Presentation is loading. Please wait.

Presentation is loading. Please wait.

Crash Course in Web Hacking

Published byFerdinand Snow Modified over 8 years ago

Similar presentations

Presentation on theme: "Crash Course in Web Hacking"— Presentation transcript:

1 Crash Course in Web Hacking
Mike Gerschefske Crash Course in Web Hacking

2 Hacking is illegal (most of the time)
Understand the laws Port Scanning can be considered illegal Post 9/11 can be act of terrorism DMCA Exceptions Educational Learning (Institution)

3 Who cares about web hacking?
The days of buffer overflows and root boxes are nearing an end… Non executing stacks People patching their systems Everything is turning into a web system

4 Power of Google Google knows all SSN/Credit Card, backend sql
intitle:snc-rz30 inurl:home/ Robots.txt Don’t put secrets in here

5 Power of the web browser
Is capable of HTTP GET/POST Capable of sending any kind of GET/POST Doesn’t have to run client side code (ie javascript) Can send anything it wants to Can be Bad: url: Vertical Escalation

6 Bad Code = Bad Security You are not able to control client end:
Cookies Do not put User Level (admin, user, etc.) Vertical Escalation Do not put user id Horizontal Escalation Posts Gets Session IDs All Data

7 Museum Example Code from two years ago: 1 #!/usr/bin/perl …
7 $first = param('first'); 8 $last = param('last'); 9 $password = param('password'); 10 25 if (($first eq "") || ($last eq "") || (! $password eq "unbreakable")) { 26 print "<p>Could not understand or wrong password!!</p>"; 27 } 28 else { 29 system "cat ./museum_ideas/${first}.${last}";

8 Some Good Combinations
Dump the password file: First Name: . Last Name : /../../../../etc/passwd Password  : unbreakable Delete the whole directory: First Name: NOTEMPTY Last Name : & rm -rf /home/museum/public_html/cgi_bin/museum_ideas

9 Command Injection This is basic idea of command injection
Security through obscurity sometimes works Some people are very diligent

10 SQL Injections We can send commands, why not sql? What is SQL?
What can we do with SQL? Get any data we want (that the user has access to) Delete all the data the user has access to If user is root, dump database If user is root, can upload and execute java/c from database and root box

11 How to protect against it?
Check parameters Not really… Need to do SQL parameterization when at all possible Mark strings as strings, ints as ints SELECT * WHERE name

12 Why doesn’t checking params work?
If you’re really smart it will, but if you don’t understand the problem it wont This is a very difficult problem to understand Example: The problem is the ‘ (apostrophe) is a special character To fix we just find and replace all apostrophe’s with two ‘’ as that’s how we insert apostrophes in a string NO!

13 Second Level SQL Injection
The problem actually isn’t solved, just more complicated Take: Username = ' OR 'a' = 'a‘ SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a''

14 Goes in fine but coming out…
Get username from DB and put in var Var contains SQL We TRUST DB to give us good data Create another SQL Query and the second one is now vulnerable SELECT content FROM database WHERE username = VUNSQL

15 XSS – Cross Site Scripting
Malicious injection of JavaScript Cookie Hi-jacking MySpace – Replicate itself, add friends Samy - <script> document.write(“<img src= “ + document.cookie) </script>

16 Xpath Injection //user[name/test() = ‘’ or 1=1 or ‘’ and password/text() = ‘junk’] Used with: XML RPC SOAP/WSDL

17 IDS Will Find You SQL/Command Injection is very easy to detect
IDS poor at packet fragmentation with timing attacks

18 Profiling Need to know what you’re attacking Can search for exploits
HEAD / HTTP/1.0 Example Everyone’s a little different Nmap is a good profiler Nessus will profile too

19 Tools Add N Edit Cookie – Mozilla Firefox extension Wget
TamperData – FireFox Modify Headers - FireFox Curl Netcat/Telnet Proxies Paros Proxy – Free Fiddler – Microsoft, Free Spike – Free

20 Timing Attacks Breaking Authentication
Username and password wrong may take x time while username doesn’t exist takes y time Successful timing attacks against encryption

21 ASP.NET Exploit Debugging (source code) only available to localhost
Bypass this check by sending the following: GET HTTP/1.0 Check’s server name variable rather then remote address

22 Mod_security

23 Replay Attacks Socrebot deletes flag Scorebot adds flag
Since the scorebot goes to everyone we have the delete and add sequence Can potentially replay same delete sequence across all enemy servers

24 Log Evasion Many logs only log ~4K of URL
Prevents DOS from filling up logs If payload at the end of 4k, wont log malicious payload YPAYLOAD Application ignores foo parameter Log shows up as GET /page.asp … Not just IIS, Sun One App Server

Download ppt "Crash Course in Web Hacking"

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
ACM Web Development Workshop - PHP By Luis Torres.

ACM Web Development Workshop - PHP By Luis Torres.
Penetration Testing Training Day Capture the Flag Training.

Penetration Testing Training Day Capture the Flag Training.
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.

Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.

Similar presentations

Ads by Google