Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Hacking: Beginners

Similar presentations


Presentation on theme: "Web Hacking: Beginners"— Presentation transcript:

1 Web Hacking: Beginners
SQL Injection Broken Authentication Code Injection Insecure Direct Object References

2 Websites: Basics You (the client), request/send data to the server
Server side languages (PHP, Python with Flask/Django etc), process data on the server, while client side languages (mainly JavaScript) process data on your client Most vulnerabilities occur because the server trusts you will send it data as it expects Sending unusual/unexpected data can cause unexpected behaviour in server

3 Source All the code which runs on your web browser (client) can be viewed CTRL+U / Right click and Inspect Source Can help you understand what the web application does and how it might be exploited In rare cases developers can forget about information left in the source code This can be valuable to an attacker

4 Broken Authentication
When web applications are installed within a corporate environment quite often the administrative panel comes with a default username and password Very often these are not changed (people forget or can’t be bothered) Default credentials can usually be found on google Usually easy to take control of the server once logged in to admin panel

5 Broken Authentication
Quite often there are also weak passwords in use A weak password is generally one that is short or easily guessable Tools exist which can brute force credentials, using either password wordlists or randomly generated passwords Examples are: Hydra, which works well against most websites WPScan for Wordpress Ncrack is another popular general purpose one

6 SQL Language which is used to handle databases
SQL: Very common database language Usually logins are handled like: if username == suppliedUsername and password == suppliedPassword: login Program expects something along the lines of suppliedUsername=admin and suppliedPassword=password SuppliedUsername and suppliedPassword are not variables but any sequence of characters

7 SQL Injection However, we can craft an input to defeat this logic
suppliedUsername=admin OR 1=1 -- SQL query becomes: if username == admin OR 1=1 -- and password == suppliedPassword: login Double dash comments out rest of line OR username == ‘admin’ OR ‘1’=’1’ and password == ‘suppliedPassword’: login if username == admin OR 1=1: login 1=1 always evaluates to true, so login occurs without password or username required One of the most common web vulnerabilities out there Common programming error which is easy to make <--User Input

8 Code Injection (Bash) Server side languages often have direct access to the operating system the web server is running on Is a very powerful tool but also very dangerous Bash is a shell and command language and is generally the default shell for most Linux distributions and macOS - runs commands on the system Has huge amount of commands, ls (list), cd (change directory) and ping being some of the most common Can chain together commands with semicolon, e.g. ls; cd /home; ls

9 Code Injection (Bash) Imagine a server which monitors the health of other servers You can input a server IP and it will ping that server to see if it exists On the server side: execute(‘ping USER_SUPPLIED_HOST’) We can insert an IP, then append a semicolon and we can execute whatever we want Insert ‘IP_ADDRESS; ls’ Will end up with execute(‘ping IP_ADDRESS; ls’), and the server will execute ls With remote code execution the server is P W N E D

10 Burp Suite #1 tool in web hacking
Has many different features to be explored For now we will just use one: proxy Proxy enables you to intercept data going between your computer (client) and the server

11 Insecure Direct Object References
Sometimes the server trusts the client with important information This is (almost) never a good thing For example, a web application may have an ‘admin’ string set to false Hidden on client side However, as the server reads this information from the client it can be intercepted and changed

12 Prevention Injections can be prevented by input sanitization
For example, PHP can create SQL parameterized queries, where the query is planned before the user supplied strings are parsed Be sure to use strong passwords and change default passwords Never trust data coming from the client - with the right tools it can be modified

13 Now Your Turn - Labs - introductory - replacement (free) - good practice - also introductory, has lessons as well as challenges Burp Suite - web proxy, very useful (it is what we used) Google if you don`t know - plenty of examples


Download ppt "Web Hacking: Beginners"

Similar presentations


Ads by Google