Encoded Attacks And Countermeasures
Download as PPT, PDF5 likes8,078 views
The document discusses input validation vulnerabilities and attack vectors. It covers causes of input validation vulnerabilities, examples of attacks, and definitions of attack vectors. It also discusses engineering attack vectors, encoding techniques, and examples of encoded exploits. The document provides an overview of how to find input validation vulnerabilities through security assessments and threat modeling. It also discusses strategies for protecting against attack vectors, such as input validation, encoding, and integrity checks.
![OWASP 16
Attack Vectors And Filter Evasion: XSS
The application server side validation filters:
http://[server]/[path]/[file].asp?id=70-305zzz
<script>alert();</script>
Attacker Encodes Javascript with addition of a
new STYLE attribute on the element which can
contain a Dynamic Property
Attacker deliver attack vector that Internet
Explorer will execute:
http://[server]/[path]/[file].asp?id=70-
305zzz+"+style="background-position-
x:expression0028006500760061006C00280061
006C00650072007400280027pwn3d00270029
00290029
From XSS-Focused Attack Surface Reduction http://blogs.msdn.com/dross/archive/2008/03/10/xss-focused-attack-surface-reduction.aspx](https://image.slidesharecdn.com/encodedattacksthreatscountermeasures93008-1227479676866927-9/85/Encoded-Attacks-And-Countermeasures-16-320.jpg)
![OWASP 27
Accept known good
This strategy is also known as "whitelist" or "positive"
validation. The idea is that you should check that the
data is one of a set of tightly constrained known good
values. Any data that doesn't match should be rejected.
Data should be:
Strongly typed at all times
Length checked and fields length minimized
Range checked if a numeric
Unsigned unless required to be signed
Syntax or grammar should be checked prior to first use or
inspection
If you expect a postcode, validate for a postcode (type, length
and syntax):
Example: Regex(“^[A-za-z0-9]{16}$”)](https://image.slidesharecdn.com/encodedattacksthreatscountermeasures93008-1227479676866927-9/85/Encoded-Attacks-And-Countermeasures-27-320.jpg)
![OWASP 29
Sanitize
Eliminate or translate characters (such as to
HTML entities or to remove quotes) in an effort
to make the input "safe". Like blacklists, this
approach requires maintenance and is usually
incomplete.
Example:
Remove special characters:
' " ` ; * % _ =&|*?~<>^()[]{}$nr
public String quoteApostrophe(String
input) { if (input != null) return
input.replaceAll("[']", "’");
else return null; }](https://image.slidesharecdn.com/encodedattacksthreatscountermeasures93008-1227479676866927-9/85/Encoded-Attacks-And-Countermeasures-29-320.jpg)
Encoded Attacks And Countermeasures
- 1. Copyright 2008 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations Marco Morana & Scott Nusbaum Cincinnati Chapter
- 2. OWASP 2 Agenda 1. Input Validation Attacks: Cause, Exploits, Threats 2. Attack Vectors: Definitions, Elements, Types (traditional old and new Web 2.0) 3. Engineering Attack Vectors: Canonical Representation, Encoding, Double Encoding and Filter Evasions 4. Cheat Sheets: XSS, SQL Injection 5. Input Validation Attacks: Encoded Exploit Examples 6. How to find IV vulnerabilities: Web application security Assessments 7. How to protect from IV attack vectors 8. Input Validation Attack Defenses In Practice: Structs Validators, Encoding Rules 9. Input Validation Attack Vectors: Mitigation Strategies 10. Q&A
- 3. OWASP 3 Input Validation Attacks: Cause, Exploits, Threats Cause: Failure to properly validate data at the entry and exit points of the application Exploit: Injection of malicious input such as scripts, commands, code that can be interpreted by different targets: Browser: XSS, XFS, HTML-Splitting Data repositories: SQL Injection, LDAP injection Server side file processing: XML, XPATH Application/Server/O.S. :File uploads, Buffer Overflow Threats: Phishing, Information Disclosure (e.g. PII), Data Alteration/Destruction, Denial/Degradation Of service, Financial Loss/Fraud, Reputation Loss
- 4. OWASP 4 Code Injection Attack Example From: www.technicalinfo.net/papers/Phishing.html
- 5. OWASP 5 SQL Injection Attack Example 3 Attacker Enters Malicious Inputs such as: http://www.bank.com/index.php?id= 1 UNION ALL SELECT creditCardNumber,1,1, FROM CreditCardTable Attacker enters SQL fragments into a web page that uses input in a query 1 Attacker obtain other customers credit card numbers Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus.Functions Database 2 Application sends modified query to database such as SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber 1,1 FROM CreditCardTable, which executes it From OWASP Testing Guide 2.0 UNION QUERY SQL Injection: http://www.owasp.org/index.php/Testing_for_SQL_Injection
- 6. OWASP 6 Malicious File Upload Vulnerability Example 1) Malicious user passes the following information in the cmd parameter: cmd=%3B+mkdir+hackerDirectory 2) The parameter from the request is used for command line process String fromRequest = request.getParameter("cmd"); Process process = runtime.exec("cmd.exe /C" + fromRequest); 3) Final command executed is: cmd.exe /C “dir; mkdir hackerDirectory”
- 7. OWASP 7 Client Side Validation Flaws Example http://www.coolcart.com/jewelrystore.html The price charged for the “Two Stone Feather Ring” is now 99 cents
- 8. OWASP 8 Attack Vectors Definitions An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome Attack vectors are routes or methods used to get into computer systems, usually for nefarious purposes. They take advantage of known weak spots to gain entry. Many attack vectors take advantage of the human element in the system, because that's often the weakest link. From SecuritySearch.com Definitions :http://searchsecurity.techtarget.com/dictionary/definition/1005812/attack-vector.html
- 9. OWASP 9 Understanding Attack Vectors Don't confuse attack vectors with payload Attack vectors: malicious email, attachments, worms, web pages, downloads, deception (aka social engineering), hackers Payloads: viruses, spyware, trojans, malicious scripting/executables Example: The attack vector with a payload consisting in a script to capture sensitive information (e.g. cookie stored on the browser) in an alert http://server/cgi- bin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SC RIPT>
- 10. OWASP 10 Traditional Vector Based Attack Types Buffer overflows attacks Code injection attack: also known as "code poisoning attack“ examples: Cookie poisoning attack HTML injection, such as HTML injection in IE7 via infected DLL Include file injection attack Server side PHP, ASP injection attacks Schema poisoning attack Script injection (e.g., cross-site scripting) attack Shell injection attack SQL injection attack (also known as SQL code poisoning) XML poisoning attack From: ITtoolbox Wiki http://it.toolbox.com/wiki/index.php/Attack_vector
- 11. OWASP 11 New Web 2.0 Attack Vectors Cross-site scripting in AJAX XML Poisoning Malicious AJAX code execution RSS Atom Injection WSDL scanning and enumeration Client validation in AJAX routines Web service routing issues Parameter manipulation with SOAP XPATH injection in SOAP message RIA thick client binary vector FromTop 10 Web 2.0 Attack Vectors http://www.net-security.org/article.php?id=949&p=4
- 12. OWASP 12 The Engineering Of Attack Vectors Discovery: Identify first order injection user input entry points and second-order injection( attack resources directly), fingerprint application server/technology Probe for Common Vulnerabilities: Scanning tools, manual attack vectors (e.g. to reflect script, force exception) Conduct the attacks by exploit vulnerabilities to deliver attack vectors Trial and error analysis to break input validation defenses: Input=>Output==XSS Input=>Query (SQL, LDAP) ==(SQL, LDAP) injection Input=>Malicious Code== Code injection Input=>XML doc == XML injection Input=>OS command==OS command injection Input=> Fixed buffer or format string== overflow
- 13. OWASP 13 Canonicalization and Encoding Fact: filtering out bad input is not easy as it sounds (i.e. more than just ASCII characters) Canonicalization (c14n): ensuring that all data is represented in a standard common form (i.e. all ways to encode data) URL Encoding Attack Examples: <and> %3c and %3e (used in XSS) : %3a (used in XSS with javascript: ) ‘ %27, -- %2D%2D, ; %3B (used in SQL injections) ../ %2E%2E%2F (used in directory transversal, file upload) ` %60 (used in command injections) /0 (null) %00 (used in NULL strings) URL Encoding Tool: Napkin: http://www.0x90.org/releases/napkin/
- 14. OWASP 14 HTML Encoding And XSS Browsers and servers encoding is carried out automatically Via browser settings (View Menu Encoding you can set UTF-8, UNICODE UTF-7, User defined) Via HTML web pages meta tags you can declare the encoding to be used: <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> ...</head> By enforcing encoding on web pages you make sure the browser interprets any special characters as data and markup and non script to be executed for XSS for example: < becomes < > becomes > & becomes & " becomes "
- 15. OWASP 15 Double Encoding And Filter Evasion Problem: Attacker can try three potential encodings for back-slash character “” 0x5C( ASCII) %5c (UTF-8), %c0%af(UNICODE UTF-7) Attack vector: http://www.example.com/app ..%c0%af..%c0af../winnt/system32/cmd.exe?/c+dir to perform a dir command Solution: patch to filter all encodings (e.g. MS IIS4 and IIS5) Attacker filter evasion: double encoding (1) hex encode the “” => %5C (2) encode the “%” portion = %25 Yields double encoded as %255c
- 16. OWASP 16 Attack Vectors And Filter Evasion: XSS The application server side validation filters: http://[server]/[path]/[file].asp?id=70-305zzz <script>alert();</script> Attacker Encodes Javascript with addition of a new STYLE attribute on the element which can contain a Dynamic Property Attacker deliver attack vector that Internet Explorer will execute: http://[server]/[path]/[file].asp?id=70- 305zzz+"+style="background-position- x:expression0028006500760061006C00280061 006C00650072007400280027pwn3d00270029 00290029 From XSS-Focused Attack Surface Reduction http://blogs.msdn.com/dross/archive/2008/03/10/xss-focused-attack-surface-reduction.aspx
- 17. OWASP 17 Attack Vectors Cheat Sheets: OWASP Cal9000 http://www.digilantesecurity.com/CAL9000/index.html based on Rober Hansen (Rsnake) http://ha.ckers.org/xss.html http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project file:///C:/Citi/OWASP/Encoding/CAL9000/CAL9000/CAL9000.html#top
- 18. OWASP 18 SQL Injection Cheat Sheet http://ha.ckers.org/sqlinjection/
- 19. OWASP 19 Input Validation Vulnerabilities: Encoded Attack Vector Exploit Examples
- 20. OWASP 20 How to Find IV Vulnerabilities: Web Application Security Assessments Automated Vulnerability Scanning Automated Static Code Analysis Manual Penetration Testing Manual Code Review
- 21. OWASP 21 How to Find Input Validation Flaws: Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling
- 22. OWASP 22 How to Find Input Validation Flaws: Secure Architecture Reviews Validation must be performed on every tier and when crossing trust boundaries
- 23. OWASP 23 How to protect web applications from IV attack vectors Web Server Mitigations: Apache Web Server Modules (e.g. mod rewrite, mod security), SunONE’s NSAPI, Microsoft’s ISAPI Source code validators that use regular expressions for input validation/sanitization and output (HTML, URL) encoding J2EE world the struts framework commons validators http://www.owasp.org/index.php/Struts http://www.owasp.org/index.php/Data_Validation_(Code_Review .NET framework validations implementations for XSS: http://msdn.microsoft.com/en-us/library/ms998274.aspx .NET framework validation strategies for SQL: http://msdn.microsoft.com/en-us/library/ms998271.aspx Secure APIs Validators/Encoders .NET Anti XSS Libraries http://msdn.microsoft.com/en-us/security/aa973814.aspx OWASP ESAPI, AntiSamy Encoding Libraries http://www.owasp.org/index.php/ESAPI http://www.owasp.org/index.php/AntiSamy http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
- 24. OWASP 24 Input Validation Attack Defenses Example In Practice: Structs Validators, Encoding Rules
- 25. OWASP 25 Where to Validate? http://www.secologic.org/downloads/web/070509_secologic-short-guide-to-input-validation.pdf
- 26. OWASP 26 How to validate Source: Design Guidelines for Secure Web Applications http://msdn.microsoft.com/en-us/library/aa302420.aspx
- 27. OWASP 27 Accept known good This strategy is also known as "whitelist" or "positive" validation. The idea is that you should check that the data is one of a set of tightly constrained known good values. Any data that doesn't match should be rejected. Data should be: Strongly typed at all times Length checked and fields length minimized Range checked if a numeric Unsigned unless required to be signed Syntax or grammar should be checked prior to first use or inspection If you expect a postcode, validate for a postcode (type, length and syntax): Example: Regex(“^[A-za-z0-9]{16}$”)
- 28. OWASP 28 Reject Known Bad This strategy, also known as "negative" or "blacklist" validation that is if you don't expect to see characters such as %3f or JavaScript or similar, reject strings containing them. Example: public String removeJavascript(String input) { Pattern p = Pattern.compile("javascript", CASE_INSENSITIVE); p.matcher(input); return (!p.matches()) ? input : ''; } Problem Maintenance ( up to 90 regular expressions, see the CSS Cheat Sheet in the Development Guide 2.0) Subjectible to Filter evasion
- 29. OWASP 29 Sanitize Eliminate or translate characters (such as to HTML entities or to remove quotes) in an effort to make the input "safe". Like blacklists, this approach requires maintenance and is usually incomplete. Example: Remove special characters: ' " ` ; * % _ =&|*?~<>^()[]{}$nr public String quoteApostrophe(String input) { if (input != null) return input.replaceAll("[']", "’"); else return null; }
- 30. OWASP 30 Include Integrity Checks (Server Side Business Validations) What: Ensure that the data has not been tampered with (e.g. client-server) and is the same as before Where: Integrity checks must be included wherever data passes from a trusted to a less trusted boundary What: The type of integrity control (checksum, HMAC, encryption, digital signature) should be directly related to the risk of the data transiting the trust boundary. Example: The account select option parameter ("payee_id") is read by the code, and compared to an already-known list. if (account.hasPayee( session.getParameter("payee_id") )) { backend.performTransfer( session.getParameter("payee_id") ); }
- 31. OWASP 31 Q U E S T I O N S A N S W E R S
- 32. OWASP 32 Book References References and Further Reading OWASP Guide 2.0: A guide to building secure web applications and web services OWASP Testing Guide v2 OWASP Code Review vs1.0 Mike Andrews, J. A Whittaker: How to break Web Software Mike Shema, Hack Notes; Web Security Tom Gallagher et al, Microsoft Press, Hunting Security Bugs David LeBlanc, Microsoft Press, Writing Secure Code 2nd ed)