Difference between revisions of "Summerschool Aachen 2004/Hacking the Web Presentation"

From C4 Wiki
Jump to: navigation, search
m (Reverted edit of 213.228.81.89, changed back to last version by Mario Manno)
Line 1: Line 1:
==Presentation Summary==
+
Hello! I found information intresting for me. Thank you.
 
+
<a href="http://buyphenterminecheap.myplace.com"> phentermine, buy phentermine </a>
===Webapplications===
+
<a href="http://cheap_phentermine_buy.tiki.com"> phentermine, cheap phentermine </a>
* traditional weak security
+
<a href="http://cheap-phentermine-drug.win.com"> phentermine, phentermine online </a>
* use simple ssl proxy to work with https like http
+
<a href="http://cheap-phentermine-online.italy.com"> phentermine, order phentermine </a>
    socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443
+
<a href="http://phentermine-2.atspace.com"> phentermine, buy cheap phentermine </a>
    socat - tcp4:localhost:8888
+
<a href="http://phentermine.novels.com"> phentermine </a>
    socat - openssl:www.ccc.de:443
+
<a href="http://phentermine_online.outdoors.com"> phentermine online </a>
* install the webapplication on a local pc, add --log=/tmp/log to your sql server to see queries
+
<a href="http://phentermine-adipex.outdoors.com"> phentermine adipex </a>
* popular attack proxies: Burp Proxy, @stake Webproxy, WebScarab, Pharos, Spike, Firefox Plugins
+
<a href="http://phentermine-buy.venus.com"> phentermine buy </a>
 
+
<a href="http://phentermine-buy-online.outdoors.com"> phentermine buy online</a>
===PHP===
+
<a href="http://phentermine-buy-phentermine.can.com"> phentermine buy phentermine </a>
* pushes externally defined global vars (get/post) to namespace (register_globals)
+
<a href="http://phentermine-online-phent.spain.com"> phentermine online phent </a>
* unsecure use of eval function (unchecked vars)
+
<a href="http://phentermine-online-phentermine.atspace.com"> phentermine online phentermine </a>
* PAPER Study in Scarlet
+
<a href="http://auto-loan.myplace.com"> auto loan </a>
* Path filters are often os dependent
+
<a href="http://cash-advance.venus.com"> cash advance </a>
* .inc files may not be protected by the webserver against reading (password disclosure)
+
<a href="http://cash-advance-loan.holidays.com"> cash advance loan </a>
* .inc files may be renamed to .inc.php, executing a config file, remote require problem
+
<a href="http://college-loan.atspace.com"> college loan  </a>
* execute arbitrary php files by namespace pollution (via query string vars)
+
<a href="http://home-equity-loan.ourplace.com"> home equity loan  </a>
* upload may allow to upload php files, may allow upload to arbitrary locations in servers file system via '..'
+
<a href="http://home-loan.can.com"> home loan  </a>
* may execute uploaded php files with xss (javascript)
+
<a href="http://loan.spain.com"> loan </a>
* insert php code into apache log file, then make the server exec the log file as php
+
<a href="http://payday-loan.outdoors.com"> payday loan  </a>
* strings get converted to integer ('000'=0, but '000'!='0')
+
<a href="http://personal-loan.pebbles.com"> personal loan  </a>
* php sessions are generated in /tmp, local users may access these, session id encoded in filename, session data inside file
+
<a href="http://student-loan.tiki.com"> student loan  </a>
* older versions, accept <script> as session_id and reproduced in every link
 
 
 
===Source Disclosure===
 
* by changing filename casing to confuse handlers
 
* encode url, i.e.: . -> %2e
 
* double encode
 
* insert space, + after filename
 
* use helper or demo handlers to retrieve source
 
* changing hidden fields may allow spamming, file creation, etc.
 
* sessions/cookies may not check if Sessionid corresponds to a given username
 
* password disclosure in referer urls via query string
 
* XUser Surfing, use valid session to access other users data
 
* XSS, push code to users browsers via modified links containing javascript and steal cookies, etc
 
* found in the webtree, .mdb files,  .sql backups, WS_FTP.log, .DS_STORE, .cvs, .bak, file~
 
 
 
===SQL Injection===
 
* xp_cmdshell executes commands on server (tftp i.e.)
 
** sa account may not be password protected, disabled but not deleted..
 
** tool sqlat ?
 
* make conditions always eval to true (1=1,a'='a')
 
* php magic_quotes help against injection, but affects all sql commands
 
* use prepare before executing statements to secure your code (exec "SELECT * from bla where a='%s'",param)
 
* hiding error messages does not help against injection (blind sql injection)
 
* use UNION in injected SQL to get at more interesting tables
 
** use substring/etc. to get mysql.user passwords (char by char)
 
** first column = 1 if char isn't guessed correct
 
** binary search < 'a' is more efficient
 
* if user can control some response header field 'header splitting' is possible (xss)
 
 
 
===Top10 (OWASP)===
 
* Unvalidated Input
 
* Broken Access Control
 
* Broken Authentication and Session Management
 
* Cross Site Scripting
 
* Buffer Overflow
 
* Injection Flaws
 
* Improper Error Handling
 
* Insecure Storage
 
* Denial of Service
 
* Insecure Configuration Management
 
 
 
 
 
===Links===
 
http://del.icio.us/peter_hacker/web
 
 
 
[[Category:Summerschools]]
 

Revision as of 07:59, 26 April 2005

Hello! I found information intresting for me. Thank you. <a href="http://buyphenterminecheap.myplace.com"> phentermine, buy phentermine </a> <a href="http://cheap_phentermine_buy.tiki.com"> phentermine, cheap phentermine </a> <a href="http://cheap-phentermine-drug.win.com"> phentermine, phentermine online </a> <a href="http://cheap-phentermine-online.italy.com"> phentermine, order phentermine </a> <a href="http://phentermine-2.atspace.com"> phentermine, buy cheap phentermine </a> <a href="http://phentermine.novels.com"> phentermine </a> <a href="http://phentermine_online.outdoors.com"> phentermine online </a> <a href="http://phentermine-adipex.outdoors.com"> phentermine adipex </a> <a href="http://phentermine-buy.venus.com"> phentermine buy </a> <a href="http://phentermine-buy-online.outdoors.com"> phentermine buy online</a> <a href="http://phentermine-buy-phentermine.can.com"> phentermine buy phentermine </a> <a href="http://phentermine-online-phent.spain.com"> phentermine online phent </a> <a href="http://phentermine-online-phentermine.atspace.com"> phentermine online phentermine </a> <a href="http://auto-loan.myplace.com"> auto loan </a> <a href="http://cash-advance.venus.com"> cash advance </a> <a href="http://cash-advance-loan.holidays.com"> cash advance loan </a> <a href="http://college-loan.atspace.com"> college loan </a> <a href="http://home-equity-loan.ourplace.com"> home equity loan </a> <a href="http://home-loan.can.com"> home loan </a> <a href="http://loan.spain.com"> loan </a> <a href="http://payday-loan.outdoors.com"> payday loan </a> <a href="http://personal-loan.pebbles.com"> personal loan </a> <a href="http://student-loan.tiki.com"> student loan </a>

Retrieved from "https://wiki.koeln.ccc.de/index.php?title=Summerschool_Aachen_2004/Hacking_the_Web_Presentation&oldid=3289"