Slide 1

Stop Exposing Yourself: Exploits, Attacks and Defenses
Geoffrey Tran, Creative Technology, RAPP

Slide 2

About Me
• Creative Technologist at RAPP
• Fun with PHP since 2005
• Contributor to Zend Framework and Symfony2
Download Examples: http://rapp.io/1y

Slide 3

Why even bother?
"Information leakage is one of the biggest issues that organizations are facing"

Slide 4

Why even bother?
"93% of organizations have been hacked at least once in the past two years through insecure Web applications"
State of Web Application Security, Ponemon Institute

Slide 5

Why even bother?
"74% of respondents believe Web applications security is either more critical or equally critical to other security issues faced by their organizations"
State of Web Application Security, Ponemon Institute

Slide 6

Why even bother?
"12% strongly agree that they have ample resources to detect and remediate insecure Web apps"
State of Web Application Security, Ponemon Institute

Slide 7

Why even bother?
"64% do not agree that their organization is able to fix Web application vulnerabilities quickly"
State of Web Application Security, Ponemon Institute

Slide 8

Why even bother?
"88% of respondents say their Web application security budget is less than the organization's coffee budget"
State of Web Application Security, Ponemon Institute
Download Examples: http://bit.ly/NcGSod

Slide 9

OWASP Top 10 Application Security Risks - 2010
1. Injection Attacks
2. Cross Site Scripting (XSS)
3. Authentication and Session Management
4. Unauthorized access/Privilege escalation
5. Cross Site Request Forgery (CSRF)
6. Misconfiguration
7. Insecure Storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Un-validated redirects and forwards
https://www.owasp.org/index.php/Top_10_2010-Main

Slide 10

Overview
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• SQL Injection
• Command Injection
• Remote Code Execution
• Denial of Service
• Unnecessary Information Disclosure

Slide 11

Cross-site scripting (XSS)
• Occurs when
  – Data enters an application through an untrusted source, most frequently a web request
  – The data is included in dynamic content that is sent to a web user without being validated for malicious code
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Slide 12

Cross-site scripting (XSS)
• Types of XSS Attacks
  – Stored XSS Attacks (Persistent)
    • When injected code is stored and unknowingly retrieved by victims
  – Reflected XSS Attacks (Non-Persistent)
    • When injected code is reflected off the application via an un-escaped field
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Slide 13

Cross-site scripting (XSS)
• What can an attacker do with an XSS vulnerability?
  – Launch a phishing attack
  – Steal session and cookie data to log in as the victim
  – Perform unwanted actions as the victim
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Slide 14

CROSS-SITE SCRIPTING (XSS)
Reflected XSS Example
Example: lonestar12/XSS/reflected.php

Slide 15

Cross-site scripting (XSS)
• Imagine you have a search results page
• You display the query a user inputs in the search field
  – "You searched for: dogs"
Example: lonestar12/XSS/reflected.php
[Screenshot of the search page: You searched for: ""]

Slide 16

Cross-site scripting (XSS)
• But what happens if a user enters the following as a query?
  alert('Hi')
Example: lonestar12/XSS/reflected.php
[Screenshot of the search page: You searched for: ""]

Slide 17

Cross-site scripting (XSS)
Example: lonestar12/XSS/reflected.php
[Screenshot of the query being entered: alert('Hi')]

Slide 18

Cross-site scripting (XSS)
We end up with the following output:
Example: lonestar12/XSS/reflected.php
[Screenshot of the results page: Showing results for: "alert('hi')" / You searched for: ""]

Slide 19

Cross-site scripting (XSS)
Example: lonestar12/XSS/reflected.php

Slide 20

CROSS-SITE SCRIPTING (XSS)
MySpace "Samy is my hero" Example
http://namb.la/popular/
http://www.slideshare.net/simon/when-ajax-attacks-web-application-security-fundamentals-presentation

Slide 21

Cross-site scripting (XSS)

Slide 22

Cross-site scripting (XSS)
October 4th, 2005
12:34 pm: You have 73 friends. I decided to release my little popularity program. I'm going to be famous...among my friends.
1:30 am: You have 73 friends and 1 friend request. One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning.
8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit.

Slide 23

Cross-site scripting (XSS)
In 20 hours, "Samy is my hero" spread to 1,005,831 people ...1/35th of all MySpace users

Slide 24

Cross-site scripting (XSS)

Slide 25

Preventing Cross-site scripting (XSS)
• $_GET
• $_POST
• $_COOKIE
• $_REQUEST
• $_FILES
• $_ENV
• $_SERVER
These all can be manipulated by the user
Don't trust anyone …Not even little girls
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Slide 26

Preventing Cross-site scripting (XSS)
• Always validate user input
  – filter_var()
• Escape or filter all output
  – htmlspecialchars()
  – htmlentities()
  – strip_tags()
• Beware of allowing tags through strip_tags(): attributes on the allowed tags are not validated
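The reflected search page from the earlier slides, beside a hardened version, as an added example that is not part of the deck or its downloadable samples. It assumes PHP 7.4+ on the CLI; the request is simulated with a plain array (constructed input, wrapping the slide's alert('Hi') in a script tag) so it runs without a web server, and the helper names e(), renderUnsafe(), renderSafe() and readQuery() are this example's own.

```php
<?php
// Added example, not the deck's code: reflected XSS and its fix in PHP.

declare(strict_types=1);

/**
 * Escape at the point of output, for HTML text or a quoted attribute.
 * ENT_QUOTES also escapes single quotes (needed inside attributes);
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The slide's behaviour: the query is echoed back untouched. */
function renderUnsafe(string $query): string
{
    return 'You searched for: "' . $query . '"';
}

/** Hardened: the same page, escaped on output. */
function renderSafe(string $query): string
{
    return 'You searched for: "' . e($query) . '"';
}

/**
 * Input validation is a separate layer from output escaping. A search
 * query legitimately contains < > & and quotes, so they are not stripped
 * here; reject only what can never be valid (bad encoding, absurd length)
 * and leave the rest to e().
 */
function readQuery(array $get): string
{
    $q = $get['q'] ?? '';
    if (!is_string($q) || !mb_check_encoding($q, 'UTF-8') || mb_strlen($q) > 200) {
        return '';
    }
    return $q;
}

// Constructed request carrying the slide's payload inside a script tag.
$request = ['q' => "<script>alert('Hi')</script>"];
$query   = readQuery($request);

echo renderUnsafe($query), PHP_EOL;   // markup survives: a browser would execute it
echo renderSafe($query), PHP_EOL;     // entities only: a browser shows it as text

// The deck's strip_tags() caveat: an allowed tag keeps its attributes, so
// a tag allow-list is not a substitute for escaping or a real HTML sanitizer.
$kept = strip_tags('<b onclick="x()">bold</b>', '<b>');
echo $kept, PHP_EOL;                  // the onclick attribute is still present
```

Run it with php on the command line: the first line reproduces the slide's unescaped output, the second shows the same payload reduced to HTML entities, and the third shows why strip_tags() with an allowed-tag list leaves event-handler attributes in place.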

Slide 27

Cross-site Request Forgery (CSRF)
• Occurs when victims load a page that contains a malicious request
• Malicious because the request inherits the identity and privileges of the victim, forcing an undesired action on the victim's behalf
  – Posting a tweet
  – Purchasing a product
http://en.wikipedia.org/wiki/Cross-site_request_forgery

Slide 28

CROSS-SITE REQUEST FORGERY (CSRF)
CSRF Example
Example: lonestar12/CSRF/img.html

Slide 29

Cross-site Request Forgery (CSRF)
• An attacker creates a seemingly harmless-looking webpage
• A visitor lands on the page while logged in to their bank's website, which has a CSRF vulnerability
• The malicious page creates a request on behalf of the visitor to transfer funds without permission
Example: lonestar12/CSRF/img.html

Slide 30

CROSS-SITE REQUEST FORGERY (CSRF)
Google Gmail Email Snooping (2007)
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

Slide 31

Cross-site Request Forgery (CSRF)

Slide 32

Cross-site Request Forgery (CSRF)

Slide 33

Cross-site Request Forgery (CSRF)
    document.forms[0].submit();

Slide 34

Cross-site Request Forgery (CSRF)

Slide 35

Preventing CSRF
• Require POST for actions that modify data
• Require a token or "crumb" for all sensitive forms
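Both rules on this slide in one form handler, as an added example that is not the deck's code: a per-session synchronizer token is embedded in every state-changing form and checked, together with the request method, before anything is modified. It assumes PHP 7.0+ (random_bytes, hash_equals); the session array and the request data are passed in explicitly so it can be exercised offline, and the key name _csrf_token and the field name _token are this example's own choices.

```php
<?php
// Added example, not the deck's code: POST-only handling plus a CSRF token.

declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';   // constructed key name

/** Return the session's CSRF token, creating a random one on first use. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden field to embed in every form that changes state. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept the request only if it is a POST carrying the session's token.
 * hash_equals() compares in constant time, so response timing does not
 * reveal how many leading bytes of a guess were right.
 */
function csrfRequestIsValid(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;                     // the slide's first rule
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post['_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// --- Demonstration with constructed requests ------------------------------
$session = [];
echo csrfField($session), PHP_EOL;        // goes inside <form method="post">

// A forged cross-site request (the <img> or auto-submitted form from the
// earlier slides) cannot read the victim's session, so it has no token.
var_dump(csrfRequestIsValid('POST', ['amount' => '1000'], $session));

// Even with the token, a GET must never change state.
var_dump(csrfRequestIsValid('GET', ['_token' => $session[CSRF_SESSION_KEY]], $session));

// The genuine form submission echoes the token back and is accepted.
var_dump(csrfRequestIsValid('POST', ['_token' => $session[CSRF_SESSION_KEY], 'amount' => '1000'], $session));
```

In a real application the session array is $_SESSION after session_start(), and the handler refuses the request (for example with a 403) when csrfRequestIsValid() returns false. The forged and GET requests are rejected and only the genuine submission passes.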

Slide 36

Preventing CSRF

Slide 37

Preventing CSRF (crossdomain.xml)
• Do not use the following as your crossdomain.xml
• Putting this at example.com/crossdomain.xml allows Flash applets on other sites to make requests to your site on behalf of the user

Slide 38

SQL Injection
• Occurs when attackers inject un-escaped SQL commands into a predefined SQL query
http://xkcd.com/327/

Slide 39

SQL INJECTION
SQL Injection Example
Example: lonestar12/SQL Injection/img.html

Slide 40

SQL Injection
• Beware of un-escaped user input
• Use prepared statements or proper quoting instead

Vulnerable (user input concatenated into the query):
    $pdo->exec('INSERT INTO `comments` (`body`) VALUES ("' . $_POST['body'] . '")');

Prepared statement:
    $stmt = $pdo->prepare('INSERT INTO `comments` (`body`) VALUES (:body)');
    $stmt->bindParam(':body', $_POST['body']);
    $stmt->execute();
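The comment insert from this slide, carried through both safe forms the slide names (a bound parameter and driver-side quoting), as an added example that is not the deck's code. It runs against an in-memory SQLite database so it works offline; it assumes the pdo_sqlite extension, and the table name, the helper names and the hostile-looking input are constructed for the demonstration.

```php
<?php
// Added example, not the deck's code: bound parameters and PDO::quote().

declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

/** Bound parameter: the body travels as data and is never parsed as SQL. */
function addComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

/**
 * "Proper quoting" for the rare place a value cannot be bound: PDO::quote()
 * applies the driver's own quoting rules. Prefer binding whenever possible.
 */
function addCommentQuoted(PDO $pdo, string $body): int
{
    $pdo->exec('INSERT INTO comments (body) VALUES (' . $pdo->quote($body) . ')');
    return (int) $pdo->lastInsertId();
}

/** Read every comment body back, in insertion order. */
function fetchBodies(PDO $pdo): array
{
    return $pdo->query('SELECT body FROM comments ORDER BY id')
               ->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = openDb();

// Constructed input in the spirit of the xkcd strip the deck cites: quotes
// and a statement terminator that would break the concatenated query.
$input = '"); DROP TABLE comments; --';

addComment($pdo, $input);
addCommentQuoted($pdo, $input);

// Both rows hold the literal text and the table still exists.
foreach (fetchBodies($pdo) as $body) {
    echo $body, PHP_EOL;
}
```

With MySQL the same code applies; there it is also worth setting PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, separates the statement from its parameters.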

Slide 41

SQL INJECTION
MySQL.com Website Falls Victim to SQL Injection Attack
http://www.pcworld.com/businesscenter/article/223457/mysql_website_falls_victim_to_sql_injection_attack.html
http://pastebin.com/BayvYdcP

Slide 42

Command Injection
• Occurs when an attacker is able to inject system commands
• Command injection attacks are possible in most cases because of a lack of correct input data validation

Slide 43

COMMAND INJECTION
Command Injection Example
Example: lonestar12/Command Injection/example.php

Slide 44

Command Injection
• A simple nslookup page
[Screenshot of the nslookup page: google, yahoo]

Slide 45

Command Injection
• What if $_GET['host'] contained
  – google.com && ls /
Example: lonestar12/Command Injection/example.php
[Screenshot of the nslookup page: google, yahoo]

Slide 46

Command Injection
Example: lonestar12/Command Injection/example.php
    example.php?host=google.com %26%26 ls -a /

Slide 47

Preventing Command Injection
• Escape shell commands
  – escapeshellarg()
  – escapeshellcmd()
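The nslookup page from the preceding slides, hardened with both layers a practitioner would want (validate the hostname, then escape the one argument), as an added example that is not the deck's sample code. It assumes PHP 7.0+ for FILTER_VALIDATE_DOMAIN and an nslookup binary on the PATH when a lookup is actually run; the helper names and the constructed requests at the bottom are this example's own.

```php
<?php
// Added example, not the deck's code: a command-injection-safe nslookup page.

declare(strict_types=1);

/**
 * Allow only a syntactically valid hostname. This is the first line of
 * defence: a hostname never contains spaces, '&', ';' or '|', and with
 * FILTER_FLAG_HOSTNAME each label must start with a letter or digit, so
 * "google.com && ls /" and option-like values such as "-debug" are rejected
 * before the shell is ever involved.
 */
function validHostname(string $host): bool
{
    return strlen($host) <= 253
        && filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

/**
 * Second line: escapeshellarg() wraps the value in single quotes and escapes
 * any embedded single quote, so the shell sees exactly one argument.
 * escapeshellcmd() is meant for a whole command string and is the wrong tool
 * for a single argument: it leaves spaces alone, so extra arguments could
 * still be smuggled in.
 */
function buildLookupCommand(string $host): string
{
    return 'nslookup ' . escapeshellarg($host);
}

/** The page's handler: validate, escape, run, and return the output. */
function lookup(array $get): string
{
    $host = $get['host'] ?? '';
    if (!is_string($host) || !validHostname($host)) {
        return 'Invalid hostname.';
    }
    $output = [];
    $status = 0;
    exec(buildLookupCommand($host), $output, $status);
    return $status === 0 ? implode(PHP_EOL, $output) : 'Lookup failed.';
}

// Constructed requests, so the checks can be seen without a web server.
var_dump(validHostname('google.com'));
var_dump(validHostname('google.com && ls /'));   // the slide's payload
var_dump(validHostname('-debug'));
echo buildLookupCommand("it's.example"), PHP_EOL; // the quote is neutralised
```

Only the first var_dump() is true. The last line shows what the shell receives for a value containing a quote: a single quoted token, so even if validation were loosened, the argument could not terminate the command.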

Slide 48

Denial of Service (DoS)
• A DoS attack focuses on making a service unavailable or degraded to users

Slide 49

Methods of DoS Attacks
• ICMP flood
• SYN flood
• Teardrop attacks
• Low-rate attacks
• Peer-to-peer attacks
• Asymmetry of resource utilization in starvation
• Permanent DoS attacks
• Application-level floods
• Nuke
• R-U-Dead-Yet?
• Distributed attacks
• Reflected / Spoofed attacks
• Degradation-of-service attacks
• Unintentional DoS

Slide 50

DENIAL OF SERVICE (DOS)
Slowloris Denial of Service Example
Example: lonestar12/Denial of Service/slowloris.php

Slide 51

Slowloris Denial of Service (DoS)
• Slowloris Attack
  – Tries to keep many connections to the target web server open and hold them open as long as possible.
  – It accomplishes this by opening connections to the target web server and sending a partial request.
  – Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request.
  – Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients
Example: lonestar12/Denial of Service/slowloris.php

Slide 52

Denial of Service (DoS)
• Slowloris affects the following webservers
  – Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer
Example: lonestar12/Denial of Service/slowloris.php
    # php slowloris.php get 100000 jakefolio.com

Slide 53

Preventing Denial of Service (DoS) Attacks
• Apache
  – mod_security, mod_evasive, mod_qos, mod_antiloris
• Look into proper firewalls and intrusion detection systems
Example: lonestar12/Denial of Service/slowloris.php

Slide 54

Unnecessary Information Disclosure
– Reduce your attack surface
• PHP displaying errors/exceptions
• Exposing PHP information
• Exposing Apache information
• Exposing Server information

Slide 55

Unnecessary Information Disclosure
Reduce your attackable surfaces
Hide displaying of errors and exceptions
    ; php.ini
    display_errors = Off
OR
    ini_set('display_errors', false);
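Turning display_errors off is only half of the fix: the details still have to go somewhere an operator can read them, and the user still needs a usable error page. The following is an added example, not the deck's code, of a production error setup in PHP that keeps errors out of the response while logging them with a correlation id. It assumes PHP 7.0+ (Throwable) and that error_log() writes to the destination configured in php.ini; the failSafely() helper and the failing PDO connection at the end (a constructed DSN with placeholder credentials) are this example's own.

```php
<?php
// Added example, not the deck's code: log the details, show the user nothing.

declare(strict_types=1);

ini_set('display_errors', '0');   // the slide's rule: never echo errors to the client
ini_set('log_errors', '1');       // ...but keep them for the operator

// Route warnings and notices through the one exception handler below, so a
// stray notice cannot print file paths or variable contents into the page.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;             // respect the @ operator / error_reporting()
    }
    throw new ErrorException($msg, 0, $no, $file, $line);
});

/**
 * Build the generic message the user sees. The exception class, message,
 * file and line (which may contain DSNs, paths or SQL) go only to the log,
 * tied to the response by a short random reference.
 */
function failSafely(Throwable $e): string
{
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf(
        '[%s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    return "Something went wrong. Reference: $ref";
}

set_exception_handler(function (Throwable $e): void {
    http_response_code(500);
    echo failSafely($e), PHP_EOL;
});

// Constructed failure: a connection attempt whose raw exception text would
// reveal the database host and user name if it were displayed.
new PDO('mysql:host=db.internal;dbname=app', 'app_user', 'placeholder-password');
```

Run on the CLI the last line fails (no reachable server, or no driver), the handler prints only the generic line with its reference, and the full PDOException text appears in the error log. Quoting the reference in a support ticket lets the operator find the matching log entry without any of it having reached the browser.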

Slide 56

Unnecessary Information Disclosure
Reduce your attackable surfaces
Hide exposure of PHP
    ; php.ini
    expose_php = Off
Example response headers:
    HTTP/1.1 200 OK
    Date: Fri, 29 Jun 2012 17:02:54 GMT
    Server: Apache/2.2.16 (Ubuntu)
    X-Powered-By: PHP/5.3.3-1ubuntu9.6
    Vary: Accept-Encoding
    Content-Type: text/html

Slide 57

Unnecessary Information Disclosure
Reduce your attackable surfaces
Hide exposure of Apache
    # Debian
    # /etc/apache2/apache2.conf
    ServerTokens prod
Example response headers:
    HTTP/1.1 200 OK
    Date: Fri, 29 Jun 2012 17:02:54 GMT
    Server: Apache/2.2.16 (Ubuntu)
    Vary: Accept-Encoding
    Content-Type: text/html

Slide 58

Unnecessary Information Disclosure
Reduce your attackable surfaces
Don't expose your database, search server, memcache, mail server, etc...
Configure your firewall

Slide 59

Stop Exposing Yourself: Exploits, Attacks and Defenses
@geoffreytran
http://www.linkedin.com/in/geoffreytran
[email protected]