hacking web sites insecure direct object reference
play

Hacking Web Sites Insecure Direct Object Reference Emmanuel - PowerPoint PPT Presentation

May 03, 2023 •533 likes •890 views

Hacking Web Sites Insecure Direct Object Reference Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Introduction

  1. Hacking Web Sites Insecure Direct Object Reference Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 1

  2. Table of Contents Introduction � Principles � Tampering HTTP parameters Vulnerability Examples of Attacks Protection � Conclusion � Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 2

  3. Introduction Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 3

  4. Insecure Direct Object Reference Occurs when developer uses HTTP parameter to refer to internal object For instance http://mysite.com/program.php?lang=fr And in the program: require_once($_REQUEST[’lang’]."lang.php"); Can also access to identifiers For instance http://mysite.com/program.php?page=124 It may be possible to change the page ID. The rights to see the page have to be tested. Which objects are subject to attacks? Files: for upload and/or for reading, or accessing Identifiers : for showing them, or changing them Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 4

  5. Which parameters can be tainted? HTTP GET parameters Directly inside the URL Example: http://www.mysite.com/index.php?viewaccount=23456 Change the URL : http://www.mysite.com/index.php?viewaccount=1234 Gives access to the account 1234 HTTP POST parameters In the body of the POST request, Often URL encoded (other encoding are possible). Other HTTP headers The cookies (are included in each HTTP header) Languages (in the header: Accept-Language) User-Agent (to determine which browser is reading the page) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 5

  6. Internal objects? Data Base objects Reference to records in a table Primary key used to refere to a page www.vicitim.com/page?pageId=345 to access page with Id 345 File (or directory) Reference to a file is done in the parameter The file may be loaded include($_GET[’language’].’.php’); Or it may be moved, copied, etc. Keys a key may be shown as a parameter (or cookie). Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 6

  7. Principles Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 7

  8. Presentation of the Vulnerability Insecure Direct Object Reference Developer exposes a reference to an internal implementation object, as URL or form parameter A file Directory Database record Key The attacker manipulates one of the parameter and access internal resources. He uses a lack in access control check Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 8

  9. Example View the account of a client Suppose we have the following html in the menu of a client The client can see each of his or her accounts <div class="menu"> <div class="menu-item"><a href="/index.php? ց → account=23456}">account 23456</a></div> <div class="menu-item"><a href="/index.php? ց → account=23332}">account 23332</a></div> <div class="menu-item"><a href="/index.php? ց → account=12231}">account 12231</a></div> </div> When the client clicks on the link: GET https: //www.mybank.com/index.php?account ց → =23456 HTTP/1.1 Host: www.mybank.com ... Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 9

  10. Example (Cont.) What appends if he replaces 23456 with 121212 ? It may display the required account: If authorization is not checked. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 10

  11. Another Example Access secret content Suppose you have a JavaScript application with the following request for a JSON object GET /resource?item=12345 HTTP/1.1 Host: www.mysite.com Cookie: SESSIONID=239e98d32c98b23a .... The application will respond with the following kind of answer: { id: 12345, name: ’benoist’, firstname: ’emmanuel’, accountnumber: ’1234543245900’, balance: ’2090’, currency: ’CHF’} Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 11

  12. Another Example (Cont.) What if we send the following? GET /resource?item=11111 HTTP/1.1 Host: www.mysite.com Cookie: SESSIONID=239e98d32c98b23a .... It may not be protected maybe the application just verifies that the user is loged in. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 12

  13. Example: Upload form Suppose we found the following upload form <form action="upload.php" method="post" enctype= ց → "multipart/form-data"> Select image to upload: <input type="file" name="fileToUpload" id=" ց → fileToUpload"> <input type="submit" value="Upload�Image" ց → name="submit"> <input type="hidden" name="homedir" value=" ց → uploaded/"> </form> File to upload is copied into the directory uploaded Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 13

  14. Example: Upload form (Cont.) We may upload a file anywhere Replace uploaded with : otherDirectory (just to test) /var/www/htdocs/ if you have a Ubuntu server /var/www/htdocs/anysubdirectory/with777 Because user can write in this directory Limitation for upload Only where the user has the right to write. Very interesting in the directory accessible throw the web server. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 14

  15. Tampering HTTP parameters Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 15

  16. Tampering without browser HTTP is an open protocol Requests can be generated manually Parameters can be set arbitrary GET Request Insert parameters in the Query string Parameters need to be URL encoded GET /program.php?param=fake&param2=new+text%00 HTTP/1.1 Host: www.vicitim.org POST Request Parameters are in the body of the request POST /program.php HTTP/1.1 Host: www.victim.org Content-Length: 52 Content-Type: application/x-www-form-urlencoded username=bie1&email=bie1@bfh.org&submit=Submit+me%21 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 16

  17. Tampering inside a browser Some web applications generate complicated requests Cookies, Url referer, AJAX requests JSON requests Not so easy to generate manually Use tools to manipulate Requests generated by the browser ZAP Zed Attack Proxy OWASP tool Proxy of the browser, intercepts requests that can be manipulated (and much more) Tamper Data Firefox plugin Modify the requests inside the browser Browser - Web Developper mode Allows to manipulate GET and POST requests. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 17

  18. Vulnerability Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 18

  19. Vulnerability? Applications expose their internal object references to users Attacker use parameter tampering to change references they can violate security policy if it is unenforced Example If the application uses a parameter which contains a filename or a path It can be changed to access other resources viewpage.php?document=mydoc displays the content of the file /home/bie1/myfiles/mydoc.pdf the input could be manipulated into accessing another file viewpage.php?document=../../frc1/otherDocument will show the file /home /frc1/otherDocument.pdf Also known as : Path Traversal Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 19

  20. Examples of Attacks Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 20

  21. Access tax declaration Account number is often the primary key Tempting to use the key direct in the web interface Developers have used paramtrized SQL to prevent Injection If no other check is done, Attacker could access all accounts Replacing his account with the one of the victim This attack was conducted in Australian Taxation Office’s GST Start Up Assistance In 2000 Attacker visited the details of 17’000 companies And sent an email to each of them. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 21

  22. Modify internal keys Modify Database Key If the attacker receives a URL: http://www.attacked.com/resource.php?messageID=123 It is tempting to try if the next user exists: http://www.attacked.com/resource.php?messageID=124 Need to know some internal IDs Can be brute forced Can be found in other pages : View source Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A4: Insecure Direct Object References A4 Insecure Direct Object References General

A4: Insecure Direct Object References A4 Insecure Direct Object References General

A4: Insecure Direct Object References A4 Insecure Direct Object References General problem: Unrestricted Access A4: Data not properly protected A7: Functions not properly protected Examples Presentation-layer access control

506 views • 27 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is as old as the trade of hacking Common Characteristics: Physical access (at least within transmission range of EM/Accoustic signals). Seemingly

252 views • 22 slides
Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM

Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM

Insecure.Org Insecure.Org Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM http://insecure.org/presentations/CSW09/ Insecure.Org Insecure.Org Ncat http://nmap.org/ncat/ Insecure.Org Insecure.Org Modern Networking Features

689 views • 21 slides
Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken

Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken

Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken Authentication Brute Force Session Spotting Emmanuel Benoist Session Fixation Attack Session Hijacking Fall Term 2020/2021 Session Expiration

638 views • 10 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Presentation Stored XSS Reflected

792 views • 50 slides
Ajax Reading &amp; Reference Reference XMLHttpRequest object

Ajax Reading &amp; Reference Reference XMLHttpRequest object

Internet Programming Session 11 Ajax/Servlets Session 11 Ajax Reading &amp; Reference Reference XMLHttpRequest object en.wikipedia.org/wiki/Xmlhttprequest Specification developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest

478 views • 14 slides
Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule |

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule |

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Web Security: Overview of other security risks OWASP Top 10

1.25k views • 64 slides
Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs &amp; Gordon Fyodor

Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs &amp; Gordon Fyodor

Insecure.Org Insecure.Org Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs &amp; Gordon Fyodor Lyon Sharkfest 2010 June 16, 1:15 PM http://insecure.org/presentations/Sharkfest10/ Insecure.Org Insecure.Org Nmap

278 views • 16 slides
Taking OpenEMR, a GPL EMR to ARRA Meaningful Use Certification and Beyond Reference sites:

Taking OpenEMR, a GPL EMR to ARRA Meaningful Use Certification and Beyond Reference sites:

Taking OpenEMR, a GPL EMR to ARRA Meaningful Use Certification and Beyond Reference sites: www.oemr.org - our official web home page openmedsoftare.org - our project wiki, access to online demo and all lots more

190 views • 7 slides
Session 1: What we could know with current observation techniques Potential reference sites for

Session 1: What we could know with current observation techniques Potential reference sites for

Session 1: What we could know with current observation techniques Potential reference sites for the calibration of remote sensing analysis in Japan and Asia-Pacific region Long-term plot &gt;1ha Ishii AP-BON Book Session 1: What we could

77 views • 7 slides
MI DIAGNOSIS FROM REFERENCE TO CARDIAC MRI Sites and Sizes of First-Time Reperfused

MI DIAGNOSIS FROM REFERENCE TO CARDIAC MRI Sites and Sizes of First-Time Reperfused

MI DIAGNOSIS FROM REFERENCE TO CARDIAC MRI Sites and Sizes of First-Time Reperfused Myocardial Infarction Assessed by Cardiac Magnetic Resonance can be Estimated by 12-lead ECG Engblom et al Lund VVRED 2- The Virtual Visual

312 views • 13 slides
An incremental approach RCGC Defined Each object has associated count of references to it

An incremental approach RCGC Defined Each object has associated count of references to it

An incremental approach RCGC Defined Each object has associated count of references to it Objects reference count When reference to object created Pointer copied from one place to another assignment RC of pointee is

313 views • 19 slides
Copying Objects: Reference Copy Copies: Reference vs. Shallow vs. Deep Reference Copy c1 := c2

Copying Objects: Reference Copy Copies: Reference vs. Shallow vs. Deep Reference Copy c1 := c2

Copying Objects: Reference Copy Copies: Reference vs. Shallow vs. Deep Reference Copy c1 := c2 Copy the address stored in variable c2 and store it in c1 . Writing Complete Postconditions Both c1 and c2 point to the same object.

115 views • 10 slides
DRINKING WATER REFERENCE MATERIAL AND WEBSITES Web Resources Here are a few sites around

DRINKING WATER REFERENCE MATERIAL AND WEBSITES Web Resources Here are a few sites around

DRINKING WATER REFERENCE MATERIAL AND WEBSITES Web Resources Here are a few sites around the web that is recommended: American Water Works Association (AWWA) Water Environment Federation Water Wiser - The Water Efficiency

579 views • 34 slides
A71CH Plug &amp; trust for IoT Session 1: A71CH product introduction JORDI JOFRE 24/04/2018

A71CH Plug &amp; trust for IoT Session 1: A71CH product introduction JORDI JOFRE 24/04/2018

A71CH Plug &amp; trust for IoT Session 1: A71CH product introduction JORDI JOFRE 24/04/2018 PUBLIC A71CH Plug &amp; trust for IoT Session 1: A71CH product introduction Get familiar with A71CH key security features, key benefits, use

559 views • 40 slides
CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall

CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall

CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Network Attacker Threat Model Network Attacker: Controls infrastructure: Routers, DNS

1.36k views • 67 slides
Making Distributed Systems Secure with Program Analysis and Transformation Andrew Myers Cornell

Making Distributed Systems Secure with Program Analysis and Transformation Andrew Myers Cornell

Making Distributed Systems Secure with Program Analysis and Transformation Andrew Myers Cornell University Joint work with Stephen Chong, Nate Nystrom, Steve Zdancewic, Lantian Zheng Information security Amazon.com Privacy Notice: We

516 views • 36 slides
r trt srt

r trt srt

r trt srt r r r r

955 views • 52 slides
/ AVL trees and rotations This week, you should be able to perform rotations on height

/ AVL trees and rotations This week, you should be able to perform rotations on height

/ AVL trees and rotations This week, you should be able to perform rotations on height -balanced trees, on paper and in code write a rotate() method search for the kth item in-order using rank Tests back later Mini-test next

231 views • 19 slides
AVL trees and rotations Part of written assignment 5 Examine the Code of Ethics of the ACM

AVL trees and rotations Part of written assignment 5 Examine the Code of Ethics of the ACM

AVL trees and rotations Part of written assignment 5 Examine the Code of Ethics of the ACM Focus on property rights Write a short reaction (up to 1 page single-spaced) Details are in the assignment Operations (insert, delete,

454 views • 16 slides
Via Pillar-aware Detailed Placement Yong Zhong, Tao-Chun Yu, Kai-Chuan Yang, and Shao-Yun Fang

Via Pillar-aware Detailed Placement Yong Zhong, Tao-Chun Yu, Kai-Chuan Yang, and Shao-Yun Fang

Via Pillar-aware Detailed Placement Yong Zhong, Tao-Chun Yu, Kai-Chuan Yang, and Shao-Yun Fang The Electronic Design Automation Laboratory Department of Electrical Engineering National Taiwan University of Science and Technology 1 Outline

997 views • 43 slides
Redundant Via Insertion Redundant Via Insertion with Wire Bending with Wire Bending Kuang-

Redundant Via Insertion Redundant Via Insertion with Wire Bending with Wire Bending Kuang-

Redundant Via Insertion Redundant Via Insertion with Wire Bending with Wire Bending Kuang- -Yao Lee, Yao Lee, Shing Shing- -Tung Lin and Ting Tung Lin and Ting- -Chi Wang Chi Wang Kuang Department of Computer Science Department of

604 views • 27 slides

More recommend