hack using firefox

Hack Using Firefox Ahmad Prayitno,CEH [email protected]

Upload: reza-nurfachmi

Post on 15-Apr-2017


Page 1: Hack using firefox

Hack Using Firefox

Ahmad Prayitno,[email protected]

Agenda

- Reconnaissance
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- SQL Injection

Reconnaissance

What is Reconnaissance

Finding as much information about the target as possible before launching the first attack

Types Of Reconnaissance

- Active Reconnaissance
- Passive Reconnaissance

Active Reconnaissance

Active reconnaissance is a type of reconnaissance in which an attacker engages with the targeted person or corporation to gather information.

- DNS
- Whois
- Netcraft
- Archives
- Search Engine
- Social Media

Passive Reconnaissance

Passive reconnaissance is an attempt to gain information about the targeted person or corporation without actively engaging with the systems.

- Go to Target Office
- Interview with target
- Read from newspaper
- Etc

Useful Information

- Names (administrative, technical, billing contacts) for social engineering attack
- Telephone numbers
- Email addresses
- Format of email addresses, e.g. [email protected]
- Family (Wife/Husband, Children, etc.)
- Places
- Birthday

Firefox Addon

Wappalyzer WorldIP Site Information

XSS

What is XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

XSS Type

Reflected XSS

- Triggers off of a link
- Interactive
- Example: victim.com/{vulnerable_here}

Stored XSS

- Persistent
- Triggers when the exploited page is viewed
- Example: Comment forms

XSS Attack

XSS attack works this way:

- The attacker identifies a web site that has one or more XSS bugs (for example echoing data input, or lacking data input validation)
- The attacker crafts a special URL that includes a malformed and malicious querystring containing HTML and script
- The attacker finds a victim and gets him to click the link
- The victim clicks the link and the victim’s browser makes a request to the vulnerable server, passing the malicious querystring and cookies
- The vulnerable server echoes malicious input, including the script, back to the victim’s browser
- The victim’s browser executes the malicious script, which may be crafted to pass data from the victim to the attacker, or perform other actions


Cross-Site Scripting Attack in Action

1. The attacker sends a victim a link containing a malicious payload.

2. The victim, tricked into clicking the link, sends a request (and the payload) to the vulnerable application interface.

3. The interface (i.e. a user registration form) accepts the request (and payload), and responds with a confirmation screen. Embedded in the confirmation screen is the malicious code, which has been formatted in such a way that a browser will interpret it as if it were any other JavaScript code.

4. When the victim receives the response, the browser executes the payload, which could send cookie values (including session identifiers) and other sensitive data to the attacker.
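The defensive counterpart to steps 3 and 4, as an added example that is not part of the original slides: the confirmation screen HTML-encodes the echoed value, and the session cookie is marked HttpOnly so page script cannot read it. The `/register?name=` endpoint, the cookie value and the probe string are assumptions constructed for illustration.

```python
import html
from urllib.parse import parse_qs

def render_confirmation(name, encode=True):
    """Build the confirmation screen; encode=False reproduces the vulnerable echo."""
    shown = html.escape(name, quote=True) if encode else name
    return f"<html><body><p>Registered: {shown}</p></body></html>"

def app(environ, start_response):
    """Minimal WSGI handler for a hypothetical /register?name=... endpoint."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", [""])[0]
    body = render_confirmation(name).encode("utf-8")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # Second layer: if encoding is missed somewhere, inline script is still refused.
        ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
        # HttpOnly keeps the session cookie out of reach of document.cookie.
        # The session value is a placeholder, not a real identifier.
        ("Set-Cookie", "session=EXAMPLE-SESSION-ID; HttpOnly; Secure; SameSite=Lax; Path=/"),
        ("Content-Length", str(len(body))),
    ]
    start_response("200 OK", headers)
    return [body]

def call(query_string):
    """Invoke the handler the way a WSGI server would; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"QUERY_STRING": query_string, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")

# Constructed probe: harmless markup that shows whether input is treated as HTML.
PROBE = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    status, headers, body = call(PROBE)
    print(status, headers["Set-Cookie"])
    print(body)
```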

Attack Vectors

- Forms that are filled out where values are later presented to the user
- Web message boards that allow users to post their own messages

Why Cookies

Because a cookie is a ticket!

Firefox Addon

XSS Me Cookie Manager etc

CSRF

What is CSRF

Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. CSRF exploits the trust that a site has in a user's browser.

Cross-Site Request Forgery

Threat Models

Client Injects content onto trusted site Unauthorized Application Request

Web Attacker Owns https://www.attacker.com user visit

Example

Bank Website Request:

http://bank.com/transfer.do?acct=budi&amount=100000

Attacker creates link:

<a href="http://bank.com/transfer.do?acct=hacker&amount=100000">View my Pictures!</a>
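How the bank side can refuse the forged link above, as an added example that is not part of the original slides: the transfer handler rejects GET and requires a per-session anti-CSRF token that another site cannot read. The function names, the token scheme (HMAC of the session id) and the session value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated here for the example

def issue_csrf_token(session_id):
    """Token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(method, session_id, form):
    """Return (status, reason) for a request to the slide's transfer.do endpoint."""
    if session_id is None:
        return 401, "no session"
    if method != "POST":
        # A plain link or image tag issues GET, so GET must never move money.
        return 405, "transfers require POST"
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        # The browser attaches the cookie automatically, but another site
        # cannot read this session's token, so a forged form fails here.
        return 403, "missing or invalid CSRF token"
    return 200, "transfer %s to %s" % (form.get("amount"), form.get("acct"))

def query_of(url):
    """Parameters carried in a URL's query string, as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

# The link from the slide, followed by a logged-in user (session id is constructed).
FORGED_LINK = "http://bank.com/transfer.do?acct=hacker&amount=100000"
SESSION = "constructed-session-id"

if __name__ == "__main__":
    forged = query_of(FORGED_LINK)
    print(handle_transfer("GET", SESSION, forged))    # the clicked link
    print(handle_transfer("POST", SESSION, forged))   # auto-submitted form, no token
    genuine = {"acct": "budi", "amount": "100000",
               "csrf_token": issue_csrf_token(SESSION)}
    print(handle_transfer("POST", SESSION, genuine))  # form rendered by the bank itself
```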

SQL Injection

What is SQL Injection

SQL injection is a vulnerability in web applications that lets hackers inject SQL commands into the database through an input form.

How common is it?

- It is probably the most common Website vulnerability today!
- It is a flaw in "web application" development; it is not a DB or web server problem
- Most programmers are still not aware of this problem
- A lot of the PHP tutorials and PHP demos are vulnerable
- Even worse, a lot of solutions posted on the Internet are not good enough

Vulnerable Applications

Almost all SQL databases and programming languages are potentially vulnerable

- MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc
- PHP, ASP, etc

How does SQL Injection work?

Common vulnerable login query:

SELECT * FROM users WHERE username = 'ahmad' AND password = 'rahasia'

Injecting through Strings

$username = ' or '1'='1' --
$password = anything

Final query would look like this:

SELECT * FROM users WHERE username = ' ' or '1'='1' -- AND password = 'anything'

If it were numeric?

SELECT * FROM clients WHERE account = 12345678 AND pin = 1111

PHP/MySQL login syntax:

$sql = "SELECT * FROM clients WHERE " .
       "account = $formacct AND " .
       "pin = $formpin";

Injecting Numeric Fields

$formacct = 1 or 1=1 --
$formpin = 1111

Final query would look like this:

SELECT * FROM clients WHERE account = 1 or 1=1 -- AND pin = 1111

Firefox Addon

Hack Bar