1. Online Banking Vulnerable System Web Application
Umesh Kumar
Computer Science and Cyber Security
Police University, Jodhpur
June 1, 2015
Guide: Mr. Pankaj Sharma (Scientist, CERT-In)
Umesh Kumar (SPUP) VAPT June 1, 2015 1 / 17
2. Content
1 Motivation
2 About my work
3 About Vulnerabilities
4 Technical Architecture
5 Home
6 SQL Injection (SQLI)
7 SQLI
8 Cross-Site Scripting
9 Cross Site Request Forgery (CSRF)
10 Session Fixation
11 TRACE Method enabled
12 Using Components with Known Vulnerabilities
13 Result
14 Conclusion
15 Thank You
3. Motivation
Today in India the number of insecure web applications is growing exponentially, so building secure web applications is in the best interest of all organizations and helps keep India's economy safe.
4. About my work
In our project we designed a vulnerable web application and exploited each vulnerability by performing the attacks against it. We then applied patches for the related flaws or weaknesses based on OWASP techniques. The main goal of the OBVS web application is to provide a platform on which research students and faculty can enhance their own knowledge and penetration testers can test their own skills.
5. About Vulnerabilities
SQL Injection
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Session Fixation
TRACE Method enabled
Using Components with Known Vulnerabilities
6. Technical Architecture
1 Web Functionality
  1 Server-Side Functionality: PHP
  2 Client-Side Functionality: HTML, jQuery, CSS, JavaScript, Hyperlinks
2 Backend: MySQL database
3 Hosted on Windows Apache
4 Supported on WAMP or XAMPP
5 Acunetix Web Vulnerability Scanner
8. SQL Injection
SQL Injection Attack (SQLIA) Types
1 Tautologies
  1 1=1-- is appended to the WHERE condition of a query so that the condition is always true.
  2 SELECT * FROM registration WHERE email = '' or 1=1-- and password = ''
2 Illegal/Logically Incorrect Queries
  1 The attacker gathers information about the version and structure of the web application's back-end database.
  2 The web application returns its default error page, which reveals the vulnerable parameter to the attacker.
  3 Consequence: database fingerprinting.
9. SQLI
SQLI Prevention
1 Use mysqli_real_escape_string(mysqli $link, string $escapestr): this function escapes special characters in a string for use in an SQL statement and must be applied to make data safe before sending a query to MySQL.
2 Use prepared statements with MySQLi: the SQL and the variables are sent separately, and the variables are interpreted only as string data, never as part of the SQL statement.
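The login query from the Tautologies slide and the prepared-statement fix from the prevention slide, as an added example (not OBVS project code): the `registration` table and `email`/`password` columns are taken from the slides, and `$db` is assumed to be an already opened mysqli connection.

```php
<?php
// Added example, not OBVS project code. Table and column names follow the
// slides; $db is an existing mysqli connection (opened by the caller).

// Vulnerable: the query is built by string concatenation, so an email value
// such as   ' or 1=1--   becomes part of the SQL text. The resulting query
//   SELECT * FROM registration WHERE email = '' or 1=1--' AND password = ''
// matches every row, because 1=1 is always true and -- comments out the rest.
function build_vulnerable_query(string $email, string $password): string
{
    return "SELECT * FROM registration WHERE email = '$email' AND password = '$password'";
}

function vulnerable_login(mysqli $db, string $email, string $password): ?array
{
    $result = $db->query(build_vulnerable_query($email, $password));
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened: a prepared statement sends the SQL text with ? placeholders first
// and the values afterwards, so the values are only ever string data and the
// same payload simply fails to match any email address.
function safe_login(mysqli $db, string $email, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM registration WHERE email = ? AND password = ?'
    );
    $stmt->bind_param('ss', $email, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}
```

The slides compare the password inside the query; a production login would fetch the row by email alone and check a stored hash with password_verify().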
10. Cross-Site Scripting
XSS characteristics: the attacker takes advantage of the trust that a user has in a certain website.
XSS Main Payload
1 HTML & CSS (cascading style sheets)
2 JavaScript
XSS Prevention
1 filter_var($var, $filter, $options)
2 HttpOnly cookies
3 stripslashes
4 htmlspecialchars
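Three of the prevention items above applied to an online-banking page, as an added example (not OBVS project code): filter_var validation of form fields, an HttpOnly session cookie, and htmlspecialchars output encoding. The field names and limits are assumptions.

```php
<?php
// Added example, not OBVS project code. Field names and ranges are assumed.

// Output encoding for an HTML text context: <, >, &, " and ' become entities,
// so a stored name such as <script>alert(1)</script> is displayed, not run.
function render_greeting(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Welcome, ' . $safe . '</p>';
}

// Input validation with filter_var: null for anything that is not a
// syntactically valid e-mail address, before it reaches the database or a page.
function validate_email(string $email): ?string
{
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// A transfer amount must be a whole number in range; "100<script>" is rejected.
function validate_amount(string $amount): ?int
{
    $value = filter_var($amount, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]);
    return $value === false ? null : $value;
}

// HttpOnly (plus Secure and SameSite) session cookie: document.cookie cannot
// read it, so a script injected through XSS cannot exfiltrate the session id.
// The array form of session_set_cookie_params needs PHP 7.3 or later.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Quick check from the command line with a constructed payload:
// echo render_greeting('<script>alert(1)</script>'), PHP_EOL;
// var_dump(validate_email('user@example.com'), validate_amount('100<script>'));
```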
11. Cross Site Request Forgery (CSRF)
The attacker uses the cookies held in the victim's browser, so it is also called session riding.
CSRF characteristics: the attacker takes advantage of a website's trust in a certain browser.
CSRF Prevention
1 CAPTCHA verification in forms.
2 Unpredictable synchronizer token pattern tied to the user session.
3 session.cookie_httponly = 1 (True): this setting prevents cookies from being stolen by JavaScript injection; it is also called the CSRF protection key.
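The synchronizer token pattern from item 2, as an added example (not OBVS project code), applied to a fund-transfer form; the field name, session key and file name are assumptions.

```php
<?php
// Added example, not OBVS project code: synchronizer token pattern for a
// state-changing form. Field and session key names are assumptions.

// One unpredictable token per login session, generated from the CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form (transfer, password change).
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Server-side check on POST: the submitted token must equal the one stored in
// the session; hash_equals() compares in constant time. A request forged from
// another site cannot carry the token, because the attacker never sees the
// victim's page, even though the browser still attaches the session cookie.
function csrf_check(array $post, array $session): bool
{
    if (!isset($post['csrf_token'], $session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Typical use at the top of transfer.php (assumed file name):
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST, $_SESSION)) {
//     http_response_code(403);
//     exit('Invalid request token');
// }
```

HttpOnly keeps script from reading the cookie, but the browser still sends it with a cross-site request, so the token check is what actually blocks the forged transfer.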
12. Session Fixation
The attacker already has access to a valid session and tries to force the victim to use this particular SessionID.
Characteristics:
1 SessionID in URL
2 SessionID in cookies
Prevention
1 session.use_trans_sid = 0 (false) in your php.ini file. Otherwise the SessionID will be passed in the URL as a GET variable.
2 session.use_only_cookies = 1 (True) in your php.ini file. PHP will then use only cookies to store the session id on the client side, which prevents attacks that involve passing session ids in URLs.
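The two php.ini settings above applied at runtime, plus the login step that closes the fixation window, as an added example (not OBVS project code); session.use_strict_mode and the login/logout helpers are additions beyond the slide.

```php
<?php
// Added example, not OBVS project code: the two php.ini settings from the
// slide applied before session_start(), plus a fresh session id at login.

// Session id travels only in a cookie, never as a GET parameter.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
// Addition beyond the slide: reject session ids the server did not generate,
// so an id planted by the attacker is replaced instead of adopted.
ini_set('session.use_strict_mode', '1');
session_start();

// Called only after credentials are verified. Regenerating the id means any
// id the attacker fixed before login is not associated with the authenticated
// session; true also deletes the old session data on the server.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Logout clears the data, expires the cookie and destroys the server session.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```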
13. TRACE Method enabled
The TRACE response includes the cookies that the client sent in the TRACE request.
HTTP TRACE Method + XSS = XST (Cross-Site Tracing)
Impact variables
1 cookies
2 authentication data
Prevention
1 Use the Apache mod_rewrite module to deny HTTP TRACE requests.
2 TraceEnable off causes Apache to return a 403 FORBIDDEN error to the client.
14. Using Components with Known Vulnerabilities
Apache Server-Info enabled: displays information about your Apache configuration.
Prevention: disable the mod_info.so line in the httpd.conf file.
Apache Server-Status enabled: displays information about your Apache status.
Prevention: disable mod_status.so
Directory Listing: the Apache server is configured to display the list of files contained in a directory, and these are normally exposed through links on the website.
Prevention: disable mod_autoindex.so
16. Conclusion
OBVS introduces the key issues behind real-life web application vulnerabilities and applies patches for those weaknesses or flaws to a certain degree. These are the current challenges facing organisations and industry, and they require relevant, professionally qualified experts.