Secure Programming and Common Errors, PART II (1 of 25)

brought to you by Michele "AntiSnatchOr" Orrù and Integrating Web LTD
Computer System Security course led by Prof. Ozalp Babaoglu
9 December 2009

http://www.integratingweb.com
http://antisnatchor.com

Who am I? (2 of 25)
- Director and CSO of Integrating Web LTD
- Bachelor Degree in Internet Sciences
- Independent Security Researcher
- Owner of http://antisnatchor.com security advisory blog
- JEE developer

Seminar outline (part II) (3 of 25)
- Discuss other important attack vectors, not limited to Web Applications
- Practical screen-casts that show how attackers exploit common flaws
- Understand the impact of these threats on your privacy, data and identity

What we will discuss (4 of 25)
- CWE-22: Path Traversal + screen-cast
- CWE-89: Failure to Preserve SQL Query Structure (SQL injection) + screen-cast
- CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-casts
- Appendix: do you think HTTPS is secure? Not completely true...

CWE-22: Path Traversal (5 of 25)
- Many applications read from or write to a file system, parsing user-supplied parameters that specify the file or the operation.
- If these user-supplied parameters are not validated (and the application is not chrooted/jailed), then an attacker can manipulate them to read/write sensitive information/files on the OS.

CWE-22: Example, www.essedi.it (6 of 25)
Credits: antisnatchor
- Path traversal vulnerability on the ONERROR parameter
- The HTML file requested as the value of ONERROR can be manipulated to retrieve non-IIS-owned files

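As an added example (not code from the slides or from the site discussed), a resolver that validates a user-supplied file name such as the ONERROR value above before anything is opened; the base directory /srv/errorpages and the file names are assumed.

```python
import os
import urllib.parse

# Added example, not code from the slides. Assumed document root for the
# error pages an ONERROR-style parameter may select.
BASE_DIR = "/srv/errorpages"


class PathTraversalError(ValueError):
    """Raised when a user-supplied file name escapes the allowed directory."""


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %2e%2e and the
    double-encoded %252e%252e are both seen as '..' by the check below."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_user_path(user_value: str, base_dir: str = BASE_DIR) -> str:
    """Map a user-supplied file name to an absolute path inside base_dir.

    CWE-22 defence: decode, reject NUL bytes, normalise separators, resolve
    '..' and symlinks with realpath, then verify containment before any
    file is opened. Returns the safe absolute path or raises.
    """
    decoded = fully_unquote(user_value)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in file name")
    # IIS/Windows accept backslashes as separators; treat them as '/'.
    decoded = decoded.replace("\\", "/")
    base = os.path.realpath(base_dir)
    # Strip a leading '/' so absolute inputs are still joined under base.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # commonpath is the correct containment test: a plain startswith()
    # would accept '/srv/errorpages2/x' as being inside '/srv/errorpages'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes base directory: {user_value!r}")
    return candidate


def is_safe(user_value: str, base_dir: str = BASE_DIR) -> bool:
    """Convenience wrapper: True if the value resolves inside base_dir."""
    try:
        resolve_user_path(user_value, base_dir)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    for v in ("404.html", "../../etc/passwd", "%252e%252e/etc/passwd"):
        print(f"{v!r:32} -> {'allowed' if is_safe(v) else 'REJECTED'}")
```

The containment check runs on the fully resolved path, so it also covers a symlink planted inside the document root that points outside it.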
CWE-22: www.essedi.it, Screen-Cast (7 of 25)

CWE-22: Links (8 of 25)
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
SANS/MITRE: http://cwe.mitre.org/data/definitions/22.html
OWASP: http://www.owasp.org/index.php/Path_Traversal
Good hacker: http://kuza55.blogspot.com/2008/07/cookie-path-traversal.html
PHP security guru: http://www.suspekt.org/2008/12/05/php-527-and-ziparchiveextractto/

CWE-89: SQL Injection (9 of 25)
- If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit
- Thanks to Bernardo for SQLmap
  - http://sqlmap.sourceforge.net
  - Open source, written in Python
  - Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server
  - Metasploit plugin to exploit MS09-004 (Microsoft SQL Server 2000/2005 heap-based buffer overflow)

CWE-89: Example, www.dm.unibo.it (10 of 25)
Credits: antisnatchor
- Confirmed unescaped numeric injection on GET parameter "anno" (patched many months ago)
- We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0
- For demonstration we retrieved the exact name of the database to which the web app is bound: dipartimento

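Added example, not the vulnerable site's code: the numeric "anno" lookup above rebuilt on an in-memory SQLite table with constructed rows, showing the concatenated query beside the validated, parameterised one.

```python
import sqlite3

# Added example, not code from the slides or from the site discussed.
# A small in-memory table stands in for the data behind the vulnerable
# "anno" (year) GET parameter; table name and rows are constructed.


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE seminari (id INTEGER, anno INTEGER, titolo TEXT)")
    con.executemany(
        "INSERT INTO seminari VALUES (?, ?, ?)",
        [(1, 2008, "Crittografia"), (2, 2009, "Sicurezza web"), (3, 2009, "Reti")],
    )
    return con


def query_vulnerable(con: sqlite3.Connection, anno: str) -> list:
    """CWE-89 as on the slide: the numeric GET parameter is concatenated
    straight into the SQL text. Because the context is numeric, no quote
    character is needed to change the query structure, so quote escaping
    alone would not help here."""
    sql = "SELECT id, titolo FROM seminari WHERE anno = " + anno
    return con.execute(sql).fetchall()


def query_safe(con: sqlite3.Connection, anno: str) -> list:
    """Hardened: enforce the expected type and range first, then bind the
    value as a parameter so the query structure is fixed before any user
    data reaches the database engine."""
    try:
        year = int(anno)
    except ValueError:
        raise ValueError(f"anno must be an integer, got {anno!r}") from None
    if not 1990 <= year <= 2100:
        raise ValueError(f"anno out of range: {year}")
    return con.execute(
        "SELECT id, titolo FROM seminari WHERE anno = ?", (year,)
    ).fetchall()


def handle_request(con: sqlite3.Connection, anno: str) -> tuple:
    """Request handler around query_safe: invalid input becomes a
    400-style error response instead of reaching the database."""
    try:
        return ("ok", query_safe(con, anno))
    except ValueError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    print(query_vulnerable(db, "2009"))         # the two 2009 rows, as intended
    print(query_vulnerable(db, "2009 OR 1=1"))  # every row: the WHERE clause changed shape
    print(handle_request(db, "2009"))           # ('ok', [...])
    print(handle_request(db, "2009 OR 1=1"))    # ('error', ...)
```

Logging the rejected requests from handle_request gives a cheap, exact detection signal for a parameter that must always be an integer.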
CWE-89: www.dm.unibo.it, Screen-Cast (11 of 25)

CWE-89: Links (12 of 25)
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
- http://www.amazon.com/Database-Hackers-Handbook-Defending-Servers/dp/0764578014/ref=sr_1_2?ie=UTF8&s=books&qid=1260281547&sr=8-2
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
SQLmap author: http://www.slideshare.net/inquis/sql-injection-not-only-and-11

CWE-79: The Plague of Cross Site Scripting (13 of 25)
- When a page with our malicious code is accessed by other users, their browsers will execute our scripts in their contexts
- Really difficult to create a powerful anti-XSS filter:
  - Multiple data encoding handling
  - Data truncation handling
  - New vectors (CSS, JSON, XUL)

CWE-79: Example 1, KonaKart (14 of 25)
Credits: antisnatchor
- KonaKart is a free Java-based web application to manage e-commerce websites (www.konakart.com)
- Stored XSS has been found and verified in the backend
- More info here: http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/
- Let's see how we can exploit them

CWE-79: KonaKart, Screen-Cast (15 of 25)

CWE-79: Example 2, WMSmonitor (16 of 25)
Credits: antisnatchor
- Internal Penetration Test at INFN (National Institute of Nuclear Physics)
- Workload Management System (distributes job execution between multiple Computing Elements on a Grid infrastructure) monitor
- Some serious flaws have been identified:
  - Insecure handling of X.509 client certificates
  - Reflected XSS
  - TRACE method enabled
- Let's see how we can take full control of the victim browser

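Added example, not code from the slides or from the applications discussed: it shows why the blacklist filter that slide 13 warns about fails as soon as encodings are involved, and what contextual output encoding looks like for the HTML body, HTML attribute and JSON-in-script contexts (the parameter values are constructed).

```python
import html
import json
import re
import urllib.parse

# Added example, not code from the slides or the applications discussed.

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_filter(value: str) -> str:
    """Blacklist "anti-XSS filter" of the kind the slide warns against:
    it strips literal <script> tags from the raw input and nothing else."""
    return SCRIPT_TAG.sub("", value)


def render_with_filter(param: str) -> str:
    """Filter-then-decode ordering bug: the filter runs on the URL-encoded
    parameter and the template decodes it afterwards, so an encoded tag is
    never seen by the filter but reaches the page as markup."""
    cleaned = naive_filter(param)
    return f"<p>Hello {urllib.parse.unquote(cleaned)}</p>"


def render_html_body(param: str) -> str:
    """Correct: decode first, then escape at the point of output for the
    HTML body context. How the input was encoded no longer matters."""
    value = urllib.parse.unquote(param)
    return f"<p>Hello {html.escape(value, quote=True)}</p>"


def render_html_attribute(param: str) -> str:
    """Attribute context: the attribute must be quoted AND quotes escaped,
    otherwise a value containing '"' can terminate it and add attributes."""
    value = urllib.parse.unquote(param)
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_json_in_script(data: dict) -> str:
    """JSON vector from the slide: json.dumps leaves '<' and '>' intact, so
    a string value containing '</script>' would close the script block
    early. Encoding the angle brackets as JS escapes keeps the JSON valid
    for the browser's parser and inert for the HTML parser."""
    payload = json.dumps(data).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var data = {payload};</script>"


# Constructed inputs: the same tag in literal and URL-encoded form.
LITERAL = "<script>alert(1)</script>"
ENCODED = "%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_with_filter(LITERAL))   # filter removes the tag: looks fine
    print(render_with_filter(ENCODED))   # same payload, filter never saw it
    print(render_html_body(ENCODED))     # escaped at output: inert
    print(render_html_attribute('a" b="c'))
    print(render_json_in_script({"name": "</script><b>x"}))
```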
CWE-79: WMSmonitor, Screen-Cast (17 of 25)

CWE-79: Links (18 of 25)
Wade Alcorn's works:
- BeEF: http://www.bindshell.net/tools/beef/
- Inter-Protocol Exploitation: http://www.bindshell.net/papers/ipe
- The Advanced Cross-Site Scripting Virus: http://www.bindshell.net/papers/axssv
Rsnake's works:
- XSS cheat sheet: http://ha.ckers.org/xss.html
- XSS worm contest: http://ha.ckers.org/blog/20080106/diminutive-xss-worm-contest-drama-and-status-update/
AntiSnatchOr's research:
- Advisories on SecurityFocus: http://antisnatchor.com/2009/10/14/finally-on-bugtraq/

CWE-79: Links (19 of 25)
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
- http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_4?ie=UTF8&s=books&qid=1260281547&sr=8-4
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3

Appendix: do you think HTTPS is secure? (20 of 25)
- SSL/TLS are cryptographically secure (RSA/DSA/symmetric encryption)
- But they have well-known limitations and security flaws
- They all suffer from MITM attacks and network protocol manipulation
- Some aspects such as OCSP and different implementations (OpenSSL, Mozilla NSS) are flawed

Appendix: HTTPS insecurity (21 of 25)
- Latest research of Moxie Marlinspike (http://www.thoughtcrime.org)
- sslstrip: it transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links.
- We can use it with the same setup as the old certificate injection method: ARP spoofing + traffic redirection + sniffing
- Eventually altering BGP routing tables on routers, for remote sniffing

Appendix: HTTPS insecurity (22 of 25)
- Old exploit method (still useful)
- MITM and fake certificate injection:
  - ARP spoofing
  - IP forwarding
  - Sniffing
  - webmitm
- Cons: the victim will see that the certificate is not valid (BTW, almost none of you pay attention to Firefox's alerts on certificate problems)
- Press OK ... That's FINE

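Added example, not from the slides: a small detector for the ARP-spoofing step of the MITM setup above, run over constructed `ip neigh`-style snapshots (the interface, addresses and MACs are made up).

```python
import re
from collections import defaultdict

# Added example, not from the slides. The constructed lines mimic the
# format of `ip neigh show` on Linux; nothing is read from a live network.

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> dict:
    """Return {ip: mac} from ip-neigh style lines. Entries without an
    lladdr (FAILED / INCOMPLETE) carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_anomalies(before: dict, after: dict, gateway_ip: str) -> list:
    """Flag the two symptoms an ARP-spoofing MITM leaves in the neighbour
    table: the gateway's MAC changing between snapshots, and one MAC
    answering for several IPs (the attacker posing as gateway and host)."""
    alerts = []
    old_mac, new_mac = before.get(gateway_ip), after.get(gateway_ip)
    if old_mac and new_mac and old_mac != new_mac:
        alerts.append(f"gateway {gateway_ip} MAC changed {old_mac} -> {new_mac}")
    ips_by_mac = defaultdict(set)
    for ip, mac in after.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed snapshots: a clean table, then one taken after the host at
# .23 has poisoned the victim's entry for the gateway with its own MAC.
SNAPSHOT_CLEAN = """\
192.168.1.1 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
192.168.1.23 dev eth0 lladdr 00:50:56:aa:bb:23 STALE
192.168.1.40 dev eth0 FAILED
"""
SNAPSHOT_POISONED = """\
192.168.1.1 dev eth0 lladdr 00:50:56:AA:BB:23 REACHABLE
192.168.1.23 dev eth0 lladdr 00:50:56:aa:bb:23 REACHABLE
192.168.1.40 dev eth0 FAILED
"""


def check_constructed() -> list:
    """Run the detector over the two constructed snapshots."""
    return arp_anomalies(
        parse_neigh(SNAPSHOT_CLEAN), parse_neigh(SNAPSHOT_POISONED), "192.168.1.1"
    )


if __name__ == "__main__":
    for alert in check_constructed():
        print("ALERT:", alert)
```

A gateway MAC change is also what a legitimate router replacement looks like, so treat the alert as a prompt to verify the gateway's real MAC, not as proof of an attack.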
Appendix: HTTPS insecurity, Screen-Cast: Fake certificate injection (23 of 25)

Appendix: Links (24 of 25)
Vimeo screencasts:
- http://www.vimeo.com/6149119
- http://www.thoughtcrime.org/software/sslstrip/video/sslstrip.mov
Papers:
- OCSP: http://www.thoughtcrime.org/papers/ocsp-attack.pdf
- Null-byte: http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
- Fake-cert: http://antisnatchor.com/works/sniffing-ssl-tls-connections-through-fake-certificate-injection/

Thanks for your attention! Questions? (25 of 25)
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Secure Programming And Common Errors Part II

  • 1. Secure Programming and Common Errors, PART II. Brought to you by Michele “AntiSnatchOr” Orrù and Integrating Web LTD. Computer System Security course led by Prof. Ozalp Babaoglu, 9 December 2009.

  • 2. http://www.integratingweb.com, http://antisnatchor.com
    Who am I?
    - Director and CSO of Integrating Web LTD
    - Bachelor Degree in Internet Sciences
    - Independent Security Researcher
    - Owner of the http://antisnatchor.com security advisory blog
    - JEE developer
    (2 of 25)

  • 3. Seminar outline (part II)
    - Discuss other important attack vectors, not limited to Web Applications
    - Practical screen-casts that show how attackers exploit common flaws
    - Understand the impact of these threats on your privacy, data and identity

  • 4. What we will discuss:
    - CWE-22: Path Traversal + screen-cast
    - CWE-89: Failure to Preserve SQL Query Structure (SQL injection) + screen-cast
    - CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-casts
    - Appendix: do you think HTTPS is secure? Not completely true…

  • 5. CWE-22: Path Traversal
    - Many applications read from or write to a file system, parsing user-supplied parameters that specify the file or the operation.
    - If these user-supplied parameters are not validated (and the application is not chrooted/jailed), then an attacker can manipulate them to read/write sensitive information/files on the OS.
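The validation step slide 5 calls for, as an added Python example that is not part of the original deck: a resolver for a file-name parameter (like the ONERROR parameter of the next slide) that decodes, normalises and then checks containment in the allowed base directory. The base directory, file names and function name are constructed for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Directory the application is allowed to serve from (constructed path).
ERROR_PAGES_DIR = "/srv/app/error_pages"


def resolve_error_page(base_dir: str, onerror_param: str) -> Optional[str]:
    """Map a user-supplied file name to a path inside base_dir, or return
    None when it cannot be served safely.

    Rejects percent-encoded (and double-encoded) traversal, NUL bytes,
    absolute paths, backslash separators (IIS treats them as separators)
    and any resolved path that lands outside base_dir.
    """
    # Decode twice: "%252e" -> "%2e" -> "." is the double-encoding case.
    decoded = unquote(unquote(onerror_param))
    if not decoded or "\x00" in decoded:
        return None
    # Treat Windows separators like "/" so ".." checks see every component.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None
    # realpath collapses "." and ".." and follows symlinks, so the
    # containment check below is done on the path that would be opened.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath (not startswith) avoids the "/base_other" prefix trick.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if candidate == base:  # "." or "sub/.." resolve to the directory itself
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values: one legitimate name, several hostile ones.
    for param in ("404.html", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                  "..%5c..%5cwindows%5cwin.ini", "404.html%00.png"):
        print(repr(param), "->", resolve_error_page(ERROR_PAGES_DIR, param))
```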
  • 6. CWE-22: Example: www.essedi.it (Credits: antisnatchor)
    - Path traversal vulnerability on the ONERROR parameter
    - The HTML file requested as the value of ONERROR can be manipulated to retrieve non-IIS-owned files

  • 7. CWE-22: Screen-Cast: www.essedi.it

  • 8. CWE-22: Links
    - Good books:
      http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
      http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
    - SANS/MITRE: http://cwe.mitre.org/data/definitions/22.html
    - OWASP: http://www.owasp.org/index.php/Path_Traversal
    - Good hacker: http://kuza55.blogspot.com/2008/07/cookie-path-traversal.html
    - PHP security guru: http://www.suspekt.org/2008/12/05/php-527-and-ziparchiveextractto/

  • 9. CWE-89: SQL Injection
    - If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit
    - Thanks to Bernardo for SQLmap: http://sqlmap.sourceforge.net
      - Open source, written in Python
      - Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server
      - Metasploit plugin to exploit MS09-004 (Microsoft SQL Server 2000/2005 heap-based buffer overflow)

  • 10. CWE-89: Example: www.dm.unibo.it (Credits: antisnatchor)
    - Confirmed unescaped numeric injection on the GET parameter “anno” (patched many months ago)
    - We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0
    - For demonstration we retrieved the exact name of the database to which the web app is bound: dipartimento
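Added example, not from the slides: the unescaped numeric parameter described above reproduced against a constructed in-memory SQLite table, beside the type-checked and parameterised version that closes it. The table, its rows and the function names are constructed; only the parameter name `anno` comes from the slide.

```python
import sqlite3
from typing import List


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the database behind the 'anno' page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (anno INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO events VALUES (?, ?)",
        [(2008, "Seminar A"), (2009, "Seminar B"), (2010, "Seminar C")],
    )
    return conn


def events_for_year_unsafe(conn: sqlite3.Connection, anno: str) -> List[str]:
    """Vulnerable form: the numeric GET parameter is spliced into the statement.
    Quote-escaping would not help, because a numeric literal is never quoted,
    so anything after the number becomes part of the WHERE clause."""
    sql = f"SELECT title FROM events WHERE anno = {anno} ORDER BY anno"
    return [row[0] for row in conn.execute(sql).fetchall()]


def events_for_year(conn: sqlite3.Connection, anno: str) -> List[str]:
    """Hardened form: validate the type, then bind the value as a parameter."""
    year = int(anno)  # ValueError for anything that is not an integer
    if not 1900 <= year <= 2100:
        raise ValueError("year out of range")
    sql = "SELECT title FROM events WHERE anno = ? ORDER BY anno"
    return [row[0] for row in conn.execute(sql, (year,)).fetchall()]


if __name__ == "__main__":
    db = make_demo_db()
    print(events_for_year_unsafe(db, "2009"))         # ['Seminar B']
    print(events_for_year_unsafe(db, "2009 OR 1=1"))  # every row leaks
    print(events_for_year(db, "2009"))                # ['Seminar B']
```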
  • 11. CWE-89: Screen-Cast: www.dm.unibo.it

  • 12. CWE-89: Links
    - Good books:
      http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
      http://www.amazon.com/Database-Hackers-Handbook-Defending-Servers/dp/0764578014/ref=sr_1_2?ie=UTF8&s=books&qid=1260281547&sr=8-2
      http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
    - SQLmap author: http://www.slideshare.net/inquis/sql-injection-not-only-and-11

  • 13. CWE-79: The Plague of Cross Site Scripting
    - When a page with our malicious code is accessed by other users, their browsers will execute our scripts in their contexts
    - Really difficult to create a powerful anti-XSS filter:
      - Multiple data encoding handling
      - Data truncation handling
      - New vectors (CSS, JSON, XUL)
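Added example, not part of the original deck, of the encoding-handling problem slide 13 names: an input blacklist that runs before a later decoding step is bypassed by a percent-encoded payload, while escaping for the HTML context at output time is not. Function names and the sample input are constructed.

```python
import html
import re
from urllib.parse import unquote


def naive_xss_filter(value: str) -> str:
    """Blacklist filter of the kind the slide warns about: strips <script>
    tags from the raw input and does nothing about encodings."""
    return re.sub(r"</?script[^>]*>", "", value, flags=re.IGNORECASE)


def decode_like_the_app(value: str) -> str:
    """Stand-in for a later layer (URL decoding, a second template pass)
    that decodes the value again after the filter already ran."""
    return unquote(value)


def render_unsafe(name: str) -> str:
    """Filter on input, decode later, concatenate into HTML."""
    filtered = naive_xss_filter(name)
    return "<p>Hello, " + decode_like_the_app(filtered) + "</p>"


def render_safe(name: str) -> str:
    """Decode first, then encode for the HTML text context at output time,
    so the markup is inert whatever encoding the input arrived in."""
    decoded = decode_like_the_app(name)
    return "<p>Hello, " + html.escape(decoded, quote=True) + "</p>"


def contains_active_tag(markup: str) -> bool:
    """True when a real (unescaped) script tag is present in the markup."""
    return re.search(r"<script[^>]*>", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed inputs: the plain payload and its percent-encoded twin.
    for sample in ("<script>alert(1)</script>", "%3Cscript%3Ealert(1)%3C/script%3E"):
        print(render_unsafe(sample), contains_active_tag(render_unsafe(sample)))
        print(render_safe(sample), contains_active_tag(render_safe(sample)))
```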
  • 14. CWE-79: Example 1: KonaKart (Credits: antisnatchor)
    - KonaKart is a free Java-based web application to manage e-commerce websites (www.konakart.com)
    - Stored XSS has been found and verified in the backend
    - More info here: http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/
    - Let's see how we can exploit them

  • 15. CWE-79: Screen-Cast: KonaKart

  • 16. CWE-79: Example 2: WMSmonitor (Credits: antisnatchor)
    - Internal Penetration Test at INFN (National Institute of Nuclear Physics)
    - Monitor for the Workload Management System (which distributes job execution between multiple Computing Elements on a Grid infrastructure)
    - Some serious flaws have been identified:
      - Insecure handling of X.509 client certificates
      - Reflected XSS
      - TRACE method enabled
    - Let's see how we can take full control of the victim's browser

  • 17. CWE-79: Screen-Cast: WMSmonitor

  • 18. CWE-79: Links
    - Wade Alcorn's works:
      - BeEF: http://www.bindshell.net/tools/beef/
      - Inter-Protocol Exploitation: http://www.bindshell.net/papers/ipe
      - The Advanced Cross-Site Scripting Virus: http://www.bindshell.net/papers/axssv
    - RSnake's works:
      - XSS cheat sheet: http://ha.ckers.org/xss.html
      - XSS worm contest: http://ha.ckers.org/blog/20080106/diminutive-xss-worm-contest-drama-and-status-update/
    - AntiSnatchOr's research:
      - Advisories on SecurityFocus: http://antisnatchor.com/2009/10/14/finally-on-bugtraq/

  • 19. CWE-79: Links
    - Good books:
      http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
      http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_4?ie=UTF8&s=books&qid=1260281547&sr=8-4
      http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3

  • 20. Appendix: do you think HTTPS is secure?
    - SSL/TLS are cryptographically secure (RSA/DSA/symmetric encryption)
    - But they have well-known limitations and security flaws
    - They all suffer from MITM attacks and network protocol manipulation
    - Some aspects such as OCSP and different implementations (OpenSSL, Mozilla NSS) are flawed

  • 21. Appendix: do you think HTTPS is secure?
    - Latest research of Moxie Marlinspike (http://www.thoughtcrime.org)
    - sslstrip: it transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links
    - It can be used in the same way as the old certificate injection method: ARP spoofing + traffic redirection + sniffing
    - Eventually altering BGP routing tables on routers, for remote sniffing

  • 22. Appendix: do you think HTTPS is secure?
    - Old exploit method (still useful): MITM and fake certificate injection
      - ARP spoofing
      - IP forwarding
      - Sniffing
      - webmitm
    - Cons: the victim will see that the certificate is not valid (BTW, almost none of you pay attention to Firefox's alerts about certificate problems)
    - Press OK… that's FINE

  • 23. Appendix: Screen-Cast: Fake certificate injection

  • 24. Appendix: Links
    - Vimeo screencasts:
      http://www.vimeo.com/6149119
      http://www.thoughtcrime.org/software/sslstrip/video/sslstrip.mov
    - Papers:
      - OCSP: http://www.thoughtcrime.org/papers/ocsp-attack.pdf
      - Null-byte: http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
      - Fake-cert: http://antisnatchor.com/works/sniffing-ssl-tls-connections-through-fake-certificate-injection/

  • 25. Thanks for your attention! Questions?