Download presentation
Presentation is loading. Please wait.
1
Crash Course in Web Hacking
Mike Gerschefske Crash Course in Web Hacking
2
Hacking is illegal (most of the time)
Understand the laws Port Scanning can be considered illegal Post 9/11 can be act of terrorism DMCA Exceptions Educational Learning (Institution)
3
Who cares about web hacking?
The days of buffer overflows and root boxes are nearing an end… Non executing stacks People patching their systems Everything is turning into a web system
4
Power of Google Google knows all SSN/Credit Card, backend sql
intitle:snc-rz30 inurl:home/ Robots.txt Don’t put secrets in here
5
Power of the web browser
Is capable of HTTP GET/POST Capable of sending any kind of GET/POST Doesn’t have to run client side code (ie javascript) Can send anything it wants to Can be Bad: url: Vertical Escalation
6
Bad Code = Bad Security You are not able to control client end:
Cookies Do not put User Level (admin, user, etc.) Vertical Escalation Do not put user id Horizontal Escalation Posts Gets Session IDs All Data
7
Museum Example Code from two years ago: 1 #!/usr/bin/perl …
7 $first = param('first'); 8 $last = param('last'); 9 $password = param('password'); 10 25 if (($first eq "") || ($last eq "") || (! $password eq "unbreakable")) { 26 print "<p>Could not understand or wrong password!!</p>"; 27 } 28 else { 29 system "cat ./museum_ideas/${first}.${last}";
8
Some Good Combinations
Dump the password file: First Name: . Last Name : /../../../../etc/passwd Password : unbreakable Delete the whole directory: First Name: NOTEMPTY Last Name : & rm -rf /home/museum/public_html/cgi_bin/museum_ideas
9
Command Injection This is basic idea of command injection
Security through obscurity sometimes works Some people are very diligent
10
SQL Injections We can send commands, why not sql? What is SQL?
What can we do with SQL? Get any data we want (that the user has access to) Delete all the data the user has access to If user is root, dump database If user is root, can upload and execute java/c from database and root box
11
How to protect against it?
Check parameters Not really… Need to do SQL parameterization when at all possible Mark strings as strings, ints as ints SELECT * WHERE name
12
Why doesn’t checking params work?
If you’re really smart it will, but if you don’t understand the problem it wont This is a very difficult problem to understand Example: The problem is the ‘ (apostrophe) is a special character To fix we just find and replace all apostrophe’s with two ‘’ as that’s how we insert apostrophes in a string NO!
13
Second Level SQL Injection
The problem actually isn’t solved, just more complicated Take: Username = ' OR 'a' = 'a‘ SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a''
14
Goes in fine but coming out…
Get username from DB and put in var Var contains SQL We TRUST DB to give us good data Create another SQL Query and the second one is now vulnerable SELECT content FROM database WHERE username = VUNSQL
15
XSS – Cross Site Scripting
Malicious injection of JavaScript Cookie Hi-jacking MySpace – Replicate itself, add friends Samy - <script> document.write(“<img src= “ + document.cookie) </script>
16
Xpath Injection //user[name/test() = ‘’ or 1=1 or ‘’ and password/text() = ‘junk’] Used with: XML RPC SOAP/WSDL
17
IDS Will Find You SQL/Command Injection is very easy to detect
IDS poor at packet fragmentation with timing attacks
18
Profiling Need to know what you’re attacking Can search for exploits
HEAD / HTTP/1.0 Example Everyone’s a little different Nmap is a good profiler Nessus will profile too
19
Tools Add N Edit Cookie – Mozilla Firefox extension Wget
TamperData – FireFox Modify Headers - FireFox Curl Netcat/Telnet Proxies Paros Proxy – Free Fiddler – Microsoft, Free Spike – Free
20
Timing Attacks Breaking Authentication
Username and password wrong may take x time while username doesn’t exist takes y time Successful timing attacks against encryption
21
ASP.NET Exploit Debugging (source code) only available to localhost
Bypass this check by sending the following: GET HTTP/1.0 Check’s server name variable rather then remote address
22
Mod_security
23
Replay Attacks Socrebot deletes flag Scorebot adds flag
Since the scorebot goes to everyone we have the delete and add sequence Can potentially replay same delete sequence across all enemy servers
24
Log Evasion Many logs only log ~4K of URL
Prevents DOS from filling up logs If payload at the end of 4k, wont log malicious payload YPAYLOAD Application ignores foo parameter Log shows up as GET /page.asp … Not just IIS, Sun One App Server
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.