2. TOPICS LEARNT TILL NOW:
• Basics of web and a little about networks.
• HTML injection.
• SQL injection to bypass authentication.
• Buffer overflow attack.
• XSS
4. TOPICS FOR TODAY:
• CSRF.
• IDOR.
• Unrestricted file upload.
• We will also have a small competition involving XSS and SQLi at the end.
5. CROSS SITE REQUEST FORGERY(CSRF):
• It is a type of website exploit carried out by issuing unauthorized commands from a user whom the website trusts.
• Unlike XSS, which exploits the user's trust in a website, CSRF exploits the website's trust in a particular user's browser.
6. MORE ABOUT CSRF:
• It typically uses "GET" request parameters as the exploit point.
• HTML tags are used to inject commands into a specific webpage.
• It is a target-specific attack, i.e. the commands to be injected usually change for different victims.
7. REQUIREMENTS FOR CSRF:
• The website must not check the Referer header, or there must be a plugin bug that allows the Referer header to be spoofed.
• The attacker must locate a form that updates some content on the target website.
• All the values in the form must be correct in order for the attack to execute.
• The attacker must inject the malicious code into the webpage while the victim is logged in to the website.
8. DEMO :
• Application used: DVWA
• Steps to reproduce the PoC:
• Find out whether the request generated is GET or POST.
• Find out all the necessary parameters to be passed.
• We will be using a sample HTML page with the same form, with our values for the new password.
9. PREVENTION:
• Append random challenge tokens to each request.
• This token has to be associated with the user session.
• Keep a short expiry time for these tokens.
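A server-side implementation of the three prevention points above, as an added example (it is not code from the slides or from DVWA): each token carries a random challenge and its issue time, and an HMAC binds it to the session id so a token minted for one session fails in another and expires after a short TTL. SERVER_SECRET, TOKEN_TTL_SECONDS and the change-password form field names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: in a real deployment this secret is loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 600  # short expiry, as the slide recommends


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint a token of the form <issued_at>.<nonce>.<mac> bound to this session."""
    issued_at = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(8)  # random challenge, different for every request
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """True only if the token is well-formed, unexpired and MACed for this session."""
    try:
        issued_at, nonce, mac = token.split(".")
        issued = int(issued_at)
    except ValueError:
        return False  # malformed token (wrong field count or non-numeric time)
    current = now if now is not None else time.time()
    if current - issued > TOKEN_TTL_SECONDS or issued > current + 5:
        return False  # expired, or issued in the future (tampered timestamp)
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(expected, mac)


def handle_password_change(form: dict, session_id: str, now: Optional[float] = None) -> str:
    """Handler for a change-password form like the one in the DVWA demo (field names assumed)."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, now):
        return "rejected: missing or invalid CSRF token"
    if form.get("password_new") != form.get("password_conf"):
        return "rejected: passwords do not match"
    return "password changed"
```

A forged request built from a copy of the form lacks a valid token for the victim's session, so the handler rejects it before touching the password.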
References: http://www.cgisecurity.com/csrf-faq.html
More techniques:
https://www.owasp.org/index.php/CrossSite_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
10. IDOR:
• This vulnerability occurs when a reference to an internal implementation object, such as a file, database key or URL, is exposed to external entities.
• Attackers can manipulate or use these references to access unauthorized data.
• Open Redirects and Directory Traversal are two classic examples of an insecure direct object reference vulnerability.
11. WHAT IS AN OPEN REDIRECT?
• This is a feature where the web application has a parameter that allows the website to redirect the user somewhere else.
• If this parameter is not implemented properly using a whitelist, attackers can use it in a phishing attack to lure potential victims to a site of their choosing.
• Example: www.example.com/a?goto=example.com/user1
• The parameter passed to "goto" is the redirect URL.
12. WHAT IS DIRECTORY TRAVERSAL?
• This is a feature which allows a file present on the server to be rendered for a user.
• The web application should verify the files being accessed by the user.
• If it does not, an attacker can request other files on the file system and those will also be displayed.
• Example: www.example.com/file.jsp?file=report.txt
• An attacker can pass the file which is to be read as the value of the "file" parameter.
13. DEMO:
• Application used: Mutillidae
• Steps to reproduce the PoC:
• Find the point leaking file information or URLs.
• Try modifying the HTTP headers to obtain other possible information.
• Search for database config files to obtain database login credentials.
14. PREVENTION:
• Use per-user or per-session indirect object references.
• Do not expose direct object references to untrusted sources.
• In the directory traversal example, determine which files the user should access and grant them privileges to only those files.
• If direct object references must be used, then the developers should thoroughly validate that the user is authorized to view what they are attempting to access.
16. UNRESTRICTED FILE UPLOAD
• Many web applications may ask a user to upload his/her photo or documents of some kind.
• An attacker can take advantage of this and try uploading a shell.
• The developer needs to carefully validate the type of file being uploaded by the user.
17. DEMO:
• Application used: bWAPP
• Steps to reproduce the PoC:
• Search for a file upload page.
• Try uploading a PHP shell to the site.
• If the website is validating the extension, try uploading it as phP or php3, etc.
• Also try .php.jpeg or .php.png.
• Use exiftool to add the shell as a comment in the image.