BH DC 07 Sutton Up


Smashing Web Apps

Applying Fuzzing to Web Applications and Web Services

Michael Sutton, Security Evangelist


Overview

• Background
– Vulnerability discovery methodologies
– What is fuzzing?
• Web application fuzzing
– Challenges
– Inputs
– Detection
• Web 2.0 fuzzing
• Fuzzing with Google
• Conclusions

© SPI Dynamics 2007


Whitebox vs. Blackbox

Whitebox Testing
• Internal perspective
• Static analysis
• Manual or automated testing
– Insecure programming practices
– Improper input validation

Example (C#):
    using System;

    class HelloWorld
    {
        public static int Main(String[] args)
        {
            Console.WriteLine("Hello world");
            return 0;
        }
    }

Blackbox Testing
• External perspective
• Run-time analysis
• Manual or automated testing
– Known vulnerabilities
– Unknown vulnerabilities



Vulnerability Discovery Methodologies

Security Audit     Source Code Analysis     Binary Auditing          Fuzzing
                   Automated   Manual       Automated   Manual       Automated   Manual
Code Coverage
Speed
False Positives
False Negatives
Complex Vulns.

Verdict - There is no silver bullet.



A Brief History of Fuzzing



Fuzzing Approaches

1. Test cases (example: PROTOS Test Suites)
– Hard coded data packets or files
+ Broad coverage of studied protocols
− Time consuming to develop
− Impractical for custom applications
2. Brute force fuzzing (example: FileFuzz)
– All possible values attempted
+ Minimal preparation
+ Broad coverage of targeted inputs
− Many wasted CPU cycles
3. Intelligent fuzzing (example: SPIKE)
– Dynamically generated input adhering to predefined constraints
+ Decreased false negatives
− Time consuming to develop rules



Fuzzing Phases

Identify Target → Identify Inputs → Generate Fuzzed Data → Execute Fuzzed Data → Monitor for Exceptions → Determine Exploitability



Network vs. Web App Fuzzing

                        Network     Web Application
Availability of tools
Protocol structure
Identifying inputs
Detecting exceptions
Code coverage



Web App Fuzzing - Challenges

• Multi-layered technology
– Web server, application server, database server, etc.
• Where does the vulnerability lie?
• Network latency
– Network creates a bottleneck
• How can we speed up the process?
• Exception detection
– Numerous signals must be monitored/reviewed
• Did we miss anything?
• Code coverage
– Tracking business logic reached
• How do we know when to stop?



Web App Fuzzing - Inputs

• Request-URI
– /[path]/[page].[extension]?[name]=[value]&[name]=[value]
• Protocol
– HTTP/[major].[minor]
• Headers
– [Header name]: [Header value]
• Post Data
– [Name1]=[Value1]&[Name2]=[Value2]
• Cookies
– Cookie: [Name1]=[Value1]; [Name2]=[Value2] ...

Think Outside the Box



Input – Request-URI

/[path]/[page].[extension]?[name]=[value]&[name]=[value]
• Path
– Path traversal
• Page
– Predictable resource location
– Directory indexing
– Information leakage
• Extension
– Web filter bypass
– DoS
• Name
– Abuse of functionality (hidden functionality)
• Value
– SQL injection, XSS, file inclusion, command injection, etc.
• Separator
– Content spoofing (URI obfuscation)



Input – Protocol

HTTP/[major].[minor]
• Fuzz variables
– Unsupported protocol version
• HTTP 1.1 (RFC 2616)
• HTTP 1.0 (RFC 1945)
• HTTP 0.9 (Deprecated)
– Non-RFC compliant values
• HTTP X.Y
• HTTP 2.2
• AAAAA
• Proxy issues
– Request may be altered/blocked by ‘non-transparent’ proxies
• RFC 2145 - Use and Interpretation of HTTP Version Numbers



Input – Headers

[Header name]: [Header value]


• Buffer Overflow
– Content-Length
– User-Agent
– Accept-Language
– Referer
• DoS
– Host
• Script/Code Injection
– User-Agent
– Referer
• SQL Injection
– User-Agent



Input – Post Data

[Name1]=[Value1]&[Name2]=[Value2]
• Name
– Abuse of functionality (hidden functionality)
• Value
– SQL injection
– XSS
– File inclusion
– Command injection
– Buffer Overflows



Case Study – Buffer Overflow

Linksys WRT54G Router Remote Admin apply.cgi Buffer Overflow


• CVE-2005-2799
• Exploit
    POST /apply.cgi HTTP/1.1
    Host: 192.168.1.1
    ...
    A x 10000+
• Notes
– Buffer overflows rare for web applications
– Fuzzing web applications also tests underlying technologies



Input – Cookies

Cookie: [Name1]=[Value1]; [Name2]=[Value2] ...


• Name
• Value
– Cross Site Request Forgery (CSRF)
– Credential/session prediction
– Insufficient authentication
– Insufficient session expiration
– SQL Injection
– XSS



Case Study – SQL Injection

MyBB Index.PHP Referrer Cookie SQL Injection Vulnerability


• BID 16443
• Exploit
    GET /index.php HTTP/1.1
    Host: example.com
    ...
    Cookie: referrer=
    9999999999'%20UNION%20SELECT%20password,2,3,4,5,6
    ,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,
    1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5
    ,6,7,8,9%20FROM%20mybb_users%20WHERE%20uid=1/*
• Notes
– Name/value pairs in cookies are often used to transfer values in
the same way that they are used in GET/POST requests



Web App Fuzzing - Detection

• HTTP Status codes
– 200 OK – predictable resource location
– 403 Forbidden – Restricted page
– 500 Internal server error – Unhandled exception
• Web server error messages
– Verbose SQL error messages
– Information leakage
• Dropped connections
• Log files
• Event Logs
• Debuggers
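An added example, not code from the slides or from the WebFuzz tool, that ties the input vectors listed earlier (URI values, header values, cookie values) to the detection signals on this slide: one payload is placed into each input slot in turn, and a captured response is classified by status code and by a constructed list of verbose database error signatures.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed signatures of verbose database errors; extend for the stack under test.
SQL_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",                # MySQL
    r"Unclosed quotation mark after the character string",  # Microsoft SQL Server
    r"ORA-\d{5}",                                           # Oracle
    r"pg_query\(\)|ERROR:\s+syntax error at or near",       # PostgreSQL
    r"Microsoft OLE DB Provider for (ODBC Drivers|SQL Server)",
]

def mutate_request(url, headers, cookies, payload):
    """Yield (location, url, headers, cookies), one variant per input vector:
    each query-string value, each header value and each cookie value receives
    the payload in turn while everything else keeps its baseline value."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(params):
        fuzzed = params[:i] + [(name, payload)] + params[i + 1:]
        yield ("uri:" + name, urlunsplit(parts._replace(query=urlencode(fuzzed))),
               dict(headers), dict(cookies))
    for name in headers:
        yield ("header:" + name, url, {**headers, name: payload}, dict(cookies))
    for name in cookies:
        yield ("cookie:" + name, url, dict(headers), {**cookies, name: payload})

def classify_response(status, body):
    """Map one captured response onto the detection signals from the slide."""
    findings = []
    if status == 200:
        findings.append("200 OK: resource exists (predictable resource location)")
    elif status == 403:
        findings.append("403 Forbidden: restricted page")
    elif status >= 500:
        findings.append("5xx: unhandled server-side exception")
    for sig in SQL_ERROR_SIGNATURES:
        if re.search(sig, body, re.IGNORECASE):
            findings.append("verbose SQL error matched: " + sig)
            break  # one hit is enough to queue the page for manual review
    return findings
```

In a live run each variant from mutate_request() is sent and its status and body handed to classify_response(); requests and responses should be archived together so findings can be reviewed later.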



Web App Fuzzing - Tools

• Open Source
– WebFuzz
• michaelsutton.net/download/WebFuzz.zip
– SPIKE Proxy
• www.immunitysec.com/resources-freesoftware.shtml
– OWASP WebScarab
• www.owasp.org/index.php/Category:OWASP_WebScarab_Project

• Commercial
– SPI Fuzzer
• Included with SPIDynamics WebInspect



Demo WebFuzz

Fuzzing.org



Fuzzing Web 2.0

• What is Web 2.0?


– "A perceived or proposed second generation of Internet-based services - such as social networking sites, wikis, communication tools, and folksonomies - that emphasize online collaboration and sharing among users."
– Wikipedia
– "Web 2.0 is the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects to get better the more that people use them."
– Tim O'Reilly
• Web 2.0 vs. Web 1.0
Same vulnerabilities
+ Additional input vectors
= More complexity



Web Services Fuzzing



Web Services Fuzzing - Challenges

• Inputs
– XML parsing and generation
– Documented vs. undocumented
• WSDL (Web Services Description Language)
• Targets
– UDDI (Universal Description, Discovery and Integration)
• OASIS
– DISCO (Discovery of Web Services)
• Microsoft
• Protocol
– SOAP
• exchanging XML-based messages over HTTP



Web Services Fuzzing - Inputs

• Identify Targets
– UDDI
– DISCO
– Etc.
• Identify Inputs - WSDL
– Blueprint for expected inputs
• Data types (e.g. integer)
• Data ranges (e.g. 1-1000)
– Facilitates intelligent fuzzing
• Generate fuzz variables outside of expected inputs

Identify Targets → Identify Inputs → Generate Fuzzed Data → Execute Fuzzed Data → Monitor for Exceptions → Determine Exploitability



Web Services Fuzzing – Inputs - WSDL

http://api.google.com/GoogleSearch.wsdl
<message name="doGoogleSearch">
<part name="key" type="xsd:string"/>
<part name="q" type="xsd:string"/>
<part name="start" type="xsd:int"/>
<part name="maxResults" type="xsd:int"/>
<part name="filter" type="xsd:boolean"/>
<part name="restrict" type="xsd:string"/>
<part name="safeSearch" type="xsd:boolean"/>
<part name="lr" type="xsd:string"/>
<part name="ie" type="xsd:string"/>
<part name="oe" type="xsd:string"/>
</message>
...
<service name="GoogleSearchService">
<port name="GoogleSearchPort" binding="typens:GoogleSearchBinding">
<soap:address location="http://api.google.com/search/beta2"/>
</port>
</service>
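An added example (not code from the slides or from any tool named on them) for the "WSDL as blueprint" idea of the previous two slides: it parses the message parts from a constructed WSDL excerpt modelled on the doGoogleSearch message above and derives type-aware test cases, one part at a time, from values that fall outside each declared XSD type. The OUT_OF_TYPE table is a constructed starting set and the urn:GoogleSearch namespace in soap_body() is an assumption.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed WSDL excerpt modelled on the doGoogleSearch message shown above.
WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="doGoogleSearch">
    <part name="key" type="xsd:string"/>
    <part name="q" type="xsd:string"/>
    <part name="start" type="xsd:int"/>
    <part name="maxResults" type="xsd:int"/>
    <part name="filter" type="xsd:boolean"/>
  </message>
</definitions>"""
WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"

# Constructed starting set of values outside each declared type; extend per target.
OUT_OF_TYPE = {
    "xsd:int": ["-1", "0", "2147483648", "-2147483649", "1e10", "abc", "1;--"],
    "xsd:boolean": ["2", "yes", "TRUE ", "null"],
    "xsd:string": ["A" * 10000, "%s%s%s%n", "'", "<![CDATA[<]]>", "\u0000"],
}

def parse_message_parts(wsdl_text, message_name):
    """Return [(part_name, declared_type)] for one <message> element."""
    root = ET.fromstring(wsdl_text)
    for msg in root.iter(WSDL_NS + "message"):
        if msg.get("name") == message_name:
            return [(p.get("name"), p.get("type"))
                    for p in msg.findall(WSDL_NS + "part")]
    raise KeyError(message_name)

def generate_fuzz_cases(wsdl_text, message_name, baseline):
    """Yield (part_name, value, params). `baseline` holds a valid value per part;
    each case replaces exactly one part with an out-of-type value so that a
    fault can be attributed to a single input."""
    for name, xsd_type in parse_message_parts(wsdl_text, message_name):
        for value in OUT_OF_TYPE.get(xsd_type, []):
            params = dict(baseline)
            params[name] = value
            yield name, value, params

def soap_body(operation, params, ns="urn:GoogleSearch"):
    """Wrap one case in a minimal SOAP 1.1 envelope (namespace is an assumption).
    Values are XML-escaped so the case reaches the service logic, not the parser."""
    inner = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in params.items())
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soap:Body><ns:{operation} xmlns:ns="{ns}">{inner}</ns:{operation}>'
            '</soap:Body></soap:Envelope>')
```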



Web Services Fuzzing - Tools

• Open Source
– OWASP WSFuzzer
• http://www.neurofuzz.com/modules/software/wsfuzzer.php
• Commercial
– SPI Dynamics WebInspect



AJAX Fuzzing



AJAX Fuzzing - Challenges

• AJAX frameworks may employ alternate data interchange formats
– JSON - Atlas
– Serialized Java - Google Web Toolkit
– HTML
– XML
• Business logic dispersed between client and server side code
• Business logic dispersed among many client side pages and
script files
• Increased attack surface



AJAX Fuzzing - Implementations

• Multiple frameworks
– Prototype (http://www.prototypejs.org/)
– Script.aculo.us
– Dojo (http://dojotoolkit.org/)
– ASP.Net AJAX (http://ajax.asp.net/)
– Etc.
• Multiple browser objects
– Internet Explorer
• IE6 - XMLHTTP ActiveX control
• IE7 – XMLHTTP native script object
– Firefox
• XMLHttpRequest object



AJAX Fuzzing - Inputs

• Dynamic analysis (e.g. FireBug)
– Allows for targeted fuzzing
– No setup required
• Static analysis (e.g. spider/grep)
– Spider website and grep for XHR calls
– Challenging as logic for XHR is often spread among >1 web page or JavaScript file
• Web page
– <script src="ajax" type="text/javascript"></script>
– Ajax.Request()

• Script page
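An added example, not from the slides, of the static-analysis approach described above, run against a constructed site held in memory: it collects the <script src> includes from a page and greps the page plus every included script for Prototype Ajax.Request() calls and raw XMLHttpRequest open() calls, so endpoints spread across several files end up in one inventory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed page and script files; a real run would fetch these by spidering.
SITE = {
    "/index.html": '<html><head><script src="/js/app.js" type="text/javascript">'
                   '</script><script src="/js/util.js"></script></head>'
                   '<body></body></html>',
    "/js/app.js": "new Ajax.Request('/ajax/search.php', {method: 'get', "
                  "parameters: {q: term}});",
    "/js/util.js": "var x = new XMLHttpRequest();\n"
                   "x.open('POST', '/ajax/save.php', true);",
}

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

XHR_PATTERNS = [
    re.compile(r"Ajax\.Request\(\s*['\"]([^'\"]+)['\"]"),               # Prototype
    re.compile(r"\.open\(\s*['\"]\w+['\"]\s*,\s*['\"]([^'\"]+)['\"]"),  # raw XMLHttpRequest
]

def find_xhr_endpoints(site, page):
    """Return the XHR endpoints reachable from `page`, in discovery order:
    the page itself is scanned first, then each script it includes."""
    parser = ScriptSrcParser()
    parser.feed(site[page])
    sources = [page] + [urljoin(page, s) for s in parser.srcs]
    endpoints = []
    for path in sources:
        text = site.get(path, "")  # missing script file: nothing to scan
        for pattern in XHR_PATTERNS:
            for match in pattern.finditer(text):
                target = urljoin(path, match.group(1))
                if target not in endpoints:
                    endpoints.append(target)
    return endpoints
```

Each endpoint found this way becomes a fuzzing target whose parameters are taken from the surrounding call, the same inputs the dynamic (FireBug) approach would reveal one request at a time.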




How Not to Implement AJAX - BlinkList

BlinkList XMLHttpRequests
• Verbose SQL errors
– Multiple
• XSS
• Exposed functionality
– Web based email
• Directory browsing



FUGGLE™

Fuzzing
Using
Google
Gets
Low hanging fruit
Easily



Fuggle RI.gov

Hackers steal credit card info from R.I. Web site
Dibya Sarkar
Published on Jan. 27, 2006

Russian hackers broke into a Rhode Island government Web site and allegedly stole credit card data from individuals who have done business online with state agencies.

The story was first reported by The Providence Journal this morning and comes two days after state and local government officials released national surveys indicating they need more cybersecurity guidance and help in strengthening their systems.



Fuggle Fuzzing Phases

Identify Target → Identify Inputs → Generate Fuzzed Data → Execute Fuzzed Data → Monitor for Exceptions → Determine Exploitability



Fuggle vs. Google Hacking

Fuggle                                       Google Hacking
Focus on input                               Focus on output
  e.g. URI parameters                          e.g. page content
Identifying targets for further testing      Identifying pages using vulnerable 3rd party apps or leaking confidential information
Flexible search terms                        Fixed signature based searches
  e.g. inurl:"id=10"                           e.g. intitle:index.of "parent directory"
Custom vulnerabilities                       Known vulnerabilities



Fuggle Prerequisites

• Vulnerabilities
– Input vectors must be indexed by Google and accessible via search operators
• Title
• Displayed page content
• URI
• Request/response headers
• Page source code
– Effectively limits using Fuggle to pages using GET method
• Input vectors indexed in URL



Fuggle Threat

• How can Fuggle be abused?


• Indiscriminate web application hacking
• Vulnerability scanning for self propagating worms / web application worms



Fuggle SQL Injection – Identify Input

• Input
– User supplied values concatenated into
SQL queries

www.example.com?id=10

SELECT product from products WHERE id=10;

• Goal
– Identify pages with verbose SQL errors



Fuggle SQL Injection – Identify Targets

• Search Term
– inurl:"id=10"
• Targets
– Retail stores
• E.g. Product catalog
– Informational sites
• E.g. News archive
• Search results
– Results 1 - 10 of about 2,010,000 for inurl:"id=10". (0.05 seconds)
• Cleanse results
– Remove URLs w/out "id=10"
– Remove duplicate results from single domain



Fuggle SQL Injection – Generate Data

• Goal
– Identify pages with verbose SQL errors
• Fuzz data
– id='10"
– Blind SQL injection
• id=10 OR 1=1
– Comment remainder of query
• id='10--
– Encode query
• id=%2710



Fuggle SQL Injection – Execute Data

• Submit queries
• Capture responses
– Raw response
• Headers
• HTML source code
– HTTP Status codes
• Associate requests with responses
• Archive for automated and manual review



Fuggle SQL Injection – Monitor Exceptions



Fuggle SQL Injection - Exploitability

• Execute additional queries


– Confidentiality
• SELECT
– Integrity
• DROP
• INSERT
• DELETE
– System compromise
• Stored procedures
• Extended stored procedures



Fuggle SQL Injection - Results

Initial population of URLs                                                      1,000
Population after removal of duplicate servers                                     732
Population after removal of failed requests                                       708
Total number of verbose SQL errors                                                 80
Percentage of sample web sites potentially vulnerable to SQL injection attacks  11.3%



Fuggle XSS – Identify Input

• Input
– User supplied values echoed back in displayed web page

www.example.com?user=joe

Welcome back <?php echo $_GET["user"]; ?>

• Goal
– Identify pages which display unfiltered user input



Fuggle XSS – Identify Targets

• Search Terms
– inurl:"search=xxx" intext:"search results for xxx"
– inurl:"query=xxx" intext:"search results for xxx"
– inurl:"q=xxx" intext:"search results for xxx"
• Targets
– Search pages
• Blogs
• Video sharing
• News
• Search results
– Typically < 1000
– Numerous duplicate sites
• Cleanse results
– Remove URLs w/out "search|query|q=xxx"
– Remove duplicate results from single domain



Fuggle XSS – Generate Data

• Goal
– Identify pages echoing unfiltered user input in responses
• Fuzz data
– Client side script
• JavaScript, VBScript, ECMAScript, HTML, etc.
– Encoded data
• URL encoding
• Hexadecimal encoding
• Unicode encoding
• US-ASCII
• Etc.



Fuggle XSS – Execute Data

• Fuzz Variable
– IMG tag
• Non existent page on local web server
• Detection
– Allows implicit ‘phone home’ capability
– Log entry = vulnerable web page
– HTML likely to evade ineffective input filters



Fuggle XSS – Monitor Exceptions

IIS Web Server Log File


#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2007-01-31 00:57:34
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:57:34 127.0.0.1 GET /xss-vulnerable.com 404

• Vulnerable site dynamically concatenated into request
• Requested resource does not need to exist on local web server
– 404 status code is just as good as 200
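An added example (not the author's code) for the monitoring step on this slide and the previous one: a parser for the IIS W3C extended log format, driven by the #Fields directive rather than fixed column positions, that pulls out the ‘phone home’ hits where the requested path names the page that echoed the IMG tag. The log lines are constructed, and the LOCAL_NOISE set of paths to ignore is an assumption.

```python
# Constructed sample in the IIS W3C extended format shown on the slide.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2007-01-31 00:57:34
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:57:34 127.0.0.1 GET /xss-vulnerable.com 404
00:58:01 127.0.0.1 GET /index.html 200
00:58:20 127.0.0.1 GET /another-echo.example 404
00:59:02 127.0.0.1 GET /favicon.ico 404
"""

def parse_w3c_log(text):
    """Parse W3C extended log records into dicts keyed by the #Fields names.
    A later #Fields directive re-maps the records that follow it, as IIS allows
    when the logged fields are changed mid-file."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: " + line)
        records.append(dict(zip(fields, values)))
    return records

# Assumed set of local paths browsers request on their own; not beacon hits.
LOCAL_NOISE = {"/favicon.ico", "/robots.txt"}

def phone_home_hits(text):
    """Return the vulnerable page names encoded in beacon hits: a GET for a
    path that does not exist locally (404) and is not ordinary browser noise."""
    hits = []
    for rec in parse_w3c_log(text):
        if (rec["cs-method"] == "GET" and rec["sc-status"] == "404"
                and rec["cs-uri-stem"] not in LOCAL_NOISE):
            hits.append(rec["cs-uri-stem"].lstrip("/"))
    return hits
```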



Fuggle XSS – Exploitability

• Reflected XSS
– DOM based content spoofing in phishing attacks
– Stealing session credentials and confidential data
• Persistent XSS
– Web based worm propagation
• October 4, 2005 – MySpace Samy worm



Fuggle XSS - Results

Unique sites identified by Google                 288
Unique sites accessible at time of testing        272
Sites with confirmed XSS vulnerabilities           47
Percentage vulnerable                           17.3%



Fuggle Lessons Learned

• Vulnerable websites are everywhere
• Previously unknown vulnerabilities can easily be identified through a combination of search engine queries and basic web page requests
• Viable tactic for phishers and worms that do not discriminate when selecting victims
• Google knows that you’re vulnerable. Do you?



Fuzzing and the SDLC

Training & Education            Fuzzing Tools

Developers                      QA Team                  Security Team

Planning → Requirements → Design → Build → QA → Production

Application Security Monitoring



The future of Fuzzing

• Tools
– Frameworks
– Integrated test environments
– Commercial tools
• People
– Wider audience
– Proactive fuzzing – the shift from offense to defense



Any Questions?

Michael Sutton
Security Evangelist
SPI Dynamics
http://portal.spidynamics.com/blogs/msutton

