Presentation to expose web hacking techniques attack and defense. Look into OWASP Top 10 and perform some demos in real world and in a managed vulnerable web commerce. XSS, SQLi, LFI and upload webshell were some cool demos :)

1. Web Security
● Jose Mato Mariño

2. 3/5/15 - 12:52:45 AM
Who am I?
● Web Developer
● Web security as hobby
● http://josemato.name
● @security4dev

3. 3/5/15 - 12:52:46 AM
Is mandatory know web security to do a web?
● YES, If someone hacks your your server... you,
developer, are screwed
– Read logs, …, a lot of logs
– Sometimes is difficult know what was happening
– Web security is easier than computer forensic
● Your client
– Angry
– Lost branding and reputation

4. 3/5/15 - 12:52:46 AM
Why cybercriminals want
my server ???
● SPAM
● BitCoins
● Phishing
● Botnet
● Ransomware
● Data theft

5. 3/5/15 - 12:52:46 AM
● Online community dedicated to web application security
● Guide practices and recommendations to be considered
secure application development
● OWASP TOP 10

6. 3/5/15 - 12:52:46 AM
OWASP TOP 10 – From 2010 to 2013

7. 3/5/15 - 12:52:46 AM
A3 – Cross Site Scripting (XSS)
● Problem: User injects code ( ActiveX, Java, VBScript,
Flash, HTML but typically javascript) into webpage
● Attacks:
– Access user session (session hijacking)
– Redirect user to exploit kit (blackhole)
– Defacement. Phishing.
– Network ip + ports scanner
● We have 5 contexts to exploit XSS
● There are two types of XSS

8. 3/5/15 - 12:52:46 AM
A3 – XSS Context
● Context (by Ashar Javed @soaj1664ashar):
"Context is an environment where user supplied input or input
from other application(s) eventually ends-up or start living"
● Type of contexts:
– HTML context (<title>XXS</title>)
– Attribute context (input value=”XSS”)
– Script context (<script>var a = “<?php echo XSS ?>”</script>)
– URL context (write server variable to src, href, data flash, etc)
– Style context (div style=”XSS” => custom editors)

9. 3/5/15 - 12:52:46 AM
● Reflective
– Code is not store on any database or database repo
– Payload must be on get parameter (discussion)
– User needs to click on a malicious link
● Persistent
– Code is store on a persistent store (database)
– When user enter on a hacked page, he will exec the
xploit
A3 – XSS Types

10. 3/5/15 - 12:52:46 AM
● http://www.elmundo.es/elmundo/2010/01/04/union_europea/1262
610678.html
A3 – Famous XSS
“Mr. Bean 'se cuela' en la web oficial de la presidencia
española”

11. 3/5/15 - 12:52:47 AM
XSS DEMO I
● Check if there is
some XSS
● Get access to user
account

12. 3/5/15 - 12:52:47 AM
● Never trust on user input (inbound & outbound)
● Sanitize all inputs
● Enable flag httpOnly on cookies
● Content Security Policy (CSP)
A3 – XSS Mitigation

13. 3/5/15 - 12:52:47 AM
● Access to not allowed resources
● Application fail to check if user is authorized to access to
the resource
● Common scenario:
– http://websecurity-demo.local/transcript.php?student=1536
● Attacker see a parameter and know that “1536” is his
student id
● Attacker change this student id and get the content of
another student
● This parameter could be anywhere (get, post, cookie, …)
A4 – Insecure Direct Object References

14. 3/5/15 - 12:52:47 AM
● Technique to alter
queries into engine
store through
vulnerable
application
● Mysql, MSQL,
Postgres, LDAP,
Access, Oracle, …
● We are going to
focus on SQLi in this
talk
● Many kind of SQLi
A1 – Injection

15. 3/5/15 - 12:52:47 AM
● Access personal data. Dump database
● Dump local users (/etc/passwd)
● Access organization CMS
● Site infection
– malware propagation
– Click abuse
A1 – SQL Injection Goals

16. 3/5/15 - 12:52:47 AM
● Lilupophilupop SQL Injection Attack Tops 1 Million
Infected URLs
– Search SQL Injection on ASP or ColdFusion pages
with Microsoft SQL Server
– More than one million url infected
– the attackers used XSS Persistent to redirect users to
pages showing fake computer issues to buy a fake
AV
● http://threatpost.com/lilupophilupop-sql-injection-attack
-tops-1-million-infected-urls-010412/76054
A1 – Famous SQL Injection I

17. 3/5/15 - 12:52:47 AM
● Barr’s claims that he would unmask and extinguish Anonymous
proved to be the proverbial last straw on the camel’s back.
● Anonymous find a SQL Injection:
– http://www.hbgaryfederal.com/pages.php?pageNav=2&page=
27
● Passwords were hashed but Aaron just used lower case and
numbers.
● Access CMS. Social engineer to reset email password and
access SSH. (Aaron used same password for many services!)
● http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the
-inside-story-of-the-hbgary-hack/
A1 – Famous SQL Injection II

18. 3/5/15 - 12:52:47 AM
● SQL Injection
● Blind SQLi
– We only can use queries that retrieve a boolean value
(true or false).
– It's very slow
– Binary search to enhance performance
● Time based SQLi
– Based on heavy queries (sleep)
– Very slow
A1 – SQL Injection Types

19. 3/5/15 - 12:52:47 AM
● Database engine has a metadata, catalog, schema or
something like that
● This catalog stores all database metainformation (table
relations, database exists, columns names with length +
datatype, …)
● Is mandatory know the catalog of the vulnerable app to
perform a pentesting
A1 – SQL Injection Walkthrough I

20. 3/5/15 - 12:52:47 AM
● Search vulnerability (test app request and check
params)
– Number of columns
– Database names
● table names
– Column names
● Dump or insert data
● Download files
● Upload webshell
A1 – SQL Injection Walkthrough II

21. 3/5/15 - 12:52:47 AM
● MySQL Catalog
– Retrieve databases: SELECT schema_name FROM
information_schema.SCHEMATA;
– Retrieve tables from specific database: SELECT
table_schema, table_name FROM
information_schema.TABLES WHERE table_schema =
'DATABASE';
– Retrieve columns from specific table: SELECT
column_name, column_type FROM
information_schema.columns WHERE table_name =
'TABLE' AND table_schema = 'DATABASE';
A1 – SQL Injection Walkthrough III

22. 3/5/15 - 12:52:47 AM
A1 – SQL Injection Hacking Time :)

23. 3/5/15 - 12:52:47 AM
Some Question??
THANKS!!
● Jose Mato
– http://josemato.name
– @security4dev
– https://github.com/josemato/
– https://www.linkedin.com/in/josematomarino