13 – hacking stuff ta: henrique pereira - calgary
▪ Open Web Application Security Project
▪ https://www.owasp.org
▪ OWASP Top 10
▪ https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
▪ https://google-gruyere.appspot.com/start
▪ A codelab for learning how to find, exploit and stop security vulnerabilities.
▪ A web application that is “full of holes”
▪ Basic examples of most of the attacks in the OWASP Top10 List.
▪ You are authorized to “hack it”.
▪ Running in a protected Sandbox
▪ If anything goes wrong, just RESET the instance.
▪ Injecting code into the contents of a website that is not under the attacker’s control.
▪ Reflected
▪ The application reflects unescaped user input directly into its output.
▪ A successful attack lets the attacker execute arbitrary HTML/JS in the victim’s browser.
▪ Stored
▪ The application stores unsanitized user input that is viewed later by another user or an admin.
▪ Stored XSS
▪ Let's save the script in one of our snippets.
▪ Obvious choice? <script>alert("lol")</script>
▪ <script> seems to be blacklisted.
▪ But what happens if we put the JS inside an event of an HTML element?
▪ <a onmouseover="alert('lol')">Click me</a>
▪ Guessing the admin URL
▪ /admin
▪ “Invalid request: /admin”
▪ Can we turn this into a reflected XSS?
▪ Obvious choice again.
▪ <script>alert("lol")</script>
▪ Another XSS vulnerability?
▪ Uploading HTML files with JS
▪ Easy to steal the cookies/session
▪ Easy to do Phishing
▪ https://gist.github.com/anonymous/4d1acc67897a8114e356473421de6519
▪ There are more XSS vulnerabilities in Gruyere, try to find them all.
▪ The authentication mechanism is not working properly.
▪ A user can get more privileges than they are supposed to have.
▪ Cookies can be stolen and users impersonated.
▪ Looking at the signup form
▪ Hidden field "is_author"
▪ What if we add another field called is_admin?
▪ $$$
▪ What if we have a weird username?
▪ a|admin|author
▪ An attacker can forge a request from a legitimate user by tricking the user into loading or executing a resource on an external website.
▪ Cookies for the original site are always sent with requests to that site, no matter which page triggered the request.
▪ Deleting Snippets
▪ …/deletesnippet?index=0
▪ Let's trick another user into calling that.
▪ Maybe an innocent JSFiddle example that contains the following: <img src="…/deletesnippet?index=0" />
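A hardened version of the deletesnippet action described above, as an added Python example that is not Gruyere's own code: it shows why the forged <img> request is rejected even though the browser attaches the victim's cookie to it. The request dicts, the session cookie name and the csrf_token form field are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed secret for the example; a real app loads it from config.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token, embedded in the site's own forms only."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def delete_snippet(request: dict, snippets: list) -> tuple:
    """Hardened /deletesnippet handler; returns (HTTP status, remaining snippets).

    request is a constructed dict with keys method, query, cookies, form.
    """
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, snippets
    # The browser attaches the session cookie to a cross-site <img> fetch too,
    # so the cookie alone must not authorise a state change: require POST ...
    if request["method"] != "POST":
        return 405, snippets
    # ... plus a token that only a page rendered by this site could carry.
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), csrf_token(session_id).encode()):
        return 403, snippets
    try:
        index = int(parse_qs(request["query"]).get("index", [""])[0])
    except ValueError:
        return 400, snippets
    if not 0 <= index < len(snippets):
        return 404, snippets
    return 200, snippets[:index] + snippets[index + 1:]


def forged_request() -> dict:
    """What <img src=".../deletesnippet?index=0"> on another site produces."""
    return {"method": "GET", "query": "index=0",
            "cookies": {"session": "victim-session"}, "form": {}}


def legitimate_request() -> dict:
    """The site's own delete form: POST carrying the session-bound token."""
    return {"method": "POST", "query": "index=0",
            "cookies": {"session": "victim-session"},
            "form": {"csrf_token": csrf_token("victim-session")}}
```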
▪ Web apps usually contain information that should not be made public
▪ User and passwords
▪ Private data
▪ Financial data
▪ ...
▪ + lots of vulnerabilities
▪ The full list of vulnerabilities and exploits with detailed explanations and fixes is available at the project’s website.
▪ https://google-gruyere.appspot.com/part1