Simple web security

Simple Web Security
BambooFox & NCTUCSC

$$whoami
> fuyu0425 / a0919610611
> 傅裕夫
> 資工系大三
> NA of CSC
> TA of CSCC
> Full-stack Web Developer
> a0919610611@gmail.com / fuyu0425@cs.nctu.edu.tw
> Github ( https://github.com/a0919610611 )

Outline
● HTTP
● BurpSuite
● OWASP Top 10 Vulnerabilities
● XSS
● CSRF
● SQL Injection
● Google Hacking
● Practice Platform (bWapp and WebGoat)
● Next Step

HTTP - Introduction
HyperText Transfer Protocol
● Request
○ Method Ex: GET/POST/PUT/DELETE
● Response
● Header
● Body
● based on TCP
● stateless (important !!!)

So... How server know who you are?

HTTP - Cookie and Session
● Cookie
○ Stored in browser
○ Browser will auto send cookie to the server .
● Session
○ Stored in server side
○ Stored in database or cache
○ Server use session to identify user.

HTTP - Authentication Flow Chart
1. You type username and password at login page.
2. Server check and create a session stored in database.
3. Server use HTTP header : Set-Cookie to make browser store cookie and
value is the session id .
4. When you view protected page . Browser auto send the cookie .
5. Server check the session is in the database , and know who you are.
6. Check your permission and response right page for you.

Burpsuite
a proxy server that can intercept and modify request before sending to server

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Broken Access Control
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Insufficient Attack Protection
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Underprotected APIs

XSS - Introduction
● Hacker ineject script (javscript) to make browser execute.
● Normal Content
○ <p> Hi~ </p>
● Malicious Content
○ <p> <script> { script content }</script></p>
○ hacker can use javscript to steal you cookie and sensitive information .

XSS - XSS types
● Reflected XSS
○ Not stored in database.
○ Need user to click URL with malicious parameter.
● Stored XSS
○ Stored malicious content in database
○ take message board for example , if hacker leave a message “<script>alert()</script>,
everyone will now be alerted .
● DOM-based XSS
○ with malicious payload to modify the DOM to trigger attack.

XSS - How to defend
replace <script> to $lt;script$gt; ...
Use HTML Entities

XSS - Some useful tips
● <a href=javascript:alert(1)> xss </a>
● <button onclick=”alert(1)”> click me !</button>
● <body onload=”alert(1);”> this is body </body>
● <p onmouseover=”alert(1);”> xss </p>
● <img src=x onerror=”alert(1);” />

XSS - Practice
● XSS Game ( https://xss-game.appspot.com )
● bwapp
● webgoat

XSS - XSS Game Level 1 (Reflected XSS)

XSS - XSS Game Level 2 ( Stored XSS)

XSS - XSS Game Level 3 - Analyze (1)

XSS - XSS Game Level 3 - Analyze (2)

XSS - XSS Game Level 3 - Injection
1. when page load , it will called window.onload
2. window.onload => choosetab (self.location.hash.substr(1))
○ google.com#1234 => self.location.hash = “#1234”
○ “#1234”.substr(1) = “1234”
3. then replace the content with "<img src='/static/level3/cloud" + num + ".jpg' />"
4. the num is what we can control !!
5. let’s injection
6. use img’s onerror hook

XSS - XSS Game Level 3 - Injection

XSS - WebGoat
Browser will ignore donwside form if we don’t close upside !
Make request using image

CSRF
Cross-site Request Forgery

CSRF - Introduction
1. Recall that , browser will auto send the cookie.
2. if we can inject malicious request to the website , we can fake the real user .
3. XSS can help hacker , but not neccesary.
<img src=”http://tranfer.com/?money=99999&to=hakcer>
<img src=”http://tranfer.com/confirm”>
<iframe src=”http://tranfer.com/?money=99999&to=hakcer>

CSRF - How to defend
● CSRF Token
○ generate special token for every request.
○ if hacker can’t steal token , then can’t fake the request.
● Origin Header
○ check the request is from the same website .
○ take last slide’s request for example , check origin header is “transfer.com”

SQL Injection - SQL
Structured Query Language
● SQL is used to communicate with a database.
● MySQL / MariaDB / PostgreSQL / MSSQL
● Use table to store data.
● Most used operation
○ SELECT
○ INSERT
○ UPDATE
○ DELETE
○ UNION

SQL Injection - SQL Example
● SELECT
○ SELECT Store_Name FROM Store_Information;
● INSERT
○ INSERT INTO Store_Information (Store_Name, Sales, Txn_Date)
VALUES ('Los Angeles', 900, 'Jan-10-1999');
● UPDATE
○ UPDATE Store_Information
SET Sales = 500
WHERE Store_Name = 'Los Angeles' AND Txn_Date = 'Jan-08-1999';
● DELETE
○ DELETE FROM Store_Information WHERE Store_Name = 'Los Angeles';
● Union
○ SELECT Txn_Date FROM Store_Information UNION
SELECT Txn_Date FROM Internet_Sales;

What if we can control the SQL statement ?

SQL Injection - Example
If we have a login page can type username and password , what will server do to
check the login is valid ?
if my username = fuyu0425 and password = 11111111 , then type it on login page.
SELECT * FROM users WHERE username = ‘fuyu0425’ and
password = ‘11111111’ ;
then check the result is not empty .

SQL Injection - Example (2)
Now hacker want to login my user without my password , how can he do ?
hacker can type username = fuyu0425 ‘ or 1=1 -- and password = XXXX
Now SQL statement becomes
SELECT * FROM users WHERE username = ‘fuyu0425’ or
1=1 -- ’ and password = ‘11111111’ ;
Now hacker can login without knowing my password
Because -- is used for comment in SQL ;

SQL Injection - Injection types
● Normal injection
○ Use UNION , useful when you know the database schema
● Blind injection
○ Ask True or False questions and determines the answer based on the application response.
● Error-based injection
● Time-based injection

SQL Injection - Normal injection
Use Union to query what you want
SELECT * FROM users
WHERE username = ‘fuyu0425’ or 1=1
UNION SELECT * FROM books
-- ’ and password = ‘11111111’ ;

SQL Injection - Blind injection
Use Boolean to determine it can be injected or not
1. http://newspaper.com/items.php?id=2
SELECT title, description, body FROM items WHERE ID = 2
1. http://newspaper.com/items.php?id=2 and 1=1
SELECT title, description, body FROM items WHERE ID = 2 and 1=1
1. http://newspaper.com/items.php?id=2 and 1=2
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
If 2’s result != 3’s result based on server response , we can suspect that it can be
injected.

SQL Injection - Practice
● AIS3 web 3
● SQL_Demo
● bwapp (http://www.itsecgames.com/)
● webgoat

Google Hacking
Google is your friend (weapon ?)

Google Hacking - Introduction
● Google will index website for search engine.
● Google search bar has some keyword we can use.
● keyword:
○ intile:nctu
○ inurl:google.com
○ site:google.com
○ ext:html
● Operator:
○ | : or
○ + : and
○ - : not

Google Hacking - Search
intitle:index.of /.git

Google Hacking - Search
intitle:"index of" passwd

Practice Platform
bWapp and WebGoat

bwapp - Install
● download the bee-box https://sourceforge.net/projects/bwapp/files/bee-box/
● and follow the INSTALL.txt

WebGoat - Install
● install java
○ apt-get install default-jre (kail pre-installed)
● wget or download
https://github.com/WebGoat/WebGoat/releases/download/7.1/webgoat-
container-7.1-exec.jar
● java -jar webgoat-container-7.1-exec.jar
● go to localhost:8080/WebGoat/login.mvc (Case Sensitive !!)

Next Step
● CTF
● Penetration Test
● A good web developer with awareness with security

Reference
● Last years’ slides. https://bamboofox.github.io/tutorial/2016/09/27/106-club-
course.html
● https://dzone.com/articles/jwtjson-web-tokens-are-better-than-session-cookies
● https://www.w3schools.com/html/html_entities.asp
● http://www.lijyyh.com/2013/06/web-application-security-risks-and.html

Simple web security

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Simple web security

Ähnlich wie Simple web security (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Simple web security