Monday, October 31, 2011

Working with Web Vulnerabilities and Web Application Firewalls [Part 4 - Basic Exploitation]

[Note: this is part four of a multi-part series of posts detailing my experiences with securing web applications, creating test environments for practicing and installing and operating a web application firewall. Web security is an extremely important part of IT security since almost every major organization has a "web face." I will be exploring XSS, mySQL injection, and the use of web application firewalls to protect against these attacks.]

There are hundreds of ways to exploit a web application. Users can upload invalid file types to an app that doesn't check the file type, they can inject code into the pages, as well as retrieve data from a database that should not be retrieved. The focus of this series is mainly on using a web application firewall to prevent against attacks, so I will not be explaining every attack type with examples. However, I will be focusing on two injection attacks here that will demonstrate that the web application is vulnerable before I use a web application firewall to block those attacks. I will be giving basic examples of cross site scripting and mySQL injection.

Cross Site Scripting (XSS)
The first attack type I am going to attempt on our web application is cross site scripting. However, we must first understand what cross site scripting is and how it can be used against a web app. Remember in part one of this series, I mentioned that most web vulnerabilities come from users entering input that is not valid and that could contain malicious code. Cross site scripting takes advantage of the fact that a fair amount of web pages and applications fail to "sanitize" user input. Take a look at the following PHP code:

echo <pre>Hello $_GET['name']</pre>;

This code gets a variable called "name" and prints it out directly within the page as HTML code. The echo statement prints whatever follows it into the HTML code of the page. If we pass in the name "Robert," the following is reflected onto the page to the user:

Hello Robert

However, suppose we replace Robert with JavaScript code? We type the following into the name box:


Now, the code we just typed is reflected into the actual code of the page as it is displayed.

echo <pre>Hello <script>alert('Hello')</script></pre>

This will cause an alert box to pop up for the user.

This form of XSS is known as reflected or non-persistent XSS because it only occurs if the additional code parameters are passed in at run time. The web page itself is not changed permanently. However, this vulnerability can be exploited by sending someone a URL with the parameters as seen in the screenshot above. A lot of XSS can be done directly through the URL bar. The example given above is very basic. However, imagine the security issues that could occur if instead of displaying an alert, an attacker loaded code from an externally hosted script (the "cross-site" in cross site scripting).

The second form of XSS (persistent or stored) allows users to inject code directly into the page that will be repeatedly reflected to users who load it. The code is usually stored in a database and then continually reflected. The attack is carried out the same way, except instead of simply being reflected back to the user, the script is saved an executed every time the page is loaded. Think of an visitor log that web page visitors can sign and leave comments. The information they submit is saved in a database and loaded each time the visitor log is displayed. If someone were to inject malicious code, it would be shown each time to the user. This form of XSS is much more dangerous.

mySQL Injection
mySQL injection is well documented around the web with thousands of tutorials on YouTube covering it. mySQL injection can range from a very simple, short line of code to an extremely complex and carefully crafted string to destroy a database. What it all comes down to, however, is creating a string that will "confuse" the PHP code into executing more commands than should be executed. Let's look at the following PHP code:

$name = $_GET['name'];
$result = mysql_query("SELECT * FROM people WHERE first_name='$name'");
while($row = mysql_fetch_array($result))
     echo $row['first_name'] . " " . $row['last_name'];
     echo "<br />";

It's fairly straightforward as to what this code does (prints out names from the database given a first name). But look at the way in which the code is outputting the user-entered input: it's treating it like a single piece of text that is just inserted into the mySQL command. Suppose that the user doesn't enter a name, but instead enters mySQL commands? Let's look at the following code:

' or '1' = '1

This code is extremely common for testing mySQL injection vulnerabilities. When the PHP code prints out this string as the "name" in the code above, a very important tick-mark (') causes the code to read as:

WHERE first_name=' ' OR '1' = '1'

Essentially, we are crafting a string of code that fits nicely within the given mySQL code. The tick-marks line up and a complete statement is made. The statement "OR '1' = '1'" is used because it will always evaluate to true. What we are telling the database to do is "return all the rows where 1=1." In other words, return all of the rows. This is a great way to view data in the database that should not be viewed.

Progressing beyond a simple OR '1' = '1' statement, pretty much any SQL code can by inserted into the statement. This can be used to view other tables, return all the lists of users, grab additional columns, etc. Here is a great link to some SQL statements that may be helpful in exploitation.

Next in the Series
Now that we've discussed injection techniques and very common vulnerabilities, we are going to be using a web application firewall to prevent those attacks. There are many ways to protect against injection attacks (most notably the filtering and sanitation of user input) but we will be leaving the application vulnerable for the purpose of learning about the firewall.

Sunday, October 30, 2011

Working with Web Vulnerabilities and Web Application Firewalls [Part 3 - An Insecure Environment]

[Note: this is part three of a multi-part series of posts detailing my experiences with securing web applications, creating test environments for practicing and installing and operating a web application firewall. Web security is an extremely important part of IT security since almost every major organization has a "web face." I will be exploring XSS, mySQL injection, and the use of web application firewalls to protect against these attacks.]

Now that we have a basic database of information that we can use later on, we need a way of practicing our exploitation techniques (and eventually our protection techniques) on a web application. Luckily, there is a solution called "Damn Vulnerable Web App." DVWA is a PHP/mySQL environment that is designed with test pages and configuration that can make it purposefully vulnerable to a number of attack vectors. We will be installing it in order to eventually protect against the attacks, but also to attack (and learn).

Downloading DVWA
DVWA can be downloaded at the projects home page: From the Fedora machine, download and extract the ZIP file from the download page. Next, the files need to be moved into the web directory. (If you don't have an Apache/PHP/mySQL server configured, please return to part two).

Installing DVWA
I will be using root for this exercise. I want to make the application as vulnerable as possible and running as root will increase our chances for exploitation.

[root@localhost current_dir]# mv dvwa /var/www/html

Next, we need to issue the following command:

setsebool -P httpd_read_user_content 1

Now, in the web browser, navigate to your site's address / dvwa. You'll see the following error:
Click the link to setup your database. Click the "Create/Reset Database" button. If it was successful, you should see:

If you search in your mySQL database via command line or phpMyAdmin, you should now see a "dvwa" database.

Logging In
If you return to /dvwa in your browser, you'll be presented with a login screen. The default login is:
Username: admin
Password: password

Finishing Up
Now that DVWA is installed, we need to edit some configuration files so that it can be as insecure as possible. PHP version 5.2.6+ will prevent most mySQL injection attacks. So we need to change the configuration to allow them (most PHP websites are a version or so behind, so it is safe to assume that a majority of sites are still vulnerable, despite a newer version of PHP).

In the HTML directory of /var/www, type:

vim .htaccess

Then, type the following into the file:

magic_quotes_gpc = Off
allow_url_fopen = On
allow_url_include = On

Then save and exit.

Next in the Series
Next I will be using the DVWA setup to test some common vulnerabilities such as XSS and mySQL injection. Following that, I will be installing a web application firewall in front of the application to determine how such a configuration can help protect against exploitation.

Working with Web Vulnerabilities and Web Application Firewalls [Part 2 - Test Environment]

[Note: this is part two of a multi-part series of posts detailing my experiences with securing web applications, creating test environments for practicing and installing and operating a web application firewall. Web security is an extremely important part of IT security since almost every major organization has a "web face." I will be exploring XSS, mySQL injection, and the use of web application firewalls to protect against these attacks.]

In this post, I will be discussing the test environment I am using to learn more about web security. I will only be discussing the most basic layers here, as the more advanced programs and the firewall itself will be discussed in an upcoming post.

Operating Systems
I am going to be using two operating systems during this learning experience. The first will be the operating system that is running my environment, the second will be a system that I use to attack it, simulating a remote attack. Before we begin, I encourage you to learn more about virtualization if you haven't done so already. All of my testing will be occurring in VMWare Workstation, an excellent product that is perfect for these situations. Virtual Box will work well also.

For the host operating system, I will be using Fedora 15, a Linux distribution. The attacking system will be Backtrack 5, a Ubuntu-based penetration testing distribution that has a number of pre-installed scripts and frameworks perfect for exploitation. Setting these systems up and connecting them within a virtual environment are a bit beyond the scope of this series / tutorials. However, the web is full of step-by-step guides to installing these systems and connecting them via a virtual network.

The Services
One extremely common set of services used to host websites is called LAMP. It stands for Linux (the operating system), Apache (the web server technology), mySQL (the database) and PHP (the web language used to code the pages and interact with the database and web application).

Beginning with Apache, we need to install our services onto the Fedora box. Luckily, installing them is extremely simple in Linux via the command-line. In lieu of retyping every step here, I am going to link to an excellent tutorial:

Remember that this series is going to be focusing on web application security. Whenever you install a web server, database, or web environment on a box and place it onto the public network, there are many security precautions that need to be taken at the OS level. That is beyond our scope right now. However, I caution you to read more about secure Apache and database configurations before running any public-facing website.

The Data
It's no fun exploiting web applications if there's no data to search for in the exploit. In order to create an environment, I found a sample mySQL database known as Sakila. It is essentially several hundred rows in multiple tables of random, sample data. The sample uses a number of mySQL features and is perfect for establishing a test environment.

Sakila can be downloaded here. Download the TGZ next to "sakila database." Save and untar the download inside of your Fedora box.

Installing Sakila is very simple, and luckily, the webpage has a step-by-step guide.

At this point you should have your Fedora (or alternative) distribution installed, your LAMP stack configured, and you should be able to access the "It Works!" webpage by going to your machine's IP inside of a browser. The Sakila sample database should be installed.

Next in the series I will be walking through some basic vulnerabilities and some extremely simple web pages. In a few posts, I will be talking about the use of a much better framework called "Damn Vulnerable Web App" that is essentially a purposefully insecure web application for the sole use of vulnerability testing. Later, we will be installing a web application firewall in front of the application and observing how it protects against our attacks.

Saturday, October 29, 2011

Working with Web Vulnerabilities and Web Application Firewalls [Part 1 - Background]

[Note: this is part one of a multi-part series of posts detailing my experiences with securing web applications, creating test environments for practicing and installing and operating a web application firewall. Web security is an extremely important part of IT security since almost every major organization has a "web face." I will be exploring XSS, mySQL injection, and the use of web application firewalls to protect against these attacks.]

Web security is paramount to the security of an organization as a whole. Almost every organization, company, or network has a public-facing web site or portal for accessing content, possibly logging in to an account, or receiving data from its users. But as with any application that a company uses, web applications pose a critical risk to the infrastructure of the network. Look at almost any attack that has been launched against an organization within the last few years. Chances are that those attacks either originated, or occurred entirely through a web application used by that organization.

In this series of posts, I have decided to take on the project of understanding more about web security, especially the area of web security that focuses on the direct, public-facing application (as opposed to attacking from the infrastructure side such as an Apache server). There are hundreds of guides online that talk about various areas of protecting web applications, but I wanted to describe my experiences from the absolute beginning.

To begin testing the security of web applications, we first need to understand exactly what a web application is and how it behaves. A web application is simply a program that runs through a browser-based interface. Rather than the traditional method of downloading the files needed by a program to run, the web application interacts with the user through a series of web pages and interfaces contained within the browser window. Web applications commonly use technologies such as JavaScript, HTML (and more recently, HTML5), PHP, mySQL, and others to communicate between the server hosting the application and the user using it.

Web Applications have greatly increased the availability and ease-of-use of common tasks. Think of Google Docs - it has taken a commonly used feature of computing (word processing) and moved it to a browser-based interface complete with almost all of the same functions. However, it can be run from any computer with a browser and an internet connection. The same documents can be accessed from smartphones and tablets as well, making our data practically universally available.

Besides the obvious drawback of having to have an active internet connection (which some applications are alleviating with local storage), web applications pose a number of risks - most importantly in terms of security. Unlike typical applications, which install and run from a user's computer, web applications run on the servers of the hosting organization and transfer the required data back and forth over the internet connection. Because of this, a wide array of vulnerabilities are exposed that never occurred with traditional applications. One vulnerability that keeps appearing time and time again (which I will be focusing on in this series) is the exploitation of the remote web server due to the "holes" that are made in the system by allowing web connections through an interface that allows user input.

In typical applications, bad user input (in other words, input that was not expected) could cause a program to crash, possibly force a reboot of the local machine, or, in some cases, allow it to be exploited (although this is much rarer). Web applications are much different because they are hosted elsewhere. When a user enters bad input, that input is being run against a remote web server, not necessarily against the local machine (with the exception of some vulnerabilities, which will be discussed later). This is a critical security issue because it can potentially allow an attacker to gain access to a remote web server.

This Series
In the upcoming posts in this series, I will be walking through the study of web application security, specifically through the use of sanitation of user input and the use of a web application firewall (both of which I will talk about much more). I will be writing this with the expectation that the reader has familiarity with web technologies and web server experience, but perhaps not with the security of web applications themselves.  I will be walking through every step of the process that I am using to study this aspect of security because it is a major learning experience for me as well. One thing I find annoying in some tutorials is when the steps taken to arrive at a particular outcome are not explained. So more advanced readers, please bear with me as I attempt to bring everyone onto the same page.

Friday, October 28, 2011

Facebook (Appears to Have) Fixed the EXE Vulnerability

Just yesterday, security researchers at Security Pentest pointed out a vulnerability in Facebook's Message center, allowing users (with some POST-data editing) to attach EXE files to a message and send them to anyone capable of receiving messages on Facebook (almost everyone, even non-friends). EXEs have been sent via email for ages, but Facebook users are notorious for clicking links and attachments on the site, so having the extra layer of security to block EXEs is important. The full vulnerability post can be read here:

I decided to try out the vulnerability to see if it had been fixed (it's been about 24 hours since the issue was made public, but over a month since Facebook was notified). From what I've been able to tell, Facebook has now fixed the vulnerability.

Using Tamper Data (an add-on for Firefox), the POST data could be edited when submitting a file as an upload to a message. The string <filename="filename.exe"> could be changed to <filename="filename.exe "> (angle brackets added for readability). Notice the space after the file name. Apparently, Facebook was not trimming this data and the additional space was enough to allow an exe file to slip through.

However, now the vulnerability appears to have been fixed. Attempting the same exploit results in an error message: "Unfortunately, your attachment could not be uploaded at this time. Please try again later."

TamperData - Changing the file name in the POST header
Facebook Messaging Error