Summerschool Aachen 2004/Hacking the Web Presentation

From C4 Wiki

Presentation Summary

Web applications

  • traditionally weak security
  • use a simple SSL proxy so that HTTPS can be worked with like plain HTTP:
   # listen on localhost:8888 and forward each connection over TLS to the web server
   socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443
   # talk plain HTTP to the proxy ...
   socat - tcp4:localhost:8888
   # ... which is equivalent to talking TLS to the server directly
   socat - openssl:www.ccc.de:443
  • install the web application on a local PC and start your SQL server with --log=/tmp/log to see the queries it receives
  • popular attack proxies: Burp Proxy, @stake WebProxy, WebScarab, Paros, Spike, Firefox plugins

PHP

  • register_globals pushes externally defined variables (GET/POST) into the global namespace
  • insecure use of the eval function (unchecked variables)
  • PAPER: A Study in Scarlet (Shaun Clowes)
  • path filters are often OS dependent
  • .inc files may not be protected by the web server against reading (password disclosure)
  • .inc files may be renamed to .inc.php, executing a config file; includes that take a remote file name (remote require problem)
  • execute arbitrary PHP files by namespace pollution (via query string variables)
  • uploads may allow PHP files, and may allow writing to arbitrary locations in the server's file system via '..'
  • uploaded files may also be used for XSS (JavaScript)
  • insert PHP code into the Apache log file, then make the server execute the log file as PHP
  • strings get converted to integers in loose comparisons ('000' == 0 is true, although '000' and '0' are different strings)
  • PHP sessions are stored in /tmp and local users may access them: the session id is encoded in the file name, the session data is inside the file
  • older versions accepted <script> as session_id and reproduced it in every link
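As an added example (not code from the presentation or the C4 wiki), a defensive check for the upload and source-disclosure notes above: it undoes repeated percent-encoding so that %2e or %252e is seen as '.', rejects '..' and path separators, refuses .php/.inc names regardless of casing or trailing junk, and confirms the resolved path stays inside a hypothetical upload directory.

```python
import os
import urllib.parse

UPLOAD_DIR = "/var/www/uploads"   # hypothetical upload directory, an assumption


def decode_fully(name: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(name)
        if decoded == name:
            return name
        name = decoded
    return name


def safe_upload_path(filename: str, base: str = UPLOAD_DIR):
    """Return the absolute path to store an upload under, or None if unsafe.

    Rejects traversal ('..'), any directory component, dot files, names with
    leading/trailing whitespace, and PHP/include extensions anywhere in the
    name (so shell.PHP.jpg and config.inc are refused as well).
    """
    name = decode_fully(filename)
    if "/" in name or "\\" in name:          # no directory components at all
        return None
    if name in ("", ".", "..") or name.startswith(".") or name.strip() != name:
        return None
    lowered = name.lower()                   # casing tricks do not help
    if any(ext in lowered for ext in (".php", ".inc", ".phtml")):
        return None
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, name))
    # defence in depth: the resolved path must still be inside the upload dir
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate
```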

Source Disclosure

  • by changing the filename casing to confuse handlers
  • URL-encode the filename, e.g. . -> %2e
  • double encode
  • insert a space or + after the filename
  • use helper or demo handlers to retrieve source
  • changing hidden fields may allow spamming, file creation, etc.
  • sessions/cookies may not check whether the session id corresponds to the given username
  • password disclosure in Referer URLs via the query string
  • cross-user surfing: use a valid session to access other users' data
  • XSS: push code to users' browsers via modified links containing JavaScript, steal cookies, etc.
  • found in the web tree: .mdb files, .sql backups, WS_FTP.log, .DS_Store, .cvs, .bak, file~

SQL Injection

  • xp_cmdshell executes commands on the server (e.g. tftp)
    • the sa account may not be password protected; disabled but not deleted...
    • tool: sqlat ?
  • make conditions always evaluate to true (1=1, a'='a)
  • PHP magic_quotes helps against injection, but affects all SQL commands
  • use prepare before executing statements to secure your code (exec "SELECT * from bla where a='%s'", param)
  • hiding error messages does not help against injection (blind SQL injection)
  • use UNION in injected SQL to get at more interesting tables
    • use substring etc. to get mysql.user passwords (character by character)
    • first column = 1 if the character isn't guessed correctly
    • a binary search (< 'a') is more efficient
  • if the user can control some response header field, 'header splitting' is possible (XSS)
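An added example (not code from the presentation) for the always-true condition and the prepare bullet above: the same login query built by string formatting and with bound parameters against a constructed in-memory SQLite table, plus a crude check that flags tautologies, UNION SELECT and substring probes in queries captured with the --log approach. The table, user names and passwords are constructed for the demo.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two users, plaintext passwords for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """The pattern the notes warn about: the query is assembled with string
    formatting, so a password of  ' OR 'a'='a  makes the WHERE clause true
    for every row (AND binds tighter than OR)."""
    sql = "SELECT name FROM user WHERE name='%s' AND password='%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """Same query with bound parameters: the driver passes the values
    separately from the statement, so quotes in the input stay data."""
    sql = "SELECT name FROM user WHERE name=? AND password=?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Crude detector for queries seen in the SQL server's query log. A lab aid
# for spotting probes while testing, not a replacement for prepared statements.
_SUSPECT = re.compile(
    r"""(?ix)
        \bor\s+(['"]?)(\w+)\1\s*=\s*\1\2\1   # OR 1=1, OR 'a'='a'
      | \bunion\s+(all\s+)?select\b          # UNION SELECT
      | \bsubstr(ing)?\s*\(                  # character-by-character extraction
    """)


def looks_injected(logged_query: str) -> bool:
    return _SUSPECT.search(logged_query) is not None
```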

Top 10 (OWASP)

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting
  • Buffer Overflow
  • Injection Flaws
  • Improper Error Handling
  • Insecure Storage
  • Denial of Service
  • Insecure Configuration Management


Links

http://del.icio.us/peter_hacker/web