Web application security
Alik kicked things off by outlining the objectives of the session: 1) As developers, we need to apply sound security engineering principles to our applications. 2) We need to plan for security throughout the software development lifecycle. 3) The ultimate goal is to produce more secure systems.
Security dilemmas facing the developer were identified:
- How to authenticate users?
- How to authorize users?
- How to validate input?
- How to perform data access?
- How to handle exceptions?
- How to handle sensitive data?
- How to handle auditing and logging?
So, first on the agenda was traffic sniffing. Sniffing traffic (on this site, anyway) was easy to achieve by a) having the appropriate tools and b) having passwords sent as clear text. Alik demonstrated this to us and concluded that, where possible, you should use Windows authentication. Where this is not possible, use https:// for secure transmission.
Next on the list was SQL injection attacks. Alik performed an injection into the search field of the TechEd session lookup screen. The added SQL consisted of a search for a valid session plus a UNION with the SYSOBJECTS table. He then went on to locate any tables like '%login%' and finally performed a UNION on the LOGIN table to extract usernames and passwords. The lesson here was to ensure that you check the data types, data lengths and ranges of anything entered into your form fields.
This took us neatly onto exploiting over-privileged accounts. Again Alik inserted some extra commands into the search field:
;EXEC xp_cmdshell "net user username password"
where username and password were Alik's. He then remote desktopped to the TechEd server and logged in with his new extended privileges. The lesson here is to apply the principle of least privilege to the database account and to validate entry strings for correctness.
The next section related to exploiting a single gatekeeper, and Alik showed how easy it is to extract a password from the hash contained in the backup SAM file. The lesson here was to partition your website into physical folders and restrict access to each. Also, apply a defence in depth approach using multiple gatekeepers.
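The two lessons above (validate the type, length and range of form input; use multiple gatekeepers) can be shown side by side for the session search field. This is an added example, not code from the session or the demo site: an in-memory SQLite database stands in for the TechEd session lookup, the table and row contents are constructed, and a UNION search term of the kind Alik described is used to show that the concatenated query leaks the login row while each gate on its own stops it.

```python
import sqlite3

# Constructed stand-in for the TechEd session lookup database (not real data).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sessions (title TEXT);
        INSERT INTO sessions VALUES ('Web application security'),
                                    ('SQL Server performance tuning');
        CREATE TABLE login (username TEXT, password TEXT);
        INSERT INTO login VALUES ('demo_user', 'constructed-secret');
    """)
    return con

def search_vulnerable(con, term):
    """Search as the demo site did: the raw term is spliced into the SQL text."""
    sql = "SELECT title FROM sessions WHERE title LIKE '%" + term + "%'"
    return sorted(row[0] for row in con.execute(sql))

def validate_term(term):
    """Gate 1: check type, length and allowed characters before the term is used."""
    if not isinstance(term, str):
        raise ValueError("search term must be a string")
    if not 1 <= len(term) <= 50:
        raise ValueError("search term must be 1-50 characters")
    if not all(c.isalnum() or c in " -" for c in term):
        raise ValueError("search term contains disallowed characters")
    return term

def search_parameterised(con, term):
    """Gate 2: bind the term as a parameter, so the database never parses it as SQL."""
    sql = "SELECT title FROM sessions WHERE title LIKE ?"
    return sorted(row[0] for row in con.execute(sql, ("%" + term + "%",)))

def search_safe(con, term):
    """Both gates together: the defence in depth approach from the session."""
    return search_parameterised(con, validate_term(term))

# Constructed UNION search term of the kind described above (hypothetical).
UNION_TERM = "security' UNION SELECT username || ':' || password FROM login --"

if __name__ == "__main__":
    con = make_db()
    print(search_vulnerable(con, UNION_TERM))      # leaks the login row
    print(search_parameterised(con, UNION_TERM))   # [] - term treated as literal text
    try:
        search_safe(con, UNION_TERM)
    except ValueError as err:
        print("rejected:", err)                    # gate 1 stops it before any query runs
```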
The final topic was live search hacking where Alik described a number of methods for gleaning useful "hacker related" information from a system.
Whilst interesting in parts, the example scenarios were so contrived, and the security flaws so obvious that you were left wondering if the Three Stooges had been responsible for implementing security on the "bogus site".