6. Active Reconnaissance
Active reconnaissance is a type of reconnaissance in which an
attacker engages with the targeted person or organisation to
gather information.
DNS
Whois
Netcraft
Archives
Search Engine
Social Media
7. Passive Reconnaissance
Passive reconnaissance is an attempt to gain
information about the targeted person or organisation without
actively engaging with its systems.
Go to Target Office
Interview with target
Read from newspaper
Etc
8. Useful Information
Names (administrative, technical, billing contacts) for social
engineering attacks
Telephone numbers
Email addresses
Format of email addresses, e.g. First.last@abc.com
Family (wife/husband, children, etc.)
Places
Birthday
11. What is XSS
Cross-Site Scripting (XSS) attacks are a type of
injection, in which malicious scripts are injected into
trusted web sites. XSS attacks occur when an attacker
uses a web application to send malicious code,
generally in the form of a browser-side script, to a
different end user.
12. XSS Types
Reflected XSS
Triggers off of a link
Interactive
Example: victim.com/{vulnerable_here}
Stored XSS
Persistent
Triggers when the exploited page is viewed
Example: comment forms
13. XSS Attack
An XSS attack works this way:
The attacker identifies a web site that has one or more XSS bugs (for example
echoing input data, or lacking input validation)
The attacker crafts a special URL that includes a malformed and malicious
querystring containing HTML and script
The attacker finds a victim and gets them to click the link
The victim clicks the link and the victim's browser makes a request to the
vulnerable server, passing the malicious querystring along with the victim's cookies
The vulnerable server echoes the malicious input, including the script, back to the
victim's browser
The victim's browser executes the malicious script, which may be crafted to pass
data from the victim to the attacker, or to perform other actions
14. Cross-Site Scripting Attack in Action
1. The attacker sends a victim a link containing a malicious payload.
2. The victim, tricked into clicking the link, sends a request (and the
payload) to the vulnerable application interface.
3. The interface (e.g. a user registration form) accepts the request
(and payload), and responds with a confirmation screen.
Embedded in the confirmation screen is the malicious code, which
has been formatted in such a way that a browser will interpret it as
if it were any other JavaScript code.
4. When the victim receives the response, the browser executes the
payload, which could send cookie values (including session
identifiers) and other sensitive data to the attacker.
15. Attack Vectors
Forms that are filled out where values are later presented to
the user
Web message boards that allow users to post their own
messages
19. What is CSRF
Cross-site request forgery, also known as one-click
attack or session riding, is a type of malicious exploit
of a website where unauthorized commands are
transmitted from a user that the website trusts. CSRF
exploits the trust that a site has in a user's browser.
21. Threat Models
Web Attacker
Owns https://www.attacker.com, which the user visits
Injects content onto the trusted site
Client
Sends an unauthorized application request
22. Example
Bank website request:
http://bank.com/transfer.do?acct=budi&amount=100000
Attacker creates a link:
<a href="http://bank.com/transfer.do?acct=hacker&amount=100000">View my Pictures!</a>
24. What is SQL Injection
SQL Injection is a vulnerability in a web application that
lets an attacker inject SQL commands into the database
through an input form.
25. How common is it?
It is probably the most common website vulnerability today!
It is a flaw in "web application" development;
it is not a DB or web server problem
Most programmers are still not aware of this problem
A lot of PHP tutorials and PHP demos are vulnerable
Even worse, a lot of solutions posted on the Internet are not good enough
26. Vulnerable Applications
Almost all SQL databases and
programming languages are potentially
vulnerable
MS SQL Server, Oracle, MySQL, Postgres,
DB2, MS Access, Sybase, Informix, etc
PHP, ASP, etc
27. How does SQL Injection work?
Common vulnerable login query
SELECT * FROM users
WHERE username = 'ahmad'
AND password = 'rahasia'
28. Injecting through Strings
$username = ' or '1'='1' --
$password = anything
Final query would look like this (everything after -- is a comment):
SELECT * FROM users
WHERE username = '' or '1'='1' -- ' AND password =
'anything'
29. If it were numeric?
SELECT * FROM clients
WHERE account = 12345678
AND pin = 1111
PHP/MySQL login syntax
$sql = "SELECT * FROM clients WHERE " .
"account = $formacct AND " .
"pin = $formpin";
30. Injecting Numeric Fields
$formacct = 1 or 1=1 --
$formpin = 1111
Final query would look like this (no quote is needed to break out of a numeric field):
SELECT * FROM clients
WHERE account = 1 or 1=1 -- AND pin = 1111
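The string injection of slide 28 and the numeric injection of slide 30, run side by side with their parameterised counterparts. This is an added example, not code from the slides: it uses Python's sqlite3 with a constructed in-memory users/clients table (the slides' PHP/MySQL code is rewritten here; the function names and the sample rows are assumptions).

```python
import sqlite3


def make_db():
    """Constructed in-memory tables mirroring the slides' users/clients examples."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("CREATE TABLE clients (account INTEGER, pin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("ahmad", "rahasia"), ("budi", "secret2")])
    con.executemany("INSERT INTO clients VALUES (?, ?)",
                    [(12345678, 1111), (87654321, 2222)])
    return con


def vulnerable_login(con, username, password):
    # Slide 27/28 pattern: user input is glued into the SQL text, so a
    # quote plus a comment marker (--) rewrites the WHERE clause.
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchall()


def safe_login(con, username, password):
    # Parameter binding: the driver sends the values separately from the
    # SQL text, so quotes and comment markers stay inside the value.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()


def vulnerable_pin_check(con, formacct, formpin):
    # Slide 29/30 pattern: a numeric field needs no quote to break out of.
    sql = f"SELECT * FROM clients WHERE account = {formacct} AND pin = {formpin}"
    return con.execute(sql).fetchall()


def is_numeric_field(value):
    """Allow-list check for a numeric form field: digits only."""
    return value.strip().isdigit()


def safe_pin_check(con, formacct, formpin):
    # Reject anything that is not a plain integer, then bind the parameters.
    if not (is_numeric_field(formacct) and is_numeric_field(formpin)):
        raise ValueError("numeric field contains non-digit characters")
    sql = "SELECT * FROM clients WHERE account = ? AND pin = ?"
    return con.execute(sql, (int(formacct), int(formpin))).fetchall()
```

With the slide payloads, the concatenated queries return every row while the bound queries return nothing (or reject the input outright).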