| In This Issue |
Tech Talk News & Articles Reader Q&A Announcements Etcetera
|
| Tech Talk |
Protect Against Web Application Brute Force Attacks
The Black Hat conference a few weeks ago featured several sessions on web application attack techniques. One of the more interesting techniques discussed was the practice of brute forcing another person's session ID based on analysis of the URL.
Based on a URL, one can detect certain patterns in the creation scheme and then guess what other likely session IDs are being used. Based on that information it is possible, within some web applications, to retrieve information from other users.
This becomes a serious concern for home-grown web applications housing sensitive financial, medical, and legal information. We have already received reports of users from an unnamed medical site accidentally being able to pull up another patient's records. This particular incident was not an intentional misdirection, but with a little manipulation it is quite possible that every patient record could have been compromised from anywhere on the Internet.
The good news is that detecting this type of attack is fairly easy. The attack method is similar in nature to a port scan of a computer, which tries every door until it finds one it can open; a brute force attack on session IDs uses the same logic. For example, the following are valid session IDs within a URL – referred to as a URL space:
cgi-bin/session.cgi?sessargs=ae555YFrBTdYExs=
cgi-bin/session.cgi?sessargs=ae555GjXifhgYExs=
cgi-bin/session.cgi?sessargs=ae555EdasddkYExs=
cgi-bin/session.cgi?sessargs=ae555JeasklskYExs=
cgi-bin/session.cgi?sessargs=ae555GalslkekYExs=
From the above data, an attacker would attempt to brute force a key.
When administrators understand the logic of the brute force URL space hack, the best method of detection is to set up booby-trapped IDs which will trigger an alarm. Most web applications have functions that generate these IDs, and creating booby-trapped IDs is simply a matter of creating an exception list inside of the application. This exception list would contain IDs that never return data and that, upon any attempted use, alert the administrator that someone is attempting to brute force the web application.
Another way to simply prevent a brute force attack from occurring, if you use IIS as your web server, is by using an IIS application firewall (such as eEye's SecureIIS) which has an automated alerting mechanism for this type of attack built in.
Just as an attacker would, administrators can analyze the patterns and build an algorithm to guess the unknown parts within the URL space (referred to as "fuzzing"). Administrators do not actually need to guess, since in this scenario the code generation algorithms are at their disposal. Looking at the session arguments listed above (sessargs), we can see that the attacker will most likely fuzz inside the "=ae555" and "YExs=" boundaries.
Fuzzers are meticulous -- they usually try every possible combination within reason. This works to an administrator's advantage since we can be fairly certain that obvious IDs will be used such as:
cgi-bin/session.cgi?sessargs=ae555AAAAAAYExs=
cgi-bin/session.cgi?sessargs=ae555BBBBBBYExs=
cgi-bin/session.cgi?sessargs=ae555CCCCCCYExs=
cgi-bin/session.cgi?sessargs=ae555DDDDDDYExs=
Adding these obviously illicit session IDs to a keyword list within the application firewall and to an exception list within the web application code itself will allow administrators to monitor how many attempts are being made and also to drop those malicious requests before they can steal any vital information through the web application.
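As an added illustration (not code from the newsletter, nor from eEye's products), the following Python sketch shows the exception list and the alarm it drives: a set of booby-trapped IDs built from the fixed "ae555"/"YExs=" boundaries, a per-request check that drops a trap hit before any data lookup, and a pass over constructed web-server log lines that counts trap hits per source address. The Apache-style log format, the 6-8 character middle (the sample IDs vary in length) and the assumption that the generator always keeps those boundaries are mine.

```python
import re
import string
from collections import Counter

# Fixed boundaries seen in the newsletter's sample URL space. Assumption:
# the application's generator always keeps this prefix and suffix.
PREFIX, SUFFIX = "ae555", "YExs="

# Booby-trapped IDs: the obvious guesses a fuzzer tries first (AAAAAA, BBBBBB,
# ..., 000000). They are never issued to real users, so any request for one
# is an alarm. Lengths 6-8 cover the variable-length middle of the samples.
TRAP_IDS = {PREFIX + ch * n + SUFFIX
            for ch in string.ascii_uppercase + string.digits for n in (6, 7, 8)}

def trap_hit(sessargs: str) -> bool:
    """True if the requested session argument is on the exception list."""
    return sessargs in TRAP_IDS

def handle_request(client_ip: str, sessargs: str):
    """Per-request hook: drop trap hits before any data lookup and return an
    alert string for the administrator; otherwise let the application serve."""
    if trap_hit(sessargs):
        return "drop", f"ALERT: session ID brute force from {client_ip} ({sessargs})"
    return "serve", None

# Apache-style access log lines (constructed for this example).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2002:10:01:02 -0700] "GET /cgi-bin/session.cgi?sessargs=ae555AAAAAAYExs= HTTP/1.0" 200 512',
    '203.0.113.7 - - [12/Aug/2002:10:01:03 -0700] "GET /cgi-bin/session.cgi?sessargs=ae555BBBBBBYExs= HTTP/1.0" 200 512',
    '203.0.113.7 - - [12/Aug/2002:10:01:04 -0700] "GET /cgi-bin/session.cgi?sessargs=ae555CCCCCCYExs= HTTP/1.0" 200 512',
    '203.0.113.7 - - [12/Aug/2002:10:01:05 -0700] "GET /cgi-bin/session.cgi?sessargs=ae555GjXifhgYExs= HTTP/1.0" 200 4096',
    '198.51.100.5 - - [12/Aug/2002:10:02:00 -0700] "GET /cgi-bin/session.cgi?sessargs=ae555YFrBTdYExs= HTTP/1.0" 200 4096',
    '198.51.100.5 - - [12/Aug/2002:10:02:09 -0700] "GET /index.html HTTP/1.0" 200 1024',
]

LOG_LINE = re.compile(r'^(?P<ip>\S+) .*"GET /cgi-bin/session\.cgi\?sessargs=(?P<sess>[^ "]+)')

def scan_log(lines, threshold=3):
    """Count trap hits per source address over a log and return the sources
    that reached the alert threshold, e.g. {'203.0.113.7': 3}."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and trap_hit(m.group("sess")):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(handle_request("203.0.113.7", "ae555AAAAAAYExs="))
    print(scan_log(SAMPLE_LOG))
```

The same trap set can be loaded as a keyword list into an application firewall so the request is dropped at the edge, while the log pass gives the attempt count the article recommends monitoring.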
Thus, with a bit of investigation into how your web applications expose information in URLs, and a few customized changes to sidestep any possible fuzzers, your web application content can be better secured against unauthorized users. |
| News & Articles |
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
eWeek - Microsoft to Boost Security Response: "Microsoft is in the process of overhauling its security response process in an effort to get patches to customers more quickly and to make it easier for researchers to report vulnerabilities."
CRN - FBI Official Sees Terrorist Cyberattacks On Horizon: "An unscientific FBI survey of 223 companies found that 90 percent had suffered some sort of network intrusion and those that had logged $456 million in losses as a result. The average loss of $2 million was up from $400,000 just several years ago."
Microsoft bCentral - Hacking Into the Mind of a Hacker: "The first thing to know about computer 'hackers' is that the term itself is a point of dispute. Many people who hack into systems without criminal intent proudly label themselves 'hackers', and say they're the good guys and the bad guys should be called 'crackers' or something else."
eWeek - Gauging the Weak Points: "With all the attention that vendors and government authorities are lavishing on security, it would stand to reason that security would be improving. Not so. In fact, not only is security not improving, it's deteriorating at a rapid rate." |
| Reader Q&A |
Q: How do I use Retina to scan my machines for one specific vulnerability?
A: First, you will need to create a new Policy that contains only the vulnerability check that you wish to perform. This can be done by selecting 'Tools' and then 'Policies' within Retina.
Next, after having selected your new Policy, start a scan of your machines. The IP address of every machine scanned will appear in a list on the left of the Scanner pane. The IPs will be color-coded depending on the highest severity of vulnerability found.
Since you are only scanning for one vulnerability, only those IPs that are vulnerable will appear in color, allowing you to see which machines are vulnerable at a glance. You can also sort the machine list by IP address or by vulnerability by right-clicking in the pane.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter. |
| Announcements |
New Product: REM™ Remote Enterprise Management. Realizing the mission-critical nature of completely centralized events management, eEye Digital Security created REM, the Remote Enterprise Management system. Developed as an enterprise-class solution for centrally managing event logs (from programs like Retina and SecureIIS), REM solves the distributed network security dilemma faced by large enterprises.
Advisory: NAI's PGP Outlook Encryption Plug-in Vulnerability. A vulnerability in the NAI PGP Outlook plug-in can be exploited to execute attacker-supplied code on the target's computer. The vulnerability exists as a heap overflow in the interpretation and handling of the malformed email. The severity of this vulnerability is listed as High due to remote code execution.
Promotion: Retina Upgrade Program for CyberCop Clients. eEye is offering a competitive upgrade for all users of Network Associates' CyberCop vulnerability scanner. The upgrade program will permit registered CyberCop users to save 50% off the purchase of eEye's Retina® Network Security Scanner through the end of September 2002.
Promotion: Retina Maintenance Discount Offer for August. eEye is pleased to announce a special discount offer for maintenance renewals on Retina IP Pack licenses. Eligible clients will receive a 50% discount on the renewal of Retina maintenance. Eligible licenses include the IP Pack licenses with 768 IPs and up. The discount does not extend to the Retina Traveling license or to IP Packs that are 512 IPs and less. Maintenance renewal must be purchased in August 2002. |
| Etcetera |
Marc Maiffret Testifies for Congress on Cyber-Terrorism. This July, eEye's Chief Hacking Officer testified for the Congressional Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. The hearing was entitled "Cyber-Terrorism: Is the Nation's Critical Infrastructure Adequately Protected?". Marc's written testimony can be found here.
When Dreamcasts Attack. Kevin Poulsen for SecurityFocus writes: "Loaded with custom Linux-based software and covertly plugged into a spare network port under a desk or above a ceiling, the harmless-looking toy becomes the enemy within, probing the company firewall for a way out to the Internet." |
HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html
FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.
DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission. |