nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection

1,006 views

Published on

(secure) SiteHoster – Disable XSS & SQL Injection by Abhishek Kumar

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,006
On SlideShare
0
From Embeds
0
Number of Embeds
69
Actions
Shares
0
Downloads
31
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection

  1. 1. http://nullcon.net NEW CONCEPTS DEFEATING WEB ATTACKS(secure) SiteHoster
  2. 2.  Family Named: AbhishekKr Friends Call: ABK g33k Handle: aBionic IndependentSecurity Enthusiast/Researcher Also a Member of „EvilFingers‟ (other than ‘NULL’) Application-Developer in ThoughtWorks Inc. OpenSource Lover http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB
  3. 3.  Other than expanding to (secure)SiteHoster A Fresh A Lab (s)SH Approach RAT http://sourceforge.net/projects/sitehoster http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB
  4. 4. http://null.co.inhttp://nullcon.net It‟s The Same Old ProblemaBionic@twitter,linkedin,FB
  5. 5. http://null.co.inhttp://nullcon.net Same Old Problem With A New Perspective To Solve ItaBionic@twitter,linkedin,FB
  6. 6. http://null.co.inhttp://nullcon.net offensive security to secureaBionic@ ATTACK THE ATTACKERtwitter,linkedin,FB
  7. 7. http://null.co.inhttp://nullcon.net Major Threats for Web Applications Stats are not same (of 2009) …aBionic@twitter,linkedin,FB But t h r e a t s are
  8. 8. XSS Defeating Concept always aim the strongest opponent first, makes you win battle easilyhttp://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB
  9. 9. IT IS JUST A PIECE OF CODE aBionic@twitter,linkedin,FB
  10. 10. <TAGS/> R GooD aBionic@twitter,linkedin,FB
  11. 11. And if it’s Code… aBionic@twitter,linkedin,FB
  12. 12. http://null.co.inhttp://nullcon.net !dea is toaBionic@ BUGtwitter,linkedin,FB
  13. 13. http://null.co.inhttp://nullcon.net 3 Major XSS Attack Patterns All Effect From Options of User Input, a Web2.0 GiftaBionic@twitter,linkedin,FB
  14. 14. + Karthik calling Karthik…http://null.co.in + User (tricked) Input…http://nullcon.net Included or injected <script/> What You See Is (*NOT*) What You GetaBionic@twitter,linkedin,FB
  15. 15. http://null.co.inhttp://nullcon.net Who calls, or who injects What finally happens is unwanted <script/>aBionic@twitter,linkedin,FB
  16. 16. http://null.co.inhttp://nullcon.net Disarm <script/> Take away all its POWER!!!!!aBionic@twitter,linkedin,FB
  17. 17. http://null.co.inhttp://nullcon.net Dis-Infect Entire Body To kill all unwanted „Creepy-Living‟ BeingsaBionic@twitter,linkedin,FB
  18. 18. Generated HyperText <html> <head><script>function h(){alert(“some dev-script in HEAD Tag”);}</script></head> <body> <script DEFER>heavy_stuff=true;</script> name: <div id=”fromDB” onMouseOver=”h();”><script>alert(„attacker injected it, could do anything‟);</script> </div> </body> </html> aBionic@twitter,linkedin,FB
  19. 19. Server Patched View<html><head><script> function h(){alert(“this is dev-scripts in HEAD Tag”);}</script></head><BD><BODY ><script DEFER>heavy_stuff=true;</script><script type=text/javascript>x=document.getElementsByTagName("BODY");x[0].innerHTML = "name:<div id="fromDB" onclick="h();"><script>alert(attacker injected it, could do anything);</script></div>“;</script></BODY></BD></html> aBionic@twitter,linkedin,FB
  20. 20. http://null.co.inhttp://nullcon.net But… still  …other two monkeys got a chanceaBionic@twitter,linkedin,FB
  21. 21. http://null.co.inhttp://nullcon.net „javascript:‟ may effect asaBionic@twitter,linkedin,FB
  22. 22. http://null.co.inhttp://nullcon.net So „javascript:<bugMe/>‟aBionic@twitter,linkedin,FB
  23. 23. http://null.co.inhttp://nullcon.net 1 Monkey can wreck havoc 2 are pwn3d… but 3rd is powerful enoughaBionic@twitter,linkedin,FB
  24. 24. http://null.co.inhttp://nullcon.net „Be Kind‟ on Entropy -says „JS-Events‟aBionic@twitter,linkedin,FB
  25. 25. http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB
  26. 26. Ninja Parse User Input aBionic@twitter,linkedin,FB
  27. 27. Bug-it-su pwn JS-Events aBionic@twitter,linkedin,FB
  28. 28. hardcore ‘js-events’ pwnage aBionic@twitter,linkedin,FB
  29. 29. http://null.co.inhttp://nullcon.net XSS Attack gets bugged <TAGS/> go GreenaBionic@twitter,linkedin,FB
  30. 30. http://null.co.inhttp://nullcon.net Innocence Is Saved Normal User Input Matching Attack aint FilteredaBionic@twitter,linkedin,FB
  31. 31. http://null.co.inhttp://nullcon.net All Monkeys Defeated And so are Script-JunkiesaBionic@twitter,linkedin,FB
  32. 32. CURRENTLY JUST DEV PERSPECTIVE aBionic@twitter,linkedin,FB
  33. 33. For Un-Privileged AXNs aBionic@twitter,linkedin,FB
  34. 34. Old Wine, Why Not Always Used DB all boss Read on Read,write.* Table T1 Read,Write on Table t2 User- Web-App Mapper aBionic@twitter,linkedin,FB
  35. 35. http://null.co.inhttp://nullcon.net & For Condition Match An A Apple Hash A An Day Input Keeps The Doctor Attacker AwayaBionic@twitter,linkedin,FB
  36. 36.  I Tweet Tech: http://www.twitter.com/aBionic I Blog Tech: http://abhishekkr.wordpress.com/ I OpenSource  GitHub: https://github.com/abhishekkr  SourceForge: http://sourceforge.net/users/abhishekkr I Socialize: http://www.facebook.com/aBionic I Techalize: http://in.linkedin.com/in/abionic I Deviantize: http://abhishekkr.deviantart.com/ http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB

×