Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Overview
Think like a hacker
SQL injection
Cross-site scripting (XSS)
Doupé - 4/23/12

Me
7 years as UCSB student
–2nd year PhD student
~1 year at Microsoft as Software Dev
Research securing web applications
Professional pentester

Web Hacks
LulzSec – 2011
–Hacked into Arizona law enforcement
UCLA – 2006
–800,000 identities stolen
University of Texas, Austin – 2006
–197,000 student records stolen

UCSB Hacks
2005 – …30/altered-grades-lead-to-students-arrest/
2000 – http://news.bbc.co.uk/2/hi/business/…stm

Definitions
Security
Vulnerability
Exploit
Hacker

Ethics
Only hack into sites you own
–Or you have permission
You will get caught

Hacker Mindset
Motivation
–Fame
–Money
–Lulz
Understand the application
–Build mental model
Only need to find one flaw

Injection Vectors
User input to the application
Web application
–Query parameters
–POST parameters
–Cookies
–Referer header
–Files

Burp Proxy
Intercepts traffic between you and website
–Can manipulate the request directly
Industry quality
–I use the full version professionally
Demo

WackoPicko
Background
Added functionality
–Reset
Self-guided exploration

SQL Injection
Allows attacker to alter semantics of SQL query
Consequences
–Steal database
–Alter database
–Bypass login

SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "10"
select * from `users` where `id` = '10';

SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "-1 or 1=1"
select * from `users` where `id` = '-1 or 1=1';

SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "-1' or 1=1"
select * from `users` where `id` = '-1' or 1=1';

SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "-1' or 1=1; #"
select * from `users` where `id` = '-1' or 1=1; #';

SQL Injection – Example
"select * from `users` where `id` ='" + $id + "';"
$id = "-1'; drop table `users`;#"
select * from `users` where `id` = '-1'; drop table `users`;#';

SQL Injection – Examples
"select * from `users` where `id` ='" + $id + "';"
$id = "-1'; insert into `admin` ('username', 'password') values ('adamd', 'pwned');#"
select * from `users` where `id` = '-1'; insert into `admin` ('username', 'password') values ('adamd', 'pwned');#';

SQL Injection – Detection
Passive – Look for success
–1+2
–(select 2)
Active – Look for errors
–O'Malley
–< 10

SQL Injection – WackoPicko
Where is it possible?
–Imagine how the application works
Guided exploration

SQL Injection – WackoPicko
login.php
–What is the error message?
–What does the query look like?
Guided attacking
Demo!

SQL Injection – Second Order
Result of query used unsanitized in another query
$location = "select location from pizza where id = 1;"
$vuln = "select name from pizza where location = $location"
Where in WackoPicko?
Self-guided exploration

SQL Injection – Second Order
register.php
Self-guided attacking
Completed exploit
–Create user with firstname of ' or 1=1#
–Then visit similar names page
–See all users

SQL Injection – Prevention
Prepared statements
–Specify structure of query then provide arguments
Prepared statements – example
$stmt = $db->prepare("select * from `users` where `username` = :name and `password` = SHA1(CONCAT(:pass, `salt`)) limit 1;");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
$stmt->execute();
Sanitize inputs

XSS
Malicious JavaScript running in the context of your web application
Consequences
–Steal cookies
–Perform actions as the user
–Present fake login form

XSS – Examples
Hello (followed by $name, echoed into the page unescaped)

XSS – Examples
$name = "adam";
Hello adam

XSS – Examples
$name = "<script>alert('xss');</script>";
Hello <script>alert('xss');</script>

XSS – Detection
Understand how input is used in HTML source
Input "forbidden" characters
–<
–' " ; /
Understand what sanitization is performed

XSS – WackoPicko
Where might there be a XSS?
Guided exploration

XSS – WackoPicko
search.php
Self-guided attacking
–Can you get alert box to appear?
Demo – Fake login form

XSS – WackoPicko
Where does WackoPicko store data?
Where is this echoed to the user?
Self-guided exploration

XSS – WackoPicko
guestbook.php
–Can you get an alert box to appear?
Demo – stealing cookies
HttpOnly for cookies!

XSS – Prevention
Sanitize all user inputs using known sanitization routine
Depends on context
–< necessary in HTML
–Only need ' in JavaScript
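The following is an added example, not code from the slides or from WackoPicko: it takes the "Hello $name" rendering from the XSS example slides and puts it beside escaped versions for the two output contexts the prevention slide distinguishes (HTML body versus a JavaScript string), plus a reflection probe in the spirit of the detection slide: feed the "forbidden" characters in and check whether they come back verbatim. Python's standard html and json modules stand in for whatever the page's PHP templates would use; the function names and probe string are assumptions. One caveat beyond the slide: inside a script element the HTML parser runs before the JavaScript engine, so a JavaScript-string context also has to neutralise "</", or a "</script>" in the value ends the element.

```python
# Added example, not from the slides: the "Hello $name" rendering beside
# context-specific escaping (HTML body vs. JavaScript string) and a
# reflection probe for the detection slide's "forbidden" characters.
import html
import json

# Probe string built from the detection slide's forbidden characters (constructed)
FORBIDDEN = "<>'\";/"


def render_unsafe(name):
    """The slides' page: the name is echoed into the HTML body unescaped."""
    return "Hello " + name


def render_html(name):
    """HTML-body context: entity-encode & < > \" and ' before echoing."""
    return "Hello " + html.escape(name, quote=True)


def render_js_unsafe(name):
    """The same mistake inside a JavaScript string literal."""
    return "<script>var name = '" + name + "';</script>"


def render_js(name):
    """JavaScript-string context: JSON-encode the value (quotes, backslashes and
    control characters escaped), then also break up "</" so a "</script>" inside
    the string cannot end the element before the JavaScript engine ever sees it."""
    return "<script>var name = " + json.dumps(name).replace("</", "<\\/") + ";</script>"


def reflected_verbatim(render, probe=FORBIDDEN):
    """Detection check: does the probe survive rendering unmodified? True means
    this output context applies no sanitization to these characters."""
    return probe in render(probe)


if __name__ == "__main__":
    xss = "<script>alert('xss');</script>"
    print(render_unsafe(xss))   # the script element lands in the page
    print(render_html(xss))     # Hello &lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;
    js_breakout = "'; alert('xss'); //"
    print(render_js_unsafe(js_breakout))  # the quote is closed early; alert() runs
    print(render_js(js_breakout))         # the whole value stays one string literal
    print(render_js("</script>"))         # <script>var name = "<\/script>";</script>
    for fn in (render_unsafe, render_html, render_js_unsafe, render_js):
        print(fn.__name__, "reflects probe verbatim:", reflected_verbatim(fn))
```

reflected_verbatim is the cheap first check from the detection slide turned into code: if the forbidden characters come back untouched, the context performs no sanitization and the next step is to read the surrounding HTML source to see which of them matters there. The two escaped renderers give a different answer for the same probe, which is the prevention slide's point that the right routine depends on where the value lands.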

Review
Hacker mindset
–Understand the application
–Build a mental model
–Break the mental model
Generalize to your applications

Tools
Wireshark
Burp Proxy
SQLMap
WackoPicko
OWASP Broken Web Apps Project
Google Gruyere

Questions?
Go forth and hack! (ethically, of course)