduct this attack

• Read the source code – boring!
• Map the pages of the site
• ViewSource for hidden fields, javascript, comments etc.
• Force all error messages to occur
  – We’ll get into this more later
• Use a tool!
  – Grep is your friend ☺
Panning for gold
Grep – or other regex search

Item / Description / Regular Expression

HTML comments
  Usually nav/page section markers, but sometimes interesting
  <!--[^-][\w\W]*?[^-]-->
Application comments
  All app comments should be removed
  <!---[\w\W]*?--->        (Cold Fusion)
  //.*                     (single line comments)
  /\*[\w\W]*?\*/           (C style comments)
  ^'.*                     (VB comments)
  rem\s.*                  (VB comments)
IP addresses
  May reference servers other than the primary server
  [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
E-mail addresses
  May be private e-mail addresses for the developers
  [\w]*(\.[\w]*)*@[\w]*(\.[\w]*)
SQL queries
  A giant nugget of gold!
  SELECT\s[\w\*\)\(\,\s]+FROM\s[\w]+   etc.
Database connection strings
  Could cause false positives but could help you discover new database servers
  Provider|Data\sSource|Driver
Hidden input fields
  Can save a lot of time from looking for these later
  <input\s[\w\W]*?type=(")?hidden(")?[\w\W]*?>
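The grep pass above, as an added Python example that is not part of the slides: the page source is a constructed sample seeded with the leak types the table lists, and the expressions are tightened versions of the slide's (the originals can run across unrelated text), so a developer can run this over their own pages before release.

```python
import re

# Constructed sample page source (not from the slides) seeded with the kinds of
# leaks the grep table looks for: a developer comment holding a connection
# string, hidden fields, an e-mail address, an internal IP and a raw SQL query.
SAMPLE_HTML = """<html><head><title>Accounts</title></head><body>
<!-- TODO remove before release. DSN: Provider=SQLOLEDB;Data Source=db01.internal;User ID=app -->
<form action="/transfer" method="post">
<input type="hidden" name="account_id" value="4417">
<input type="hidden" name="is_admin" value="0">
<input type="text" name="amount" maxlength="6">
</form>
<script>
// mail dev@example.com if "SELECT id, balance FROM accounts" times out
var backup = "10.0.0.12";
</script></body></html>"""

# Tightened versions of the slide's expressions; none use capturing groups,
# so findall() returns the whole matched text.
PATTERNS = {
    "html_comment": re.compile(r"<!--(?:(?!-->)[\w\W])*-->"),
    "hidden_field": re.compile(r"<input\s[^>]*type\s*=\s*[\"']?hidden[\"']?[^>]*>", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sql_query": re.compile(r"SELECT\s[\w*(),\s]+FROM\s\w+", re.I),
    "connection_string": re.compile(r"Provider|Data\sSource|Driver"),
}

def pan_for_gold(html):
    """Run every pattern over the page source; return {finding: [matches]} for hits only."""
    return {name: rx.findall(html) for name, rx in PATTERNS.items() if rx.search(html)}

if __name__ == "__main__":
    for kind, matches in pan_for_gold(SAMPLE_HTML).items():
        print(f"{kind}: {matches}")
```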
Panning for gold
Example
Panning for gold
Example 2
Attack 2 Bypass client side validation
Overview

JavaScript is not a security feature!!!!
• JavaScript is not a security feature!!!!
Attack 2 Bypass client side validation
Overview

• Validation is a tough problem
• Post-backs are expensive
  • Bandwidth
  • Server processor time
  • Usability
• Hidden fields
• Input size restrictions
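The server-side counterpart to the checks this attack bypasses, as an added example that is not part of the slides: a constructed transfer form whose browser-side JavaScript enforces a dropdown, a maxlength and a hidden account id, and a hypothetical validate_transfer() that re-checks all three once the request reaches the server.

```python
# Constructed example: a transfer form with a currency dropdown, an amount field
# declared with maxlength="6", and a hidden account_id. None of that survives a
# proxy or a saved-and-edited copy of the page, so the server re-checks everything.
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}   # the server's own copy of the dropdown choices
AMOUNT_MAXLEN = 6                            # the maxlength the HTML declares

def validate_transfer(form, session):
    """Re-validate a posted form server-side. Returns (ok, errors, cleaned).

    form:    dict of posted fields exactly as the client sent them (untrusted)
    session: server-side session state; the account id comes from here, never the form
    """
    errors, cleaned = [], {}
    # 1. Hidden field: never trust it. Use the authenticated session's value and
    #    flag a mismatch, which only happens when the field was edited.
    if "account_id" in form and form["account_id"] != session["account_id"]:
        errors.append("account_id in form does not match session (tampered hidden field)")
    cleaned["account_id"] = session["account_id"]
    # 2. Input size: maxlength is a hint to the browser, so enforce it again here.
    amount = form.get("amount", "")
    if len(amount) > AMOUNT_MAXLEN:
        errors.append(f"amount longer than {AMOUNT_MAXLEN} characters")
    elif not amount.isdigit() or int(amount) <= 0:
        errors.append("amount must be a positive integer")
    else:
        cleaned["amount"] = int(amount)
    # 3. Restricted choices: a dropdown limits nothing once the request leaves the browser.
    currency = form.get("currency", "")
    if currency not in ALLOWED_CURRENCIES:
        errors.append(f"currency {currency!r} is not an allowed choice")
    else:
        cleaned["currency"] = currency
    return (not errors, errors, cleaned)
```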
Bypass client side validation
How to conduct this attack

• “Turn off” events


• Save and edit Web Pages
• Use a tool
– Pagespy
– Localhost proxy
• Burp proxy
• Snark
• Paros
– DOM inspector
Bypass client side validation
Example

• Raleigh, North Carolina cable news channel shut down a Web application designed to allow local schools and businesses to report weather related closings
• The system allowed users to submit a message that would get read and approved by a human…the problem: checks weren’t done to ensure that users couldn’t change their message after approval
• "It was a Web-based system that we had used two, almost three years, with nobody taking advantage of it" – News 14's Charlie Schell
SQL injection
Overview

• The most used data storage mechanism
• SQL allows the web application to talk to the database
• Poorly coded SQL statements allow an attacker to append or inject additional statements
SQL injection
How to conduct this attack

• Bypass client side validation functions
• Try SQL specific characters in all input fields
  • Textboxes
  • Drop down list boxes
  • Hidden fields
  • URLs
  • Integers
  • Anywhere!

Character   Meaning        URL Encoded*
'           Close string   %27
--          Comment        %2d%2d
;           End command    %3b
How did this happen?!

Original Query (trying with username "sam" and blank password):
  Select * From Financial_Records Where username = 'sam' and password = ''
Result: Login Failure

We put in:
  sam' --
(effectively removes the need for a password!)

New Query:
  Select * From Financial_Records Where username = 'sam'-- ' and password = ''
Result: Sam's records without needing a password!
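The query above run both ways, as an added example that is not from the slides: a constructed in-memory SQLite stand-in for Financial_Records, the slide's concatenated query, and the parameterized form that is the standard fix.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slide's Financial_Records table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Financial_Records (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO Financial_Records VALUES (?, ?, ?)",
                     [("sam", "s3cret", 1200), ("alice", "hunter2", 55)])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The slide's query built by string concatenation: the user's text is spliced
    into the statement, so a closing quote plus "--" comments out the password check."""
    sql = (f"SELECT * FROM Financial_Records WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    """The fix: bound parameters. The statement text is fixed and inputs travel as
    data, so "sam' --" is compared to the username column as a literal string."""
    sql = "SELECT * FROM Financial_Records WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, sam / blank:      ", login_vulnerable(db, "sam", ""))
    print("vulnerable, sam' -- / blank:  ", login_vulnerable(db, "sam' --", ""))
    print("parameterized, sam' -- / blank:", login_parameterized(db, "sam' --", ""))
```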
Attack 3 Buffer overflows
Overview

• The historic. The notorious. The Dangerous. The Buffer Overflow!
• Overflowing a buffer and overwriting the return address can allow an attacker to run arbitrary code on the server
• For in depth explanation please see me after class


Attack 3 Buffer overflows
How to conduct this attack

• Probably the easiest attack to conduct
  – Can be difficult to fully exploit
• Simply fill every input field with as much data as possible
• Try places with maxlength fields and other developer restrictions
• Difficult to get return on, though, with modern server/web applications
  – Search for legacy applications in native code
Buffer Overflows
Live Demo!
How did this happen?!
Fake cryptography
Overview

• Sensitive data must be encrypted
• Happening since the Roman Empire
• Crypto helps with Confidentiality and Integrity of data
• “Roll Your Own” crypto is a bad idea
• Tough to weigh performance with sensitivity
• Casual inspection of “encrypted” data often looks random enough
Fake cryptography
How to conduct this attack

• Try variable length strings and look for = signs at the end (base64 encoding)
• Change one letter and look how the encrypted string changes
  – ROT
  – XOR
• Use a tool
  – Napkin
  – Many online tools
• Find the developer and ask (gasp!)


Fake Cryptography
Hands On

• VGhpcyBpcyBzZWN1cmUgcmlnaHQ/
• dGhlIHF1aWNrIGJyb3duIGZveA==
• %73%75%70%65%72%20%73%65%63%75%72%65%21
• rtodq rdbtqd?
• F8238BA10DCB2F19F21D5A48FB735558
• 64C7F53D540AAFB387FEE20A40BF03854E0925B3
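The heuristics from the "How to conduct this attack" slide applied to the hands-on strings, as an added Python example that is not part of the slides: classify() spots base64 (character set, length a multiple of four, trailing =), percent-encoding, hex digests of MD5/SHA-1/SHA-256 length (hashes, nothing to decode) and letter shifts scored against a small constructed word list; anything a reviewer can reverse this way is encoding, not encryption.

```python
import base64
import binascii
import re
import string
from urllib.parse import unquote

# Hex digests of these lengths are hashes, not ciphertext: nothing to decode.
HEX_DIGEST_LEN = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
# Constructed mini word list used to score Caesar/ROT candidates.
COMMON_WORDS = {"the", "is", "and", "this", "secure", "password", "user"}

def _printable(raw):
    """Return raw as str if it is printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(ch in string.printable for ch in text) else None

def caesar_candidates(token):
    """Try every letter shift; keep (shift, plaintext) pairs that contain a known word."""
    hits = []
    for shift in range(1, 26):
        out = "".join(chr((ord(c) - 97 + shift) % 26 + 97) if c.islower()
                      else chr((ord(c) - 65 + shift) % 26 + 65) if c.isupper()
                      else c for c in token)
        if set(re.findall(r"[a-z]+", out.lower())) & COMMON_WORDS:
            hits.append((shift, out))
    return hits

def classify(token):
    """Return (label, recovered plaintext or None) for one opaque-looking string."""
    if re.fullmatch(r"[0-9A-Fa-f]+", token) and len(token) in HEX_DIGEST_LEN:
        return (f"hex digest, {HEX_DIGEST_LEN[len(token)]} length", None)
    if re.fullmatch(r"(?:%[0-9A-Fa-f]{2})+", token):
        return ("percent-encoding", unquote(token))
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token) and len(token) % 4 == 0:
        try:
            plain = _printable(base64.b64decode(token, validate=True))
        except binascii.Error:
            plain = None
        if plain is not None:
            return ("base64", plain)
    hits = caesar_candidates(token)
    if hits:
        return (f"caesar shift {hits[0][0]}", hits[0][1])
    return ("unknown", None)
```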
Complete list
• Gathering Information on the Target
  – Panning for gold
  – Guessing files and directories
  – Holes left by other people
    • Vulnerabilities in sample applications
• Attacking the Client
  – Bypass restrictions on input choices
  – Bypass client-side validation
• State-Based Attacks
  – Hidden fields
  – CGI parameters
  – Cookie poisoning
  – URL jumping
  – Session hijacking
• Attacking User Supplied Input Data
  – Cross-site scripting
  – SQL injection
  – Directory traversal
• Language Based Attacks
  – Buffer overflows
  – Canonicalization
  – NULL-string attacks
• Attacking the Server
  – SQL injection II – Stored procedures
  – Command injection
  – Fingerprinting the server
  – Denial of service
• Authentication
  – Fake Cryptography
  – Breaking authentication
  – Cross-site tracing
  – Forcing weak cryptography
How to Contact Me - Joe Basirico

Snail Mail:
Security Innovation
616 1st Ave
Suite 400
Seattle WA, 98112

E-mail & Web:
jbasirico@securityinnovation.com
http://www.securityinnovation.com

Telephone:
c) 1 (206) 227-6458
w) 1 (206) 438-3910

Questions? Comments?
