Judul: Hack using Mozilla FireFox Pembicara: Ahmad Prayitno Acara: Seminar Internasional Teknomatika Lokasi: Auditorium UNIS Tanggal: 23 Oktober 2016

1. Hack Using Firefox
Ahmad Prayitno,CEH
ahmad.prayitno@gmail.com

2.  Reconnaissance
 Cross Site Scripting (XSS)
 Cross Site Request Forgery (CSRF)
 SQL Injection
Agenda

3. Reconnaissance

4. What is Reconaissance
 Finding as much information about the
target as possible before launching the
first attack

5. Types Of Reconaissance
Active Reconaissance
Passive Reconaissance

6. Active Reconaissance
Active reconnaissance is a type of reconnaissance in which an
attacker engages with the targeted person/corporate to
gather information.
 DNS
 Whois
 Netcraft
 Archives
 Search Engine
 Social Media

7. Passive Reconnaissance
Passive reconnaissance is an attempt to gain
information about targeted person/corporate without
actively engaging with the systems.
 Go to Target Office
 Interview with target
 Read from newspaper
 Etc

8. Useful Information
 Names (administrative, technical, billing contacts) for social
engineering attack
 Telephone numbers
 Email addresses
 Format of email addresses eg. First.last@abc.com
 Family (Wife/Husband, Childre, etc)
 Places
 Birthday

9.  Wappalyzer
 WorldIP
 Site Information
Firefox Addon

10. XSS

11. What is XSS
 Cross-Site Scripting (XSS) attacks are a type of
injection, in which malicious scripts are injected into
trusted web sites. XSS attacks occur when an attacker
uses a web application to send malicious code,
generally in the form of a browser side script, to a
different end user.

12. XSS Type
 Reflected XSS
Triggers off of a link
Interactive
Example : victim.com/{vulnerable_here}
 Stored XSS
Persistent
Triggers when the exploited page is viewed
Example : Comment forms

13. XSS Attack
 XSS attack works this way:
 The attacker identifies a web site that has one or more XSS bugs (for example
echoing data input, or lacking data input validation)
 The attacker crafts a special URL that includes a malformed and malicious
querystring containing HTML and script
 The attacker finds a victim and gets him to click the link
 The victim clicks the link and the victim’s browser makes a request to the
vulnerable server, passing the malicious querystring. And cookies.
 The vulnerable server echoes malicious input, including the script, back to the
victim’s browser
 The victim’s browser executes the malicious script, which may be crafted to pass
data from the victim to the attacker, or other actions

14. Cross-Site Scripting Attack in Action
1. The attacker sends a victim a link
containing a malicious payload.
2. The victim, tricked into clicking the
link, sends a request (and the
payload) to the vulnerable
application interface.
3. The interface (i.e. a user registration form) accepts the request
(and payload), and responds with a confirmation screen.
Embedded in the confirmation screen is the malicious code, which
has been formatted in such a way that a browser will interpret it as
if it were any other JavaScript code.
4. When the victim receives the response, the browser executes the
payload, which could send cookie values (including session
identifiers) and other sensitive data to the attacker.

15. Attack Vectors
 Forms that are filled out where values are later presented to
the user
 Web message boards that allow users to post their own
messages

16. Why Cookies
 Because Cookies is a ticket !

17. Firefox Addon
 XSS Me
 Cookie Manager
 etc

18. CSRF

19. What is CSRF
 Cross-site request forgery, also known as one-click
attack or session riding is a type of malicious exploit
of a website where unauthorized commands are
transmitted from a user that the website trusts. CSRF
exploits the trust that a site has in a user's browser.

20. Cross-Site Request Forgery

21. Threat Models
 Client
 Injects content onto trusted site
 Unauthorized Application Request
 Web Attacker
 Owns https://www.attacker.com
 user visit

22. Example
 Bank Website Request
 http://bank.com/transfer.do?acct=budi&amount=1000
00
 Attacker create link
 <a
href="http://bank.com/transfer.do?acct=hacker&amo
unt=100000">View my Pictures!</a>

23. SQL Injection

24. What is SQL Injection
SQL Injection is vulnerability in web application which
using this method hackers able to inject SQL
commands into the database through input form.

25. 25
How common is it?
 It is probably the most common Website vulnerability today!
 It is a flaw in "web application" development,
it is not a DB or web server problem
 Most programmers are still not aware of this problem
 A lot of the php tutorials & php demo are vulnerable
 Even worse, a lot of solutions posted on the Internet are not good enough

26. 26
Vulnerable Applications
 Almost all SQL databases and
programming languages are potentially
vulnerable
 MS SQL Server, Oracle, MySQL, Postgres,
DB2, MS Access, Sybase, Informix, etc
 PHP, ASP, etc

27. 27
How does SQL Injection work?
Common vulnerable login query
SELECT * FROM users
WHERE username = 'ahmad'
AND password = 'rahasia'

28. 28
Injecting through Strings
$username = ' or ‘1’=‘1’ – –
$password = anything
Final query would look like this:
SELECT * FROM users
WHERE username = ' ' or ‘1’=‘1’ – – AND password =
'anything'

29. 29
If it were numeric?
SELECT * FROM clients
WHERE account = 12345678
AND pin = 1111
PHP/MySQL login syntax
$sql = "SELECT * FROM clients WHERE " .
"account = $formacct AND " .
"pin = $formpin";

30. 30
Injecting Numeric Fields
$formacct = 1 or 1=1 #
$formpin = 1111
Final query would look like this:
SELECT * FROM clients
WHERE account = 1 or 1=1 -- AND pin = 1111

31.  Hack Bar
Firefox Addon