OWASP demo

Common Exploits, Aaron Cure, Cypress Data Defense

Posted on 06-Nov-2015


SQL Injection

What is it?

The inclusion of portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker).

SQL Injection Tools

How do we attack it?

sqlmap
http://sqlmap.org
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

BSQL Hacker
http://labs.portcullis.co.uk/application/bsql-hacker/
BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

SQL Injection Demo

    sqlmap.py -u http://localhost:55612/Product.aspx?id=3

    sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=3 AND 1640=1640

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=3 AND (SELECT 1157 FROM(SELECT COUNT(*),CONCAT(0x3a796c6a3a,(SELECT (CASE WHEN (1157=1157) THEN 1 ELSE 0 END)),0x3a7a76743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: id=3 UNION ALL SELECT NULL,CONCAT(0x3a796c6a3a,0x6f6a6c61786d494f6a74,0x3a7a76743a),NULL
    ---
    web server operating system: Windows 2012
    web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0
    back-end DBMS: MySQL 5.0

SQL Injection Mitigation

How do we prevent it?

Don't concatenate untrusted data.
Use parameterized queries.
Use a framework (nHibernate, Entity Framework, etc.).
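The following is an added example, not code from the slides or from the demo application: it reproduces the boolean-based blind signal sqlmap reported (a true/false probe pair returning different results) against a concatenated query, and shows that the same probe pair yields no signal once the id is passed as a bound parameter. It substitutes an in-memory SQLite table for the demo's MySQL backend, and the table contents are constructed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the demo's Product table (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Product VALUES (?, ?)",
                     [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")])
    return conn


def product_concat(conn, raw_id):
    """Vulnerable: the id query-string value is spliced into the SQL text."""
    sql = "SELECT name FROM Product WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def product_param(conn, raw_id):
    """Hardened: the id travels as a bound parameter, never as SQL text."""
    sql = "SELECT name FROM Product WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def blind_signal(query, conn):
    """True when the true/false probe pair from the sqlmap output above
    produces different results, i.e. the boolean-based blind detection
    signal a scanner (or a defender replaying it) would observe."""
    true_probe = query(conn, "3 AND 1640=1640")
    false_probe = query(conn, "3 AND 1640=1641")
    return true_probe != false_probe
```

With parameterization the whole probe string is compared against the integer column as a value, so both probes return no rows and the signal disappears.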

Session Hijacking

What is it?

Occurs when authentication tokens are stolen from an authenticated user. This vulnerability commonly occurs when session tokens are sent in cleartext between a web server and a client's browser. Other examples include tokens being stolen via cross-site scripting and man-in-the-middle attacks. Allows an attacker to assume the identity of another user and gain unauthorized access to applications and functionality.

Session Hijacking Tools

How do we attack it?

Firesheep
Intercepts browser cookies used by many sites, including Facebook and Twitter, to identify users and allows anyone running the program to log in as the legitimate user and do anything that user can do on a particular website.
Cross Site Scripting (XSS)
Hamster/Ferret
Man in the Middle (MITM)

Session Hijacking Demo

HTTP header injection of a hijacked cookie:
Grab the existing cookie value (XSS, MITM, etc.).
Create a new request, adding the captured value in the header.

Session Hijacking Mitigation

How do we prevent it?

Use SSL.
Set HttpOnly and Secure on all cookies.
No http links (secure only).
Set the HTTP Strict-Transport-Security (HSTS) header.
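An added example (not from the slides) of checking the mitigations above on a response: it audits every Set-Cookie header for the HttpOnly and Secure attributes and checks that a Strict-Transport-Security header with a positive max-age is present. The two sample header sets are constructed; the cookie name mirrors the ASP.NET session cookie only because the demo runs on ASP.NET.

```python
# Constructed samples: the first is how a hijackable app sends its session
# cookie, the second is the same response after applying the slide's fixes.
WEAK_RESPONSE = [
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
]
HARDENED_RESPONSE = [
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def cookie_findings(set_cookie):
    """Return (cookie name, list of missing attributes) for one Set-Cookie value."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
    return name, missing


def hsts_max_age(value):
    """max-age in seconds from an HSTS header value; 0 when absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit(headers):
    """Collect findings across a response: cookie flags and HSTS presence/strength."""
    findings = []
    has_hsts = False
    for field, value in headers:
        if field.lower() == "set-cookie":
            name, missing = cookie_findings(value)
            findings.extend(f"cookie {name} lacks {flag}" for flag in missing)
        elif field.lower() == "strict-transport-security":
            has_hsts = True
            if hsts_max_age(value) <= 0:
                findings.append("Strict-Transport-Security max-age is zero")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings
```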

Cross Site Request Forgery (CSRF)

What is it?

While a user is authenticated to the target website (e.g. a banking website), the user visits another website (the injection website) that is under the control of an attacker, or a site (including the target site) that contains a vulnerability that the attacker can exploit.

CSRF Tools

How can we attack it?

Pinata.py
http://code.google.com/p/pinata-csrf-tool/
Assists with the explanation of Cross Site Request Forgery and how a vulnerable application can be exploited.
CSRF Tool
http://homakov.github.io/

CSRF Demo

http://www.youtube.com/watch?v=uycmHQM_h64

CSRF Mitigation

How can we prevent it?

Use a random token on every POST.
The server side must check it before processing the request.
If any POST endpoint lacks it, something is clearly wrong.

Session Fixation

Permits an attacker to hijack a valid user session. When authenticating a user, the web application doesn't assign a new session ID, making it possible to use an existing session ID.
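An added example (not from the slides or any framework) covering both the CSRF mitigation above and the session fixation problem just described: a minimal in-memory session store that issues a random per-session CSRF token, checks it server-side with a constant-time compare, and discards the pre-login session ID at login so a fixated ID never becomes an authenticated one. The class and its method names are assumptions made for illustration.

```python
import hmac
import secrets


class SessionStore:
    """Hypothetical server-side session store (assumption: one process, in memory)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def new_session(self):
        """Fresh unpredictable session id and a fresh random CSRF token."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, old_sid, user):
        """Session fixation defence: drop the pre-login id, issue a new one,
        and only then attach the authenticated user to it."""
        self._sessions.pop(old_sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        """Invalidate server-side state so the cookie value is useless afterwards."""
        self._sessions.pop(sid, None)

    def user(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def csrf_token(self, sid):
        """Token to embed in every form/POST for this session."""
        return self._sessions[sid]["csrf"]

    def check_csrf(self, sid, submitted):
        """The server-side check a POST handler runs before doing any work."""
        session = self._sessions.get(sid)
        if session is None or submitted is None:
            return False
        return hmac.compare_digest(session["csrf"], submitted)
```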

Session Fixation Tools

How do we attack it?

XSS
MITM
BlackSheep
FireSheep

Session Fixation Demo

Perform a GET of the site.
Log in.
Ensure that the Session ID changes.

Session Fixation Mitigation

How do we prevent it?

Clear the session on login/logout.
Generate a new session ID on login/logout.
Remove the session cookie on logout.
Log the user out.

Cross-Site Scripting (XSS)

What is it?

Cross-Site Scripting attacks occur when malicious scripts are injected into otherwise benign and trusted web sites. An attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

XSS Tools

How can we attack it?

XSSer
http://xsser.sourceforge.net/
Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
XSS Me (Firefox)
XSS-Proxy
http://xss-proxy.sourceforge.net/
XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool. The documents, tools and other content on this site assume you have a basic understanding of XSS issues and existing exploitation methods. If you are not familiar with XSS, then I recommend you check out the primer links/docs below to get a better idea of what XSS is and how to detect it, fix it, and exploit it.

XSS Demo

http://homakov.github.io/stealpass.html
javascript:alert(pass.value)

XSS Mitigation

How do we prevent it?

Validate the user input.
Remove or encode special characters.
Encode it before it is displayed.
Use an Anti-XSS library.

Questions?
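An added example (not from the slides) of the "encode before it is displayed" mitigation, using only the Python standard library: untrusted text is HTML-encoded for element and attribute context, and, because encoding alone does not neutralize a javascript: URL like the one in the demo above, an href goes through a scheme allow-list as well. The render_profile function and the example inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Assumption: only web links are acceptable in user-supplied hrefs; relative
# URLs are rejected too (fail closed) since the scheme cannot be checked.
ALLOWED_SCHEMES = {"http", "https"}


def encode_for_html(untrusted):
    """Element-body and attribute-value context: escape & < > " ' at output time."""
    return html.escape(untrusted, quote=True)


def safe_href(untrusted_url):
    """URL context: javascript:alert(pass.value) survives HTML encoding
    untouched, so the scheme must be allow-listed before encoding."""
    url = untrusted_url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return encode_for_html(url)


def render_profile(display_name, homepage):
    """Hypothetical view that puts untrusted values into two different contexts."""
    return (f'<p class="name">{encode_for_html(display_name)}</p>'
            f'<a href="{safe_href(homepage)}">homepage</a>')
```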