1 / 33

Into the Mind of the Hacker: Hands-On Web Application Hacking

Into the Mind of the Hacker: Hands-On Web Application Hacking. Adam Doupé University of California, Santa Barbara 4 / 23 / 12. Overview. Think like a hacker SQL injection Cross-site scripting (XSS). Me. 7 years as UCSB student 2 nd year PhD student

denali
Download Presentation

Into the Mind of the Hacker: Hands-On Web Application Hacking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12

  2. Overview Think like a hacker SQL injection Cross-site scripting (XSS) Doupé - 4/23/12

  3. Me • 7 years as UCSB student • 2nd year PhD student • ~ 1 year at Microsoft as Software Dev • Research securing web applications • Professional pentester Doupé - 4/23/12

  4. Web Hacks • LulzSec – 2011 • Hacked into Arizona law enforcement • UCLA – 2006 • 800,000 identities stolen • University of Texas, Austin – 2006 • 197,000 student records stolen Doupé - 4/23/12

  5. UCSB Hacks • 2005 • http://www.dailynexus.com/2005-03-30/altered-grades-lead-to-students-arrest/ • 2000 • http://news.bbc.co.uk/2/hi/business/640087.stm Doupé - 4/23/12

  6. Definitions Security Vulnerability Exploit Hacker Doupé - 4/23/12

  7. Ethics • Only hack into sites you own • Or you have permission • You will get caught Doupé - 4/23/12

  8. Hacker Mindset • Motivation • Fame • Money • Lulz • Understand the application • Build mental model • Only need to find one flaw Doupé - 4/23/12

  9. Injection Vectors • User input to the application • Web application • Query parameters • POST parameters • Cookies • Referer header • Files Doupé - 4/23/12

  10. Burp Proxy • Intercepts traffic between you and website • Can manipulate the request directly • Industry quality • I use the full version professionally • Demo Doupé - 4/23/12

  11. WackoPicko • Background • Added functionality • Reset • Self-guided exploration Doupé - 4/23/12

  12. SQL Injection • Allows attacker to alter semantics of SQL query • Consequences • Steal database • Alter database • Bypass login Doupé - 4/23/12

  13. SQL Injection – Example “select * from`users` where`id` =‘” + $id + “’;” $id = “10” select * from`users` where`id` = ‘10’; Doupé - 4/23/12

  14. SQL Injection – Example “select * from`users` where`id` =‘” + $id + “’;” $id = “-1 or 1=1” select * from`users` where`id` = ‘-1 or 1=1’; Doupé - 4/23/12

  15. SQL Injection – Example “select * from`users` where`id` =‘” + $id + “’;” $id = “-1’ or 1=1” select * from`users` where`id` = ‘-1’ or1=1’; Doupé - 4/23/12

  16. SQL Injection – Example “select * from`users` where`id` =‘” + $id + “’;” $id = “-1’ or 1=1; #” select * from`users` where`id` = ‘-1’ or1=1; #’; Doupé - 4/23/12

  17. SQL Injection – Example “select * from`users` where`id` =‘” + $id + “’;” $id = “-1’; drop table `users`;#” select * from`users` where`id` = ‘-1’; drop table `users`;#’; Doupé - 4/23/12

  18. SQL Injection – Examples “select * from`users` where`id` =‘” + $id + “’;” $id = “-1’; insert into `admin` (‘username’, ‘password’) values (‘adamd’, ‘pwned’);#” select * from`users` where`id` = ‘-1’; insert into `admin` (‘username’, ‘password’) values (‘adamd’, ‘pwned’);#’; Doupé - 4/23/12

  19. SQL Injection – Detection • Passive – Look for success • 1+2 • (select 2) • Active – Look for errors • O’Malley • < 10 Doupé - 4/23/12

  20. SQL Injection – WackoPicko • Where is it possible? • Imagine how the application works • Guided exploration Doupé - 4/23/12

  21. SQL Injection – WackoPicko • login.php • What is the error message? • What does the query look like? • Guided attacking • Demo! Doupé - 4/23/12

  22. SQL Injection – Prevention • Prepared statements • Specify structure of query then provide arguments • Prepared statements – example $stmt= $db->prepare(“select * from `users` where `username` = :name and `password` = SHA1( CONCAT(:pass, `salt`)) limit 1;”); $stmt->bindParam(':name', $name); $stmt->bindParam(':pass', $pass); • Sanitize inputs Doupé - 4/23/12

  23. XSS • Malicious JavaScript running in the context of your web application • Consequences • Steal cookies • Perform actions as the user • Present fake login form Doupé - 4/23/12

  24. XSS – Examples <html> <body> <p>Hello <?= $name ?></p> </body> </html> Doupé - 4/23/12

  25. XSS – Examples $name = “adam”; <html> <body> <p>Hello adam</p> </body> </html> Doupé - 4/23/12

  26. XSS – Examples $name = “<script>alert(‘xss’); </script>”; <html> <body> <p>Hello <script>alert(‘xss’); </script></p> </body> </html> Doupé - 4/23/12

  27. XSS – Detection • Understand how input is used in HTML source • Input “forbidden” characters • < > • ‘ “ ; / • Understand what sanitized is performed Doupé - 4/23/12

  28. XSS – WackoPicko Where might there be a XSS? Guided exploration Doupé - 4/23/12

  29. XSS – WackoPicko • search.php • Self-guided attacking • Can you get alert box to appear? • Demo –Fake login form Doupé - 4/23/12

  30. XSS – Prevention • Sanitize all user inputs using known sanitization routine • Depends on context • < and > necessary in HTML • Only need ‘ in JavaScript Doupé - 4/23/12

  31. Review • Hacker mindset • Understand the application • Build a mental model • Break the mental model • Generalize to your applications Doupé - 4/23/12

  32. Tools Wireshark Burp Proxy SQLMap WackoPicko OWASP Broken Web Apps Project Google Gruyere Doupé - 4/23/12

  33. Questions? Go forth and hack! (ethically, of course) adoupe@cs.ucsb.edu Doupé - 4/23/12

More Related