Notes from Troy Hunt's Hack Yourself First Workshop
Join the DZone community and get the full member experience.
Join For FreeTroy Hunt (@troyhunt, blog) had a great, very hands-on 2-day workshop about webapp security at NDC Oslo. Here are my notes.
Highlights – resources
Personal security and privacy
- https://www.entropay.com/ – a Prepaid Virtual Visa Card
- mailinator.com – tmp email
- f-secure VPN
- https://www.netsparker.com/ – scan a site for issues (insecure cookies, framework disclosure, SQL injection, …) (lot of $k)
Site security
- https://report-uri.io/ – get reports when CSP rules violated; also displays CSP headers for a site in a human-friendly way
- https://securityheaders.io/ check quality of headers wrt security
- free SSL – http://www.startssl.com/, https://www.cloudflare.com/ (also provides web app firewall and other protections) ;
- SSL quality check: https://www.ssllabs.com/ssltest/
- https://letsencrypt.org/ – free, automated, open Certificate Authority (Linux Found., Mozilla)
Breaches etc.
- http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/
- https://twitter.com/jmgosney – one of ppl behind http://passwordscon.org . http://password-hashing.net experts panel. Team Hashcat.
- http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
To follow
- ! http://krebsonsecurity.com/
- ! http://www.troyhunt.com/
- ! https://www.schneier.com/
- ! https://twitter.com/mikko (of F-Secure) also great [TED] talks
- kevin mitnick (jailed for hacking; twitter, books)
Books
- http://www.amazon.com/We-Are-Anonymous-LulzSec-Insurgency/dp/0316213527 – easy read, hard to put down
- http://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/dp/1441793755 – about Mitnick’s hacking, social engineering, living on the run
- ? http://www.amazon.com/Art-Intrusion-Exploits-Intruders-Deceivers/dp/0471782661/
- Mitnick: http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X/ – social engineering
Other
- https://www.xssposed.org/
- See https://www.drupal.org/SA-CORE-2014-005
- https://www.youtube.com/watch?v=Qvhdz8yE_po – Havij example
- http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html, http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html, http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html,
- Googlee: find config files with SA access info: `inurl:ftp inurl:web.config filetype:config sa`
- https://scotthelme.co.uk/hardening-your-http-response-headers/ and https://securityheaders.io/
- https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning – prevent MITM
- wappalyzer chrome plugin displaying info about the server and client that can be detected (jQuery, NewRelic, IIS, win OS, …)
- http://www.troyhunt.com/2015/05/do-you-really-want-bank-grade-security.html
- http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
- tool: https://github.com/gentilkiwi/mimikatz extract plaintexts passwords, hash, PIN code and kerberos tickets from memory on Windows
Notes
- HackYourselfFirst.troyhunt.com – an example app with many vulnerabilities
- Note: maximizing your browser window will share info about your screen size, which might help to identify you
- haveibeenpwned.com – Troy’s online DB of hacked accounts
Tips
- check robots.txt to know what to access
Example Issues
- no https on login page
- insecure psw requirements
- cookies not secure flag => sent over http incl. AuthCookie)
- psw sent in clear text in confirm email
- user enumeration, f.eks. an issue with AdultFriendFinder – entry someone’s email to login to find out whether they’ve an account
- post illegal chars, get them displayed => injection
- no anti-automation (captcha)
- login confirm. email & autom. creating 1m accounts => sending 1m emails => pisses ppl off, likely increase one’s spam reputation (=> harder to send emails)
- brute-force protection?
### XSS
Reflected XSS: display unescaped user input
- Encoding context: HTML, JS, CSS … have diff. escape sequences for the same char (e.g. <) – look at where they’re mixed
- Check the encoding consistency – manual encoding, omitting some chars
- JS => load ext resources, access cookies, manipulate the DOM
Task: stal authCookie via search
### SQL injection
Error-based injection: when the DB helps us by telling us what is wrong -> use ti learn more and even show some data
Ex.: http://hackyourselffirst.troyhunt.com/Make/10?orderby=supercarid <—— supercarid is a column name
- orderby=(select * from userprofile) …
- learn about DB sructure, force an exception that shows the valueex.: (select top 1 cast(password) as int from userprofile) => “Conversion failed for the nvar value ‘passw0rd …’”
Tips
- think of SQL commands that disclose structure: sys.(tables,columns), system commands
- enumerate records: nest queries: select top X ows asc then top 1 rows from that desc
- write out how you think the query works / is being constructed internally
- cast things to invalid types to disclose values in err msgs (or implicit cast due to -1 ..)
#### Defenses
- whitelist input data types (id=123 => onlyallow ints)
- enumerable values – check against an appropr. whitelist
- if the value is stored – who uses it, how? making query/insertion safe
- permissions: give read-only permissions as much as possible; don’t use admin user from your webapp
### Mobile apps
- Look at HTTP req for sensitive data – creds, account, …
- Apps may ignore certificate validations
- In your app: param tampering, auth bypass, direct object refs
- Weak often: airlines, small scale shops, fast foods, …
Tips
- certificate pining – the app has the fingerprint of the server cert. hardcoded and doesn’t trust even “valid” MITM certificate (banks, dropbox, …)x
### CSRF Cross-Site Request Forgery
= make the user send a request => their auth cookie included
- async Ajax req to another site forbidden but that doesn’t apply to normal post
Protection
- anti-forgery tags
### Understanding fwrk disclosure
- http://www.shodanhq.com/ -> search for “drupal 7” -> pwn
- How disclosed:
- headers
- familiar signs – jsessionid cookie for java, …
- The default error and 404 responses may help to recognize the fwr
- HTML code (reactid), “.do” for Sttruts
- implicit: order of headers (Apache x IIS), paths (capitalized?), response to improper HTTP version/protocol,
- => likely still possible to figure out the stack but not possible to simple search for fwrk+version
### Session hijacking
Steal authentication cookie => use for illegal requests.
- Persistence over HTTP of auth., session: cookie, URL (but URL insecure – can be shared)
- Session/auth ID retrieval: insecure transport, referrer, stored in exceptions, XSS
- Factors limiting hijacking: short duration expiry, keyed to client device / IP (but IPs may rotate, esp, on mobile devices => be very cautious)
DAY 2
——–
### Cracking passwords
Password hashing:
- salt: so that 2 ppl choosing the same psw will have a different hash => cracking is # salts * # passwords inst. of just N
- has cracking tips:
- character space
- Dictionary: passw0rd, …
- Mutations: manipulation and subst. of characters
- character space
Tips:
- 1Password , LastPass, ….
- GPU ~ 100* faster than CPU
#### Ex: Crack with hashcat
common psw dict + md5-hashed passwords => crack
./hashcat-cli64.bin –hash-type=0 StratforHashes.txt hashkiller.com.dic # 23M psw dict -> Recovered.: 44 326/860 160 hashes [obs duplications] in 4 min (speed 135.35k plains)
Q: What dictionary we use? Do we apply any mutations to it?
### Account enumeration
- = Does XY have an account?
- Multiple vectors (psw reset, register a new user with the same e-mail, …)
- Anti-automation: is there any? It may be inconsistent across vectors
- Does it matter? (<> privacy needs)
- How to “ask” the site and how to identify + and – responses?
- Timing attacks: distinguish positive x negative response based on the latency differing between the two
### HTTPS
Confidentiality, Integrity, Authenticity
Traffic hijacking: [a href="https://www.wifipineapple.com/"]https://www.wifipineapple.com/ – wifi hotspot with evil capabilities
- monitor probe requests (the phone looks for networks it knows), present yourself as one of those, the phone connects autom. (if no encryption)
- Consider everything sent over HTTP to be compromised
- Look at HTTPS content embedded in untrusted pages (iframes, links) – e.g. payment page embedded in http
Links
- HSTS Preload – tell Chrome, FF that your site should only be ever loaded over HTTPS – https://hstspreload.appspot.com/
- https://www.owasp.org/index.php/HTTP_Strict_Transport_Security header
### Content Scurity Policy header
https://developer.chrome.com/extensions/contentSecurityPolicy See e.g. https://haveibeenpwned.com/ headers
w/o CSP
- anything can be added to the page via a reflected XSS risk
- Anyth, can be added to the DOM downstream (on a proxy)
With CSP the browser will only load resources you white-list; any violations can be reported
Use e.g. https://report-uri.io/home/generate to create it and the report to watch for violations to fine tune it.
### SQL injection cont’d
(Yesterday: Error-Based)
#### Union Based SQLi
Modify the query to union whatever other data and show them. More data faster than error-based inj.
Ex.: http://hackyourselffirst.troyhunt.com/CarsByCylinders?Cylinders=V12 : V12 -> `V12′ union select voteid, comments collate SQL_Latin1_General_CP1_CI_AS from vote– `
#### Blind Boolean (laborious)
Blind inj.: We can’t always rely on data being explicitly returned to the UI => ask a question, draw a conclusion about the data.
Ex:
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=PowerKw&asc=false ->
ordedby => case when (select count(*) from userprofile) > 1 then powerkw else topspeedkm end
Extract email: Is ascii of the lowercase char #1 < ascii of m ?
Automation: SqlMap
#### Time based blind injection
When no useful output returned but yes/no responses differ significantly in how much time they take. F.ex. ask the db to delay the OK response.
MS SQL: IF ‘b’ > ‘a’ WAITFOR DELAY ’00:00:05′
### Brute force attacks
- Are there any defences? Often not
- How are defences impl?
- block the req resources
- block the src IP
- rate limit (by src IP)
### Automation
- penetration testing apps and services such as Netsparker, WhiteHatSec
- targets identification: shodan, googledorks, randowm crawling
- think aout the actions that adhere to a pattern – sql injection, fuzzing (repeat a req. trying diff. values for fields – SQLi, …), directory enumeration
- automation can be used for good – test your site
- tip: have autom. penetration testing (and perhaps static code analysis) as a part fo your build pipeline
Task: Get DB schema using sqlmap (see python2.7 sqlmap.py –help)
### Protection
Intrusion Detection System (IDS) – e.g. Snort
Web Application Firewall (WAF) – e.g. CloudFare ($20/m)
Opinions expressed by DZone contributors are their own.
Comments