Web Security: Thinking like an Attacker
Christine, MIT Lincoln Laboratory, October 2016
This work is sponsored by the Department of the Air Force under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government.
Web App Development
Software Development Process
“Just think like an attacker” -Every Manager
Traditional Requirements
• Performance
• Functionality
• Usability
Web Security- 2 CMC 10/13/16
Thinking Like an Attacker – Where to Begin?
OWASP Top 10 for 2013
Attack Target
Broken Authentication & Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
• OWASP Top Ten provides the most critical web application security flaws [11]
• Security experts' blogs:
– Schneier on Security: https://www.schneier.com/
– Krebs on Security: http://krebsonsecurity.com
– FireEye blog: https://www.fireeye.com/blog.html
• Server-Side Attack
• Client-Side Attack
Simple Web Application Architecture
Heartbleed: Introduction
The Transport Layer Security (TLS) option provides secure network communication.
This server-side attack method is targeted at extracting data from the system component providing secure communication.
Heartbleed: How does it work?
http://xkcd.com/1354
Heartbleed: Practice Execution
• Build your own web server vulnerable to the exploit
Clone the openssl repository
> git clone git://git.openssl.org/openssl.git
> cd openssl
Check out the latest version vulnerable to the Heartbleed exploit
> git checkout tags/OpenSSL_1_0_1f
Configure and build the source
> ./config
> make
The apps directory contains the resulting executable
Generate a private key
> ./openssl genrsa -out server.pem 1024
Generate a self-signed certificate for localhost and append it to server.pem
> ./openssl req -new -x509 -key server.pem -subj /CN=localhost >> server.pem
Start the server (listens on port 4433 by default)
> ./openssl s_server -www
Operating System: Linux | Windows
HTTP Server: Apache | IIS | nginx | GWS
Heartbleed: Practice Execution
Heartbleed: Practice Execution
• Source credit from various github projects:
– https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
– https://gist.github.com/sh1n0b1/10100394
Heartbleed: Practice Execution
Execute the code
> python ssltestv2.py
received heartbeat response with payload size 16384
localhost serving on port 4433 is vulnerable
Heartbleed: Discovery & Exploitation
Intended usage:
char c[28];
char *bar;
memcpy(c, bar, strlen(bar));
Input manipulation:
bar = "my string is too long !!!!! \x10\x10\xc0\x42";
Buffer overflow success:
Return Address = \x10\x10\xc0\x42
Finding the flaw in the unpatched OpenSSL source
– Static analysis
Look for unprotected memory access reads and writes
Consider avenues that have not yet been explored or exploited
– Dynamic analysis
Compiler tools
Static analysis tools
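The missing check the slide is hinting at is a length check: the heartbeat message declares its own payload length, and the unpatched code copied that many bytes without confirming they were actually present in the record. The following Python parser is an added example, not code from the slides or from OpenSSL; it reconstructs the RFC 6520 heartbeat framing and applies the bounds check that the patched versions perform (declared payload plus its 16-byte minimum padding must fit inside the record actually received). The helper that builds records exists only so the test can construct a record whose declared length disagrees with the bytes sent.

```python
import struct

# TLS record header: content type (1 byte), version (2), length (2)
TLS_RECORD_HEADER_LEN = 5
HEARTBEAT_CONTENT_TYPE = 0x18
HEARTBEAT_REQUEST = 0x01
HEARTBEAT_RESPONSE = 0x02
HEARTBEAT_MIN_PADDING = 16  # RFC 6520 section 4: padding is at least 16 bytes


def parse_heartbeat_record(record: bytes):
    """Parse one TLS heartbeat record defensively.

    Returns the heartbeat payload (bytes) when the record is consistent, or
    None when it must be silently discarded. The None path on the declared
    payload length is the check missing from OpenSSL 1.0.1 through 1.0.1f.
    """
    if len(record) < TLS_RECORD_HEADER_LEN:
        return None
    content_type, _version, record_len = struct.unpack("!BHH", record[:TLS_RECORD_HEADER_LEN])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return None
    body = record[TLS_RECORD_HEADER_LEN:]
    if len(body) != record_len:
        return None  # truncated or over-long record
    # Heartbeat message: type (1) + payload_length (2) + payload + padding (>= 16)
    if len(body) < 1 + 2 + HEARTBEAT_MIN_PADDING:
        return None
    hb_type = body[0]
    (payload_len,) = struct.unpack("!H", body[1:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The Heartbleed check: trust the bytes we received, not the length the
    # peer claims. Without this, a 16-byte record claiming 0x4000 bytes makes
    # the responder read 16 KiB past the end of the real payload.
    if 1 + 2 + payload_len + HEARTBEAT_MIN_PADDING > record_len:
        return None
    return body[3:3 + payload_len]


def build_heartbeat_record(payload: bytes, declared_len=None, padding_len=HEARTBEAT_MIN_PADDING) -> bytes:
    """Build a heartbeat request record (constructed test input).

    declared_len overrides the payload_length field so a test can produce a
    record whose claimed length does not match the bytes actually present.
    """
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * padding_len
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body


if __name__ == "__main__":
    honest = build_heartbeat_record(b"ping")
    lying = build_heartbeat_record(b"ping", declared_len=0x4000)
    print("honest record ->", parse_heartbeat_record(honest))   # b'ping'
    print("lying record  ->", parse_heartbeat_record(lying))    # None
```

The same shape of check (compare every length a peer declares against the bytes you actually hold before any copy) is what a static-analysis pass over the unpatched source would flag: a memcpy whose length argument comes straight from the wire.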
• Server-Side Attack
• Client-Side Attack
Cross-Site Request Forgery (XSRF): Illustration
Diagram: Client Web Browser, Bankomit.com Web Server (with Session Store), Malicious Web Server
Forged request: http://www.bankomit.com/transferfundsto.do?acct=1234567&amt=20000 (Session ID=12345)
Website trusts client's browser, so executes request
Malicious post: http://www.bankomit.com/login?name= post contains malicious script
XSRF: How does it work?
• XSRF exploits the way that a client's browser handles sessions
• The browser's authenticated sessions are used to make requests as the user to the targeted site
– Bank-O-MIT allows account transfers with the following:
http://www.bankomit.com/transferfundsto.do?acct=1234567&amt=1
– User X is logged into Bank-O-MIT
– User X visits malicious site Y with HTML code:
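The defence against this scenario lives on the Bank-O-MIT server, which must stop trusting the session cookie alone as proof that the user intended the request. The following Python check is an added example, not from the slides; the request and session are plain dicts constructed for illustration, and www.bankomit.com is the slide's fictional site. It applies three controls: state changes only via POST, an Origin/Referer check when the browser supplies one, and a per-session anti-CSRF token that site Y cannot read because of the same-origin policy.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the site being protected (the slide's fictional bank)
SITE_ORIGIN = "http://www.bankomit.com"


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a random per-session token. The server embeds it in
    its own transfer form so it can demand it back on every state change."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_authorized_transfer(session: dict, request: dict) -> bool:
    """Decide whether a funds transfer may run.

    request is a constructed dict: {"method": str, "headers": dict, "form": dict}.
    The browser attaches the session cookie automatically, which is exactly
    what XSRF abuses, so the cookie proves nothing about which page sent this.
    """
    # 1. A GET link or <img src> fetched from site Y must never move money.
    if request["method"] != "POST":
        return False
    # 2. Browsers set Origin on cross-site POSTs and the attacker's page cannot
    #    alter it; when present it must name our own site.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin is not None:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    # 3. The anti-CSRF token: only our own page, served to this session, holds
    #    it. Constant-time comparison avoids leaking it through timing.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return True


if __name__ == "__main__":
    session = {"user": "X"}          # User X is logged in
    token = issue_csrf_token(session)
    legitimate = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                  "form": {"acct": "1234567", "amt": "1", "csrf_token": token}}
    # What site Y can make the browser send: the bank's URL with the cookie
    # attached, but no token and no bank origin.
    forged_get = {"method": "GET", "headers": {"Referer": "http://site-y.example/"},
                  "form": {"acct": "1234567", "amt": "1"}}
    print("legitimate:", is_authorized_transfer(session, legitimate))  # True
    print("forged:    ", is_authorized_transfer(session, forged_get))  # False
```

The token check is the one control that holds even when a browser strips Origin and Referer, which is why frameworks make it the default; the method and origin checks are cheap additional layers that also block the GET-based transfer the slide shows.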