I try to cover CSRF,IDOR and file upload vulnerabilities along with their prevention techniques in this presrentation

1. ~ Aditya Kamat
BMS College of Engineering
WEB HACKING SERIES PART-5

2. TOPICS LEARNT TILL NOW :-
• Basics of web and a little about networks.
• HTML injection.
• SQL injection to bypass authentication.
• Buffer overflow attack.
• XSS

3. CONT…
• Bypass Authentication Via Authentication Token
Manipulation.
• Session hijacking.
• Brute forcing login pages using burp.
• HTTP parameter pollution.
• SQL injection.

4. TOPICS FOR TODAY:
• CSRF.
• IDOR.
• Unrestricted file upload.
• We will also have a small competition involving XSS
and SQLi at the end.

5. CROSS SITE REQUEST FORGERY(CSRF):
• It is a type of website exploit carried out by issuing
unauthorized commands from a trusted website user.
• Unlike XSS, which exploits the users trust for a
website, CSRF exploits website’s trust for a particular
user’s browser.

6. MORE ABOUT CSRF:
• It uses the “GET” parameter as the exploit point.
• HTML tags are used to inject commands into a specific
webpage.
• It is a target specific attack, i.e. the commands to be
injected usually change for different victims.

7. REQUIREMENTS FOR CSRF:
• Website should not check for referrer header or a plugin bug
which helps in spoofing referrer headers.
• The attacker must locate a form to update some content on the
target website.
• All the values in the form must be correct in order to execute the
attack.
• The attacker must inject malicious code into the webpage while
the victim is logged in to the website.

8. DEMO :
• Application used: DVWA
• Steps to reproduce the POC:
• Find out if the request generated is GET or POST.
• Find out all the necessary parameters to be passed.
• We will be using a sample html page with the same
form, with our values for the new password.

9. PREVENTION:
• Append random challenge tokens to each
request.
• This token has to be associated with the user
session.
• Keep a short expiry time for these tokens.
References: http://www.cgisecurity.com/csrf-faq.html
More techniques:
https://www.owasp.org/index.php/CrossSite_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

10. IDOR:
• This vulnerability occurs when a reference to an
internal implementation object such as files, database
key, URLs are exposed to external entities.
• Attackers can manipulate or use these references to
access unauthorized data.
• Open Redirects and Directory Traversal are two classic
examples of an insecure direct object reference
vulnerability.

11. WHAT IS AN OPEN REDIRECT?
• This is a feature where the web application has a
parameter that allows the website to redirect the user
somewhere else.
• If this parameter is not implemented properly using a white
list, attackers can use this in a phishing attack to lure
potential victims to a site of their choosing.
• Example: www.example.com/a?goto=example.com/user1
• The parameter passed to “goto” is said to be the redirect
URL.

12. WHAT IS DIRECTORY TRAVERSAL?
• This is a feature which allows for a file present on the server
to be rendered by a user.
• The web application should be verifying the files being
accessed by the user.
• If not, an attacker can request other files on the file system
and those will also be displayed.
• Example: www.example.com/file.jsp?file=report.txt
• An attacker can pass the file which has to be read as a
parameter to “file”.

13. DEMO:
• Application used: Mutillidae
• Steps to reproduce the POC:
• Find the point leaking file information/ URLs
• Try modifying the HTTP headers to obtain other possible
information.
• Search for database config files to obtain database login
credentials.

14. PREVENTION:
• Use only one user or session for indirect object references.
• Do not allow object references to untrusted sources.
• In the directory traversal example, determine what files the
user should access and only grant them privileges to those
files.
• If direct objects must be used, then the developers should
ensure thorough validation that the user is authorized to view
what they are attempting to access.

15. References for IDOR
• https://www.owasp.org/index.php/Top_10_2013-A4-
Insecure_Direct_Object_References
• http://www.tutorialspoint.com/security_testing/insecure_
direct_object_reference.htm
• http://bretthard.in/post/insecure-direct-object-reference

16. UNRESTRICTED FILE UPLOAD
• Many web application may ask a user to upload his/her
photo or documents of some kind.
• An attacker can take advantage of this and try
uploading a shell.
• The developer needs to carefully validate the type of
file being uploaded by the user.

17. DEMO:
• Application used: bWAPP
• Steps to reproduce POC:
• Search for a file upload page.
• Try uploading a php shell on the site.
• If the website is validating the extension, try uploading it as
phP or php3 etc.
• Also try .php.jpeg or .php.png
• Use exif tool to add the shell as a comment in the image.

18. SOME ADVANCE BYPASS TECHNIQUES:
• http://hackers2devnull.blogspot.in/2013/05/how-to-
shell-server-via-image-upload.html
• https://www.idontplaydarts.com/2012/06/encoding-web-
shells-in-png-idat-chunks/
• http://securityidiots.com/Web-Pentest/hacking-website-
by-shell-uploading.html

19. REFERENCES:
• https://www.owasp.org/index.php/Unrestricted_File_Upl
oad
• http://www.hackingarticles.in/file-upload-exploitation-
bwapp-bypass-security/

20. THANK YOU