nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection

(secure) SiteHoster – Disable XSS & SQL Injection by Abhishek Kumar

Published in Technology

  • 2. Family Name: AbhishekKr; Friends Call: ABK; g33k Handle: aBionic; Independent Security Enthusiast/Researcher; Also a Member of 'EvilFingers' (other than 'NULL'); Application Developer at ThoughtWorks Inc.; OpenSource Lover. (Contact footer on every slide: aBionic @ twitter, linkedin, FB)
  • 3. Other than expanding to (secure)SiteHoster: (s)SH is A Fresh Approach, A Lab RAT
  • 4. It's The Same Old Problem
  • 5. Same Old Problem With A New Perspective To Solve It
  • 6. Offensive security to secure: ATTACK THE ATTACKER
  • 7. Major Threats for Web Applications. Stats are not the same (these are of 2009)... but the threats are
  • 8. XSS Defeating Concept: always aim at the strongest opponent first; it makes you win the battle easily
  • 9. IT IS JUST A PIECE OF CODE
  • 10. <TAGS/> R GooD
  • 11. And if it's Code...
  • 12. !dea is to BUG it
  • 13. 3 Major XSS Attack Patterns. All result from the options given to user input, a Web 2.0 gift
  • 14. + Karthik calling Karthik... + User (tricked) Input... Included or injected <script/>. What You See Is (*NOT*) What You Get
  • 15. Whoever calls, or whoever injects, what finally happens is an unwanted <script/>
  • 16. Disarm <script/>: take away all its POWER!!!!!
  • 17. Dis-Infect the Entire Body to kill all unwanted 'Creepy-Living' Beings
  • 18. Generated HyperText
        <html>
        <head><script>function h(){alert("some dev-script in HEAD Tag");}</script></head>
        <body>
        <script DEFER>heavy_stuff=true;</script>
        name: <div id="fromDB" onMouseOver="h();"><script>alert('attacker injected it, could do anything');</script></div>
        </body>
        </html>
  • 19. Server Patched View
        <html>
        <head><script>function h(){alert("this is dev-scripts in HEAD Tag");}</script></head>
        <BD><BODY>
        <script DEFER>heavy_stuff=true;</script>
        <!-- DB content is written into the body via innerHTML: a <script> element inserted this way is not executed by the browser, but the onclick handler is still live -->
        <script type="text/javascript">
        x=document.getElementsByTagName("BODY");
        x[0].innerHTML = "name:<div id='fromDB' onclick='h();'><script>alert(\"attacker injected it, could do anything\");<\/script></div>";
        </script>
        </BODY></BD>
        </html>
  • 20. But... still... the other two monkeys got a chance
  • 21. 'javascript:' may effect as
  • 22. So 'javascript:<bugMe/>'
  • 23. 1 Monkey can wreak havoc; 2 are pwn3d... but the 3rd is powerful enough
  • 24. 'Be Kind' on Entropy, says 'JS-Events'
  • 25. (image slide, no text)
  • 26. Ninja Parse User Input
  • 27. Bug-it-su pwn JS-Events
  • 28. hardcore 'js-events' pwnage
  • 29. XSS Attack gets bugged; <TAGS/> go Green
  • 30. Innocence Is Saved: normal user input that happens to match an attack pattern ain't filtered
  • 31. All Monkeys Defeated, and so are Script-Junkies
  • 32. CURRENTLY JUST DEV PERSPECTIVE
  • 33. For Un-Privileged AXNs
  • 34. Old Wine, Why Not Always Used: a User / Web-App Mapper onto DB privileges; all boss: Read, Write on *; Read on Table T1; Read, Write on Table t2
  • 35. & For Condition Match: "An Apple A Day Keeps The Doctor Away" / "A Hash An Input Keeps The Attacker Away"
  • 36. I Tweet Tech: / I Blog Tech: / I OpenSource: GitHub, SourceForge / I Socialize: / I Techalize: / I Deviantize:
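Slides 18 and 19 show DB content being written into the page through innerHTML so that an injected <script> element does not execute, and slides 20 to 23 note that the other two "monkeys", 'javascript:' URLs and JS event handlers, are still live after that patch. The example below is added here and is not code from the deck or from (secure)SiteHoster; it shows the standard defender-side complement, escaping DB/user content for the HTML context it lands in and restricting link schemes to http/https. The function names (escapeHtml, safeHref, renderName), the placeholder base URL and the sample payload are assumptions made for the example.

```javascript
// Added example, not code from the nullcon 2011 deck: escape DB/user content for
// the HTML context it lands in, and reject non-http(s) link schemes. Function
// names, the placeholder base URL and the sample payload are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text and quoted-attribute context: every character that could open a tag,
// close a quoted attribute or start an entity is replaced by its entity, so an
// injected <script> or onmouseover= arrives as inert text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL context (href/src): escaping alone does not neutralise "javascript:" URLs,
// so the scheme is checked with the WHATWG URL parser, which also strips the
// tab and newline characters browsers ignore inside a scheme. Relative links
// resolve against the placeholder base and are returned in their original form.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url), 'https://example.invalid/'); // placeholder base
  } catch {
    return '#';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '#';
  return escapeHtml(url);
}

// The "name:" div from slide 18, with the DB value escaped instead of written raw.
function renderName(fromDb) {
  return `name: <div id="fromDB">${escapeHtml(fromDb)}</div>`;
}

// Constructed sample mirroring the deck's injected payload (a benign alert only).
const INJECTED_NAME = '<script>alert("attacker injected it, could do anything");</script>';

// Runs the three contexts over constructed inputs and returns the rendered results.
function demo() {
  return {
    escaped: renderName(INJECTED_NAME),
    plain: renderName('Karthik'),
    jsUrl: safeHref('javascript:alert(1)'),
    splitJsUrl: safeHref('java\nscript:alert(1)'),
    httpsUrl: safeHref('https://example.org/?a=1&b=2'),
    relativeUrl: safeHref('/profile?id=7'),
  };
}

console.log(demo());
```

The point of keeping two separate functions is that the fix depends on where the value is placed: escapeHtml is enough for element text and quoted attribute values, while a value placed in href or src must additionally have its scheme checked, since '&lt;' does nothing to a 'javascript:' URL.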