Difference between revisions of "Summerschool Aachen 2004/Hacking the Web Presentation"
(spam) |
m (Removed protection from "Summerschool Aachen 2004/Hacking the Web Presentation") |
||
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
− | + | ==Presentation Summary== | |
− | + | ===Webapplications=== | |
− | + | * traditional weak security | |
− | + | * use simple ssl proxy to work with https like http | |
+ | socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443 | ||
+ | socat - tcp4:localhost:8888 | ||
+ | socat - openssl:www.ccc.de:443 | ||
+ | * install the webapplication on a local pc, add --log=/tmp/log to your sql server to see queries | ||
+ | * popular attack proxies: Burp Proxy, @stake Webproxy, WebScarab, Pharos, Spike, Firefox Plugins | ||
− | + | ===PHP=== | |
− | + | * pushes externally defined global vars (get/post) to namespace (register_globals) | |
− | + | * unsecure use of eval function (unchecked vars) | |
− | + | * PAPER Study in Scarlet | |
− | + | * Path filters are often os dependent | |
− | + | * .inc files may not be protected by the webserver against reading (password disclosure) | |
− | + | * .inc files may be renamed to .inc.php, executing a config file, remote require problem | |
− | + | * execute arbitrary php files by namespace pollution (via query string vars) | |
− | + | * upload may allow to upload php files, may allow upload to arbitrary locations in servers file system via '..' | |
− | + | * may execute uploaded php files with xss (javascript) | |
− | + | * insert php code into apache log file, then make the server exec the log file as php | |
− | + | * strings get converted to integer ('000'=0, but '000'!='0') | |
− | + | * php sessions are generated in /tmp, local users may access these, session id encoded in filename, session data inside file | |
− | + | * older versions, accept <script> as session_id and reproduced in every link | |
− | + | ||
− | + | ===Source Disclosure=== | |
− | [[ | + | * by changing filename casing to confuse handlers |
+ | * encode url, i.e.: . -> %2e | ||
+ | * double encode | ||
+ | * insert space, + after filename | ||
+ | * use helper or demo handlers to retrieve source | ||
+ | * changing hidden fields may allow spamming, file creation, etc. | ||
+ | * sessions/cookies may not check if Sessionid corresponds to a given username | ||
+ | * password disclosure in referer urls via query string | ||
+ | * XUser Surfing, use valid session to access other users data | ||
+ | * XSS, push code to users browsers via modified links containing javascript and steal cookies, etc | ||
+ | * found in the webtree, .mdb files, .sql backups, WS_FTP.log, .DS_STORE, .cvs, .bak, file~ | ||
+ | |||
+ | ===SQL Injection=== | ||
+ | * xp_cmdshell executes commands on server (tftp i.e.) | ||
+ | ** sa account may not be password protected, disabled but not deleted... | ||
+ | ** tool sqlat ? | ||
+ | * make conditions always eval to true (1=1,a'='a') | ||
+ | * php magic_quotes help against injection, but affects all sql commands | ||
+ | * use prepare before executing statements to secure your code (exec "SELECT * from bla where a='%s'",param) | ||
+ | * hiding error messages does not help against injection (blind sql injection) | ||
+ | * use UNION in injected SQL to get at more interesting tables | ||
+ | ** use substring/etc. to get mysql.user passwords (char by char) | ||
+ | ** first column = 1 if char isn't guessed correct | ||
+ | ** binary search < 'a' is more efficient | ||
+ | * if user can control some response header field 'header splitting' is possible (xss) | ||
+ | |||
+ | ===Top10 (OWASP)=== | ||
+ | * Unvalidated Input | ||
+ | * Broken Access Control | ||
+ | * Broken Authentication and Session Management | ||
+ | * Cross Site Scripting | ||
+ | * Buffer Overflow | ||
+ | * Injection Flaws | ||
+ | * Improper Error Handling | ||
+ | * Insecure Storage | ||
+ | * Denial of Service | ||
+ | * Insecure Configuration Management | ||
+ | |||
+ | |||
+ | ===Links=== | ||
+ | http://del.icio.us/peter_hacker/web | ||
+ | |||
+ | [[Category:Summerschools]] |
Latest revision as of 22:23, 24 September 2018
Contents
Presentation Summary
Webapplications
- traditional weak security
- use simple ssl proxy to work with https like http
socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443 socat - tcp4:localhost:8888 socat - openssl:www.ccc.de:443
- install the webapplication on a local pc, add --log=/tmp/log to your sql server to see queries
- popular attack proxies: Burp Proxy, @stake Webproxy, WebScarab, Pharos, Spike, Firefox Plugins
PHP
- pushes externally defined global vars (get/post) to namespace (register_globals)
- unsecure use of eval function (unchecked vars)
- PAPER Study in Scarlet
- Path filters are often os dependent
- .inc files may not be protected by the webserver against reading (password disclosure)
- .inc files may be renamed to .inc.php, executing a config file, remote require problem
- execute arbitrary php files by namespace pollution (via query string vars)
- upload may allow to upload php files, may allow upload to arbitrary locations in servers file system via '..'
- may execute uploaded php files with xss (javascript)
- insert php code into apache log file, then make the server exec the log file as php
- strings get converted to integer ('000'=0, but '000'!='0')
- php sessions are generated in /tmp, local users may access these, session id encoded in filename, session data inside file
- older versions, accept <script> as session_id and reproduced in every link
Source Disclosure
- by changing filename casing to confuse handlers
- encode url, i.e.: . -> %2e
- double encode
- insert space, + after filename
- use helper or demo handlers to retrieve source
- changing hidden fields may allow spamming, file creation, etc.
- sessions/cookies may not check if Sessionid corresponds to a given username
- password disclosure in referer urls via query string
- XUser Surfing, use valid session to access other users data
- XSS, push code to users browsers via modified links containing javascript and steal cookies, etc
- found in the webtree, .mdb files, .sql backups, WS_FTP.log, .DS_STORE, .cvs, .bak, file~
SQL Injection
- xp_cmdshell executes commands on server (tftp i.e.)
- sa account may not be password protected, disabled but not deleted...
- tool sqlat ?
- make conditions always eval to true (1=1,a'='a')
- php magic_quotes help against injection, but affects all sql commands
- use prepare before executing statements to secure your code (exec "SELECT * from bla where a='%s'",param)
- hiding error messages does not help against injection (blind sql injection)
- use UNION in injected SQL to get at more interesting tables
- use substring/etc. to get mysql.user passwords (char by char)
- first column = 1 if char isn't guessed correct
- binary search < 'a' is more efficient
- if user can control some response header field 'header splitting' is possible (xss)
Top10 (OWASP)
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting
- Buffer Overflow
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management