nullcon 2011 - (secure) sitehoster – disable xss & sql injection


Upload: nu-the-open-security-community

Posted on 08-Jun-2015


DESCRIPTION

(secure) SiteHoster – Disable XSS & SQL Injection by Abhishek Kumar

TRANSCRIPT

Page 1: nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection

NEW CONCEPTS: DEFEATING WEB ATTACKS

(secure) SiteHoster

http://nullcon.net

Page 2

http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB

Family Named: AbhishekKr

Friends Call: ABK

g33k Handle: aBionic

Independent Security Enthusiast/Researcher

Also a Member of 'EvilFingers' (other than 'NULL')

Application Developer at ThoughtWorks Inc.

OpenSource Lover

Page 3

Other than expanding to (secure)SiteHoster

A Fresh Approach

A Lab RAT

(s)SH

http://sourceforge.net/projects/sitehoster

Page 4

It's The Same Old Problem

Page 5

With A New Perspective To Solve It

Same Old Problem

Page 6

ATTACK THE ATTACKER

offensive security to secure

Page 7

Stats are not the same (as in 2009) …

But threats are

Major Threats for Web Applications

Page 8

Always aim at the strongest opponent first;

it makes you win the battle easily

XSS Defeating Concept

Page 9

IT IS JUST A PIECE OF CODE

Page 10

<TAGS/> R GooD

Page 11

And if it’s Code…

Page 12

!dea is to BUG it

Page 13

All take effect through user-input options, a Web 2.0 gift

3 Major XSS Attack Patterns

Page 14

What You See Is (*NOT*) What You Get

Included or injected <script/>

+ Karthik calling Karthik…

+ User (tricked) Input…

Page 15

What finally happens is an unwanted <script/>,

whoever calls it or whoever injects it

Page 16

Take away all its POWER!!!!!

Disarm <script/>

Page 17

To kill all unwanted 'Creepy-Living' Beings

Dis-Infect Entire Body

Page 18

Generated HyperText

<html>
<head><script>function h(){alert("some dev-script in HEAD Tag");}</script></head>
<body>
<script DEFER>heavy_stuff=true;</script>
name: <div id="fromDB" onMouseOver="h();">
<script>alert('attacker injected it, could do anything');</script>
</div>
</body>
</html>

Page 19

Server Patched View

<html>
<head>
<script>function h(){alert("this is dev-scripts in HEAD Tag");}</script>
</head>
<BD>
<BODY>
<script DEFER>heavy_stuff=true;</script>
<script type='text/javascript'>
x=document.getElementsByTagName("BODY");
x[0].innerHTML = "name:<div id=\"fromDB\" onclick=\"h();\"><script>alert(\'attacker injected it, could do anything\');<\/script><\/div>";
</script>
</BODY>
</BD>
</html>

Page 20

…the other two monkeys still get a chance

But… still

Page 21

'javascript:' may take effect as

Page 22

So 'javascript:<bugMe/>'

Page 23

2 are pwn3d… but the 3rd is powerful enough

1 Monkey can wreak havoc

Page 24

- says 'JS-Events'

'Be Kind' on Entropy

Page 25

Page 26

Ninja Parse User Input

Page 27

Bug-it-su pwn JS-Events

Page 28

hardcore ‘js-events’ pwnage

Page 29

<TAGS/> go Green

XSS Attack gets bugged

Page 30

Normal user input matching an attack pattern ain't filtered

Innocence Is Saved

Page 31

And so are Script-Junkies

All Monkeys Defeated
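The two XSS ideas of the preceding slides, carried into code as an added example (editor's code, not SiteHoster's and not from the talk): the slide-19 trick of handing the generated body to the browser through innerHTML, which renders the markup but never executes a <script> element inserted that way, and the "bug-it-su" step of slides 26-31 that parses user input and renames the other two monkeys (javascript: URLs and on* event handlers) instead of stripping them, so ordinary text that merely mentions them is not filtered. The names bug-script, bug-on*, bugged-javascript: and the function names are assumptions; the talk does not give its rewriting vocabulary. The sample fragment is constructed from the slide-18 listing.

```python
import html
import json
import re
from html.parser import HTMLParser

# Browsers drop ASCII controls and spaces while parsing a URL scheme, so
# "java\tscript:" and " javascript:" still run; normalise before matching.
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")


def is_javascript_url(value: str) -> bool:
    """True for any spelling of a javascript: URL that a browser would honour."""
    return _SCHEME_NOISE.sub("", value).lower().startswith("javascript:")


class BugItSu(HTMLParser):
    """Re-emit untrusted HTML with the three XSS patterns renamed ("bugged") so the
    browser sees inert markup: <script> becomes <bug-script>, on* handlers become
    bug-on*, javascript: URLs get a bugged- prefix.  Every other tag survives.
    (Hypothetical vocabulary; the talk does not specify its rewriting names.)"""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out: list[str] = []
        self.bugged: list[str] = []   # audit trail of what got neutralised
        self._in_script = False

    def _emit_tag(self, tag: str, attrs, self_closing: bool) -> None:
        if tag == "script":
            self.bugged.append("<script>")
            tag = "bug-script"
        parts = [tag]
        for name, value in attrs:            # HTMLParser lower-cases attribute names
            if name.startswith("on"):        # onclick, onmouseover, onerror, ...
                self.bugged.append(name)
                name = "bug-" + name
            elif value is not None and is_javascript_url(value):
                self.bugged.append(f"{name}=javascript:")
                value = "bugged-" + value
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=False)
        if tag == "script":
            self._in_script = True

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            tag = "bug-script"
        self.out.append(f"</{tag}>")

    # Text nodes are left alone, so prose that merely mentions "onclick" or
    # "javascript:" is not filtered; a script body becomes visible, harmless text.
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False) if self._in_script else data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def bug_user_input(fragment: str) -> tuple[str, list[str]]:
    """Return the defanged fragment and the list of constructs that were bugged."""
    parser = BugItSu()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.bugged


def render_body_via_innerhtml(body_html: str) -> str:
    """The slide-19 trick: ship the generated body as a JS string literal and assign
    it to innerHTML.  Script elements inserted that way are not executed by the
    browser; '</' is escaped so the literal cannot close the wrapping <script>."""
    literal = json.dumps(body_html).replace("</", "<\\/")
    return ('<script type="text/javascript">'
            'document.getElementsByTagName("BODY")[0].innerHTML = ' + literal + ';'
            "</script>")


if __name__ == "__main__":
    # Constructed sample: the slide-18 fragment as it would come back from the DB.
    injected = ('name: <div id="fromDB" onMouseOver="h();">'
                "<script>alert('attacker injected it, could do anything');</script></div>")
    clean, found = bug_user_input(injected)
    print(clean)
    print("bugged:", found)
    print(render_body_via_innerhtml(clean))
```

Order matters: bug the input first, then emit it through the innerHTML wrapper; innerHTML on its own leaves onclick and javascript: live, which is exactly the point of slides 20-24. The rewriter covers only the three patterns the talk names; other script carriers (for instance iframe srcdoc or data: URLs) are outside its scope.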

Page 32

CURRENTLY JUST DEV PERSPECTIVE

Page 33

For Un-Privileged Actions

Page 34

Old Wine, Why Not Always Used

[Diagram: a Web-App User-Mapper sits between the application and the DB and maps each application role to a DB account holding only the rights it needs: Read on Table T1; Read, Write on Table t2; all Read, Write (*) for "boss".]

Page 35

"An Apple A Day Keeps The Doctor Away" becomes: A Hash An Input Keeps The Attacker Away

& For Condition Match
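The pun above, carried into code as an added example (editor's code, not the talk's): every input is hashed before it is used for a condition match, shown next to the deliberately vulnerable concatenated query it replaces and the bound-parameter query that is the general fix. The table, columns, account and credentials are constructed for the demo and are not from the slides.

```python
import hashlib
import sqlite3


def digest(value: str) -> str:
    """Hex SHA-256 of an input: 64 characters from [0-9a-f], so whatever the user
    typed, nothing that reaches the SQL text can open a quote or start a comment."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the talk): one account whose name and
    secret are stored as hashes so both can be matched on hashed input."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, name_hash TEXT, secret_hash TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?, ?)",
                ("alice", digest("alice"), digest("correct horse")))
    con.commit()
    return con


def login_concat(con: sqlite3.Connection, name: str, secret: str) -> bool:
    """The 'before': the raw name is spliced into the condition (deliberately
    vulnerable; a name of  alice' --  comments the password check away)."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND secret_hash = '{digest(secret)}'")
    return con.execute(sql).fetchone()[0] > 0


def login_hashed(con: sqlite3.Connection, name: str, secret: str) -> bool:
    """Slide 35: hash every input before it is used for a condition match.  The
    query is still built by concatenation, but only hex digits ever reach it."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name_hash = '{digest(name)}' "
           f"AND secret_hash = '{digest(secret)}'")
    return con.execute(sql).fetchone()[0] > 0


def login_param(con: sqlite3.Connection, name: str, secret: str) -> bool:
    """The general fix: bind parameters.  Unlike hashing, this also covers LIKE
    patterns, numeric ranges and any other condition that needs the real value."""
    row = con.execute("SELECT COUNT(*) FROM users WHERE name = ? AND secret_hash = ?",
                      (name, digest(secret))).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    attacker = "alice' --"
    print("concat:", login_concat(db, attacker, "wrong"))    # bypassed
    print("hashed:", login_hashed(db, attacker, "wrong"))    # rejected
    print("param :", login_param(db, attacker, "wrong"))     # rejected
    print("legit :", login_hashed(db, "alice", "correct horse"))
```

The hashed form only works where the condition is an equality test on an opaque value (a login name, a token); anything that has to compare the real value needs bound parameters. A plain SHA-256 is also too fast for storing passwords; keep the hash-for-condition-match trick for the match and store credentials with a slow, salted hash.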