
Stop Exposing Yourself: Exploits, Attacks and Defenses

A talk about security issues and exploits on the web, with a focus on PHP. We will cover common exploits and how to defend against them.

Geoffrey Tran

July 03, 2012

Transcript

  1. Stop Exposing Yourself
    Exploits, Attacks and Defenses
    Geoffrey Tran
    Creative Technology, RAPP

  2. About Me
    •  Creative Technologist at RAPP
    •  Fun with PHP since 2005
    •  Contributor to Zend Framework and
    Symfony2
    Download Examples: http://rapp.io/1y

  3. Why even bother?
    “Information leakage is one of
    the biggest issues that
    organizations are facing”

  4. Why even bother?
    “93% of organizations have been
    hacked at least once in the past
    two years through insecure Web
    applications”
    State of Web Application Security, Ponemon Institute

  5. Why even bother?
    “74% of respondents believe Web
    applications security is either more
    critical or equally critical to other
    security issues faced by their
    organizations”
    State of Web Application Security, Ponemon Institute

  6. Why even bother?
    “12% strongly agree that they
    have ample resources to detect
    and remediate insecure Web
    apps”
    State of Web Application Security, Ponemon Institute

  7. Why even bother?
    “64% do not agree that their
    organization is able to fix Web
    application vulnerabilities
    quickly”
    State of Web Application Security, Ponemon Institute

  8. Why even bother?
    “88% of respondents say their
    Web application security budget
    is less than the organization’s
    coffee budget”
    State of Web Application Security, Ponemon Institute
    Download Examples: http://bit.ly/NcGSod

  9. OWASP Top 10 Application Security Risks - 2010
    1.  Injection
    2.  Cross-Site Scripting (XSS)
    3.  Broken Authentication and Session Management
    4.  Insecure Direct Object References
    5.  Cross-Site Request Forgery (CSRF)
    6.  Security Misconfiguration
    7.  Insecure Cryptographic Storage
    8.  Failure to Restrict URL Access
    9.  Insufficient Transport Layer Protection
    10. Unvalidated Redirects and Forwards
    https://www.owasp.org/index.php/Top_10_2010-Main

  10. Overview
    •  Cross-site scripting (XSS)
    •  Cross-site request forgery (CSRF)
    •  SQL Injection
    •  Command Injection
    •  Remote Code Execution
    •  Denial of Service
    •  Unnecessary Information Disclosure

  11. Cross-site scripting (XSS)
    •  Occurs when
    – Data enters an application through an untrusted source, most frequently a web request
    – The data is included in dynamic content that is sent to a web user without being validated, and without being encoded for the context it lands in (HTML body, attribute value, script)
    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

  12. Cross-site scripting (XSS)
    •  Types of XSS Attacks
    – Stored XSS Attacks (Persistent)
    •  When injected code is stored and unknowingly
    retrieved by victims
    – Reflected XSS Attacks (Non-Persistent)
    •  When injected code is reflected off the
    application via an un-escaped field
    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

  13. Cross-site scripting (XSS)
    •  What can an attacker do with an XSS
    vulnerability?
    – Launch a phishing attack
    – Steal session and cookie data to log in as
    the victim
    – Perform unwanted actions as the victim
    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

  14. CROSS-SITE SCRIPTING (XSS)
    Reflected XSS Example
    Example: lonestar12/XSS/reflected.php

  15. Cross-site scripting (XSS)
    •  Imagine you have a search results page
    •  You display the query a user inputs in
    the search field
    – “You searched for: dogs”
    Example: lonestar12/XSS/reflected.php
    You searched for: ""

  16. Cross-site scripting (XSS)
    •  But what happens if a user enters the
    following as a query?
    Example: lonestar12/XSS/reflected.php
    <script>alert('Hi')</script>
    You searched for: ""

  17. Cross-site scripting (XSS)
    Example: lonestar12/XSS/reflected.php
    <script>alert('Hi')</script>

  18. Cross-site scripting (XSS)
    We end up with the following output:
    Example: lonestar12/XSS/reflected.php
    Showing results for: "<script>alert('hi')</script>"
    You searched for: ""

  19. Cross-site scripting (XSS)
    Example: lonestar12/XSS/reflected.php

  20. CROSS-SITE SCRIPTING (XSS)
    MySpace “Samy is my hero” Example
    http://namb.la/popular/
    http://www.slideshare.net/simon/when-ajax-attacks-web-application-security-fundamentals-presentation

  21. Cross-site scripting (XSS)

  22. Cross-site scripting (XSS)
    October 4th, 2005
    12:34 pm: You have 73 friends.
    I decided to release my little popularity program. I'm going to be
    famous...among my friends.
    1:30 am: You have 73 friends and 1 friend request.
    One of my friends' girlfriend looks at my profile. She's obviously
    checking me out. I approve her inadvertent friend request and go to
    bed grinning.
    8:35 am: You have 74 friends and 221 friend requests.
    Woah. I did not expect this much. I'm surprised it even worked.. 200
    people have been infected in 8 hours. That means I'll have 600 new
    friends added every day. Woah.
    9:30 am: You have 74 friends and 480 friend requests.
    Oh wait, it's exponential, isn't it. Shit.

  23. Cross-site scripting (XSS)
    In 20 hours,
    “Samy is my hero” spread to
    1,005,831 people
    ...1/35th of all MySpace users

  24. Cross-site scripting (XSS)

  25. Preventing Cross-site scripting (XSS)
    •  $_GET
    •  $_POST
    •  $_COOKIE
    •  $_REQUEST
    •  $_FILES
    •  $_ENV
    •  $_SERVER
    These can all be manipulated by the user ($_SERVER included: HTTP_* headers, REQUEST_URI and PHP_SELF all come from the request)
    Don’t trust anyone
    …Not even little girls
    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

  26. Preventing Cross-site scripting (XSS)
    •  Always validate user input
    – filter_var()
    •  Escape or filter all output, for the context it is written into
    – htmlspecialchars()
    – htmlentities()
    – strip_tags()
    •  Beware of strip_tags() with an allowed-tags list: attributes on the allowed tags are not validated, so <a onclick="..."> passes straight through
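
The reflected search page above, vulnerable and hardened side by side, as an added example; this is not the deck's reflected.php, and the function names, the `q` parameter and the payload strings are constructed for the demonstration:

```php
<?php
// Added example (not code from the deck). Shows the reflected-XSS search page
// in its vulnerable form, the hardened form, and two traps the slides warn
// about: attribute context and strip_tags() with an allow-list.
declare(strict_types=1);

// Vulnerable: the query is echoed straight into the HTML body.
function renderSearchVulnerable(string $q): string
{
    return '<p>You searched for: "' . $q . '"</p>';
}

// Encode for the HTML context. ENT_QUOTES also encodes single quotes,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "", and the
// explicit charset closes off multibyte tricks.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: same page, output encoded.
function renderSearchSafe(string $q): string
{
    return '<p>You searched for: "' . e($q) . '"</p>';
}

// Attribute context: the attribute must be quoted AND the value encoded,
// otherwise a payload like  " onmouseover="alert(1)  breaks out of the value.
function renderSearchBox(string $q): string
{
    return '<input type="text" name="q" value="' . e($q) . '">';
}

// strip_tags() keeps attributes on the tags it allows, so an event handler
// on an allowed tag survives. An allow-list of tag names is not a sanitizer.
function stripTagsIsNotEnough(string $s): string
{
    return strip_tags($s, '<b>');
}

// Constructed inputs, standing in for $_GET['q'].
$payload = "<script>alert('Hi')</script>";
echo renderSearchVulnerable($payload), PHP_EOL;   // script runs in the victim's browser
echo renderSearchSafe($payload), PHP_EOL;         // rendered as literal text
echo renderSearchBox('" onmouseover="alert(1)'), PHP_EOL;
echo stripTagsIsNotEnough('<b onclick="alert(1)">hi</b>'), PHP_EOL;   // onclick survives
```

Run it with `php reflected_example.php` and compare the four lines: only the first and last still contain executable markup.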

  27. Cross-site Request Forgery (CSRF)
    •  Occurs when victims load a page that
    contains a malicious request
    •  Malicious because the request inherits
    the identity and privileges of the victim
    forcing an undesired action on the
    victim’s behalf.
    – Posting a tweet
    – Purchasing a product
    http://en.wikipedia.org/wiki/Cross-site_request_forgery

  28. CROSS-SITE REQUEST FORGERY (CSRF)
    CSRF Example
    Example: lonestar12/CSRF/img.html

  29. Cross-site Request Forgery (CSRF)
    •  An attacker creates a seemingly harmless
    looking webpage
    •  A visitor lands on the page while logged in
    to their bank's website, which has a CSRF
    vulnerability
    •  The malicious page creates a request on
    behalf of the visitor to transfer funds
    without permission
    <img src="http://bank.com/transferFunds?amount=5000&to=Geoff's Bank Account" width="0" height="0" />
    Example: lonestar12/CSRF/img.html

  30. CROSS-SITE REQUEST FORGERY (CSRF)
    Google Gmail Email Snooping (2007)
    http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

  31. Cross-site Request Forgery (CSRF)

  32. Cross-site Request Forgery (CSRF)

  33. Cross-site Request Forgery (CSRF)
    <form action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf"
          enctype="multipart/form-data">
      <input type="hidden" … value="[email protected]"/>
    </form>
    <script>document.forms[0].submit();</script>

  34. Cross-site Request Forgery (CSRF)

  35. Preventing CSRF
    •  Require POST for actions that modify data (necessary, but not sufficient on its own: the Gmail form above was a POST)
    •  Require a token or “crumb” for all sensitive forms, generated from a CSPRNG, tied to the session and compared in constant time
    View Slide

  36. Preventing CSRF
    <?php
    session_start();
    // One token per session, from a CSPRNG. The original md5(uniqid("", true))
    // is predictable and is not a substitute for real randomness.
    if (!isset($_SESSION['csrfToken'])) {
        $_SESSION['csrfToken'] = bin2hex(random_bytes(32));
    }
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $submitted = $_POST['csrf_token'] ?? '';
        // hash_equals(): constant-time, and immune to the "0e123" == "0e456" loose-comparison trap
        if (is_string($submitted) && hash_equals($_SESSION['csrfToken'], $submitted)) {
            // SUCCESS
        } else {
            // FAILURE
            header('HTTP/1.0 403 Forbidden');
            exit;
        }
    }
    ?>
    <form method="post" action="">
        <input type="hidden" name="csrf_token"
               value="<?php echo htmlspecialchars($_SESSION['csrfToken'], ENT_QUOTES, 'UTF-8'); ?>" />
        <input type="submit" value="Save" />
    </form>

  37. Preventing CSRF (crossdomain.xml)
    •  Do not use a wildcard crossdomain.xml, i.e. one whose only rule is <allow-access-from domain="*"/>
    •  Putting that at example.com/crossdomain.xml allows Flash applets on other sites to make requests to your site on behalf of the user, with the user's cookies attached, and to read the responses
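
A restrictive crossdomain.xml, as an added example rather than the deck's own file; the permissive line the slide warns against is shown in the comment, and the two hostnames are placeholders:

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Added example, not the deck's file. The policy the slide warns against
       consists of this single rule:
           <allow-access-from domain="*"/>
       which lets a Flash movie on any site call your pages with the visitor's
       cookies and read the reply. Allow only origins you control instead. -->
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>
```

If no Flash content on another origin needs to call the site, the safest policy is no crossdomain.xml at all.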

  38. SQL Injection
    •  Occurs when user input is concatenated, unescaped, into a predefined SQL query, so the attacker's input is parsed as SQL rather than treated as a value
    http://xkcd.com/327/

  39. SQL INJECTION
    SQL Injection Example
    Example: lonestar12/SQL Injection/img.html

  40. SQL Injection
    •  Beware of unescaped user input
    •  Use prepared statements (or, failing that, the driver's own quoting) instead
    <?php
    // Vulnerable: $_POST['body'] is spliced straight into the SQL text
    $pdo->exec('INSERT INTO `comments` (`body`) VALUES ("' . $_POST['body'] . '")');

    // Fixed: the SQL text is constant; the value travels separately as a parameter
    $stmt = $pdo->prepare('INSERT INTO `comments` (`body`) VALUES (:body)');
    $stmt->bindParam(':body', $_POST['body']);
    $stmt->execute();
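
The comment insert above run both ways against an in-memory SQLite database, as an added example that is not from the deck, so the effect of an injected value is visible without a MySQL server; the table, the payload and the helper names are constructed for this demonstration, and the vulnerable statement uses single quotes so that the same payload works on MySQL and SQLite alike:

```php
<?php
// Added example (not code from the deck): the same INSERT built by string
// concatenation and as a prepared statement, run against in-memory SQLite.
declare(strict_types=1);

function newDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Vulnerable: the value becomes part of the SQL text.
function insertVulnerable(PDO $pdo, string $body): void
{
    $pdo->exec("INSERT INTO comments (body) VALUES ('" . $body . "')");
}

// Hardened: the SQL text is fixed; the value is bound as a parameter.
function insertSafe(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
}

function allBodies(PDO $pdo): array
{
    return $pdo->query('SELECT body FROM comments ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed payload: closes the string literal and the VALUES tuple, then
// opens a second row of the attacker's choosing. The trailing quote and
// parenthesis are supplied by the application's own SQL.
$payload = "harmless'), ('injected by attacker";

$db = newDb();
insertVulnerable($db, $payload);
var_dump(allBodies($db));   // two rows: "harmless" and "injected by attacker"

$db = newDb();
insertSafe($db, $payload);
var_dump(allBodies($db));   // one row, containing the payload verbatim

// A lone single quote in $payload would make the vulnerable path throw a
// syntax error, which is the usual first sign when probing for injection.
```

Requires the pdo_sqlite extension, which ships with most PHP builds.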

  41. SQL INJECTION
    MySQL.com Website Falls Victim to SQL Injection Attack
    http://www.pcworld.com/businesscenter/article/223457/mysql_website_falls_victim_to_sql_injection_attack.html
    http://pastebin.com/BayvYdcP

  42. Command Injection
    •  Occurs when an attacker is able to inject operating-system commands into a command line the application hands to a shell (system(), exec(), shell_exec(), backticks)
    •  Command injection attacks are possible in most cases because of a lack of correct input data validation, compounded by building the command line through string concatenation

  43. COMMAND INJECTION
    Command Injection Example
    Example: lonestar12/Command Injection/example.php

  44. Command Injection
    •  A simple nslookup page
    <?php
    $host = 'google';
    if (isset($_GET['host'])) {
        $host = $_GET['host'];   // unvalidated, concatenated straight into the command line
    }
    system("nslookup " . $host);
    ?>

  45. Command Injection
    •  What if $_GET['host'] contained
    – google.com && ls /
    Example: lonestar12/Command Injection/example.php
    <?php
    $host = 'google';
    if (isset($_GET['host'])) {
        $host = $_GET['host'];
    }
    system("nslookup " . $host);   // the shell now runs: nslookup google.com && ls /
    ?>

  46. Command Injection
    Example: lonestar12/Command Injection/example.php
    example.php?host=google.com %26%26 ls -a /
    (%26%26 is the URL encoding of &&, so the server receives "google.com && ls -a /")

  47. Preventing Command Injection
    •  Escape shell arguments
    – escapeshellarg(): quotes one value so it stays exactly one argument
    – escapeshellcmd(): escapes shell metacharacters in a whole command line, but does not fix argument boundaries
    <?php
    // Example from the PHP manual. escapeshellcmd() keeps && ; | and friends from
    // reaching the shell, but the untrusted string can still add arguments of its
    // own (e.g. --prefix=/tmp/evil), so this is only acceptable where extra
    // arguments are harmless.
    // We allow arbitrary number of arguments intentionally here.
    $command = './configure '.$_POST['configure_options'];
    $command = escapeshellcmd($command);
    system($command);

    // For one untrusted value, quote it as a single argument instead
    system('ls '.escapeshellarg($dir));
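
The nslookup page hardened, as an added example that is not the deck's example.php: a hostname allow-list with filter_var(), escapeshellarg() for the one value that reaches the shell, and a variant that avoids the shell entirely. The helper names and the sample inputs are constructed here.

```php
<?php
// Added example (not code from the deck): three layers for the nslookup page.
declare(strict_types=1);

// Layer 1: validate. Only a syntactically valid hostname is accepted at all,
// which already excludes spaces, &&, ;, newlines and the like.
function isValidHostname(string $host): bool
{
    return strlen($host) <= 253
        && filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Layer 2: even a validated value is quoted so it can only ever be one argument.
// Returns null for rejected input so the caller cannot run an unchecked command.
function buildLookupCommand(string $host): ?string
{
    if (!isValidHostname($host)) {
        return null;
    }
    return 'nslookup ' . escapeshellarg($host);
}

// Layer 3 (alternative): no shell at all. Since PHP 7.4 proc_open() accepts an
// argv array and starts the program directly, so metacharacters are never
// interpreted by anything.
function runLookupWithoutShell(string $host): ?string
{
    if (!isValidHostname($host)) {
        return null;
    }
    $proc = proc_open(['nslookup', $host], [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: a legitimate name, the deck's payload, and a newline trick.
foreach (['google.com', 'google.com && ls /', "google.com\nid"] as $input) {
    $cmd = buildLookupCommand($input);
    printf("%-24s -> %s\n", json_encode($input), $cmd ?? 'rejected');
}
// "google.com"            -> nslookup 'google.com'
// the other two are rejected by the hostname check. Even without that check,
// escapeshellarg() would produce  nslookup 'google.com && ls /'  and nslookup
// would look up one nonsensical name instead of the shell running ls.
```

runLookupWithoutShell() needs network access and the nslookup binary, so the demo loop only builds the command line; in the page itself, call it (or system() with the built command) only after a non-null return.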

  48. Denial of Service (DoS)
    •  A DoS attack focuses on making a
    service unavailable or degraded to
    users

  49. Methods of DoS Attacks
    •  ICMP flood
    •  SYN flood
    •  Teardrop attacks
    •  Low-rate attacks
    •  Peer-to-peer attacks
    •  Asymmetry of resource utilization in starvation
    •  Permanent DoS attacks
    •  Application-level floods
    •  Nuke
    •  R-U-Dead-Yet?
    •  Distributed attacks
    •  Reflected / Spoofed attacks
    •  Degradation-of-service attacks
    •  Unintentional DoS

  50. DENIAL OF SERVICE (DOS)
    Slowloris Denial of Service Example
    Example: lonestar12/Denial of Service/slowloris.php

  51. Slowloris Denial of Service (DoS)
    •  Slowloris Attack
    –  Tries to keep many connections to the target web
    server open and hold them open as long as
    possible.
    –  It accomplishes this by opening connections to the
    target web server and sending a partial request.
    –  Periodically, it will send subsequent HTTP
    headers, adding to—but never completing—the
    request.
    –  Affected servers will keep these connections open,
    filling their maximum concurrent connection
    pool, eventually denying additional connection
    attempts from clients
    Example: lonestar12/Denial of Service/slowloris.php

  52. Denial of Service (DoS)
    •  Slowloris affects the following webservers
    –  Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer
    –  i.e. servers that dedicate a thread or process to each open connection; event-driven servers are not starved the same way
    Example: lonestar12/Denial of Service/slowloris.php
    # php slowloris.php get 100000 jakefolio.com

  53. Preventing Denial of Service (DoS) Attacks
    •  Apache
    – mod_security, mod_evasive, mod_qos,
    mod_antiloris
    •  Look into proper firewalls and
    intrusion detection systems
    Example: lonestar12/Denial of Service/slowloris.php
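
Alongside the modules listed above, Apache's bundled mod_reqtimeout (2.2.15 and later) addresses the slow-header trick directly. The configuration below is an added example, not from the deck; the LoadModule path is platform-specific (Debian enables the module with a2enmod instead) and the timeout values are a starting point, not a tuned setting:

```apache
# Added example (not from the deck): cut off clients that trickle a request.
# Adjust the LoadModule path for your distribution, or use a2enmod on Debian.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# Headers must be complete within 20 s; the deadline stretches to at most 40 s
# only while the client keeps sending at 500 bytes/s or more. The body gets the
# same treatment. A Slowloris connection sending one header every few seconds
# never reaches that rate and is closed.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Idle keep-alive connections should not hold a worker for long either.
KeepAliveTimeout 5
```

This only protects the per-connection worker pool that Slowloris targets; volumetric floods still need the firewall and upstream filtering the slide mentions.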

  54. Unnecessary Information Disclosure
    – Reduce your attack surface
    •  PHP displaying errors/exceptions
    •  Exposing php information
    •  Exposing Apache information
    •  Exposing Server information

  55. Unnecessary Information Disclosure
    Reduce your attackable surfaces
    Hide displaying of errors and exceptions, but keep logging them (log_errors = On, with error_log pointing at a file outside the web root)
    ; php.ini
    display_errors = Off
    OR
    ini_set('display_errors', '0');
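
A production error policy that goes with those settings, as an added example rather than code from the deck: full detail goes to the log, the client only ever sees a generic page with a reference id. The log path, the response body and the triggering bug are assumptions made for the demonstration.

```php
<?php
// Added example (not code from the deck): log everything, show nothing.
declare(strict_types=1);

// Runtime equivalents of the php.ini settings on the slide.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumption: writable by the PHP user, not served by the web server
error_reporting(E_ALL);

// Promote warnings and notices to exceptions so no stray message carrying a
// file path or SQL fragment ever lands in the middle of a page.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false;   // silenced with @, leave it to PHP
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// The generic response. The reference id lets support find the log line
// without the page revealing anything about the failure.
function genericErrorResponse(string $referenceId): string
{
    return '<h1>Something went wrong</h1><p>Reference: '
        . htmlspecialchars($referenceId, ENT_QUOTES, 'UTF-8') . '</p>';
}

set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));
    // Full detail to the log only.
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
        header('Content-Type: text/html; charset=UTF-8');
    }
    echo genericErrorResponse($ref);
});

// Constructed trigger: a division by zero. On PHP 7 this is a warning turned
// into an ErrorException above; on PHP 8 it is a DivisionByZeroError. Either
// way the visitor sees only the generic page.
$total = 0;
echo 100 / $total;
```

Run it with `php error_policy.php`: the terminal shows the generic page and the details appear in the log file only.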

  56. Unnecessary Information Disclosure
    Reduce your attackable surfaces
    Hide exposure of PHP
    ; php.ini
    expose_php = Off
    Response before the change; the X-Powered-By header disappears once expose_php is off:
    HTTP/1.1 200 OK
    Date: Fri, 29 Jun 2012 17:02:54 GMT
    Server: Apache/2.2.16 (Ubuntu)
    X-Powered-By: PHP/5.3.3-1ubuntu9.6
    Vary: Accept-Encoding
    Content-Type: text/html

  57. Unnecessary Information Disclosure
    Reduce your attackable surfaces
    Hide exposure of Apache (and set ServerSignature Off as well, so error pages stop printing the version)
    # Debian
    # /etc/apache2/apache2.conf
    ServerTokens Prod
    Response before the change; with ServerTokens Prod the Server header shrinks to "Apache":
    HTTP/1.1 200 OK
    Date: Fri, 29 Jun 2012 17:02:54 GMT
    Server: Apache/2.2.16 (Ubuntu)
    Vary: Accept-Encoding
    Content-Type: text/html

  58. Unnecessary Information Disclosure
    Reduce your attackable surfaces
    Don’t expose your database, search server, memcache, mail server, etc. to the Internet
    Bind them to localhost or a private interface, and configure your firewall to drop everything else

  59. Stop Exposing Yourself
    Exploits, Attacks and Defenses
    @geoffreytran
    http://www.linkedin.com/in/geoffreytran
    [email protected]