Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Cookie Monster (and other web security exploits)

Chris Cooper
November 01, 2012
Technology
2
320

The Cookie Monster (and other web security exploits)

A demonstration of how some common web application attacks are carried out, designed to help developers keep their apps secure, and enable end-users to spot potential attackers.

The original screencasts have been substituted with stills.

Presented at Create on the 1st Nov 2012 at the Fruitworks, Canterbury, UK.
http://fruitworks.co/create/november2012/

Also presented at Barcamp Canterbury on the 27th Apr 2013.
http://barcampcanterbury.com/

Chris Cooper

November 01, 2012
Tweet

More Decks by Chris Cooper

See All by Chris Cooper
The Digital Hostage: Ransomware in the Workplace
itscooper
0
100
People Security and Social Engineering
itscooper
0
110
Keeping Your Data Secure: A Guide for Human Beings
itscooper
0
180
E-Safety: How technology can protect us from technology
itscooper
0
310
Social Engineering: How to Rob a Bank with a Phone
itscooper
0
190
Hacking the Box (Joseph Sheridan)
itscooper
1
270
Breaking Stuff: What Ethical Hacking Has Taught Me
itscooper
1
140

Other Decks in Technology

See All in Technology
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
600
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
520
MapLibreとAmazon Location Service
dayjournal
1
150
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
190
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
0
130
本当のAWS基礎
toru_kubota
0
520
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
390
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
360
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
1
230
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
3
110
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
560

Featured

See All Featured
Statistics for Hackers
jakevdp
789
220k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Rails Girls Zürich Keynote
gr2m
91
13k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Ruby is Unlike a Banana
tanoku
96
10k
Code Review Best Practice
trishagee
55
15k
Thoughts on Productivity
jonyablonski
58
3.8k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
What's new in Ruby 2.0
geeforr
337
31k

Transcript

  1. MONSTER COOKIE the (and other web security exploits)

  2. @itscooperful

  3. ethical hacking penetration testing

  4. end users and developers know about prevention and defence but

    knowing why we do these things provides reinforcement

  5. miss piggy’s pc

  6. the vulnerable app

  7. the vulnerable app

  8. the vulnerable app

  9. the cookie monster’s pc

  10. cookies? om-nom-nom-nom

  11. session cookies muppetdb.com ?

  12. session cookies muppetdb.com phpsessid= abc001

  13. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002

  14. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002

  15. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002 phpsessid= abc001

  16. cross-site scripting

  17. the muppet database go http://muppetdb.com/?message=hello message: he!o go

  18. the muppet database go http://muppetdb.com/?message=xss message: xss go the muppet

    database

  19. message: the muppet database go go the muppet database x

    OK xss ?message=<script>alert(‘xss’)</script>

  20. ?message=<script>... cross-site scripting muppetdb.com

  21. ?message=<script>... x OK xss cross-site scripting muppetdb.com

  22. cross-site scripting muppetdb.com

  23. cross-site scripting email muppetdb.com

  24. cross-site scripting email ?message=<script>... muppetdb.com

  25. cross-site scripting email ?message=<script>... x OK xss muppetdb.com

  26. identifying cross-site scripting

  27. identifying cross-site scripting

  28. identifying cross-site scripting

  29. identifying cross-site scripting

  30. identifying cross-site scripting

  31. sending a phishing email

  32. waiting for miss piggy to fo!ow the link...

  33. miss piggy receives the email...

  34. ...and is enticed to fo!ow the link

  35. sending the session cookie to the a"acker

  36. the cookie monster copies the session token...

  37. ...hijacking miss piggy’s session

  38. end users dodgy links: - trusted domains - browse to

    sites directly - be aware of social engineering developers - validate input - sanitise input - sanitise output - check untrusted data in js, css, json, urls, db (EVERYWHERE) - h"ponly - when in doubt, OWASP

  39. SQL injection

  40. go SELECT * FROM data WHERE uid = ‘$uid’ ORDER

    BY name http://muppetdb.com/?uid=fozzie

  41. go SELECT * FROM data WHERE uid = ‘fozzie’ ORDER

    BY name http://muppetdb.com/?uid=fozzie go

  42. go SELECT * FROM data WHERE uid = ‘fozzie’’ ORDER

    BY name http://muppetdb.com/?uid=fozzie’ go mysql syntax error!

  43. go go SELECT * FROM data WHERE uid = ‘fozzie’

    OR 1=1#’ ORDER BY name ://muppetdb.com/?uid=fozzie’ OR 1=1#

  44. identifying sql injection

  45. injecting a single quote

  46. viewing the raw h"p request...

  47. ...and response

  48. sql injection to retrieve table values

  49. ge"ing the database version

  50. ge"ing the database version

  51. ge"ing kermit’s password hash

  52. ge"ing kermit’s password hash

  53. viewing the same response in the browser

  54. end users passwords: - random (memorable = easy to crack)

    - long (9+ for users, 15+ for admins) - complex - unique developers - prepared statements - or stored procedures - or validate and sanitise input - least privilege db user

  55. let’s crack some passwords! the grand finale...

  56. cryptographic hash password 5f4dcc3b5aa765d61d8327deb882cf99

  57. password hashes

  58. dictionary a"ack

  59. dictionary a"ack

  60. dictionary a"ack

  61. dictionary a"ack

  62. testing a cracked password

  63. testing a cracked password

  64. testing a cracked password

  65. just when you think this show is terrible something wonderful

    happens. { } what? {it ends.

  66. @itscooperful a"ribution: h"p://chunkysmurf.deviantart.com/ h"p://nygraffit1.deviantart.com/ Font: Fredoka One (Google Web Fonts)