jakub holý

building the right thing, building it right, fast

Notes from Troy Hunt''s Hack Yourself First workshop

2015-06-17General

Troy Hunt (@troyhunt, blog) had a great, very hands-on 2-day workshop about webapp security at NDC Oslo. Here are my notes.



Highlights - resources



Personal security and privacy





Site security





Breaches etc.





To follow







Books





Other



Notes



  • HackYourselfFirst.troyhunt.com - an example app with many vulnerabilities
  • Note: maximizing your browser window will share info about your screen size, which might help to identify you
  • haveibeenpwned.com - Troy's online DB  of hacked accounts


Tips



  • check robots.txt to know what to access


Example Issues



  • no https on login page
  • insecure psw requirements
  • cookies not secure flag => sent over http incl. AuthCookie)
  • psw sent in clear text in confirm email
  • user enumeration, f.eks. an issue with AdultFriendFinder - entry someone’s email to login to find out whether they’ve an account
  • post illegal chars, get them displayed => injection
  • no anti-automation (captcha)
    • login confirm. email & autom. creating 1m accounts => sending 1m emails => pisses ppl off, likely increase one’s spam reputation (=> harder to send emails)
  • brute-force protection?




### XSS



Reflected XSS: display unescaped user input



  • Encoding context: HTML, JS, CSS … have diff. escape sequences for the same char (e.g. <) - look at where they’re mixed
  • Check the encoding consistency - manual encoding, omitting some chars
  • JS => load ext resources, access cookies, manipulate the DOM


Task: stal authCookie via search



### SQL injection



Error-based injection: when the DB helps us by telling us what is wrong -> use ti learn more and even show some data



Ex.: http://hackyourselffirst.troyhunt.com/Make/10?orderby=supercarid <—— supercarid is a column name



  • orderby=(select * from userprofile) …
  • learn about DB sructure, force an exception that shows the valueex.: (select top 1 cast(password) as int from userprofile) => “Conversion failed for the nvar value ‘passw0rd …’"


Tips



  • think of SQL commands that disclose structure: sys.(tables,columns), system commands
  • enumerate records: nest queries: select top X ows asc then top 1 rows from that desc
  • write out how you think the query works / is being constructed internally 
  • cast things to invalid types to disclose values in err msgs (or implicit cast due to -1 ..)


#### Defenses



  • whitelist input data types (id=123 => onlyallow ints)
  • enumerable values - check against an appropr. whitelist
  • if the value is stored - who uses it, how? making query/insertion safe
  • permissions: give read-only permissions as much as possible; don’t use admin user from your webapp


### Mobile apps



  • Look at HTTP req for sensitive data - creds, account, …
  • Apps may ignore certificate validations
  • In your app: param tampering, auth bypass, direct object refs
  • Weak  often: airlines, small scale shops, fast foods, …


Tips



  • certificate pining - the app has the fingerprint of the server cert. hardcoded and doesn’t trust even “valid” MITM certificate (banks, dropbox, …)x


### CSRF Cross-Site Request Forgery



= make the user send a request => their auth cookie included



  • async Ajax req to another site forbidden but that doesn’t apply to normal post


Protection



  • anti-forgery tags


### Understanding fwrk disclosure





  • How disclosed:


  • headers
  •  familiar signs - jsessionid cookie for java, …
  • The default error and 404 responses may help to recognize the fwr
  • HTML code (reactid), “.do” for Sttruts
  • implicit: order of headers (Apache x IIS), paths (capitalized?), response to improper HTTP version/protocol, 
    • => likely still possible to figure out the stack but not possible to simple search for fwrk+version


### Session hijacking



Steal authentication cookie => use for illegal requests.



  • Persistence over HTTP of auth., session: cookie, URL (but URL insecure - can be shared)
  • Session/auth ID retrieval: insecure transport, referrer, stored in exceptions, XSS
  • Factors limiting hijacking: short duration expiry, keyed to client device / IP (but IPs may rotate, esp, on mobile devices => be very cautious)


DAY 2



--------



### Cracking passwords



Password hashing: 



  • salt: so that 2 ppl choosing the same psw will have a different hash => cracking is # salts * # passwords inst. of just N
  • has cracking tips:
    • character space [a-zA-Z0-9]
    • Dictionary: passw0rd, …
    • Mutations: manipulation and subst. of characters


Tips:



  • 1Password , LastPass, ….
  • GPU ~ 100* faster than CPU


#### Ex: Crack with hashcat



common psw dict + md5-hashed passwords => crack



./hashcat-cli64.bin --hash-type=0 StratforHashes.txt hashkiller.com.dic # 23M psw dict -> Recovered.: 44 326/860 160 hashes [obs duplications] in 4 min (speed 135.35k plains)



Q: What dictionary we use? Do we apply any mutations to it?



### Account enumeration



  • = Does XY have an account?
  • Multiple vectors (psw reset, register a new user with the same e-mail, …)
  • Anti-automation: is there any? It may be inconsistent across vectors
  • Does it matter? (<> privacy needs)
  • How to “ask” the site and how to identify + and - responses?
  • Timing attacks: distinguish positive x negative response based on the latency differing between the two


### HTTPS



Confidentiality, Integrity, Authenticity



Traffic hijacking: https://www.wifipineapple.com/ - wifi hotspot with evil capabilities



    • monitor probe requests (the phone looks for networks it knows), present yourself as one of those, the phone connects autom. (if no encryption)


  • Consider everything sent over HTTP to be compromised
  • Look at HTTPS content embedded in untrusted pages (iframes, links) - e.g. payment page embedded in http


Links





### Content Scurity Policy header



https://developer.chrome.com/extensions/contentSecurityPolicy See e.g. https://haveibeenpwned.com/ headers



w/o CSP



  • anything can be added to the page via a reflected XSS risk
  • Anyth, can be added to the DOM downstream (on a proxy)


With CSP the browser will only load resources you white-list; any violations can be reported



Use e.g. https://report-uri.io/home/generate to create it and the report to watch for violations to fine tune it.



### SQL injection cont'd



(Yesterday: Error-Based)



#### Union Based SQLi



Modify the query to union whatever other data and show them. More data faster than error-based inj.



Ex.: http://hackyourselffirst.troyhunt.com/CarsByCylinders?Cylinders=V12 :  V12 -> `V12' union select voteid, comments collate SQL_Latin1_General_CP1_CI_AS from vote-- `



#### Blind Boolean (laborious)



Blind inj.: We can’t always rely on data being explicitly returned to the UI => ask a question, draw a conclusion about the data.



Ex: 



http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=PowerKw&asc=false -> 



ordedby => case when (select count(*) from userprofile) > 1 then powerkw else topspeedkm end



 



Extract email: Is ascii of the lowercase char #1 < ascii of m ?



Automation: SqlMap



#### Time based blind injection



When no useful output returned but yes/no responses differ significantly in how much time they take. F.ex. ask the db to delay the OK response.



MS SQL: IF ‘b’ > ‘a’ WAITFOR DELAY ’00:00:05'



### Brute force attacks



  • Are there any defences? Often not
  • How are defences impl?
    • block the req resources
    • block the src IP
    • rate limit (by src IP)


### Automation



  • penetration testing apps and services such as Netsparker, WhiteHatSec
  • targets identification: shodan, googledorks, randowm crawling
  • think aout the actions that adhere to a pattern - sql injection, fuzzing (repeat a req. trying diff. values for fields - SQLi, …), directory enumeration
  • automation can be used for good - test your site
  • tip: have autom. penetration testing (and perhaps static code analysis) as a part fo your build pipeline


Task: Get DB schema using sqlmap (see python2.7 sqlmap.py --help)



### Protection



Intrusion Detection System (IDS) - e.g. Snort



Web Application Firewall (WAF) - e.g. CloudFare ($20/m)



### Various