Web Application Brute Forcing 101 – "Enemy of the State (Mechanism)"
David Endler, Michael Sutton
iDEFENSE – The Power of Intelligence®

Outline
- What are Session IDs?
- Security Problems with Session IDs
- An Emerging Threat - Brute Forcing Web Session IDs
- Notable News Items
- Fun Exploitation Examples
- 6 Common Problems
- General Protection Measures: Users, Vendors, Developers
- Resources

Web Application Logins
- Traditional brute force of the login form: guest, Admin, 123123, Password, etc.

Session ID Overview
- HTTP is a stateless protocol.
- Rather than make a user authenticate upon each click in a web application, a sense of "state" is created.
- To maintain state, developers usually use a shared string, token, or secret between the HTTP client and the server.
- Essentially, authentication data (username/password) is exchanged for a "Session ID".

Web State Attacks
- Session Replay: a traditional replay attack in the cryptography sense is an attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it.
- Session Hijacking: seizing control of a legitimate user's web application session while that user is "logged in" to the application.
Session ID
- A Session ID should IN THEORY be just as secure as a username/password.

Session ID Overview
- While it is generally clear that username/password pairs are indeed authentication data and therefore sensitive, it is not generally understood that session IDs are just as sensitive because of their frequent use for authentication. See RFC 2964 (Use of HTTP State Management).
- Session IDs are commonly stored in cookies and/or URLs, and in hidden fields of web pages (or some combination).
- The Session ID is generated by the WEB SERVER (IIS, etc.) when the user first hits the site, or by the WEB APPLICATION (ATG Dynamo, Apache Tomcat, BEA Websphere, .jsp, .asp, perl, etc.) when the user logs in.

Cookie Refresher
- Sometimes cookies are set to expire (i.e., be deleted) upon closing the browser; these are typically called "session cookies" or "non-persistent" cookies.
- Persistent cookies last beyond a user's session (e.g. the "Remember Me" option).
- Persistent cookies are usually stored on the user's hard drive in a location that depends on the operating system and browser (e.g., C:\Program files\netscape\users\username\cookies.txt for Netscape and C:\Documents and Settings\username\Cookies for IE on Win2K).

Cookie Refresher (RFC 2965) – the seven fields of a stored cookie
1.) domain: The website domain that created and that can read the variable.
2.) flag: A TRUE/FALSE value indicating whether all machines within a given domain can access the variable.
3.) path: Pathname of the URL(s) capable of accessing the cookie from the domain.
4.) secure: A TRUE/FALSE value indicating if an SSL connection with the domain is needed to access the variable.
5.) expiration: The Unix time that the variable will expire on. Unix time is defined as the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the expiration date signals to the browser to store the cookie only in memory; it will be erased when the browser is closed. (In the example that follows: expires July 27, 2006.)
6.) name: The name of the Session ID variable (in the example that follows: Apache).
7.) value: The value of the Session ID variable (in the example that follows: 51.16018996349247480).
Example stored cookie (fields 2 to 7 in the order above; the domain column did not survive extraction):
    FALSE  /  FALSE  1154029490  Apache  51.16018996349247480

Cookie Stored Session ID Examples (domain column stripped; only its leading "." remains)
    .  TRUE   /rc  FALSE  1293768100  sauid          pp0010000000006DCC10255298230000591992.003F75FEF2
    .  TRUE   /    FALSE  1271361612  B              3qpaarsu48dai&b=2
    .  FALSE  /    FALSE  1026115299  session-id     103-1456769-7895034
    .  TRUE   /    FALSE  1183296824  lucky          8694036
    .  TRUE   /    FALSE  1341753778  Wookie-Cookie  13fe8fff4799f27dcf19c959dafa8437
    .  TRUE   /    FALSE  1154029490  I              ir=9p&in=4aweec66&i1=AFABCl
    .  TRUE   /    FALSE  1154029490  P              Ut=1

URL Stored Session ID
    /view/7AD30725122120803/r?iid=KVIJBUFDLPVMIVLXYUKB
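As an added example (not code from the talk), the following Python parses cookie-file lines in the seven-field layout listed above and applies the checks a defender would run on a cookie that carries a session ID: whether the secure flag is set, whether it persists for a long time, and whether it is scoped to every host in the domain. The sample line reuses the slide's Apache cookie with a placeholder domain, and the 30-day threshold is an assumption.

```python
import time

# Field order of a Netscape-format cookie file line, matching the RFC 2965 refresher above.
FIELDS = ("domain", "flag", "path", "secure", "expiration", "name", "value")

THIRTY_DAYS = 30 * 24 * 3600  # assumed threshold for "too persistent"


def parse_cookie_line(line):
    """Parse one tab-separated cookies.txt line into a dict.

    'flag' and 'secure' become booleans; 'expiration' becomes an int, or None
    when the field is empty (a memory-only session cookie).
    """
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    cookie = dict(zip(FIELDS, parts))
    cookie["flag"] = cookie["flag"].upper() == "TRUE"
    cookie["secure"] = cookie["secure"].upper() == "TRUE"
    cookie["expiration"] = int(cookie["expiration"]) if cookie["expiration"] else None
    return cookie


def audit_session_cookie(cookie, now=None):
    """Return the weaknesses a defender would flag for a cookie holding a session ID."""
    now = time.time() if now is None else now
    issues = []
    if not cookie["secure"]:
        issues.append("secure flag off: the session ID can be sent over plain HTTP")
    if cookie["expiration"] is not None and cookie["expiration"] - now > THIRTY_DAYS:
        issues.append("persistent cookie valid for more than 30 days")
    if cookie["flag"]:
        issues.append("flag TRUE: readable by every host in the domain")
    return issues


# Constructed sample: the slide's Apache cookie with a placeholder domain added.
SAMPLE_LINE = "example.com\tFALSE\t/\tFALSE\t1154029490\tApache\t51.16018996349247480"

if __name__ == "__main__":
    c = parse_cookie_line(SAMPLE_LINE)
    # Audit as of July 2002 (roughly when the talk was given); expiry is July 27, 2006.
    for issue in audit_session_cookie(c, now=1026000000):
        print(c["name"], "->", issue)
```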
    /greet/view?FXA96K95JAEJS
    /en/index.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122
    /exec/obidos/subst/home/home.html/102-4524380-3923344

Session IDs in HTML Hidden Fields
    <FORM METHOD=POST ACTION="/cgi-bin/bankonline.cgi">
    <input type="hidden" name="sessionID" value="abcde1234">
    <input type="hidden" name="useraccount" value="673-12745">
    <input type="submit" name="AccessMyBankInformation">
    </form>
Session ID Security Overview
- Session ID security is a microcosm of Web Application Security.
- Web Application Security cuts through many different aspects of an organization's information security infrastructure.
An Example: Brute Forcing Session IDs in URLs
Dear David Endler,
An Anonymous Admirer has sent you a greeting card from 123G, a FREE service committed to keeping people in touch.
To see your greeting card, choose from any of the following options which works best for you.
Method 1
Just click on the following Internet address (if that doesn't work for you, copy & paste the address onto your browser's address box.)
    /card/08/01/05/20/BG20801052002282.html

An Example: Brute Forcing Session IDs in URLs
    /view/AD30725122116211
    /view/AD30725122118909
    /view/AD30725122120803
    /view/AD30725122122507
    /view/AD30725122124100
As we start to associate that the date we sent these electronic cards on was July 25 at 12:21 PST, we can start to eliminate some more entropy out of this session ID (07251221). Notice then that we're left with five incrementing "random" digits at the end of the URL.

An Example: Brute Forcing Session IDs in URLs – AUTOMATED DEMO!

Why Brute Forcing Web Session IDs is Bad
- Can result in an online user's web application account being hijacked, or in loss of privacy
- Easy to exploit
- Unlike a typical login scenario, there is no failed-login lockout
- Prevalent disclosure among security mailing lists
- Typical security solutions (firewalls, IDS, etc.) do nothing to detect these attacks
- Log data is usually not that detailed
- IDS is not well developed for Web Application attacks
- SSL (server side) does nothing to protect against these attacks

In the News
- "Privacy hole found in Verizon Wireless Web site", Computerworld, Sept 6, 2001.
    /securitytopics/security/privacy/story/0,10801,63587,00.html
    /archive/1/211520
    /jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION
URL Example: Brute Forcing R
Thank you for using 's Domain Manager.
To change or re-enter your password, please copy and paste the URL below into the "Location" or "Address" field of your web browser and hit the 'Enter' key on your keyboard.
Note: If your e-mail program supports HTML, you may be able to click on the link below.
    /change_password.cgi?155218782787
Note: Above link will expire within three days
Example 2: Brute Forcing Web Session IDs
    /change_password.cgi?486218782865
    /change_password.cgi?440218782891
    /change_password.cgi?685218782917
    /change_password.cgi?505218782956
    /change_password.cgi?435218782969

URL Example – Brute Forcing D
-----Original Message-----
From: test@ [mailto:test@]
Sent: Monday, July 01, 2002 1:38 PM
To: dendler@
Subject: D.FILM Digital Movie for Dave

Dave created a digital movie for you! You can view it at the following URL:
    /mm2s/mm_route.php?id=110532
Cheers,
Dave and DFILM.
Be sure to check out the website at

URL Example – Brute Forcing D
No privacy of other users' creations:
    /mm2s/mm_route.php?id=110532
    /mm2s/mm_route.php?id=110531
    /mm2s/mm_route.php?id=110530
    /mm2s/mm_route.php?id=110529
    /mm2s/mm_route.php?id=110528
    /mm2s/mm_route.php?id=110527
    /mm2s/mm_route.php?id=110526
    /mm2s/mm_route.php?id=…

URL Example – S
    /servlets/servlets/mysendo?uId=76330

URL Example – S
View other people's events. Crash a party, edit an event, cancel an event, etc.
    /servlets/servlets/mysendo?uId=76330
    /servlets/servlets/mysendo?uId=76331
    /servlets/servlets/mysendo?uId=76332
    /servlets/servlets/mysendo?uId=76333
    /servlets/servlets/mysendo?uId=76334
    /servlets/servlets/mysendo?uId=76335
    /servlets/servlets/mysendo?uId=76336
    /servlets/servlets/mysendo?uId=…

Cookie Example – F
    LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;
Base64 decode the string (/tools/base64.asp): :1231234, i.e. username:password
Next, automate it with a perl exploit by feeding encoded strings into the cookie.

Cookie Example – F
    % perl freeservershack.pl
    trying test
    trying test123
    trying 123123
    trying 1231234
    Cracked it! The password to  is 1231234

    GET /cgi-bin/util/my_member_area
    User-Agent: Mozilla/4.75 [en] (Windows NT 5.0; U)
    Cookie: LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3D
    Cookie2: $Version=1
    %

Cookie Example – F
Or, a much longer way: use the brute forcer on every single cookie character combination.

Cookie/URL Example – A
Some sites use the URL AND the Cookie for authentication:

6 Common Problems
- Weak Algorithm – Many of the most popular websites today are currently using linear algorithms based on easily predictable variables such as time or IP address.
- No Form of Account Lockout – With regard to Session ID brute force attacks, an attacker can probably try hundreds or thousands of Session IDs embedded in a legitimate URL without a single complaint from the web server.
- Short Key Space – Even the most cryptographically strong algorithm still allows an active Session ID to be easily determined if the size of the string's key space is not sufficiently large.

6 Common Problems – Continued
- Indefinite Expiration on Server – Session IDs that do not expire on the web server can allow an attacker unlimited time to guess a valid Session ID.
- Transmitted in the Clear – Assuming SSL is not being used while the Session ID cookie is transmitted to and from the browser, the Session ID could be sniffed across a flat network, taking the guess-work away for a miscreant. This is still a problem with proxy servers.
- Insecure Retrieval – By tricking the user's browser into visiting another site, an attacker can retrieve stored Session ID information and quickly exploit this information before the user's sessions expire. This can be done a number of ways: DNS poisoning, Cross-site Scripting, etc.

Tools
- Sessions Auditor: /idtools/Session_Auditor.zip
- Visual Testing – WebSleuth: /dzzie/sleuth
- WebProxy - /research/tools/index.html
- HTTPush -
- Achilles - /downloads.html
- MiniBrowser - /download.htm

What Can I Do As a User?
- Log out of all sessions when done
- Do not select the "Remember me" option
- Protect your cookies! Desktop security
- Ensure you use SSL when given the choice of standard/secure login
- Patch your browser to be safe from some nasty Cross-site Scripting attacks
- Treat emails with Session ID info in URLs just as securely as usernames/passwords

What can I do as a Software Vendor?
- Build and require SSL (or other encryption) into the web application so that the authentication token cannot be easily sniffed in transit between browser and server; ensure that all cookies enable the "secure" field
- Provide a logout function that expires all cookies and other authentication tokens
- Re-authenticate the user before critical actions are performed (i.e. a purchase, money transfer, etc.)

What can I do as a Software Vendor?
- Regenerate the Session ID after certain intervals (30, 15 min., etc.)
- Create "booby-trapped" Session IDs to detect brute forcing attempts
- When practical, limit successful sessions to specific IP addresses. Only works in an intranet setting where ranges are predictable and finite.
- Auto-expire sessions after 15 minutes of inactivity
- Enforce a "nonce" on previous pages

What can I do as a Software Vendor? – AND MOST IMPORTANT!!
- Ensure through a good algorithm (MD5, SH
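As an added example (not code from the talk), the Python below is a minimal server-side session store that applies the vendor recommendations above to the six common problems: IDs drawn from the OS CSPRNG with a large key space (no time or IP dependence), a 15-minute idle expiry enforced on the server rather than only in the cookie, periodic regeneration of the ID, logout that invalidates the token, and "booby-trapped" decoy IDs that are never issued and raise an alert when presented. The 30-minute rotation interval, the decoy count and the injectable clock are my assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # auto-expire after 15 minutes of inactivity (the slides' figure)
ROTATE_AFTER = 30 * 60   # assumed: regenerate the ID after 30 minutes even if still active
DECOY_COUNT = 8          # assumed: "booby-trapped" IDs that are never handed to a real user


class SessionStore:
    """Server-side session table: random IDs, server-side expiry, rotation, decoys."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable so expiry can be tested offline
        self.sessions = {}                      # sid -> {"user", "created", "last_seen"}
        self.decoys = {self._new_id() for _ in range(DECOY_COUNT)}
        self.alerts = []                        # what a detection pipeline would consume

    @staticmethod
    def _new_id():
        # 32 bytes from the OS CSPRNG: 256 bits of key space, nothing derived from time or IP
        return secrets.token_urlsafe(32)

    def login(self, user):
        """Exchange already-verified credentials for a fresh session ID."""
        sid = self._new_id()
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return (user, sid_to_set) for a valid ID, else (None, None); rotates stale IDs."""
        if sid in self.decoys:
            self.alerts.append("decoy session ID presented: %s..." % sid[:8])
            return None, None
        sess = self.sessions.get(sid)
        if sess is None:
            return None, None
        now = self.clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]              # expire on the server, not only in the cookie
            return None, None
        sess["last_seen"] = now
        if now - sess["created"] > ROTATE_AFTER:
            del self.sessions[sid]              # the old ID stops working immediately
            sid = self._new_id()
            sess["created"] = now
            self.sessions[sid] = sess
        return sess["user"], sid

    def logout(self, sid):
        """Logout invalidates the token server-side, whatever the browser still holds."""
        self.sessions.pop(sid, None)
```

The caller sets the returned `sid_to_set` back in a secure cookie on every response, so a rotated ID reaches the browser transparently.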