EECS 354 Network Security - Network Penetration and Security
Friday, October 22, 2010
EECS 354
Network Security
Advanced Web Attacks
Encoding Security
• Probably doesn't work (the plain form):
  ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83))
• Probably does (the same thing, entity-encoded; truncated on the slide):
  ';alert(S;tring.fromCharCode;(88,83,83;))//\';aC;ert(StriE;g.fromCh&#x61;rCode(8 ....
• Look ye, mere mortal, and despair
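The filter-evasion payloads above exist because blacklist filtering is the wrong defence; encoding untrusted data for the context it lands in is the right one. This is an added example (not from the lecture slides) in Python: the two encoders and the `render_page` template are written for this illustration, and the slide's first payload is embedded as constructed input.

```python
import html
import json
import re

# The first cheat-sheet payload from the slide, embedded as constructed input.
PAYLOAD = (r"""';alert(String.fromCharCode(88,83,83))//\';alert"""
           r"""(String.fromCharCode(88,83,83))//";alert(String.fromCharCode"""
           r"""(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>"""
           r"""alert(String.fromCharCode(88,83,83))""")


def encode_for_html(value: str) -> str:
    """Untrusted data between tags or inside a *quoted* attribute value:
    &, <, >, " and ' all become entities, so nothing can close the context."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Untrusted data inside a JavaScript string literal in a <script> block.
    json.dumps escapes quotes and backslashes; < and > are additionally
    \\u-escaped so the HTML parser can never see '</script>' or '-->'."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_page(value: str) -> str:
    """Constructed template: the same untrusted value lands in three contexts,
    each with the encoder that matches that context."""
    return (f"<p>{encode_for_html(value)}</p>\n"
            f'<input value="{encode_for_html(value)}">\n'
            f"<script>var v = {encode_for_js_string(value)};</script>\n")


def html_encoding_is_safe(encoded: str) -> bool:
    """No raw character that could open a tag or close a quote survives."""
    return not any(c in encoded for c in "<>\"'")


def js_encoding_is_safe(encoded: str, original: str) -> bool:
    """Still one double-quoted literal, no raw < or > in the body, no
    unescaped quote, and the browser would decode it back to the original
    text unchanged (the encoding is lossless, not a mangling filter)."""
    body = encoded[1:-1]
    return (encoded[:1] == encoded[-1:] == '"'
            and "<" not in body and ">" not in body
            and not re.search(r'(?<!\\)"', body)
            and json.loads(encoded) == original)


if __name__ == "__main__":
    print(render_page(PAYLOAD))
```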
Random Numbers
• "Random"
• PRNG
• /dev/urandom
• RNG
• /dev/random
• CSRNG
• Know what you need
• UUID (GUID)
Session Hijacking
• Random number failure
• Session information should be as random as possible
• Hijacking one account isn't as interesting as hijacking 100 accounts
• Don't expose the session ID in the URL
• Session Fixation
• Don't accept user-defined session IDs
• Use TLS for all session communication
• Maybe tie the session to the client IP
• What if there are two people behind the same router?
• Regenerate the SID on every request
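An added example, not from the slides, of what the bullets above amount to in server-side code (Python; the in-memory store, the function names and the user `alice` are constructed for this illustration): CSPRNG session IDs, refusing user-defined IDs, rotating the ID on login, and keeping it in a cookie rather than the URL.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory store; a real deployment would use a database or cache.
SESSIONS: Dict[str, dict] = {}

def new_session_id() -> str:
    """IDs come from the OS CSPRNG (secrets wraps os.urandom), never from
    random.random(), the clock or a counter: 32 bytes, 256 bits of entropy."""
    return secrets.token_urlsafe(32)

def start_session(client_supplied_sid: Optional[str] = None) -> str:
    """Only continue a session the server itself issued; an unknown or
    user-defined SID is ignored and a fresh one generated."""
    if client_supplied_sid is not None and client_supplied_sid in SESSIONS:
        return client_supplied_sid
    sid = new_session_id()
    SESSIONS[sid] = {"user": None}
    return sid

def rotate(sid: str) -> str:
    """Move the state under a fresh SID; the old SID stops working at once."""
    state = SESSIONS.pop(sid)
    fresh = new_session_id()
    SESSIONS[fresh] = state
    return fresh

def login(sid: str, user: str, password_ok: bool) -> str:
    """Fixation defence: every privilege change rotates the SID, so a genuine
    SID an attacker planted in the victim's browser never becomes authenticated."""
    if not password_ok or sid not in SESSIONS:
        return sid
    SESSIONS[sid]["user"] = user
    return rotate(sid)

def current_user(sid: str) -> Optional[str]:
    return SESSIONS.get(sid, {}).get("user")

def session_cookie_header(sid: str) -> str:
    """The SID travels in a cookie, never in the URL; Secure keeps it off
    plain HTTP and HttpOnly keeps it away from page scripts."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly"

def fixation_scenario() -> tuple:
    """Constructed walk-through of the slide's fixation case. Returns
    (attacker_can_use_planted_sid, victim_is_logged_in)."""
    planted = start_session()              # attacker obtains a genuine SID
    victim_sid = start_session(planted)    # victim arrives with it planted
    victim_sid = login(victim_sid, "alice", password_ok=True)
    return current_user(planted) == "alice", current_user(victim_sid) == "alice"
```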
Cross-site Cooking
• Cookies can usually only be set or read by the domain they were created by
• Sometimes browsers have bugs
• Don't rely solely on this
Direct Object References
• Read file:
    $f = get_from_user();                   // hypothetical helper: any request parameter
    $txt = file_get_contents("/var/www/" . $f);
• Modify file path:
    $f = "../../../../../../etc/passwd";
• Check authentication for EVERYTHING
Cookie Security - Encryption
• Simple cookie security is hard
• More complex is exponentially harder
• What if we want two separate servers to share a cookie?
    using System;
    using System.Security.Cryptography;
    using System.Text;

    public static string Encrypt(string toEncrypt, string key, bool useHashing)
    {
        byte[] keyArray = UTF8Encoding.UTF8.GetBytes(key);
        byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(toEncrypt);
        if (useHashing)
            // a 16-byte MD5 digest of a password string stands in for a real 3DES key
            keyArray = new MD5CryptoServiceProvider().ComputeHash(keyArray);
        var tdes = new TripleDESCryptoServiceProvider()
            { Key = keyArray, Mode = CipherMode.ECB, Padding = PaddingMode.PKCS7 };
        // ECB: no IV, identical plaintext blocks give identical ciphertext blocks,
        // and nothing here authenticates the result
        ICryptoTransform cTransform = tdes.CreateEncryptor();
        byte[] resultArray = cTransform.TransformFinalBlock(
            toEncryptArray, 0, toEncryptArray.Length);
        return Convert.ToBase64String(resultArray, 0, resultArray.Length);
    }
You Aren't Smart Enough to Do Cryptography
• DO NOT DO YOUR OWN CRYPTOGRAPHY
• Use a library
• Even that won't save you
• Google Keyczar
    return self.Sign(msg) == sig_bytes
• HMAC verification
• Timing attack
• SSL, Secure Mode cookies, correct certificate auth
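An added example (not from the slides, and not Keyczar's code) covering the two preceding slides in Python: a cookie two servers can share needs integrity rather than the ECB-mode 3DES above, and the verifier is shown with the `==` comparison from the Keyczar bug beside the constant-time `hmac.compare_digest` fix. The key and cookie values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo key. Two servers that must share a cookie simply load the
# same key from their key store; the scheme needs no encryption at all.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def sign_cookie(value: bytes, key: bytes = SHARED_KEY) -> str:
    """Tamper-evident cookie: base64(value).base64(HMAC-SHA256(key, value))."""
    tag = hmac.new(key, value, hashlib.sha256).digest()
    return f"{b64(value)}.{b64(tag)}"

def split_cookie(cookie: str) -> Optional[tuple]:
    """Decode the two fields; anything malformed is rejected, never repaired."""
    try:
        value_b64, tag_b64 = cookie.split(".", 1)
        return base64.urlsafe_b64decode(value_b64), base64.urlsafe_b64decode(tag_b64)
    except ValueError:          # wrong shape, or binascii.Error from bad base64
        return None

def verify_cookie_with_equals(cookie: str, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """The Keyczar-style bug from the slide: == may stop at the first differing
    byte, so response time can leak how much of a forged tag is already right."""
    parts = split_cookie(cookie)
    if parts is None:
        return None
    value, tag = parts
    expected = hmac.new(key, value, hashlib.sha256).digest()
    return value if tag == expected else None        # timing side channel

def verify_cookie(cookie: str, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Same check with a constant-time compare; this is the only line that
    needs to change, and it is why the library call beats a hand-rolled ==."""
    parts = split_cookie(cookie)
    if parts is None:
        return None
    value, tag = parts
    expected = hmac.new(key, value, hashlib.sha256).digest()
    return value if hmac.compare_digest(tag, expected) else None
```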
Null Byte Injection
• Uses a NULL terminator to alter/rewrite the query string
    String fn = request.getParameter("fn");
    if (fn.endsWith(".db"))
    {
        File f = new File(fn);
        // read the contents of file "f"
        …
    }
• Normal:
    http://www.example.host/mypage.jsp?fn=report.db
• Attacking:
    http://www.example.host/mypage.jsp?fn=serverlogs.txt%00.db
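An added example, not from the slides, serving both the direct-object-reference slide and this one: a single Python check that decodes the parameter, rejects the `%00` byte before the suffix test, and confines the canonical path to the document root. `DOC_ROOT` and `resolve_user_path` are names chosen for this illustration; the authorization check the earlier slide demands ("check authentication for EVERYTHING") still has to happen before this is called.

```python
import os
import urllib.parse
from typing import Optional

# Constructed document root; the slide's /var/www is used only as an example.
DOC_ROOT = "/var/www"
ALLOWED_SUFFIX = ".db"


def resolve_user_path(user_value: str, root: str = DOC_ROOT) -> Optional[str]:
    """Return the absolute path to open, or None if the request is rejected.

    Order matters. Decode first, so %00 and %2e%2e become the real bytes the
    filesystem would see. Reject NUL and other control bytes before the suffix
    check: the .db test on the slide passed because endsWith saw the whole
    string while the native open() stopped at the NUL. Only then canonicalise
    (symlinks and ../ resolved) and confine the result to the document root."""
    name = urllib.parse.unquote(user_value)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        return None                                   # %00 / control bytes
    if not name.endswith(ALLOWED_SUFFIX):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # os.path.join discards the root when name is absolute; commonpath catches
    # both that case and ../ climbing, after symlinks have been resolved.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("report.db", "serverlogs.txt%00.db",
                  "../../../../../../etc/passwd", "..%2F..%2Fetc%2Fshadow.db"):
        print(f"{value!r:40} -> {resolve_user_path(value)}")
```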
Fail to Restrict URLs
• Main app: http://example.com/myapp.php
• Helper script: http://example.com/helper.php
• Maybe a backup script: http://example.com/backup.php
• Prints diffs for backup purposes, logging, etc.
• Navigate to helper.php
• (?????)
• Profit
New Stuff
• 'Evercookie'
• HTML5 cookie that hides in all of the little cracks in HTML5 and is practically impossible to remove
• Java SOP is dumb
• Doesn't check the domain name if the IP addresses resolve the same
• DNS authentication issues (~1 year old)
• Root recently signed with DNSSEC
• 7 security researchers given keys to "restart the internet"
• "Fellowship of the Ring"
• Android (Marketplace) really, really sucks
• Wallpaper app steals your data and sends it to China
• Millions of downloads