Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

(System) Integrity attacks: System Abuse, Malicious File Upload, SQL Injection
Igino Corona, igino.corona (at) diee.unica.it
Computer Security, April 9, 2018
http://pralab.diee.unica.it
Practical session - setup
• Target configuration (diagram): Browser -> Zed Attack Proxy -> Internet
Practical session - setup
• In your host machine
1. Install Zed Attack Proxy (ZAP): https://github.com/zaproxy/zaproxy/wiki/Downloads
2. Make sure that ZAP listens @ 127.0.0.1:8080
Practical session - setup
• In your host machine
1. Go to Settings->Dynamic SSL certificates
2. Save the ZAP root CA (owasp_zap_root_ca.cer) within a folder of your choice
Practical session - setup
• From your host machine
1. Open your browser (Firefox): Preferences->Security&Privacy->Certificates->Authorities
2. Open owasp_zap_root_ca.cer
3. Trust the ZAP CA for web sites
Practical session - setup
• From your host machine
1. Install Firefox - Web Browser: https://www.mozilla.org/it/firefox/new/
2. Open your browser (Firefox)
3. Settings->General->Proxy server->Settings
Practical session - setup
• From your host machine
1. Open your browser (Firefox)
2. Settings->Advanced->Network->Settings
Practical session - setup
• From your host machine
1. Open your browser (Firefox)
2. Go to an HTTPS-enabled site (e.g. Google)
Information System Security
Main Security Goals
– Confidentiality
• ensure that (sensitive) information is disclosed to authorized parties only
– Integrity
• prevent unauthorized modification of data (data integrity), including system code and (ab)use of system functionalities (system integrity)
– Availability
• guarantee that data and services can be accessed (in a reasonable time) by authorized parties when requested
NOTE: violations in one category may enable violations in any other category! Examples:
• Password theft (confidentiality violation) may allow attackers to perform unauthorized modifications of user data (data integrity violation)
• A buffer overflow attack (system integrity violation) may allow attackers to gather private data (confidentiality violation)
Key aspects:
• authentication
• access control
Integrity Attacks - Practical session
• (System) Integrity Attacks
– Legitimate inputs, malicious goals
• Application-specific: not covered by the OWASP TOP 10
– There are at least four TOP 10 threats that exploit Data→Code vulnerabilities
• A1:2017 - Injection
• A4:2017 - XML External Entities (XXE)
• A7:2017 - Cross-Site Scripting (XSS)
• A8:2017 - Insecure Deserialization
• In this lesson we will focus on
– Real-world abuse of web services with legitimate inputs
– A1:2017 Injection
Legitimate inputs, Malicious goals
https://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwi3nrfSrvjZAhXMOBQKHacfAFIQFggnMAA&url=http%3A%2F%2Fpralab.diee.unica.it%2F&usg=AOvVaw0lfLJwt5lit4axL3uWkXHq
REAL-WORLD PHISHING EMAIL AGAINST APPLE USERS!
Legitimate inputs, Malicious goals
• Google Redirect Service
– Google business: track users who click on search results
– Cybercriminal business: evade spam filters, by masquerading a (google-indexed) malicious/compromised URL
• https://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwi3nrfSrvjZAhXMOBQKHacfAFIQFggnMAA&url=http%3A%2F%2Fpralab.diee.unica.it%2F&usg=AOvVaw0lfLJwt5lit4axL3uWkXHq
Legitimate inputs, Malicious goals
To protect against such attacks Google might add the following security requirements:
– check the Referer header (it should be a valid Google search result URL)
• Legitimate inputs must provide a valid Referer
– malicious URLs might be de-indexed/blacklisted
• Legitimate inputs must not involve a blacklisted URL
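The two requirements above written as a server-side check on the /url redirect endpoint. This is an added example, not Google's code; the blocklist, the set of search hosts and the Referer values used in the comments are constructed for the demo, while the redirect URL is the one shown on the slide.

```python
from urllib.parse import urlparse, parse_qs

# Redirect URL taken from the slide; blocklist and search hosts are constructed.
PAGE_URL = ("https://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja"
            "&uact=8&ved=0ahUKEwi3nrfSrvjZAhXMOBQKHacfAFIQFggnMAA"
            "&url=http%3A%2F%2Fpralab.diee.unica.it%2F&usg=AOvVaw0lfLJwt5lit4axL3uWkXHq")
BLOCKED_HOSTS = {"malicious.example", "compromised.example"}
SEARCH_HOSTS = {"www.google.it", "www.google.com"}


def redirect_allowed(redirect_url, referer, blocked_hosts=BLOCKED_HOSTS):
    """Apply both requirements to one click on /url?...&url=<destination>.
    Returns (allowed, detail)."""
    params = parse_qs(urlparse(redirect_url).query)
    destinations = params.get("url", [])
    if len(destinations) != 1:
        return False, "missing or ambiguous url parameter"
    dest_host = urlparse(destinations[0]).hostname
    # Requirement 2: the destination must not be a blacklisted (de-indexed) host
    if dest_host is None or dest_host.lower() in blocked_hosts:
        return False, "destination host is blacklisted or invalid"
    # Requirement 1: the Referer must be a Google search result page.
    # A link clicked from a phishing e-mail carries no such Referer.
    ref = urlparse(referer or "")
    if (ref.scheme != "https" or ref.hostname not in SEARCH_HOSTS
            or not ref.path.startswith("/search")):
        return False, "Referer is not a Google search result page"
    return True, dest_host
```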
Legitimate inputs, Malicious goals
https://www.httpdebugger.com/tools/ViewHttpHeaders.aspx
Legitimate business: HTTP debugger
Malicious business: unconventional web proxy
Legitimate inputs, Malicious goals
http://www.rexswain.com/httpview.html
Legitimate inputs, Malicious goals
Take away: the same technical function can be used for different business goals
– Legitimate (Service Provider)
– Malicious (Cybercriminals)
– App-specific: not covered by the OWASP TOP 10!
– Once abuse is detected, attack protection is typically achieved by service providers adding security checks that better describe what legitimate inputs are
– Take away: think about how the intended functionalities of your web applications can be abused, even if inputs are legitimate!
Practical session with OWASP BWA
OWASP Broken Web Applications Project
1. Install VirtualBox https://www.virtualbox.org/
2. Download the OVA archive https://sourceforge.net/projects/owaspbwa/files/1.2/
3. Import the OVA archive into VirtualBox
Practical session
• Vulnerable services setup
– Set up a NAT (port forwarding) rule. Make sure that the Guest IP is correct: it should be displayed in the OWASP BWA shell at startup
Practical session
• From your host machine
1. Open your browser (Firefox)
2. Go to http://127.0.0.1:8888
OWASP WebGoat
• Very useful training application by OWASP
Confidentiality
– An authentication request should appear
– On ZAP you can see a request such as the following
Confidentiality
The following is a successful (authorized) request on the web server:

GET http://127.0.0.1:8888/WebGoat/attack HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 17.1; WOW64; rv:132.0) Gecko/20100105 Firefox/60.2
Accept: text/html,application/xhtml+xml […]
Accept-Language: it,en;q=0.8,it-IT;q=0.5,en-US;q=0.3
Referer: http://127.0.0.1:8888/
Cookie: sid=Fe26.2**2df5243289 […]
Upgrade-Insecure-Requests: 1
Authorization: Basic cm9vdDpvd2FzcGJ3YQ==
Connection: keep-alive
Host: 127.0.0.1:8888

What about its confidentiality? It is not handled! The underlying protocol is HTTP and all data is transferred in clear text through TCP.
What about its authentication? It is handled through the Authorization header (Basic Authentication).
Confidentiality
Authorization: Basic cm9vdDpvd2FzcGJ3YQ==
Exercise: what are the credentials associated with the previous header?
Basic authentication transfers username and password in clear text! The Authorization field is constructed as follows:
• The username and password are combined with a single colon (:)
• The resulting string is encoded into an octet sequence
• The resulting octet sequence is encoded using a variant of Base64
• The authorization method and a space (e.g. "Basic ") are then prepended to the encoded string
Let's execute some code. Open a shell, and launch the python interpreter:
$ python
>>> import base64
>>> base64.b64decode("cm9vdDpvd2FzcGJ3YQ==")
Confidentiality
$ python
>>> import base64
>>> base64.b64decode("cm9vdDpvd2FzcGJ3YQ==")
'root:owaspbwa'
OK we now have the credentials to access WebGoat!
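The construction steps of the Authorization field, in both directions, as an added example (not the slides' own code): a builder that follows the steps listed above and a parser that pulls the credentials out of a captured request and flags whether they travelled over plain HTTP. The request text is a trimmed copy of the one captured in ZAP; the split on the first colon only matters because passwords may themselves contain colons.

```python
import base64

# Trimmed copy of the request captured on the slide (constructed for the demo).
RAW_REQUEST = (
    "GET http://127.0.0.1:8888/WebGoat/attack HTTP/1.1\r\n"
    "Host: 127.0.0.1:8888\r\n"
    "Authorization: Basic cm9vdDpvd2FzcGJ3YQ==\r\n"
    "Connection: keep-alive\r\n\r\n"
)


def build_basic_header(username, password):
    # The steps from the slide: join with a single colon, encode to octets
    # (UTF-8 here), Base64-encode, then prepend the scheme and a space.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_credentials(raw_request):
    """Return (username, password, cleartext) for a request carrying Basic
    credentials, or None if there is no Basic Authorization header."""
    lines = raw_request.split("\r\n")
    target = lines[0].split(" ")[1]
    # A proxy-style absolute request target tells us the scheme in use;
    # anything that is not https:// is treated as clear text.
    cleartext = not target.lower().startswith("https://")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None
            decoded = base64.b64decode(token).decode("utf-8")
            # Only the first colon is a separator: the password may contain colons.
            user, _, pwd = decoded.partition(":")
            return user, pwd, cleartext
    return None
```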
How do I protect against Confidentiality violations?
• Data should be exchanged using:
– HTTPS with strong ciphers and additional headers for security https://cipherli.st
– SSL certificate with trusted Certificate Authorities
• No excuses! You can get them for free using https://letsencrypt.org
– HTTPS must be enforced
• However, preserving data confidentiality is not just a matter of data transport
– How is it stored and how can it be accessed (including backups)?
– Authentication and access control
OWASP WebGoat
• From the left menu
– Malicious Execution->Malicious File Execution
– The page allows one to upload/display (read) an image
OWASP WebGoat
• Let's check out requests and responses in ZAP
– To understand what the backend web application interpreter is
Our first guess is that there is a JavaServer Pages (JSP) interpreter
OWASP WebGoat
• In JSP (like PHP), programs are written within files that are read and interpreted at runtime
– Any file with a name which ends with a specific extension (e.g., .jsp) is executed by the interpreter
– Key security question:
• does the application check the extension and content of the uploaded files?
• Let's try to upload a file browser program written in JSP…
• http://www.vonloesch.de/files/browser.zip
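The key security question above, answered in code as an added example (not WebGoat's code): an upload check that requires both the file name and the file content to agree that the upload is an image, and that rejects the double-extension and path tricks a raw extension check misses. The signature table is a constructed subset.

```python
import os

# Image types the upload form is meant to accept, with the leading bytes
# (magic numbers) a real file of that type starts with. Constructed subset.
ALLOWED_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_image_upload(filename, content):
    """Return (ok, detail): the declared name and the actual bytes must both
    say 'image', otherwise the upload is rejected before it is written."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop path components
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    # Names like browser.jsp.png keep an interpreter-mapped extension that
    # some server configurations still honour, so allow exactly one extension.
    if "." in root or not root:
        return False, "multiple or empty extensions not allowed"
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match the declared image type"
    # Cheap heuristic against image/JSP polyglots; a production handler should
    # also re-encode the image and store it under a server-chosen name outside
    # the interpreter's document root.
    if b"<%" in content:
        return False, "JSP scriptlet markers found inside the image"
    return True, base
```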
OWASP WebGoat
• Oh… we were able to upload the JSP file...
– Let's execute it (right click, view image)
OWASP WebGoat
• Oh... The JSP file is actually executed and gives us a full-featured file browser, with read/write permissions on the filesystem!
A6:2010 Malicious File Execution
Targets: file (up)load routine of the web application
Interpreter: web application server (typically)
Insecure handling of external/uploaded files allows the attacker to convert input data into (arbitrary) application code
(Diagram: HTTP(S) Client running HTML, CSS, Images, JavaScript, Flash, Silverlight, PDF Reader; HTTP(S) server running the Application, the Database and the external file (up)load routine)
Wordpress
• Let's play with Wordpress
Wordpress
• OK, it appears that we are in front of WP 2.0
– Plugin Spreadsheet v0.6 as well as MyGallery 1.2.1 installed
Wordpress
• Let's find a suitable exploit
Wordpress
• OWASP TOP A1:2013
– Found SQL Injection exploit for plugin Spreadsheet v0.6
• https://www.exploit-db.com/exploits/5486/
Wordpress
• You may launch the exploit using your browser
– http://localhost:8888/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain
(Screenshot: the returned row contains the password hash)
NOTE: no errors on the DB side. Why?
Because we injected the SQL query so that it generates one more row,
- containing exactly the expected number of columns (4 in this case)
- putting in the string field (n. 2) the char-separated (0x3a) concatenation of the desired info (user_login, user_pass, user_email)
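Why the extra row comes back without any database error, as an added example (not the plugin's code): the same ss_id lookup written with string concatenation and with a validated, bound parameter, run against a constructed in-memory SQLite copy of the two tables. The payload keeps the shape of the slide's one (four columns, concatenation in column 2) adapted to SQLite syntax: || instead of concat and ':' instead of 0x3a.

```python
import sqlite3

# Constructed demo schema mirroring the two tables involved on the slide
# (table and column names only; the row contents are made up).
SCHEMA = """
CREATE TABLE wp_ss (ss_id INTEGER, title TEXT, nrows INTEGER, ncols INTEGER);
INSERT INTO wp_ss VALUES (1, 'budget', 10, 4);
CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT);
INSERT INTO wp_users VALUES (1, 'admin', 'HASH_PLACEHOLDER', 'admin@example.invalid');
"""


def _db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def load_spreadsheet_vulnerable(ss_id):
    # The request parameter is pasted into the query text, so the value can
    # append its own clauses: the DB sees one well-formed statement and runs it.
    query = "SELECT ss_id, title, nrows, ncols FROM wp_ss WHERE ss_id = " + ss_id
    return _db().execute(query).fetchall()


def load_spreadsheet_safe(ss_id):
    # Validate the type first, then bind the value as a parameter: the driver
    # never lets the value become part of the SQL text.
    try:
        ss_id_int = int(ss_id)
    except ValueError:
        return []
    return _db().execute(
        "SELECT ss_id, title, nrows, ncols FROM wp_ss WHERE ss_id = ?", (ss_id_int,)
    ).fetchall()


# Same shape as the slide's payload, adapted to SQLite: the first SELECT yields
# no row (1=0), the UNION adds one row with exactly four columns.
INJECTED = ("1 and (1=0) union select 1, "
            "user_login || ':' || user_pass || ':' || user_email, 3, 4 from wp_users--")
```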
Wordpress
• Let's find out the password through bruteforce
– We can use an online webservice https://crackstation.net
– In a more realistic case, attackers may use "offline" tools such as John The Ripper http://www.openwall.com/john/
Wordpress
• Now that we have both username and password
– The login URL for wordpress is at /wp-login.php
Wordpress
• We are in (with administrative privileges)
– The website is now 0wned by us (the end)
A1:2013 - SQL Injection
Targets: insecure API between web application and database
Interpreter: database backend
An insecure API between Application and Database allows the attacker to convert input data into (arbitrary) DB queries
(Diagram: HTTP(S) Client running HTML, CSS, Images, JavaScript, Flash, Silverlight, PDF Reader; HTTP(S) server running the Application, the DB access API and the Database)