
1 Into the Mind of the Hacker: Hands-On Web Application Hacking
Adam Doupé
University of California, Santa Barbara
4/23/12

2 Overview
Think like a hacker
SQL injection
Cross-site scripting (XSS)
Doupé - 4/23/12

3 Me
7 years as UCSB student
–2nd year PhD student
~1 year at Microsoft as Software Dev
Research securing web applications
Professional pentester

4 Web Hacks
LulzSec – 2011
–Hacked into Arizona law enforcement
UCLA – 2006
–800,000 identities stolen
University of Texas, Austin – 2006
–197,000 student records stolen

5 UCSB Hacks
2005
–http://www.dailynexus.com/2005-03-30/altered-grades-lead-to-students-arrest/
2000
–http://news.bbc.co.uk/2/hi/business/640087.stm

6 Definitions
Security
Vulnerability
Exploit
Hacker

7 Ethics
Only hack into sites you own
–Or you have permission
You will get caught

8 Hacker Mindset
Motivation
–Fame
–Money
–Lulz
Understand the application
–Build mental model
Only need to find one flaw

9 Injection Vectors
User input to the application
Web application
–Query parameters
–POST parameters
–Cookies
–Referer header
–Files

10 Burp Proxy
Intercepts traffic between you and website
–Can manipulate the request directly
Industry quality
–I use the full version professionally
Demo

11 WackoPicko
Background
Added functionality
–Reset
Self-guided exploration

12 SQL Injection
Allows attacker to alter semantics of SQL query
Consequences
–Steal database
–Alter database
–Bypass login

13 SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "10"
select * from `users` where `id` = '10';

14 SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "-1 or 1=1"
select * from `users` where `id` = '-1 or 1=1';

15 SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "-1' or 1=1"
select * from `users` where `id` = '-1' or 1=1';

16 SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "-1' or 1=1; #"
select * from `users` where `id` = '-1' or 1=1; #';

17 SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "-1'; drop table `users`;#"
select * from `users` where `id` = '-1'; drop table `users`;#';

18 SQL Injection – Examples
"select * from `users` where `id` ='" + $id + "';"
$id = "-1'; insert into `admin` ('username', 'password') values ('adamd', 'pwned');#"
select * from `users` where `id` = '-1'; insert into `admin` ('username', 'password') values ('adamd', 'pwned');#';

19 SQL Injection – Detection
Passive – Look for success
–1+2
–(select 2)
Active – Look for errors
–O'Malley
–< 10

20 SQL Injection – WackoPicko
Where is it possible?
–Imagine how the application works
Guided exploration

21 SQL Injection – WackoPicko
login.php
–What is the error message?
–What does the query look like?
Guided attacking
Demo!

22 SQL Injection – Second Order
Result of query used unsanitized in another query
$location = "select location from pizza where id = 1;"
$vuln = "select name from pizza where location = $location"
Where in WackoPicko?
Self-guided exploration

23 SQL Injection – Second Order
register.php
Self-guided attacking
Completed exploit
–Create user with firstname of ' or 1=1#
–Then visit similar names page
–See all users

24 SQL Injection – Prevention
Prepared statements
–Specify structure of query then provide arguments
Prepared statements – example
$stmt = $db->prepare("select * from `users` where `username` = :name and `password` = SHA1(CONCAT(:pass, `salt`)) limit 1;");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
$stmt->execute();
Sanitize inputs
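An added example (not the slides' or WackoPicko's own code) covering both the login-style injection of slides 13-18 and the second-order "similar names" case of slides 22-23: a constructed in-memory SQLite table stands in for the users table, the stored first name is concatenated raw into one lookup and bound as a parameter in the other. SQLite's line comment is `--` rather than MySQL's `#`, so the stored payload uses that; the schema and function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for WackoPicko's users table (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer primary key, username text, firstname text)")
    db.executemany("insert into users (username, firstname) values (?, ?)",
                   [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol")])
    db.commit()
    return db


def register(db, username, firstname):
    # Registration binds its parameters, so a quote in firstname is stored literally.
    db.execute("insert into users (username, firstname) values (?, ?)", (username, firstname))
    db.commit()


def stored_firstname(db, username):
    row = db.execute("select firstname from users where username = ?", (username,)).fetchone()
    return row[0]


def similar_names_vulnerable(db, firstname):
    # Second-order sink: the value comes from the database, not the request,
    # but it was user-controlled at registration time and is spliced into SQL.
    query = f"select username from users where firstname = '{firstname}'"
    return [row[0] for row in db.execute(query)]


def similar_names_safe(db, firstname):
    # Placeholder binding: query structure is fixed first, the value is sent separately.
    query = "select username from users where firstname = ?"
    return [row[0] for row in db.execute(query, (firstname,))]


def demo():
    # Constructed scenario: a user whose first name is the slide-23 payload.
    db = make_db()
    register(db, "mallory", "' or 1=1 --")
    name = stored_firstname(db, "mallory")
    # Vulnerable lookup returns every user; bound lookup returns only the literal match.
    return similar_names_vulnerable(db, name), similar_names_safe(db, name)
```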

25 XSS
Malicious JavaScript running in the context of your web application
Consequences
–Steal cookies
–Perform actions as the user
–Present fake login form

26 XSS – Examples
Hello <?php echo $name; ?>

27 XSS – Examples
$name = "adam";
Hello adam

28 XSS – Examples
$name = "<script>alert('xss');</script>";
Hello <script>alert('xss');</script>

29 XSS – Detection
Understand how input is used in HTML source
Input "forbidden" characters
–< >
–' " ; /
Understand what sanitization is performed

30 XSS – WackoPicko
Where might there be an XSS?
Guided exploration

31 XSS – WackoPicko
search.php
Self-guided attacking
–Can you get an alert box to appear?
Demo – Fake login form

32 XSS – WackoPicko
Where does WackoPicko store data?
Where is this echoed to the user?
Self-guided exploration

33 XSS – WackoPicko
guestbook.php
–Can you get an alert box to appear?
Demo – stealing cookies
HttpOnly for cookies!

34 XSS – Prevention
Sanitize all user inputs using known sanitization routine
Depends on context
–< > necessary in HTML
–Only need ' in JavaScript
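An added example (not from the slides) of the context-dependent escaping slide 34 describes and the HttpOnly mitigation from slide 33: the slide-28 payload is rendered once into an HTML body and once into a JavaScript string literal, each with the escaping that context needs. Function names and the cookie header are assumptions.

```python
import html
import json

# Constructed sample input: the payload from slide 28.
NAME = "<script>alert('xss');</script>"


def render_hello_html(name):
    # HTML body context: &, <, >, " and ' are all entity-encoded, so the
    # browser shows the text instead of parsing a new element.
    return "Hello " + html.escape(name, quote=True)


def js_string_literal(name):
    # JavaScript string context: JSON encoding handles quotes and backslashes,
    # but the HTML parser still ends a <script> block at "</script>" inside a
    # string, so < and > are additionally written as \u escapes.
    return json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")


def js_roundtrip_ok(name):
    # The escaped literal must still decode to exactly the original value.
    return json.loads(js_string_literal(name)) == name


def session_cookie_header(session_id):
    # Slide 33's mitigation: HttpOnly stops document.cookie from reading the
    # session cookie even when a script payload does execute.
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; Path=/"
```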

35 Review
Hacker mindset
–Understand the application
–Build a mental model
–Break the mental model
Generalize to your applications

36 Tools
Wireshark
Burp Proxy
SQLMap
WackoPicko
OWASP Broken Web Apps Project
Google Gruyere

37 Questions?
Go forth and hack! (ethically, of course)
adoupe@cs.ucsb.edu

