SECURITY 101
Navneet Kumar
AGENDA
✘ SQLi
  ○ Auth Bypass
  ○ Blind SQLi
✘ CSRF
✘ XSS
✘ Session Management
✘ Attack Chaining
SQL INJECTION
Injection of a SQL query via the input data plane to modify or query sensitive data in the database
SQL INJECTION
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
userName =
' OR '1'='1' --
' OR '1'='1' ({
' OR '1'='1' /*
Resulting query:
SELECT * FROM users WHERE name = '' OR '1'='1';
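Added example (not from the original slides): the slide's concatenated statement next to a parameterized query, run with Python's sqlite3 against a constructed in-memory users table. The function names and sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows; table and column names follow the slide's query.
ROWS = [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db

def lookup_vulnerable(db, user_name):
    # Same concatenation as the slide: the input becomes part of the SQL text.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(statement).fetchall()

def lookup_parameterized(db, user_name):
    # The ? placeholder binds the input as a value; it is never parsed as SQL.
    return db.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()

def compare(db, user_name):
    """Return (row count or error name via concatenation, row count via binding)."""
    try:
        vulnerable = len(lookup_vulnerable(db, user_name))
    except sqlite3.Error as exc:
        vulnerable = type(exc).__name__  # a quote in benign input breaks the query
    return vulnerable, len(lookup_parameterized(db, user_name))

if __name__ == "__main__":
    db = make_db()
    for value in ["bob", "' OR '1'='1", "' OR '1'='1' --", "O'Brien"]:
        print(repr(value), compare(db, value))
```

The concatenated query returns every row for the slide's inputs and fails outright on a legitimate name containing a quote, while the bound parameter matches only an exact name.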
BLIND SQL INJECTION
SQLi where the attacker is blind to the SQL error response and uses the application's true/false response to exploit it
https://www.facebook.com?id=1008 AND substring(@@version, 1, 1)=5
DEMO
CROSS SITE REQUEST FORGERY (CSRF)
The attacker executes a request on the vulnerable domain with the victim's authenticated context to perform state-changing actions
SAME ORIGIN POLICY
Origin = Scheme + Hostname + Port
http://www.example.com:81/dir/page2.html
CSRF EXPLOIT
<form action="http://bank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value="Navneet"/>
<input type="hidden" name="amount" value="1000$"/>
<input type="submit" value="Win An iPad"/>
</form>
The browser sends the session cookies automatically
CSRF PREVENTION
1. Token Pattern
<input type="hidden" name="csrfmiddlewaretoken" value="KbyUmh" />
2. Header Pattern
Set-Cookie: Csrf-token=i8XNjC; expires=23-Jul-2015; Max-Age=31449600; Path=/
X-Csrf-Token: i8XNjC
DEMO
CROSS SITE SCRIPTING (XSS)
The attacker injects malicious client-side scripts that execute in the context of the vulnerable domain
XSS types
Reflected
Persistent
DOM XSS
Reflected
http://facebook.com?q=<script>alert('xss')</script>
DOM XSS
<script>
document.write("Site is at: " + document.location.href + ".");
</script>
Persistent
$('div').html('welcome to ' + userName + ' Meeting')
// My username is saved as
userName = "<script>alert('xss')</script>"
XSS reflection
An alert is a common XSS reflection
DEMO
SESSION MANAGEMENT
HTTP is a stateless protocol, so a web session is created to maintain state
COOKIE SECURITY
Attribute   Value                Meaning
Secure      true                 Only send through HTTPS
HttpOnly    true                 Disable script access
Domain      secure.example.com   Send for that domain & subdomains
Expires     31-Jul-2016 13:45    Persist it till expiry date
Set-Cookie: SID=AYQEV; Domain=.gmail.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly
ATTACK CHAINING
CSRF XSS Cookie
DEMO
Thanks! Any questions?