类系列产品,其品质优良,酿造工艺独

WebApplicationBruteForcing101–“EnemyoftheState(Mechanism)”

DavidEndlerMichaelSutton

iDEFENSEThePowerofIntelligence®SMOutlineWhatareSessionIDs?SecurityProblemswithSessionIDsAnEmergingThreat-BruteForcingWebSessionID’sNotableNewsItemsFunExploitationExamples6CommonProblemsGeneralProtectionMeasuresUsersVendorsDevelopersResourcesWebApplicationsLoginsTraditionalBruteForceguestAdmin123123PasswordEtc.SessionIDOverviewHTTPisstatelessprotocolRatherthanmakeauserauthenticateuponeachclickinawebapplication,asenseof“state”iscreatedInordertomaintainstate,asharedstring,token,orsecretbetweenHTTPclientandserverisusuallyusedbydevelopersEssentially,authenticationdata(username/password)exchangedfor“SessionID”WebStateAttacksSessionReplayAtraditionalreplayattackinthecryptographysenseisanattackinwhichavaliddatatransmissionismaliciouslyorfraudulentlyrepeated,eitherbytheoriginatororbyanadversarywhointerceptsthedataandretransmitsit.SessionHijackingSeizingcontrolofalegitimateuser'swebapplicationsessionwhilethatuseris“loggedin”totheapplication

SessionIDSessionIDshouldINTHEORYbejustassecureasusername/passwordSessionIDOverviewWhileitisgenerallyclearthatusername/passwordpairsareindeedauthenticationdataandthereforesensitive,itisnotgenerallyunderstoodthatsessionIDsarealsojustassensitivebecauseoftheirfrequentuseforauthentication.SeeRFC2964(UseofHTTPStateManagement).SessionIDOverviewSessionIDsarecommonlystoredincookiesand/orURLs,andhiddenfieldsofwebpages(orsomecombination)SessionIDgeneratedbyWEBSERVER(IIS,etc.)whentheuserfirsthitsthesiteorbyWEBAPPLICATION(ATGdynamo,ApacheTomcat,BEAWebsphere,.jsp,.asp,perl,etc.)whentheuserlogsinCookieRefresherSometimesthecookiesaresettoexpire(i.e.,bedeleted)uponclosingthebrowser;thesearetypicallycalled“sessioncookies”or“non-persistent”cookiesPersistentcookieslastbeyondauser’ssession(i.e.“RememberMe”option)Persistentcookiesareusuallystoredontheuser’sharddriveinalocationaccordingtotheparticularoperatingsystemandbrowser(e.g.,C:\Programfiles\netscape\users\username\cookies.txtforNetscapeandC:\DocumentsandSettings\username\CookiesforIEonWin2K).CookieRefresherCookieRefresher(RFC2965)1.)domain:Thewebsitedomainthatcreatedandthatcanreadthevariable.2.)flag:ATRUE/FALSEvalueindicatingwhetherallmachineswithinagivendomaincanaccessthevariable.3.)path:PathnameoftheURL(s)capableofaccessingthecookiefromthedomain.4.)secure:ATRUE/FALSEvalueindicatingifanSSLconnectionwiththedomainisneededtoaccessthevariable.5.)expiration:TheUnixtimethatthevariablewillexpireon.Unixtimeisdefinedasthenumberofsecondssince00:00:00GMTonJan1,1970.Omittingtheexpirationdatesignalstothebrowsertostorethecookieonlyinmemory;itwillbeerasedwhenthebrowserisclosed.(expiresJuly27,2006)6.)name:ThenameoftheSessionIDvariable(inthiscaseApache).7.)value:ThevalueoftheSessionIDvariable(inthiscase51.16018996349247480).

FALSE/FALSE1154029490Apache51.160189963492474801234567CookieStoredSessionIDExamples.TRUE/rcFALSE1293768100sauidpp0010000000006DCC10255298230000591992.003F75FEF2.TRUE/FALSE1271361612B3qpaarsu48dai&b=2.FALSE/FALSE1026115299session-id103-1456769-7895034.TRUE/FALSE1183296824lucky8694036.TRUE/FALSE1341753778Wookie-Cookie13fe8fff4799f27dcf19c959dafa8437.TRUE/FALSE1154029490Iir=9p&in=4aweec66&i1=AFABCl.TRUE/FALSE1154029490PUt=1URLStoredSessionID/view/7AD30725122120803/r?iid=KVIJBUFDLPVMIVLXYUKB

/greet/view?FXA96K95JAEJS/en/index.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122/exec/obidos/subst/home/home.html/102-4524380-3923344SessionIDsinHTMLHiddenFields<FORMMETHOD=POSTACTION="/cgi-bin/bankonline.cgi"><inputtype="hidden"name="sessionID"value=”abcde1234”><inputtype="hidden"name="useraccount"value=”673-12745”><inputtype="submit"name="AccessMyBankInformation"></form>

SessionIDSecurityOverviewSessionIDsecurityisamicrocosmofWebApplicationSecurity.WebApplicationSecuritycutsthroughmanydifferentaspectsofanorganization’sinformationsecurityinfrastructure

AnExample:BruteForcingSessionID’sinURLSDearDavidEndler,

AnAnonymousAdmirerhassentyouagreetingcardfrom123G,aFREEservicecommittedtokeeppeopleintouch.

Toseeyourgreetingcard,choosefromanyofthefollowingoptionswhichworksbestforyou.

Method1

JustclickonthefollowingInternetaddress(ifthatdoesn'tworkforyou,copy&pastetheaddressontoyourbrowser'saddressbox.)

/card/08/01/05/20/BG20801052002282.htmlAnExample:BruteForcingSessionID’sinURLS/view/AD30725122116211/view/AD30725122118909/view/AD30725122120803/view/AD30725122122507/view/AD30725122124100AswestarttoassociatethatthedatewesenttheseelectroniccardsonwasJuly25at12:21PST,wecanstarttoeliminatesomemoreentropyoutofthissessionID(07251221).Noticethenthatwe’releftwithfiveincrementing“random”digitsattheendoftheURL.

/view/AD30725122116211

/view/AD30725122118909

/view/AD30725122120803

/view/AD30725122122507

/view/AD30725122124100AnExample:BruteForcingSessionID’sinURLSAUTOMATEDDEMO!WhyBruteForcingWebSessionID’sisBadCanresultinanonlineuser’swebapplicationaccountbeinghijackedorlossofprivacyEasytoexploitUnliketypicalloginscenario,nofailedloginlockoutPrevalentdisclosureamongsecuritymailinglistsTypicalsecuritysolutions(firewalls,IDS,etc.)donothingtodetectattacksLogdataisusuallynotthatdetailedIDSisnotwelldevelopedforWebApplicationattacksSSL(Serverside)doesnothingtoprotectagainsttheseattacksIntheNews“PrivacyholefoundinVerizonWirelessWebsite“Computerworld,Sept6,2001.

/securitytopics/security/privacy/story/0,10801,63587,00.html

/archive/1/211520/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION

URLExample:BruteForcingR

Thankyouforusing'sDomainManager.

Tochangeorre-enteryourpassword,pleasecopyandpastetheURLbelowintothe"Location"or"Address"fieldofyourwebbrowserandhitthe'Enter'keyonyourkeyboard.

Note:Ifyoure-mailprogramsupportsHTML,youmaybeabletoclickonthelinkbelow.

/change_password.cgi?155218782787

Note:Abovelinkwillbeexpirewithinthreedays

Example2:BruteForcingWebSessionID’s/change_password.cgi?486218782865/change_password.cgi?440218782891/change_password.cgi?685218782917/change_password.cgi?505218782956/change_password.cgi?435218782969/change_password.cgi?486218782865/change_password.cgi?440218782891

/change_password.cgi?685218782917

/change_password.cgi?505218782956

/change_password.cgi?435218782969URLExample–BruteForcingDOriginalMessageFrom:test@[mailto:test@]Sent:Monday,July01,20021:38PMTo:dendler@Subject:D.FILMDigitalMovieforDaveDavecreatedadigitalmovieforyou!YoucanviewitatthefollowingURL:/mm2s/mm_route.php?id=110532Cheers, DaveandDFILM. BesuretocheckoutthewebsiteatURLExample–BruteForcingDNoprivacyofotheruser’screations:/mm2s/mm_route.php?id=110532/mm2s/mm_route.php?id=110531/mm2s/mm_route.php?id=110530/mm2s/mm_route.php?id=110529/mm2s/mm_route.php?id=110528/mm2s/mm_route.php?id=110527/mm2s/mm_route.php?id=110526/mm2s/mm_route.php?id=…URLExample–S/servlets/servlets/mysendo?uId=76330URLExample–SViewotherpeople’sevents.Crashaparty,editanevent,cancelandevent,etc./servlets/servlets/mysendo?uId=76330/servlets/servlets/mysendo?uId=76331/servlets/servlets/mysendo?uId=76332/servlets/servlets/mysendo?uId=76333/servlets/servlets/mysendo?uId=76334/servlets/servlets/mysendo?uId=76335/servlets/servlets/mysendo?uId=76336/servlets/servlets/mysendo?uId=…CookieExample–FCookieExample–FLOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;Base64decodethestring:/tools/base64.asp:1231234username:passwordNext,automateitwithaperlexploitbyfeedingencodedstringsintothecookieCookieExample–F%perlfreeservershack.pltryingtesttryingtest123trying123123trying1231234

Crackedit!Thepasswordtois1231234

GET/cgi-bin/util/my_member_areaUser-Agent:Mozilla/4.75[en](WindowsNT5.0;U)Cookie:LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3DCookie2:$Version=1

%CookieExample–FOramuchlongerway:usethebruteforceroneverysinglecookiecharactercombinationCookie/URLExample–ASomesitesusetheURLANDCookieforauthentication:6CommonProblemsWeakAlgorithm–ManyofthemostpopularwebsitestodayarecurrentlyusinglinearalgorithmsbasedoneasilypredictablevariablessuchastimeorIPaddress.NoFormofAccountLockout–WithregardtoSessionIDbruteforceattacks,anattackercanprobablytryhundredsorthousandsofSessionIDsembeddedinalegitimateURLwithoutasinglecomplaintfromthewebserver.

ShortKeySpace–EventhemostcryptographicallystrongalgorithmstillallowsanactiveSessionIDtobeeasilydeterminedifthesizeofthestring’skeyspaceisnotsufficientlylarge.

6CommonProblems–ContinuedIndefiniteExpirationonServer–SessionIDsthatdonotexpireonthewebservercanallowanattackerunlimitedtimetoguessavalidSessionID.

TransmittedintheClear–AssumingSSLisnotbeingusedwhiletheSessionIDcookieistransmittedtoandfromthebrowser,theSessionIDcouldbesniffedacrossaflatnetworktakingtheguess-workawayforamiscreant.Thisisstillaproblemwithproxyservers.InsecureRetrieval–Bytrickingtheuser’sbrowserintovisitinganothersite,anattackercanretrievestoredSessionIDinformationandquicklyexploitthisinformationbeforetheuser’ssessionsexpire.Thiscanbedoneanumberofways:DNSpoisoning,Cross-siteScripting,etc.ToolsSessionsAuditor

/idtools/Session_Auditor.zipVisualTesting–WebSleuth

/dzzie/sleuthWebProxy-/research/tools/index.htmlHTTPush-Achilles-/downloads.htmlMiniBrowser-

/download.htmWhatCanIDoAsaUser?LogoutofallsessionswhendoneDonotselectthe“Rememberme”OptionProtectyourcookies!DesktopSecurityEnsureyouuseSSL–whengivenchoiceofstandard/secureloginPatchyourbrowsertobesafefromsomenastyCross-siteScriptingattacksTreatemailswithSessionIDinfoinURL’sjustassecurelyasusername/passwordsWhatcanIdoasaSoftwareVendor?BuildandrequireSSL(orotherencryption)intothewebapplicationsothattheauthenticationtokencannotbeeasilysniffedintransitbetweenbrowserandserver;Ensurethatallcookiesenablethe"secure"fieldProvidealogoutfunctionthatexpiresallcookiesandotherauthenticationtokensRe-authenticatetheuserbeforecriticalactionsareperformed(i.e.apurchase,moneytransfer,etc.)WhatcanIdoasaSoftwareVendor?RegeneratetheSessionIDaftercertainintervals(30,15min.,etc.)Create“booby-trapped”SessionIDstodetectbruteforcingattemptsWhenpractical,limitsuccessfulsessionstospecificIPaddresses.Onlyworksinintranetsettingwhererangesarepredictableandfinite.Auto-expiresessionsafter15minutesofinactivityEnforcea“nonce”onpreviouspagesWhatcanIdoasaSoftwareVendor?–ANDMOSTIMPORTANT!!Ensurethroughagoodalgorithm(MD5,SH