How "·$% developers defeat the web vulnerability scanners
Share Favorite Favorited X Download More... Favorited! Want to add tags? Have an opinion? Make a quick comment as well. Cancel Edit your favorites Cancel Send to your Group / Event Select Group / Event Add your message Cancel Post toBlogger WordPress Twitter Facebook Deliciousmore share options .Embed For WordPress.com Without related presentations 0 commentsPost a comment Post a comment .. Embed Video Subscribe to follow-up comments Unsubscribe from followup comments . Edit your comment Cancel .Notes on slide 1 no notes for slide #1 no notes for slide #1 ..Favorites, Groups & Events more How "·$% developers defeat the web vulnerability scanners - Presentation Transcript 1.How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica 2.Agenda 1.- Introduction 2.- Inverted Queries 3.- Arithmetic Blind SQL Injection 4.- Time-Based Blind SQL Injection using Heavey Queries 5.- Conclusions 3.1.-Introduction 4.SQL Injection is still here among us 5.Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs 6.Need to Improve Automatic Scanning Not always a manual scanning is possible Time Confidentiality Money, money, money… Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools. 7.2.-Inverted Queries 8. 9.Homers, how are they? Lazy Bad trainined Poor Experience in security stuff Don´t like working Don´t like computing Don´t like coding Don´t like you! 10.Flanders are Left-handed 11.Right SELECT UID FROM USERS WHERE NAME=‘V_NAME’ AND PASSWORD=‘V_PASSW’; 12.Wrong? SELECT UID FROM USERS WHERE ‘V_NAME’=NAME AND ‘ V_PASSW’=PASSWORD 13.Login Inverted Query Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or '1'='1 Select uid From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password FAIL 14.Login Inverted SQL Injection an example Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica Select uid From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password Success 15.Blind Attacks Attacker injects code but can´t access directly to the data. However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. Blind SQL Injection Biind Xpath Injection Blind LDAP Injection 16.Blind SQL Injection Attacks Attacker injects: “ True where clauses” “ False where clauses“ Ex: Program.php?id=1 and 1=1 Program.php?id=1 and 1=2 Program doesn’t return any visible data from database or data in error messages. The attacker can´t see any data extracted from the database. 17.Blind SQL Injection Attacks Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: Different hashes Different html structure Different patterns (keywords) Different linear ASCII sums “ Different behavior” By example: Response Time 18.Blind SQL Injection Attacks If any difference exists, then: Attacker can extract all information from database How? Using “booleanization” MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) “ True-Answer Page” or “False-Answer Page”? MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) Oracle: Program.php?id=1 and 100>(Select ASCII(Sub
![Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to How "·$% developers defeat the web vulnerability scanners
Similar to How "·$% developers defeat the web vulnerability scanners (20)
More from Chema Alonso
More from Chema Alonso (20)
Recently uploaded
Recently uploaded (20)
How "·$% developers defeat the web vulnerability scanners
- 1. How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica
- 4. SQL Injection is still here among us
- 5. Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs
- 22. Acunetix & Homer
- 24. AppScan & Homer
- 26. Paros & Homer
- 27. Paros & Flanders
- 28. W3af & Homer
- 29. W3af & Flanders
- 30. Wapiti & Homer
- 33. Results Normal Inverted MySQL MS SQL Server MySQL MS SQL Server Numeric String Numeric String Numeric String Numeric String Paros AppScan Acunetix w3af wapiti Proxy Strike
- 36. 3.- Arithmetic
- 43. 4.-Time-based Blind SQL Injection using heavy queries
- 48. The heavy condition first Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 100 sec
- 49. The light condition first Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 10 sec
- 62. 5.- Conclusions
- 63. The real world has plenty kinds of developers…
- 65. Don´t complain about your job!!
- 66. Thanks! Chema Alonso ( [email_address] ) José Parada ( [email_address] )