nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection
•
2 likes•647 views
(secure) SiteHoster – Disable XSS & SQL Injection by Abhishek Kumar
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection
Similar to nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection (20)
More from n|u - The Open Security Community
More from n|u - The Open Security Community (20)
Recently uploaded
Recently uploaded (20)
nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection
- 1. http://nullcon.net NEW CONCEPTS DEFEATING WEB ATTACKS (secure) SiteHoster
- 2. Family Named: AbhishekKr Friends Call: ABK g33k Handle: aBionic IndependentSecurity Enthusiast/Researcher Also a Member of „EvilFingers‟ (other than ‘NULL’) Application-Developer in ThoughtWorks Inc. OpenSource Lover http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB
- 3. Other than expanding to (secure)SiteHoster A Fresh A Lab (s)SH Approach RAT http://sourceforge.net/projects/sitehoster http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB
- 4. http://null.co.in http://nullcon.net It‟s The Same Old Problem aBionic@ twitter,linkedin,FB
- 5. http://null.co.in http://nullcon.net Same Old Problem With A New Perspective To Solve It aBionic@ twitter,linkedin,FB
- 6. http://null.co.in http://nullcon.net offensive security to secure aBionic@ ATTACK THE ATTACKER twitter,linkedin,FB
- 7. http://null.co.in http://nullcon.net Major Threats for Web Applications Stats are not same (of 2009) … aBionic@ twitter,linkedin,FB But t h r e a t s are
- 8. XSS Defeating Concept always aim the strongest opponent first, makes you win battle easily http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB
- 9. IT IS JUST A PIECE OF CODE aBionic@twitter,linkedin,FB
- 10. <TAGS/> R GooD aBionic@twitter,linkedin,FB
- 11. And if it’s Code… aBionic@twitter,linkedin,FB
- 12. http://null.co.in http://nullcon.net !dea is to aBionic@ BUG twitter,linkedin,FB
- 13. http://null.co.in http://nullcon.net 3 Major XSS Attack Patterns All Effect From Options of User Input, a Web2.0 Gift aBionic@ twitter,linkedin,FB
- 14. + Karthik calling Karthik… http://null.co.in + User (tricked) Input… http://nullcon.net Included or injected <script/> What You See Is (*NOT*) What You Get aBionic@ twitter,linkedin,FB
- 15. http://null.co.in http://nullcon.net Who calls, or who injects What finally happens is unwanted <script/> aBionic@ twitter,linkedin,FB
- 16. http://null.co.in http://nullcon.net Disarm <script/> Take away all its POWER!!!!! aBionic@ twitter,linkedin,FB
- 17. http://null.co.in http://nullcon.net Dis-Infect Entire Body To kill all unwanted „Creepy-Living‟ Beings aBionic@ twitter,linkedin,FB
- 18. Generated HyperText <html> <head><script>function h(){alert(“some dev-script in HEAD Tag”);}</script></head> <body> <script DEFER>heavy_stuff=true;</script> name: <div id=”fromDB” onMouseOver=”h();”> <script>alert(„attacker injected it, could do anything‟);</script> </div> </body> </html> aBionic@twitter,linkedin,FB
- 19. Server Patched View <html> <head> <script> function h(){alert(“this is dev-scripts in HEAD Tag”);}</script> </head> <BD> <BODY > <script DEFER>heavy_stuff=true;</script> <script type='text/javascript'> x=document.getElementsByTagName("BODY"); x[0].innerHTML = "name:<div id="fromDB" onclick="h();"> <script>alert('attacker injected it, could do anything');</script></div>“; </script> </BODY> </BD> </html> aBionic@twitter,linkedin,FB
- 20. http://null.co.in http://nullcon.net But… still …other two monkeys got a chance aBionic@ twitter,linkedin,FB
- 21. http://null.co.in http://nullcon.net „javascript:‟ may effect as aBionic@ twitter,linkedin,FB
- 22. http://null.co.in http://nullcon.net So „javascript:<bugMe/>‟ aBionic@ twitter,linkedin,FB
- 23. http://null.co.in http://nullcon.net 1 Monkey can wreck havoc 2 are pwn3d… but 3rd is powerful enough aBionic@ twitter,linkedin,FB
- 24. http://null.co.in http://nullcon.net „Be Kind‟ on Entropy -says „JS-Events‟ aBionic@ twitter,linkedin,FB
- 25. http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB
- 26. Ninja Parse User Input aBionic@twitter,linkedin,FB
- 27. Bug-it-su pwn JS-Events aBionic@twitter,linkedin,FB
- 28. hardcore ‘js-events’ pwnage aBionic@twitter,linkedin,FB
- 29. http://null.co.in http://nullcon.net XSS Attack gets bugged <TAGS/> go Green aBionic@ twitter,linkedin,FB
- 30. http://null.co.in http://nullcon.net Innocence Is Saved Normal User Input Matching Attack aint Filtered aBionic@ twitter,linkedin,FB
- 31. http://null.co.in http://nullcon.net All Monkeys Defeated And so are Script-Junkies aBionic@ twitter,linkedin,FB
- 32. CURRENTLY JUST DEV PERSPECTIVE aBionic@twitter,linkedin,FB
- 33. For Un-Privileged AXNs aBionic@twitter,linkedin,FB
- 34. Old Wine, Why Not Always Used DB all boss Read on Read,write.* Table T1 Read,Write on Table t2 User- Web-App Mapper aBionic@twitter,linkedin,FB
- 35. http://null.co.in http://nullcon.net & For Condition Match An A Apple Hash A An Day Input Keeps The Doctor Attacker Away aBionic@ twitter,linkedin,FB
- 36. I Tweet Tech: http://www.twitter.com/aBionic I Blog Tech: http://abhishekkr.wordpress.com/ I OpenSource GitHub: https://github.com/abhishekkr SourceForge: http://sourceforge.net/users/abhishekkr I Socialize: http://www.facebook.com/aBionic I Techalize: http://in.linkedin.com/in/abionic I Deviantize: http://abhishekkr.deviantart.com/ http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB