Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

A participant will acquire the following skills: detecting complex vulnerabilities in web applications, manually analyzing the results of scanning web application security, assessing efficiency of specialized means of protection, such as a web application firewall.


Presentation Transcript

  • Web vulnerabilities: difficult cases (master class)
  • Greetings
  • Questions to discuss
    • HTTP Verb Tampering
    • Fragmented SQL Injections
    • HTTP Parameter Pollution
    • Reversible encryption
  • HTTP Verb Tampering
    • HTTP Verb Tampering exploits an access-control error: a restriction is enforced for some HTTP methods but not for others.
      • Usually an administration (configuration) error
      • In a particular case, the vendor's error
  • HTTP Verb Tampering
    • What’s the method ?
  • HTTP Verb Tampering
    • Why ?
  • HTTP Verb Tampering
    • Exploitation
      • Real-life example (JBoss auth bypass)
  • HTTP Verb Tampering
    • Exploitation
      • Practical task http://stat.local/
      • Shown on the slide: the .htaccess file, the result of a GET request, and the result of a HACK request
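The following Python script is an added example and is not part of the talk: it audits a constructed .htaccess in the shape the exercise describes (a Require inside a <Limit> that lists only GET and POST) and can probe a URL with several verbs to see which ones bypass the check. The file contents, the probe list and any URL you pass are assumptions for illustration; the Apache rule it encodes (a <Limit> body applies only to the listed verbs, a listed GET also covers HEAD, a Require outside any block covers every verb) is Apache's documented behaviour.

```python
"""Audit an Apache <Limit>/<LimitExcept> block for verb-tampering exposure and probe a target."""
import re
import urllib.error
import urllib.request

# Constructed .htaccess in the shape the talk describes: authentication is only
# enforced for the verbs listed in <Limit>, so any other verb reaches the content.
VULNERABLE_HTACCESS = """
AuthType Basic
AuthName "stat"
AuthUserFile /var/www/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

# Corrected form: Require is applied unconditionally, whatever verb the client sends.
FIXED_HTACCESS = """
AuthType Basic
AuthName "stat"
AuthUserFile /var/www/.htpasswd
Require valid-user
"""

# Verbs worth trying; HACK stands for any verb the server does not know.
PROBES = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "HACK")


def _verbs(spec: str) -> set:
    verbs = {v.upper() for v in spec.split()}
    if "GET" in verbs:
        verbs.add("HEAD")  # Apache treats a listed GET as covering HEAD too
    return verbs


def unprotected_methods(htaccess: str, probes=PROBES) -> list:
    """Return the probe verbs that reach the resource without passing a Require.

    Apache applies a <Limit> body only to the listed verbs and a <LimitExcept>
    body only to the unlisted ones; a Require placed outside both covers all verbs.
    """
    no_blocks = re.sub(r"<Limit(?:Except)?\b.*?</Limit(?:Except)?>", "", htaccess,
                       flags=re.S | re.I)
    if re.search(r"^\s*Require\b", no_blocks, flags=re.M | re.I):
        return []
    protected = set()
    for kind, spec, body in re.findall(
            r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>", htaccess, flags=re.S | re.I):
        if not re.search(r"\bRequire\b", body, flags=re.I):
            continue
        listed = _verbs(spec)
        if kind.lower() == "limit":
            protected |= listed
        else:
            protected |= {p for p in probes if p not in listed}
    return [p for p in probes if p not in protected]


def probe(url: str, methods=PROBES, timeout: float = 5.0) -> dict:
    """Send each verb to url and collect the status code (needs network access).

    A 401/403 for GET next to a 200 for HACK is the verb-tampering signature:
    the handler served the page although the method was not even a real one.
    """
    results = {}
    for method in methods:
        req = urllib.request.Request(url, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[method] = resp.status
        except urllib.error.HTTPError as err:
            results[method] = err.code
    return results


if __name__ == "__main__":
    print("vulnerable:", unprotected_methods(VULNERABLE_HTACCESS))
    print("fixed:     ", unprotected_methods(FIXED_HTACCESS))
```

Run it without arguments to see the audit of the two embedded configurations; call probe("http://stat.local/") (hypothetical host from the exercise) against a live target to compare status codes per verb. The fix is not to enumerate more verbs inside <Limit> but to move the Require outside the block, as in FIXED_HTACCESS.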
  • Fragmented SQL Injections
    • SQL injection is a vulnerability caused by incorrect processing of input data by the application: user data passed through the web application alters the SQL query, and the altered query is what the attacker exploits.
      • Insufficient data filtering
  • Fragmented SQL Injections
    • What’s the method ?
    • Do not forget correct filtering!
    • Structure of a valid query (MySQL database):
    • INSERT INTO table1 (c1,c2) VALUES ('value1', 'value2');
    • The same query with SQL commands injected through the two values a\ and , user()); -- 1 (the backslash after a is the essential character):
    • INSERT INTO table1 (c1,c2) VALUES ('a\', ', user()); -- 1');
  • Fragmented SQL Injections
    • Why ?
    If the backslash (\) is not filtered, an attacker can use it to escape the quote that should close a string literal in the query, so the database no longer treats that quote as the end of the string. The literal then runs on into the next parameter, and whatever that parameter contains is parsed as SQL. Exploitation therefore requires a query with more than one attacker-controlled string value. Remember: it is necessary to filter not only user data, but also data read back from the database, because a value that was stored safely can still break a later query.
  • Fragmented SQL Injections
    • Exploitation
      • Real-life example (Coppermine Photo Gallery <= 1.4.19)
    • The backslash (\) is not filtered in GET, POST and REQUEST data.
    • You can put a backslash in the email parameter.
    • Exploitation happens through a later (second-order) database query, when you access system features after authorization.
  • Fragmented SQL Injections
    • Exploitation
      • Practical task
      • http://tracker.local/index.php
    "A bug-tracking system for source code."
  • Fragmented SQL Injections
    • Exploitation
      • Practical task
      • http://tracker.local/add.php
    Vulnerable code (add.php):
        if (isset($_POST['code']) && isset($_POST['fix'])) {
            $code = htmlspecialchars($_POST['code']);
            $fix  = htmlspecialchars($_POST['fix']);
            …
            mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
        }
    The database query looks as follows:
        INSERT INTO track (bug,fix) VALUES ('value1','value2');
  • Fragmented SQL Injections
    • Exploitation
      • Practical task
      • http://tracker.local/add.php
    With code = a\ and fix = , user()); -- 1 the same concatenation in add.php produces:
        INSERT INTO track (bug,fix) VALUES ('a\',', user()); -- 1');
    The backslash escapes the quote that should close the first literal, so the first string becomes a', and the remainder of the fix parameter is parsed as SQL: the second column receives user(), and -- comments out the original tail of the statement.
  • Fragmented SQL Injections
    • Exploitation
      • Practical task
      • http://tracker.local/view.php
    view.php lists the stored records: as a result, the fix column of the track table contains the output of user(), i.e. the database account the application connects with.
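The Python below is an added example, not code from the talk, that reproduces the fragmented injection without a MySQL server: it builds the add.php query string with two different escapers and then splits the result the way MySQL's lexer does when backslash escapes are enabled (the default). The quotes-only escaper is an assumption standing in for whatever filtering the elided part of add.php performs; the payload values are the ones from the slides. The point it makes visible is that escaping quotes without escaping the backslash leaves the second parameter outside any string literal, while escaping the backslash first keeps both values inside their literals. The real fix is a prepared statement; the escaper comparison only shows why the talk's rule "filter the backslash too" matters.

```python
"""Fragmented SQL injection: why an unescaped backslash lets two parameters merge."""


def escape_quotes_only(value: str) -> str:
    """Naive filter assumed for the example: escapes quotes, leaves backslashes alone."""
    return value.replace("'", "\\'")


def escape_mysql(value: str) -> str:
    """Backslash first, then quotes: the order mysql_real_escape_string uses."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace("\x00", "\\0")


def build_insert(code: str, fix: str, escape) -> str:
    """Mirror the add.php concatenation from the talk with a pluggable escaper."""
    return "INSERT INTO track (bug,fix) VALUES ('%s','%s')" % (escape(code), escape(fix))


def split_literals(sql: str):
    """Split sql the way MySQL's lexer does with backslash escapes enabled.

    Returns (literals, code): the decoded string literals and the text that sits
    outside them, which is what gets executed.  Stops at a '-- ' or '#' comment.
    """
    literals, code, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            buf, i = [], i + 1
            while i < n:
                c = sql[i]
                if c == "\\" and i + 1 < n:                          # \x escapes next char
                    buf.append(sql[i + 1]); i += 2
                elif c == "'" and i + 1 < n and sql[i + 1] == "'":  # '' is one quote
                    buf.append("'"); i += 2
                elif c == "'":                                       # closing quote
                    i += 1; break
                else:
                    buf.append(c); i += 1
            literals.append("".join(buf))
        elif sql.startswith("-- ", i) or ch == "#":
            break                                                    # rest is a comment
        else:
            code.append(ch); i += 1
    return literals, "".join(code)


# Constructed payload matching the slides: a trailing backslash in `code` swallows
# the quote that should close its literal, so `fix` lands outside any string.
PAYLOAD_CODE = "a\\"                 # sent as  a\
PAYLOAD_FIX = ", user()); -- 1"


def analyse(escape):
    """Return (literals, injected): the literals MySQL sees and whether user() runs as SQL."""
    literals, code = split_literals(build_insert(PAYLOAD_CODE, PAYLOAD_FIX, escape))
    return literals, "user()" in code


if __name__ == "__main__":
    print("quotes only :", analyse(escape_quotes_only))
    print("mysql escape:", analyse(escape_mysql))
```

With the quotes-only escaper the lexer sees a single literal a', followed by , user()) as executable SQL; with backslashes escaped it sees two literals, a\ and the whole fix string, and nothing is injected. The same split_literals check is useful for second-order cases such as the Coppermine example: feed it the query built from a value read back out of the database.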
  • HTTP Parameter Pollution
    • HTTP Parameter Pollution arises because different platforms (web server and application language) handle a sequence of HTTP request parameters with the same name differently.
  • HTTP Parameter Pollution
    Technology / environment                       Handling of duplicate parameters   Example
    ASP.NET / IIS                                  concatenated with a comma          par1=val1,val2
    ASP / IIS                                      concatenated with a comma          par1=val1,val2
    PHP / Apache                                   last occurrence wins               par1=val2
    PHP / Zeus                                     last occurrence wins               par1=val2
    JSP, Servlet / Apache Tomcat                   first occurrence wins              par1=val1
    JSP, Servlet / Oracle Application Server 10g   first occurrence wins              par1=val1
    JSP, Servlet / Jetty                           first occurrence wins              par1=val1
    IBM Lotus Domino                               first occurrence wins              par1=val1
    IBM HTTP Server                                last occurrence wins               par1=val2
    mod_perl, libapreq2 / Apache                   first occurrence wins              par1=val1
    Perl CGI / Apache                              first occurrence wins              par1=val1
    mod_perl / Apache                              first occurrence wins              par1=val1
    mod_wsgi (Python) / Apache                     returns an array                   ARRAY(0x8b9058c)
    Python / Zope                                  first occurrence wins              par1=val1
    IceWarp                                        returns an array                   ['val1','val2']
    AXIS 2400                                      last occurrence wins               par1=val2
    Linksys Wireless-G PTZ Internet Camera         concatenated with a comma          par1=val1,val2
    Ricoh Aficio 1022 Printer                      last occurrence wins               par1=val2
    webcamXP Pro                                   first occurrence wins              par1=val1
    DBMan                                          concatenated with two tildes       par1=val1~~val2
  • HTTP Parameter Pollution
    • The PHP case.
    • An interesting setting: variables_order in php.ini
    • (it defines the order in which request variables are registered).
    • Why is it interesting?
    • GET /?id=1
    • Cookie: id=2
    • Result:
    • $_GET['id'] = 1
    • $_REQUEST['id'] = 2
    • A frequent error in request processing:
    • $_GET is validated, but the value actually used is taken from $_REQUEST.
  • HTTP Parameter Pollution
    • Exploitation
      • Real-life example (the www.blogger.com blog service)
      • Reported under Google's "Rewarding web application security research" program
      • Error in processing the input settings: the first matching value is validated, but the last one is used.
      • Presumably the check is performed on QUERY_STRING, and the variables are then assigned from the array of parsed request data.
  • HTTP Parameter Pollution
    • Exploitation
      • Practical task
      • http://blogger.local/index.php
  • HTTP Parameter Pollution
    • Exploitation
      • Practical task
      • http://blogger.local/register.php
  • HTTP Parameter Pollution
    • Exploitation
      • Practical task
      • http://blogger.local/invite.php
  • HTTP Parameter Pollution
    • Exploitation
      • Practical task
      • http://blogger.local/invite.php
  • HTTP Parameter Pollution
    • Exploitation
      • Practical task
      • http://blogger.local/invite.php
    gpc_order (php.ini) is set to "GPC"
  • HTTP Parameter Pollution
    • Exploitation
      • Practical task
      • http://blogger.local/add.php
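Added Python example, not from the talk, that models both halves of the problem: how the platforms in the table above collapse a repeated parameter, and how PHP fills $_GET, $_COOKIE and $_REQUEST from a query string and a Cookie header so that a value validated in one array is used from the other. The vulnerable and fixed handlers and the SQL they build are hypothetical stand-ins for the blogger.local pages. One caveat: since PHP 5.3 the request_order directive decides what goes into $_REQUEST and the shipped php.ini sets it to "GP" (no cookies); the cookie override shown here applies when request_order is unset and the variables_order default EGPCS (or the "GPC" order the slides name) is in effect.

```python
"""HTTP Parameter Pollution: duplicate-parameter policies and the PHP $_GET/$_REQUEST mix-up."""
from urllib.parse import parse_qsl


def resolve(query: str, policy: str) -> dict:
    """Collapse duplicate names the way the platforms in the talk's table do.

    policy: 'first' (Tomcat, Jetty, Perl CGI ...), 'last' (PHP/Apache, IBM HTTP Server ...),
            'comma' (ASP and ASP.NET on IIS), 'all' (mod_wsgi, IceWarp: every value kept).
    """
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    if policy == "first":
        return {k: v[0] for k, v in params.items()}
    if policy == "last":
        return {k: v[-1] for k, v in params.items()}
    if policy == "comma":
        return {k: ",".join(v) for k, v in params.items()}
    if policy == "all":
        return params
    raise ValueError("unknown policy: %s" % policy)


def cookie_to_query(header: str) -> str:
    """Turn 'a=1; b=2' into 'a=1&b=2' so the same parser can handle it."""
    return "&".join(part.strip() for part in header.split(";") if part.strip())


def php_superglobals(query="", post="", cookie="", order="GPC"):
    """Build $_GET, $_POST, $_COOKIE and $_REQUEST as PHP does.

    Within one source the last duplicate wins; $_REQUEST is then filled in the order
    given by `order` (variables_order / request_order), later sources overwriting earlier.
    """
    sources = {"G": resolve(query, "last"),
               "P": resolve(post, "last"),
               "C": resolve(cookie_to_query(cookie), "last")}
    request = {}
    for letter in order.upper():
        request.update(sources[letter])
    return sources["G"], sources["P"], sources["C"], request


def handler_vulnerable(get: dict, request: dict):
    """Hypothetical page: validates $_GET['id'] but builds the query from $_REQUEST['id']."""
    if not get.get("id", "").isdigit():
        return None
    return "SELECT * FROM posts WHERE id=" + request["id"]


def handler_fixed(get: dict, request: dict):
    """Validate and use the same value from the same source."""
    value = get.get("id", "")
    if not value.isdigit():
        return None
    return "SELECT * FROM posts WHERE id=" + value


def demo():
    """Constructed request: the checked value travels in the query string, the used one in a cookie."""
    get, _post, _cookie, request = php_superglobals(query="id=1",
                                                     cookie="id=2%20OR%201%3D1")
    return handler_vulnerable(get, request), handler_fixed(get, request)


if __name__ == "__main__":
    for policy in ("first", "last", "comma", "all"):
        print(policy, resolve("par1=val1&par1=val2", policy))
    print(demo())
```

The first output lines reproduce the rows of the table for one query string; the last line shows the vulnerable handler passing its check on id=1 and then embedding the cookie's value in SQL, while the fixed handler uses the value it validated. The same pattern applies to a WAF that normalises one parameter source and lets the application read another.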
  • Reversible Encryption
    • Reversible encryption in a web application is potentially unsafe, because an attacker who recovers the key can turn it against the application in:
      • Exploitation of an SQL injection vulnerability;
      • Information disclosure (database dump);
      • Arbitrary file reading;
      • and so on.
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local/news.php
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local/news.php
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local/news.php
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local/
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local/
      • http://portal.local/xor_tool/
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local/
    FAILED.
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local/
    • User "test" with the password "123456789 1 0 qwerty"
    2. test : UFBQR1FQRk9cQ0QIFgcRBx0=
  • Reversible Encryption
    • Exploitation
      • Practical task
      • http://portal.local/
      • http://portal.local/xor_tool/
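Added example (not the talk's xor_tool) showing the attack the portal.local exercise walks through: with a repeating-key XOR scheme, one account whose password you know yields the keystream, the period of that keystream yields the key, and every other stored password follows. The key, the passwords and the stored tokens below are constructed for the example. The script also checks one thing a practitioner can verify from the slide alone: the token UFBQR1FQRk9cQ0QIFgcRBx0= decodes to 17 bytes, so the ciphertext is exactly as long as its plaintext, which is what an unpadded XOR produces and what a block cipher with padding or a password hash would not.

```python
"""Reversible (XOR) 'encryption': recover the key from one known password and decrypt the rest."""
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt(plaintext: str, key: bytes) -> str:
    """The toy scheme assumed here: repeating-key XOR, base64-encoded. Not the page's code."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def ciphertext_length(token: str) -> int:
    """Length of the raw ciphertext; equal to the plaintext length is the XOR tell."""
    return len(base64.b64decode(token))


def recover_keystream(known_plaintext: str, token: str) -> bytes:
    """C ^ P = K for every byte covered by the known plaintext."""
    return bytes(c ^ p for c, p in zip(base64.b64decode(token), known_plaintext.encode()))


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream repeats every p bytes; len(stream) if it never repeats."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def decrypt(token: str, key: bytes) -> str:
    return xor_bytes(base64.b64decode(token), key).decode(errors="replace")


# Constructed data: the attacker controls account "test" and knows its password;
# the other token is read from the same table (SQL injection, dump, file read).
SECRET_KEY = b"s3cr3t!"
STORED = {
    "test": encrypt("test-password-1", SECRET_KEY),
    "admin": encrypt("correct horse battery staple", SECRET_KEY),
}


def attack(known_user="test", known_password="test-password-1"):
    """Recover the key from the known account and decrypt every stored token.

    If the known password is shorter than the key, only a prefix of the keystream is
    recovered and longer tokens decrypt correctly only up to that prefix; registering
    an account with a long password (the "test" user of the exercise) avoids that.
    """
    keystream = recover_keystream(known_password, STORED[known_user])
    key = keystream[:shortest_period(keystream)]
    return {user: decrypt(token, key) for user, token in STORED.items()}


if __name__ == "__main__":
    print("slide token length:", ciphertext_length("UFBQR1FQRk9cQ0QIFgcRBx0="))
    for user, password in attack().items():
        print(user, "->", password)
```

The shortest_period step is what turns a keystream recovered from a 15-character password into a 7-byte key that also decrypts the 28-character admin password. The defence is not a longer XOR key but storing passwords only as salted hashes, since nothing in the application ever needs the plaintext back.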
  • Instead of conclusions
      • What’s next?
      • Try to do practical tasks
      • Take part in competitions
  • Thank you for your attention! Questions? [email_address]