Comprehensive Web App Vulnerability Analysis with Grendel-Scan
Transcript (the page title gives the venue only as "sans pen...")
David Byrne, Trustwave
Eric Duprey, Dish Network
Features
- Miscellaneous
  - Written in Java
  - Windows, Linux & OS X ports
- Manual testing
  - Internal intercepting / testing proxy
  - HTTP request fuzzer
  - Manual requests
Selected Test Modules
- Spider
  - HTML tag requester
  - Form baseline
  - Search engine recon
- File enumeration
- Session management
  - Session ID strength
  - URL session IDs
  - Session fixation
  - Authentication enforcement (experimental)
- Cross-site scripting (XSS)
- SQL injection
  - Error-based
  - SQL tautologies (experimental)
- Miscellaneous tests
  - CRLF injection
  - Directory traversal (experimental)
  - Generic fuzzing
- Information leakage
  - Platform error messages
  - Robots.txt
  - Comment lister
- Web server configuration
  - Cross-site tracing (XST)
  - Proxy detection
- Application architecture
  - Input / output flows
  - Offline website mirror
- Nikto
New Features
- X509 certificate authority
- Reverse proxy
- Advanced response comparison
- AMF
- GUI changes
Integrated X509 Certificate Authority
- CA / root cert generated on first start of the proxy
  - Persisted until deleted or a regeneration is requested
- On a client CONNECT request, a new X509 certificate is generated for the hostname (signed by the CA key)
- Server certificates are kept in memory only (not persisted on close)
- Minimal performance impact
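As an added illustration of the certificate handling just described (this is not Grendel-Scan's code), a Python sketch using the pyca cryptography package: one CA key and self-signed CA cert are made up front, and a leaf certificate per hostname is minted on first use, signed by the CA key and held only in memory. The names make_ca, LeafCertCache and signed_by are this example's own.

```python
# Added example, not Grendel-Scan's code; assumes the pyca 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _builder(subject_cn, issuer_name, pubkey):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(issuer_name).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365)))

def make_ca(common_name="Example Proxy CA"):
    """Root key and self-signed CA cert, made once; a real proxy persists both."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (_builder(common_name, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

class LeafCertCache:
    """One leaf cert per CONNECT hostname, signed by the CA key, kept in memory only."""
    def __init__(self, ca_key, ca_cert):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        # One key pair shared by all leaves keeps the per-host cost to one signature.
        self.leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self._certs = {}

    def get(self, hostname):
        if hostname not in self._certs:
            self._certs[hostname] = (
                _builder(hostname, self.ca_cert.subject, self.leaf_key.public_key())
                .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
                .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
                .sign(self.ca_key, hashes.SHA256()))
        return self._certs[hostname]

def signed_by(leaf, ca_cert):
    """True if the leaf's signature verifies under the CA certificate's public key."""
    try:
        ca_cert.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                    padding.PKCS1v15(), leaf.signature_hash_algorithm)
        return True
    except Exception:  # InvalidSignature
        return False
```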
Towards "valid" MITM certificates: wildcard?
"There is always an easy solution to every complex problem—neat, plausible, and wrong." -- H. L. Mencken
- Tried a static root cert and a server cert for "*"
  - Firefox accepts this; Internet Explorer, not so much
- Variations on this theme:
  - "*." accepted in Firefox for https://victim.com.
  - Still not acceptable in IE
- Nothing in the RFC suggests IE's implementation, but it is more secure in practice
- Other browsers not tested (area for further research)
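To make the two behaviours concrete, an added example (not from the slides or Grendel-Scan): a strict matcher that applies the RFC 6125 single-label wildcard rule, beside a lax glob matcher that, like the Firefox of the time, accepts "*" and "*." for any host. The function names strict_match and lax_match are this example's own.

```python
# Added example, not Grendel-Scan's code: strict vs. lax certificate name matching.
import fnmatch

def strict_match(cert_name, hostname):
    """RFC 6125-style rule: a wildcard may only be the whole left-most label, it
    must be followed by at least two more labels, and it stands for exactly one
    label. So "*.victim.com" covers "www.victim.com" but not "victim.com" or
    "a.b.victim.com", and bare "*" or "*." is refused outright."""
    name = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in name:
        return name == host
    labels = name.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def lax_match(cert_name, hostname):
    """Glob matching: "*" crosses label boundaries, so "*" covers every host and
    "*." covers any host written with a trailing dot, as the slides observed."""
    return fnmatch.fnmatchcase(hostname.lower(), cert_name.lower())
```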
Reverse Proxy
- Uses the integrated certificate authority
- Maps a single local port to a single remote port
- Future versions will support more intelligent routing
- No rewriting currently supported (local and remote ports must be the same number)
Response Comparison
- Logical file-not-found detection
- SQL tautologies
- Directory traversal
- Logged-out detection
Grendel's Comparison Techniques
- Tracks the actual score and the maximum possible score
- HTTP response code
- MIME type
- Set-Cookie name: 100
- Skewed Levenshtein distance of HTTP Location headers: 100
- Levenshtein distance of normalized HTML text nodes: 50
- HTML tag count ratios (min count / max count):
  - APPLET: 50
  - OBJECT: 50
  - EMBED: 50
  - TABLE: 30
  - TR: 15
  - A: 10
  - LINK: 10
  - IMG: 10
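An added example (not Grendel-Scan's code) that turns the criteria and weights listed above into a score and a maximum possible score for a pair of responses. The weights for response code and MIME type are not on the slide and are assumed to be 100 each, and the Location comparison is a plain rather than skewed Levenshtein ratio.

```python
# Added example, not Grendel-Scan's code. Status-code and MIME weights are assumed
# (100 each); the Location comparison is a plain Levenshtein ratio, not "skewed".
import re
from html.parser import HTMLParser

TAG_WEIGHTS = {"applet": 50, "object": 50, "embed": 50, "table": 30,
               "tr": 15, "a": 10, "link": 10, "img": 10}

class _Walker(HTMLParser):
    """Collects tag counts and text nodes from a response body."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = {}, []
    def handle_starttag(self, tag, attrs):
        self.tags[tag] = self.tags.get(tag, 0) + 1
    def handle_data(self, data):
        self.text.append(data)

def walk(html):
    w = _Walker()
    w.feed(html)
    # Normalized text: whitespace collapsed and lower-cased, so markup-only edits score equal.
    return w.tags, re.sub(r"\s+", " ", " ".join(w.text)).strip().lower()

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    longest = max(len(a), len(b))  # 1.0 for identical strings, 0.0 for disjoint ones
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

def compare(r1, r2):
    """Each r is a dict with status, mime, cookie_names, location, body; returns (score, max_score)."""
    tags1, text1 = walk(r1["body"])
    tags2, text2 = walk(r2["body"])
    parts = [(100, r1["status"] == r2["status"]), (100, r1["mime"] == r2["mime"]),
             (100, set(r1["cookie_names"]) == set(r2["cookie_names"])),
             (100, similarity(r1["location"], r2["location"])),
             (50, similarity(text1, text2))]
    for tag, weight in TAG_WEIGHTS.items():
        c1, c2 = tags1.get(tag, 0), tags2.get(tag, 0)
        if c1 or c2:  # min/max ratio; tags absent from both responses are not scored
            parts.append((weight, min(c1, c2) / max(c1, c2)))
    return sum(w * float(v) for w, v in parts), sum(w for w, _ in parts)
```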
Fuzzing
AMF Overview
- Action Message Format
  - ActionScript / JavaScript
  - Flash pile: Flex, AIR, Shockwave, etc.
- AMF0 released in 2001 with Flash Player 6
- AMF3 released with Flash Player 9
- In theory, an open standard
- Loosely based on SOAP; rides on HTTP, but a binary format
- Data transfer
  - Primitive data (numbers, Booleans, etc.)
  - Collections (arrays & maps)
  - Serialized objects
- Remote procedure call
- Pass data by reference, only within the same request
- Stateless; no built-in session handling
BlazeDS
- Java-based remoting/messaging server
- Supports communication via AMF rather than traditional XML/SOAP methods
- Messaging component allows publish/subscribe communication
- Remoting component allows Flex applications to invoke methods on server-side objects
- Open source / GPL!
AMF 0 Constants
  int kNumberType = 0;
  int kBooleanType = 1;
  int kStringType = 2;
  int kObjectType = 3;
  int kMovieClipType = 4;
  int kNullType = 5;
  int kUndefinedType = 6;
  int kReferenceType = 7;
  int kECMAArrayType = 8;
  int kObjectEndType = 9;
  int kStrictArrayType = 10;
  int kDateType = 11;
  int kLongStringType = 12;
  int kUnsupportedType = 13;
  int kRecordsetType = 14;
  int kXMLObjectType = 15;
  int kTypedObjectType = 16;
  int kAvmPlusObjectType = 17;
AMF 3 Constants
  int a3UndefinedType = 0;
  int a3NullType = 1;
  int a3FalseType = 2;
  int a3TrueType = 3;
  int a3IntegerType = 4;
  int a3DoubleType = 5;
  int a3StringType = 6;
  int a3XMLType = 7;
  int a3DateType = 8;
  int a3ArrayType = 9;
  int a3ObjectType = 10;
  int a3AvmPlusXmlType = 11;
  int a3ByteArrayType = 12;
AMF Example
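An added example (not Grendel-Scan's or BlazeDS's code): a decoder for the AMF0 markers listed above, written so that a fuzzed length or count field raises ValueError instead of reading past the buffer, which is the property a fuzzer such as the one in the tool is looking for. The class AMF0Decoder and its methods are this example's own; the strict-array branch deliberately never preallocates from the declared count, so a huge count simply fails at the first short read.

```python
# Added example, not Grendel-Scan's or BlazeDS's code: a minimal AMF0 decoder for the
# markers listed above, with bounds checks so hostile length fields raise ValueError.
import struct

kNumberType, kBooleanType, kStringType, kObjectType = 0, 1, 2, 3
kNullType, kUndefinedType, kECMAArrayType, kObjectEndType = 5, 6, 8, 9
kStrictArrayType = 10

class AMF0Decoder:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def _take(self, n):
        """Bounds-checked read: the one place a hostile length field is caught."""
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated AMF0 data at offset {self.pos} (need {n} bytes)")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _u16(self): return struct.unpack(">H", self._take(2))[0]
    def _u32(self): return struct.unpack(">I", self._take(4))[0]

    def _pairs(self):
        # Name/value pairs until the empty name followed by the object-end marker.
        out = {}
        while True:
            name = self._take(self._u16()).decode("utf-8")
            if name == "":
                if self._take(1)[0] != kObjectEndType:
                    raise ValueError("missing object-end marker")
                return out
            out[name] = self.read_value()

    def read_value(self):
        marker = self._take(1)[0]
        if marker == kNumberType:
            return struct.unpack(">d", self._take(8))[0]  # big-endian IEEE double
        if marker == kBooleanType:
            return self._take(1)[0] != 0
        if marker == kStringType:
            return self._take(self._u16()).decode("utf-8")
        if marker in (kObjectType, kECMAArrayType):
            if marker == kECMAArrayType:
                self._u32()  # declared count; the end marker, not the count, is authoritative
            return self._pairs()
        if marker == kStrictArrayType:
            return [self.read_value() for _ in range(self._u32())]
        if marker in (kNullType, kUndefinedType):
            return None
        raise ValueError(f"unsupported AMF0 marker {marker}")
```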
Rants
- "What Works in Penetration Testing?"
- Not automated scanners... er... at least they don't work well
- Discuss the testing plan with the client
Ever-changing Threats
- Everyone knows about SQL injection, XSS, etc.
- The OWASP Top Ten was never intended as a complete list
- Simple vulnerabilities are easy to exploit, easy to find, and easy to fix
- Absence of simple vulnerabilities is not sufficient protection
- Criminals can improve their skills too
What Automated Solutions Miss
- Theoretical
  - Logic flaws (business and application)
  - Design flaws
  - The Stupid
- Practical
  - Difficulty interacting with Rich Internet Applications (RIA)
  - Complex variants of common attacks (SQL injection, XSS, etc.)
  - Cross-Site Request Forgery (CSRF)
  - Uncommon or custom infrastructure
  - Authorization enforcement
  - Abstract information leakage
Real World Automation Results
The Stupid: Defense In-Depth
Input "sanitization" found in a real application (VB.NET): it removes a single quote only when it is the very first character, so a quote anywhere else in the search string passes through untouched.
  '2007-11-27 If single quote is at the start of the
  'search string, replace it with an empty string
  'refer to scanner report
  If uQuery.IndexOf("'") = 0 Then
      uQuery = uQuery.Substring(1, uQuery.Length - 1)
  End If
The Very Stupid: Awesome Exploit
  POST https://secure.example.com:443/Coupon.aspx HTTP/1.1
  Host: secure.example.com
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: https://secure.example.com/CartSummary.aspx
  Cookie: FDCX=RVLAXGDGJSQX634; email=dbyrne@trustwave.com
  Content-Type: application/x-www-form-urlencoded
  Content-length: 69

  FreePurchase=yes&Command=use-coupon&CouponNumber=11111111111111111111

Highlighted on the slide: FreePurchase=yes
Misc
- Web recon
- Future of Grendel
  - Selfish
  - XML web services

www.grendel-scan.com
David Byrne: [email protected]
Eric Duprey: [email protected]