4. DISCLAIMER
Do not use anything you learn here without legal authorization.
"With great power comes great responsibility" – also, with great
knowledge comes great
I've copied text/images from the internet here and there... it's not
possible to mention all sources. Thanks, all.
5. WHAT IS NOT WEB APPLICATION SECURITY?
Not network security.
Network security mostly ignores the contents of HTTP
traffic.
Firewalls, intrusion detection systems.
6. TODAY'S SCOPE
We will learn the basics.
Not going into too much detail on development/defense.
Try to show some automation.
25. PENETRATION TESTING
Attempt to compromise security by using the same techniques
as the attacker.
If I were an attacker, how far would I be able to go?
How easy is it to compromise this computer | network |
application | system?
31. WEB BROWSER SECURITY MODELS
The same origin policy
The cookie security model
The Flash security model / sandbox (Class 5 RIA)
32. SAME ORIGIN POLICY
The same origin policy prevents a document or script loaded from
one origin from getting or setting properties of a document
from a different origin.
An origin is defined as the combination of
protocol (scheme), hostname, and port number; all three must match.
Default ports count as present, so http://www.foo.com and http://www.foo.com:80
are the same origin, while https://www.foo.com and http://www.foo.com:8080 are not.
33. URL ANATOMY
Global identifiers of network-retrievable documents.
Special characters are percent-encoded as hex:
%0A = newline (line feed)
%20 = space; %2B means a literal +
(in a query string a bare + is decoded as a space, so + and %2B are not interchangeable)
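To make the three encodings on the slide concrete, here is an added example (not part of the original deck): a hand-written application/x-www-form-urlencoded decoder, so the rules behind %0A, %20, + and %2B are visible, cross-checked against the built-in URLSearchParams, plus the check a server needs before it copies a decoded value into a response header. The sample query string is constructed for the example; it runs in Node.js and in browsers.

```javascript
// Added example: hand-rolled form-urlencoded decoding (not from the slides).

// Decode ONE query value: "+" is a space, %XX is a single byte, anything else is copied.
// Decoding happens exactly once, so "%250A" becomes the literal text "%0A", not a newline.
function decodeFormValue(raw) {
  const bytes = [];
  const chars = Array.from(raw);                  // iterate by code point, not UTF-16 unit
  for (let i = 0; i < chars.length; i++) {
    const c = chars[i];
    if (c === "+") { bytes.push(0x20); continue; }
    const hex = chars.slice(i + 1, i + 3).join("");
    if (c === "%" && /^[0-9a-fA-F]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
      continue;
    }
    bytes.push(...new TextEncoder().encode(c));   // malformed %xx is left as-is
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Split a query string into a Map, decoding keys and values separately. Splitting happens
// BEFORE decoding, so an encoded "%26" or "%3D" inside a value stays data. First occurrence
// of a key wins (an assumption; frameworks differ, which is what parameter pollution exploits).
function parseQuery(qs) {
  const out = new Map();
  for (const pair of qs.replace(/^\?/, "").split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = decodeFormValue(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeFormValue(eq === -1 ? "" : pair.slice(eq + 1));
    if (!out.has(key)) out.set(key, val);
  }
  return out;
}

// A decoded value that will be copied into a response header (Location, Set-Cookie, ...)
// must not contain CR, LF or NUL, otherwise the client can inject extra headers.
function isHeaderSafe(value) {
  return !/[\r\n\0]/.test(value);
}

// Constructed sample: what an attacker might send to a page that echoes ?next= into Location.
const SAMPLE_QUERY = "next=%2Fhome%0ASet-Cookie:+a%3Db&q=1%2B1";
const parsed = parseQuery(SAMPLE_QUERY);
console.log(JSON.stringify(parsed.get("next")));                 // "/home\nSet-Cookie: a=b"
console.log(parsed.get("q"), isHeaderSafe(parsed.get("next")));  // 1+1 false
```

The point to take away is the order of operations: split on `&` and `=` first, decode once, then validate the decoded bytes. A server that decodes twice, or validates before decoding, lets `%250A` or `%0A` through as a newline.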
38. EXCEPTIONS TO THE SAME ORIGIN POLICY
Browsers can be instructed to allow limited exceptions to the same origin policy
by setting JavaScript's document.domain property on the pages involved.
If http://www.foo.com/bar/baz.html had the following in its page,
<script>
document.domain = "foo.com";
</script>
and http://xyz.foo.com/anywhere.html set document.domain to the same value,
then a script on xyz.foo.com could load http://www.foo.com/bar/baz.html in a frame
and read or modify its DOM. Setting it on one side only is not enough: both pages
must opt in. Newer browsers are deprecating document.domain and may ignore the
setter, so do not build new functionality on it.
39. BUT BUT BUT ….
You cannot put any domain in document.domain.
The document.domain value must be the page's own domain or a superdomain of the domain
from which the page originated, such as foo.com from
www.foo.com. It cannot be an unrelated domain (bar.com) or a bare public suffix (com).
Once both pages have set it, a script on one can reach into the other's DOM:
<iframe src="http://www.foo.com/bar/baz.html"
onload="frames[0].document.body.innerHTML += '<img src=x onerror=alert(1)>'"></iframe>
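The two slides above state the rules in words; the following added example (not part of the original deck, and a simulation of browser behaviour rather than browser code) models them as plain functions so they can be exercised: the origin comparison from the same origin policy slide, the restriction on what document.domain may be set to, and the "both sides must opt in" rule. A "document" here is a constructed `{ url, domain }` object whose `domain` is `null` until the page assigns document.domain.

```javascript
// Added example: a model of the same-origin check and document.domain relaxation.

// The origin is (scheme, host, port). URL.origin folds default ports in, so
// "http://www.foo.com:80" and "http://www.foo.com" compare equal.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Model of assigning document.domain. Allowed values: the page's own host or one of its
// superdomains. Simplification: we only require a dot-delimited suffix that itself contains
// a dot; real browsers also refuse public suffixes such as "com" or "co.uk" (Public Suffix List).
function setDocumentDomain(doc, value) {
  const host = new URL(doc.url).hostname;
  const isSuperdomain = value.includes(".") && host.endsWith("." + value);
  if (value !== host && !isSuperdomain) {
    throw new Error(`SecurityError: ${host} may not set document.domain to "${value}"`);
  }
  doc.domain = value;
}

// Can a script in document A touch the DOM of document B? (the HTML spec's "same origin-domain")
//  - if neither page has set document.domain: the plain same-origin comparison applies
//  - otherwise BOTH must have set it, to the same value, with the same scheme;
//    the port is no longer compared once document.domain is in play.
function canScript(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a.url, b.url);
  if (a.domain === null || b.domain === null) return false;
  return a.domain === b.domain && new URL(a.url).protocol === new URL(b.url).protocol;
}

// Walk-through of the slide's scenario with constructed documents.
function slideScenario() {
  const baz = { url: "http://www.foo.com/bar/baz.html", domain: null };
  const anywhere = { url: "http://xyz.foo.com/anywhere.html", domain: null };
  const before = canScript(anywhere, baz);     // different hosts: false
  setDocumentDomain(baz, "foo.com");           // only one side relaxed so far
  const oneSided = canScript(anywhere, baz);   // still false: both must opt in
  setDocumentDomain(anywhere, "foo.com");
  const after = canScript(anywhere, baz);      // true: frames[0].document is now reachable
  return { before, oneSided, after };
}

console.log(slideScenario());   // { before: false, oneSided: false, after: true }
```

Note the asymmetry the model makes visible: the moment www.foo.com sets document.domain, even to a value equal to its own hostname, it stops being same-origin with an un-relaxed copy of itself, which is one reason browsers are retiring the feature.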
45. WHAT CAN AN ATTACKER DO WITH XSS?
History stealing
Intranet hacking
XSS defacements
DNS pinning bypass (anti-DNS pinning / DNS rebinding)
Hacking JSON
Cookie stealing
Clipboard stealing
Even more? What else do you need?
55. BLIND WEB SERVER FINGERPRINTING
Apache web server:
/icons/apache_pb.gif
HP printer:
/hp/device/hp_invent_logo.gif
<img src="http://intranet_ip/unique_image_url">
The victim's browser fetches the image from the intranet host on the attacker's behalf.
The attacker never sees the response (hence "blind"), but whether the image loads
(onload) or fails (onerror) reveals which product is listening at that address.
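The slide's single `<img>` tag becomes a scanner once onload/onerror are wired up. The following added example (not part of the original deck) does that for a list of hosts and reports which fingerprint matched. The fingerprint table holds the slide's two paths; the intranet addresses, the name strings and the simulated Image factory are constructed for the example so it can run in Node.js without a network (in a browser, drop the `createImage` option and the real `Image` is used).

```javascript
// Added example: blind intranet fingerprinting via <img> onload/onerror.

const FINGERPRINTS = [
  { name: "Apache HTTP Server", path: "/icons/apache_pb.gif" },
  { name: "HP printer",         path: "/hp/device/hp_invent_logo.gif" },
];

// Load one URL as an image. Resolves true on onload, false on onerror or timeout.
// createImage is injectable so the logic can run outside a browser.
function probeImage(url, { createImage = () => new Image(), timeoutMs = 3000 } = {}) {
  return new Promise((resolve) => {
    const img = createImage();
    const timer = setTimeout(() => resolve(false), timeoutMs);  // filtered host: no event at all
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url;
  });
}

// Try every fingerprint against one host; the cache-buster defeats a cached copy.
async function fingerprintHost(host, opts) {
  const hits = [];
  for (const fp of FINGERPRINTS) {
    const url = `http://${host}${fp.path}?cb=${Date.now()}`;
    if (await probeImage(url, opts)) hits.push(fp.name);
  }
  return hits;
}

// Offline stand-in for the browser's Image object: existingUrls is the constructed truth
// about what the intranet serves, and the stand-in fires onload/onerror accordingly.
function simulatedImageFactory(existingUrls) {
  return () => {
    const img = { onload: null, onerror: null };
    Object.defineProperty(img, "src", {
      set(url) {
        const exists = existingUrls.some((u) => url.startsWith(u));
        setTimeout(() => (exists ? img.onload : img.onerror)?.(), 0);
      },
    });
    return img;
  };
}

// Demo against a constructed intranet: one Apache box, one printer, one empty address.
async function demo() {
  const createImage = simulatedImageFactory([
    "http://10.0.0.5/icons/apache_pb.gif",
    "http://10.0.0.9/hp/device/hp_invent_logo.gif",
  ]);
  const results = {};
  for (const host of ["10.0.0.5", "10.0.0.9", "10.0.0.77"]) {
    results[host] = await fingerprintHost(host, { createImage });
  }
  return results;  // { "10.0.0.5": ["Apache HTTP Server"], "10.0.0.9": ["HP printer"], "10.0.0.77": [] }
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Two practical caveats: a host that returns an HTML 404 page for the probed path fires onerror just like a closed port, so a miss only tells you "not that product", and current browsers are adding restrictions on requests from public pages to private address space, which can turn every probe into a timeout.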
69. RFI (REMOTE FILE INCLUSION)
Remote File Inclusion (RFI) is a type of vulnerability most often
found in web applications that pass user-controlled input to a file-include
statement. It allows an attacker to make the server include, and typically
execute, a file fetched from a remote location the attacker controls, usually
through a script on the web server.
79. SCENARIO #1:
The application has a page called "redirect.jsp" which takes a
single parameter named "url". The attacker crafts a malicious
URL that redirects users to a malicious site that performs
phishing and installs malware; the victim only sees the trusted
www.example.com link.
http://www.example.com/redirect.jsp?url=evil.com
80. SCENARIO #2:
The application uses forwards to route requests between
different parts of the site. To facilitate this, some pages use a
parameter to indicate where the user should be sent if a
transaction is successful. In this case, the attacker crafts a URL
that will pass the application's access control check and then
forward the attacker to an administrative function that she
would not normally be able to access.
http://www.example.com/boring.jsp?fwd=admin.jsp
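The two scenarios above, written out as an added example (not part of the original deck) in Express's `(req, res)` handler shape: the vulnerable redirect beside a hardened one, and a forward that looks up a token in a fixed table instead of taking a page name from the request. The site origin, the `FORWARDS` table and the route names are assumptions for the example; the check itself is plain WHATWG URL parsing, so it runs in Node.js without Express.

```javascript
// Added example: unvalidated redirect/forward, vulnerable and hardened.

const SITE_ORIGIN = "https://www.example.com";   // assumed: the origin redirect.jsp lives on

// Scenario #1, vulnerable: whatever arrives in ?url= becomes the Location header, so
// ?url=http://evil.com sends the victim off-site behind a trustworthy-looking link.
function redirectTargetUnsafe(urlParam) {
  return urlParam;
}

// Scenario #1, hardened: resolve the parameter against our own origin and keep only
// path+query+fragment IF the result still lives on that origin. Parsing with URL (instead
// of checking for a leading "/") is what catches "//evil.com", "/\evil.com",
// "https://evil.com", "https://www.example.com@evil.com" and "javascript:" values, which
// all parse to a foreign or opaque origin. Returns null when the redirect must be refused.
function safeRedirectTarget(urlParam, siteOrigin = SITE_ORIGIN) {
  if (typeof urlParam !== "string" || urlParam.length === 0 || urlParam.length > 2048) return null;
  if (/[\x00-\x1f\x7f]/.test(urlParam)) return null;   // raw CR/LF would be header injection
  let target;
  try {
    target = new URL(urlParam, siteOrigin);
  } catch {
    return null;   // unparseable input
  }
  if (target.origin !== siteOrigin) return null;
  return target.pathname + target.search + target.hash;
}

// Scenario #2: never forward to a page name taken from the request. Map a short token to a
// fixed internal route; anything not in the table (such as "admin.jsp") falls back to home.
const FORWARDS = new Map([          // assumed application routes
  ["home",   "/home.jsp"],
  ["orders", "/orders.jsp"],
]);
function resolveForward(token) {
  return FORWARDS.get(token) ?? "/home.jsp";
}

// Handlers in Express's (req, res) shape; res.redirect/res.status are whatever the framework provides.
function redirectHandler(req, res) {
  const dest = safeRedirectTarget(req.query.url);
  if (dest === null) return res.status(400).send("invalid redirect target");
  return res.redirect(302, dest);
}
function boringHandler(req, res) {
  return res.redirect(302, resolveForward(req.query.fwd));
}

console.log(safeRedirectTarget("//evil.com/"), safeRedirectTarget("/account?tab=1"));  // null /account?tab=1
```

Note that the slide's literal `url=evil.com` resolves to the on-site path `/evil.com` under the hardened check, because a bare hostname is a relative URL; the attack needs `url=http://evil.com`. Returning a relative path rather than echoing the absolute URL also means a later change of scheme or port on the site cannot turn an accepted value into an off-site redirect.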
88. COOKIE SECURITY POLICY
Path attribute:
If http://x.y.z.com/a/WebApp sets a cookie with Path=/a,
then the cookie is sent with requests to http://x.y.z.com/a and
http://x.y.z.com/a/* only, including deeper paths such as
http://x.y.z.com/a/b/index.html.
The cookie would not be sent to http://x.y.z.com/index.html or to
http://x.y.z.com/ab/index.html (RFC 6265 requires a "/" right after the path prefix).
Path is not a security boundary: the same origin policy works per origin, not per path,
so a page under /b on the same host can still read a /a cookie by framing a page under /a.
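The matching rule above, as an added example (not part of the original deck): RFC 6265's path-match and default-path rules as plain functions, applied to the x.y.z.com/a cookie. The cookie jar and the cookie names are constructed for the example; host, Secure and expiry checks are deliberately left out so only the Path logic is on show.

```javascript
// Added example: RFC 6265 cookie path matching.

// Does a request path "match" a cookie's Path (RFC 6265 section 5.1.4)? True when the paths
// are identical, or when the cookie path is a prefix of the request path AND either the
// cookie path ends in "/" or the request path has a "/" right after the prefix. The last
// clause is why Path=/a is sent to /a/b/index.html but NOT to /ab/index.html.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Path assigned when Set-Cookie carries no Path attribute: the request path up to, but not
// including, its right-most "/" ("/" if that leaves nothing or the path does not start with "/").
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const cut = requestPath.lastIndexOf("/");
  return cut <= 0 ? "/" : requestPath.slice(0, cut);
}

// Names of the cookies from `jar` that a browser attaches to a request for requestPath.
function cookiesSentTo(jar, requestPath) {
  return jar.filter((c) => pathMatches(requestPath, c.path)).map((c) => c.name);
}

// Constructed jar for x.y.z.com: one cookie set by /a/WebApp with an explicit Path=/a,
// one set by /a/WebApp with no Path attribute, and a site-wide one.
const JAR = [
  { name: "app",    path: "/a" },
  { name: "noPath", path: defaultPath("/a/WebApp") },   // becomes "/a"
  { name: "site",   path: "/" },
];

console.log(cookiesSentTo(JAR, "/a/WebApp"));        // [ 'app', 'noPath', 'site' ]
console.log(cookiesSentTo(JAR, "/a/b/index.html"));  // [ 'app', 'noPath', 'site' ]
console.log(cookiesSentTo(JAR, "/index.html"));      // [ 'site' ]
console.log(cookiesSentTo(JAR, "/ab/index.html"));   // [ 'site' ]
```

The default-path rule is the one that surprises people: a cookie set by `/a/WebApp` without a Path attribute is scoped to `/a`, not to `/a/WebApp`, so two applications mounted under the same first segment share each other's cookies unless each sets Path explicitly.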