Offensive Technologies, Fall 2016 - UniTrento
Lecture 1 - General Introduction to Vulnerabilities in Web Applications
Stanislav Dashevskyi
https://securitylab.disi.unitn.it/doku.php?id=course_on_offensive_technologies

About this lecture
• The whole course is dedicated to the identification, testing and mitigation of various forms of security vulnerabilities
• The purpose of this lecture is to briefly introduce the background needed for recognizing some of the vulnerabilities in the source code
• We will test this ability using a practical exercise on Wednesday: it is important for the latter part of the course

Outline
• Vulnerabilities in web applications
• Injection vulnerabilities
• Information Disclosure vulnerabilities
• Session Fixation vulnerabilities
• Denial of Service vulnerabilities

Vulnerabilities in web applications
• Many security holes in corporate IT are not due to worms or viruses, but due to vulnerabilities in the source code of applications
– These vulnerabilities are often exploited by attackers for both fun and profit
• Differences between web and client-server applications open enterprises to significant risk
– JavaScript has diffused the boundaries between client and server
– Easier to deploy, harder to maintain securely
• Web application security is critical for businesses
• Finding and fixing web application vulnerabilities is mostly about looking at the source code

Practical Approaches in Vulnerability Discovery
• Software security is a problem that is very hard to define
• "A system is secure if and only if it starts in a secure state and cannot enter an insecure state" – the Bell-LaPadula model
– Even if we could define it, it's impossible to formalize:
• "I do not want my email to be read by others"
– There is no way to define a desired behavior for a considerably complex system
• Different stakeholders act according to the "tragedy of the commons" dilemma
– It is nearly impossible to analyze software behavior conclusively
• A. Turing's halting problem
• H. G. Rice's theorem
• For now, security is largely a non-algorithmic problem
– Eventually, security field specialists fall back to a set of empirical recipes

Practical Approaches in Vulnerability Discovery (continued)
• Plan to have everything compromised
– Everything is vulnerable
• Rely on tools to detect and correct SPECIFIC problems, but do not replace everything by tools
– Tools can help in finding certain vulnerabilities, but they are nothing without knowledge
• Learn from (preferably) others' mistakes
– We can use Open Source Software to learn

Why look at open source software?
• There is little difference with commercial software
• The source code and development histories are available
• Often, open source maintainers are doing a good job in documenting vulnerabilities, so it is possible to reverse-engineer them
• Many commercial systems are using open source components, thus the learning effort will be useful

A quick look at vulnerability taxonomy
• There are different categories, classifications and databases
– Open Web Application Security Project (OWASP) Top 10 list
– Common Weakness Enumeration (CWE)
– Common Weakness Scoring System (CWSS)
– The National Vulnerability Database (NVD)
– Open-sourced Vulnerability Database (OSVDB)
– IARPA Securely Taking On New Executable Software of Uncertain Provenance (STONESOUP)
• Almost all these vulnerabilities are related to problems in the source code
– Design errors
– Implementation errors
– Many of them are language/framework independent

OWASP Top 10 (2013)
A1: Injection
A2: Broken Auth. and Session Management
A3: Cross-site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-site Request Forgery (CSRF)
A9: Using Components with Known Vulns.
A10: Unvalidated Redirects and Forwards

Common Weakness Enumeration (CWE)
• https://cwe.mitre.org/
• A formal dictionary of common software bugs/flaws that occur in software architecture, design, and implementation and that can lead to exploitable security vulnerabilities (>800 entries)
• A common language for describing and a standard for measuring such bugs/flaws
• Information about identification/mitigation/prevention efforts

Common Weakness Enumeration (CWE)
(slides 11 and 12: image only, no text extracted)

The National Vulnerability Database (NVD)
• https://nvd.nist.gov/
• The US Government repository of vulnerability data
• Enables automation of vulnerability management, security measurement and compliance
• Includes databases of security-related software flaws/bugs, product names, and impact metrics
• Supports the Common Vulnerability Scoring System (CVSS) scores
– Quantifies characteristics of each vulnerability so that they can be compared

The National Vulnerability Database (NVD)
(slide 14: image only, no text extracted)

Outline (section divider: the same five items as above)

Injection vulnerabilities
• Assume an application is written in multiple languages: Java, JavaScript, HTML, SQL…
• An application accepts any user input without sanitization
– Problem: some input that looks like a String in Java can be accepted as a piece of executable code by SQL, JavaScript, or HTML interpreters
– These are also called "polyglot" vulnerabilities
• Consequences?
– Website defacement
– …
– Complete control over the machine that hosts the vulnerable application

SQL/NoSQL injection
• Description:
– Due to insufficient input filtering (or output escaping), attacker-controlled input may be interpreted as code by a database interpreter and executed [1]. The eventual outcome is code execution.
• Related Threats: Information Disclosure, Data Modification/Deletion, Elevation of Privileges.
• Technical Impact: Severe.

SQL injection: example
    UserData data = getDataFromUser();
    String userId = data.getUserId();
    String passwd = data.getPasswd();
    // the query text is assembled from the raw input
    SomeDB.executeQuery("SELECT * FROM users WHERE users.userId = '" + userId
        + "' AND users.passwd = '" + passwd + "'");

Benign input:
    userId <- "John Doe"
    passwd <- "qweJk@#4kw"
    query  <- "SELECT * FROM users WHERE users.userId = 'John Doe' AND users.passwd = 'qweJk@#4kw'"

Malicious input:
    userId <- "Batman' OR '1' == '1'; DROP TABLE users; --"
    passwd <- ""
    query  <- "SELECT * FROM users WHERE users.userId = 'Batman' OR '1' == '1'; DROP TABLE users; --' AND users.passwd = ''"
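Added example (not from the slides, and in Python rather than the slides' Java): the query above built by concatenation and run against a constructed in-memory SQLite table, next to the parameterized form. sqlite3's executescript stands in for a driver such as the slide's SomeDB.executeQuery that accepts stacked statements.

```python
import sqlite3

# Constructed users table; "John Doe" / "qweJk@#4kw" are the slide's benign inputs.
SEED_USERS = [("John Doe", "qweJk@#4kw"), ("alice", "s3cret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userId TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def build_query(user_id, passwd):
    """The slide's concatenation: the query text is assembled from the input."""
    return ("SELECT * FROM users WHERE users.userId = '" + user_id
            + "' AND users.passwd = '" + passwd + "'")


def login_concat(conn, user_id, passwd):
    """Vulnerable: whatever is in the input becomes part of the SQL grammar."""
    return conn.execute(build_query(user_id, passwd)).fetchone() is not None


def login_param(conn, user_id, passwd):
    """Fixed: bound parameters are sent as values and are never parsed as SQL."""
    cur = conn.execute(
        "SELECT * FROM users WHERE users.userId = ? AND users.passwd = ?",
        (user_id, passwd))
    return cur.fetchone() is not None


def run_stacked(conn, user_id, passwd):
    """Vulnerable, with a driver that runs several statements per call
    (executescript plays the role of the slide's SomeDB.executeQuery)."""
    conn.executescript(build_query(user_id, passwd))


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # The slide's userId payload without the stacked DROP: the trailing comment
    # removes the password check, so the concatenated query matches every row.
    bypass = "Batman' OR '1' == '1' --"
    print("concat, bypass :", login_concat(db, bypass, ""))   # True
    print("param, bypass  :", login_param(db, bypass, ""))    # False
    run_stacked(db, "Batman' OR '1' == '1'; DROP TABLE users; --", "")
    print("table survives :", table_exists(db, "users"))       # False
```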

NoSQL injection: example
(slides 19 and 20: image only; the image is taken from http://www.busanhlf4.org/)

SQL/NoSQL injection: how to find it?
• You should be suspicious if an application
– Gets user input
– Does not check/sanitize the input
– Uses this input to construct a query to a database
– Uses string operations (e.g., concatenation, replacement) to build a query

Keywords to look for, by language:
Language       Keywords
Java (+JDBC)   sql, java.sql
Python         pymssql, ...
C#             Sql, SqlClient, OracleClient, SqlDataAdapter
PHP            mysql_connect
Node.js        require("mysql"), require("mssql"), require("mongodb")

Cross-Site Scripting (XSS)
• Description:
– "Insufficient input validation or output escaping can allow an attacker to plant his own HTML or scripts on a vulnerable site. The injected scripts will have access to the entirety of the targeted web application…" [2].
– The reflected variant takes advantage of input that is incorrectly echoed back to the browser; the persistent (stored) variant goes a bit further: it also takes advantage of the lack of sanitization of the data that goes to a DB.
• Related Threats:
– Information Disclosure, Elevation of Privileges.
• Technical Impact:
– Moderate/Severe

Cross-Site Scripting (XSS): reflected
    ...
    <% String userId = request.getParameter("userId") %>
    ...
    <html>
    ...
    <h1>Hello, <%= userId %>!</h1>
    ...
    </html>
Request: http://homepage.jsp?userId=John

Cross-Site Scripting (XSS): reflected
    ...
    <% String userId = request.getParameter("userId") %>
    ...
    <html>
    ...
    <h1>Hello, <%= userId %>!</h1>
    ...
    </html>
Request: http://homepage.jsp?userId=<script>alert('XSS');</script>

Cross-Site Scripting (XSS): stored
(diagram: attacker, web site, database, user)
*The diagram is adapted from [3].
Step 0 -> developer writes vulnerable pages: the 1st one stores unvalidated input; the 2nd one reads it from a database, again with no validation.
Step 1 -> Attacker sends malformed input (code) to a vulnerable web page.
Step 2 -> User browses the site.
Step 3 -> Web site reads unchecked data and sends it along with the attacker's code to the user's browser.
Step 4 -> User's browser renders the web page and runs the attacker's code (every time the page is requested!)

Cross-Site Scripting (XSS): some examples (reflected)
    public class XSS extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response) {
            /* ... */
            // the unchecked parameter ends up in the container's error page
            response.sendError(HttpServletResponse.SC_NOT_FOUND,
                "The page \"" + request.getParameter("page") + "\" was not found.");
        }
    }
Request: http://homepage.jsp?page=123

Cross-Site Scripting (XSS): some examples (reflected)
    public class XSS extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response) {
            /* ... */
            response.sendError(HttpServletResponse.SC_NOT_FOUND,
                "The page \"" + request.getParameter("page") + "\" was not found.");
        }
    }
Request: http://homepage.jsp?page=<script>alert('XSS')</script>

Cross-Site Scripting (XSS): some examples (stored)
    <%
        ...
        String eid = request.getParameter("eid");
        Statement stmt = conn.createStatement();
        // eid is concatenated into the query (SQL injection) ...
        ResultSet rs = stmt.executeQuery("select * from emp where id='" + eid + "'");
        if (rs != null) {
            rs.next();
        }
        String bio = rs.getString("bio");
    %>
    Employee biography: <%= bio %>   <%-- ... and bio is echoed unescaped (stored XSS) --%>
    ...
Request: http://show-employee.jsp?eid=123

Cross-Site Scripting (XSS): some examples (stored)
    <%
        ...
        String eid = request.getParameter("eid");
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery("select * from emp where id='" + eid + "'");
        if (rs != null) {
            rs.next();
        }
        String bio = rs.getString("bio");
    %>
    Employee biography: <%= bio %>
    ...
Request: http://show-employee.jsp?eid=qwe' or '1'=='1'; insert into emp (bio) values ('<script>alert("XSS")</script>'); select * from emp; --
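Added example, not from the slides: the greeting page of slides 23-24 rendered with raw and with escaped insertion, the biography page of slides 28-29 treated the same way, and the header-context check that HTML escaping does not cover. Python stands in for the JSP of the slides.

```python
import re

# The five characters that change meaning in an HTML text or attribute context.
HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def escape_html(text):
    """Output encoding for an HTML body/attribute context."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in text)


def render_greeting(user_id, escape=True):
    """The slide's page: <h1>Hello, <%= userId %>!</h1>, with the scriptlet
    replaced by either raw insertion (vulnerable) or escaped insertion."""
    value = escape_html(user_id) if escape else user_id
    return "<html><h1>Hello, " + value + "!</h1></html>"


def render_bio_page(bio_from_db, escape=True):
    """Stored variant (slides 28-29): the value comes from the database,
    but the defence is the same: encode at the point of output."""
    value = escape_html(bio_from_db) if escape else bio_from_db
    return "Employee biography: " + value


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_script_tag(markup):
    """Crude check a tester can run on a response body: is a <script> tag present?"""
    return SCRIPT_TAG.search(markup) is not None


def header_value(value):
    """Header context (e.g. a Location header built from input): HTML escaping
    is irrelevant here; a CR/LF would start a new header or the body instead."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in an HTTP header value")
    return value
```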

Cross-Site Scripting (XSS): how to find it?
• You should be suspicious if an application
– Gets an input from an HTTP entity such as a query string, header or form, or request object
– Does not check the input for validity
– Echoes it back to the browser (either HTML or HTTP headers), or saves it to or retrieves it from a database unchecked

Cross-Site Scripting (XSS): how to find it?
Language     Keywords
Java (JSP)   addCookie, getRequest, request.getParameter followed by <jsp:setProperty, <%= or response.sendRedirect
Python       form.getvalue, SimpleCookie, when the data is not validated correctly
C#           Request.*, Response.*, and <%= when the data is not validated correctly
PHP          Accessing $_REQUEST, $_GET, $_POST, or $_SERVER followed by echo, print, header, or printf
Node.js      request, response, ...
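Added example (my own, not from the course): a small line-oriented scanner implementing the heuristics of the two "how to find it?" tables, SQL injection (slide 21) and XSS (slide 31), for the Java/JSP and PHP rows. The samples are the lecture's snippets rewritten one statement per line; the source and sink keyword lists are the assumptions it rests on.

```python
import re

# Source/sink keywords taken from the lecture's two "how to find it?" tables
# (Java/JSP and PHP rows); the scanner itself is an added illustration.
SOURCES = {
    "java": [r"request\.[gG]etParameter\(", r"getRequest\("],
    "php": [r"\$_(?:REQUEST|GET|POST|SERVER)\b"],
}
SINKS = {
    "java": [r"<%=", r"\.executeQuery\(", r"response\.sendRedirect\(",
             r"response\.sendError\(", r"\.addCookie\("],
    "php": [r"\becho\b", r"\bprint\b", r"\bprintf\(", r"\bheader\("],
}
# "<% String x = ..." / "ResultSet rs = ..." / "$x = ..." at the start of a line.
ASSIGN = re.compile(r"^\s*(?:<%\s*)?(?:[A-Z]\w*\s+)?(\$?\w+)\s*=(?!=)\s*(.+)")


def mentions(var, text):
    """True if identifier var occurs in text as a whole word."""
    prefix = r"\b" if var[0].isalnum() or var[0] == "_" else ""
    return re.search(prefix + re.escape(var) + r"\b", text) is not None


def find_suspicious(lines, language):
    """Return (line_no, reason) for each sink line that receives user input.

    One statement per line is assumed. Values read from a source, and values
    derived from them by assignment, are tracked as tainted; no validation
    is recognised, which is the lecture's rule: be suspicious first."""
    sources = [re.compile(p) for p in SOURCES[language]]
    sinks = [re.compile(p) for p in SINKS[language]]
    tainted = set()
    findings = []
    for no, line in enumerate(lines, 1):
        has_source = any(s.search(line) for s in sources)
        if any(s.search(line) for s in sinks):
            if has_source:
                findings.append((no, "input read and used in a sink on the same line"))
            else:
                used = sorted(v for v in tainted if mentions(v, line))
                if used:
                    findings.append((no, "tainted %s reaches a sink" % ", ".join(used)))
        m = ASSIGN.match(line)
        if m:
            target, rhs = m.group(1), m.group(2)
            if has_source or any(mentions(v, rhs) for v in tainted):
                tainted.add(target)      # propagation: target now carries input
    return findings


# Constructed samples reproducing the lecture's snippets, one statement per line.
REFLECTED_JSP = [
    '<% String userId = request.getParameter("userId") %>',
    '<html><h1>Hello, <%= userId %>!</h1></html>',
]
STORED_JSP = [
    '<% String eid = request.getParameter("eid");',
    'Statement stmt = conn.createStatement();',
    'ResultSet rs = stmt.executeQuery("select * from emp where id=\'" + eid + "\'");',
    'String bio = rs.getString("bio"); %>',
    'Employee biography: <%= bio %>',
]
PARAMETERIZED_JSP = [
    '<% String eid = request.getParameter("eid");',
    'PreparedStatement ps = conn.prepareStatement("select * from emp where id = ?");',
    'ps.setString(1, eid);',
    'ResultSet rs = ps.executeQuery(); %>',
]
PHP_ECHO = [
    '$name = $_GET["name"];',
    'echo "Hello, " . $name;',
    'echo "static text";',
]

if __name__ == "__main__":
    for name, sample, lang in [("reflected", REFLECTED_JSP, "java"),
                               ("stored", STORED_JSP, "java"),
                               ("parameterized", PARAMETERIZED_JSP, "java"),
                               ("php", PHP_ECHO, "php")]:
        print(name, find_suspicious(sample, lang))
```

The parameterized sample produces no finding because eid never reaches a sink line; a real reviewer still reads it, the scanner only orders the work.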

Outline (section divider: the same five items as above)

Information Disclosure vulnerabilities
• Description:
– The attacker is able to get data that leads to a breach in the security or privacy policy. The data itself could be the goal, or the data can provide information that leads the attacker to the goal.
– Intentional: the design team has a mismatch with the end user as to whether data should be protected (privacy issues).
– Accidental: the data could leak due to an error in the code, or a non-obvious channel.
– Mistake: verbose [error] messages that developers think are safe, but attackers find them helpful, e.g., the name or the IP address of a server
– Three main categories: hardcoded credentials, comments in the source code, and verbose error messages.
• Technical impact: could be anything

Information Disclosure: example 0
    try {
        /* ... */
    } catch (Exception e) {
        System.out.println(e);
        e.printStackTrace();
    }

Information Disclosure: example 1
(slide 35: image only, no text extracted)

Information Disclosure: example 2
    public boolean authenticate(Request request, Response response) {
        /* ... */
        if (config.getRealmName() == null) {
            // no realm configured: the server's own host name and port go into the challenge
            authenticateCC.append(request.getServerName());
            authenticateCC.append(':');
            authenticateCC.append(Integer.toString(request.getServerPort()));
        } else {
            authenticateCC.append(config.getRealmName());
        }
        return (false);
    }
(slides 37 and 38 repeat this code with different parts highlighted)

Information Disclosure: example 3
(screenshot) Login successful: the "authenticate" method returns "true"

Information Disclosure: example 3 (continued)
(screenshot) password = null; may throw a null reference exception

Information Disclosure: how to find it?
• The application returns "default" information such as server type/configuration/IP address/hostname.
• Too many details in error messages, unhandled exceptions, stack traces; different error messages when handling user login.
• Look for "password", "credentials", "login" and similar keywords; you might find something quite interesting.
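Added example, not from the slides: a verbose login next to a uniform one, modelling the error-message points above (a different message per failure, an unhandled exception from a null password as in example 3, and details that belong in the server log only). The credential store is constructed.

```python
import logging

# Constructed credential store; a real system stores salted password hashes.
USERS = {"alice": "correct horse"}
log = logging.getLogger("auth")


def check_password(user, password):
    """Mimics the slide's example 3: a null password reaches code that
    dereferences it, so the failure surfaces as an exception (TypeError here)."""
    return len(password) > 0 and USERS[user] == password


def login_verbose(user, password):
    """Leaky: every failure path answers differently, and the exception from
    check_password escapes to the client as a stack trace."""
    if user not in USERS:
        return "no such user: " + user
    if not check_password(user, password):
        return "wrong password for " + user
    return "ok"


def login_uniform(user, password):
    """Fixed: one answer for every failure; the reason goes to the server log."""
    try:
        if user in USERS and check_password(user, password):
            return "ok"
        reason = "unknown user" if user not in USERS else "bad password"
    except Exception as exc:           # e.g. TypeError from a None password
        reason = "exception %s" % type(exc).__name__
    log.warning("login failed for %r: %s", user, reason)
    return "login failed"


def probe(login):
    """What an unauthenticated client can learn from three failing attempts:
    unknown user, wrong password, and a missing (None) password."""
    outcomes = set()
    for user, password in [("nobody", "x"), ("alice", "x"), ("alice", None)]:
        try:
            outcomes.add(login(user, password))
        except Exception as exc:       # unhandled: what the container's error page shows
            outcomes.add("unhandled " + type(exc).__name__)
    return outcomes
```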

Path Traversal
• Description:
– An application can be tricked into reading or writing files at arbitrary locations (often bypassing application-level restrictions). This often happens due to improper recognition of "../" segments in user-supplied parameters. Unconstrained file writing bugs are often exploited for deploying attacker-controlled code [2].
• Related threats: Information disclosure, code injection, denial of service
• Technical impact: Moderate/Severe

Path Traversal: some examples
    String path = getInputPath();
    if (path.startsWith("/safe_dir/")) {
        File f = new File(path);
        f.delete();
    }
The code attempts to validate the input by whitelisting. If the file is within the "/safe_dir/" folder, the file gets deleted. An attacker could provide an input such as: /safe_dir/../data.db

Path Traversal: some examples (continued)
    public void sendUserFile(Socket sock, String user) throws IOException {
        BufferedReader filenameReader = new BufferedReader(
            new InputStreamReader(sock.getInputStream(), "UTF-8"));
        // the file name comes straight from the network peer
        String filename = filenameReader.readLine();
        BufferedReader fileReader =
            new BufferedReader(new FileReader("/home/" + user + "/" + filename));
        String fileLine = fileReader.readLine();
        while (fileLine != null) {
            sock.getOutputStream().write(fileLine.getBytes());
            fileLine = fileReader.readLine();
        }
    }
(slide 45 repeats this code with the file name construction highlighted)
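Added example (not from the slides): the prefix test of slide 43 beside a canonicalise-then-compare check that also covers the /home/<user>/<filename> construction of slide 44. The directory layout is constructed inside a temporary directory for the illustration.

```python
import os
import tempfile


def naive_check(path):
    """The slide's whitelist: a string prefix test. "/safe_dir/../data.db"
    starts with "/safe_dir/" and passes, although it names a file outside."""
    return path.startswith("/safe_dir/")


def resolve_under(base_dir, user_path):
    """Canonicalise, then compare: realpath collapses "..", duplicate separators
    and symlinks, so the containment test sees the real target.
    Returns the resolved path, or raises ValueError if it leaves base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # os.path.join discards base when user_path is absolute; the comparison
    # below still rejects that case because the result is not under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("%r escapes %s" % (user_path, base_dir))
    return candidate


def is_safe(base_dir, user_path):
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo():
    """Constructed layout: <tmp>/safe_dir (allowed) and <tmp>/data.db (not),
    plus a symlink inside safe_dir pointing at data.db. Returns the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "safe_dir")
        os.mkdir(base)
        secret = os.path.join(tmp, "data.db")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(base, "link"))
        return {
            "naive accepts traversal": naive_check("/safe_dir/../data.db"),
            "plain name": is_safe(base, "notes.txt"),
            "dot-dot": is_safe(base, "../data.db"),
            "absolute": is_safe(base, secret),
            "symlink": is_safe(base, "link"),
            # slide 44's "/home/" + user + "/" + filename shape
            "home-style": is_safe(os.path.join(tmp, "home", "user"), "../../data.db"),
        }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print("%-24s %s" % (check, verdict))
```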

Path Traversal: how to find it?
• You should be suspicious if an application
– Gets an input from the user
– Uses the input to construct a path for any purpose (downloading/uploading files, redirects, etc.)
– Even if the input looks like it is sanitized, sanitization functions often contain errors, so pay close attention to sanitizers
– Sometimes there are no path constraints at all

Outline (section divider: the same five items as above)

Session Fixation vulnerabilities
• Description:
– An attack that allows an attacker to hijack a valid user session. When authenticating a user, the app doesn't assign a new session ID, making it possible to use an existing session ID. The attacker has to provide a legitimate web application session ID and try to make the victim's browser use it. [5]
• Technical impact: Severe

Session Fixation: example*
(slide 49: image only)
*This example is taken from [4].

Session Fixation: example
1. The attacker establishes a legitimate connection with a web server;
2. The web server issues a session ID;
3. The attacker has to send a link with the established session ID to the victim; she has to click on the link, accessing the site;
4. The web server "sees" that the session has been already established (by the attacker), so it doesn't create a new one;
5. The victim provides her credentials to the web server; the attacker can access her account knowing the session ID.
(the session ID can also be sent via a cookie or a hidden field in the DOM container)

Session Fixation: example (continued)
    protected boolean parseRequest(Request req, Response res) {
        if (isURLRewritingDisabled(req)) {
            clearRequestedSessionURL(req);
        }
        /* ... */
        // a session ID carried in the URL path is accepted unconditionally
        String sessionID = req.getPathParameter(Globals.SESSION_PARAMETER_NAME);
        if (sessionID != null) {
            req.setRequestedSessionId(sessionID);
            req.setRequestedSessionURL(true);
        }
        /* ... */
    }
(slides 52 and 53 repeat this code with different parts highlighted)
![Page 54: Offensive technologies Fall 2016 - UniTrento...OWASP Top 10 (2013) A3: Cross-site Scripting (XSS) A1: Injection A2: Broken Auth. and Session Management A4: Insecure Direct Object References](https://reader034.vdocument.in/reader034/viewer/2022050219/5f650185076345537c45943e/html5/thumbnails/54.jpg)
Session Fixation: example (continued)
The fix adds the URL-rewriting check to the second condition as well: before, the session ID taken from the path parameter was still accepted even after clearRequestedSessionURL(req) had run.

```java
protected boolean parseRequest(Request req, Response res) {
    if (isURLRewritingDisabled(req)) {
        clearRequestedSessionURL(req);
    }
    /* ... */
    String sessionID = req.getPathParameter(Globals.SESSION_PARAMETER_NAME);
    if (sessionID != null && !isURLRewritingDisabled(req)) {
        req.setRequestedSessionId(sessionID);
        req.setRequestedSessionURL(true);
    }
    /* ... */
}
```

54
Session Fixation: how to find it? [5]
• You should be suspicious if the usual flow is broken [6]
  – User enters correct credentials
  – The application authenticates the user successfully
  – Session information (temporary data) is stored in a temporary location
  – Session is invalidated (session.invalidate())
  – Any temporary data is restored to the new session (new session ID)
  – User goes to the successful-login landing page using the new session ID
55
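The five attack steps of the example and the safe login flow of slide 55, played out in an added Python model; this is not code from the lecture, from OWASP or from Tomcat. SessionStore, fixation_scenario and the hard-coded credential check are constructed for the example.

```python
import secrets


class SessionStore:
    """Constructed in-memory model of a server's session table (not Tomcat's code)."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}        # session id -> session data
        self.invalidated = set()  # ids that must never be accepted again

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, requested_sid):
        """Step 4 of the slide: an already established session is reused as is."""
        return requested_sid if requested_sid in self.sessions else self.new_session()

    def login(self, sid, username, password):
        if password != "correct-horse":  # constructed credential check
            return None
        if not self.regenerate_on_login:  # broken flow: the fixed id stays valid
            self.sessions[sid]["user"] = username
            return sid
        # Safe flow from slide 55: keep temporary data, invalidate, restore into a new id
        temp = self.sessions.pop(sid, {"user": None})
        self.invalidated.add(sid)
        new_sid = self.new_session()
        self.sessions[new_sid].update(temp, user=username)
        return new_sid

    def whoami(self, sid):
        if sid in self.invalidated:
            return "rejected"  # check from slide 56: an invalidated id is presented again
        return self.sessions.get(sid, {}).get("user")


def fixation_scenario(regenerate_on_login):
    """Plays the five steps of the slide and returns what the attacker's id yields."""
    store = SessionStore(regenerate_on_login)
    attacker_sid = store.new_session()                 # steps 1-2
    victim_sid = store.resolve(attacker_sid)           # steps 3-4: victim follows the link
    store.login(victim_sid, "alice", "correct-horse")  # step 5
    return store.whoami(attacker_sid)
```

With regeneration off the attacker's id resolves to the victim's account; with the slide-55 flow it is rejected.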
Session Fixation: how to find it? (continued) [5]
• Check for session fixation if a user tries to log in using a session ID that has been specifically invalidated (requires maintaining this list in some type of URL cache)
• Check for session fixation if a user tries to use an existing session ID already in use from another IP address (requires maintaining this data in some type of map)
• Some server applications (e.g., JBoss, Tomcat) have a setting for disabling URL rewriting -> this mitigates the attack when the session ID is exposed via a GET parameter of a URL (as well as being stored in browser history, proxy servers, etc.)
56
Outline
• Vulnerabilities in web applications
• Injection vulnerabilities
• Information Disclosure vulnerabilities
• Session Fixation vulnerabilities
• Denial of Service vulnerabilities
57
Denial of Service vulnerabilities
• Description:
  – The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or because of the way the service handles the resources it uses.
• Technical impact: Severe
58
Denial of Service: example 1
We may "kill" the server by filling all of its memory
59
Denial of Service: example 2
The user has control over the loop counter: we may decrease the server's performance or even kill it.
60
Denial of Service: example 3
Both Connection and CallableStatement objects should be closed in the "finally" block
61
Denial of Service: how to find it?
• You should be suspicious if
  – User-controlled values define the size of allocated memory, arrays or buffers;
  – User-controlled values influence loop conditions;
  – "Heavy" resources are never released (file locks/descriptors, database connections, data streams, etc.);
  – There is an "infinite" amount of resources that a single user can allocate (e.g., the number of working processes or server sockets);
62
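Examples 2 and 3 and the checklist above, as an added Python model (not code from the lecture): a user-controlled counter that is bounded before use, and a connection that is released in a finally block so that repeated failing requests cannot drain the pool. ConnectionPool, failing_query and MAX_ROWS are constructed stand-ins, not JDBC.

```python
MAX_ROWS = 1000  # assumed upper bound for the user-controlled loop counter


class ConnectionPool:
    """Constructed stand-in for a JDBC connection pool (not real JDBC)."""

    def __init__(self, size):
        self.free = list(range(size))  # connections not currently handed out

    def acquire(self):
        if not self.free:
            raise RuntimeError("pool exhausted: service unavailable")
        return self.free.pop()

    def release(self, conn):
        self.free.append(conn)


def failing_query(conn, rows):
    """Models a CallableStatement that throws on execution (constructed)."""
    raise RuntimeError("constructed backend error")


def handler_leaky(pool, rows, query):
    """Slide 61 anti-pattern: the connection is released only on the happy path."""
    conn = pool.acquire()
    result = query(conn, rows)  # if this throws, the release below never runs
    pool.release(conn)
    return result


def handler_safe(pool, raw_rows, query):
    """Bounds the user-controlled counter and releases the connection in finally."""
    rows = int(raw_rows)
    if not 0 <= rows <= MAX_ROWS:
        raise ValueError("rows out of range")  # checked before any allocation
    conn = pool.acquire()
    try:
        return query(conn, rows)
    finally:
        pool.release(conn)  # runs on every path, including exceptions


def exhaust(handler, pool, rows, attempts, query=failing_query):
    """Repeats a failing request and returns how many connections remain free."""
    for _ in range(attempts):
        try:
            handler(pool, rows, query)
        except Exception:
            pass
    return len(pool.free)
```

After ten failing requests the leaky handler leaves the pool empty, while the safe handler still has every connection free.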
References
• [1] Web Application Vulnerabilities and Avoiding Application Exposure
  https://f5.com/resources/white-papers/web-application-vulnerabilities-and-avoiding-application-exposure
• [2] Zalewski, Michal. The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, 2012.
• [3] Michael Howard, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, Inc., 2009.
• [4] OWASP: the free and open software security community https://www.owasp.org/index.php/Main_Page
• [5] The WhiteHat Security blog on Session Fixation prevention: https://www.whitehatsec.com/blog/session-fixation-prevention-in-java/
• [6] The OWASP Enterprise Security API session handling example: https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java
• [7] Secure Coding Guidelines for Java SE http://www.oracle.com/technetwork/java/seccodeguide-139067.html
63