Exams
Hi readers,
So I have been lax in my posts lately, but this has been because I have been preparing for exams(Which I am now writing).
But be assured that as soon as exams are done, the posts shall commence.
Thank you for understanding
Session riding
I decided to make this post about web application session riding, known more formally as cross site request forgery, following a presentation about javascript malware done at one of the ISG Durban meetings. There are many ways in which a web application can be designed insecure, and much more ways in which to exploit them.
Web application security has a lot of followers, and their respective communities. One such community is OWASP. OWASP is an open source application security project, and their website is perhaps the most beneficial to anyone looking for a source of information about web security.
Vulnerabilities like XSS or SQL injection are widely used by attackers and security professionals alike, and are the most popular methods of attack. Session riding however, although not as popular, is used just as frequently.
Why is it such a threat?
Web applications do not determine whether a logged in users action is authorised or not, instead it trusts the web users instructions and considers requests as legitimate. A valid session is all that is required by the web application to confirm the validity of an action.
So how does it work?
The web uses the HTTP protocol to deliver information to the user. Every HTTP request made to the web server from the same source is taken as unrelated to any previous or future requests. Neglecting keepalive connections, this is the way a browser interacts with the web server. It is required in some circumstances that the web server remembers the previous requests, for example, when shopping online. This activity needs to be kept track of, and kept seperate to the activities of other users. As a result, cookies were brought in by developers to do just that.
Cookies are bits of information sent by the application on the server, to the user via HTTP response headers. The browsers are designed to remember these cookies. These cookies are then sent to the web pages that have the same application.
Sessions of different users are maintained by random and unique cookie strings, known as session tokens(or session IDs). The randomness and unpredictability of the session token guarantees that the server side application knows who it is communicating with.
The trouble comes in, when a web application only evaluates the origin and validity of actions solely based on a valid session token. A clever attacker only needs a pre-made URL doing the same action as the target web application, and then produce it to the user in a recognisable form, and hope that the user is logged into the legitimate web application at the time. This URL could be sent to the user in a number of ways, including via email. The valid session token would then be obtained by the attacker, and they could get access to the web application.
Such an attack could even disable a network. Say for instance on a home ADSL router. All these devices utilise the HTTP protocol to access the device control panel. Hijacking the session token would allow the attacker access to the network infrastructure, and could lead to network failure if the attacker changes settings(or perhaps they could even change all the passwords).
As more and more devices are using such interfaces, more and more session riding becomes possible. The sky is the limit, as they say. What the attacker really needs to know, is a clever way to deliver the prepared html or javascript to their targets browser (email is but one method). Even standard html tags can be used. For example, in an <img> tag one could display an image, and link it through to the desired URL. Or the URL could be opened in an <iframe> tag. Even <script> tags may be used. Links such as these can easily be displayed in web applications such as facebook, where every visitor could potentially click on it.
But it doesnt stop there
To make things worse, when session riding, the attacks are always performed from the victims IP address. Thus, according to the web server logs, everything seems to have been done by the victim.
Enough with the doom and gloom
There are, however, some limitation with session riding. If the web application checks the referrer header, the attack will fail, because the origin of the request is usually not the same as the target. However, very few web applications perform this check, and could still be unreliable if a proxy, web filtering software or other such "man in the middle" is being used.
So what measures can be taken to prevent such an attack?
The most common advice to web application developers would be adding a random challenge string to each request. This random string is tied with the user session, and is different for every new login, which prevents the attacker from fetching a valid session token. It is also good practice to provide a lease on the lifetime of a session, such that it expires after a defined period of time.
These measures, however, require the developers to do additional work to the application. In the event that the application is already complete; the redesign costs are not favourable(and would use up too many human resources), and thus the applications remain vulnerable.
On the client side, a user should be very careful as to what links they open, especially if the link has been provided in an email. Browser plugins such as noscript for firefox will also go a long way toward detecting such attacks, especially where javascript malware is concerned.
First post, ZaCon III report back
I have finally decided to get my act together and begin posting on my blog. Albeit still in need of a great deal of design work, I will make this post and make good on design promises soon.
So to kick off the blog, I will report back on the ZaCon III InfoSec conference (www.zacon.org.za) which I attended about a week ago. Almost straight after beginning my attendance at ISG Durban(Information Security Group), I heard about ZaCon, and as fate would have it, I would be in Johannesburg on the scheduled weekend.
With great excitement, off I went to attend presentations on both days. The first evening started a little slow, but after some drinks and socialising with the attendees, the first presentation began. Footprinting has always been the source of fun for me, and over the years I have developed a few methods of manually gathering information about certain targets. So it came as great surprise that the first presentation was about Maltego; footprinting software that I was unfamiliar with. I was enthralled by the presentation, which demonstrated exactly those skills I have developed. The second (and last) presentation of the evening was about pickle exploitation in the python programming language. Due to not being familiar with python, the presentation was mostly lost to me.
The next day was the main attraction, and more "conners" were in attendance. After some coffee, the conners filtered into the lecture theatre for the first presentation of the day: Real world SoC. Being a student, it was good to hear about how the industry enforces security related issues. Next up was a presentation on hash cracking, a subject I know a great deal about. While the theory behind it all was mostly already known to me, I was interested in the statistics and specific applications which the presenter included in his presentation. The presenter himself was a pleasure to listen to, given his accomplishments in the field. Following this was a presentation on NNTP cache enumeration and poisoning. At first I just glossed over the name of the presentation, but after it began, I realised it was something very close to home. Needless to say the presenter had my undivided attention as soon as I realised the implications to my use of usenet.
After a short tea break, presentations resumed with a presentation by a phD student from Rhodes, who was presenting on functional programming. I have heard a bit about functional programming through my years of studying computer science, but have never actively practised it. Due in large to its unproven status as a programming paradigm I suppose. The presenter proceeded to demonstrate just how effective functional programming is, from a security point of view, as well as a programming point of view in general. Following this, were presentations on OSX sandboxing, and systems application proxies.
After lunch, the first presentation was interesting to all those in attendance, entitled: "Can I go to jail if...". The presenters selected computing practices(particularly to do with hacking), and reasoned the laws surrounding them. The next presentation was done by a masters student (I think it was masters anyway) from UJ. He presented on his research into rootkits. His methods were interesting, despite being somewhat disturbing. Especially since my netbook began showing signs he mentioned were side affects of being infected with his rootkit (mainly BSODs). However, later I discovered that my netbook troubles were nothing to do with a rootkit, but rather a hard drive which was about to fail.
Next up was a relaxing presentation on a different side of hacking: lockpicking. Another topic which I have dabbled in over the years, so the theory was known to me. But that didnt stop me from remaining captivated (it was nice to know I am not the only one who is interested by such things). Following another tea break, were the last three presentations, and the keynote via skype.
"The protocol trench" was the next presentation, which was mainly about access restrictions to clients on the network (for their own safety of course), after which was a presentation (or more a plea) for security enthusiasts such as the audience, to be "builders", and not "breakers" of security measures. The last of the in house presentations was about enterprise security.
Lastly, was the keynote speech delivered via skype by Richard Thieme. His speech was very interesting, and posed many questions regarding the current state of affairs, but more importantly what is possibly going to arise in the future. I was particularly pleased that he mentioned threats on which I have had lectures on by researchers from MIT (who are actively involved in the development of), namely the usage of cellular devices as a means of tracking and recording data(and the associated AI systems).
So here ends my first post, I hope that I shall not be as lazy for the posts which are to follow.