Difference between revisions of "Summerschool Aachen 2004/Hacking the Web Presentation"

From C4 Wiki
Jump to: navigation, search
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The changing faces of Technology:
+
==Presentation Summary==
  
A category of hardware and software that enables people to use the Internet as the transmission medium for telephone calls. For users who have free, or fixed-price Internet access, Internet telephony software essentially provides free telephone calls anywhere in the world. To date, however, Internet telephony does not offer the same quality of telephone service as direct telephone connections.  
+
===Webapplications===
There are many Internet telephony applications available. Some, like CoolTalk and NetMeeting, come bundled with popular Web browsers. Others are stand-alone products. Internet telephony products are sometimes called IP telephony, Voice over the Internet (VOI) or Voice over IP (VOIP) products.
+
* traditional weak security
Interent Technology Links:
+
* use simple ssl proxy to work with https like http
[[http://poker2005.go.ro poker]]
+
    socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443
[[http://casino2005.go.ro casino]]
+
    socat - tcp4:localhost:8888
[[http://casino.arhaika.com casino]]
+
    socat - openssl:www.ccc.de:443
[[http://casino.arhiweb.com casino]]
+
* install the webapplication on a local pc, add --log=/tmp/log to your sql server to see queries
[[http://poker.arhaika.com poker]]
+
* popular attack proxies: Burp Proxy, @stake Webproxy, WebScarab, Pharos, Spike, Firefox Plugins
[[http://poker.arhiweb.com poker]]
+
 
[[http://Generic-Viagra.arhaika.com Generic Viagra]]
+
===PHP===
[[http://Human-Growth-Hormone.arhaika.com Human Growth Hormone]]
+
* pushes externally defined global vars (get/post) to namespace (register_globals)
[[http://Fat-Blast.arhaika.com Fat Blast]]
+
* unsecure use of eval function (unchecked vars)
[[http://Maxaman.arhaika.com Maxaman]]
+
* PAPER Study in Scarlet
[[http://Super-Viagra-Cialis.arhaika.com Super Viagra Cialis]]
+
* Path filters are often os dependent
[[http://Virility-Patch.arhaika.com Virility Patch]]
+
* .inc files may not be protected by the webserver against reading (password disclosure)
[[http://Prozac.arhaika.com Prozac]]
+
* .inc files may be renamed to .inc.php, executing a config file, remote require problem
[[http://Hangover-pills.arhaika.com Hangover pills]]
+
* execute arbitrary php files by namespace pollution (via query string vars)
[[http://Spermamax.arhaika.com Spermamax]]
+
* upload may allow to upload php files, may allow upload to arbitrary locations in servers file system via '..'
[[http://Levitra.arhaika.com Levitra]]
+
* may execute uploaded php files with xss (javascript)
[[http://Cialis-Soft-Tabs.arhaika.com Cialis Soft Tabs]]
+
* insert php code into apache log file, then make the server exec the log file as php
[[http://Viagra-Soft-Tabs.arhaika.com Viagra Soft Tabs]]
+
* strings get converted to integer ('000'=0, but '000'!='0')
[[http://Horny-Goat-Weed.arhaika.com Horny Goat Weed]]
+
* php sessions are generated in /tmp, local users may access these, session id encoded in filename, session data inside file
[[http://Viagra-Pro.arhaika.com Viagra Pro]]
+
* older versions, accept <script> as session_id and reproduced in every link
[[http://Generic-Viagra.arhiweb.com Generic Viagra]]
+
 
[[http://Human-Growth-Hormone.arhiweb.com Human Growth Hormone]]
+
===Source Disclosure===
[[http://Fat-Blast.arhiweb.com Fat Blast]]
+
* by changing filename casing to confuse handlers
[[http://Maxaman.arhiweb.com Maxaman]]
+
* encode url, i.e.: . -> %2e
[[http://Super-Viagra-Cialis.arhiweb.com Super Viagra Cialis]]
+
* double encode
[[http://Virility-Patch.arhiweb.com Virility Patch]]
+
* insert space, + after filename
[[http://Prozac.arhiweb.com Prozac]]
+
* use helper or demo handlers to retrieve source
[[http://Hangover-pills.arhiweb.com Hangover pills]]
+
* changing hidden fields may allow spamming, file creation, etc.
[[http://Spermamax.arhiweb.com Spermamax]]
+
* sessions/cookies may not check if Sessionid corresponds to a given username
[[http://Levitra.arhiweb.com Levitra]]
+
* password disclosure in referer urls via query string
[[http://Cialis-Soft-Tabs.arhiweb.com Cialis Soft Tabs]]
+
* XUser Surfing, use valid session to access other users data
[[http://Viagra-Soft-Tabs.arhiweb.com Viagra Soft Tabs]]
+
* XSS, push code to users browsers via modified links containing javascript and steal cookies, etc
[[http://Horny-Goat-Weed.arhiweb.com Horny Goat Weed]]
+
* found in the webtree, .mdb files,  .sql backups, WS_FTP.log, .DS_STORE, .cvs, .bak, file~
[[http://Viagra-Pro.arhiweb.com Viagra Pro]]
+
 
[[http://Generic-Viagra.atspace.org/ Generic Viagra]]
+
===SQL Injection===
[[http://Human-Growth-Hormone.atspace.com/ Human Growth Hormone]]
+
* xp_cmdshell executes commands on server (tftp i.e.)
[[http://Fat-Blast.atspace.com/ Fat Blast]]
+
** sa account may not be password protected, disabled but not deleted...  
[[http://Maxaman.atspace.com/ Maxaman]]
+
** tool sqlat ?
[[http://Super-Viagra-Cialis.atspace.com/ Super Viagra Cialis]]
+
* make conditions always eval to true (1=1,a'='a')
[[http://Virility-Patch.atspace.com/ Virility Patch]]
+
* php magic_quotes help against injection, but affects all sql commands
[[http://Prozac.atspace.biz/ Prozac]]
+
* use prepare before executing statements to secure your code (exec "SELECT * from bla where a='%s'",param)
[[http://Hangover-pills.atspace.com/ Hangover pills]]
+
* hiding error messages does not help against injection (blind sql injection)
[[http://Spermamax.atspace.com/ Spermamax]]
+
* use UNION in injected SQL to get at more interesting tables
[[http://Levitra.atspace.name/ Levitra]]
+
** use substring/etc. to get mysql.user passwords (char by char)
[[http://Cialis-Soft-Tabs.atspace.com/ Cialis Soft Tabs]]
+
** first column = 1 if char isn't guessed correct
[[http://Viagra-Soft-Tabs.atspace.com/ Viagra Soft Tabs]]
+
** binary search < 'a' is more efficient
[[http://Horny-Goat-Weed.atspace.com/ Horny Goat Weed]]
+
* if user can control some response header field 'header splitting' is possible (xss)
[[http://Viagra-Pro.atspace.com/ Viagra Pro]]
+
 
[[http://Generic-Viagra.go.ro Generic Viagra]]
+
===Top10 (OWASP)===
[[http://Human-Growth-Hormone2005.go.ro Human Growth Hormone]]
+
* Unvalidated Input
[[http://Fat-Blast.go.ro Fat Blast]]
+
* Broken Access Control
[[http://Maxaman2005.go.ro Maxaman]]
+
* Broken Authentication and Session Management
[[http://Super-Viagra-Cialis.go.ro Super Viagra Cialis]]
+
* Cross Site Scripting
[[http://Virility-Patch.go.ro Virility Patch]]
+
* Buffer Overflow
[[http://Prozac.go.ro Prozac]]
+
* Injection Flaws
[[http://Hangover-pills.go.ro Hangover pills]]
+
* Improper Error Handling
[[http://Spermamax.go.ro Spermamax]]
+
* Insecure Storage
[[http://Levitra2005.go.ro Levitra]]
+
* Denial of Service
[[http://Cialis-Soft-Tabs.go.ro Cialis Soft Tabs]]
+
* Insecure Configuration Management
[[http://Viagra-Soft-Tabs.go.ro Viagra Soft Tabs]]
+
 
[[http://Horny-Goat-Weed.go.ro Horny Goat Weed]]
+
 
[[http://Viagra-Pro.go.ro Viagra Pro]]
+
===Links===
[[http://rental-car.arhaika.com/ rental car]]
+
http://del.icio.us/peter_hacker/web
[[http://rubber-stamp.arhaika.com/ rubber stamp]]
+
 
[[http://rental-car.arhiweb.com/ rental car]]
+
[[Category:Summerschools]]
[[http://rubber-stamp.arhiweb.com/ rubber stamp]]
 
[[http://www.software-engine.org/ | software]]
 
[[http://www.datasol.org/ | Data Recovery]]
 
[[http://www.wifi-planet.org/ |WIFI]]
 
[[http://www.voip-guide.org/internet-telephony.php | Internet Telephony]]
 
[[http://www.software-engine.org/bpo-software.php | BPO]]
 
[[http://www.voip-guide.org/ | VoIP]]
 
[[http://www.ebusiness-cards.org/ | business cards]]
 
[[http://www.secure-network.info/firewall.php | firewall]]
 
[[http://www.globalflights.org/ | flights]]
 
[[http://www.ecar-rentals.com/ | car rental]]
 
[[http://www.secure-network.info | network security]]
 
[[http://www.cruise-guide.org/ | cruises]]
 
[[http://www.wedding-knot.com/ | wedding]]
 
[[http://www.corporategifts-guide.com/ | corporate gifts ]]
 
[[http://www.globalflights.org/cheap-flights.php | cheap flights]]
 
[[http://www.software-engine.org/anti-virus-software.php | antivirus software]]
 
[[http://www.ebackground-checks.com/background-checks.php | Background Checks]]
 

Latest revision as of 22:23, 24 September 2018

Presentation Summary

Webapplications

  • traditional weak security
  • use simple ssl proxy to work with https like http
   socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443
   socat - tcp4:localhost:8888
   socat - openssl:www.ccc.de:443
  • install the webapplication on a local pc, add --log=/tmp/log to your sql server to see queries
  • popular attack proxies: Burp Proxy, @stake Webproxy, WebScarab, Pharos, Spike, Firefox Plugins

PHP

  • pushes externally defined global vars (get/post) to namespace (register_globals)
  • unsecure use of eval function (unchecked vars)
  • PAPER Study in Scarlet
  • Path filters are often os dependent
  • .inc files may not be protected by the webserver against reading (password disclosure)
  • .inc files may be renamed to .inc.php, executing a config file, remote require problem
  • execute arbitrary php files by namespace pollution (via query string vars)
  • upload may allow to upload php files, may allow upload to arbitrary locations in servers file system via '..'
  • may execute uploaded php files with xss (javascript)
  • insert php code into apache log file, then make the server exec the log file as php
  • strings get converted to integer ('000'=0, but '000'!='0')
  • php sessions are generated in /tmp, local users may access these, session id encoded in filename, session data inside file
  • older versions, accept <script> as session_id and reproduced in every link

Source Disclosure

  • by changing filename casing to confuse handlers
  • encode url, i.e.: . -> %2e
  • double encode
  • insert space, + after filename
  • use helper or demo handlers to retrieve source
  • changing hidden fields may allow spamming, file creation, etc.
  • sessions/cookies may not check if Sessionid corresponds to a given username
  • password disclosure in referer urls via query string
  • XUser Surfing, use valid session to access other users data
  • XSS, push code to users browsers via modified links containing javascript and steal cookies, etc
  • found in the webtree, .mdb files, .sql backups, WS_FTP.log, .DS_STORE, .cvs, .bak, file~

SQL Injection

  • xp_cmdshell executes commands on server (tftp i.e.)
    • sa account may not be password protected, disabled but not deleted...
    • tool sqlat ?
  • make conditions always eval to true (1=1,a'='a')
  • php magic_quotes help against injection, but affects all sql commands
  • use prepare before executing statements to secure your code (exec "SELECT * from bla where a='%s'",param)
  • hiding error messages does not help against injection (blind sql injection)
  • use UNION in injected SQL to get at more interesting tables
    • use substring/etc. to get mysql.user passwords (char by char)
    • first column = 1 if char isn't guessed correct
    • binary search < 'a' is more efficient
  • if user can control some response header field 'header splitting' is possible (xss)

Top10 (OWASP)

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting
  • Buffer Overflow
  • Injection Flaws
  • Improper Error Handling
  • Insecure Storage
  • Denial of Service
  • Insecure Configuration Management


Links

http://del.icio.us/peter_hacker/web