Into the Mind of the Hacker: Hands-On Web Application Hacking
DESCRIPTION
Into the Mind of the Hacker: Hands-On Web Application Hacking. Adam Doupé, University of California, Santa Barbara, 4/23/12. Overview: think like a hacker; SQL injection; cross-site scripting (XSS). PowerPoint presentation transcript.
TRANSCRIPT
Into the Mind of the Hacker: Hands-On Web Application Hacking
Adam Doupé
University of California, Santa Barbara
4/23/12
Doupé - 4/23/12
Overview
• Think like a hacker
• SQL injection
• Cross-site scripting (XSS)
Me
• 7 years as a UCSB student
– 2nd year PhD student
• ~1 year at Microsoft as a Software Dev
• Research: securing web applications
• Professional pentester
Web Hacks
• LulzSec – 2011
– Hacked into Arizona law enforcement
• UCLA – 2006
– 800,000 identities stolen
• University of Texas, Austin – 2006
– 197,000 student records stolen
UCSB Hacks
• 2005
– http://www.dailynexus.com/2005-03-30/altered-grades-lead-to-students-arrest/
• 2000
– http://news.bbc.co.uk/2/hi/business/640087.stm
Definitions
• Security
• Vulnerability
• Exploit
• Hacker
Ethics
• Only hack into sites you own
– Or that you have permission to test
• You will get caught
Hacker Mindset
• Motivation
– Fame
– Money
– Lulz
• Understand the application
– Build a mental model
• Only need to find one flaw
Injection Vectors
• User input to the application
• Web application
– Query parameters
– POST parameters
– Cookies
– Referer header
– Files
Burp Proxy
• Intercepts traffic between you and the website
– Can manipulate the request directly
• Industry quality
– I use the full version professionally
• Demo
WackoPicko
• Background
• Added functionality
– Reset
• Self-guided exploration
SQL Injection
• Allows an attacker to alter the semantics of a SQL query
• Consequences
– Steal the database
– Alter the database
– Bypass login
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "10"
select * from `users` where `id` = '10';
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "-1 or 1=1"
select * from `users` where `id` = '-1 or 1=1';
(still a plain string comparison: the payload never left the quotes)
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "-1' or 1=1"
select * from `users` where `id` = '-1' or 1=1';
(breaks out of the quotes, but the leftover trailing ' is now a syntax error)
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "-1' or 1=1; #"
select * from `users` where `id` = '-1' or 1=1; #';
(the MySQL # comment swallows the leftover quote: every row comes back)
SQL Injection – Example
"select * from `users` where `id` = '" + $id + "';"
$id = "-1'; drop table `users`;#"
select * from `users` where `id` = '-1'; drop table `users`;#';
(a stacked statement only runs if the database API executes more than one statement per call)
SQL Injection – Examples
"select * from `users` where `id` = '" + $id + "';"
$id = "-1'; insert into `admin` (`username`, `password`) values ('adamd', 'pwned');#"
select * from `users` where `id` = '-1'; insert into `admin` (`username`, `password`) values ('adamd', 'pwned');#';
SQL Injection – Detection
• Passive – look for success
– 1+2
– (select 2)
• Active – look for errors
– O'Malley
– < 10
SQL Injection – WackoPicko
• Where is it possible?
– Imagine how the application works
• Guided exploration
SQL Injection – WackoPicko
• login.php
– What is the error message?
– What does the query look like?
• Guided attacking
• Demo!
SQL Injection – Prevention
• Prepared statements
– Specify the structure of the query first, then provide the arguments
• Prepared statements – example (PHP PDO)
$stmt = $db->prepare("select * from `users` where `username` = :name and `password` = SHA1(CONCAT(:pass, `salt`)) limit 1;");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
$stmt->execute();
$user = $stmt->fetch();
• Sanitize inputs
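The login bypass from the WackoPicko login.php exercise and the prepared-statement fix from the slide above, side by side, as an added example that is not part of the deck. It uses a constructed in-memory SQLite users table (the schema and the two accounts are assumptions). SQLite has no SHA1 or CONCAT, so both are registered as Python functions to keep the query text close to the slide's MySQL; PDO's `:name` and `:pass` placeholders become sqlite3's `?`.

```python
import hashlib
import secrets
import sqlite3


def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()


def make_db():
    """Constructed users table with a per-user salt (assumption: the
    schema the slide's query implies). SHA1/CONCAT are supplied as
    Python functions because SQLite lacks them."""
    db = sqlite3.connect(":memory:")
    db.create_function("SHA1", 1, sha1_hex)
    db.create_function("CONCAT", 2, lambda a, b: a + b)
    db.execute("create table users (username text, password text, salt text)")
    for user, pw in [("adam", "hunter2"), ("bob", "letmein")]:
        salt = secrets.token_hex(8)
        db.execute("insert into users values (?, ?, ?)",
                   (user, sha1_hex(pw + salt), salt))
    return db


def login_concat(db, name, password):
    """Vulnerable: the slide's query built by string concatenation.
    Returns the logged-in username, or None."""
    sql = ("select username from users where username = '" + name +
           "' and password = SHA1(CONCAT('" + password + "', salt)) limit 1;")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def login_prepared(db, name, password):
    """Fixed: structure first, arguments bound afterwards. A quote in the
    attacker's input is now just data compared against the username
    column, and the password check can no longer be commented out."""
    row = db.execute(
        "select username from users where username = ? "
        "and password = SHA1(CONCAT(?, salt)) limit 1;",
        (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name, pw in [("adam", "hunter2"), ("adam", "wrong"),
                     ("adam' --", "wrong"), ("' or 1=1 --", "wrong")]:
        print(f"{name!r:16} concat={login_concat(db, name, pw)!s:5} "
              f"prepared={login_prepared(db, name, pw)}")
```

With the concatenated query, `adam' --` as the username comments out the whole password clause and logs in as adam with any password; `' or 1=1 --` logs in as whichever user the database returns first. Both come back as None from the prepared version. The salted SHA1 is kept only to mirror the slide: for storing passwords today a deliberately slow hash (bcrypt, scrypt or Argon2) is the right choice, but that does not change the injection lesson.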
XSS
• Malicious JavaScript running in the context of your web application
• Consequences
– Steal cookies
– Perform actions as the user
– Present a fake login form
XSS – Examples
<html><body>
<p>Hello <?= $name ?></p></body>
</html>
XSS – Examples
$name = "adam";
<html><body><p>Hello adam</p></body></html>
XSS – Examples
$name = "<script>alert('xss');</script>";
<html><body><p>Hello <script>alert('xss');</script></p></body></html>
XSS – Detection
• Understand how the input is used in the HTML source
• Input "forbidden" characters
– < >
– ' " ; /
• Understand what sanitization is performed
XSS – WackoPicko
• Where might there be an XSS?
• Guided exploration
XSS – WackoPicko
• search.php
• Self-guided attacking
– Can you get an alert box to appear?
• Demo – fake login form
XSS – Prevention
• Sanitize all user input using a known sanitization routine
• Depends on context
– In HTML text, < and > must be escaped
– Inside a quoted JavaScript string, a ' alone is enough to break out (so are \ and a literal </script>), so those must be escaped instead
Review
• Hacker mindset
– Understand the application
– Build a mental model
– Break the mental model
• Generalize to your applications
Tools
• Wireshark
• Burp Proxy
• SQLMap
• WackoPicko
• OWASP Broken Web Apps Project
• Google Gruyere