Page 1

Security 101

Navneet Kumar

Posted on 13-Apr-2017

Page 2

Agenda

✘ SQLi
  ○ Auth Bypass
  ○ Blind SQLi
✘ CSRF
✘ XSS
✘ Session Management
✘ Attack Chaining

Page 3

SQL Injection

Injection of SQL through the application's input data plane, so that the attacker-supplied text is parsed as part of the query and can read or modify sensitive data in the database.

Page 4

SQL Injection

The query is built by string concatenation:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

With userName = ' OR '1'='1 the executed statement becomes:

SELECT * FROM users WHERE name = '' OR '1'='1';

Equivalent auth-bypass inputs for userName (the tail comments out whatever follows):

' OR '1'='1' --
' OR '1'='1' ({
' OR '1'='1' /*
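The concatenated statement from the slide beside its parameterized fix, as an added example in Python with the standard sqlite3 module (not code from the talk). The users table, its rows and the role column are constructed here for the demonstration.

```python
import sqlite3

# Constructed in-memory users table (assumption: name and role columns).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, user_name):
    # The slide's pattern: input is spliced into the SQL text. A quote in the
    # input closes the string literal and everything after it is parsed as SQL.
    statement = "SELECT name FROM users WHERE name = '" + user_name + "';"
    return [row[0] for row in conn.execute(statement)]

def lookup_parameterized(conn, user_name):
    # Fix: bind the value as a parameter. The SQL text is fixed and the driver
    # passes the input as data, so a quote in it is just a quote in a name.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (user_name,))]

# The slide's auth-bypass input: it turns the WHERE clause into
#   name = '' OR '1'='1'   which is true for every row.
PAYLOAD = "' OR '1'='1"

def compare(user_name):
    """Run the same input through both lookups and return what each yields."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, user_name),
        "parameterized": lookup_parameterized(conn, user_name),
    }

if __name__ == "__main__":
    print(compare("bob"))      # both lookups return ['bob']
    print(compare(PAYLOAD))    # vulnerable lists every user, parameterized returns []
```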

Page 5

Blind SQL Injection

SQLi where the attacker cannot see SQL error messages or query output, and instead infers data one true/false answer at a time from how the application responds.

https://www.facebook.com?id=1008 AND substring(@@version, 1, 1)=5

Page 6

DEMO

Page 7

Cross Site Request Forgery (CSRF)

The attacker causes the victim's browser to send a request to the vulnerable domain within the victim's authenticated context, so a state-changing action is performed on the victim's behalf.

Page 8

Same Origin Policy

Origin = Scheme + Hostname + Port

http://www.example.com:81/dir/page2.html

For this URL the origin is http://www.example.com:81; the path /dir/page2.html is not part of it.

Page 9

CSRF Exploit

<form action="http://bank.com/transfer.do" method="POST">
  <input type="hidden" name="acct" value="Navneet"/>
  <input type="hidden" name="amount" value="1000$"/>
  <input type="submit" value="Win An iPad"/>
</form>

The browser attaches the session cookies for bank.com automatically.

Page 10

CSRF Prevention

1. Token pattern: a per-session secret embedded in the form and verified on submit.

<input type="hidden" name="csrfmiddlewaretoken" value="KbyUmh" />

2. Header pattern: the token is set in a cookie and must be echoed back in a request header, which a cross-site form cannot do.

Set-Cookie: Csrf-token=i8XNjC; expires=23-Jul-2015; Max-Age=31449600; Path=/

X-Csrf-Token: i8XNjC

Page 11

DEMO

Page 12

Cross Site Scripting (XSS)

The attacker injects client-side script that executes in the context of the vulnerable domain. Three types:

Reflected
Persistent
DOM XSS

Page 13

XSS types

Reflected:

http://facebook.com?q=<script>alert('xss')</script>

DOM XSS (the page writes an attacker-controlled part of the URL into the document):

<script>
document.write("Site is at: " + document.location.href + ".");
</script>

Persistent (the stored value is later inserted as HTML):

$('div').html('welcome to ' + userName + ' Meeting')
// My username is saved as
userName = "<script>alert('xss')</script>"

Page 14

XSS reflection

An alert box is the usual way to demonstrate that injected script is reflected and executed.

Page 15

DEMO

Page 16

Session Management

HTTP is a stateless protocol, so a web session is created to maintain state between requests.

Page 17

Cookie Security

Attribute   Value               Meaning
Secure      true                Only send over HTTPS
HttpOnly    true                Disable script access
Domain      secure.example.com  Send for that domain and its subdomains
Expires     31-Jul-2016 13:45   Persist until the expiry date

Set-Cookie: SID=AYQEV; Domain=.gmail.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly

Page 18

Attack Chaining

CSRF + XSS + Cookie

Page 19

DEMO

Page 20

Thanks! Any questions?