Overview
Countermeasures
Internet
WWW
Web application
Website
Webpage
Web browser
Firewalls
Advantages: Attackers
Time-to-market
Complexity is growing
More inclination on getting the job done
How do we respond?
Tools
Techniques
Myths - Developers
Fact...
It needs to be secure
Administrator - Myths
Reporting
Executive Summary
Findings Summary
Information Gathering
Through IP/domain
dig
nslookup
whois
[Diagram: Web Server -> Database Server (recordset)]

POST /Login/Login.action HTTP/1.0
Host: www.sample.com

username=test&pwd=test123&app=sample

[Diagram: Web Browser -> Proxy -> Web Server; request (with body) and response]
Cookies
Cookies
Persistent
Non-persistent
Cookies details
Cookie Manipulation
Real world example
Cookie: Location=India; ADMIN=N; time=10:30; SessionID=BasedRteR234553636336
Session Management
Need to be shown each time they are asked for, else you'll be thrown out.
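The cookie on the "Real world example" slide carries an ADMIN=N flag next to the session id. As an added example (not code from the slides), the script below parses that exact header and contrasts a check that trusts the client-supplied flag with one that derives the role from a server-side session record keyed by SessionID; the SESSIONS table is a constructed in-memory stand-in for a real session store.

```python
# Added example: a privilege flag in a cookie is client-controlled, so the
# server must look privilege up in its own session store instead.
# The cookie header is the one from the slide; SESSIONS is constructed.

# Constructed server-side session store: session id -> user record.
SESSIONS = {
    "BasedRteR234553636336": {"user": "alice", "admin": False},
}

COOKIE_HEADER = "Location=India; ADMIN=N; time=10:30; SessionID=BasedRteR234553636336"


def parse_cookie(header):
    """Split a Cookie request header into a name -> value dict."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = value
    return pairs


def is_admin_insecure(header):
    """Vulnerable check: believes whatever ADMIN value the client sent."""
    return parse_cookie(header).get("ADMIN") == "Y"


def is_admin_secure(header):
    """Hardened check: only the session id is taken from the cookie; the
    role comes from the server-side record that id points to."""
    session_id = parse_cookie(header).get("SessionID", "")
    session = SESSIONS.get(session_id)
    return bool(session) and session["admin"]


if __name__ == "__main__":
    # The client owns its cookie jar, so ADMIN=N can simply be edited to ADMIN=Y.
    tampered = COOKIE_HEADER.replace("ADMIN=N", "ADMIN=Y")
    print("insecure check:", is_admin_insecure(tampered))  # True
    print("secure check:  ", is_admin_secure(tampered))    # False
```

Everything the server needs about a logged-in user should hang off the session id on the server side; the only thing worth protecting in the cookie is then the id itself, which is why it must be long, random and transmitted only over HTTPS.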
Terminating Sessions
Solutions
SQL can:
Aggregate functions
Sum(), count() etc.
Group By
Metadata
var sql = "Select * from users where login='$username' and password='$pwd'";
When something is injected, the query is rewritten like this:
Select * from users where login='' OR 1=1 --' and password='...'
where -- is the comment marker in most SQL dialects (Oracle, PostgreSQL, MySQL, HSQL); /* comment */ for some; { } for Informix and DB2
OR 1=1 makes the condition true whatever the username is
Demo
Thus quote characters, 'OR' and '=' are the tokens most often used to test for SQL injection.
When an application is vulnerable to SQL injection, Blind SQL injection can also be used. Blind SQL injection is done by injecting logical statements, like OR 1=1, into the SQL statement and observing the difference in behaviour.
Using GROUP BY or HAVING in the query usually makes the database throw error messages that reveal the field types, which helps SQL injection.
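The login query on the slide is built by pasting $username and $pwd into the SQL text. As an added example (not code from the slides), the script below runs that same query in both its concatenated and its parameterised form against an in-memory SQLite database with constructed users, so the effect of the ' OR 1=1 -- input from the slide can be seen directly.

```python
# Added example: the slide's login query built by string concatenation
# next to the parameterised form, run against a constructed SQLite table.
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    return conn


def login_vulnerable(conn, username, pwd):
    """Mirrors the slide: user input becomes part of the SQL text, so
    a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT * FROM users WHERE login='{username}' AND password='{pwd}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, username, pwd):
    """Placeholders: the driver sends the values separately from the query,
    so they are only ever compared as data and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE login=? AND password=?"
    return conn.execute(sql, (username, pwd)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"          # the injection from the slide; -- comments out the password check
    print(login_vulnerable(conn, payload, "x"))  # both rows: the WHERE clause became "'' OR 1=1"
    print(login_safe(conn, payload, "x"))        # []: no user is literally named "' OR 1=1 --"
    print(login_safe(conn, "alice", "s3cret"))   # [('alice', 's3cret')]
```

The parameterised version needs no character filtering at all; the quote and comment characters simply stay inside the bound value. Filtering or escaping input is a fallback for the rare places where a query part (a table name, an ORDER BY column) cannot be bound, and there it should be a whitelist of allowed values.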
Remember
Countermeasures
Restrict the database account the web application connects with
Instead of an all-powerful account with no password:
grant all on *.* to root@localhost identified by '';
give the application only the privileges and the database it needs:
grant INSERT,DELETE,SELECT on test.* to user@localhost identified by 'password';
HTML Injection
Demo
Types of XSS
Reflective (non-persistent)
Injected code is reflected off the web server
Delivered to the victims via another route (email
or another web server)
Reflective XSS
Any page that takes user input and displays it back as is:
Ex: Search results, validate user details.
[Diagram: reflected XSS flow between User, Internet and Bank.com]
Malicious code delivered to the user as a link: http://bank.com/account.jsp?<SCRIPT>Send cookie to attacker.com</SCRIPT>
Reflected code returned by http://bank.com/login/: <SCRIPT> Send cookie to attacker</SCRIPT>
Result: the script is executed in the user's browser and the banking cookie is sent to the attacker
Stored XSS
The site takes user input
Attacker gives input with malicious code
The site stores it in the database without validating it
Another user tries to view the input
The application shows the input with the script
The script executes in the victim's browser
Javascript URLs
Javascript URLs have the format javascript:code
An example Javascript URL:
javascript:alert('Hello World')
Few Observations
We didn't click on anything to get the script executed
There was no <script> tag
What other events are there?
mousedown, mouseup
click
dblclick
mouseover, mouseout, mousedown
mouseenter, mouseleave
Defending XSS
Don't allow HTML in posts
Filter out dangerous characters
' , ? & > < ; etc.
Replace dangerous characters with their HTML entity equivalents:
< -> &lt;
> -> &gt;
( -> &#40;
) -> &#41;
# -> &#35;
& -> &amp;
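As an added example (not code from the slides), the function below implements the replacement table from the "Defending XSS" slide as an output-encoding step and applies it to a constructed search-results page of the reflecting kind described under "Reflective XSS". The ordering of the replacements is the detail that is easy to get wrong: & and # must be handled before the entities that contain them are introduced.

```python
# Added example: the slide's character-replacement table as an output-encoding
# function, applied to a constructed page that reflects a search query.

# Order matters: '&' first, then '#', so the '&' and '#' inside the entities
# produced by the later replacements are not escaped a second time.
REPLACEMENTS = [
    ("&", "&amp;"),
    ("#", "&#35;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ("(", "&#40;"),
    (")", "&#41;"),
]


def escape_for_html(text):
    """Encode user-supplied text so the browser renders it as text, not markup."""
    for raw, entity in REPLACEMENTS:
        text = text.replace(raw, entity)
    return text


def render_results_page_vulnerable(query):
    """Constructed page that echoes the query as is (the reflective pattern)."""
    return f"<p>Results for: {query}</p>"


def render_results_page(query):
    """Same page with the query encoded before it is placed in the HTML body."""
    return f"<p>Results for: {escape_for_html(query)}</p>"


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"   # constructed test input, the usual XSS probe
    print(render_results_page_vulnerable(probe))  # script tag lands in the page as markup
    print(render_results_page(probe))             # &lt;script&gt;alert&#40;1&#41;&lt;/script&gt;
```

This table covers text placed in the HTML body. Text placed inside an attribute value, a URL or a script block needs the encoding rules of that context (quotes in attributes, for instance), which is why the javascript: URLs and event handlers on the following slides still need separate handling.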
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart
Insecure Implementation
We are not focusing on weaknesses in CAPTCHA generation
Verifying the CAPTCHA on the client side
Having a limited set of words
Black
Database Security
Nikto
Paros Proxy
Webscarab
WebInspect
Burpsuite
Wikto
Acunetix *
Thank You