Page Applications
Tale of the Tape
• Brief review of AppSec origins
• Brief intro on Mixed Martial Arts (MMA)
• Fighting styles vs Hacking styles
• Getting in the ring with a SPA
Our Introduction to Web Apps
HTTP Standard Format
item=Shirt&color=Blue
Our Introduction to App Sec
---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12
Ok, topic change again. Since we've hit on web service and database stuff,
let's roll with it. Onto ODBC and MS SQL server 6.5.
I worked with a fellow WT'er on this problem. He did the good thing and told
Microsoft, and their answer was, well, hilarious. According to them,
what you're about to read is not a problem, so don't worry about doing
anything to stop it.
SELECT * FROM table WHERE x=1 SELECT * FROM table WHERE y=5
Exactly like that, and it'll work. It will return two record sets, with each
set containing the results of the individual SELECT.
- WHAT'S THAT REALLY MEAN? People can possibly piggyback SQL commands into your statements.
Let's say you have:
http://myspace.com/login.php?username=admin'&password=abd123
Invalid User
Error 1064: You have an error in your SQL syntax near '" at line 1 of
SELECT * FROM tAccounts WHERE username=admin' AND password="abc123"
Fun with SQL Injection
http://myspace.com/login.php?username=admin'#&password=abd123
http://myspace.com/login.php?username=admin'&password=abc123
Welcome Admin
Savate vs Sumo
Which discipline is better?
Standing – up close
(diagram labels) Request / Response / Request / Response
Applications getting more difficult
Then Now
“React abstracts away the DOM from you, giving you a simpler programming model and better performance”
A rose by any other name
• Web Services
• RESTful APIs
• Web APIs
• or simply APIs
HTTP Standard Format
item=Shirt&color=Blue
AJAX & REST API Formats
Custom URL handlers GET /rest/search/item/Shirt/color/Blue
POST /rest/
XML format <search><item>Shirt</item><color>Blue</color></search>
POST /json/
JSON: JavaScript Object Notation {"search": {"item": "Shirt", "color": "Blue"}}
POST /GWT/
GWT: Google Web Toolkit
Search|Shirt|Blue|
JSON supports nicely formatted nested data, just like XML:
{ "products" : [
  { "shirt" : {
      "colors" : [ "blue", "red", "yellow", "green" ],
      "price" : "19.99",
      "sizes" : [ "small", "medium", "large", "xlarge" ],
      "text" : "NTO"
  } },
  { "hat" : {
      "colors" : [ "black", "red" ],
      "price" : "24.99",
      "sizes" : [ "kids", "adult" ],
      "text" : "NTO"
  } }
] }
Swing and a Miss
Original request:
{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}
Attack request (payload inside the key):
{"products":[{"shirt'_OR_1='1":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}
Attack request (payload appended after the JSON body):
{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}' OR 1='1
Accomplished nothing
Landing the blow
Original request:
{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}
Attack request (payload inside the key):
{"products":[{"shirt' OR1='1":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}
Successful delivery
Attack request (payload inside a value):
{"products":[{"shirt":{"text":"NTO","colors":["blue","red' OR 1='1","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}
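As an added example (not from the slides), this Python reproduces the three payload placements above against a parse-first handler, showing why the key and trailing placements miss while the value placement reaches the query, and puts the string-built query beside its parameterized form. The request bodies are constructed, shortened versions of the slide's request.

```python
import json

# Constructed sample bodies: the slide's request, cut down, with the slide's payload
# placed in the three positions the slides compare.
PAYLOAD = "' OR 1='1"
ORIGINAL = '{"products":[{"shirt":{"text":"NTO","colors":["blue","red"],"price":"19.99"}}]}'
IN_KEY = ORIGINAL.replace('"shirt"', '"shirt' + PAYLOAD + '"')  # Swing and a Miss: inside the key
AFTER_BODY = ORIGINAL + PAYLOAD                                  # Swing and a Miss: after the closing brace
IN_VALUE = ORIGINAL.replace('"red"', '"red' + PAYLOAD + '"')    # Landing the blow: inside a value


def where_does_it_land(body):
    """Mimic a server that parses the JSON body and then reads the shirt's colors.

    Returns:
      'rejected'          - not valid JSON; the parser throws before any handler runs
      'ignored'           - valid JSON, but the expected key is gone, so the handler never sees it
      ('reached', colors) - the payload sits in a value the handler actually reads
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "rejected"
    try:
        colors = doc["products"][0]["shirt"]["colors"]
    except (KeyError, IndexError, TypeError):
        return "ignored"
    return ("reached", colors)


def build_query(colors):
    # The vulnerable pattern: the query is string-built from values that reached the handler,
    # so a quote inside a value rewrites the SQL.
    return "SELECT * FROM products WHERE color IN ('" + "','".join(colors) + "')"


def build_query_safe(colors):
    # The fix: placeholders in the SQL, values handed to the driver separately (sqlite3 '?' style).
    placeholders = ",".join("?" * len(colors))
    return "SELECT * FROM products WHERE color IN (" + placeholders + ")", tuple(colors)
```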
Documenting RESTful APIs
REACT Recap
• Very difficult to do discovery
• Very complex client-side code
• Relies heavily on REST APIs
Don’t forget Mobile!
REST WEB SERVICE
Web Service Authentication
• Classic solutions
  • HTTP Auth (Basic/NTLM/Digest)
  • Custom HTTP Header
  • Session Cookie
• Popular standardized solutions
  • OAuth support
    • Supports most installations with simple configuration settings
• Custom signing code
• User driven/macro solutions
Custom Request Signing
Example Authenticated REST Request
GET /api/v1/lookup HTTP/1.1
Host: 127.0.0.1:8000
Accept: application/json
Content-type: application/json
Authorization: creds joe.user:RMEsPFo1AakM9YDtgVckJMIrk=
x-by-date: Thu, 31 Oct 2013 01:48:37 GMT
Cache-Control: no-cache
Sample Custom Signing Code
$username = 'joe.user';
$YourAPIKey = '1cd9b8b190ed02d1d0f2b9ff40c050604e7a2c7f';   // shared secret; never sent on the wire
$exp_date = datetime.strftime(TimeUTC, "%a, %d %b %Y %H:%M:%S GMT");   // same value as the x-by-date header
$StringToSign = HTTP-Verb + $exp_date + URL_WITHPARAMS;   // e.g. "GET" + $exp_date + "/api/v1/lookup"
$Signature = Base64(HMAC-SHA256($YourAPIKey, $StringToSign));
$AuthString = "Creds" + " " + $username + ":" + $Signature;
AddHTTPHeader('Authorization', $AuthString);
AddHTTPHeader('x-by-date', $exp_date);
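Added example (not the slide's code): a Python version of the signing scheme above, with both the client side that emits the two headers and the server-side check that recomputes the HMAC, compares it in constant time and rejects stale dates. The user name and key are the slide's; the five-minute replay window and the in-memory key table are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed: the slide's user and API key; a real service would store keys per user.
API_KEYS = {"joe.user": b"1cd9b8b190ed02d1d0f2b9ff40c050604e7a2c7f"}
DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"   # format of the x-by-date header on the slide
MAX_SKEW = timedelta(minutes=5)           # assumed replay window; the slide states none


def string_to_sign(verb, date_header, url_with_params):
    # Same concatenation as the slide's pseudocode: HTTP verb + date + URL with params.
    return verb.upper() + date_header + url_with_params


def sign_request(username, verb, url_with_params, when):
    # Client side: returns the two headers the slide adds to the request.
    date_header = when.strftime(DATE_FMT)
    msg = string_to_sign(verb, date_header, url_with_params).encode()
    mac = hmac.new(API_KEYS[username], msg, hashlib.sha256).digest()
    auth = "creds " + username + ":" + base64.b64encode(mac).decode()
    return {"Authorization": auth, "x-by-date": date_header}


def verify_request(headers, verb, url_with_params, now):
    # Server side: parse the header, check the date window, recompute and compare the MAC.
    scheme, _, credentials = headers.get("Authorization", "").partition(" ")
    username, _, signature = credentials.partition(":")
    if scheme.lower() != "creds" or username not in API_KEYS:
        return False
    try:
        sent_at = datetime.strptime(headers.get("x-by-date", ""), DATE_FMT)
    except ValueError:
        return False
    if abs(now - sent_at.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        return False   # replayed or badly skewed request
    msg = string_to_sign(verb, headers["x-by-date"], url_with_params).encode()
    expected = base64.b64encode(hmac.new(API_KEYS[username], msg, hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, signature)   # constant-time comparison


def slide_time():
    # The timestamp shown in the example request on the slide.
    return datetime(2013, 10, 31, 1, 48, 37, tzinfo=timezone.utc)
```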
Possible layers of an App