Just for you: FREE 60-day trial to the world’s largest digital library.
The SlideShare family just got bigger. Enjoy access to millions of ebooks, audiobooks, magazines, and more from Scribd.
Cancel anytime.More Related Content
Related Books
Free with a 14 day trial from Scribd
“Can we deface your Web in 10 mins?” - Edu 3.4
- 1. Knownsec Hong Kong Can we deface your Web in 10 mins?
- 2. News Ref: http://hk.on.cc/hk/bkn/cnt/news/20150708/bkn-20150708133226995-0708_00822_001.html
- 3. News Ref: http://abcnews.go.com/US/ny-high-school-students-accused-hacking-computer-system/story?id=34617530
- 4. News Ref: http://www.appledaily.com.tw/realtimenews/article/new/20151024/718116/
- 5. Some Common Hacking Incidents • Defacement • Changing the look of the website – e.g. hackers break into into the web server and modify the content • Stealing Information • Getting some sensitive information (e.g. exam paper) because they are not properly protected Ref: https://www.pinoyhacknews.com/web-hacking-terms-what-is- website-defacedefacement
- 6. • Modifying Information • E.g. Hackers break into the server / through websites vulnerability to modify the database content, like school grades • Upload Trojan / Shell • Hackers upload a backdoor to control the webserver, they can change website content, spread virus, make webserver as zombie, etc… • Etc… Ref: http://vanish.org/t/images/bot1.jpg
- 7. Some Common Vulnerabilities • SQL Injection • A website vulnerability that allow hackers to input gain access to database or even execute commands, e.g. dump database, modify content, upload files • Vulnerable Components • Using some vulnerable software like outdated CMS, vuln version of Wordpress plugin, old web servers (e.g. webdav exploit)… Ref: http://imgs.xkcd.com/comics/exploits_of_a_mom.png
- 8. • Sensitive Files • Important files are not properly protected, e.g. simply putting them to be internet accessible • Weak Passwords • Using weak password like 000000 and no brute force protection
- 9. Demo – Can we deface your Web in 10mins? • There is a sample Educational Website
- 10. Can we deface your Web in 10mins? • Hacking in progress… • Browsing the website • Finding vulnerabilities • Uploading a shell… • Defacing the homepage…
- 11. Can we deface your Web in 10mins? – Yes!!
- 12. What did the hacker do? • Browsing the website • Got interesting directories: /intranet • Have to login? • Got an interesting page: /intranet/fck.php using FKCEditor? • Finding vulnerabilities • Bypass login by SQL Injection… • Misconfigured FCKEditor, a vulnerable component J • Uploading a shell… • A file that can control the website • Defacing the homepage… • Mission completed
- 13. Tips • Do security assessment on your websites • Websites vulnerabilities • Servers configuration • Apply countermeasures if necessary • Improve security awareness • Be aware of the news about the technology that the school is using • Education
- 14. Contact • Alan Ho • alanho@knownsec.com
- 15. Thank you!