TISC Insight, Volume 2, Issue 8

Welcome to Volume 2, Issue 8 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.

The editorial calendar at this time includes:


TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.

Saumil Udayan Shah, a principal consultant at Foundstone, performs ethical hacking with TISC instructors George Kurtz and Eric Schultze. In today's feature column, he explains and provides examples of attacks that can be executed against web-based applications. Nasty stuff, good read.

Enjoy, and be safe,

Dave



Security Advisory

Black Watch Labs reports the following vulnerability.

BizDB Search Script Enables Shell Command Execution at the Server

BizDB is a database and search engine software by Cnctek. Part of the installation is a CGI script, "bizdb-search.cgi", which is used to search the BizDB database. This script is vulnerable to modification of its parameter in such a way that it runs user-provided shell commands on the server. The full advisory is published at http://www.perfectotech.com/blackwatchlabs/.



Have you visited...?


The Denial of Service Resource Page, http://www.denialinfo.com/, has a great set of links to complement those we've already added at the TISC Links page, http://tisc.corecom.com/links.html.

Following a quick read of last week's InfoWatch column by Stuart McClure and Joel Scambray, I followed their suggestion and downloaded NTInfoScan, now called Cerberus InfoScan, from http://www.cerberus.com. This is a very nice little vulnerability scanner for NT users.



Hacking in the Information Age


Saumil Udayan Shah, Foundstone

We visualize hackers as people sitting in corners of dark rooms, faces illuminated by the glow of a computer screen, always searching for information that lies beyond them locked away in towers full of electronic circuits and arrays of tapes. Those were the days of mainframes and centralized computing systems, where securing the computer system meant allowing connections to only those authorized to use the information stored on it. The most critical element in hacking the mainframe was to gain access to the operating system running on the mainframe. After that, it was all about discovery and what one could hope to find in the piles of information stored on the system.

Not much had changed in this basic technique until now. The main objective of a hacker is to gain unauthorized access to the operating system of the target computer and then escalate their privilege to "super user" status. Traditional attacks on operating systems and network protocols rely on finding a loophole or vulnerability, and then use that vulnerability to gain unauthorized access. Most of these attacks are buffer-overflow attacks, where a program or a service running on the remote computer is given excessive input, causing the program to terminate abruptly. Crafting the input carefully can make the remote program execute arbitrary commands within its security privileges before it aborts. If performed successfully, a buffer-overflow attack gives an attacker control of the underlying operating system. The goal is then to seek the sensitive data hosted on the target system.

The World Wide Web has changed the playing field. Information is now being disseminated over the Internet, using well-known standards and protocols of delivery, regardless of the type of computer or operating system. For example, the information that was once tucked away into a bank's mainframe computer is now available to the bank's customers through a web-based application. Any Internet user can connect to the bank's website but access to a customer's account through the website is restricted to only that particular customer by security controls in the web based application.

The focus of hackers is now changing. It is no longer necessary to gain control of the operating system in order to access sensitive data hosted on computer systems. It is much simpler to find vulnerabilities in web-based applications and exploit them to gain access to sensitive information.

Web-based applications are the weakest link in the security framework of today's information systems. There have been reports of web-based shopping carts where product information, including the price, was passed from one stage to another via hidden fields in a web page. It was possible to alter the values of the hidden fields to change the price of the articles purchased, and users could purchase the items at prices lower than the original. If this is not e-shoplifting, what is? Imagine a web-based brokerage service which tracks individual account usage by means of "cookies" stored on customers' web browsers. If the "cookie" contents were to be reverse-engineered, it may be possible to assume another customer's identity simply by altering the cookie stored on the local computer. At times, forcing meta-characters such as "*" into a search field has resulted in all stored records being displayed. The reason? Characters such as "*" in database query languages like SQL are known as wildcards, which are used to match every field in a query. For example,

SELECT CREDIT_CARD, BALANCE FROM ACCOUNTS WHERE ACCOUNT_NUMBER = 31337;

would be a typical database query to retrieve the credit card number and balance for account number 31337. If it were possible to pass a "*" in place of "31337", one would obtain the entire list of credit card numbers and balances of all the accounts in the bank.

These are just a few examples of attacks against web-based applications. Additionally, some web sites have all their web pages delivered through a viewer script, by passing it the page to display as an argument. For example, the URL below would display the page "welcome.html".

http://target.computer.system/cgi-bin/view.pl?page=welcome.html

If the program "view.pl" does not perform the appropriate checks, it would be possible to retrieve any file on the target computer system. The URL below causes view.pl to display the /etc/passwd file, which stores all the passwords on a Unix system. %2F is the URL-encoded form of the "/" character, so the decoded parameter is an absolute path rather than a page name.

http://target.computer.system/cgi-bin/view.pl?page=%2Fetc%2Fpasswd
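The check that view.pl is missing, as an added example that is not part of the original column: the unsafe resolver reproduces the failure described above (the decoded parameter is joined to the document root with no validation), and the hardened one refuses anything that is not a plain page name inside the root. The document root path and the name pattern are assumptions for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Constructed document root for this example; a real viewer script would use the site's own directory.
DOC_ROOT = "/var/www/pages"

# Assumed allow-list: letters, digits, '-' and '_' followed by an .html suffix, nothing else.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def resolve_page_unsafe(page_param):
    """The failure mode the column describes: the decoded 'page' parameter is joined to
    the document root without any check. os.path.join discards DOC_ROOT entirely when
    the decoded value is absolute, so page=%2Fetc%2Fpasswd resolves to /etc/passwd."""
    page = unquote(page_param)
    return os.path.normpath(os.path.join(DOC_ROOT, page))


def resolve_page_safe(page_param, doc_root=DOC_ROOT):
    """Hardened resolver: returns the file to serve, or None when the request must be
    refused. Two independent checks are applied so that a bypass of one (for example a
    double-encoded separator that survives the first decode) is still caught by the other."""
    page = unquote(page_param)
    # 1. Allow-list the name. '/', '\\', '..', '%' and control characters all fail here.
    if not PAGE_NAME.match(page):
        return None
    # 2. Containment: the normalised path must still lie under the document root.
    full = os.path.normpath(os.path.join(doc_root, page))
    if os.path.commonpath([doc_root, full]) != doc_root:
        return None
    return full


if __name__ == "__main__":
    for param in ("welcome.html", "%2Fetc%2Fpasswd", "..%2F..%2Fetc%2Fpasswd"):
        print(param, "->", resolve_page_unsafe(param), "| safe:", resolve_page_safe(param))
```

Logging the refused parameter (decoded) alongside the client address is the cheapest detection signal for this class of probing, since legitimate users never send a path separator in a page name.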

These are just a few examples of web-based application attacks. Web-based hacking is in its infancy and every day additional attacks are observed. It is imperative that companies scrutinize the security of their web-based applications thoroughly during the design phase as well as after the application is put into production. Organizations should consider a web application security audit where all aspects of web-based security are inspected for vulnerabilities. It is no longer necessary to launch attacks via the command line. A browser, some time, and a dose of creativity may allow hackers access to your company's crown jewels.


© 1999 - 2006 Core Competence & Mactivity, Inc.