Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Cookie Monster (and other web security expl...

Chris Cooper
November 01, 2012
Technology
3
360

The Cookie Monster (and other web security exploits)

A demonstration of how some common web application attacks are carried out, designed to help developers keep their apps secure, and enable end-users to spot potential attackers.

The original screencasts have been substituted with stills.

Presented at Create on the 1st Nov 2012 at the Fruitworks, Canterbury, UK.
http://fruitworks.co/create/november2012/

Also presented at Barcamp Canterbury on the 27th Apr 2013.
http://barcampcanterbury.com/

Chris Cooper

November 01, 2012
Tweet

More Decks by Chris Cooper

See All by Chris Cooper
The Digital Hostage: Ransomware in the Workplace
itscooper
0
110
People Security and Social Engineering
itscooper
0
120
Keeping Your Data Secure: A Guide for Human Beings
itscooper
0
190
E-Safety: How technology can protect us from technology
itscooper
0
310
Social Engineering: How to Rob a Bank with a Phone
itscooper
0
210
Hacking the Box (Joseph Sheridan)
itscooper
1
280
Breaking Stuff: What Ethical Hacking Has Taught Me
itscooper
1
150

Other Decks in Technology

See All in Technology
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
180
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
いざ、BSC討伐の旅
nikinusu
2
780
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
500
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
【若手エンジニア応援LT会】ソフトウェアを学んできた私がインフラエンジニアを目指した理由
kazushi_ohata
0
150

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
229
18k
How to Ace a Technical Interview
jacobian
276
23k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Navigating Team Friction
lara
183
14k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
88
How to train your dragon (web standard)
notwaldorf
88
5.7k
Rails Girls Zürich Keynote
gr2m
94
13k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Adopting Sorbet at Scale
ufuk
73
9.1k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k

Transcript

  1. MONSTER COOKIE the (and other web security exploits)

  2. @itscooperful

  3. ethical hacking penetration testing

  4. end users and developers know about prevention and defence but

    knowing why we do these things provides reinforcement

  5. miss piggy’s pc

  6. the vulnerable app

  7. the vulnerable app

  8. the vulnerable app

  9. the cookie monster’s pc

  10. cookies? om-nom-nom-nom

  11. session cookies muppetdb.com ?

  12. session cookies muppetdb.com phpsessid= abc001

  13. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002

  14. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002

  15. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002 phpsessid= abc001

  16. cross-site scripting

  17. the muppet database go http://muppetdb.com/?message=hello message: he!o go

  18. the muppet database go http://muppetdb.com/?message=xss message: xss go the muppet

    database

  19. message: the muppet database go go the muppet database x

    OK xss ?message=<script>alert(‘xss’)</script>

  20. ?message=<script>... cross-site scripting muppetdb.com

  21. ?message=<script>... x OK xss cross-site scripting muppetdb.com

  22. cross-site scripting muppetdb.com

  23. cross-site scripting email muppetdb.com

  24. cross-site scripting email ?message=<script>... muppetdb.com

  25. cross-site scripting email ?message=<script>... x OK xss muppetdb.com

  26. identifying cross-site scripting

  27. identifying cross-site scripting

  28. identifying cross-site scripting

  29. identifying cross-site scripting

  30. identifying cross-site scripting

  31. sending a phishing email

  32. waiting for miss piggy to fo!ow the link...

  33. miss piggy receives the email...

  34. ...and is enticed to fo!ow the link

  35. sending the session cookie to the a"acker

  36. the cookie monster copies the session token...

  37. ...hijacking miss piggy’s session

  38. end users dodgy links: - trusted domains - browse to

    sites directly - be aware of social engineering developers - validate input - sanitise input - sanitise output - check untrusted data in js, css, json, urls, db (EVERYWHERE) - h"ponly - when in doubt, OWASP

  39. SQL injection

  40. go SELECT * FROM data WHERE uid = ‘$uid’ ORDER

    BY name http://muppetdb.com/?uid=fozzie

  41. go SELECT * FROM data WHERE uid = ‘fozzie’ ORDER

    BY name http://muppetdb.com/?uid=fozzie go

  42. go SELECT * FROM data WHERE uid = ‘fozzie’’ ORDER

    BY name http://muppetdb.com/?uid=fozzie’ go mysql syntax error!

  43. go go SELECT * FROM data WHERE uid = ‘fozzie’

    OR 1=1#’ ORDER BY name ://muppetdb.com/?uid=fozzie’ OR 1=1#

  44. identifying sql injection

  45. injecting a single quote

  46. viewing the raw h"p request...

  47. ...and response

  48. sql injection to retrieve table values

  49. ge"ing the database version

  50. ge"ing the database version

  51. ge"ing kermit’s password hash

  52. ge"ing kermit’s password hash

  53. viewing the same response in the browser

  54. end users passwords: - random (memorable = easy to crack)

    - long (9+ for users, 15+ for admins) - complex - unique developers - prepared statements - or stored procedures - or validate and sanitise input - least privilege db user

  55. let’s crack some passwords! the grand finale...

  56. cryptographic hash password 5f4dcc3b5aa765d61d8327deb882cf99

  57. password hashes

  58. dictionary a"ack

  59. dictionary a"ack

  60. dictionary a"ack

  61. dictionary a"ack

  62. testing a cracked password

  63. testing a cracked password

  64. testing a cracked password

  65. just when you think this show is terrible something wonderful

    happens. { } what? {it ends.

  66. @itscooperful a"ribution: h"p://chunkysmurf.deviantart.com/ h"p://nygraffit1.deviantart.com/ Font: Fredoka One (Google Web Fonts)