x’ or ‘a’=’a
The Chronicles of Daniel Hadaway the Ungeek and Owner of Neville Bartholomew’s Credentials!
So I need to prepare for my demonstration, to start the IBA’s IT Security Conference, called Hack Attack Live. Last year Matt Jonkman of Emerging Threats Pro blew away all the non-technical ISOs (and caused chuckles among the technicians) when he hacked into a website right before our very eyes. Evaluations came in on his talk saying things like “that guy scares me” and “he really knew his stuff.”
So this year, as we tried to out-do last year’s excellent conference, the big question was: “why not start the conference out with a Hack Attack Live?” We collectively knew a lot of really smart geeks who would be able to wow us one more time, and doing so would serve a worthy purpose: to set the mood for the conference that yes, there are still real vulnerabilities out there that we should be considering in our next risk assessment: our marketing sites.
But there was one problem: the hack-attack-live part of Matt’s presentation took a total of about 8 minutes. Matt warned us last year that this would be the case, but he had a talk already prepared (about Surricata and Honeypots and Sandnets and all kinds of cool uber-geek stuff they’re working on at Emerging Threats Pro).
Finding a technical person who could speak, and who’d be willing to speak for only 8 minutes, seemed daunting. That’s when I made the statement: “If I can do this, we’re all in trouble!!!!”
In other words, if a non-technical guy like me can learn how to hack into a website, then boy, we need to take likelihood up a few notches. Right? And other than not wanting me to put that actual statement in the marketing flyer, for fear it would turn people off to the entire conference, the folks at the IBA said “let’s do it. Sounds great! Dan will learn to hack into a website without any help from his technical staff.”
Yeah! Right on! No help from the geeks! All by myself. Yahoo!
That was in May.
May was a big month for me . . . . it was the month I delivered my “Megaconference Talk.” It was the month we started our 2010 risk assessment. It was the month we completely revised our Vendor Management tool set for an IBA workshop and it was the month I bought tickets to five White Sox games.
I took on a lot of challenges that month. I think it’s because of the spring weather or something. But yes, I might have bitten off a lot more than I should have in May.
And I agreed to the clause: without any help from the geeks!
Well I’m a firm believer that the best way to accomplish a task which starts off looking like a daunting task is to take the “salami approach.” Instead of staring at this huge, unappealing hunk of meat, cut it down to smaller, more attractive, more manageable slices.
So by early June, I had home-paged the OWASP home page (www.owasp.org . . . . check it out if you are serious about information security.) I figured that if OWASP loaded every time I launched my browser, I’d eventually find the time to learn how to hack into a website.
Without any help from the geeks.
By early July, I had found the Webgoat project, a REALLY COOL project that, if you take a “this-is-an-adventure-game” mentality with you, will teach you how vulnerabilities arise in a web application and, if you study hard, you can learn how to exploit those vulnerabilities (and mitigate them if you are a coder.) Webgoat is a series of lessons intended to teach developers how to bring a security mentality into the software development life cycle.
But that’s all I did. I made http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project my home page.
After a few weeks, I realized I was procrastinating. So indeed, I tried to read the Webgoat page several times.
In fact, the Webgoat page seemed to raise more questions in my non-technical mind than it provided answers. It had hundreds of links off-site. I couldn’t understand half of what I was reading on it. Each time I tried to read the Webgoat page, I finished a bit more scared than I was when I started. It assumed I’d understand words like catalina and tomcat and apache and sql and injection and . . . . . all without any help from the geeks.
I have to admit, I became guilty of the one thing I hate: procrastination. The “salami approach” wasn’t working
Then on August 9th, the FFIEC examiners left our Kokomo office. The “examination prep” phase of my busy year had officially evolved into the “IT Security Conference Prep Phase.” So it was on August 9th that I rolled up my sleeves and tried understanding the webgoat page. Boy did Wikipedia get a lot of hits that week! But instead of gaining just a little bit of confidence, I found myself wondering (by Friday the 13th, in fact) whether I’d really be able to do this.
But I stuck with it. I was still daunted, but I started following all the links off of that page. And little by little, the links that Webgoat sends you to started paying off. I mean, there were pages defining all the terms that were used to define the terms that were on the Webgoat page. There were MOVIES showing you how to successfully complete the labs. There were entire websites written by enthusiasts showing how to set up an Apache Tomcat Server (which is required in order to take the lessons).
The whole time I was more or less a “lurker,” meaning that I was reading, not participating, and surely not loading anything onto my computer. I was not going to do anything until I understood what I was doing. At least that was my starting theory. After a while, I realized that I was not going to completely understand what I was doing until I actually just did it. In other words, I was going to have to learn by doing as well as by reading.
Then finally, on a warm Saturday morning (August 28th), I decided I was ready to play the game. I felt confident enough that I’d at least be able to install the Apache Tomcat Server on my laptop. So, following one of the policies that I swear was in place BEFORE we entered the FFIEC Examination program, I emailed Sean Waugh, CISSP, MCSA for permission to install the Webgoat Project on an Infotex Information Asset (my laptop.) I sent him a link to the Webgoat page as well as a link to what I intended to download and launch. I admit, I was hoping he’d say “no way are you going to install that on our assets.” But he didn’t . . . .
His response was this: “Yes, go ahead and install, just make sure it isn’t running all the time by default and only when you manually start the application.”
Huh? Make sure what isn’t running all the time, by default? Make sure what isn’t running? The website? Can you shut off a website? Or was he meaning the server. Is the Apache Tomcat Server something you can shut off?
Well, I would have liked to ask Sean all those questions, but that would be cheating. Again, during Hack Attack Live I want to be able to say I learned this all by myself, by researching the web and NOT by asking my technical staff for help. So instead of downloading the files that I had thought I should download, I went back to the drawing board.
Meanwhile, I decided that no matter what, I was NOT going to install something I didn’t really understand on my shiny new laptop. So what I did was pull out the old laptop that the shiny new laptop replaced. I reinstalled Windows XP on it (thinking the entire time, is Tomcat going to work on something this old?) I even put Kaspersky on it, using one of my three licenses that I acquired when I installed Kaspersky on my shiny new laptop. I wanted to be sure that I wasn’t introducing a vulnerability to the infotex system. That would be really embarrassing.
Then I got the bright idea of disabling the wireless card on the laptop. That way, if I couldn’t shut Tomcat off, big deal, right? To this day I’m still a bit leery about what having this faulty website on my laptop will expose me to, so to play it safe, every time I fire up the old beast the first thing I do is check to make sure the wireless card is still disabled. Remember, I’m a non-technical person. I have no trust of technology. I want to be sure that what I turned off doesn’t automatically turn on again.
And, I can’t ask my geeks for help. Did I mention that?
Of course, getting Tomcat ON the laptop became a bit more problematic. I can’t remember exactly why, but I eventually decided I needed to enable the wireless card, download the tar file (or was it 7z?) , then disable the wireless card again.
I actually had to do this very thing one more time, on September 21st, when I realized that I needed a plugin for Firefox in order to tamper with input data. The plugin was actually called “tamper data.” And it had a very simple end-user license agreement that I had to acknowledge before it would allow me to install the plugin. That end-user license agreement is still scary to me. So scary that I did a print-screen of it so I could show it during the preface to Hack Attack Live. The end-user license agreement looked like this:
“This is a development and security testing tool, not unlike many others.
You are responsible for how you use it.”
Now I don’t know how it comes off to technical people, but to an Ungeek like me, that statement, as a license agreement, intimidates me. “You are responsible for how you use it.” Wow . . . .
I was tempted to ask Sean for permission to install it, but then decided that might be cheating because Sean would need to ask me why and the temptation was just too great that I would say, “I’m not sure, why would YOU install it?”
So I didn’t. Instead, I literally closed my eyes and pressed the “accept and install” button–
That’s not actually what I did. I double-clicked on the wireless adapter icon and had it there ready for me to press disable as soon as the plugin was done installing, and THEN I pressed “accept and install.” And then I immediately disabled my wireless card and as soon as the laptop beeped saying that the card was disabled, I checked it again just to be on the safe side.
So by September 21st I had learned to fire up an Apache Tomcat Server. I had installed Java on the old laptop. I had the ability to tamper with input data using my web browser. I learned that I had to put my browser in “on-line mode” even though I was truly off-line. I set up the webgoat website on my laptop.
And I had studied the SQL INJECTION lesson enough to know what I wanted to do.
And then I did it. Taking advantage of an authentication page that didn’t properly sanitize input data (by stripping out the syntax), I was able to implement a string sql injection and log into the Goat Hills Financial Human Resources application as Neville Bartholomew! Neville is the boss of that operation, and . . . . using the words of my geek friends . . . . I OWNED HIM.
Yes, I am ready for Hack Attack Live. Yes, I was able to do it without any help from my geeks.
And yes, interestingly, I want to take more lessons and learn more about web application vulnerabilities.
OWASP, you guys are doing great work. To teach a non-technical person like me how easy it is to hack into a poorly crafted website is a great thing in my book. It helps me understand what my developers are going through, and it helps bridge that communication gap between my technical clients and their management team.
I’m not saying I learned everything I should have learned . . . . . yet. I still don’t really know how to “discover” if a website has the type of sanitation problem that would allow me to implement my exploit. However, I did try the exploit on every single authentication interface my company has exposed to the web. (Fortunately, it didn’t work.)
And most importantly, this entire experience taught me a little bit beyond how to exploit a single vulnerability that I don’t really know how to find. For one, it taught me that we are indeed all in trouble, if we don’t take application security more seriously. (Remember: If Dan can do it, we’re ALL in trouble.) But the experience also taught me that we non-technical people CAN roll up our sleeves and start learning what the geeks wish we’d understand. And it taught me that it doesn’t really take that much time to learn these things. It seems daunting, but if you stick with it, you eventually will understand what you need to know.
And hey, it taught me that my old laptop isn’t dead after all!
Thank you, OWASP!
Dan’s New Leaf is a blog by:
Dan Hadaway, CISA, CISM, CRISC