The Web You Thought You Knew
1. The Web you thought you knew
By Munir Njiru and Ruth Macharia
2. Web Security Please?
● Most people don't think it's relevant. Why?
– You either can't comprehend someone attacking you.
– You have no idea about attacks.
3. OWASP top 10
● Glad I got your attention..
● There are guys who have tried to open your eyes by creating awareness of this; they are OWASP (Open Web Application Security Project).
● They have ten categories for these attacks, but I will not bore you with all that talk, so get more info here:
https://www.owasp.org/index.php/Top_10_2013-Top_10
4. Don't be illusioned!!
The web can't be covered in a day. Bear with this; it's the tip of the iceberg, but relevant. If we could cover it you'd feel this:
5. So what's the worst?
Why should I care? What could these breaches possibly do, you ask?
Well, you could lose your webutation.
You could lose cash.
You could have your secrets exposed.
And for admins, you could involuntarily sign a power sharing agreement, and we know you don't like that.
This list is not comprehensive; if you are holding your breath, keep holding it :)
6. Disclaimer
You shall see the worst and most jumbled stuff on screen when an attack is carried out, but don't panic when you see all the technical jargon on screen. Just look at the results from the jargon and the answer to what was happening shall come.
7. I made a Mistake How?
Let us tell this as a story. You see how slowly people fit into the OWASP Top 10, maybe not everywhere, but in enough places to render you done for:
8. I made a Mistake How?
So the IT Manager had a proposition of delivering a dynamic site with the technology of today and a robust mail server for communication. Here are his specifications:
- Dynamic content management on a robust platform (Joomla)
- Backup system based on XCloner
- Forum based on Kunena to enable interaction for staff and clients
- Zimbra Server for mail handling
9. I made a Mistake How?
He failed, however, to check the security of the proposed system, and the version information led to this site's demise.
Let me save you the headache of his version information: recon was spoken of earlier, and it got us this:
- Joomla 1.5.15
- Xcloner 2.1
- Kunena 1.6.1
- Zimbra 8.0.2
10. XSS
Well, this is the ability for an attacker to diss you using your browser.
It's basically the ability to add code to what you see, and this code is not usually added in your best interest.
11. Your Browser Dissed You!
Payload => <script>alert("I said it was just an XSS what's the worst that could happen? \nThen the hackers at Africahackon went straight for my cookie jar and found all my secrets: \n\n");</script>
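To show the defender's side of the slide above, here is an added Python example (not from the slides, and not Joomla's own code). It renders the same kind of visitor input once without and once with HTML encoding, builds a session cookie with HttpOnly and Secure so page scripts cannot read it, and includes a small check that flags script tags hidden in URL-encoded query strings. The input string, cookie value and function names are constructed for illustration.

```python
import html
import urllib.parse
from http.cookies import SimpleCookie

# Constructed sample: what arrives in a ?name= parameter from a crafted link.
CONSTRUCTED_INPUT = '<script>alert("xss")</script>'


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: user input is spliced straight into the HTML body."""
    return f"<p>Hello {name}</p>"


def render_safe(name: str) -> str:
    """Hardened pattern: HTML-encode the value before it reaches the page.
    The browser then shows the text '<script>' instead of executing it."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the 'cookie jar': HttpOnly keeps document.cookie
    from exposing the session id to injected script, Secure keeps it off
    plain HTTP. Returns the value for a Set-Cookie header."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    return jar["session"].OutputString()


def looks_like_script_injection(query_string: str) -> bool:
    """Detection helper for access logs: decode the query string and look
    for the most common script-injection markers (case-insensitive)."""
    decoded = urllib.parse.unquote_plus(query_string).lower()
    markers = ("<script", "javascript:", "onerror=")
    return any(marker in decoded for marker in markers)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(CONSTRUCTED_INPUT))
    print("safe:  ", render_safe(CONSTRUCTED_INPUT))
    print("cookie:", session_cookie_header("constructed-session-id"))
    print("flagged:", looks_like_script_injection("name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
```

Output encoding is the fix that matters here; the cookie flags and the log check only limit the damage and make an attempt visible if encoding is missed somewhere.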
13. SQL Injection
First of all, you don't need to go through a medicine class to get this.
In layman's terms, it is the ability to sweet talk your database so that it gives it up!!!
14. I just saw my Name!!!!
Payload => %' and 1=2) union select 1, concat(0x3a,username,0x3a,email,0x3a,0x3a,activation),concat(0x3a,username,0x3a,email,0x3a,password,0x3a,activation),'Super Administrator','email','2009-11-26 22:09:28','2009-11-26 22:09:28',62,1,1,0,0,0,1,15 from jos_users-- ;
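The payload above works because the search term is pasted into the SQL text, so a quote in the input closes the string literal and what follows becomes part of the query. Here is an added Python example (not from the slides, not Joomla's code) using an in-memory SQLite database with a constructed users table: the first search function builds the query by concatenation, the second binds the term as a parameter, and the same tautology input returns every row from the first and nothing from the second. Table layout, sample rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; the layout only loosely echoes the jos_users
# table named in the payload above.
SAMPLE_USERS = [
    ("admin", "admin@example.invalid", "hash_a"),
    ("ruth", "ruth@example.invalid", "hash_b"),
    ("munir", "munir@example.invalid", "hash_c"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_users_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the term is concatenated into the SQL text, so a quote
    in the input ends the literal and the rest is executed as SQL."""
    sql = "SELECT username, email FROM users WHERE username LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_users_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the term travels as a bound parameter, so the database
    only ever treats it as data, quotes and comment markers included."""
    sql = "SELECT username, email FROM users WHERE username LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    normal = "ruth"
    tautology = "zzz%' OR 1=1 --"  # constructed: closes the literal, adds an always-true clause
    print("unsafe, normal term:   ", search_users_unsafe(db, normal))
    print("safe,   normal term:   ", search_users_safe(db, normal))
    print("unsafe, tautology term:", search_users_unsafe(db, tautology))
    print("safe,   tautology term:", search_users_safe(db, tautology))
```

Parameter binding is the remediation; it is what "data was validated on the platform" means in practice for database access. One caveat: `%` and `_` are still LIKE wildcards inside the bound value, so if the search should match those characters literally, escape them and add an ESCAPE clause.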
23. See it in Action!!!!
To see this manually done without the script, check our video to get the gist of the background:
http://www.youtube.com/watch?v=ahJLYT8CLow
24. RCE
Just when you thought we were done :D well, you were warned; the web is wide, but we will be winding up in a bit.
RCE - It's not "Regional Centers of Expertise", it's Remote Code Execution.
27. Remediation
● This would all have been avoided if:
– Data was validated on the platform.
– The technology was investigated before being implemented.
28. Questions
● Don't be ashamed to scratch your head after this; I would too, it's a lot of information.