-
Be the first to like this
Upcoming SlideShare
“Can we deface your Web in 10 mins?” - Edu 3.4
- 1. Knownsec Hong Kong Can we deface your Web in 10 mins?
- 2. News Ref: http://hk.on.cc/hk/bkn/cnt/news/20150708/bkn-20150708133226995-0708_00822_001.html
- 3. News Ref: http://abcnews.go.com/US/ny-high-school-students-accused-hacking-computer-system/story?id=34617530
- 4. News Ref: http://www.appledaily.com.tw/realtimenews/article/new/20151024/718116/
- 5. Some Common Hacking Incidents • Defacement • Changing the look of the website – e.g. hackers break into into the web server and modify the content • Stealing Information • Getting some sensitive information (e.g. exam paper) because they are not properly protected Ref: https://www.pinoyhacknews.com/web-hacking-terms-what-is- website-defacedefacement
- 6. • Modifying Information • E.g. Hackers break into the server / through websites vulnerability to modify the database content, like school grades • Upload Trojan / Shell • Hackers upload a backdoor to control the webserver, they can change website content, spread virus, make webserver as zombie, etc… • Etc… Ref: http://vanish.org/t/images/bot1.jpg
- 7. Some Common Vulnerabilities • SQL Injection • A website vulnerability that allow hackers to input gain access to database or even execute commands, e.g. dump database, modify content, upload files • Vulnerable Components • Using some vulnerable software like outdated CMS, vuln version of Wordpress plugin, old web servers (e.g. webdav exploit)… Ref: http://imgs.xkcd.com/comics/exploits_of_a_mom.png
- 8. • Sensitive Files • Important files are not properly protected, e.g. simply putting them to be internet accessible • Weak Passwords • Using weak password like 000000 and no brute force protection
- 9. Demo – Can we deface your Web in 10mins? • There is a sample Educational Website
- 10. Can we deface your Web in 10mins? • Hacking in progress… • Browsing the website • Finding vulnerabilities • Uploading a shell… • Defacing the homepage…
- 11. Can we deface your Web in 10mins? – Yes!!
- 12. What did the hacker do? • Browsing the website • Got interesting directories: /intranet • Have to login? • Got an interesting page: /intranet/fck.php using FKCEditor? • Finding vulnerabilities • Bypass login by SQL Injection… • Misconfigured FCKEditor, a vulnerable component J • Uploading a shell… • A file that can control the website • Defacing the homepage… • Mission completed
- 13. Tips • Do security assessment on your websites • Websites vulnerabilities • Servers configuration • Apply countermeasures if necessary • Improve security awareness • Be aware of the news about the technology that the school is using • Education
- 14. Contact • Alan Ho • alanho@knownsec.com
- 15. Thank you!
Be the first to comment