Difference between revisions of "Summerschool Aachen 2004/Hacking the Web Presentation"
m (Removed protection from "Summerschool Aachen 2004/Hacking the Web Presentation") |
|
(No difference)
|
Latest revision as of 22:23, 24 September 2018
Contents
Presentation Summary
Webapplications
- traditional weak security
- use simple ssl proxy to work with https like http
socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443 socat - tcp4:localhost:8888 socat - openssl:www.ccc.de:443
- install the webapplication on a local pc, add --log=/tmp/log to your sql server to see queries
- popular attack proxies: Burp Proxy, @stake Webproxy, WebScarab, Pharos, Spike, Firefox Plugins
PHP
- pushes externally defined global vars (get/post) to namespace (register_globals)
- unsecure use of eval function (unchecked vars)
- PAPER Study in Scarlet
- Path filters are often os dependent
- .inc files may not be protected by the webserver against reading (password disclosure)
- .inc files may be renamed to .inc.php, executing a config file, remote require problem
- execute arbitrary php files by namespace pollution (via query string vars)
- upload may allow to upload php files, may allow upload to arbitrary locations in servers file system via '..'
- may execute uploaded php files with xss (javascript)
- insert php code into apache log file, then make the server exec the log file as php
- strings get converted to integer ('000'=0, but '000'!='0')
- php sessions are generated in /tmp, local users may access these, session id encoded in filename, session data inside file
- older versions, accept <script> as session_id and reproduced in every link
Source Disclosure
- by changing filename casing to confuse handlers
- encode url, i.e.: . -> %2e
- double encode
- insert space, + after filename
- use helper or demo handlers to retrieve source
- changing hidden fields may allow spamming, file creation, etc.
- sessions/cookies may not check if Sessionid corresponds to a given username
- password disclosure in referer urls via query string
- XUser Surfing, use valid session to access other users data
- XSS, push code to users browsers via modified links containing javascript and steal cookies, etc
- found in the webtree, .mdb files, .sql backups, WS_FTP.log, .DS_STORE, .cvs, .bak, file~
SQL Injection
- xp_cmdshell executes commands on server (tftp i.e.)
- sa account may not be password protected, disabled but not deleted...
- tool sqlat ?
- make conditions always eval to true (1=1,a'='a')
- php magic_quotes help against injection, but affects all sql commands
- use prepare before executing statements to secure your code (exec "SELECT * from bla where a='%s'",param)
- hiding error messages does not help against injection (blind sql injection)
- use UNION in injected SQL to get at more interesting tables
- use substring/etc. to get mysql.user passwords (char by char)
- first column = 1 if char isn't guessed correct
- binary search < 'a' is more efficient
- if user can control some response header field 'header splitting' is possible (xss)
Top10 (OWASP)
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting
- Buffer Overflow
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management