Security
for Beginners - Part 2
Adzmely Mansor
adzmely@gmail.com
Objective(s)
help you understand common exploitable vulnerabilities,
how they are exploited, and, working back from that,
(re)develop the defensive mechanisms that secure a deployed
web application through best practice
Information Leakage
Applications can unintentionally leak:
information about their configuration or internal
workings
internal state, via how long they take to process certain
operations or via different responses to different inputs
information about their internal state through detailed or
debug error messages
Information Leakage
This information can be leveraged to launch or even
automate more powerful attacks
Possible information harvest:
Server (OS, version, ...)
Programming language (Language, version, ...)
Database (Oracle, MySQL, ...) - (Version, Schema, ...)
Debug/Error/Stacktraces - SQL Statement...
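As an added example (not from the original slides) of how the debug/error leak listed above is closed in PHP: the commented-out settings are what a careless deployment ships, the active ones keep the detail server-side and hand the client only an opaque reference. The log path and the failing query are assumptions made for the demonstration.

```php
<?php
// Added example: verbose vs. hardened error handling in PHP.
// Illustrative application code, not the slides' own.

// --- Leaky configuration (what you do NOT want in production) ---
// ini_set('display_errors', '1');   // renders file paths, line numbers
// error_reporting(E_ALL);            // and often the failing SQL to the client

// --- Hardened configuration ---
ini_set('display_errors', '0');               // never render errors to the browser
ini_set('log_errors', '1');                   // keep the detail, but server-side
ini_set('error_log', '/var/log/php/app.log'); // assumed writable log path
error_reporting(E_ALL);
header_remove('X-Powered-By');                // drop the PHP version banner
// (also set expose_php = Off in php.ini so the header is never added)

// Catch anything that escapes application code and answer with a generic
// message plus a random reference id that support can match against the log.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Internal error. Reference: $ref\n";   // no stack trace, no SQL text
    exit;
});

// Constructed failure: a query against a table that does not exist.
// With the leaky settings the client would see the SQL and the driver error;
// with the handler above it sees only the reference id.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->query("SELECT secret FROM users_does_not_exist");
```

The same idea applies to the database layer: catch the driver exception at the boundary, log it, and never echo the statement back, since (as the SQL injection section later shows) an attacker uses exactly those messages to confirm an injection worked.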
Information Leakage
Exercise: open http://demo.testfire.net
try to find as much information as possible
Information Leakage
open: http://demo.testfire.net/
go to login page
view the html source
use what you find (form field names, error strings) to craft your hydra brute-force attack
Code Execution
Code Execution
ability to execute command(s)/code on a target machine or
in a target process
inject and execute shell code / scripting code
ability to fully take control of the target machine
PHP/Code Injection
this is silly; hopefully nobody is doing it:
Shell/Code Injection
this is silly; hopefully nobody is doing it:
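Added example, not from the original slides, of the two "silly" patterns just named: PHP code reaching eval() and a shell command built from user input, each shown in its vulnerable form and then hardened. Function names, the calculator grammar and the hostname pattern are assumptions chosen for the demonstration.

```php
<?php
// Added example: PHP code injection and shell command injection,
// vulnerable and hardened side by side. Illustrative code, not the slides' own.

// ---- 1. PHP code injection via eval() ----
// Vulnerable: ?expr=1%2B1 works, but ?expr=system('id') runs an OS command.
function calc_vulnerable(string $expr): string {
    return (string) eval("return ($expr);");
}

// Hardened: never hand user input to eval(). Parse the tiny grammar you
// actually need (two integers and an operator) and dispatch on it.
function calc_safe(string $expr): string {
    if (!preg_match('/^\s*(-?\d+)\s*([+\-*\/])\s*(-?\d+)\s*$/', $expr, $m)) {
        throw new InvalidArgumentException('malformed expression');
    }
    [$a, $b] = [(int) $m[1], (int) $m[3]];
    switch ($m[2]) {
        case '+': return (string) ($a + $b);
        case '-': return (string) ($a - $b);
        case '*': return (string) ($a * $b);
        default:
            if ($b === 0) throw new InvalidArgumentException('division by zero');
            return (string) intdiv($a, $b);
    }
}

// ---- 2. Shell command injection via shell_exec()/system() ----
// Vulnerable: ?host=127.0.0.1;cat%20/etc/passwd runs the second command.
function ping_vulnerable(string $host): string {
    return (string) shell_exec("ping -c 1 $host");
}

// Hardened: validate against a strict pattern AND quote the argument.
// escapeshellarg() neutralises shell metacharacters; the pattern and the
// leading-dash check stop option injection such as "-f".
function ping_safe(string $host): string {
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}\z/', $host) || $host[0] === '-') {
        throw new InvalidArgumentException('invalid host');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Demonstration with constructed inputs (kept offline: print instead of system).
$payload = "print('INJECTED')";
echo calc_vulnerable($payload), "\n";   // prints INJECTED1: attacker code ran
try { calc_safe($payload); } catch (InvalidArgumentException $e) {
    echo "calc_safe rejected: ", $e->getMessage(), "\n";
}
echo calc_safe("6 * 7"), "\n";          // 42
try { ping_safe("127.0.0.1;id"); } catch (InvalidArgumentException $e) {
    echo "ping_safe rejected: ", $e->getMessage(), "\n";
}
```

The hardened versions share one rule: user input is data to be validated against a narrow grammar, never text to be interpreted. If a feature genuinely needs to run external programs, prefer proc_open() with an argument array over a shell string so there is no shell to inject into at all.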
CSRF
YouTube.com: forged requests added a video to a user's
Favourites, flagged videos as inappropriate, etc.
SOURCE: https://freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks/
SOURCE: https://github.com/BKcore/NoCSRF
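The standard defence against the YouTube-style forged request above is a synchronizer token, shown here as an added example (not the slides' own code and not the NoCSRF library linked above). The form field name, session key and the favourites handler are assumptions.

```php
<?php
// Added example: synchronizer-token CSRF protection in PHP.
// Illustrative code, not the slides' own.

session_start();

// One random token per session, embedded in every state-changing form.
// A cross-site page cannot read it (same-origin policy), so a forged
// POST arrives without the right value.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; absent or wrong token fails closed.
function csrf_verify(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Rendering the form (GET): the token travels as a hidden field.
function render_favourite_form(int $videoId): string {
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"/favourite\">\n"
         . "  <input type=\"hidden\" name=\"csrf_token\" value=\"$t\">\n"
         . "  <input type=\"hidden\" name=\"video\" value=\"$videoId\">\n"
         . "  <button>Add to favourites</button>\n</form>\n";
}

// Handling the POST: check the token before touching any state.
// Also send the session cookie with SameSite=Lax (or Strict) so the
// browser itself withholds it on cross-site POSTs; the token stays the
// authoritative check because not every client honours SameSite.
function handle_favourite(array $post): string {
    if (!csrf_verify($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return "rejected: missing or invalid CSRF token\n";
    }
    $videoId = (int) ($post['video'] ?? 0);
    // ... add $videoId to the logged-in user's favourites here ...
    return "accepted: video $videoId added\n";
}

// Constructed demonstration (run from the CLI): a forged request without
// the token is refused; one carrying the real token goes through.
echo handle_favourite(['video' => 42]);
echo handle_favourite(['video' => 42, 'csrf_token' => csrf_token()]);
```

The check must sit on every request that changes state (POST, PUT, DELETE); protecting only the forms that render the token while leaving a GET-driven action unguarded is how the YouTube case worked.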
Null Byte Character
? causes .php to be considered part of a URI (query string)
/vulnCode.php?page=/tmp/phpcode
/vulnCode.php?page=/etc/passwd%00
Exercise:
open: http://188.241.117.154/__dv__/
Null-Byte Injection
URL/web representation: %00
a null byte is the string terminator in the C functions underneath PHP,
so everything after it is dropped when the path is opened
this alters the intended logic of the application
(PHP 5.3.4 and later reject paths containing a null byte, so the trick
only works against older versions)
// How about appending .php?
//
<?php
// deliberately vulnerable: the user-controlled value still decides which file is included
if (isset( $_GET['page'] )){
    include( $_GET['page'] . ".php" );
}
?>
// http://www.example.com/vulnCode.php?page=/etc/passwd%00.php
// the appended ".php" lands after the null byte, so /etc/passwd is what gets opened
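Appending ".php" is not a fix; the fix is to stop the user from supplying a path at all. The following is an added example (not the slides' own code) of a safe replacement for the include above: the request selects a key from an allowlist, and the resolved path is checked to still be inside the intended directory. The pages/ directory and page names are assumptions; the demo creates a temporary copy so it runs stand-alone.

```php
<?php
// Added example: safe replacement for include($_GET['page'] . ".php").
// Illustrative code, not the slides' own.

const PAGES = [            // user may choose a key, never a path
    'home'  => 'home.php',
    'about' => 'about.php',
];

// Returns the absolute file to include, or null if the request is refused.
function resolve_page(string $requested, string $baseDir): ?string {
    // 1. Reject null bytes explicitly (the slide's trick) and anything that
    //    is not a plain lowercase key; \z avoids the trailing-newline hole of $.
    if (strpos($requested, "\0") !== false || !preg_match('/^[a-z]+\z/', $requested)) {
        return null;
    }
    if (!isset(PAGES[$requested])) {
        return null;
    }
    // 2. Belt and braces: canonicalise and confirm the file is still inside
    //    $baseDir (catches symlinks and any future mistake in PAGES).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// --- Constructed demonstration: temporary pages dir with two real files ---
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/home.php",  "<?php echo \"home page\\n\";");
file_put_contents("$dir/about.php", "<?php echo \"about page\\n\";");

foreach (['home', '/etc/passwd', "/etc/passwd\0", '../../index', 'about', 'admin'] as $p) {
    $resolved = resolve_page($p, $dir);
    printf("%-20s -> %s\n", json_encode($p), $resolved ?? 'rejected');
}

// Usage in the real dispatcher:
// $path = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
// if ($path === null) { http_response_code(404); exit; }
// include $path;

// cleanup
unlink("$dir/home.php"); unlink("$dir/about.php"); rmdir($dir);
```

Only home and about resolve; the absolute path, the null-byte variant, the traversal attempt and the unknown key are all refused before include() is ever reached. On a hardened deployment also set allow_url_include = Off so a remote URL can never be included even if validation regresses.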
Null-Byte Injection
Exercise: open http://demo.testfire.net
the file boot.ini is located in the root directory; using null byte
injection, try to find a way to load it
SQL Injection
SQL Injection
means tricking an application into including unintended
SQL commands in the data sent to a backend interpreter
the backend interpreter takes strings and interprets them as
commands
SQL Injection
occurs when user input is not filtered for escape characters
and can therefore manipulate the SQL statement
no sanitisation of user input
no type casting
not using the proper method in the query: placeholders
(prepared statements)
SQL Injection
Typical Impact
spy out or manipulate data
manipulate the DB server or access underlying OS
bypass authentication or gain admin privileges
Correlation with information leakage
attackers use error messages or codes to verify the
success of an attack and to gather information
SQL Injection
SQL Injection
Bypass Authentication
admin' --
admin' #
admin' /*
' or 1=1 --
' or 1=1 #
(the quote closes the string literal; --, # and /* comment out the
rest of the statement, including the password check)
SQL Injection
Fix: use placeholders (prepared statements / parameterised queries)
so user input is passed to the database as data and never spliced
into the SQL string
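Added example, not from the original slides, showing the authentication bypass above against a concatenated query and the same login done with placeholders. The table, the accounts and the in-memory SQLite database are constructed for the demonstration; only the "--" comment payloads are exercised because "#" is MySQL-specific.

```php
<?php
// Added example: SQL injection login bypass vs. prepared statement.
// Illustrative code, not the slides' own.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// Plaintext passwords only to keep the slide's query shape; real code stores
// password_hash() output and compares with password_verify().
$db->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: user input concatenated into the SQL text.
function login_vulnerable(PDO $db, string $user, string $pass): ?string {
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Fixed: placeholders. The driver sends the values separately from the
// statement, so a quote in the input is just a character in the data.
function login_safe(PDO $db, string $user, string $pass): ?string {
    $stmt = $db->prepare("SELECT username FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// The slide's payloads plus an honest wrong password.
$attempts = [
    ["admin' --",   'anything'],   // comments out the password check
    ["' or 1=1 --", 'anything'],   // matches every row; first row wins
    ['admin',       'wrong'],      // legitimate but wrong
];
foreach ($attempts as [$u, $p]) {
    printf("%-14s vulnerable=%-6s safe=%s\n", $u,
        login_vulnerable($db, $u, $p) ?? 'null',
        login_safe($db, $u, $p) ?? 'null');
}
// Both injection payloads log in as admin through login_vulnerable() and
// return null through login_safe(); admin/wrong returns null through both.
```

Placeholders cover values only. Identifiers (table or column names) and ORDER BY direction cannot be bound, so if those come from the user they need an allowlist, exactly as in the include() example earlier.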
XSS
Cross Site Scripting
File Upload
File Upload
allowing a user to upload a file to a website:
potentially opens a door for attacks/exploits
without validation and protection:
a user can upload a server-side script / shell code
and the server can be totally pwned with ease
File Upload
File upload to the document root without validation:
a malicious user can access the uploaded file directly through
its URL
leaving the server totally vulnerable and open to total
compromise
File Upload
Sample exploitable file upload
// upload to document root / no validation / accessible via URL
//
<?php
// deliberately vulnerable: client-supplied name, no type or size check,
// stored under the web root where a .php upload is executed on request
$target_path = "uploads/";
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file " . basename($_FILES['uploadedfile']['name']) . " has been uploaded";
} else {
    echo "There was an error uploading the file, please try again!";
}
?>
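A hardened counterpart to the upload code above, added here as an example and not taken from the slides. It keeps the file out of the document root, decides the type from the bytes rather than the client-supplied name, lets the server pick the filename, and serves downloads through a handler so nothing uploaded is ever executed. The storage directory, size limit and allowed types are assumptions.

```php
<?php
// Added example: hardened file upload in PHP. Illustrative code, not the slides' own.

const UPLOAD_DIR = '/var/app/uploads';   // assumed path, OUTSIDE the document root
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = [                     // sniffed MIME type => extension we assign
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

// Returns the stored path, or throws with the reason. $file is one entry of $_FILES.
function store_upload(array $file, string $dir = UPLOAD_DIR): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    // Only accept files PHP itself received in this request, so the function
    // cannot be pointed at arbitrary server paths.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type from the bytes, never from $file['name'] or $file['type'] (both
    // are attacker-controlled).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }
    // Server-chosen name: no user extension (so no .php/.phtml), no path
    // separators, no collisions.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // not executable, not world-readable
    return $dest;
}

// Downloads go through this handler, never by URL into the directory, so the
// web server never gets the chance to execute what was uploaded.
function send_upload(string $name, string $dir = UPLOAD_DIR): void {
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg|pdf)\z/', $name)) {   // only names we issue
        http_response_code(404); exit;
    }
    $path = rtrim($dir, '/') . '/' . $name;
    if (!is_file($path)) { http_response_code(404); exit; }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Upload handler:
// try {
//     $stored = store_upload($_FILES['uploadedfile']);
//     echo "The file has been uploaded\n";          // do not echo the stored path
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo $e->getMessage(), "\n";
// }
```

Even with these checks a valid PNG can carry PHP code in its metadata; that is harmless only because the file lives outside the web root and is never handed to the PHP interpreter. If uploads must live under the web root, the web server configuration for that directory has to disable script execution as a second line of defence.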
Resources Location
Prediction
Resources Prediction
scan the web server with a list of commonly named files,
folders and CGIs to find:
outdated, vulnerable server software
directory listing / traversal
etc
Resources Prediction
Nikto: web server scanner written in Perl
Social Engineering
Attack
https://www.facebook.com/notes/facebook-security/national-cybersecurityawareness-month-updates/10150335022240766