类系列产品,其品质优良,酿造工艺独_第1页
类系列产品,其品质优良,酿造工艺独_第2页
类系列产品,其品质优良,酿造工艺独_第3页
类系列产品,其品质优良,酿造工艺独_第4页
类系列产品,其品质优良,酿造工艺独_第5页
已阅读5页,还剩38页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

WebApplicationBruteForcing101–“EnemyoftheState(Mechanism)”

DavidEndlerMichaelSutton

iDEFENSEThePowerofIntelligence®SMOutlineWhatareSessionIDs?SecurityProblemswithSessionIDsAnEmergingThreat-BruteForcingWebSessionID’sNotableNewsItemsFunExploitationExamples6CommonProblemsGeneralProtectionMeasuresUsersVendorsDevelopersResourcesWebApplicationsLoginsTraditionalBruteForceguestAdmin123123PasswordEtc.SessionIDOverviewHTTPisstatelessprotocolRatherthanmakeauserauthenticateuponeachclickinawebapplication,asenseof“state”iscreatedInordertomaintainstate,asharedstring,token,orsecretbetweenHTTPclientandserverisusuallyusedbydevelopersEssentially,authenticationdata(username/password)exchangedfor“SessionID”WebStateAttacksSessionReplayAtraditionalreplayattackinthecryptographysenseisanattackinwhichavaliddatatransmissionismaliciouslyorfraudulentlyrepeated,eitherbytheoriginatororbyanadversarywhointerceptsthedataandretransmitsit.SessionHijackingSeizingcontrolofalegitimateuser'swebapplicationsessionwhilethatuseris“loggedin”totheapplication

SessionIDSessionIDshouldINTHEORYbejustassecureasusername/passwordSessionIDOverviewWhileitisgenerallyclearthatusername/passwordpairsareindeedauthenticationdataandthereforesensitive,itisnotgenerallyunderstoodthatsessionIDsarealsojustassensitivebecauseoftheirfrequentuseforauthentication.SeeRFC2964(UseofHTTPStateManagement).SessionIDOverviewSessionIDsarecommonlystoredincookiesand/orURLs,andhiddenfieldsofwebpages(orsomecombination)SessionIDgeneratedbyWEBSERVER(IIS,etc.)whentheuserfirsthitsthesiteorbyWEBAPPLICATION(ATGdynamo,ApacheTomcat,BEAWebsphere,.jsp,.asp,perl,etc.)whentheuserlogsinCookieRefresherSometimesthecookiesaresettoexpire(i.e.,bedeleted)uponclosingthebrowser;thesearetypicallycalled“sessioncookies”or“non-persistent”cookiesPersistentcookieslastbeyondauser’ssession(i.e.“RememberMe”option)Persistentcookiesareusuallystoredontheuser’sharddriveinalocationaccordingtotheparticularoperatingsystemandbrowser(e.g.,C:\Programfiles\netscape\users\username\cookies.txtforNetscapeandC:\DocumentsandSettings\username\CookiesforIEonWin2K).CookieRefresherCookieRefresher(RFC2965)1.)domain:Thewebsitedomainthatcreatedandthatcanreadthevariable.2.)flag:ATRUE/FALSEvalueindicatingwhetherallmachineswithinagivendomaincanaccessthevariable.3.)path:PathnameoftheURL(s)capableofaccessingthecookiefromthedomain.4.)secure:ATRUE/FALSEvalueindicatingifanSSLconnectionwiththedomainisneededtoaccessthevariable.5.)expiration:TheUnixtimethatthevariablewillexpireon.Unixtimeisdefinedasthenumberofsecondssince00:00:00GMTonJan1,1970.Omittingtheexpirationdatesignalstothebrowsertostorethecookieonlyinmemory;itwillbeerasedwhenthebrowserisclosed.(expiresJuly27,2006)6.)name:ThenameoftheSessionIDvariable(inthiscaseApache).7.)value:ThevalueoftheSessionIDvariable(inthiscase51.16018996349247480).

FALSE/FALSE1154029490Apache51.160189963492474801234567CookieStoredSessionIDExamples.TRUE/rcFALSE1293768100sauidpp0010000000006DCC10255298230000591992.003F75FEF2.TRUE/FALSE1271361612B3qpaarsu48dai&b=2.FALSE/FALSE1026115299session-id103-1456769-7895034.TRUE/FALSE1183296824lucky8694036.TRUE/FALSE1341753778Wookie-Cookie13fe8fff4799f27dcf19c959dafa8437.TRUE/FALSE1154029490Iir=9p&in=4aweec66&i1=AFABCl.TRUE/FALSE1154029490PUt=1URLStoredSessionID/view/7AD30725122120803/r?iid=KVIJBUFDLPVMIVLXYUKB

/greet/view?FXA96K95JAEJS/en/index.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122/exec/obidos/subst/home/home.html/102-4524380-3923344SessionIDsinHTMLHiddenFields<FORMMETHOD=POSTACTION="/cgi-bin/bankonline.cgi"><inputtype="hidden"name="sessionID"value=”abcde1234”><inputtype="hidden"name="useraccount"value=”673-12745”><inputtype="submit"name="AccessMyBankInformation"></form>

SessionIDSecurityOverviewSessionIDsecurityisamicrocosmofWebApplicationSecurity.WebApplicationSecuritycutsthroughmanydifferentaspectsofanorganization’sinformationsecurityinfrastructure

AnExample:BruteForcingSessionID’sinURLSDearDavidEndler,

AnAnonymousAdmirerhassentyouagreetingcardfrom123G,aFREEservicecommittedtokeeppeopleintouch.

Toseeyourgreetingcard,choosefromanyofthefollowingoptionswhichworksbestforyou.

Method1

JustclickonthefollowingInternetaddress(ifthatdoesn'tworkforyou,copy&pastetheaddressontoyourbrowser'saddressbox.)

/card/08/01/05/20/BG20801052002282.htmlAnExample:BruteForcingSessionID’sinURLS/view/AD30725122116211/view/AD30725122118909/view/AD30725122120803/view/AD30725122122507/view/AD30725122124100AswestarttoassociatethatthedatewesenttheseelectroniccardsonwasJuly25at12:21PST,wecanstarttoeliminatesomemoreentropyoutofthissessionID(07251221).Noticethenthatwe’releftwithfiveincrementing“random”digitsattheendoftheURL.

/view/AD30725122116211

/view/AD30725122118909

/view/AD30725122120803

/view/AD30725122122507

/view/AD30725122124100AnExample:BruteForcingSessionID’sinURLSAUTOMATEDDEMO!WhyBruteForcingWebSessionID’sisBadCanresultinanonlineuser’swebapplicationaccountbeinghijackedorlossofprivacyEasytoexploitUnliketypicalloginscenario,nofailedloginlockoutPrevalentdisclosureamongsecuritymailinglistsTypicalsecuritysolutions(firewalls,IDS,etc.)donothingtodetectattacksLogdataisusuallynotthatdetailedIDSisnotwelldevelopedforWebApplicationattacksSSL(Serverside)doesnothingtoprotectagainsttheseattacksIntheNews“PrivacyholefoundinVerizonWirelessWebsite“Computerworld,Sept6,2001.

/securitytopics/security/privacy/story/0,10801,63587,00.html

/archive/1/211520/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION

URLExample:BruteForcingR

Thankyouforusing'sDomainManager.

Tochangeorre-enteryourpassword,pleasecopyandpastetheURLbelowintothe"Location"or"Address"fieldofyourwebbrowserandhitthe'Enter'keyonyourkeyboard.

Note:Ifyoure-mailprogramsupportsHTML,youmaybeabletoclickonthelinkbelow.

/change_password.cgi?155218782787

Note:Abovelinkwillbeexpirewithinthreedays

Example2:BruteForcingWebSessionID’s/change_password.cgi?486218782865/change_password.cgi?440218782891/change_password.cgi?685218782917/change_password.cgi?505218782956/change_password.cgi?435218782969/change_password.cgi?486218782865/change_password.cgi?440218782891

/change_password.cgi?685218782917

/change_password.cgi?505218782956

/change_password.cgi?435218782969URLExample–BruteForcingDOriginalMessageFrom:test@[mailto:test@]Sent:Monday,July01,20021:38PMTo:dendler@Subject:D.FILMDigitalMovieforDaveDavecreatedadigitalmovieforyou!YoucanviewitatthefollowingURL:/mm2s/mm_route.php?id=110532Cheers, DaveandDFILM. BesuretocheckoutthewebsiteatURLExample–BruteForcingDNoprivacyofotheruser’screations:/mm2s/mm_route.php?id=110532/mm2s/mm_route.php?id=110531/mm2s/mm_route.php?id=110530/mm2s/mm_route.php?id=110529/mm2s/mm_route.php?id=110528/mm2s/mm_route.php?id=110527/mm2s/mm_route.php?id=110526/mm2s/mm_route.php?id=…URLExample–S/servlets/servlets/mysendo?uId=76330URLExample–SViewotherpeople’sevents.Crashaparty,editanevent,cancelandevent,etc./servlets/servlets/mysendo?uId=76330/servlets/servlets/mysendo?uId=76331/servlets/servlets/mysendo?uId=76332/servlets/servlets/mysendo?uId=76333/servlets/servlets/mysendo?uId=76334/servlets/servlets/mysendo?uId=76335/servlets/servlets/mysendo?uId=76336/servlets/servlets/mysendo?uId=…CookieExample–FCookieExample–FLOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;Base64decodethestring:/tools/base64.asp:1231234username:passwordNext,automateitwithaperlexploitbyfeedingencodedstringsintothecookieCookieExample–F%perlfreeservershack.pltryingtesttryingtest123trying123123trying1231234

Crackedit!Thepasswordtois1231234

GET/cgi-bin/util/my_member_areaUser-Agent:Mozilla/4.75[en](WindowsNT5.0;U)Cookie:LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3DCookie2:$Version=1

%CookieExample–FOramuchlongerway:usethebruteforceroneverysinglecookiecharactercombinationCookie/URLExample–ASomesitesusetheURLANDCookieforauthentication:6CommonProblemsWeakAlgorithm–ManyofthemostpopularwebsitestodayarecurrentlyusinglinearalgorithmsbasedoneasilypredictablevariablessuchastimeorIPaddress.NoFormofAccountLockout–WithregardtoSessionIDbruteforceattacks,anattackercanprobablytryhundredsorthousandsofSessionIDsembeddedinalegitimateURLwithoutasinglecomplaintfromthewebserver.

ShortKeySpace–EventhemostcryptographicallystrongalgorithmstillallowsanactiveSessionIDtobeeasilydeterminedifthesizeofthestring’skeyspaceisnotsufficientlylarge.

6CommonProblems–ContinuedIndefiniteExpirationonServer–SessionIDsthatdonotexpireonthewebservercanallowanattackerunlimitedtimetoguessavalidSessionID.

TransmittedintheClear–AssumingSSLisnotbeingusedwhiletheSessionIDcookieistransmittedtoandfromthebrowser,theSessionIDcouldbesniffedacrossaflatnetworktakingtheguess-workawayforamiscreant.Thisisstillaproblemwithproxyservers.InsecureRetrieval–Bytrickingtheuser’sbrowserintovisitinganothersite,anattackercanretrievestoredSessionIDinformationandquicklyexploitthisinformationbeforetheuser’ssessionsexpire.Thiscanbedoneanumberofways:DNSpoisoning,Cross-siteScripting,etc.ToolsSessionsAuditor

/idtools/Session_Auditor.zipVisualTesting–WebSleuth

/dzzie/sleuthWebProxy-/research/tools/index.htmlHTTPush-Achilles-/downloads.htmlMiniBrowser-

/download.htmWhatCanIDoAsaUser?LogoutofallsessionswhendoneDonotselectthe“Rememberme”OptionProtectyourcookies!DesktopSecurityEnsureyouuseSSL–whengivenchoiceofstandard/secureloginPatchyourbrowsertobesafefromsomenastyCross-siteScriptingattacksTreatemailswithSessionIDinfoinURL’sjustassecurelyasusername/passwordsWhatcanIdoasaSoftwareVendor?BuildandrequireSSL(orotherencryption)intothewebapplicationsothattheauthenticationtokencannotbeeasilysniffedintransitbetweenbrowserandserver;Ensurethatallcookiesenablethe"secure"fieldProvidealogoutfunctionthatexpiresallcookiesandotherauthenticationtokensRe-authenticatetheuserbeforecriticalactionsareperformed(i.e.apurchase,moneytransfer,etc.)WhatcanIdoasaSoftwareVendor?RegeneratetheSessionIDaftercertainintervals(30,15min.,etc.)Create“booby-trapped”SessionIDstodetectbruteforcingattemptsWhenpractical,limitsuccessfulsessionstospecificIPaddresses.Onlyworksinintranetsettingwhererangesarepredictableandfinite.Auto-expiresessionsafter15minutesofinactivityEnforcea“nonce”onpreviouspagesWhatcanIdoasaSoftwareVendor?–ANDMOSTIMPORTANT!!Ensurethroughagoodalgorithm(MD5,SH

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

评论

0/150

提交评论