Web Security Jose Mato Mariño

Web Security attacks and defense


Page 1: Web Security attacks and defense

Web Security

● Jose Mato Mariño


3/5/15 - 12:52:45 AM

Who am I?

● Web Developer

● Web security as hobby

● http://josemato.name

● @security4dev

Is it mandatory to know web security to build a website?

● YES, if someone hacks your server... you, the developer, are screwed

– Read logs, …, a lot of logs

– Sometimes it is difficult to know what happened

– Web security is easier than computer forensics

● Your client

– Angry

– Lost branding and reputation


Why do cybercriminals want my server???

● SPAM

● BitCoins

● Phishing

● Botnet

● Ransomware

● Data theft

● Online community dedicated to web application security

● Guides, practices and recommendations for what is considered secure application development

● OWASP TOP 10


OWASP TOP 10 – From 2010 to 2013

A3 – Cross Site Scripting (XSS)

● Problem: the user injects code (ActiveX, Java, VBScript, Flash, HTML, but typically JavaScript) into the web page

● Attacks:

– Access the user's session (session hijacking)

– Redirect the user to an exploit kit (Blackhole)

– Defacement. Phishing.

– Network IP + port scanner

● There are 5 contexts in which XSS can be exploited

● There are two types of XSS

A3 – XSS Context

● Context (by Ashar Javed @soaj1664ashar):

"Context is an environment where user supplied input or input from other application(s) eventually ends-up or start living"

● Types of context:

– HTML context (<title>XSS</title>)

– Attribute context (input value="XSS")

– Script context (<script>var a = "<?php echo XSS ?>"</script>)

– URL context (a server variable written into src, href, Flash data, etc.)

– Style context (div style="XSS" => custom editors)

A3 – XSS Types

● Reflected

– The code is not stored in any database or repository

– The payload must be in a GET parameter (open to discussion)

– The user needs to click on a malicious link

● Persistent

– The code is stored in a persistent store (database)

– When a user opens the hacked page, the exploit executes

A3 – Famous XSS: “Mr. Bean 'se cuela' en la web oficial de la presidencia española” (“Mr. Bean sneaks into the official website of the Spanish presidency”)

● http://www.elmundo.es/elmundo/2010/01/04/union_europea/1262610678.html

XSS DEMO I

● Check if there is some XSS

● Get access to a user account

A3 – XSS Mitigation

● Never trust user input (inbound & outbound)

● Sanitize all inputs

● Enable the httpOnly flag on cookies

● Content Security Policy (CSP)
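Added example, not from the slides: one encoder per XSS context from the "XSS Context" slide (HTML, attribute, script, URL, style), used to render a profile page, plus the two header-based mitigations listed above (httpOnly cookie and CSP). The profile template, the payload string and the header values are constructed for the demo.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed payload: harmless text in the HTML context, a string terminator
# in the attribute and script contexts, so one encoder cannot serve all five.
PAYLOAD = '"><script>alert(1)</script>'

def encode_html(s):
    # HTML context (<title>...</title>): &, <, >, " and ' become entities.
    return html.escape(s, quote=True)

def encode_attr(s):
    # Attribute context: same entities, and the caller must always quote the attribute.
    return html.escape(s, quote=True)

def encode_js_string(s):
    # Script context (var a = "..."): \uXXXX-encode everything but ASCII letters and
    # digits, so neither a quote nor </script> can leave the literal (BMP chars only).
    return "".join(c if c.isascii() and c.isalnum() else "\\u%04x" % ord(c) for c in s)

def safe_url(s):
    # URL context (href/src): only http(s) is accepted, then attribute-encoded;
    # javascript: or data: URLs are replaced, not encoded.
    return encode_attr(s) if urlsplit(s).scheme in ("http", "https") else "#"

def encode_style_value(s):
    # Style context (style="..."): allow a conservative character set only, so
    # ';', ':' or url(...) cannot be injected into the declaration.
    return s if re.fullmatch(r"[A-Za-z0-9 #%.,-]*", s) else ""

def render_profile(name, homepage, colour):
    """Render one value into each context with the encoder that context needs."""
    return (
        f"<title>{encode_html(name)}</title>\n"
        f'<input value="{encode_attr(name)}">\n'
        f'<script>var user = "{encode_js_string(name)}";</script>\n'
        f'<a href="{safe_url(homepage)}">home</a>\n'
        f'<div style="color: {encode_style_value(colour)}">profile</div>'
    )

def security_headers(session_id):
    # httpOnly keeps the session cookie out of document.cookie; the CSP refuses
    # inline scripts, which is exactly what an injected <script> block is.
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
```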

A4 – Insecure Direct Object References

● Access to resources that are not allowed

● The application fails to check whether the user is authorized to access the resource

● Common scenario:

– http://websecurity-demo.local/transcript.php?student=1536

● The attacker sees a parameter and knows that “1536” is his student id

● The attacker changes this student id and gets another student's content

● This parameter could be anywhere (GET, POST, cookie, …)
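Added example, not from the slides: two fixed versions of the transcript lookup above. The first keeps the direct id (?student=1536) but enforces the missing ownership check; the second hands the client a per-session random token instead of the id (an indirect object reference), so there is no id to tamper with. The transcript data, owners and staff set are constructed.

```python
import secrets

# Constructed data standing in for transcript.php: real student ids, their owners, staff users.
TRANSCRIPTS = {1536: "Alice: Algebra A, Networks B+", 1537: "Bob: Algebra C, Networks A-"}
OWNER = {1536: "alice", 1537: "bob"}
STAFF = {"prof"}

class Session:
    """Per-user session holding an indirect reference map: opaque token -> real id."""
    def __init__(self, user):
        self.user = user
        self._refs = {}

    def reference(self, student_id):
        # Hand the client a random token; the real id never appears in the URL.
        token = secrets.token_urlsafe(16)
        self._refs[token] = student_id
        return token

    def resolve(self, token):
        # A token from another session, or a guessed one, resolves to nothing.
        return self._refs.get(token)

def authorized(user, student_id):
    # The server-side check the vulnerable page skipped: owner or staff only.
    return user in STAFF or OWNER.get(student_id) == user

def get_transcript_direct(session, student_id):
    """Direct reference kept (?student=1536) but the ownership check is enforced."""
    if not authorized(session.user, student_id):
        raise PermissionError("not your transcript")
    return TRANSCRIPTS[student_id]

def get_transcript_indirect(session, token):
    """Indirect reference: the token only means something inside this session."""
    student_id = session.resolve(token)
    if student_id is None or not authorized(session.user, student_id):
        raise PermissionError("not your transcript")
    return TRANSCRIPTS[student_id]

def is_denied(handler, session, ref):
    """True when the handler refuses the request (used by callers and tests)."""
    try:
        handler(session, ref)
    except PermissionError:
        return True
    return False
```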

A1 – Injection

● Technique to alter the queries sent to the storage engine through a vulnerable application

● MySQL, MSQL, Postgres, LDAP, Access, Oracle, …

● We are going to focus on SQLi in this talk

● Many kinds of SQLi

A1 – SQL Injection Goals

● Access personal data. Dump the database

● Dump local users (/etc/passwd)

● Access the organization's CMS

● Site infection

– Malware propagation

– Click abuse

A1 – Famous SQL Injection I

● Lilupophilupop SQL Injection Attack Tops 1 Million Infected URLs

– Searched for SQL injection on ASP or ColdFusion pages backed by Microsoft SQL Server

– More than one million URLs infected

– The attackers used persistent XSS to redirect users to pages showing fake computer problems so that they would buy a fake AV

● http://threatpost.com/lilupophilupop-sql-injection-attack-tops-1-million-infected-urls-010412/76054

A1 – Famous SQL Injection II

● Barr’s claims that he would unmask and extinguish Anonymous proved to be the proverbial last straw on the camel’s back.

● Anonymous found a SQL injection:

– http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27

● Passwords were hashed, but Aaron had only used lower-case letters and numbers.

● Access to the CMS. Social engineering to reset the email password and get SSH access. (Aaron used the same password for many services!)

● http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

A1 – SQL Injection Types

● SQL Injection

● Blind SQLi

– We can only use queries that return a boolean value (true or false).

– It's very slow

– Binary search to improve performance

● Time-based SQLi

– Based on heavy queries (sleep)

– Very slow

A1 – SQL Injection Walkthrough I

● The database engine has metadata, a catalog, a schema or something similar

● This catalog stores all the database metainformation (table relations, whether a database exists, column names with length + datatype, …)

● Knowing the catalog of the vulnerable app is mandatory to perform a pentest

A1 – SQL Injection Walkthrough II

● Search for the vulnerability (test app requests and check params)

– Number of columns

– Database names

– Table names

– Column names

● Dump or insert data

● Download files

● Upload webshell

A1 – SQL Injection Walkthrough III

● MySQL Catalog

– Retrieve databases: SELECT schema_name FROM information_schema.SCHEMATA;

– Retrieve tables from a specific database: SELECT table_schema, table_name FROM information_schema.TABLES WHERE table_schema = 'DATABASE';

– Retrieve columns from a specific table: SELECT column_name, column_type FROM information_schema.columns WHERE table_name = 'TABLE' AND table_schema = 'DATABASE';
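Added example, not from the slides: the defect behind the injection types and walkthrough above (user input concatenated into the SQL text) beside its parameterized fix, and a small log-review filter for the markers of the techniques the walkthrough uses (catalog enumeration, sleep-based delays, boolean tautologies). The students table, its rows and the access-log lines are constructed; SQLite stands in for MySQL.

```python
import re
import sqlite3
from urllib.parse import unquote

def build_db():
    # Constructed in-memory database standing in for the vulnerable app's store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER, name TEXT, grade TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?)",
                   [(1536, "alice", "A"), (1537, "bob", "B"), (1538, "carol", "C")])
    return db

def lookup_vulnerable(db, name):
    # Defect kept on purpose: the value is pasted into the SQL text, so a quote in
    # it ends the literal and whatever follows is parsed as SQL.
    sql = "SELECT id, name, grade FROM students WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # Fix: the value travels as a bound parameter and is only ever compared as data.
    return db.execute("SELECT id, name, grade FROM students WHERE name = ?",
                      (name,)).fetchall()

def row_counts(name):
    """Rows returned by both handlers for the same input; they diverge once it carries SQL."""
    db = build_db()
    return len(lookup_vulnerable(db, name)), len(lookup_parameterized(db, name))

# Markers of the techniques in the walkthrough: catalog enumeration, time-based
# delays, tautologies and UNION-based dumps. A heuristic for log review, not a WAF.
SQLI_MARKERS = re.compile(
    r"information_schema|\bsleep\s*\(|\bbenchmark\s*\(|'\s*or\s+'?\d|union\s+select",
    re.IGNORECASE)

# Constructed access-log lines; query strings are URL-encoded as a server logs them.
ACCESS_LOG = [
    "GET /transcript.php?student=1536",
    "GET /transcript.php?student=1536%27%20AND%20SLEEP(5)--",
    "GET /pages.php?page=27%20UNION%20SELECT%20schema_name%20FROM%20information_schema.SCHEMATA",
    "GET /search.php?q=select%20a%20book",
]

def flag_requests(log_lines):
    """Return the log lines whose decoded query string carries a SQLi marker."""
    return [line for line in log_lines if SQLI_MARKERS.search(unquote(line))]
```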


A1 – SQL Injection Hacking Time :)

Some Questions?? THANKS!!

● Jose Mato

– http://josemato.name

– @security4dev

– https://github.com/josemato/

– https://www.linkedin.com/in/josematomarino