Notes from Troy Hunt's Hack Yourself First workshop

June 17, 2015

Troy Hunt (@troyhunt, blog) had a great, very hands-on 2-day workshop about webapp security at NDC Oslo. Here are my notes.

Highlights - resources

Personal security and privacy

https://www.entropay.com/ - a Prepaid Virtual Visa Card
mailinator.com - tmp email
f-secure VPN
https://www.netsparker.com/ - scan a site for issues (insecure cookies, framework disclosure, SQL injection, …) (lot of $k)

Site security

https://report-uri.io/ - get reports when CSP rules violated; also displays CSP headers for a site in a human-friendly way
https://securityheaders.io/ check quality of headers wrt security
free SSL - http://www.startssl.com/, https://www.cloudflare.com/ (also provides web app firewall and other protections) ;
SSL quality check: https://www.ssllabs.com/ssltest/
https://letsencrypt.org/ - free, automated, open Certificate Authority (Linux Found., Mozilla)
HSTS Preload - tell Chrome, FF that your site should only be ever loaded over HTTPS - https://hstspreload.appspot.com/

Breaches etc.

http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/
https://twitter.com/jmgosney - one of ppl behind http://passwordscon.org . http://password-hashing.net experts panel. Team Hashcat.
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

To follow

! http://krebsonsecurity.com/
! http://www.troyhunt.com/
! https://www.schneier.com/
! https://twitter.com/mikko (of F-Secure) also great [TED] talks
kevin mitnick (jailed for hacking; twitter, books)

Books

http://www.amazon.com/We-Are-Anonymous-LulzSec-Insurgency/dp/0316213527 - easy read, hard to put down
http://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/dp/1441793755 - about Mitnick’s hacking, social engineering, living on the run
? http://www.amazon.com/Art-Intrusion-Exploits-Intruders-Deceivers/dp/0471782661/
Mitnick: http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X/ - social engineering

Other

https://www.xssposed.org/
See https://www.drupal.org/SA-CORE-2014-005
https://www.youtube.com/watch?v=Qvhdz8yE_po - Havij example
http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html, http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html, http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html,
Googlee: find config files with SA access info: `inurl:ftp inurl:web.config filetype:config sa`
https://scotthelme.co.uk/hardening-your-http-response-headers/ and https://securityheaders.io/
https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning - prevent MITM
wappalyzer chrome plugin displaying info about the server and client that can be detected (jQuery, NewRelic, IIS, win OS, …)
http://www.troyhunt.com/2015/05/do-you-really-want-bank-grade-security.html
http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
tool: https://github.com/gentilkiwi/mimikatz extract plaintexts passwords, hash, PIN code and kerberos tickets from memory on Windows

Notes

HackYourselfFirst.troyhunt.com - an example app with many vulnerabilities
Note: maximizing your browser window will share info about your screen size, which might help to identify you
haveibeenpwned.com - Troy's online DB of hacked accounts

Tips

check robots.txt to know what to access

Example Issues

no https on login page
insecure psw requirements
cookies not secure flag => sent over http incl. AuthCookie)
psw sent in clear text in confirm email
user enumeration, f.eks. an issue with AdultFriendFinder - entry someone’s email to login to find out whether they’ve an account
post illegal chars, get them displayed => injection
no anti-automation (captcha)
- login confirm. email & autom. creating 1m accounts => sending 1m emails => pisses ppl off, likely increase one’s spam reputation (=> harder to send emails)
brute-force protection?

### XSS

Reflected XSS: display unescaped user input

Encoding context: HTML, JS, CSS … have diff. escape sequences for the same char (e.g. <) - look at where they’re mixed
Check the encoding consistency - manual encoding, omitting some chars
JS => load ext resources, access cookies, manipulate the DOM

Task: stal authCookie via search

### SQL injection

Error-based injection: when the DB helps us by telling us what is wrong -> use ti learn more and even show some data

Ex.: http://hackyourselffirst.troyhunt.com/Make/10?orderby=supercarid <—— supercarid is a column name

orderby=(select * from userprofile) …
learn about DB sructure, force an exception that shows the valueex.: (select top 1 cast(password) as int from userprofile) => “Conversion failed for the nvar value ‘passw0rd …’"

Tips

think of SQL commands that disclose structure: sys.(tables,columns), system commands
enumerate records: nest queries: select top X ows asc then top 1 rows from that desc
write out how you think the query works / is being constructed internally
cast things to invalid types to disclose values in err msgs (or implicit cast due to -1 ..)

#### Defenses

whitelist input data types (id=123 => onlyallow ints)
enumerable values - check against an appropr. whitelist
if the value is stored - who uses it, how? making query/insertion safe
permissions: give read-only permissions as much as possible; don’t use admin user from your webapp

### Mobile apps

Look at HTTP req for sensitive data - creds, account, …
Apps may ignore certificate validations
In your app: param tampering, auth bypass, direct object refs
Weak often: airlines, small scale shops, fast foods, …

Tips

certificate pining - the app has the fingerprint of the server cert. hardcoded and doesn’t trust even “valid” MITM certificate (banks, dropbox, …)x

### CSRF Cross-Site Request Forgery

= make the user send a request => their auth cookie included

async Ajax req to another site forbidden but that doesn’t apply to normal post

Protection

anti-forgery tags

### Understanding fwrk disclosure

http://www.shodanhq.com/ -> search for “drupal 7” -> pwn

How disclosed:

headers
familiar signs - jsessionid cookie for java, …
The default error and 404 responses may help to recognize the fwr
HTML code (reactid), “.do” for Sttruts
implicit: order of headers (Apache x IIS), paths (capitalized?), response to improper HTTP version/protocol,
- => likely still possible to figure out the stack but not possible to simple search for fwrk+version

### Session hijacking

Steal authentication cookie => use for illegal requests.

Persistence over HTTP of auth., session: cookie, URL (but URL insecure - can be shared)
Session/auth ID retrieval: insecure transport, referrer, stored in exceptions, XSS
Factors limiting hijacking: short duration expiry, keyed to client device / IP (but IPs may rotate, esp, on mobile devices => be very cautious)

DAY 2

--------

### Cracking passwords

Password hashing:

salt: so that 2 ppl choosing the same psw will have a different hash => cracking is # salts * # passwords inst. of just N
has cracking tips:
- character space [a-zA-Z0-9]
- Dictionary: passw0rd, …
- Mutations: manipulation and subst. of characters

Tips:

1Password , LastPass, ….
GPU ~ 100* faster than CPU

#### Ex: Crack with hashcat

common psw dict + md5-hashed passwords => crack

./hashcat-cli64.bin --hash-type=0 StratforHashes.txt hashkiller.com.dic # 23M psw dict -> Recovered.: 44 326/860 160 hashes [obs duplications] in 4 min (speed 135.35k plains)

Q: What dictionary we use? Do we apply any mutations to it?

### Account enumeration

= Does XY have an account?
Multiple vectors (psw reset, register a new user with the same e-mail, …)
Anti-automation: is there any? It may be inconsistent across vectors
Does it matter? (<> privacy needs)
How to “ask” the site and how to identify + and - responses?
Timing attacks: distinguish positive x negative response based on the latency differing between the two

### HTTPS

Confidentiality, Integrity, Authenticity

Traffic hijacking: https://www.wifipineapple.com/ - wifi hotspot with evil capabilities

monitor probe requests (the phone looks for networks it knows), present yourself as one of those, the phone connects autom. (if no encryption)

Consider everything sent over HTTP to be compromised
Look at HTTPS content embedded in untrusted pages (iframes, links) - e.g. payment page embedded in http

Links

HSTS Preload - tell Chrome, FF that your site should only be ever loaded over HTTPS - https://hstspreload.appspot.com/
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security header

### Content Scurity Policy header

https://developer.chrome.com/extensions/contentSecurityPolicy See e.g. https://haveibeenpwned.com/ headers

w/o CSP

anything can be added to the page via a reflected XSS risk
Anyth, can be added to the DOM downstream (on a proxy)

With CSP the browser will only load resources you white-list; any violations can be reported

Use e.g. https://report-uri.io/home/generate to create it and the report to watch for violations to fine tune it.

### SQL injection cont'd

(Yesterday: Error-Based)

#### Union Based SQLi

Modify the query to union whatever other data and show them. More data faster than error-based inj.

Ex.: http://hackyourselffirst.troyhunt.com/CarsByCylinders?Cylinders=V12 : V12 -> `V12' union select voteid, comments collate SQL_Latin1_General_CP1_CI_AS from vote-- `

#### Blind Boolean (laborious)

Blind inj.: We can’t always rely on data being explicitly returned to the UI => ask a question, draw a conclusion about the data.

Ex:

http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=PowerKw&asc=false ->

ordedby => case when (select count(*) from userprofile) > 1 then powerkw else topspeedkm end

Extract email: Is ascii of the lowercase char #1 < ascii of m ?

Automation: SqlMap

#### Time based blind injection

When no useful output returned but yes/no responses differ significantly in how much time they take. F.ex. ask the db to delay the OK response.

MS SQL: IF ‘b’ > ‘a’ WAITFOR DELAY ’00:00:05'

### Brute force attacks

Are there any defences? Often not
How are defences impl?
- block the req resources
- block the src IP
- rate limit (by src IP)

### Automation

penetration testing apps and services such as Netsparker, WhiteHatSec
targets identification: shodan, googledorks, randowm crawling
think aout the actions that adhere to a pattern - sql injection, fuzzing (repeat a req. trying diff. values for fields - SQLi, …), directory enumeration
automation can be used for good - test your site
tip: have autom. penetration testing (and perhaps static code analysis) as a part fo your build pipeline

Task: Get DB schema using sqlmap (see python2.7 sqlmap.py --help)

### Protection

Intrusion Detection System (IDS) - e.g. Snort

Web Application Firewall (WAF) - e.g. CloudFare ($20/m)

### Various

Tags: security