Feeling Secure

Authentication is a recurring security problem. One key thing authentication tries to tackle is spotting out fakes.

Apparently, one incredibly entertained and committed individual managed to fake a restaurants achieving #1 in London on tripview, all for the Lols. The way it was done is quite methodical, involving proper registration of the restaurant on tripview, and leaving seemingly genuine top rated reviews. As the restaurant gained more online traction and calls started coming in, the line “sorry we are fully booked” was frequently used, creating perceived demand of the restaurant.

This continued for up to 7 months until finally inviting one group of guests in, in which actors, furniture and chefs were hired to create an atmosphere and serve microwaved dishes that have been plated up. The guests even remarked that they enjoyed the food and experience, despite the restaurant not even being real and serving microwaved food. It seems pretty absurd but from the perspective of just an ordinary person, the online and physical experience all seems real enough.

“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say”

- Edward Snowden

With so much happening online now, it is easy to overlook our habits, personal information and data floating around and getting into the hands of companies and/or governments for whatever use they desire. Alongside losing the freedom of our data, we are trusting it entirely on the hands of corporations (who care about profits) and government (who care about control) that don’t necessarily have our best interests at heart. 

Facebook: 

At the bottom of the Facebook settings page you will find a link to download your data. You should be able to find data such as your photos, videos, friends, friend peer group, list of advertisers who have your contact details, Messenger conversations, and call and SMS records (Android only).

Google

Use Google Takeout service to download all of your google data stored on any google platform. This includes location, history, search history or chrome browser history.

Anything online is pretty much there forever. 

Some tips:

Easy to do right now

Use a VPN

Use a privacy search engine like duckduckgo

Use Mozilla Firefox browser over Google Chrome

Install extensions such as Adblock, facebook container, HTTPS everywhere

Things to do down the road

Use open source software over proprietary software whenever possible - support the open source community!

Avoid linking multiple accounts together (i.e. using facebook to sign in to different websites)

Use a password manager! Avoid using the same passwords across multiple platforms

Try browsing the internet more anonymously, avoid using identifiable names and information

Encrypt data whenever possible

Scrub your internet presence, leave whatever you are comfortable online and not comfortable off

Puppy Love is a fictitious non-profit organisation. They are run by two caring founders - David and Sarah. Let’s try social engineer them over email to:

1) Obtain the Facebook login credentials from the Puppy Love organisation Facebook page 2) Organise for a payment of $1200 to be made to your fake account by the Puppy Love accounts team : BSB : 123456, ACC NO : 12347890

Scouting

This seems like a super interesting task. We have to use email somehow to get them to croak out the things we need.

Lets chat with David first to see what we can get from him. 

Seems that David is in charge of payment, lets press a bit further.

Seems that David is open to possibly banking over email. Lets be an absolute ass and not respect his time.

Cool, so the payment flag is COMP6441{paymentfraudisreal!}

Based on the above responses, whatever we input into the email form will be parsed and matched with keywords that would trigger an appropriate response. We don’t even need to make a comprehensible sentence I think.

Yep, if you are going to social engineer, at least respect David’s time and get straight to the point. Now lets hit Sarah who’s probably in charge of the facebook stuff.

Whew, that concludes my Something Awesome project! It’s been a heck of a interesting 6-weeks ride learning more about Linux and web app security.

Recall the goal I initially set myself on in my proposal:

I would like to develop well-rounded technical skills in web applications security via hacking a website. With an interest in software development, the project should give good experience in adopting an attacking mindset when developing software, and be a good opportunity to get hands on with a range of security topics. Ideally, the project will establish a solid practical skills complementing the theoretical knowledge of the course, setting good foundation towards whatever field of my interest down the road.

I can say now that with the benefit of hindsight, the concrete criteria I have set out initially to achieve the goal was incredibly ambitious. Although there was a steady stream of blog posts throughout the term, it became increasingly hard to keep up the quality and quantity of posts alongside the something awesome demands, especially during the mid-trimester period. Regardless, I took it in stride and set out a plan to tackle the remainder of my something awesome project and job application.

The final product of my something awesome proposal is as follows

Level 0-25 Bandit

Level 0-15 Natas

Chap 1, 2, 3 summaries of Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

Web application security tool - Burp Suite

Attacking a website, demonstrating an OWASP top 10 vulnerability (XSS)

Gruyere is a web application designed to teach beginner hackers how to find security holes. One such security hole are XSS attack vulnerabilities. XSS attacks lies behind an attacker injecting malicious scripts, typically on a browser, to a different end-user. XSS attacks are quite widespread, and is listed as one of the OWASP Top 10 Vulnerabilities. Typically, XSS attacks can be prevented by applying the correct sanitization to user input, but this can be incredibly hard to get right. I will be using Gruyere to demonstrate XSS attacks.

Scouting the web app

The web app has quite simple interface and functionality. The website is like a little forum of short snippet posts from different users. You can make an account and sign in, then post snippets. Different users can click on your All snippets on the homepage to see your entire history of snippets. You can also view and update your profile information.

Reflected XSS

XSS attacks where input is reflected off the web-server in some way such as error messages, URL links, search results, etc. Lets look at the URL link of the homepage:

https://google-gruyere.appspot.com/343180240150583431900368401274237652773/

Note that the long as number is my cookie, which to my knowledge dosen’t seem very secure as an attacker could easily compromise the URL and obtain the plaintext cookie and masquerade as the user. Anyways, note the different URL paths with different links:

https://google-gruyere.appspot.com/343180240150583431900368401274237652773/login

https://google-gruyere.appspot.com/343180240150583431900368401274237652773/newaccount.gtl

https://google-gruyere.appspot.com/343180240150583431900368401274237652773/snippets.gtl?uid=cheddar

What happens if we have a URL link specifying an unknown pathway? Try

https://google-gruyere.appspot.com/343180240150583431900368401274237652773/test

The error message echos the invalid path, which is a possible attack vector for a reflected XSS. So if we craft a script into the URL:

https://google-gruyere.appspot.com/343180240150583431900368401274237652773/<script>alert(document.cookie)</script>

The input is processed by the webpage and spits back out my cookie ID. An unknowing victim that clicks on the crafted URL can have their cookie stolen by an attacker. To fix this, user input must be escaped in the display of error messages. The ideal design would be to escape all output by default, and display raw HTML in very particular cases.

Stored XSS

XSS attacks where the input is stored by the server and served to other users. One attack vector is through the snippet input textbox where we can potentially insert malicious scripts.

If we submit and check the snippet historical page, we can see that script tags are filtered, so there is some sanitization process going in the back.

It seems <a> tags work though.

Instead of using script tags, we can potentially use <a> tags and insert a onmouseover event to trigger some javascript.

“The Fog of War” movie - documentary of Robert Egert on WWII?

The China Syndrome - WATCH IT - Nuclear powerplant accident

Fallback attack

Crappy version of a protocols vs new protocols

“Sorry I only use crappy version” Forced to use a less secure version. If there’s a man in the middle, can force a fallback attack to happen regardless of parties.

Root cause analysis

Done quite often in health settings, trying to work out what went wrong for future.

Often blamed on human error, people like having someone to blame, more tangible a villain.

Easy targets

Last person takes the foot of the blame - sack the last person

Culture - everyone responsible, no one exactly sacked, but education training, consultants, etc.

Human weakness

Honesty - “commander in cheat” book, written by sports advisor? How trump frequently cheats in golf.

Study on princeton and stanford students, honour code, observable effect on honesty when signature bar on top of page than bottom.

Attention and focus, how do we focus our attention, lots of heuristics and biases in the way we process information

Misdirection, used by social engineers and magicians

Flashlight analogy, attention is focused on a small subset of things

Logically important vs psychologically salient event

Similarity matching, drawing patterns between different events

Frequency gambling, gambling what has worked in the past will work in the future

Habits vs conscious attention

Confirmation bias

Cognitive strain

Group-think, when what you value is group membership and harmony in the group, no one wants to say contrary to the prevalent thinking

Accident vs Adversary

Imagine your computer is out to get you, when programming for security, you must assume everything can potentially turn against you. Normal developer, you just have to make things robust enough.

Building a self supporting structure with spaghetti tubes and putting marshmallow at top. People typically just build it as high as possible and then put marshmallow at top, but collapses. Tunnel vision. Need to plan out supporting structures with good foundation base.

Must engage in sound safe strategy, with minimal risk

“Good enough” - instinctive reaction is to get it okay enough, but security people need to go further, don’t wait for things to go wrong, plan for worst case scenarios

Systems and Error

So people wise, we know culture and human error can be addressed

3 mile island, what caused the accident? Whole system interoperability, not any one single issue by itself. Sure, human error, faulty parts, culture, all played some part, but not any can be solely blamed.

Don’t go around punishing people, go around see how things can be improved. The point of culture is to do a good job, learn from mistakes.

Many ways to do something, which is the best way?

Theory of design patterns, want programs to be loosely coupled (i.e. roughly independent components)

Chekov’s gun - if something is notable, it will be used.

Case studies: the real trick is to find what is actually relevant among the irrelevant stuff

Richard wants to teach not with a Chekov’s gun approach (clear 5 answers), but look at complex situation and filter down the important and not important bits. Can never be 100% confident.

Problem with simplifying things, reducing the number of contingencies which does not reflect the real world. Planning for fewer contingencies than what actually occurs

Illusion of control

Hindsight bias, knowledge of outcome of previous events increases perceived likelihood of that outcome

Complexity coherence coupling visibility

Anything that has immediate feedback, easy to detect, i.e. tunr wheel, car steers

Latent errors, errors that happen now but consequences appear much later, we get a lot of this in the real world

Defense in depth

If any one component fails, then they fail invisibly while system seemingly works fine.

Disasters waiting to happen

Automatic safety systems

Operator can get deskilled by virtue of having automation, and humans as last line resource

Dilemma - for example keeping pilots trained and always on alert, even though they barely touch the controls relying on automated systems

Just culture:

Learn about either

Chernobyl

Bhpal

On this level, we need to provide a username input. A search query is then done on the username, and returns whether a matching username exists in the database or not. Unlike the last level, we can’t echo the contents of what is inside the database. However, we are provided info on the structure of the data-table, that is a table of 2 columns (username and password), with both accepting a max of 64 alphanumeric characters.  We can do a brute force blind SQL injection attack to find the password of an existing user.

First things first, lets try figure out an existing user. An educated guess would be natas16.

The user natas16 exists, so now we need to figure out it’s corresponding 64-char-length password. Nobody got time to handcraft all possible combinations so we can automate the brute force with a script. The question s HOW. Recall my scrapping SQL knowledge and my python is nothing to brag about.

SQL:

We are searching for a user with username “natas16″. We can make the database return true based on different combinations of passwords. LIKE allows a character by character comparison in a string, BINARY allows differentiation between capital and lower case letters, and we can utilize wildcards in SQL that searches a sub-string in the string. The following command should do the trick.

SELECT * from users where username="natas16" AND password LIKE BINARY "%W%"

SCRIPTING:

Combining this search query with a brute force approach through all alphanumeric characters, we can get the right password. There is a total possibility of 26 lower case + 26 upper case + 10 digits = 62 characters, and with a max length of 64 characters, we face a worse case scenario of having to go through 64^62 combinations, which is HELLA big. Alternatively, we can split the brute force process in 2 parts and greatly reduce the time complexity: 1) Iterate through the 36 possible characters and append to a password dictionary the ones that actually pop up in the password, 2) For each character in range 1-64,  iterate through each character in the password dictionary and append to a password string if a match found.

Credits to https://mcpa.github.io/natas/wargame/web/overthewire/2015/09/29/natas15/ for an excellent writeup on the level, which the scripting code was adapted from and really helped out.

Level 10->11

This one took a while. We are told that cookies are XOR encrypted. However, XOR encryption can be vulnerable to known-plaintext attacks:

plaintext XOR key = ciphertext

ciphertext XOR plaintext = key

Now looking at the source code, whoa, quite a bit of code. The juicy bit is that the plaintext is the cookie and the xor_encrypt function, and we need to use the cookie and hack up a program to XOR out the key. The program will give us our password if the showpassword variable is set from “no” to “yes”

Our cookie encrypted header is ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV55QkQLaAw%3D

Let’s borrow the xor_encrypt function to make it XOR our cookie, we want to get a plaintext and cipher text to XOR together to get the key. Our cipher text is the cookie encrypted header. Our plaintext is the defaultData json object.

We get “qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8”, which we can deduce that “qw8J” is our key.

Now lets encode our data where showpassword is yes.

Running the program, we get our new key ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sQkQLeVMK, which we can replace the cookie data header in the HTTP request packet to get our password for the next level.

Level 11->12

For this level, we can upload a JPEG file of max 1KB size. Again, we are presented with a bit of sourcecode to look over. I’m not too familiar with PHP yet, but the logical flow seems to be that the file is uploaded with a randomly generated 10-character-long string as the path, and .jpg extension hardcoded. If there is some error with uploading, then an error message is returned. The code is not checking that the file is a jpg file, so we can inject some code in to snoop through the server system files and find out password.

Lastly we can change the randomly genreated filename extension in our packet header using Burp Suite when uploading.

When uploaded, simply click on the link which will show us the password to the next level.

Level 12->13

This level is very similar to the previous except now, the code checks if the file is an image type, using exif_imagetype . The function checks the first bytes of an image and checks its signature whether it matches that of an image, so we can pass a file as an image by altering its first few bytes. I used an online hexeditor.

Now when uploading the altered file, we change like before the file extension from jpg to php on Burp Suite, and click the link and we get our password.

Level 13->14

The level requires a username and password on the home page. Checking the source code, it is straightforward SQL authentication using a search query.

$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";

Importantly, the inputs are not sanitized. I don’t know much about SQL and databases yet, but some research on SQL injections and probing around, I can exploit the way the username and password is parsed into the search query. By parsing

username = hello" OR "1"="1

password = hello" OR "1"="1

The query becomes

SELECT * FROM users WHERE username=“hello" OR "1"="1" AND password="hello" OR "1"="1"

Level 4->5

When signing in the page, we are presented with the “Access Disallowed. You are not logged in.”. Using Burp Suite, we can inspect the HTTP packet header elements. We see that for the cookie, loggedin=0. Change loggedin=1 and forward packet and we get the key for the next level.

Level 5->6

The home page we are presented with an input box to input a secret key. A hint given is a link to the source code. Upon inspection, we see a simple if else block that checks if input is the same as the secret, if so give password else wrong secret notice. Interestingly, there was an include statement to a path so I tried it out and it took me to an empty page - checking out the debugger console, there was a variable defined as ‘secret’ with the secret key. Submitting the secret into the input box we get the key for the next level. 

Level 6->7

Inspecting the home page, we get tabs which when we click on them takes us to a different page. Looking at the URL, we notice that the way the requests are made are by changing the value of parameter ‘page’ to the path of the requested page. If we look at the console debugger, the index page has a hint saying that the password is in ‘/etc/natas_webpass/natas8′. We can change the value of the page parameter to ‘/etc/natas_webpass/natas8′ and we get our password.

Level 7->8

Similar to level 5->6, we need to provide an input secret key to get the password. In the console inspector, we see in the index page a given encodedSecret, and a encodeSecret function for inputs. We can decode our encodedSecret by reversing the operations in the encodeSecret. We can do it by hand, but we can also use do the inverse of the function using php. I don’t know much about php but a bit of digging around, it seems straightforward enough:

<?php echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362'))); ?> 

Level 8->9

Here, we have a input form that takes in a key, then does an egrep search through dictionary.txt for matching phrases with the substring. Importantly, the input is not sanitized, so we can snoop around the server by terminating the input with a ‘;’ and appending any linux commands after. From level 6->7 we know the natas passwords are stored in /etc/natas_webpass, so the following command can work:

;cat /etc/natas_webpass/natas10 #

Level 9->10

Similar to the previous level, but now the input is sanitized in some way. Special characters [;|&] are now filtered so we cannot terminate the command line early. However, we can take advantage of the egrep command by passing in some input like:

. /etc/natas_webpass/natas11 #

Level 0:

Inspected developer console and found key for next level commented.

Level 0->1:

Again, found key in developer console commented out.

Level 1->2:

Found in a hidden file in the /files directory user.txt

Level 2->3

The hint was that “not even google can find this”. I learnt that apparently webpages can have a robots.txt file which can configure whether a webcrawler will find particular contents of the page. We go to the listed disallowed directory and find the key in the users.txt

Level 3->4

The problem we face is that we are being denied access to the level because the server thinks we are coming from “http://natas4.natas.labs.overthewire.org/”, when authorised users should be coming from “http://natas5.natas.labs.overthewire.org/”. We will need to adjust some fields in the http request header, specifically the ‘Referer’ section. There are some extensions or third party tool you can use; I chose to use the command line ‘curl’ command, which can transfer data from server to client. Using it on a webpage, we can download its source code. 

curl 'http://natas4.natas.labs.overthewire.org/' -H 'Referer: http://natas5.natas.labs.overthewire.org/' -u natas4

Where -H allows us to specify a header, and -u to specify a user. 

So originally I was going to do an overview of Kali and its tools, but my main laptop got bricked and is going through warranty. In the meantime, I explored some other tools.

Burp Suite is a graphical interface used for providing a comprehensive set of tools and checks for web application security. It has basically functionalities such as proxy server, scanner and intruder, and more sophisticated tools such as web spider, repeater, decoder, comparer, extender and sequencer. 

Burp Suite is developed in Java and comes in 3 editions. We will be using the community edition because it is free and is easy on my student budget. Other editions come at greater cost but with much more functionalities. 

Installation

Go on https://portswigger.net/burp and choose the community edition. Follow the standard installation steps. Once installed, run the application, set a temporary project with Burp Suite defaults and you’ll be presented with Burp and all its glory.

Setting up a proxy server

You can use Burp Suite to set up a proxy server that listens incoming HTTP requests from a browser. 

First we need to configure a browser to redirect traffic to a specified port on the localhost. I’ll be using firefox for this. Go on firefox options and scroll all the way to the bottom for Network Settings

Click on the settings button and configure proxy access to the internet to Manual Proxy Configuration. Set it to the localhost 127.0.0.1 under any valid port. Lets choose 8080.

That’s the browser setup all done. Now for Burp Suite, go on the Proxy tab and in its Options, make sure the proxy listener is set up to localhost and the same port 8080.

Now the proxy server should be all set. Any HTTP requests from the firefox browser will be redirected to Burp Suite. Lets visit a HTTP site for demonstrations. Go on https://google-gruyere.appspot.com/start and press Resume which will redirect us to a HTTP site which is a bit like a sandbox website for student hackers to learn about web application security. The browser will be on hold and the packet header elements will be redirected to Burp Suite which we can inspect and change and forward as we please. 

Since HTTP websites send their data in plain-text, we can inspect the header information and potentially harvest and change sensitive data like usernames and passwords. Lets see this in action in the previous website homepage, I’m going to click the top right Sign In tab. I’m going to login in with an account I made earlier.

After I press Login, lets inspect the intercepted HTTP packet in Burp Suite. Try guess what my account password is... yeah my password is right there in clear day with the use of Burp Suite, not very secure now is it. This is an example of one of the OWASP Top 10 vulnerabilities, Sensitive Data Exposure.

Many web apps encode their data in several ways, for example in HTTP and HTML languages,  to ensure special characters can be treated appropriately. Attackers will need to encode data in an appropriate scheme and sometimes, can manipulate the encoding scheme to achieve an unintended behavior.

URL Encoding

URLs can only contain printable ASCII characters-set. Special characters in this range are restricted since they have special meaning in the URL scheme or HTTP protocol. Special characters are encoded into the following hexadecimal representations with a “%” in front:

%3d - “=“

%25 - “%”

%0a - “\n”

%00 - “\0″

%20 - “ “

Also note that “+” - “ “ as well

Unicode Encoding

A character encoding standard designed for supporting all types of writing systems. 16 bit unicode encoding works similarly to URL encoding. Over HTTP, the encoding of a character is the prefix “%u” followed by the corresponding unicode character code. 

%u2215 - “/”

%u00e9 -  “é”

UTF-8 uses variable-length encoding. For HTTP, UTF-8 encoded form uses each byte with its hexadecimal form preceded by the prefix “%”.

%c2%a9 -  “©”

%e2%89%a0 -  “≠”

HTML encoding

Used to represent problematic characters to safely incorporate them in a HTML document. These characters have special significance as meta characters within HTML to define document structure. 

" - "

&apos; - '

& - &

< - <

> - >

Characters can also be HTML encoded using its ASCII code in decimal or hexadecimal form.

decimal

" - “

' - ‘

hexadecimal

" - “

' - ‘

Base encoding

Allows binary data to be safely represented with printable ASCII characters. Often email attachments are encoded with Base encoding to safely transfer over SMTP. It is also used for encoding user credentials in basic HTTP authentication. Base64 encoding works by processing data in blocks of 3 bytes. with each block divided into 4 chunks of 6 bit each (allowing for 64 possible permutations). Instead of explaining it, let’s demonstrate how the encoding works:

Lets have a 3 letter string “heyo”

The string consists of a 4 byte value. Since length is 4 and is not a multiple of 3, and we need to add 2 to make it a multiple of 3, we need to add 2 bit padding to make length = 6. 

h = 104 (hex 68), e = 101(hex 65), y = 121 (hex 79), o = 111 (hex 6F). Using the hex value, lets convert them to binary

01101000 01100101 01111001 01101111

Split into groups of 6 bits

011010 000110 010101 111001 011011 11

Because last 6-bit is not complete, pad it with four 0′s and insert 2 “=“ sign to represent padding.

011010 000110 010101 111001 011011 110000 ==

Convert from binary to decimal

011010 = 26, 000110 = 6,  010101 = 21, 111001 = 57,  011011 = 27, 110000 = 48 ==

Use base64 chart to convert decimal characters to base64, and append the 2 bit equal signs.

26 = “a”, 6 = “G”, 21 = “V”, 57 = “5″, 27 = “b”, 48 = “w”

“hey” => “ aGV5bw==″

Many web apps often use Base64 to transmit data within cookies and other parameters, or even hide sensitive data through obscurity. It is worth noticing Base64 encoded strings (which are quite distinct from their limited character set and = padding) and decoding them when encountered.

Hex encoding

Somtimes, applications just do a straight hexadecimal encoding with ASCII representation when transmitting binary data. For example: “heyo” = 6865796F

Resources

HTTP Protocol

One of the core communication protocols used to access the World Wide Web, and used by all of today’s web app

Simple protocol initially developed to retrieve static text-based resources, since extended and leveraged to support complex applications

Messaged based model where client sends request message, and server returns response message

Connection-less and stateless protocol

HTTP requests

Every HTTP requests has 3 items in the first line, separated by spaces

HTTP method: a verb indicating what the HTTP requests does. Usually it is GET, which retrieves resources from web server. GET does not have a following message body.

Requested URL: typically functions as a name for resource being requested, alongside optional query string with parameters.

HTTP version used: Most common versions are 1.0 and 1.1, with most browsers by default using 1.1. Not many differences, but 1.1 has the Host request header mandatory.

Referer: used to indicate the URL from which the request originated. The originally specification was misspelled and the misspelled version has been retained ever since.

User-Agent: used to provide information about browser or other client software that generated the request.

Host: specifies the host-name that appeared in the full URL being accessed.

Cookie: used to submit additional parameters that server has issued to the client.

HTTP responses

The first line of every HTTP response consist of the following 3 items separated by spaces:

HTTP version being used

Numeric status code indicating the result of the request

Reason phrase: text describing status of response

Server: banner indicating web server software being used, and sometimes other details such as installed modules and server operating system. Info could be accurate or not.

Set-Cookie: issues browser a further cookie which is submitted back in the cookie header of subsequent requests to server.

These 2 fields are often issued when dynamic content is returned to ensure browsers have a fresh version of content upon access

Pragma: tells browser to not store the response in the cache.

Expire: indicates that response content expired in the past and should not be cached.

Almost all HTTP responses have a message body following blank lines after headers.

Content-Type: type of content in the message body.

Content-Length: length of message body in bytes.

HTTP Methods

When attacking web apps, the most common methods you will deal with is GET and POST.

GET

Designed to retrieve resources

Can be used to send parameters to the requested resource in the URL query string

POST

Designed to perform actions

Request parameters can be sent both in the URL query string and in body of the message.

Other methods:

HEAD: similar to GET, but server should not return message body. Can check resource presence before using GET.

TRACE: designed for diagnostic purposes, asks server to return in the response body the exact request message received. Can detect proxy servers.

OPTIONS: asks server to report HTTP methods that are available for a particular resource.

PUT: attempts to upload specified resource to server, using content contained in the body of the request. If enabled, can be used to attack server.

Resources:

Despite much differences across web applications, many employ very similar core security mechanisms. These mechanisms are a significant part of an application’s defense against attackers, and hence represent a considerable attack surface. Mechanisms such as handling user access and user input are key when attacking an application, to which defects can compromise the entire application.

The fundamental problem in web application security is the fact that all user input cannot be trusted. This gives rises to some ways to defend from attacks. Conceptually, many of them are quite similar such as:

Preventing unauthorized access by handling user access to application data and functionality

Preventing crafted input from causing undesired behavior of the application

Taking suitable offense/defense mechanisms by frustrating attackers when attacking the application

Enabling administrators to monitor the application’s activities and functionalities by managing the application itself

Many attacks revolve around these concepts, and understanding how they work is key to being able to defend against them.

Handling user access

Most web apps handle user access using 3 common mechanisms, each representing a considerable attack surface of an application:

Authentication

Ensuring that the application establishes that the logged in user is who they say they are

Most apps employ username password, which they check for validity

At higher levels, additional credentials can be used with multistage login process

At even higher levels, other authentication models can be used (i.e.client certificates, smartcards, challenge-response tokens).

Alongside, many apps have supporting functionality such as self-registration, account recovery, password change.

Seemingly simple, many authentication mechanisms are quite flawed

Weak passwords, or exploiting defects in application logic.

Session management

Once logged in, need to manage user’s session

Most apps create a session for each user and issue a token  identifying that session

The token is a unique string mapping the user to the session

With each http request from user application, the token is attached with the request, associating the request with the user.

Some example tokens:

HTTP cookies

Hidden form fields

URL query string

Ideally if a user does not make a request after some time, the session expires.

Session management mechanism is dependent on token security - if tokens are exploited, then the application can be exploited by an attacker identifying as another user.

Access control

The application needs to be able to make correct decisions about what a user can and cannot do on the application

Needs good logical controls with different use cases considered.

Can often get quite complicated, or developers making flawed assumptions or oversights, which an attacker can exploit to get unauthorized access.

Handling user input

Required in any input form, but there is no single protective mechanism

It’s tough because there is so many possibilities and often arbitrary input is required.

Many attack vectors such as via browser interface, cookies, hidden form fields

Approaches

“Reject known bad”

Blacklisting a set of literal string or patterns often known to be used in attacks.

Often seen as LEAST EFFECTIVE approach

Variety of ways to exploit with a wide variety of input which can be formed in various ways.

For example if block 0, try 1-1, or if alert(”xss”) blocked, try prompt(”xss”).

Filters can also be bypassed by inserting expressions into attack inputs to disrupt tokenizing by the application:

Many filters can be vulnerable to NULL byte attacks, inserting a NULL character can stop filter processing of the next following inputs.

"Accept known good”

Whitelisting a set of literal stings or patterns or criteria known to match only good input, blocking everything else.

When this approach is feasible, it is regarded as effective and can prevent many attackers from crafting input.

However, many situations require being flexible with what is considered “good”.

E.g. some people’s name have special characters like apostrophes

This cannot be an all encompassing solution

Sensitization

Instead of rejecting potentially bad input altogether, sanitize it before processing it.

Recognizing that sometimes data needs to be accepted which cannot be 100% safe.

Often highly effective approach

For example, sanitizing script tags to prevent XSS attacks.

Safe data handling

Making sure user-supplied data is processed in safe ways

Can address attacks like SQL injection by correct use of parametrized queries.

Unsafe ways would be to parse user input into operating system command interpreter.

Cannot be applied to all kinds of attacks, but effective when applicable

Semantic checks

Sometimes the input supplied by attackers is pretty much the same as a normal user’s input.

The key difference is the circumstances under which it is submitted.

An attacker might try to gain access to another user’s bank account by changing an account number transmitted in a hidden form field.

Syntactic validation can’t do much because it appears a legitimate entry

Need to consider the circumstances, i.e. matching the account number with user submitting it.

Boundary validation

Although many input validation checks on client side are some ways to filter input and improve performance, no guarantee is given to the input that reaches the server.

The point at which data is received at server side is a big trust boundary and application needs to take measures to defend itself.

Chucking all validation checks on one side is too tough and has its technical challenges

Boundary validation is validation check as data passes through different components. Validation checks implemented at various stages.

Multi-step validation and canonicalization

When user input validated across several steps, it is possible a careful attacker could slip a crafted input through.

For example lets say abc is deemed malicious and is filtered out. An attacker could craft the input ababcc, which when sanitized, would give abc passing through.

Data canonicalization is when input sent from user’s browser could be encoded in various ways so that unusual characters and binary data cna be safely transmitted over HTTP.

Canonicalization is the process of decoding data into a common character set. Attackers can slip by validation mechanisms if canonicalization is done after input filters applied.

Can do recursive sanitization or just reject bad input altogether

Handling attackers

Applications must assume that attackers are dedicated and skilled and must be able to handle them. Some measures are

Handling errors

Unanticipated errors will always occur regardless of how careful developers are

Applications need to be able to handle unexpected errors gracefully, with suitable error messages, or recover from them

No system generated messages should be sent through, otherwise can assist attackers in exploiting application.

Many languages provide good error-handling support with try-catch blocks and checked exceptions.

Maintaining audit logs

Used when investigating intrusion attempts against application

Effective logs should let application owners understand what has taken place, which vulnerabilities exploited, and whether attackers could gain access to data or perform unauthorized actions

Ideally provide evidence of intruder identity

Key events should be logged with application use, such as:

events with authentication functionality

key transactions

access attempts that are blocked

requests containing attack strings

Effective audit logs will typically record time of each event, IP address, user account, etc.

Logs need ot be protected from read/write access and hidden from attackers.

Alerting administrators

Audit logs can give good evidence post attack, but sometimes need to react more promptly, such as blog attacker IP before making damage.

Must balance genuine attacks and false alarms reliably.

Consider things like

Deviations from normal usage, like large number of requests from single IP

Deviations from normal business, like large number of fund transfers

Requests containing attack strings

Requests where data is hidden from ordinary users has been modified.

Many web firewalls and intrusion detection products can be good layer of defense, but many attacks can go more subtly. Such software cannot be entirely relied on.

Most effective way is to integrate real time alerting with application’s input validation mechanism and other controls.

Reacting to attacks

Many applications have defensive systems in place against attackers. If attackers bypass filters, can resort to frustrating the heck out of them and slowing down their progress considerably. Costs vs rewards, although will not deter a very patient attacker.

Managing the application

Applications need effective management and administration over user accounts, roles, access monitoring, audit functions, diagnostic tasks, and configuring aspects of application functionality.

Many applications have administrative functionality in the application itself, accessed through same web interface as core non-security functionality.

This can represent a critical part of the application’s attack surface such as attacker gaining privilege escalations

Often target for attackers because:

Compromising an administrator account means compromising the entire applications.

Many apps do not effectively implement access controls of some administrative functions. A new account could be created with powerful privileges.

Administrative functionality often involves displaying data originated from ordinary users. Cross site scripting attacks can compromise user sessions.

Administrative functionality often less scrutinized over security, because users deemed trusted, or because pen-testers not given high access.

Resources:

So we have learnt the beauty of public key cryptography. To quickly summaries, a user (lets say Mary) has 2 keys, a private key used for encrypting and a public key used for decrypting. As the names imply, Mary securely keeps her private key whereas her public key is out in the open. If anyone (i.e. Bob) wants to communicate with Mary securely, Bob would encrypt his message with Mary’s public key, then send it to Mary. Even if the message was intercepted, it is encrypted and only Mary can decrypt it with her private key. 

If you know someone’s public key, then you can use that to establish a secure tunnel (i.e. SSL/TLS) to proceed with communications.This system would be pretty solid except that its major weakness of authentication - how do we know the public key belongs to the intended user? Consider the initial set up of the initial public key exchange, it is possible that some attacker could conduct a man in the middle attack. By intercepting the public key exchange at the start, the attacker could then provide impersonate to Bob as Mary, and Mary to Bob. How do you make sure the public key Mary received really belongs to Bob, and similarly, Bob to Mary?

Public key infrastructure (PKI) was introduced as a way to solve the problem of authentication in public key cryptography. It provides a way of a verifiable of the guarantee of the ownership of a public key by the use of digital certificates. The certificate matches some identity (such as a named server) with a public key that belongs to that purportedly named entity. Certificate authorities (CA) make sure that the named entity really owns the public key, then issues the certificate. The CA itself has its own public/private key pair, where in a reversed way, the private key is used to encrypt the certificate (i.e. sign) and the public key can be used by users to decrypt it. When Bob wants to establish a connection with Mary’s server which has a public key advertised, he sees the certificate he can use the CA public key to decrypt the certificate and gain confidence of the certificate contents, and map out the named entity (Mary’s server) in the certificate with the public key.

Certificates are great in providing a way to verify a public key with a named entity, but really, it’s just redirecting the problem down the key distribution chain. Before the problem was knowing if we really have the other user’s public key, now we are just moving the problem down to whether we can trust the CA’s public key. Now the key thing we must ensure is that we can trust the CA’s public key.

This is where PKIs step in. CAs can issue certificates for millions of servers. This reshapes the landscape of the key distribution problem:

Instead of needing to know all the public keys of the millions of servers, we only need to trust the CAs public keys.

Not only do we need to trust the CAs public key, but we need to be able to trust the CAs themselves - they must be honest (to not knowingly sign a certificate with wrong name/key pair) and competent (to not unknowingly sign a certificate with wrong name/key pair).

We can reduce the 2nd implication by recursively checking if the public key of the CA which stored the certificate is itself stored in the certificate of another CA. This forms a whole hierarchy which reduces the number of keys we need to check and acts as an accountability checking mechanism. For example:

CA1: The public key of server S is NNNN. CA1 says that server S is trustworthy and honest.

CA2: The public key of server CA1 is MMMM. CA2 says that server CA1 is trustworthy and honest.

So when Bob wants to talk to Mary’s server and connects to the domain name https://www.maryserver.com/ and sees the green padlock icon, the whole PKI guarantees that the public key matches Mary’s identity and you can safely chat with Mary. This is an example of a SSL client (Bob) trying to authenticate a SSL server (Mary).

Note:

The hierarchy PKI model (i.e. x509) relies on a root CA as the highest level of honesty and trustworthiness. If a chain of trust from authority to the CA is established, then the certificate is assumed to be trustworthy. There are some problems with this model.

The software for implementing CA distribution is distributed over the internet, which can be compromised

Only one certificate chain can be established for any one certificate, so any chain is a single point of failure.

All CAs can sign whatever certificates they choose and if one CA is compromised, an attacker can make any site on the internet look valid. This is another single point of failure.

An alternative is the web of trust model where instead of relying on CAs, each user acts as its own authority, with each certificate requiring a chain of signatures to be established from each user. Every user is responsible for maintaining their set of signatures and acts as a independent source of chain. This can result in a very reliable PKI with no single point of failure.

Helpful resources:

https://security.stackexchange.com/questions/87564/how-does-ssl-tls-pki-work 

The question that we were presented to as a class was the following:

What are 5 things that you would do to improve the defence of the country, assume US is attacking? How about offence?

This is an interesting question and certainly got me reflecting on what we would regard as warefare in our contemporary society. Before, there was consideration of homefront and warfront, conscripting soldiers and fighting on the front lines. Nowadays, war and state sponsored attacks occur almost invisible and instantaneously, attacking our networks and infrastructure in our increasingly connected world.

In a small group, we came up with the following:

Defence

Greater investment in security education in university (one that emphasise attack and defence)

Protect and compartmentalise critical infrastucture from the internet (i.e. communications, powergrid, water facilities, banking, etc.)

Diplomatic ties (assume a position and reinforce allies. On approach could be making the cost not worth the rewards of attacking Australia, bolstering security defences yet with minimal or no strategic value in doing so)

Attacking own systems in a capture the flag or wargames style - getting defenders to think like attackers and finding weaknesses in the system

Education of the people of the new invisible threat that is cyber security.

Propaganda, pander to tribal nationalism instincts - us vs them

Attack

Greater investment in security education in university (one that emphasises attack and defence)

Create further social and political discord in the enemy - propaganda

Reconaissance of enemy reosurces, assets and infrastructure

Research and development of technologies and defences

Diplomacy, sue for peace

As a class, we discussed the following proposals:

Defence

DDOS protection for critical infrastructure

The thing with this proposal is that if key infrastrucutre is hooked on the internet, that is already a critical point of failure

Other services are still open to DDOS and could use protection.

In retrospect, there are some critical infrastructure that is unavoidably hooked on the internet (i.e. banking). DDOS protection, amongst many other security protections would serve to benefit.

Hire hackers and train

Currently thouguh, the incentives and prestige aren’t there for top talent ot be working in the government such as ASD when you could be working at top companies such as Google

Need to work on some way to bring incentives, or might have to contract companies

Hold war games

Defence and attack idea

Can also do CTFs

Internal pen testing

Espionage, counter intelligence

Redundancies not hooked on the internet

Mitigation for if everything is fried

For example, phone landlines

Meshnets peer to peer services

Education population of security

Give citizens education on key security issues and basic security safety measures

Expand global network and allies

Self reliance, not too dependent on USA

Make new global alliances

Filter out potential USA spies

Perhaps track populaiton databases for US citizens

Interrogate, deport or exploit as our own spies

Diplomacy to sue peace

Attack

Attack their infrastructure and services

Hire well

Espionage

Research and Development

Propaganda

Attack their social discord

Consider portrayal

E.g. Vietnam War - US gave up hearing so many atrocities with populaiton demonising government invovlement and even the veterans and army

If we portray ourselves as victims, US government may lose homefront support

If we portray ourselves as powerful, may deter further attacks, but aggression may provoke a response

Assasinate key figures

Cryptographic protocols

initialization vector (IV)

avalanche effect

protect whole document

have whole hash on one block, another hash on another block

merkle damgard

hash previous hash and new block

if first time, no previous hash, need something to start it off, hence IV

WEP

Recall 40bit key and 24 bit IV

Vulnerabilities arise partly due to problems of data vs control mixed into one channel

buffer and overflow

Phrack magazine - Smashing the stack for fun

Proof of work

Used by cryptocurrencies such as bitcoin

The “work” required to compute hashes is the friction of cryptography. Working out a certain hash must be brute forced and can be quantified to take a certain amount of time hence proof of work.

Moore’s law

The exponential growth of computing power means the bits of secuirty of attackers improve over time

Disk encryption

Threat model is someone who has physical access to disk

Disk generates a random key, that has encyrpted key

That key is then encrypted with user password

Cold boot attacks

Every contact leaves a trace

things written in ram dont immediately disappear after turning computers off

Disappearing information has to do with temperature

Forensic people, if machine is still logged on, get what they can from active memory, another way is turn computer off, open up computer, spray RAM and reboot from forensic operating system

Make sure that the data in the hardware itself cannot be compromised by encrypting it all

Windows’s bitlocker system had a flaw in encryption

Ciphers after WW2 but before RSA

Currently

RSA used for initial handshake, based on hard mathematical problem that is a trapdoor function (easy one way, hard the other way)

Other ciphers used for heavy work

Back then, everyone rolled their own ciphers, relied on security by obscurity until mid 70s. No one knew best practices.

NIST

At some point, people decided to make standard, 

No one knew much about encryption back then

Held a competition which a few people lodged applications to

The best thing that came about was Lucifer from IBM, which became a new standard for data encryption

The NSA came in and advised to reduced the key length of the algorithm, which later turned out that this was because NSA had a way to crack the algorithm which they tried to hide.

The new cipher was published academically and called Data Encryption Standard (DES). The cipher was found too weak eventually, but no replacement was proposed. 

Another competition with good shortlist, and the winner Rijndael proposed the Advanced Encryption Standard (AES) which is now 20 years old

The problem with authentication

identify for who? computer or human

computers or humans make decisions

authentication  vs identification

what decisions made?

something you know

(password/pin?), shared secret

something you have

confirmation code sms? two factor authentication

something you are

face, fingerprint, retina, dna,

but these thing are easily forged, easily stolen, not a good secret

in the end, authentication all comes down to keeping a secret