Tuesday, August 24, 2010

Offensive-Security.com WiFu Training Class...

A couple of weeks ago I was looking at the latest Backtrack release and decided to finally check out offensive-security.com. For those of you unfamiliar with offensive-security.com, it is a training organization that uses Backtrack to teach penetration testing. It was founded by Mati Aharoni, creator of WHAX and a core developer of Backtrack.

Offensive-Security offers 3 training courses: Pentesting With Backtrack (PWB), Cracking the Perimeter (CTP), and Offensive-Security Wireless Attacks (WiFu). Upon successful completion of a course and its hands-on lab you are awarded the OSCP (PWB course), OSCE (CTP) or OSWP (WiFu) certification.

What makes these certifications challenging is that they do not test your ability to memorize answers: they present you with a challenge, and you must correctly complete it within an allocated amount of time to be awarded the certification.

I did some online research and saw some really good reviews, so I thought I would look into the cost of some classes. I was surprised by the range of course costs, from 350 USD for WiFu to 1500 USD for CTP with 60 days of lab access. Although I had done some wireless security work in the past, I thought I would give the WiFu course a try.

I went through the registration process and received my course material in the allotted time. The material included a PDF for the class and some video tutorials. I would say the PDF (and the class) is broken into two parts: the first is about wireless and wireless security, and the second is about attacking wireless.

I spent last week going over the first half of the class. Because I had not used my wireless skills in a long time, this was a great refresher. This part of the class covered 802.11 standards, the different wireless modes, the different types of packets you will see on a wireless network, and how to choose hardware.

The hardware section was of great interest to me because of the details it gave. It covered different types of wireless adapters, chipsets, and antennas, and gave some good guidance on how to choose wireless equipment for what you are testing.

The information in the first part of the class has been wonderful so far, and I am looking forward to the "attacking" phase of the class. Once I get further into the attacking phase I will post some more blogs about the class.

Tuesday, August 3, 2010

Bypassing Client Side Input Validation...

Last post I discussed how to implement client side input validation, and before that I discussed why it should be used. Today I will discuss the best part of client side input validation: how easy it is to bypass!

This post hopes to show just how easy bypassing client side input validation really is. For demonstration purposes the code examples from the previous post will be used to show three very easy attacks that bypass client side validation. To recap, here is the HTML code for zip.html, the form used to enter a zip code.

<title>Please enter in your zip code</title>
<script language="JavaScript">
function validateme() {
    var zv = document.zipform.zip.value;
    // First check: exactly 5 characters
    if (zv.length != 5) {
        alert("Please enter in 5 characters");
        return false;
    }
    // Second check: the value ends in 5 digits (combined with the length check, it is all digits)
    if (zv.match(/\d\d\d\d\d$/)) {
        return true;
    }
    alert("The Zip Code field does not contain 5 digits.");
    return false;
}
</script>
<form method="POST" name="zipform" onsubmit="return validateme()" action="zip.php">
<center>Enter in your zip code (Only 5 digits please): <input type="text" name="zip" maxlength="5">
<input type="submit" value="Enter Zip Code"></center>
</form>

The first and simplest attack to bypass client side validation, drum roll please..., is to disable JavaScript in the browser. That's it, a pretty tough attack since you must restart the browser for it to take effect. A variation of this attack is to use a browser like Firefox that supports extensions, install the NoScript extension, and forbid the host from running scripts.

The second method requires a very special and 3l1+3 (elite in l33t speak) tool called a text editor, such as gedit or notepad. In the sample code zip.html, validation must be bypassed in two places: the HTML MAXLENGTH attribute and the validateme function. To begin performing this attack, open up zip.html in a web browser of your choice and save the page to the local system.

The first thing to deal with is submitting the form back to the original website, in this example www.badwebapp.com. If the page uses a relative path, as in the example code below, the form's action property must be changed.

<form method="POST" name="zipform" action="zip.php">

To send the form back to badwebapp.com, change the action property to the full URL on www.badwebapp.com, as seen in this code example:

<form method="POST" name="zipform" action="http://www.badwebapp.com/zip.php">

If this is not changed, the form will attempt to post the data to the local system and a 404 error will be returned to the browser.

With the form ready to be processed by the original website, the next thing to deal with is the HTML MAXLENGTH attribute. Open up the file zip.html and go to this line:

<center>Enter in your zip code (Only 5 digits please): <input type="text" name="zip" maxlength="5">

Delete the MAXLENGTH attribute, and the first validation check is bypassed. Save the file to the local system, then open it in a web browser. It is now possible to enter more than 5 digits in the input field; however, a warning box from the validateme function will indicate that more than 5 digits were entered.

There are three options to bypass the JavaScript validateme function. The first is to wrap it in HTML comment tags (<!-- what is to be commented out goes here -->), the second is to change the code itself, and the third is to remove the onsubmit property from the form properties, as seen in this example:

<form method="POST" name="zipform" onsubmit="return validateme()" action="zip.php">

Any of the three methods is sufficient to bypass the validateme function. After completing the changes to the file, save it to the local system. Open zip.html in a web browser, enter any information, such as ABCDE12345, and submit the form for processing by the web server. Since this web server performs no server side input validation, the following message will be returned:

Congratulations! Your zip code is ABCDE12345 Thanks!

Changing the code can be a lot of work, especially in a web application that performs multiple client side input validation checks. What about changing the data after the validation has run, but before it is submitted to the web server? That is what is done in the third attack.

To perform this attack, an intercepting web proxy application such as OWASP WebScarab is used.

After installing WebScarab, fire it up and configure it to intercept requests. When running WebScarab in the Lite interface, just click on the Intercept tab and check the Intercept Request box. Next, open up your browser of choice and configure it to use WebScarab as its proxy server.

Now enter 5 digits, which is the valid length for a zip code, and click on the Enter Zip Code button. As soon as this occurs, WebScarab pops up the intercepted request (shown in the following screenshot):

Now change the value of the zip variable to ABCDE12345 and click on the Accept Changes button. Once again you are presented with the following message:

Congratulations! Your zip code is ABCDE12345 Thanks!

As you can see, client side input validation is great for catching typos and data entry mistakes, but it does not increase the security of an application.

Much like a border router, client side input validation can serve as the first layer of defense for a web application. Just remember how easily client side validation can be bypassed, as seen in this example, and that it should NEVER be trusted: the same checks must be repeated on the server.
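The missing half of the example above is the server side check in zip.php. The following is an added example, not code from the original post: a Node.js function standing in for zip.php that re-validates the zip field before echoing it, so the tampered submission ABCDE12345 from the post is rejected no matter how the client side checks were bypassed. The handler name and the sample request bodies are constructed for this example.

```javascript
// Added example: server-side counterpart to validateme(), written as a plain function
// so it can be exercised without a web server. The hypothetical handleZipPost() stands
// in for zip.php and receives the raw application/x-www-form-urlencoded POST body.

// The post's client-side pattern only anchors the end of the string, so by itself it
// accepts "ABCDE12345" (it ends in five digits) and relies on the separate length check.
const CLIENT_RE = /\d\d\d\d\d$/;
// Anchored on both ends: exactly five ASCII digits, nothing else.
const ZIP_RE = /^\d{5}$/;

// Returns an error message for a bad value, or null when the value is acceptable.
function validateZip(value) {
  if (typeof value !== "string") return "zip must be a single text field";
  if (value.length !== 5) return "Please enter in 5 characters";
  if (!ZIP_RE.test(value)) return "The Zip Code field does not contain 5 digits.";
  return null;
}

// Parses the POST body and returns the status and body the server should answer with.
function handleZipPost(rawBody) {
  const fields = new URLSearchParams(rawBody);
  // A repeated field (zip=12345&zip=ABCDE) is rejected rather than silently picking one.
  const values = fields.getAll("zip");
  const err = values.length === 1 ? validateZip(values[0]) : "zip must be sent exactly once";
  if (err !== null) {
    return { status: 400, body: "Invalid zip code: " + err };
  }
  // The value is now known to be five digits, so echoing it back cannot inject markup.
  return { status: 200, body: "Congratulations! Your zip code is " + values[0] + " Thanks!" };
}

// Constructed sample bodies: a legitimate submission and the tampered one from the post.
const SAMPLE_VALID = "zip=12345";
const SAMPLE_TAMPERED = "zip=ABCDE12345";

console.log(handleZipPost(SAMPLE_VALID));
console.log(handleZipPost(SAMPLE_TAMPERED));
```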