AppSec2005DC Matt Fisher Google Hacking and Worms

Published on August 30, 2007

Author: Barbara

Source: authorstream.com

Content

Google Hacking and Web Application Worms
OWASP 2005
Matt Fisher, Sr. Engineer, SPI Dynamics

Happy Anniversary!
- Search engine hacking is almost ten years old
- First solid documentation: SimpleNomad, 1996, AltaVista, textfiles.com
- Web hacking: pick a site, find the vulnerability
- Google hacking: pick a vulnerability, find the site
- Don't be a target of opportunity

Just the beginning …
- Non-public systems: intranets, access-restricted extranets, web services
- Not all internet systems are crawled: you have to request a crawl (extranets, customer portals)
- Google: very limited crawl (robots.txt, forms, JavaScript)
- Linked content only! Exposure has to be hard-linked
- No tampering

The Perfect Drug
- Warning! Search engine hacking can be highly addictive
- Focus on what to look for, not on the search engine

A Few of my Favorite Things
- Source code galore: need a code sample? Grab a code sample!
- File traversals: full system read access
- Command execution: executing shell commands through a browser, basically port 80 telnet
- File uploads: don't like the content? Make your own!

Basic Google Hacking - Using File Types

Works for many other file types

Curioser and Curioser

Googling for a Recent Exploit – Using Constraints
- Site frames content
- Content can be external
- Frame source specified on client side: website.com/showframe.asp?src=fakesite.com/fakelogin.html
- Cross-Site Framing

INURL
- Restricts search terms to the URL itself (buggy)
- Want the source to be specified in the client
- Want the source to be external, not on the same site
- Further qualifier

Client-Sided Frame Source

Framed.

Directory Traversals!

SPAM ENGINES

Source Code
- Database queries. They're source code. Hooray source code!

The Fun Never Stops
- If you can read source code, what source code do you read? Depends on what you're interested in!
- How about some database connection strings!

The Proverbial Post-It On the Monitor
- Yes, those are real live database connection strings
- Yes, they contain real live usernames and passwords
- No, Special Agent, I didn't try them out.

Web App Hacking's Cool. Google Hacking's Cool.
- Everyone thought we were crazy ….

Then Santy Climbed Down the Chimney
- Used a WEB APPLICATION VULNERABILITY in a common freeware PHP application
- Used GOOGLE to ID new targets
- Multiple improved variants already out
- December 20th 2004

Code Review of the Vuln App
- URLDecode the input before removing special characters

MagicQuotes in PHP
- Escapes single quotes: turns ' into \'
- Functional: prevents O'Malley and O'Brian from O'Crashing your query
- MagicQuotes are magically functional, but not a security feature, and were never meant to be

Rasmus Lerdorf says …
'You always have to escape quotes before you can insert a string into a database. If you don't, you get an ugly SQL error and your application doesn't work. After explaining this simple fact to people for the 50th time one day I finally got fed up and had PHP do the escaping on the fly. This way the applications would work and the worst that would happen is that someone would see an extra \ on the screen when they output the data directly instead of sticking it into the database.'
Source: SitePoint.com, Interview - PHP's Creator, Rasmus Lerdorf, http://www.sitepoint.com/article/phps-creator-rasmus-lerdorf/3

Attack of the Worms: How it works
- URL-encoded characters
- PHP fwrite command
- PHP fopen command

Decoding the attack
- Decode once and compare: %27%2E is not a single quote
- MagicQuotes recognizes plain and encoded single quotes

Back to the Code
- Application decoded again in the code
- Turned the remaining %27%2E into '. Making the injection work.

Basic Google
- viewtopic.php with random numbers as a parameter (1414414=5858583)
- Numbers are NOT evasion – they ensure different websites in each result
- Unimaginative and easily signatured ….

Google shutdown the query …
- And gave me spyware advice …?

Google Evasion
- Bonus: spot the Google bug. Hmm …. Does Google recognize blank spaces?
- Viewtopic by itself could be anything. Add phpBB's footer and it's more accurate
- Viewtopic.php is not the same as viewtopic and php

Or Just 'Switch'
- 4 variants in JUST DAYS
- There's more than one engine to search the web

Prologue
- New version of phpBoard released
- Remedial action suggested to immediate users of the software was to remove the 'URLDECODE'
- Prevents the second decode: ' remains as %27
- Still not rock solid input validation

Why Web Application Risks Occur
- Security professionals don't know the applications
- 'As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to build security into my web applications.'
- The Web Application Security Gap
- 'As a Network Security Professional, I don't know how my company's web applications are supposed to work so I deploy a protective solution…but don't know if it's protecting what it's supposed to.'
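The ordering bug behind the "Code Review of the Vuln App", "Decoding the attack" and "Prologue" slides, reconstructed as an added Python example (not the presentation's code and not phpBB's): an emulated magic_quotes escapes literal quotes as the request arrives, the application then URL-decodes a second time, and a double-encoded quote slips past the escaping. The posts table, the query shape and the O'Malley inputs are constructed for illustration; the third function shows the proper fix of decoding once and binding the value.

```python
"""Simulation of the double-decode bug: escaping runs before the application's
own urldecode, so %27 is harmless when escaped and live when decoded."""
import sqlite3
from urllib.parse import unquote


def magic_quotes(value: str) -> str:
    """Emulate PHP magic_quotes_gpc: it only knows literal quote characters."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))


def vulnerable_query(wire_value: str) -> str:
    """Vulnerable ordering: the web server decodes once, magic_quotes escapes,
    then the application calls urldecode again before building the SQL string."""
    once = unquote(wire_value)      # the web server's single decode
    escaped = magic_quotes(once)    # on 'O%27Malley' this sees no quote at all
    twice = unquote(escaped)        # application's extra decode: %27 -> '
    return f"SELECT * FROM posts WHERE topic = '{twice}'"


def patched_query(wire_value: str) -> str:
    """Remedial action from the slides: drop the second urldecode, so an encoded
    quote stays as the literal text %27 and never reaches the query as a quote."""
    once = unquote(wire_value)
    escaped = magic_quotes(once)
    return f"SELECT * FROM posts WHERE topic = '{escaped}'"


def parameterized_count(wire_value: str) -> int:
    """Proper fix: decode exactly once, then bind the value instead of escaping it.
    Returns how many constructed rows match, so the caller can see the binding work."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (topic TEXT)")
    conn.execute("INSERT INTO posts VALUES (\"O'Malley\")")  # constructed row
    topic = unquote(wire_value)
    row = conn.execute("SELECT count(*) FROM posts WHERE topic = ?", (topic,)).fetchone()
    conn.close()
    return row[0]


# Constructed request values: a normally encoded quote and a double-encoded one.
SINGLE_ENCODED = "O%27Malley"    # server decode gives O'Malley, escaped to O\'Malley
DOUBLE_ENCODED = "O%2527Malley"  # server decode gives O%27Malley, nothing to escape

if __name__ == "__main__":
    for wire in (SINGLE_ENCODED, DOUBLE_ENCODED):
        print(wire, "=>", vulnerable_query(wire), "|", patched_query(wire))
```

Only the double-encoded value produces an unescaped quote in the vulnerable query; the patched version leaves it as the text %27, and the bound query matches only the genuinely decoded name.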
- Application developers and QA professionals don't know security

The Old Paradigm
- Development builds application
- QA performs functional testing
- Functional defects are found and fixed
- App is declared ready for UAT
- Customer performs acceptance testing
- Security tests server patches and configuration
- Security applies any missing patches or tweaks configuration
- Deployment begins
- Program goes live

Security Cannot Fix Application Issues
- Development builds application
- QA performs functional testing
- App is declared ready for UAT
- Customer performs acceptance testing
- Security discovers application vulnerabilities
- Application either goes back to square one, or goes live with known vulnerabilities
- Deployment begins
- Program goes live

Security Testing To The Application Lifecycle
- Phases: Audit, Development, QA, Production
- Who tests: Auditors, Dev, Compliance, and Business Subject Matter Experts (SME); Developers; QA and Developers; Security Operations and Auditors

My Contact Info
Matt Fisher
[email protected]
240.463.9030
