Transcript OWASP Demo
Common Exploits
Aaron Cure
Cypress Data Defense
SQL Injection
What is it?
◦ The inclusion of portions of SQL statements in
an entry field in an attempt to get the website
to pass a newly formed rogue SQL command to
the database (e.g., dump the database
contents to the attacker)
SQL Injection
How do we attack it?
◦ SqlMap
http://sqlmap.org
sqlmap is an open source penetration testing tool that
automates the process of detecting and exploiting SQL
injection flaws and taking over of database servers. It
comes with a powerful detection engine, many niche
features for the ultimate penetration tester and a
broad range of switches lasting from database
fingerprinting, over data fetching from the database, to
accessing the underlying file system and executing
commands on the operating system via out-of-band
connections.
SQL Injection Tools
◦ BSQL Hacker
http://labs.portcullis.co.uk/application/bsqlhacker/
BSQL (Blind SQL) Hacker is an automated SQL
Injection Framework / Tool designed to exploit
SQL injection vulnerabilities virtually in any
database.
SQL Injection Tools
sqlmap.py -u http://localhost:55612/Product.aspx?id=3
sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 1640=1640
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=3 AND (SELECT 1157 FROM(SELECT COUNT(*),CONCAT(0x3a796c6a3a,(SELECT (CASE WHEN (1157=1157) THEN 1 ELSE 0 END)),0x3a7a76743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=3 UNION ALL SELECT NULL,CONCAT(0x3a796c6a3a,0x6f6a6c61786d494f6a74,0x3a7a76743a),NULL--
---
web server operating system: Windows 2012
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0
back-end DBMS: MySQL 5.0
SQL Injection Demo
How do we prevent it?
◦ Don’t concatenate untrusted data
◦ Use parameterized queries
◦ Use a framework
nHibernate
Entity Framework
Etc.
SQL Injection Mitigation
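The first two mitigation bullets side by side, as an added Python/SQLite illustration (not the ASP.NET demo's code): the concatenated query answers the slide's boolean-based blind payload differently for a true and a false condition, while the parameterized query treats the whole value as data and matches nothing. The Product table and its rows are constructed here.

```python
import sqlite3

def build_db():
    # Constructed in-memory stand-in for the demo's Product table; not the ASP.NET app's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    db.executemany("INSERT INTO Product VALUES (?, ?, ?)",
                   [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 29.99)])
    return db

def lookup_concat(db, product_id):
    """Vulnerable: the untrusted id is concatenated into the statement, so SQL inside it runs."""
    sql = "SELECT id, name FROM Product WHERE id = " + product_id
    return db.execute(sql).fetchall()

def lookup_param(db, product_id):
    """Fixed: the id is bound as a parameter and compared as a value; it is never parsed as SQL."""
    return db.execute("SELECT id, name FROM Product WHERE id = ?", (product_id,)).fetchall()

def row_count(db, lookup, value):
    """Rows returned for a given id value, or -1 if the database rejected the statement."""
    try:
        return len(lookup(db, value))
    except sqlite3.Error:
        return -1

if __name__ == "__main__":
    db = build_db()
    for value in ("3", "3 AND 1640=1640", "3 AND 1640=1641"):
        print(f"{value!r:20} concat={row_count(db, lookup_concat, value):2} "
              f"param={row_count(db, lookup_param, value):2}")
```

The concatenated version returns one row for the true condition and none for the false one, which is exactly the oracle sqlmap's 59 requests exploited; the parameterized version returns none for both.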
Session Hijacking
What is it?
◦ Occurs when authentication tokens are stolen
from an authenticated user. This vulnerability
commonly occurs when session tokens are sent
in cleartext between a web server and a client’s
browser. Other examples include tokens being
stolen via cross-site scripting and man-in-the-middle
attacks. Allows an attacker to assume the identity
of another user and gain unauthorized access to
applications and functionality.
Session Hijacking
How do we attack it?
◦ Firesheep
Intercepts browser cookies used by many sites,
including Facebook and Twitter, to identify users
and allows anyone running the program to log in
as the legitimate user and do anything that user
can do on a particular website.
◦ Cross Site Scripting (XSS)
◦ Hamster/Ferret
◦ Man in the Middle (MITM)
Session Hijacking Tools
HTTP Header Injection of hijacked cookie
◦ Grab the existing cookie value (XSS, MITM,
etc)
◦ Create a new request, adding the captured
value in the header.
Session Hijacking Demo
How do we prevent it?
◦ Use SSL
◦ Set HTTPOnly and Secure on all cookies
◦ No http links (secure only)
◦ Set the HTTP Strict-Transport-Security (HSTS) header
Session Hijacking Mitigation
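A check for the cookie-flag and HSTS bullets above, as an added Python example (not from the presentation): it audits captured response headers for session cookies missing Secure or HttpOnly and for an absent or short-lived HSTS policy. The two header sets are constructed; the cookie names are ASP.NET's defaults and the values are made up.

```python
HSTS_MIN_AGE = 31536000  # one year; a shorter policy offers little protection

# Constructed response header lines, as a proxy or server log might capture them.
WEAK_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/",
    "Set-Cookie: .ASPXAUTH=def456; path=/; HttpOnly",
    "Content-Type: text/html; charset=utf-8",
]
HARDENED_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly",
    "Set-Cookie: .ASPXAUTH=def456; path=/; Secure; HttpOnly",
    "Content-Type: text/html; charset=utf-8",
]

def _header_values(header_lines, wanted):
    """Yield the value of every header whose name matches (case-insensitively)."""
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == wanted:
            yield value.strip()

def audit_cookies(header_lines):
    """Map each Set-Cookie cookie name to the list of flags it is missing."""
    findings = {}
    for value in _header_values(header_lines, "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
    return findings

def hsts_max_age(header_lines):
    """max-age from Strict-Transport-Security, 0 if malformed, None if the header is absent."""
    for value in _header_values(header_lines, "strict-transport-security"):
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                return int(val)
        return 0
    return None

def weaknesses(header_lines):
    """Human-readable findings covering the cookie-flag and HSTS bullets."""
    out = [f"cookie {n} missing {', '.join(m)}" for n, m in audit_cookies(header_lines).items() if m]
    age = hsts_max_age(header_lines)
    if age is None or age < HSTS_MIN_AGE:
        out.append("HSTS header missing or max-age below one year")
    return out
```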
Cross Site Request Forgery (CSRF)
What is it?
◦ While a user is authenticated into the target
website (i.e. a banking website), the user visits
another website (injection website) that is
under the control of an attacker or a site
(including the target site) that contains a
vulnerability that the attacker can exploit.
Cross Site Request Forgery
How can we attack it?
◦ Pinata.py
http://code.google.com/p/pinata-csrf-tool/
Assists with the explanation of Cross Site Request
Forgery and how a vulnerable application can be
exploited.
◦ CSRF Tool
http://homakov.github.io/
CSRF Tools
http://www.youtube.com/watch?v=uycmHQM_h64
CSRF Demo
How can we prevent it?
◦ Use a random token on every post.
◦ Server-side must check it before processing the
request.
◦ If any POST endpoint lacks it — something is
clearly wrong
CSRF Mitigation
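The three CSRF bullets in code, as an added Python example (not from the presentation or any framework): a random per-session token embedded in every form, a constant-time server-side check that runs before the handler does any work, and an audit that lists POST routes nobody wrapped. The route table, handlers and paths are constructed.

```python
import hmac
import secrets

def issue_csrf_token(session):
    """Create the per-session random token once; every form on the site carries it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_form(session, action):
    """Emit a POST form with the token as a hidden field (action is a constructed path)."""
    token = issue_csrf_token(session)
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')

def verify_post(session, form_fields):
    """Server-side check that must run before the request does any work."""
    expected = session.get("csrf_token")
    supplied = form_fields.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time comparison

def csrf_protected(handler):
    """Wrap a POST handler so it rejects requests without a valid token."""
    def wrapped(session, form_fields):
        if not verify_post(session, form_fields):
            return 403, "CSRF token missing or invalid"
        return handler(session, form_fields)
    wrapped.csrf_protected = True
    return wrapped

@csrf_protected
def transfer(session, form_fields):
    return 200, "transferred " + form_fields.get("amount", "0")

def legacy_export(session, form_fields):  # a POST handler nobody wrapped
    return 200, "exported"

POST_ROUTES = {"/transfer": transfer, "/export": legacy_export}  # constructed route table

def unprotected_post_routes(routes):
    """The third bullet as a check: any POST endpoint without the token check is a finding."""
    return sorted(path for path, h in routes.items() if not getattr(h, "csrf_protected", False))
```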
Session Fixation
Permits an attacker to hijack a valid user
session. When authenticating a user, the
web application doesn’t assign a new
session ID, making it possible to use an
existing session ID.
Session Fixation
How do we attack it?
◦ XSS
◦ MITM
◦ BlackSheep
◦ FireSheep
Session Fixation Tools
◦ Perform a GET of the site
◦ Login
◦ Ensure that the Session ID changes
Session Fixation Demo
How do we prevent it?
◦ Clear the session on login/logout
◦ Generate a new session ID on login/logout
◦ Remove the session cookie on logout
◦ Log the user out
Session Fixation Mitigation
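The demo steps and the mitigation bullets together, as an added Python example (not the demo application's code): a constructed server-side session store that, on login, discards the pre-login session and issues a fresh ID, plus the demo's own check (GET, login, confirm the ID changed). The regenerate_on_login=False switch models the vulnerable behaviour.

```python
import secrets

class SessionStore:
    """Constructed server-side session store; regenerate_on_login=False models the vulnerable app."""

    def __init__(self, regenerate_on_login=True):
        self._sessions = {}
        self._regenerate = regenerate_on_login

    def start(self):
        """First GET of the site: hand out an anonymous session."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, username):
        """Authenticate; with regeneration on, the pre-login ID is destroyed and a fresh one issued."""
        if sid not in self._sessions:
            sid = self.start()
        if self._regenerate:
            del self._sessions[sid]  # clear anything planted before authentication
            sid = self.start()
        self._sessions[sid]["user"] = username
        return sid

    def logout(self, sid):
        """Remove the server-side session; the caller must also expire the cookie."""
        self._sessions.pop(sid, None)

def session_id_changes_on_login(store):
    """The demo's check: GET, login, confirm the ID changed and the old one no longer works."""
    before = store.start()
    after = store.login(before, "demo-user")
    return before != after and store.get(before) is None and store.get(after) == {"user": "demo-user"}
```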
Cross-Site Scripting (XSS)
What is it?
◦ Cross-Site Scripting attacks occur when
malicious scripts are injected into the otherwise
benign and trusted web sites. An attacker uses
a web application to send malicious code,
generally in the form of a browser side script,
to a different end user.
Cross-Site Scripting (XSS)
How can we attack it?
◦ XSSer
http://xsser.sourceforge.net/
Cross Site "Scripter" (aka XSSer) is an automatic -framework- to
detect, exploit and report XSS vulnerabilities in web-based
applications.
◦ XSS Me (ff)
◦ XSS-Proxy
http://xss-proxy.sourceforge.net/
XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool.
The documents, tools and other content on this site assume you
have a basic understanding of XSS issues and existing
exploitation methods. If you are not familiar with XSS, then I
recommend you check out the primer links/docs below to get a
better idea of what XSS is and how to detect it, fix it, and
exploit it.
XSS Tools
http://homakov.github.io/stealpass.html
javascript:alert(pass.value)
XSS Demo
How do we prevent it?
◦ Validate the user input
◦ Remove or encode special characters
◦ Encode it before it is displayed
◦ Use an Anti-XSS library
XSS Mitigation
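The encoding bullets applied per output context, as an added Python example (not from the presentation or any Anti-XSS library): untrusted text is HTML-encoded before display, and a link value is additionally checked against a scheme allow-list so a javascript: URL like the one in the demo never reaches an href. The product snippet and URLs are constructed.

```python
import html

SAFE_SCHEMES = {"http", "https", "mailto"}

def encode_for_html(text):
    """Encode untrusted text for an HTML text node or a double-quoted attribute value."""
    return html.escape(text, quote=True)

def url_scheme(url):
    """Scheme of a URL, lower-cased, with control characters and whitespace dropped first."""
    cleaned = "".join(ch for ch in url if ch > " ")
    head, sep, _ = cleaned.partition(":")
    if not sep or any(c in head for c in "/?#"):
        return ""  # relative URL: no scheme
    return head.lower()

def safe_href(url):
    """Allow only http, https and mailto links; anything else becomes an inert '#'."""
    scheme = url_scheme(url)
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return encode_for_html(url)

def render_product_link(name, link):
    """Build the snippet with each untrusted value encoded for the context it lands in."""
    return f'<a href="{safe_href(link)}">{encode_for_html(name)}</a>'
```

Encoding alone does not make a URL attribute safe, which is why safe_href checks the scheme before encoding; the encoding step still matters there because it stops an entity-encoded colon from being decoded by the browser.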
Questions?