18. Improper Input Validation can lead to security vulnerabilities when attackers can modify input in unexpected ways for the application
19. The only way to protect our applications is by understanding that all input can be maliciousCWE-20: Improper Input Validation 5 of 59
20.
21.
22. DNS based website blacklist can be bypassed by providing a forged request with a custom HTTP headerHttp request: GET / HTTP/1.1 X-DecoyHost: www.milw0rm.org Host: www.blocked.org CWE-20: Example 7 of 59
46. WebApp firewall and ESAPI/PHPIDS (you lazy developers :-))CWE-116: Mitigation 15 of 59
47.
48. This information is used in the Penetration Testing phase called “Reconnaissance”
49. Even these little secrets can greatly simplify a more concerted attack that yields much bigger rewardsCWE-209: Error Message Information Leak 16 of 59
50.
51. MySQL error when forging a malicious request altering the anno parameterGET /seminari/archivio.php?anno=2008%27 HTTP/1.1 Host: www.dm.unibo.it [...] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Cookie: dm=[...] CWE-209: www.dm.unibo.it 17 of 59
56. If we are the hacker riding the victim’s session, and the victim then logout from Uniwex, his session (and ours, because is the same) is invalidated.
57. If we invalidate a session and then we try to submit the previously “invalid” session token... MAGICALLY ...CWE-209: unibo.unibo.it 19 of 59
61. This revealed us that Tomcat is used as Application Server, and we’ve also obtained the specific version of a few frameworks on which the application was built:/home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/struts-1.1.jar /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/myfaces-api-1.1.4.jar CWE-209: unibo.unibo.it 21 of 59
62.
63. The most common storage solution is a Relational Database(Oracle, MySQL, Postgres, MS-SQL, Sybase)
64. If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profitCWE-89: SQL Injection 22 of 59
65. http://www.integratingweb.com http://antisnatchor.com CWE-89: SQL Injection Exploiting escape characters: "SELECT * FROM customers WHERE name= '" + customerName+ "';" IfcustomerName=marcus’ UNION SELECT 1,2,3,4 FROM admin_users; Then the final query becomes: SELECT * FROM customers WHERE name='marcus’ UNION SELECT 1,2,3,4 FROM admin_users; Exploiting type handling: "SELECT * FROM product_data WHERE product_id = " + productId + ";" IfproductId=10078;DROP TABLE admin_users Then the final query becomes: SELECT * FROM product_data WHERE product_id =10078;DROP TABLE admin_users; CWE-89: SQL Injection 23 of 59
66.
67. The previous example on www.dm.unibo.it demonstrates that input is not being escaped at all
68. After we discovered the SQL injection we can fire-up our favorite injection tool to retrieve useful informationCWE-89: SQL Injection 24 of 59
93. The page is then accessed by other users, whose browsers execute that malicious script as if it came from the legitimate user (the victim)
94. It always happen when a server-side script/servlet/whatever process the malicious data to generate a page without properly sanitizing the response (non-DOM-based XSS)CWE-79: The Plague of Cross Site Scripting 31 of 59
103. Do not create your own filters: you’ll probably miss some attack vectors or encodings
104. Use well known Encoding/Validation frameworks such as ESAPI,PHPIDS,Microsoft Anti-XSS (yes, Microsoft, don’t laugh please :-))CWE-79: Mitigation 37 of 59
105.
106. As we said many times before, we don’t recommend to write an anti-XSS filter from scratch
107. At CERN they usually develop application from scratch, like Indico (http://indico.cern.ch). Indico is the main solution used by the EGEE partners around Europe (many thousand of users)
108. We found a way to bypass a basic anti-XSS filter implemented in the application
109. Bracelets (< >) are correctly escaped with < and >, thus preventing almost all the attack vectors……CWE-79: Advanced concepts 38 of 59
110.
111. ….. We said almost because we can create attack vectors even without bracelets:http://indico.cern.ch/search.py?categId=0&p=cloud&f=title%22&collections=&startDate=&endDate=&sortOrder=d The rendered HTML after processing the request is the following: <form id="NextFormEvents" method="GET" action="http://indico.cern.ch/search.py"> <input type="hidden" name="startDate" value=""/> <input type="hidden" name="endDate" value=""/> <input type="hidden" name="p" value="cloud"/> <input type="hidden" name="f" value="title""/> <!-- <-- here is the problem --> <input type="hidden" name="collections" value="Events"/> <input type="hidden" name="categId" value="0" /> </form> CWE-79: Advanced concepts 39 of 59
112.
113. The following is working on Microsoft Internet Explorer 6 and 7:
115. The malicious code will add to the "input" element a "style" attribute: note that expression is understood only by IE.The rendered HTML after processing the request is the following: <form id="NextFormEvents" method="GET" action="http://indico.cern.ch/search.py"> <input type="hidden" name="startDate" value=""/> <input type="hidden" name="endDate" value=""/> <input type="hidden" name="p" value="cloud"/> <input type="hidden" name="f" value="title” style=“width: expression(alert('XSS'));”/> <input type="hidden" name="collections" value="Events"/> <input type="hidden" name="categId" value="0" /> </form> CWE-79: Advanced concepts 40 of 59
116.
117.
118.
119.
120. KonaKart is a free Java based web application to manage e-commerce websites (www.konakart.com)
162. 4. The hacker performs a lost-password request and receives a new passwordCWE-352: XSRF Concrete Consequences 52 of 59
163.
164. 3 The victim is now using your chosen DNS, where you probably altered her common used domains with your phishing ones CWE-352: XSRF Concrete Consequences 53 of 59
174. Implement AJAX functionalities with secure libraries such as DWR-2.0 (Direct Web Remoting) that automatically prevents XSRFCWE-352: XSRF Mitigation 57 of 59