Matthew Hughes. Who am I? Pen tester Coder Blogger All around nice guy.
Who am I? Ethical Hacking for Computer Security BSc Internship at Mad Security Internship at St Noble/MMV – 2011 Developer at CIC Unemployed “Entrepreneur” – Current

What is this all about then? Most web applications are insecure. Secure coding is hard. Developers generally don’t know how to test their own sites. Insecure web applications are generally bad.

Why should you care? Security breaches are very expensive. Security breaches make you look like a moron. It’s fairly easy to mitigate against them. Hacking is fun. Security consultants are fucking expensive.

What will this talk cover? This talk is not exhaustive. It will only cover a fraction of the basics. It will discuss various kinds of attack you can expect your application to endure. It will give you an understanding of how to test for security vulnerabilities in your application.

What will this talk cover? Detection Reflected XSS Stored XSS XSRF SQLi Mitigation Vulnerability disclosure

What will this talk cover? This talk is an introduction. It won’t cover everything. Web application security is a HUGE domain.

A bit of history… 1995 – Most websites were still static pages written in plain HTML – Perl and PHP gained popularity, and their relative ease of use allowed beginners to build dynamic web apps without understanding what they were exposing. And it sorta goes downhill from there…

So, what happened next? Nobody really understood the risks involved with dynamic websites. More and more companies began to rely on web apps. More and more companies experienced security breaches… Which for the most part has been fun to watch…

Notable examples Sony PSN Hack (2011) Personal information from 77 million accounts was leaked, reportedly via SQLi. The biggest leak in history at the time. The outage lasted 24 days. Sony estimated the total cost at $171 Million USD.

Notable Examples TJX Hack (2005–2007) Over 45 million credit and debit card numbers were leaked. The attackers got in through weakly protected (WEP) store wireless networks and sniffed card data as it crossed the payment network; the same crew later used SQLi against other retailers. The breach cost TJX more than $200 million.

Samy worm (2005) Samy Kamkar used a stored XSS vulnerability in MySpace profiles: anyone who viewed his profile automatically sent him a friend request and had “but most of all, Samy is my hero”, plus a copy of the exploit code, added to their own profile. Because the payload copied itself, it spread from every infected profile. Within 20 hours, over a million users had their pages compromised.

What conclusions can we draw? Security breaches can happen to large corporations with huge amounts of resources. Security breaches are expensive. Really expensive. They can also be pretty funny.

Cross Site Scripting (XSS) XSS happens when user-controlled input is written into a page without being correctly encoded for the place it lands, so the browser treats it as markup or script instead of data. It is either reflected straight back in the response (reflected XSS) or stored within the application and rendered for each subsequent user who views it (stored XSS). Whilst a popup box may seem harmless, the attacker's script runs with the full privileges of the victim's session on your origin: it can steal cookies (if they are not HttpOnly), rewrite the page for social engineering, read anti-XSRF tokens and submit forms on the user's behalf.

Cross Site Scripting (XSS) The classic proof-of-concept payload is <script>alert('xss')</script>. Some sites, in order to “mitigate” XSS, forbid the word alert… This doesn't really mitigate anything. Just use prompt (or confirm, or any of the hundreds of other ways to execute JavaScript), as we will see on the next slide… Blocklisting keywords is not a defence; encoding output for its context is. When your input lands inside a quoted attribute value (for example <input value="…">) rather than in the page body, close the attribute and the tag first by starting the payload with ">: "><script>alert('xss');</script>
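The following is an added example, not code from the talk: a hypothetical page fragment (constructed here) that echoes a search term both in a text node and in a quoted attribute. It shows why stripping the word alert does nothing, why the "> prefix escapes an attribute, and what proper HTML encoding does to the same payloads. The template and helper names are assumptions for this demonstration.

```python
import html

# Constructed page fragment: the visitor's search term is echoed into a
# text node and pre-filled into a double-quoted attribute.
TEMPLATE = '<p>Results for {q}</p>\n<input type="text" value="{q}">'

# Constructed payloads. The second one closes value="..." and the <input>
# tag before opening a script tag, and uses prompt to dodge an alert filter.
PAYLOAD_TEXT = "<script>alert('xss')</script>"
PAYLOAD_ATTR = "\"><script>prompt('xss')</script>"


def render_unsafe(q: str) -> str:
    # Raw reflection: whatever the user sent is written straight into the HTML.
    return TEMPLATE.format(q=q)


def render_blocklist(q: str) -> str:
    # The "forbid alert" defence from the slide: removes one function name
    # and nothing else. Any other way of running JavaScript sails through.
    return TEMPLATE.format(q=q.replace("alert", ""))


def render_escaped(q: str) -> str:
    # Encode for the HTML-text and quoted-attribute contexts: & < > " and '
    # become entities, so the browser can only ever treat the input as data.
    return TEMPLATE.format(q=html.escape(q, quote=True))


def contains_live_script(page: str) -> bool:
    # Crude check for this demo only: is there a real (unescaped) <script
    # tag in the rendered output? An escaped one appears as &lt;script.
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe),
                         ("blocklist", render_blocklist),
                         ("escaped", render_escaped)):
        for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
            print(f"{name:9} {contains_live_script(render(payload))!s:5} {render(payload)!r}")
```

html.escape covers text nodes and quoted attribute values, which is where most reflected input ends up. It is not enough for unquoted attributes, href="javascript:…" URLs, inline event handlers or data dropped inside a <script> block; those contexts need their own encoding, or better, should never take user data at all. In practice you want an auto-escaping template engine rather than hand-rolled calls.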

Cross Site Scripting (XSS)

SQL Injection Most dynamic websites sit on top of a data store, and most of those are queried with SQL. Because the core of SQL is standardised, the basic injection techniques carry across DBMSs, although the details (comment syntax, string functions, whether stacked queries are allowed) differ between MySQL, PostgreSQL, MS SQL, Oracle and SQLite. An ORM only protects you while you use its query builder with bound parameters; a raw query assembled by string concatenation is exactly as injectable as hand-written SQL. NoSQL databases are not immune either: they have their own injection attacks (operator injection into query documents, for example). Just not SQL ones.

SQL Injection Consider the following SQL query, built by concatenating the user's input into the string: SELECT * FROM users WHERE username = '<input>' What would happen if we were to put in the following parameter? dave' OR '1'='1 The query becomes SELECT * FROM users WHERE username = 'dave' OR '1'='1' and since one does equal one, it returns every row in the table. With a UNION query (x' UNION SELECT … ) the attacker can read data out of other tables, password hashes included. Where the database driver allows stacked queries, a payload such as '; INSERT INTO users … can also write data, creating the potential to create new accounts.

SQL Injection SQL Injection can also be used to bypass authentication. Consider the following SQL query: SELECT * FROM users WHERE username = '<user>' AND password = '<pass>' What would happen if you were to pass it the following username? admin' -- The quote closes the string and the comment marker discards the rest of the statement, including the password check, so the query becomes SELECT * FROM users WHERE username = 'admin' You can now authenticate against any account without knowing the password… (Note that MySQL requires a space after --; # works there as well.)
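An added, runnable version of the two slides above, not code from the talk. It uses Python's built-in sqlite3 against a constructed in-memory database (two users and a secrets table, all invented here) and contrasts string-concatenated queries with parameterised ones. The table layout, the plaintext passwords and the function names are assumptions made for the demonstration; a real application would store password hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not from the talk.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'correct horse'), ('dave', 'hunter2');
        CREATE TABLE secrets (secret TEXT);
        INSERT INTO secrets VALUES ('api-key-0001');
    """)
    return conn


def find_user_unsafe(conn, username: str) -> list:
    # String concatenation: the user's input becomes part of the SQL text,
    # so quotes, OR, UNION and comment markers are all interpreted.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def login_unsafe(conn, username: str, password: str):
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def find_user_safe(conn, username: str) -> list:
    # Placeholder binding: the driver sends the value separately from the
    # statement, so it is only ever compared, never parsed as SQL.
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def login_safe(conn, username: str, password: str):
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return rows[0][0] if rows else None


def demo() -> dict:
    conn = make_db()
    return {
        # 'dave' OR '1'='1  ->  every row comes back
        "all_users": find_user_unsafe(conn, "dave' OR '1'='1"),
        # UNION with a matching column count reads another table entirely
        "union": find_user_unsafe(conn, "x' UNION SELECT secret FROM secrets -- "),
        # admin' --  comments out the password check
        "bypass": login_unsafe(conn, "admin' -- ", "wrong"),
        # the same payloads against the parameterised versions
        "safe_all": find_user_safe(conn, "dave' OR '1'='1"),
        "safe_bypass": login_safe(conn, "admin' -- ", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value!r}")
```

Parameterised queries (prepared statements) are the fix, not input filtering: the database never sees user data as part of the statement text. The one thing placeholders cannot bind is an identifier (table or column name, ORDER BY target); those must come from a fixed allowlist in your code.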

Cross Site Request Forgery (XSRF) Consider a money-transfer URL whose query string ends in …purpleaki&amount=9001&for=JenniferEllison If the user is authenticated and the site is vulnerable to XSRF, then Jennifer Ellison is about to get over nine thousand pounds from Purple Aki. “But surely this is just a browser/local user issue?”

Cross Site Request Forgery (XSRF) Well, yes and no… The user has to be logged in, with a valid session cookie in their browser. But… consider the following code embedded in any page the attacker controls (a forum post, a blog comment, their own site): <img src="…purpleaki&amount=9001&for=JenniferEllison"> Now, this isn't a valid image… But the browser will still request that URL, and it attaches the victim's cookies for the bank's domain automatically, so the bank sees a perfectly authenticated transfer request. The vulnerability is that the site cannot tell a request its own page made from one some other page made.
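An added example of the standard fix, not code from the talk: a synchroniser token. The server gives each logged-in session a secret token, embeds it in its own forms, and rejects any state-changing request that does not present it. The <img> on the attacker's page can only issue a GET with no token, so it fails. The request/session dictionaries, the HMAC-derived token scheme and the handler names are assumptions made for this demonstration.

```python
import hashlib
import hmac
import secrets

# Server-side secret, generated at start-up (assumption for this example).
# Tokens are derived from it, so a page on another origin cannot compute one.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    # Token bound to the session id: valid only for this session, and never
    # sent anywhere except inside the site's own HTML.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict, session) -> str:
    # The slide's behaviour: any request carrying a valid session is honoured,
    # no matter which page triggered it.
    if session is None:
        return "401 not logged in"
    p = request["params"]
    return f"200 sent {p['amount']} to {p['for']}"


def transfer_protected(request: dict, session) -> str:
    if session is None:
        return "401 not logged in"
    # State changes only on POST. An <img src=...> can only ever GET.
    if request["method"] != "POST":
        return "405 state change must be POST"
    # Constant-time compare, so a forged token cannot be guessed byte by byte.
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session["id"])):
        return "403 bad CSRF token"
    p = request["params"]
    return f"200 sent {p['amount']} to {p['for']}"


# Constructed requests. The forged GET is what the <img> tag produces.
SESSION = {"id": "sess-123"}
FORGED_GET = {"method": "GET",
              "params": {"amount": "9001", "for": "JenniferEllison"}}
FORGED_POST = {"method": "POST",
               "params": {"amount": "9001", "for": "JenniferEllison",
                          "csrf_token": "guess"}}


def legitimate_post(session: dict) -> dict:
    # What the bank's own transfer form submits: the token it was rendered with.
    return {"method": "POST",
            "params": {"amount": "9001", "for": "JenniferEllison",
                       "csrf_token": csrf_token(session["id"])}}


if __name__ == "__main__":
    print("vulnerable, forged GET :", transfer_vulnerable(FORGED_GET, SESSION))
    print("protected, forged GET  :", transfer_protected(FORGED_GET, SESSION))
    print("protected, forged POST :", transfer_protected(FORGED_POST, SESSION))
    print("protected, real POST   :", transfer_protected(legitimate_post(SESSION), SESSION))
```

Two caveats. Checking the method alone is not a defence (an attacker's page can auto-submit a hidden POST form, which is why FORGED_POST is also rejected), and an XSS hole on the same origin lets the attacker's script read the token out of your form, which is one reason the previous slides matter. Setting the session cookie with SameSite=Lax or Strict adds a second layer by stopping the browser from attaching it to cross-site requests in the first place.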

Going on from here… This is the last I'm going to say about vulnerability discovery… It's a huge field. The Web Application Hacker's Handbook is a good place to start… DVWA (Damn Vulnerable Web Application) is a deliberately broken app you can run in a sandbox to practise offensive testing techniques legally. A lot of testing can be automated, and there are various Firefox/Chrome plugins and proxies which do a lot of the legwork, though they find the easy bugs and miss the logic flaws.

Going on from here OWASP is a group dedicated to web app security. They meet fairly often in these parts and entrance is free. Read the OWASP Top 10. Just do it.

Another valid point… It’s generally frowned upon to test systems that don’t belong to you. Don’t do it, unless you have permission, or you like prison food.

Mitigation A good offence is generally the best defence: test your own application the way an attacker would before someone else does… Your best is often not good enough, especially against a really motivated attacker, so layer your defences. A Web Application Firewall is a useful extra layer against many generic attacks (and buys time while you fix the code), but it is not a substitute for fixing the code: encoding bugs and logic flaws go straight past it. Trustwave's ModSecurity is very, very good.

Mitigation There's no point reinforcing a door if you're going to leave the windows open. Ensure that the underlying infrastructure (OS, web server, language runtime, framework and libraries) is regularly patched, that you have an IDS (Snort is free and very, very good) and that you reduce the attack surface by turning off services you don't need and running a firewall.

Responsible vulnerability disclosure… We're all geeks. We're curious. I know some of you will ignore the point I made earlier. Full disclosure is bad. Very bad. Responsible disclosure is good. Very good. Upsploit.com is a good resource for handling vulnerability disclosure.

Keep in touch? Twitter.com/matthewhughes Facebook.com/matthewjhughes Matthewhughes.co.uk

Thank you! Any questions?