
Hacking websites for fun & profit





Presentation Transcript


  1. Hacking websites for fun & profit Barry Dorrans Charteris plc http://idunno.org

  2. Form Parameter Manipulation • “Important” data is for server side • Hash or Checksum • Duplicate validation

  3. Cookie Manipulation • Hash or Checksum • Validate

  4. HTTP Headers • Easily Faked • Validate

  5. Cross Site Scripting / XSS • Beware < & > • Never display raw input • Do not turn off validation site wide

  6. Cross Site Scripting / XSS • There’s more to script than <script> • HTML tags have events • Session hijacks, cookie stealing, browser hijinks

  7. Character Encoding • \ = %5C = %255C = %%35%63 • Server.*Encode • http://ha.ckers.org/xss.html
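Slides 5 to 7 make two separate points: input checks must run on the canonical form of a value (otherwise %255C and %%35%63 slip past a filter that only looks for a backslash), and output must always be encoded for the context it lands in. The following Python is an added example written for this page, not code from the talk; it uses `html.escape` as the stand-in for ASP.NET's `Server.HtmlEncode`, and the decode-round limit is a constructed value.

```python
import html
from urllib.parse import unquote

# Upper bound on decode passes, so a value that keeps producing fresh
# percent-sequences cannot loop forever (constructed limit for this example).
MAX_DECODE_ROUNDS = 5


def canonicalize(value: str) -> str:
    """Percent-decode until the value stops changing, so that the spellings on
    slide 7 (%5C, %255C, %%35%63) all reduce to the same single character
    before any check is applied to it."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def contains_markup(value: str) -> bool:
    """Input-side check from slide 5 ("beware < and >"): true if the canonical
    form of the value contains the characters that open or close a tag."""
    canonical = canonicalize(value)
    return "<" in canonical or ">" in canonical


def encode_for_html(value: str) -> str:
    """Output-side defence (slide 5, "never display raw input"): entity-encode
    & < > " ' so untrusted text is rendered as text, never parsed as markup."""
    return html.escape(value, quote=True)


def input_tag(value: str) -> str:
    """Build an <input> whose value attribute holds untrusted data. Because the
    quote characters are encoded, the data cannot close the attribute and add
    an event handler, which is the slide 6 point that tags have events."""
    return '<input type="text" value="%s">' % encode_for_html(value)


if __name__ == "__main__":
    for spelling in ("%5C", "%255C", "%%35%63"):
        print(spelling, "->", repr(canonicalize(spelling)))
    print(input_tag('" onmouseover="x'))
```

`contains_markup` is a detection aid for logging or rejecting suspicious input; the encoder is the control that actually prevents script execution, and the two are not interchangeable, which is why the slide says not to switch validation off site-wide while relying on it alone.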

  8. SQL Injection • Manipulation of “raw” SQL • Stored Procedures • Named Parameters

  9. SQL Injection • SQL Permissions • CAS / Data Access Assemblies • Managed Components
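Slides 8 and 9 pair two controls: named parameters so that input can never change the shape of a statement, and database permissions so that a query which does get through can still only read. The example below is added here and is not from the talk; it uses Python's `sqlite3` with an in-memory database and a constructed two-row `users` table, and `set_authorizer` stands in for the account-level SQL permissions an ASP.NET application would get from its database login.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Slide 8's "raw" SQL: the input is concatenated into the statement, so
    quote characters in it become part of the query itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Named parameter: the driver sends the value separately from the SQL
    text, so whatever it contains is compared as a string, nothing more."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = :name", {"name": name}
    )
    return [row[0] for row in rows]


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Slide 9's SQL permissions: after this call the connection may only
    SELECT and READ; any write, DDL or DELETE is refused by the engine."""

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def try_delete_all(conn: sqlite3.Connection) -> bool:
    """Return True if a destructive statement ran, False if it was denied."""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    conn = build_db()
    probe = "x' OR '1'='1"
    print("raw SQL   :", find_user_unsafe(conn, probe))
    print("parameter :", find_user_safe(conn, probe))
    restrict_to_reads(conn)
    print("delete ran:", try_delete_all(conn))
```

The parameterised version returns nothing for the probe value because no user is literally named `x' OR '1'='1`; the read-only authorizer then shows why permissions matter as a second layer, since the delete is refused even though the connection is otherwise fully functional.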

  10. Storing Secrets • Hashing is not encrypting • Dictionary attacks • Salt your data
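Slide 10's three points fit in one piece of code: a hash cannot be reversed (so it is the right tool for passwords, where encryption would be the wrong one), an unsalted hash of a common word is the same in every database and so can be looked up from a table built once, and a per-user salt defeats that lookup. This is an added example, not the speaker's code; the word list, iteration count and the passwords are constructed values, and PBKDF2 from `hashlib` is used as the stretching function.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed iteration count for this example; production deployments
# should raise it as far as login latency allows.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """What slide 10 warns about: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_table(words) -> dict:
    """Hash a word list once. Against unsalted storage this one table
    answers for every user in every database that made the same mistake."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stored: str) -> Optional[str]:
    """Return the word behind a stored hash if the table knows it."""
    return table.get(stored)


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted, stretched hash. A fresh random salt per user means two users
    with the same password store different digests, and a precomputed
    table would have to be rebuilt per salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = dictionary_table(["password", "letmein", "qwerty"])
    print("unsalted hit :", lookup(table, unsalted_hash("letmein")))
    salt, digest = hash_password("letmein")
    print("salted hit   :", lookup(table, digest.hex()))
    print("verify       :", verify_password("letmein", salt, digest))
```

Storing `salt` next to `digest` is expected; the salt is not a secret, its job is only to make every stored hash unique so that precomputation stops paying off.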

  11. Leaking Information; Search • Search Engines • "# -FrontPage-" inurl:service.pwd • http://johnny.ihackstuff.com/

  12. Leaking Information; Errors • Exceptions • <compilation debug="true" />

  13. Leaking Information; ViewState • ViewState is not encrypted by default • MAC lock • <system.web> <machineKey decryptionKey="AutoGenerate,IsolateApps" decryption="3DES" ... /> </system.web>
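Slides 2, 3 and 4 (form parameters, cookies, headers: "hash or checksum, validate") and slide 13 (ViewState with a MAC) all describe the same control: anything the server hands to the browser and expects back carries a keyed MAC, and the server re-derives anything important instead of trusting the round-tripped copy. The example below is added for this page and is not from the talk; it uses HMAC-SHA256 from the standard library in place of ASP.NET's machineKey-driven ViewState MAC, with a constructed key and a constructed price catalogue.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. In a real deployment this is server-side configuration
# (the role <machineKey> plays for ViewState) and is never sent to the client.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Constructed server-side catalogue: the authoritative price lives here,
# which is slide 2's "important data is for server side".
CATALOGUE = {"book": 100, "pen": 5}


def sign(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise the state and append an HMAC over it. The client can read
    the state (this is not encryption, as slide 13 notes) but cannot alter
    it without the tag failing to verify."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    ).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload if the tag matches, None for anything tampered,
    truncated or signed under a different key."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def order_total(token: str) -> Optional[int]:
    """Slide 2's duplicate validation: accept the token only if its MAC
    verifies, then price the order from the catalogue and ignore any price
    the client may have sent along."""
    payload = verify(token)
    if payload is None:
        return None
    item = payload.get("item")
    qty = payload.get("qty", 1)
    if item not in CATALOGUE or not isinstance(qty, int) or qty < 1:
        return None
    return CATALOGUE[item] * qty


if __name__ == "__main__":
    token = sign({"item": "book", "qty": 2})
    print("genuine :", order_total(token))
    body_of_other = sign({"item": "book", "qty": 2, "price": 1}).split(".")[0]
    print("spliced :", order_total(body_of_other + "." + token.split(".")[1]))
```

A failed `verify` is worth logging: a token that reaches the server with a bad tag did not come from the server's own output, so the event is a tamper signal rather than a user error.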

  14. Are you scared yet?
