33
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12

Into the Mind of the Hacker: Hands-On Web Application Hacking

  • Upload
    denali

  • View
    48

  • Download
    1

Embed Size (px)

DESCRIPTION

Into the Mind of the Hacker: Hands-On Web Application Hacking. Adam Doupé University of California, Santa Barbara 4 / 23 / 12. Overview. Think like a hacker SQL injection Cross-site scripting (XSS). Me. 7 years as UCSB student 2 nd year PhD student - PowerPoint PPT Presentation

Citation preview

Page 1: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Into the Mind of the Hacker: Hands-On Web Application Hacking

Adam Doupé

University of California, Santa Barbara

4/23/12

Page 2: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Overview

• Think like a hacker

• SQL injection

• Cross-site scripting (XSS)

Page 3: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Me

• 7 years as UCSB student– 2nd year PhD student

• ~ 1 year at Microsoft as Software Dev

• Research securing web applications

• Professional pentester

Page 4: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Web Hacks

• LulzSec – 2011– Hacked into Arizona law enforcement

• UCLA – 2006– 800,000 identities stolen

• University of Texas, Austin – 2006– 197,000 student records stolen

Page 6: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Definitions

• Security

• Vulnerability

• Exploit

• Hacker

Page 7: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Ethics

• Only hack into sites you own– Or you have permission

• You will get caught

Page 8: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Hacker Mindset

• Motivation– Fame– Money– Lulz

• Understand the application– Build mental model

• Only need to find one flaw

Page 9: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Injection Vectors

• User input to the application• Web application

– Query parameters– POST parameters– Cookies– Referer header– Files

Page 10: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Burp Proxy

• Intercepts traffic between you and website– Can manipulate the request directly

• Industry quality– I use the full version professionally

• Demo

Page 11: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

WackoPicko

• Background

• Added functionality– Reset

• Self-guided exploration

Page 12: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection

• Allows attacker to alter semantics of SQL query

• Consequences– Steal database– Alter database– Bypass login

Page 13: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – Example

“select * from `users` where `id` =‘” + $id + “’;”

$id = “10”

select * from `users` where `id` = ‘10’;

Page 14: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – Example

“select * from `users` where `id` =‘” + $id + “’;”

$id = “-1 or 1=1”

select * from `users` where `id` = ‘-1 or 1=1’;

Page 15: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – Example

“select * from `users` where `id` =‘” + $id + “’;”

$id = “-1’ or 1=1”

select * from `users` where `id` = ‘-1’ or 1=1’;

Page 16: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – Example

“select * from `users` where `id` =‘” + $id + “’;”

$id = “-1’ or 1=1; #”

select * from `users` where `id` = ‘-1’ or 1=1; #’;

Page 17: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – Example

“select * from `users` where `id` =‘” + $id + “’;”

$id = “-1’; drop table `users`;#”

select * from `users` where `id` = ‘-1’; drop table `users`;#’;

Page 18: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – Examples

“select * from `users` where `id` =‘” + $id + “’;”

$id = “-1’; insert into `admin` (‘username’, ‘password’) values (‘adamd’, ‘pwned’);#”

select * from `users` where `id` = ‘-1’; insert into `admin` (‘username’, ‘password’) values (‘adamd’, ‘pwned’);#’;

Page 19: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – Detection

• Passive – Look for success– 1+2– (select 2)

• Active – Look for errors– O’Malley– < 10

Page 20: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – WackoPicko

• Where is it possible?– Imagine how the application works

• Guided exploration

Page 21: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – WackoPicko

• login.php– What is the error message?– What does the query look like?

• Guided attacking

• Demo!

Page 22: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

SQL Injection – Prevention

• Prepared statements– Specify structure of query then provide arguments

• Prepared statements – example$stmt = $db->prepare(“select * from `users` where `username` = :name and `password` = SHA1( CONCAT(:pass, `salt`)) limit 1;”); $stmt->bindParam(':name', $name);$stmt->bindParam(':pass', $pass);

• Sanitize inputs

Page 23: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

XSS

• Malicious JavaScript running in the context of your web application

• Consequences – Steal cookies– Perform actions as the user– Present fake login form

Page 24: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

XSS – Examples

<html><body>

<p>Hello <?= $name ?></p></body>

</html>

Page 25: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

XSS – Examples

$name = “adam”;<html>

<body><p>Hello adam</p>

</body></html>

Page 26: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

XSS – Examples

$name = “<script>alert(‘xss’); </script>”;

<html><body><p>Hello <script>alert(‘xss’);

</script></p></body>

</html>

Page 27: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

XSS – Detection

• Understand how input is used in HTML source

• Input “forbidden” characters– < >– ‘ “ ; /

• Understand what sanitized is performed

Page 28: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

XSS – WackoPicko

• Where might there be a XSS?

• Guided exploration

Page 29: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

XSS – WackoPicko

• search.php

• Self-guided attacking– Can you get alert box to appear?

• Demo – Fake login form

Page 30: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

XSS – Prevention

• Sanitize all user inputs using known sanitization routine

• Depends on context– < and > necessary in HTML– Only need ‘ in JavaScript

Page 31: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Review

• Hacker mindset– Understand the application– Build a mental model– Break the mental model

• Generalize to your applications

Page 32: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Tools

• Wireshark• Burp Proxy• SQLMap• WackoPicko• OWASP Broken Web Apps Project• Google Gruyere

Page 33: Into the Mind of the Hacker:  Hands-On Web Application Hacking

Doupé - 4/23/12

Questions?

Go forth and hack!

(ethically, of course)

[email protected]