Alberto Moro

1
Alberto Moro

• Bruteforcing Web Applications

2
Bruteforcing WebApps

• Introduction
• Why BF WebApps?
• BF Problems
• What BF

• Strategies
• Countermeasures
• References

3
Introduction

• What is Bruteforcing?
• Cryptanalysis method of defeating a
  cryptographic scheme by trying a large number of
  possibilities
• What is a Web Application?
• A Web application is generally comprised of a
  collection of scripts, that reside on a Web
  server and interact with databases or other
  sources of dynamic content
• Ex search engines, Webmails, shopping carts,
  portal systems, etc.

4
Introduction

• Bruteforcing Web Applications
• Method of enumerate (preferable automatically)
  all possible solutions for a given HTTP problem

HTTP requests (GET/POST)?
HTTP responses
Web Server
Auditor
5
Why BF WebApps?

• Most popular attacks are against Web Servers
• BF is a very good method for knowing more about
  your enemy
• Helps in looking for well know and new
  vulnerabilities
• Allows automation -gt distributed multi
  threating attacks
• Depending of the attack, when performed, many
  IDS/IPS won't be noticed

6
BF Problems

• Each environment is different
• You are not sure a priori what you should BF
• Key space varies from applications
• Responses are not homogeneous between servers or
  applications
• The analyst must have always the final word, we
  need all the responses for each possible solution

7
What BF

• Credentials
• Application user names
• Passwords
• URLs for discovering unlinked files and
  directories. Locate
• Administrative panels
• Default server scripts
• Badly secured internal pages

8
What BF

• Variable values
• Changing for new ones
• The application could take us to another worlds
  )?
• Injecting special data for discovering well known
  vulnerabilities or new ones
• Cross-Site Scripting
• SQL Injections
• Path transversal
• Fuzzing inject lot of data in different parts of
  the request, format strings (n, s) to retrieve
  memory information, DoS, code execution...

9
What BF

• SessionIDs
• Stored in the user cookies
• As parameter in the URL
• Into hidden input fields
• If the attack is successful, it will be possible
  to impersonate another users

10
Strategies

• Enumerating resources
• For each possible input, grab the response. If
  the response is a solution, then discard the
  rest.
• Enumerating users
• Try a lot of user names via dictionaries and
  discard bad responses (user doesn't exists try
  again)?
• Enumerating files
• Check response codes or returned text for every
  possible request. (200OK, 404Not Found)?

11
Strategies

• Attacking user's accounts
• One user, multiple passwords
• One password, multiple users (reverse BF)?
• SessionIDs
• Limit the key space
• Weak algorithms Request a lot of IDs and study
  possible sequential patrons
• Short IDs BF most of the key space

12
Strategies

• Access to unlinked parts of the application
• BF the variables present in the URLs
• http//www.server.com/inbox?uId124653
• Stored inside hidden fields ltform
  methodpostgt ltinput typeuId value124653gt lt/for
  mgt
• Or inside the cookies
• Cookie SESSIONID4032FE640CEB482AB432E1
  uId12564

13
Strategies

• Limiting the key space
• Password reminder application that sends the user
  an email link like this
• http//www.server.com/validate/00546489432441
• http//www.server.com/validate/41246489432436
• http//www.server.com/validate/26146489432451
• Keyspace of 1,000,000,000,000,000 limited to
  1,000,000 possible combinations
• 00046489432400
• ...
• 99946489432499

14
Examples
15
Examples

Nº
Codes Lines Words Requests
16
Examples
17
Examples
200 OK
301 Moved
403 Forbidden
18
Examples
19
Examples
20
Examples
21
Examples
22
Examples
23
Examples
24
Examples
25
Countermeasures
26
Countermeasures

• Weak Passwords discovering
• Account lockouts
• User lockout. Problem with legitimate
  user'sApplication layer Denial of Service
  (DoS)?
• IP Blocking. Problem ISP Proxies, NAT... DoS
  problem again, and the hacker's countermeasures
  Open Proxies, anonymous p2p networks (tor),
  distributed attacks, etc.
• Slow down responses incremental timeouts
• Captcha

27
Countermeasures

• Popular Client-Side languages (java, javascript
  and vbscript) calculations
• Good practices maintain good password policies
• Complexity
• Minimum password length
• Aging

28
Countermeasures

• User names enumeration
• Don't give too much information to the attacker
  (or customer)?
• SessionIDs
• Use strong cryptography algorithms
• Well known vulnerabilities
• Well known programming practices )?
• Other attacks
• Web Application Firewalls (WAF) like ModSecurity

29
References

• Burp Intruder PortSwiggerhttp//www.portswigger
  .net/intruder/
• Bruteforce-Force Exploitation of Web Application
  Session IDs - David Endler -iDefensehttp//www.cg
  isecurity.com/lib/SessionIDs.pdf
• Anti Brute Force Resource Metering -
  NGSSsoftwarehttp//www.ngssoftware.com/papers/NIS
  R-AntiBruteForce ResourceMetering.pdf
• Brute force attack - Wikipediahttp//en.wikipedia
  .org/wiki/Brute_force_attack
• Crowbar New generation web application brute
  force attack tool - Senseposthttp//www.sensepos
  t.com/research/crowbar/crowbar0861.pdf

30
References

• ModSecurity Web Application Firewallhttp//www.mo
  dsecurity.org/

31
Thank You