
Web Security in a few lines

Insufficient Transport Layer Protection
  • Authenticating over non-SSL.
    • Obviously bad
  • Sending session IDs over non-SSL
    • Session hijacking
    • Firesheep
  • Not sending everything over SSL
    • JavaScript injection
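As an added example (not part of the original post), here is the defender's side of the "session IDs over non-SSL" point in Python: the session cookie is issued with the Secure and HttpOnly attributes, an HSTS header tells the browser to stop using plaintext HTTP at all, and a small audit function reports which of those protections a Set-Cookie value is missing. The header names are standard; the cookie name `sid` and the one-year HSTS max-age are assumptions.

```python
from http.cookies import SimpleCookie
import secrets


def session_cookie_headers(session_id: str) -> list:
    """Response headers that keep a session ID off plaintext HTTP.

    Secure   -> the browser never sends the cookie over non-SSL, so a
                sniffer on an open Wi-Fi (Firesheep) never sees it.
    HttpOnly -> injected JavaScript cannot read it via document.cookie.
    HSTS     -> the browser upgrades future requests to HTTPS itself,
                closing the "not sending everything over SSL" gap.
    """
    c = SimpleCookie()
    c["sid"] = session_id          # cookie name "sid" is an assumption
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return [
        ("Set-Cookie", c["sid"].OutputString()),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ]


def audit_set_cookie(header_value: str) -> list:
    """Defender's check: name the protections missing from one Set-Cookie value."""
    # Everything after the first "name=value" pair is an attribute.
    attrs = {part.strip().split("=")[0].lower()
             for part in header_value.split(";")[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    # Constructed session ID; a real one comes from the server's session store.
    for name, value in session_cookie_headers(secrets.token_urlsafe(32)):
        print(f"{name}: {value}")
    print("missing from 'sid=abc; Path=/':", audit_set_cookie("sid=abc; Path=/"))
```

The audit function is the part worth keeping: run it over the Set-Cookie headers a staging server actually emits, because frameworks often default to an insecure cookie until told otherwise.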

Insecure Cryptographic Storage
  • Obviously bad 
    • Storing passwords in plaintext. 
  • Still bad 
    • Using unsalted hashes.
    • Using raw hash function (MD5,SHA1,etc).
  • Better but not great 
    • Using a keyed hash function (HMAC-SHA1).
  • Best
    • Using a slow function (PBKDF2,bcrypt,scrypt).
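The four tiers above, written out as an added Python example (this is not the post's code). Each tier is a storage function, and the "best" tier also gets a verifier, because the point of a salted slow KDF is only realised if verification recomputes the same KDF and compares in constant time. The record format `pbkdf2_sha256$iterations$salt$hash` and the 600,000-iteration default are this example's own choices, not a standard.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration.
PASSWORD = "correct horse battery staple"


def store_plaintext(password: str) -> str:
    """'Obviously bad': the stored record is the password itself."""
    return password


def store_unsalted_md5(password: str) -> str:
    """'Still bad': a raw, fast, unsalted hash. Every user with the same
    password gets the same record, and one precomputed table cracks them all."""
    return hashlib.md5(password.encode()).hexdigest()


def store_hmac_sha1(password: str, server_key: bytes) -> str:
    """'Better but not great': a keyed hash. Offline cracking needs the key,
    but if the key leaks with the database the function is still fast."""
    return hmac.new(server_key, password.encode(), hashlib.sha1).hexdigest()


def store_pbkdf2(password: str, iterations: int = 600_000) -> str:
    """'Best' tier: a slow, salted KDF. A fresh random salt per password
    means identical passwords produce different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count, then
    compare in constant time so timing reveals nothing about the stored hash."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    print("plaintext :", store_plaintext(PASSWORD))
    print("md5       :", store_unsalted_md5(PASSWORD))
    print("hmac-sha1 :", store_hmac_sha1(PASSWORD, os.urandom(32)))
    rec = store_pbkdf2(PASSWORD)
    print("pbkdf2    :", rec)
    print("verify ok :", verify_pbkdf2(PASSWORD, rec))
```

Storing the iteration count inside the record is what lets you raise the work factor later and re-hash each user on their next successful login, rather than forcing a global reset.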
Cross-Site Request Forgery
  • Confused deputy problem.
  • Classic example
    • Filelocker doesn't have any CSRF protection.
    • Joe is a Filelocker admin.
    • I get Joe to visit a specially crafted form.
    • Joe's browser submits the form along with his cookies.
    • Now I have admin.

    <form method="POST" action="[path to filelocker]/admin_interface/grant_user_permission?format=json">
    <input type="hidden" name="userId" value="tester" />
    <input type="hidden" name="permissionId" value="admin" />
    </form>
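An added Python example (not Filelocker's code) of the synchronizer-token defence that the form above would run into. The server derives a per-session CSRF token, embeds it in its own pages, and refuses any state-changing POST that does not carry it. Joe's browser still attaches his cookie to the attacker's form, but the attacker's page cannot read that cookie and so cannot compute the token. The session store, the server secret and the endpoint's response strings are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state: a secret for token derivation and a session
# store mapping cookie value -> logged-in user.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"joe-session-cookie": {"user": "joe", "admin": True}}


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session. The attacker's cross-site page never sees
    Joe's cookie value (the browser sends it, it does not expose it), so it
    cannot derive this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_grant_permission(session_id: str, form: dict) -> str:
    """Simulated handler for admin_interface/grant_user_permission.

    A valid admin session is necessary but not sufficient: the POST body
    must also carry the token that only a same-origin page could have read.
    """
    session = SESSIONS.get(session_id)
    if not session or not session["admin"]:
        return "403 not an admin session"
    supplied = form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "403 missing or invalid CSRF token"
    return f"200 granted {form['permissionId']} to {form['userId']}"


JOE_SESSION = "joe-session-cookie"

# Joe's own admin page embeds the token in the form it renders.
LEGIT_FORM = {"userId": "tester", "permissionId": "admin",
              "csrf_token": csrf_token_for(JOE_SESSION)}

# The attacker's form from the post: Joe's cookie rides along, the token does not.
FORGED_FORM = {"userId": "tester", "permissionId": "admin"}


if __name__ == "__main__":
    print("legit  :", handle_grant_permission(JOE_SESSION, LEGIT_FORM))
    print("forged :", handle_grant_permission(JOE_SESSION, FORGED_FORM))
```

The same check belongs on every endpoint that changes state, including the `?format=json` ones, since a JSON-returning endpoint is just as reachable from a cross-site HTML form.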
Cross-Site Scripting (XSS)
Can I inject JavaScript into your site?
  • Steal cookies, like session IDs.
  • Redirect the user.
  • Abuse their permissions.
  • Users have out-of-date software
    • Adobe Reader? Load a PDF virus.
    • Java? Load an applet virus.
    • Media codecs? Load an MP3 virus.
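The answer to "Can I inject JavaScript into your site?" is decided at output time, so here is an added Python example (not from the post) of the vulnerable and hardened rendering side by side. The text-node case is handled by `html.escape`; the attribute case shows why escaping alone is not enough for `href`, where a `javascript:` URL needs no angle brackets at all, so an allowlist of schemes is applied as well. The page templates and the test payload are constructed for the demonstration.

```python
import html

# Constructed probe of the kind the post describes: it would run in the
# victim's browser and read the session cookie.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_greeting(name: str) -> str:
    """Vulnerable: user input spliced straight into HTML (reflected XSS)."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: contextual output encoding for an HTML text node.
    '<', '>', '&' and quotes become entities, so the browser shows the
    payload as text instead of executing it."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def is_safe_href(url: str) -> bool:
    """Allowlist for link targets: same-site paths and http(s) only.
    Denying javascript:, data:, vbscript: and friends by name is the wrong
    way round; unknown schemes must fail closed."""
    u = url.strip()
    if u.startswith("/") and not u.startswith("//"):
        return True
    return u.lower().startswith(("http://", "https://"))


def render_link_safe(url: str, label: str) -> str:
    """Attribute context: scheme allowlist first, then attribute escaping.
    Escaping stops breaking out of the quoted attribute; the allowlist stops
    a javascript: URL that never needed to break out."""
    if not is_safe_href(url):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    print("vulnerable:", render_greeting(PAYLOAD))
    print("hardened  :", render_greeting_safe(PAYLOAD))
    print("link      :", render_link_safe("javascript:alert(1)", "click me"))
```

Output encoding is context-specific: the same value needs different treatment inside a text node, an attribute, a URL, or a `<script>` block, which is why a single "sanitise on input" step does not close the hole.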
Injection
  • Shell injection
    • system("$clamscan_exec $file")
  • File injection
    • http://example.com/index.php?page=blah
  • SQL injection
    • SELECT * FROM accounts WHERE custID='#{id}'
    • id "' or '1'='1"
  • JSON injection
    • Recent popularity of NoSQL DBs.
  • LDAP injection.
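The shell and SQL cases above share one root cause, data being concatenated into a command that a parser then interprets, and one fix, handing the data to the parser separately. This added Python example (not the post's code) shows both: the `system("$clamscan_exec $file")` pattern next to an argv-list invocation that never goes through a shell, and the `custID='#{id}'` query next to a parameterised one, run against an in-memory SQLite table with the post's `' or '1'='1` payload. The table contents and the filename are constructed; the scanner path is assumed.

```python
import os
import shlex
import sqlite3
import subprocess


# ---- Shell injection --------------------------------------------------------

def scan_command_vulnerable(clamscan_exec: str, path: str) -> str:
    """Mirrors system("$clamscan_exec $file"): the filename is pasted into a
    command line that a shell will tokenise, so ';', '|', '$(' in a filename
    become commands."""
    return f"{clamscan_exec} {path}"


def shell_tokens(command_line: str) -> list:
    """How a POSIX shell would split the line (shlex with punctuation_chars
    reports ';' as its own token). Used here only to show the damage."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def scan_argv(clamscan_exec: str, path: str) -> list:
    """Hardened: an argv list. No shell is involved, so the filename is exactly
    one argument whatever it contains. abspath() also stops a name beginning
    with '-' from being read as an option."""
    return [clamscan_exec, os.path.abspath(path)]


def run_scan(clamscan_exec: str, path: str) -> subprocess.CompletedProcess:
    """Execute the scanner without shell=True (assumes clamscan_exec exists)."""
    return subprocess.run(scan_argv(clamscan_exec, path),
                          check=False, capture_output=True)


# ---- SQL injection ----------------------------------------------------------

def demo_db() -> sqlite3.Connection:
    """Constructed accounts table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("c1", "alice"), ("c2", "bob")])
    return conn


def find_account_vulnerable(conn: sqlite3.Connection, cust_id: str) -> list:
    """The post's pattern: the ID is interpolated into the SQL text."""
    query = f"SELECT * FROM accounts WHERE custID='{cust_id}'"
    return conn.execute(query).fetchall()


def find_account_safe(conn: sqlite3.Connection, cust_id: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    statement, so quote characters in it are data, never syntax."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


if __name__ == "__main__":
    hostile_name = "upload.pdf; touch /tmp/injected"    # constructed filename
    print("shell sees:", shell_tokens(scan_command_vulnerable("clamscan", hostile_name)))
    print("argv sees :", scan_argv("clamscan", hostile_name))

    conn = demo_db()
    payload = "' or '1'='1"                               # the post's payload
    print("vulnerable:", find_account_vulnerable(conn, payload))
    print("safe      :", find_account_safe(conn, payload))
```

Notice that the parameterised query returns no rows for the payload rather than an error: the value is simply an ID that no account has. The file-inclusion and LDAP cases follow the same shape, with an allowlist of page names or an LDAP-specific escaping routine standing in for the parameter binding.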


Sandcat is multi-process remote web application security scanner. It maps the entire web site structure ( all links , forms , XHR requests and other entry points) and tries to find custom,unique vulnerabilities by simulating a wide range of attacks/sending thousands of requests (mostly GET and POST).  It also tests for SQL Inection, XSS, File inclusion and many other web application vulnerability classes.  Sandcat's code scanning functionality automates the process of reviewing the web application's code .  Source : CEH Lectures ...