Identifying Attack Vectors
Professor Larry Heimann
Web Application Security, Information Systems
Nothing is in isolation
Attack surface
• An “attack surface” is the total number of possible attack vectors
• Think of a house, with the doors and windows as attack vectors for intruders
• Minimize the surface area by securing each door and window
Content discovery -- brute force
• Common directory names
    • https://target/admin/
    • https://target/account/
    • https://target/accounts/
    • https://target/agent/
    • https://target/utils/
• Common filenames for application pages
    • https://target/admin/admin.php
    • https://target/admin/manage.php
    • https://target/admin/home.php
    • https://target/admin/accounts.php
Content discovery -- inference from visible content
• Infer unlinked names from the ones you can see, for example:
    • ViewDocument.jsp suggests EditDocument.jsp
    • AnnualReport2009.pdf suggests AnnualReport2010.pdf
• Review HTML / JS source for comments, etc.
• Look for information about the framework and/or webmaster
• Decompile thick clients
• Feed results back in and work recursively
Hidden content
• Hidden content that is not directly linked often exists
• Examples include:
    • Backup copies of live files
    • New/old/test functionality not currently linked from the main content
    • Configuration / include files
    • Source files for dynamic content
    • Logs
• Look at the source code itself for comments and JavaScript vulnerabilities
Content discovery -- use public sources
• Google knows!
    • site:www.target.com
    • site:www.target.com login
    • link:www.target.com
    • related:www.target.com
    • View the cached content
• Forum posts by developers/administrators
• Archives at web.archive.org (the Wayback Machine)
Application pages vs. functional pages
Some apps don’t use URLs to individuate content and functions:

    POST /bank.jsp HTTP/1.1
    Host: wahh-bank.com
    Content-Length: 106

    servlet=TransferFunds&method=confirmTransfer&fromAccount=10372918&toAccount=3910852&amount=291.23&Submit=Ok
Identifying entry points for user input
• URLs
• Query string
• POST parameters
• Cookies
• Look for unusual data encapsulation, for example:
    • /dir/file=bar/file
    • /dir/file?param=foo:bar
    • /dir/file?data=%3cfoo%3ebar%3c%2ffoo2%3ebar2%3c%2c
• Look for REST parameters within the URL file path
• See if the application responds differently to unexpected new parameter names
Dissecting requests
• A typical search function:
    http://target/workflow/calendar.jsp?name=new%20applicants&isExpired=0&startDate=22%2F09%2F2006&endDate=22%2F03%2F2007&OrderBy=name
• What do we know from this?
    • jsp: Java
    • isExpired: controls which content is returned?
    • OrderBy: clause of a SQL query?
    • name, startDate, endDate, isExpired: SQL query parameters?
Dissecting requests
• A content management system:
    http://target/workbench/register.aspx?template=NewBranch.tpl&loc=/default&ver=5.32&edit=false
• What do we know from this?
    • aspx: ASP.NET
    • template: file name
    • .tpl: custom file extension
    • loc: directory name?
    • edit=false: controls whether files can be edited?
Web spidering
• Request the start page
• Parse it for links to other content
• Continue recursively until no new content is discovered
• Feed results into other mapping exercises
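As an added example (not part of the slides), the spidering loop above run against a constructed in-memory site; the host http://target and the page bodies are assumptions standing in for real HTTP responses. Beyond the four steps it also records the parameter names it sees per path (the entry points for user input) and the HTML comments, and reports paths a comment mentions that spidering never reached, which is the hand-off to content discovery.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

BASE = "http://target"  # hypothetical host, as in the slides
# Constructed in-memory site standing in for HTTP fetches (path -> response body).
SITE = {
    "/": ('<a href="/about.html">About</a>'
          '<a href="/workflow/calendar.jsp?name=new%20applicants&isExpired=0">Calendar</a>'
          '<!-- TODO: remove /admin/manage.php before launch -->'),
    "/about.html": '<a href="/">Home</a><a href="http://other.example/">Partner</a>',
    "/workflow/calendar.jsp": (
        '<a href="calendar.jsp?name=staff&isExpired=1&OrderBy=name">Sort</a>'
        '<a href="/workbench/register.aspx?template=NewBranch.tpl&edit=false">Edit</a>'),
    "/workbench/register.aspx": "<p>registered</p>",
}

class LinkExtractor(HTMLParser):
    """Collect href/src/action targets and HTML comments from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.comments = [], []
    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src", "action") and v]
    def handle_comment(self, data):
        self.comments.append(data.strip())

def spider(start="/"):
    """Request the start page, parse it for links and recurse until no new in-scope path
    appears; returns discovered paths, parameter names per path and HTML comments."""
    pages, queue, params, comments = {start}, [start], {}, []
    while queue:
        path = queue.pop()
        p = LinkExtractor()
        p.feed(SITE.get(path) or "")  # stands in for an HTTP GET; a 404 yields no links
        comments.extend(p.comments)
        for link in p.links:
            u = urlsplit(urljoin(BASE + path, link))
            if u.netloc != urlsplit(BASE).netloc:
                continue  # third-party host: out of scope, do not follow
            params.setdefault(u.path, set()).update(k for k, _ in parse_qsl(u.query))
            if u.path not in pages:
                pages.add(u.path)
                queue.append(u.path)
    return pages, params, comments

def unvisited_hints(comments, pages):
    """Paths named in comments that spidering never reached: feed them to content discovery."""
    hinted = {m for c in comments for m in re.findall(r"/[\w./-]+", c)}
    return sorted(hinted - pages)
```

Note that /admin/manage.php is only ever mentioned in a comment, so following links never finds it: that is exactly the hidden content the earlier slides say must come from brute force or inference.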
Demonstration
Mapping the attack surface

    Vector                               Attack method
    Database interaction                 SQL injection
    File upload/download                 Path traversal vulnerability
    Display of user-supplied data        Cross-site scripting
    Dynamic redirects                    Header injection attacks
    Login                                Username enumeration, weak passwords, ability to use brute force
    Error messages                       Information leakage
    Email interaction                    Command injection
    Native code components               Buffer overflows
    Third-party application components   Known vulnerabilities