Identifying Attack Vectors - Professor Larry Heimann - Web Application Security (PowerPoint PPT Presentation)


SLIDE 1

Identifying Attack Vectors

Professor Larry Heimann Web Application Security Information Systems

SLIDE 2

Nothing is in isolation

SLIDE 3

Attack surface

  • An “attack surface” is the total number of possible attack vectors
  • Think of a house, with the doors and windows as attack vectors for intruders
  • Minimize the surface area by securing each door and window

SLIDE 4

Content discovery -- brute force

  • Common directory names
      • https://target/admin/
      • https://target/account/
      • https://target/accounts/
      • https://target/agent/
      • https://target/utils/
  • Common filenames for application pages
      • https://target/admin/admin.php
      • https://target/admin/manage.php
      • https://target/admin/home.php
      • https://target/admin/accounts.php

SLIDE 5

Content discovery -- inference from visible content

  • Review HTML / JS source for comments, etc.
  • Look for information about framework and/or webmaster
  • Decompile thick clients
  • Feed back results and work recursively

Examples: ViewDocument.jsp suggests EditDocument.jsp; AnnualReport2009.pdf suggests AnnualReport2010.pdf

SLIDE 6

Hidden content

  • Oftentimes hidden content exists that is not directly linked
  • Examples include:
      • Backup copies of live files
      • New/old/test functionality not currently linked to main content
      • Configuration / include files
      • Source files for dynamic content
      • Logs
  • Look at the source code itself for comments and JavaScript vulnerabilities

SLIDE 7

Comics of the Day...

SLIDE 8

Content discovery -- use public sources

  • Google knows!
      • site:www.target.com
      • site:www.target.com login
      • link:www.target.com
      • related:www.target.com
      • view the cached content
  • Forum posts by developers/administrators
  • Archives at web.archive.org (‘the wayback machine’)

SLIDE 9

Application pages vs. Functional pages

Some apps don’t use URLs to individuate content and functions:

POST /bank.jsp HTTP/1.1
Host: wahh-bank.com
Content-Length: 106

servlet=TransferFunds&method=confirmTransfer&fromAccount=10372918&toAccount=3910852&amount=291.23&Submit=Ok

SLIDE 10

Identifying entry points for user input

  • URLs
  • Query string
  • POST parameters
  • Cookies
  • Look for unusual data encapsulation, for example:

/dir/file=bar/file
/dir/file?param=foo:bar
/dir/file?data=%3cfoo%3ebar%3c%2ffoo2%3ebar2%3c%2c

  • Look for REST parameters within the URL file path
  • See if the application responds differently to unexpected new parameter names

SLIDE 11

Dissecting requests

  • A typical search function:

http://target/workflow/calendar.jsp?name=new%20applicants&isExpired=0&startDate=22%2F09%2F2006&endDate=22%2F03%2F2007&OrderBy=name

  • What do we know from this?
      • jsp: Java
      • isExpired: controls which content is returned?
      • OrderBy: clause of a SQL query?
      • Name, startDate, endDate, isExpired: SQL query parameters?

SLIDE 12

Dissecting requests

  • A content management system:

http://target/workbench/register.aspx?template=NewBranch.tpl&loc=/default&ver=5.32&edit=false

  • What do we know from this?
      • aspx: ASP.Net
      • template: file name
      • .tpl: custom file extension
      • loc: directory name?
      • edit=false: controls whether files can be edited?
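The dissection on slides 10 to 12 can be done mechanically when reviewing an application's attack surface. The Python helper below is an added example, not part of the slides: it splits a URL into path and query entry points, decodes each value and notes shapes worth a closer look (embedded markup, a:b packing, path-like values, flags, numbers). The extension-to-technology map and the shape heuristics are my own assumptions; the sample URLs are the ones shown on the slides.

```python
# Enumerate user-input entry points in a URL and flag values whose shape hints at what the back end does with them.
from urllib.parse import urlsplit, unquote_plus
TECH_HINTS = {".jsp": "Java (JSP)", ".aspx": "ASP.NET"}  # assumed extension hints, as on slides 11-12

def classify_value(raw):
    """Decode one raw parameter value; return (decoded value, notes on its shape)."""
    value = unquote_plus(raw)
    notes = ["url-encoded"] if value != raw else []
    if "<" in value and ">" in value:
        notes.append("embedded markup")          # e.g. %3cfoo%3e: XML/HTML passed through a parameter
    if ":" in value:
        notes.append("delimited a:b")            # two fields packed into one parameter
    if value.startswith("/") or ".." in value:
        notes.append("path-like")                # review for path traversal handling
    if value.lower() in ("0", "1", "true", "false"):
        notes.append("flag")                     # likely controls behaviour (isExpired, edit)
    elif value.replace(".", "", 1).isdigit():
        notes.append("numeric")                  # id, version or amount
    return value, notes

def find_entry_points(url):
    """Return (technology hint, [(location, name, value, notes), ...]) for one URL."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    points = []
    for seg in segments:
        if "=" in seg:      # key=value hidden in a path segment, e.g. /dir/file=bar/file
            name, raw = seg.split("=", 1)
            value, notes = classify_value(raw)
            points.append(("path", name, value, ["key=value in path"] + notes))
        else:               # plain segment: possible REST-style parameter
            points.append(("path", seg, "", []))
    for pair in filter(None, parts.query.split("&")):
        name, _, raw = pair.partition("=")
        value, notes = classify_value(raw)
        points.append(("query", name, value, notes))
    ext = "." + segments[-1].rsplit(".", 1)[-1].lower() if segments and "." in segments[-1] else ""
    return TECH_HINTS.get(ext, "unknown"), points

# Sample URLs taken from slides 10 to 12 ("target" is the slides' placeholder host)
SAMPLE_URLS = [
    "http://target/dir/file=bar/file",
    "http://target/dir/file?param=foo:bar",
    "http://target/dir/file?data=%3cfoo%3ebar%3c%2ffoo2%3ebar2%3c%2c",
    "http://target/workflow/calendar.jsp?name=new%20applicants&isExpired=0"
    "&startDate=22%2F09%2F2006&endDate=22%2F03%2F2007&OrderBy=name",
    "http://target/workbench/register.aspx?template=NewBranch.tpl&loc=/default"
    "&ver=5.32&edit=false",
]
```

Running `find_entry_points` over `SAMPLE_URLS` reproduces the observations on the slides: the .jsp and .aspx pages are tagged with their technology, isExpired and edit come out as flags, loc as path-like and ver as numeric.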

SLIDE 13

Web spidering

  • Request start page
  • Parse for links to other content
  • Continue recursively until no new content is discovered
  • Feed results into other mapping exercises

SLIDE 14

Demonstration

SLIDE 15

Mapping the attack surface

Vector                               Attack Method
Database interaction                 SQL injection
File upload/download                 path traversal vulnerability
Display of user-supplied data        cross-site scripting
Dynamic redirects                    header injection attacks
Login                                username enumeration, weak passwords, ability to use brute force
Error messages                       information leakage
Email interaction                    command injection
Native code components               buffer overflows
Third-party application components   known vulnerabilities