Summerschool Aachen 2004/Hacking the Web Presentation
Latest revision as of 22:23, 24 September 2018
Presentation Summary
Webapplications
- traditionally weak security
- use a simple SSL proxy to work with HTTPS as if it were plain HTTP:
    # local plain-text listener that forwards every connection to the TLS server
    socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443
    # client side: talk plain HTTP to the local listener ...
    socat - tcp4:localhost:8888
    # ... which is equivalent to talking TLS to the server directly
    socat - openssl:www.ccc.de:443
  (newer socat versions verify the server certificate by default; append ,verify=0 to the openssl address if you only need the plain-text view of the traffic)
- install the web application on a local PC and start your SQL server with --log=/tmp/log (MySQL; newer versions use --general-log) to see the queries it receives
- popular attack proxies: Burp Proxy, @stake WebProxy, WebScarab, Paros, Spike, Firefox plugins
PHP
- register_globals pushes externally supplied variables (GET/POST) into the global namespace
- insecure use of eval() on unchecked variables
- paper: "A Study in Scarlet" (Shaun Clowes, on exploiting common vulnerabilities in PHP applications)
- path filters are often OS dependent
- .inc files may not be protected by the web server against reading (password disclosure)
- renaming .inc files to .inc.php makes the server execute the config file instead of serving it; related: the remote require problem
- execute arbitrary PHP files by namespace pollution (via query string variables)
- upload handlers may accept PHP files, and may allow writing to arbitrary locations in the server's file system via '..' in the filename
- uploaded files may also be used to execute script in the browser (XSS via JavaScript)
- insert PHP code into the Apache log file, then make the server execute the log file as PHP
- strings get converted to integers in loose comparisons ('000' == 0 is true, even though '000' and '0' are different strings)
- PHP sessions are stored in /tmp, where local users may access them; the session id is encoded in the filename and the session data is inside the file
- older versions accept <script> as the session id and reproduce it in every link (XSS)
Source Disclosure
- change the filename casing to confuse handlers
- URL-encode the name, e.g. . -> %2e
- double-encode it
- insert a space or + after the filename
- use helper or demo handlers to retrieve the source
- changing hidden form fields may allow spamming, file creation, etc.
- sessions/cookies may not check whether the session id corresponds to the given username
- password disclosure through query strings in Referer URLs
- XUser surfing: use a valid session to access other users' data
- XSS: push code to users' browsers via modified links containing JavaScript, steal cookies, etc.
- found in the web tree: .mdb files, .sql backups, WS_FTP.log, .DS_Store, .cvs, .bak, file~
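The upload and path-filter notes in the PHP section and the casing, encoding and trailing-character tricks at the top of this list all come down to one thing: a filename that means one thing to the filter and another to the file system. As an added example (not part of the presentation notes), here is a Python filename check for an upload handler that decodes repeatedly, refuses any path component rather than trying to clean '..', normalises case and trailing characters, and uses an extension allow-list. UPLOAD_DIR, ALLOWED_EXTENSIONS, the function names and all sample filenames are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

# Assumed upload directory and extension allow-list for this example.
UPLOAD_DIR = "/var/www/uploads"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif", ".txt"}


def fully_decode(name: str) -> str:
    """URL-decode until the value stops changing, so a double-encoded
    '%252e%252e' cannot survive a single decode as a harmless-looking
    '%2e%2e' and turn into '..' later."""
    for _ in range(5):
        decoded = unquote(name)
        if decoded == name:
            return decoded
        name = decoded
    raise ValueError("too many encoding layers")


def safe_upload_path(client_filename: str) -> str:
    """Return the absolute path to store the file under UPLOAD_DIR,
    or raise ValueError if the name fails any check."""
    name = fully_decode(client_filename)
    # Control characters (a %00 null byte among them) let the name mean
    # one thing to the check and another to the file system.
    if any(ord(c) < 32 for c in name):
        raise ValueError("control character in filename")
    # Treat both separators as separators whatever the server OS, and
    # refuse any path component at all instead of trying to clean '..'.
    if "/" in name or "\\" in name or ".." in name:
        raise ValueError("path separators or '..' in filename")
    # Trailing spaces, dots and '+' are ignored by some handlers when they
    # match a name but kept (or dropped) by the file system.
    name = name.rstrip(" .+")
    if not name or name.startswith("."):
        raise ValueError("empty or hidden filename")
    # Match the extension case-insensitively so 'shell.PHP' is not
    # treated as an unknown, and therefore unhandled, type.
    root, ext = posixpath.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    # Defence in depth: the final path must still resolve inside UPLOAD_DIR.
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, root + ext))
    if posixpath.commonpath([UPLOAD_DIR, target]) != UPLOAD_DIR:
        raise ValueError("path escapes upload directory")
    return target


def is_safe_upload_name(client_filename: str) -> bool:
    """Boolean wrapper for use in a handler or a test."""
    try:
        safe_upload_path(client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one legitimate upload and several of the
    # tricks listed in the notes above.
    for candidate in ["photo.JPG", "shell.php", "shell.PHP ", "shell.php%00.png",
                      "..%2F..%2Fetc%2Fpasswd.txt", "%252e%252e/x.txt", "config.inc"]:
        verdict = "accepted" if is_safe_upload_name(candidate) else "rejected"
        print("%-30r %s" % (candidate, verdict))
```

The check is deliberately strict: a name containing any separator or '..' is refused outright instead of being reduced to its last component, because a silent clean-up hides which requests were hostile and is the first thing a later refactor relaxes. Storing under a server-generated name instead of the client's name removes most of these checks altogether.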
SQL Injection
- xp_cmdshell executes commands on the server (e.g. tftp)
- the sa account may not be password protected; disabled but not deleted...
- tool: sqlat ?
- make conditions always evaluate to true (1=1, a'='a)
- PHP magic_quotes helps against injection, but it affects all SQL commands
- use prepared statements (prepare, then execute) to secure your code, e.g. exec "SELECT * from bla where a='%s'", param
- hiding error messages does not help against injection (blind SQL injection)
- use UNION in the injected SQL to get at more interesting tables
- use substring etc. to get mysql.user passwords (char by char)
- first column = 1 if the char isn't guessed correctly
- binary search (< 'a') is more efficient
- if the user can control some response header field, 'header splitting' is possible (XSS)
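The notes above recommend preparing statements and warn that hiding error messages does not help. As an added example (not code from the presentation), the following Python block puts the string-formatted query next to the parameterised one against an in-memory SQLite table with constructed sample rows, and runs both on the always-true condition from the notes; the table, its rows and all function names are assumptions made for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


DB = make_db()


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the notes warn about: the request value is formatted
    straight into the SQL text, so a quote inside it ends the string
    literal and everything after it is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The prepared form: the statement is compiled with a placeholder and
    the value is bound afterwards, so quotes, 1=1, UNION and friends are
    only characters inside a name."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    """Run both functions on a normal name and on the always-true
    condition from the notes. Neither call raises an error, which is why
    hiding error messages alone does not close the hole: the difference
    shows only in the rows that come back."""
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_normal": find_user_vulnerable(DB, "alice"),
        "vulnerable_tautology": find_user_vulnerable(DB, tautology),
        "safe_normal": find_user_safe(DB, "alice"),
        "safe_tautology": find_user_safe(DB, tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

With the tautology the formatted query returns every row while the bound query returns none, because the bound value is compared as a whole string and never reaches the SQL parser. Escaping quotes on the way in (what magic_quotes does) only narrows the problem; binding the value removes it for every statement that uses a placeholder.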
Top10 (OWASP)
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting
- Buffer Overflow
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management
Links
http://del.icio.us/peter_hacker/web