Secure Programming and Common Errors
PART II

brought to you by Michele "AntiSnatchOr" Orrù
and Integrating Web LTD
Computer System Security course led by Prof. Ozalp Babaoglu
9 December 2009

http://www.integratingweb.com
http://antisnatchor.com





Who am I?
- Director and CSO of Integrating Web LTD
- Bachelor Degree in Internet Sciences
- Independent Security Researcher
- Owner of http://antisnatchor.com security advisory blog
- JEE developer





Seminar outline (part II)
- Discuss other important attack vectors, not limited to Web Applications
- Practical screen-casts that show how attackers exploit common flaws
- Understand the impact of these threats on your privacy, data and identity





What we will discuss:
- CWE-22: Path Traversal + screen-cast
- CWE-89: Failure to Preserve SQL Query Structure (SQL injection) + screen-cast
- CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-casts
- Appendix: do you think HTTPS is secure? Not completely true…





CWE-22: Path Traversal
- Many applications read from or write to a file system, parsing user-supplied parameters that specify the file or the operation.
- If these user-supplied parameters are not validated (and the application is not chrooted/jailed), then an attacker can manipulate them to read/write sensitive information/files on the OS.
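The flaw and the fix from this slide as an added Python example (not code from the slides or from any of the sites discussed): a handler that opens the error page named by an ONERROR-style parameter, first joining it onto the path unchecked, then resolving the path and requiring it to stay under the document root. The directory layout, file names and handler names are constructed for the demo.

```python
# Added example (not from the slides): the CWE-22 pattern in a file handler,
# vulnerable form beside the hardened form. Directory names are constructed.
import os
import tempfile

# Constructed document root: one legitimate error page inside it and one
# "sensitive" file two levels up, so the demo runs offline.
ROOT = tempfile.mkdtemp()
DOCS = os.path.join(ROOT, "htdocs", "errors")
os.makedirs(DOCS)
with open(os.path.join(DOCS, "404.html"), "w") as fh:
    fh.write("<h1>Not found</h1>")
with open(os.path.join(ROOT, "secret.cfg"), "w") as fh:
    fh.write("db_password=constructed-secret")


def serve_vulnerable(onerror):
    """Vulnerable: the parameter is joined onto the path without any check,
    so '../' segments walk out of DOCS (CWE-22)."""
    with open(os.path.join(DOCS, onerror)) as fh:
        return fh.read()


def serve_hardened(onerror):
    """Hardened: resolve the final path (symlinks included) and require it to
    stay under DOCS; additionally accept only a plain .html file name.
    Any URL decoding must already have happened before this check runs,
    otherwise an encoded '../' is compared in its harmless-looking form."""
    base = os.path.realpath(DOCS)
    target = os.path.realpath(os.path.join(base, onerror))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows: certainly outside
        inside = False
    plain_name = os.path.basename(onerror) == onerror and onerror.endswith(".html")
    if not (inside and plain_name):
        raise PermissionError("refused: %r is outside the document root" % onerror)
    with open(target) as fh:
        return fh.read()


def refused(handler, onerror):
    """True when the handler rejects the request instead of serving a file."""
    try:
        handler(onerror)
    except PermissionError:
        return True
    return False
```

The realpath check is the one that matters; the file-name allowlist is defence in depth for the case where the root itself is misconfigured.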




CWE-22: Example: www.essedi.it
Credits: antisnatchor
- Path traversal vulnerability on the ONERROR parameter
- The HTML file requested as the value of ONERROR can be manipulated to retrieve non-IIS-owned files





Screen-Cast: www.essedi.it





CWE-22: Links
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
SANS/MITRE: http://cwe.mitre.org/data/definitions/22.html
OWASP: http://www.owasp.org/index.php/Path_Traversal
Good hacker: http://kuza55.blogspot.com/2008/07/cookie-path-traversal.html
PHP security guru: http://www.suspekt.org/2008/12/05/php-527-and-ziparchiveextractto/




CWE-89: SQL Injection
- If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit
- Thanks to Bernardo for SQLmap
  - http://sqlmap.sourceforge.net
  - Open source, written in Python
  - Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server
  - Metasploit plugin to exploit MS09-004 (Microsoft SQL Server 2000/2005 heap-based buffer overflow)




CWE-89: Example: www.dm.unibo.it
Credits: antisnatchor
- Confirmed unescaped numeric injection on the GET parameter "anno" (patched many months ago)
- We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0
- For demonstration we retrieved the exact name of the database to which the web app is bound: dipartimento
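The unescaped numeric injection described on the two CWE-89 slides, as an added example that is not the dm.unibo.it code: an in-memory SQLite table queried by a GET parameter named anno, first with string formatting (no quote is needed to change the query structure when the column is numeric) and then with a bound parameter after integer validation. The table, its rows and the function names are constructed.

```python
# Added example (not from the slides): numeric SQL injection on a parameter
# named "anno" against a constructed SQLite table, beside the parameterized fix.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE seminari (anno INTEGER, titolo TEXT)")
conn.executemany(
    "INSERT INTO seminari VALUES (?, ?)",
    [(2008, "Algebra"), (2009, "Geometria"), (2009, "Analisi")],
)
conn.commit()


def seminari_vulnerable(anno):
    """Vulnerable: the GET parameter is pasted into the statement. Because the
    column is numeric the literal is unquoted, so escaping quotes would not
    help: any text after the number is parsed as SQL."""
    sql = "SELECT titolo FROM seminari WHERE anno = %s" % anno
    return [row[0] for row in conn.execute(sql)]


def seminari_safe(anno):
    """Fixed: validate the type first, then bind the value as a parameter so
    the query structure is fixed before any user data reaches the database."""
    try:
        anno_int = int(anno)
    except (TypeError, ValueError):
        raise ValueError("anno must be an integer")
    sql = "SELECT titolo FROM seminari WHERE anno = ?"
    return [row[0] for row in conn.execute(sql, (anno_int,))]


def rejected(anno):
    """True when the safe handler refuses the input outright."""
    try:
        seminari_safe(anno)
    except ValueError:
        return True
    return False
```

Binding alone is enough to keep the structure intact; the explicit int() check on top of it turns a malformed parameter into an application error instead of a silently empty result.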





Screen-Cast: www.dm.unibo.it





CWE-89: Links
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
- http://www.amazon.com/Database-Hackers-Handbook-Defending-Servers/dp/0764578014/ref=sr_1_2?ie=UTF8&s=books&qid=1260281547&sr=8-2
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
SQLmap author: http://www.slideshare.net/inquis/sql-injection-not-only-and-11


CWE-79: The Plague of Cross Site Scripting
- When a page with our malicious code is accessed by other users, their browsers will execute our scripts in their context
- Really difficult to create a powerful anti-XSS filter:
  - Multiple data encoding handling
  - Data truncation handling
  - New vectors (CSS, JSON, XUL)




CWE-79: Example 1: KonaKart
Credits: antisnatchor
- KonaKart is a free Java-based web application to manage e-commerce websites (www.konakart.com)
- Stored XSS has been found and verified in the backend
- More info here: http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/
- Let's see how we can exploit them





Screen-Cast: KonaKart




CWE-79: Example 2: WMSmonitor
Credits: antisnatchor
- Internal Penetration Test at INFN (National Institute of Nuclear Physics)
- Monitor for the Workload Management System (which distributes job execution between multiple Computing Elements on a Grid infrastructure)
- Some serious flaws have been identified:
  - Insecure handling of X.509 client certificates
  - Reflected XSS
  - TRACE method enabled
- Let's see how we can take full control of the victim's browser





Screen-Cast: WMSmonitor




CWE-79: Links
Wade Alcorn's works:
- BeEF: http://www.bindshell.net/tools/beef/
- Inter-Protocol Exploitation: http://www.bindshell.net/papers/ipe
- The Advanced Cross-Site Scripting Virus: http://www.bindshell.net/papers/axssv
RSnake's works:
- XSS cheat sheet: http://ha.ckers.org/xss.html
- XSS worm contest: http://ha.ckers.org/blog/20080106/diminutive-xss-worm-contest-drama-and-status-update/
AntiSnatchOr's research:
- Advisories on SecurityFocus: http://antisnatchor.com/2009/10/14/finally-on-bugtraq/





CWE-79: Links
Good books:
- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
- http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_4?ie=UTF8&s=books&qid=1260281547&sr=8-4
- http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3




Appendix: do you think HTTPS is secure?
- SSL/TLS are cryptographically secure (RSA/DSA/symmetric encryption)
- But they have well-known limitations and security flaws
- They all suffer from MITM attacks and network protocol manipulation
- Some aspects such as OCSP and different implementations (OpenSSL, Mozilla NSS) are flawed




Appendix: do you think HTTPS is secure?
- Latest research of Moxie Marlinspike (http://www.thoughtcrime.org)
- sslstrip: it transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links
- We can use it as with the old certificate injection method: ARP spoofing + traffic redirection + sniffing
- Eventually altering BGP routing tables on routers, for remote sniffing




Appendix: do you think HTTPS is secure?
- Old exploit method (still useful)
- MITM and fake certificate injection:
  - ARP spoofing
  - IP forwarding
  - Sniffing
  - webmitm
- Cons: the victim will see that the certificate is not valid (BTW, almost all of you don't pay attention to Firefox's alerts on certificate problems)
- Press OK… That's FINE





Screen-Cast: Fake certificate injection





Appendix: Links
Vimeo screencasts:
- http://www.vimeo.com/6149119
- http://www.thoughtcrime.org/software/sslstrip/video/sslstrip.mov
Papers:
- OCSP: http://www.thoughtcrime.org/papers/ocsp-attack.pdf
- Null-byte: http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
- Fake-cert: http://antisnatchor.com/works/sniffing-ssl-tls-connections-through-fake-certificate-injection/





Thanks for your attention!
Questions?

TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Secure Programming And Common Errors Part II

  • 1. Secure Programming and Common Errors, PART II. Brought to you by Michele "AntiSnatchOr" Orrù and Integrating Web LTD. Computer System Security course led by Prof. Ozalp Babaoglu. 9 December 2009. 1 of 25

  • 2. http://www.integratingweb.com http://antisnatchor.com
    Who am I?
    - Director and CSO of Integrating Web LTD
    - Bachelor Degree in Internet Sciences
    - Independent Security Researcher
    - Owner of http://antisnatchor.com security advisory blog
    - JEE developer
    2 of 25

  • 3. Seminar outline (part II)
    - Discuss other important attack vectors, not limited to Web Applications
    - Practical screen-casts that show how attackers exploit common flaws
    - Understand the impact of these threats on your privacy, data and identity
    3 of 25

  • 4. What we will discuss:
    - CWE-22: Path Traversal + screen-cast
    - CWE-89: Failure to Preserve SQL Query Structure (SQL injection) + screen-cast
    - CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-casts
    - Appendix: do you think HTTPS is secure? Not completely true…
    4 of 25
  • 5. CWE-22: Path Traversal
    - Many applications read from or write to a file system, parsing user-supplied parameters that specify the file or the operation
    - If these user-supplied parameters are not validated (and the application is not chrooted/jailed), then an attacker can manipulate them to read/write sensitive information/files on the OS.
    5 of 25

  • 6. CWE-22: Example: www.essedi.it (Credits: antisnatchor)
    - Path traversal vulnerability on the ONERROR parameter
    - The HTML file requested as the value of ONERROR can be manipulated to retrieve files not owned by IIS
    6 of 25

  • 7. CWE-22: Screen-Cast: www.essedi.it
    7 of 25
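The validation step the CWE-22 slides say is missing, as an added example that is not the site's or the deck's own code: a hypothetical `safe_path` helper resolves a user-supplied file name (such as the ONERROR value) against a fixed document root and refuses anything that would escape it. The root path and the sample inputs are assumptions constructed for the demo.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the document root."""


def safe_path(root, user_value):
    """Return the absolute path of `user_value` inside `root`, or raise.

    `root` is assumed to be an absolute directory the application owns.
    The value is URL-decoded once first, because the check must see the
    same characters the file system will see ("%2e%2e%2f" is "../").
    """
    decoded = unquote(user_value)
    # A NUL byte truncates the name in C-based runtimes: reject outright.
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in file name")
    # An absolute path or drive letter would make os.path.join drop `root`.
    if os.path.isabs(decoded) or os.path.splitdrive(decoded)[0]:
        raise PathTraversalError("absolute path not allowed")
    root_abs = os.path.normpath(os.path.abspath(root))
    candidate = os.path.normpath(os.path.join(root_abs, decoded))
    # normpath has collapsed every "..": the result must still sit strictly
    # below root_abs (the trailing separator stops "/var/www/errors2" from
    # passing as a child of "/var/www/errors").
    if not candidate.startswith(root_abs + os.sep):
        raise PathTraversalError("path escapes document root")
    # Symlinks are not resolved here; with an existing root, compare
    # os.path.realpath() of both sides as well.
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate error pages.
    for value in ("404.html", "it/500.html", "../../../etc/passwd",
                  "%2e%2e/%2e%2e/boot.ini", "/etc/passwd", "404.html%00.gif"):
        try:
            print(value, "->", safe_path("/var/www/errors", value))
        except PathTraversalError as exc:
            print(value, "-> rejected:", exc)
```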
  • 8. CWE-22: Links
    - Good books:
      http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
      http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
    - SANS/MITRE: http://cwe.mitre.org/data/definitions/22.html
    - OWASP: http://www.owasp.org/index.php/Path_Traversal
    - Good hacker: http://kuza55.blogspot.com/2008/07/cookie-path-traversal.html
    - PHP security guru: http://www.suspekt.org/2008/12/05/php-527-and-ziparchiveextractto/
    8 of 25
  • 9. CWE-89: SQL Injection
    - If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit
    - Thanks to Bernardo for SQLmap: http://sqlmap.sourceforge.net
      - Open source, written in Python
      - Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server
      - Metasploit plugin to exploit MS09-004 (Microsoft SQL Server 2000/2005 heap-based buffer overflow)
    9 of 25

  • 10. CWE-89: Example: www.dm.unibo.it (Credits: antisnatchor)
    - Confirmed unescaped numeric injection on GET parameter "anno" (patched many months ago)
    - We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0
    - For demonstration we retrieved the exact name of the database to which the web app is bound: dipartimento
    10 of 25

  • 11. CWE-89: Screen-Cast: www.dm.unibo.it
    11 of 25
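The "unescaped numeric injection" of the dm.unibo.it slide, rebuilt as an added example with no relation to that site's real code: a constructed in-memory SQLite table stands in for the year ("anno") lookup, the vulnerable builder concatenates the parameter into the SQL text, and the hardened builder validates the type and binds the value. Table, column and row contents are assumptions for the demo.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data: three seminars keyed by year."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seminari (id INTEGER PRIMARY KEY, anno INTEGER, titolo TEXT)")
    conn.executemany(
        "INSERT INTO seminari (anno, titolo) VALUES (?, ?)",
        [(2007, "Algebra"), (2008, "Analisi"), (2009, "Sicurezza")],
    )
    return conn


def titles_vulnerable(conn, anno):
    """String concatenation: the parameter becomes part of the SQL text.

    A numeric literal needs no surrounding quotes, so the usual
    quote-escaping habit offers no protection here (CWE-89): the request
    parameter can append its own conditions to the WHERE clause.
    """
    sql = "SELECT titolo FROM seminari WHERE anno = " + anno + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, anno):
    """Validate the type, then bind: the value can never alter the query."""
    try:
        year = int(anno)            # "2009 OR 1=1" is rejected right here
    except ValueError:
        raise ValueError("anno must be an integer") from None
    rows = conn.execute(
        "SELECT titolo FROM seminari WHERE anno = ? ORDER BY id", (year,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    print(titles_vulnerable(db, "2009"))          # ['Sicurezza']
    print(titles_vulnerable(db, "2009 OR 1=1"))   # every row leaks
    print(titles_safe(db, "2009"))                # ['Sicurezza']
    try:
        titles_safe(db, "2009 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```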
  • 12. CWE-89: Links
    - Good books:
      http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
      http://www.amazon.com/Database-Hackers-Handbook-Defending-Servers/dp/0764578014/ref=sr_1_2?ie=UTF8&s=books&qid=1260281547&sr=8-2
      http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
    - SQLmap author: http://www.slideshare.net/inquis/sql-injection-not-only-and-11
    12 of 25
  • 13. CWE-79: The Plague of Cross Site Scripting
    - When a page with our malicious code is accessed by other users, their browsers will execute our scripts in their contexts
    - Really difficult to create a powerful anti-XSS filter:
      - Multiple data encoding handling
      - Data truncation handling
      - New vectors (CSS, JSON, XUL)
    13 of 25

  • 14. CWE-79: Example 1: KonaKart (Credits: antisnatchor)
    - KonaKart is a free Java-based web application to manage e-commerce websites (www.konakart.com)
    - Stored XSS has been found and verified in the backend
    - More info here: http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/
    - Let's see how we can exploit them
    14 of 25

  • 15. CWE-79: Screen-Cast: KonaKart
    15 of 25

  • 16. CWE-79: Example 2: WMSmonitor (Credits: antisnatchor)
    - Internal Penetration Test at INFN (National Institute of Nuclear Physics)
    - Workload Management System monitor (the WMS distributes job execution between multiple Computing Elements on a Grid infrastructure)
    - Some serious flaws have been identified:
      - Insecure handling of X.509 client certificates
      - Reflected XSS
      - TRACE method enabled
    - Let's see how we can take full control of the victim's browser
    16 of 25

  • 17. CWE-79: Screen-Cast: WMSmonitor
    17 of 25
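Why slide 13 says a blacklist filter is so hard to get right, and what the KonaKart-style stored XSS needs instead, as an added example that is not KonaKart's or WMSmonitor's code: a hypothetical backend page renders stored product names, once through a one-tag blacklist that misses a case variant, and once through context-aware output encoding for both the text node and the quoted attribute. The product store and sample names are constructed for the demo.

```python
from html import escape

STORE = []   # constructed in-memory stand-in for the product table


def save_product(name):
    """Stored verbatim: CWE-79 is fixed at output time, not by input mangling."""
    STORE.append(name)


def naive_filter(value):
    """Blacklist that strips one literal tag: blind to case, encoding and
    every other tag or attribute, which is the filter problem slide 13 names."""
    return value.replace("<script>", "").replace("</script>", "")


def render_vulnerable():
    """Concatenates the stored data into markup; the browser runs whatever
    survived the blacklist, and a double quote in the name breaks out of
    the title attribute into a new attribute."""
    rows = "".join('<li title="%s">%s</li>' % (naive_filter(n), naive_filter(n))
                   for n in STORE)
    return "<ul>%s</ul>" % rows


def render_safe():
    """Context-aware output encoding: < > & are escaped for the text node and
    quotes as well for the double-quoted attribute, so stored data can only
    ever be displayed, never parsed as markup."""
    rows = "".join('<li title="%s">%s</li>' % (escape(n, quote=True), escape(n))
                   for n in STORE)
    return "<ul>%s</ul>" % rows


if __name__ == "__main__":
    save_product('Laptop 15"')                 # legitimate name with a quote
    save_product("<SCRIPT>demo()</SCRIPT>")    # constructed stored-XSS sample
    print(render_vulnerable())   # blacklist missed the upper-case tag
    print(render_safe())         # both names rendered inert
```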
  • 18. CWE-79: Links
    - Wade Alcorn's works:
      - BeEF: http://www.bindshell.net/tools/beef/
      - Inter-Protocol Exploitation: http://www.bindshell.net/papers/ipe
      - The Advanced Cross-Site Scripting Virus: http://www.bindshell.net/papers/axssv
    - RSnake's works:
      - XSS cheat sheet: http://ha.ckers.org/xss.html
      - XSS worm contest: http://ha.ckers.org/blog/20080106/diminutive-xss-worm-contest-drama-and-status-update/
    - AntiSnatchOr's research:
      - Advisories on SecurityFocus: http://antisnatchor.com/2009/10/14/finally-on-bugtraq/
    18 of 25

  • 19. CWE-79: Links
    - Good books:
      http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
      http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_4?ie=UTF8&s=books&qid=1260281547&sr=8-4
      http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
    19 of 25
  • 20. Appendix: do you think HTTPS is secure? (HTTPS insecurity)
    - SSL/TLS are cryptographically secure (RSA/DSA/symmetric encryption)
    - But they have well-known limitations and security flaws
    - They all suffer from MITM attacks and network protocol manipulation
    - Some aspects such as OCSP and different implementations (OpenSSL, Mozilla NSS) are flawed
    20 of 25

  • 21. Appendix: do you think HTTPS is secure? (HTTPS insecurity)
    - Latest research of Moxie Marlinspike (http://www.thoughtcrime.org)
    - sslstrip: it transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links.
    - We can use it as with the old certificate injection method: ARP spoofing + traffic redirection + sniffing
    - Eventually altering BGP routing tables on routers, for remote sniffing
    21 of 25

  • 22. Appendix: do you think HTTPS is secure? (HTTPS insecurity)
    - Old exploit method (still useful): MITM and fake certificate injection
      - ARP spoofing
      - IP forwarding
      - Sniffing
      - webmitm
    - Cons: the victim will see that the certificate is not valid (BTW, almost all of you don't pay attention to Firefox's alerts on certificate problems)
    - Press OK… That's FINE
    22 of 25

  • 23. Appendix: HTTPS insecurity: Screen-Cast: Fake certificate injection
    23 of 25
  • 24. Appendix: Links
    - Vimeo screencasts:
      http://www.vimeo.com/6149119
      http://www.thoughtcrime.org/software/sslstrip/video/sslstrip.mov
    - Papers:
      - OCSP: http://www.thoughtcrime.org/papers/ocsp-attack.pdf
      - Null-byte: http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
      - Fake-cert: http://antisnatchor.com/works/sniffing-ssl-tls-connections-through-fake-certificate-injection/
    24 of 25

  • 25. Thanks for your attention! Questions?
    25 of 25