Summerschool Aachen 2004/Hacking the Web Presentation

From C4 Wiki
< Summerschool Aachen 2004
Revision as of 04:55, 26 November 2004 by Mario Manno (talk | contribs) (copy)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Presentation Summary


  • traditional weak security
  • use simple ssl proxy to work with https like http
   socat tcp-l:8888,reuseaddr,bind=,fork
   socat - tcp4:localhost:8888
   socat -
  • install the webapplication on a local pc, add --log=/tmp/log to your sql server to see queries
  • popular attack proxies: Burp Proxy, @stake Webproxy, WebScarab, Pharos, Spike, Firefox Plugins


  • pushes externally defined global vars (get/post) to namespace (register_globals)
  • unsecure use of eval function (unchecked vars)
  • PAPER Study in Scarlet
  • Path filters are often os dependent
  • .inc files may not be protected by the webserver against reading (password disclosure)
  • .inc files may be renamed to .inc.php, executing a config file, remote require problem
  • execute arbitrary php files by namespace pollution (via query string vars)
  • upload may allow to upload php files, may allow upload to arbitrary locations in servers file system via '..'
  • may execute uploaded php files with xss (javascript)
  • insert php code into apache log file, then make the server exec the log file as php
  • strings get converted to integer ('000'=0, but '000'!='0')
  • php sessions are generated in /tmp, local users may access these, session id encoded in filename, session data inside file
  • older versions, accept <script> as session_id and reproduced in every link

Source Disclosure

  • by changing filename casing to confuse handlers
  • encode url, i.e.: . -> %2e
  • double encode
  • insert space, + after filename
  • use helper or demo handlers to retrieve source
  • changing hidden fields may allow spamming, file creation, etc.
  • sessions/cookies may not check if Sessionid corresponds to a given username
  • password disclosure in referer urls via query string
  • XUser Surfing, use valid session to access other users data
  • XSS, push code to users browsers via modified links containing javascript and steal cookies, etc
  • found in the webtree, .mdb files, .sql backups, WS_FTP.log, .DS_STORE, .cvs, .bak, file~

SQL Injection

  • xp_cmdshell executes commands on server (tftp i.e.)
    • sa account may not be password protected, disabled but not deleted...
    • tool sqlat ?
  • make conditions always eval to true (1=1,a'='a')
  • php magic_quotes help against injection, but affects all sql commands
  • use prepare before executing statements to secure your code (exec "SELECT * from bla where a='%s'",param)
  • hiding error messages does not help against injection (blind sql injection)
  • use UNION in injected SQL to get at more interesting tables
    • use substring/etc. to get mysql.user passwords (char by char)
    • first column = 1 if char isn't guessed correct
    • binary search < 'a' is more efficient
  • if user can control some response header field 'header splitting' is possible (xss)

Top10 (OWASP)

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting
  • Buffer Overflow
  • Injection Flaws
  • Improper Error Handling
  • Insecure Storage
  • Denial of Service
  • Insecure Configuration Management