The Cookie Monster (and other web security exploits)

Chris Cooper
November 01, 2012


A demonstration of how some common web application attacks are carried out, designed to help developers keep their apps secure, and enable end-users to spot potential attackers.

The original screencasts have been substituted with stills.

Presented at Create on the 1st Nov 2012 at the Fruitworks, Canterbury, UK.
http://fruitworks.co/create/november2012/

Also presented at Barcamp Canterbury on the 27th Apr 2013.
http://barcampcanterbury.com/


Transcript

  1. the COOKIE MONSTER (and other web security exploits)

  2. @itscooperful

  3. ethical hacking penetration testing

  4. end users and developers know about prevention and defence, but knowing why we do these things provides reinforcement
  5. miss piggy’s pc

  6. the vulnerable app

  7. the vulnerable app

  8. the vulnerable app

  9. the cookie monster’s pc

  10. cookies? om-nom-nom-nom

  11. session cookies muppetdb.com ?

  12. session cookies muppetdb.com phpsessid= abc001

  13. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002

  14. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002

  15. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002 phpsessid= abc001

  16. cross-site scripting

  17. the muppet database go http://muppetdb.com/?message=hello message: hello go

  18. the muppet database go http://muppetdb.com/?message=xss message: xss go the muppet database
  19. message: the muppet database go go the muppet database x OK xss ?message=<script>alert('xss')</script>
  20. ?message=<script>... cross-site scripting muppetdb.com

  21. ?message=<script>... x OK xss cross-site scripting muppetdb.com

  22. cross-site scripting muppetdb.com

  23. cross-site scripting email muppetdb.com

  24. cross-site scripting email ?message=<script>... muppetdb.com

  25. cross-site scripting email ?message=<script>... x OK xss muppetdb.com

  26. identifying cross-site scripting

  27. identifying cross-site scripting

  28. identifying cross-site scripting

  29. identifying cross-site scripting

  30. identifying cross-site scripting

  31. sending a phishing email

  32. waiting for miss piggy to follow the link...

  33. miss piggy receives the email...

  34. ...and is enticed to follow the link

  35. sending the session cookie to the attacker

  36. the cookie monster copies the session token...

  37. ...hijacking miss piggy’s session

  38. end users: dodgy links
    - trusted domains
    - browse to sites directly
    - be aware of social engineering
    developers:
    - validate input
    - sanitise input
    - sanitise output
    - check untrusted data in js, css, json, urls, db (EVERYWHERE)
    - httponly
    - when in doubt, OWASP
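An added example, not code from the slides or the talk's app, of the developer-side points on this slide in Python rather than the PHP behind muppetdb.com: the `?message=` parameter reflected into the page unencoded (the bug used on slides 17 to 25) beside an HTML-encoded version, a reflection check a developer can keep in a unit test, and a PHPSESSID cookie issued with HttpOnly so script in the page cannot read it. The URL, the page template, the helper names and the session id are constructed for the demonstration.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request from slide 19, with the payload in ?message=
SAMPLE_URL = "http://muppetdb.com/?message=<script>alert('xss')</script>"

# Constructed stand-in for the "muppet database" page the slides show
TEMPLATE = "<h1>the muppet database</h1><p>message: {message}</p>"


def message_from_url(url):
    """Pull the message parameter out of the query string (empty if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("message", [""])[0]


def render_unsafe(message):
    """The vulnerable pattern: untrusted query-string text pasted straight into HTML."""
    return TEMPLATE.format(message=message)


def render_safe(message):
    """Sanitised output: encode for the HTML context before interpolating.
    quote=True also encodes ' and ", which matters inside attributes."""
    return TEMPLATE.format(message=html.escape(message, quote=True))


def is_reflected_unencoded(param, body):
    """Test-time check: True when a parameter that needed encoding comes back verbatim."""
    return html.escape(param, quote=True) != param and param in body


def session_cookie(session_id, secure=True):
    """Hypothetical helper: Set-Cookie header for the session id with HttpOnly
    (and Secure + SameSite=Lax), so a script injected into the page cannot
    read it through document.cookie and mail it to the cookie monster."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["path"] = "/"
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["samesite"] = "Lax"
    if secure:
        jar["PHPSESSID"]["secure"] = True
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    msg = message_from_url(SAMPLE_URL)
    print("unsafe :", render_unsafe(msg))
    print("safe   :", render_safe(msg))
    print("leaks  :", is_reflected_unencoded(msg, render_unsafe(msg)))
    print(session_cookie("abc001"))
```

HttpOnly does not stop the injection itself; it only removes the session cookie from what injected script can reach, which is why the slide lists it after validating input and encoding output rather than instead of them.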
  39. SQL injection

  40. go SELECT * FROM data WHERE uid = '$uid' ORDER BY name http://muppetdb.com/?uid=fozzie

  41. go SELECT * FROM data WHERE uid = 'fozzie' ORDER BY name http://muppetdb.com/?uid=fozzie go

  42. go SELECT * FROM data WHERE uid = 'fozzie'' ORDER BY name http://muppetdb.com/?uid=fozzie' go mysql syntax error!

  43. go go SELECT * FROM data WHERE uid = 'fozzie' OR 1=1#' ORDER BY name http://muppetdb.com/?uid=fozzie' OR 1=1#
  44. identifying sql injection

  45. injecting a single quote

  46. viewing the raw http request...

  47. ...and response

  48. sql injection to retrieve table values

  49. getting the database version

  50. getting the database version

  51. getting kermit’s password hash

  52. getting kermit’s password hash

  53. viewing the same response in the browser

  54. end users: passwords
    - random (memorable = easy to crack)
    - long (9+ for users, 15+ for admins)
    - complex
    - unique
    developers:
    - prepared statements
    - or stored procedures
    - or validate and sanitise input
    - least privilege db user
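An added example (not the talk's code) of the query from slides 40 to 43 and the prepared-statement fix from this slide, written in Python against an in-memory SQLite table instead of the talk's PHP and MySQL. SQLite comments start with `--` rather than MySQL's `#`, so the slide 43 input appears here as `fozzie' OR 1=1--`. The table, its rows, the stored hashes and the function names are constructed for the demonstration.

```python
import hashlib
import sqlite3

# Constructed rows standing in for the talk's muppetdb "data" table; the
# unsalted md5 column mirrors what the slides show, not a recommendation.
ROWS = [
    ("kermit", "Kermit the Frog", hashlib.md5(b"password").hexdigest()),
    ("fozzie", "Fozzie Bear", hashlib.md5(b"wocka-wocka").hexdigest()),
    ("piggy", "Miss Piggy", hashlib.md5(b"moi").hexdigest()),
]


def make_db():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (uid TEXT PRIMARY KEY, name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, uid):
    """The slide 40 pattern: the ?uid= value is pasted into the SQL text."""
    sql = f"SELECT uid, name FROM data WHERE uid = '{uid}' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, uid):
    """Prepared statement: the value is bound separately from the SQL text,
    so a quote in it is just a character and can never change the query."""
    sql = "SELECT uid, name FROM data WHERE uid = ? ORDER BY name"
    return conn.execute(sql, (uid,)).fetchall()


def probe(conn, uid):
    """Slide 45's single-quote test as a developer would run it in a test suite:
    ('error', message) means the input reached the parser, i.e. injectable."""
    try:
        return ("ok", lookup_vulnerable(conn, uid))
    except sqlite3.Error as err:
        return ("error", str(err))


if __name__ == "__main__":
    db = make_db()
    print("normal      :", lookup_vulnerable(db, "fozzie"))
    print("single quote:", probe(db, "fozzie'"))
    print("or 1=1      :", lookup_vulnerable(db, "fozzie' OR 1=1--"))
    print("prepared    :", lookup_prepared(db, "fozzie' OR 1=1--"))
```

The stray quote turns into a database error (slide 42's "mysql syntax error!"), `OR 1=1--` returns every row because the condition is always true and the rest of the statement is commented away, and the bound parameter returns nothing because no uid literally equals that string. The slide's last point, a least-privilege database user, has no SQLite equivalent here; on MySQL it means the web app's account can run the SELECT it needs and nothing that would expose the version or other users' hashes.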
  55. let’s crack some passwords! the grand finale...

  56. cryptographic hash password 5f4dcc3b5aa765d61d8327deb882cf99

  57. password hashes

  58. dictionary attack

  59. dictionary attack

  60. dictionary attack

  61. dictionary attack

  62. testing a cracked password

  63. testing a cracked password

  64. testing a cracked password

  65. just when you think this show is terrible, something wonderful happens. what? it ends.

  66. @itscooperful attribution: http://chunkysmurf.deviantart.com/ http://nygraffit1.deviantart.com/ Font: Fredoka One (Google Web Fonts)