The Cookie Monster (and other web security exploits)

MONSTER
COOKIE
the
(and other web security exploits)

View Slide

@itscooperful

View Slide

ethical hacking
penetration testing

View Slide

end users and developers
know about prevention and
defence
but knowing why we do
these things provides
reinforcement

View Slide

miss piggy’s pc

View Slide

the vulnerable app

View Slide

the cookie monster’s pc

View Slide

cookies?
om-nom-nom-nom

View Slide

session cookies
muppetdb.com
?

View Slide

session cookies
muppetdb.com
phpsessid=
abc001

View Slide

session cookies
muppetdb.com
phpsessid=
abc001
phpsessid=
abc002

View Slide

session cookies
muppetdb.com
phpsessid=
abc001
phpsessid=
abc002
phpsessid=
abc001

View Slide

cross-site
scripting

View Slide

the
muppet
database
go
http://muppetdb.com/?message=hello
message: he!o
go

View Slide

the
muppet
database
go
http://muppetdb.com/?message=xss
message: xss
go
the
muppet
database

View Slide

message:
the
muppet
database
go
go
the
muppet
database
x
OK
xss
?message=alert(‘xss’)

View Slide

?message=... cross-site scripting muppetdb.com 

View Slide

?message=... x OK xss cross-site scripting muppetdb.com 

View Slide

cross-site scripting
muppetdb.com

View Slide

email
muppetdb.com

View Slide

email
?message=... muppetdb.com 

View Slide

email
?message=... x OK xss muppetdb.com 

View Slide

identifying cross-site scripting

View Slide

sending a phishing email

View Slide

waiting for miss piggy to fo!ow the link...

View Slide

miss piggy receives the email...

View Slide

...and is enticed to fo!ow the link

View Slide

sending the session cookie to the a"acker

View Slide

the cookie monster copies the session token...

View Slide

...hijacking miss piggy’s session

View Slide

end users
dodgy links:
- trusted domains
- browse to sites
directly
- be aware of
social
engineering
developers
- validate input
- sanitise input
- sanitise output
- check untrusted
data in js, css,
json, urls, db
(EVERYWHERE)
- h"ponly
- when in doubt,
OWASP

View Slide

SQL
injection

View Slide

go
SELECT * FROM data
WHERE uid = ‘$uid’
ORDER BY name
http://muppetdb.com/?uid=fozzie

View Slide

go
SELECT * FROM data
WHERE uid = ‘fozzie’
ORDER BY name
http://muppetdb.com/?uid=fozzie go

View Slide

go
SELECT * FROM data
WHERE uid = ‘fozzie’’
ORDER BY name
http://muppetdb.com/?uid=fozzie’ go
mysql syntax error!

View Slide

go
go
SELECT * FROM data
WHERE uid = ‘fozzie’ OR
1=1#’ ORDER BY name
://muppetdb.com/?uid=fozzie’ OR 1=1#

View Slide

identifying sql injection

View Slide

injecting a single quote

View Slide

viewing the raw h"p request...

View Slide

...and response

View Slide

sql injection to retrieve table values

View Slide

ge"ing the database version

View Slide

ge"ing kermit’s password hash

View Slide

viewing the same response in the browser

View Slide

end users
passwords:
- random
(memorable =
easy to crack)
- long (9+ for
users, 15+ for
admins)
- complex
- unique
developers
- prepared
statements
- or stored
procedures
- or validate and
sanitise input
- least privilege
db user

View Slide

let’s crack some
passwords!
the grand ﬁnale...

View Slide

cryptographic hash
password
5f4dcc3b5aa765d61d8327deb882cf99

View Slide

password hashes

View Slide

dictionary a"ack

View Slide

testing a cracked password

View Slide

just when you think this show is
terrible something wonderful happens.
{
}
what?
{it ends.

View Slide

@itscooperful
a"ribution:
h"p://chunkysmurf.deviantart.com/
h"p://nygraﬃt1.deviantart.com/
Font: Fredoka One (Google Web Fonts)

View Slide

The Cookie Monster (and other web security exploits)

The Cookie Monster (and other web security exploits)

Chris Cooper

More Decks by Chris Cooper

Other Decks in Technology

Featured

Transcript