Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Cookie Monster (and other web security expl...

Avatar for Chris Cooper Chris Cooper
November 01, 2012
Technology
3
380

The Cookie Monster (and other web security exploits)

A demonstration of how some common web application attacks are carried out, designed to help developers keep their apps secure, and enable end-users to spot potential attackers.

The original screencasts have been substituted with stills.

Presented at Create on the 1st Nov 2012 at the Fruitworks, Canterbury, UK.
http://fruitworks.co/create/november2012/

Also presented at Barcamp Canterbury on the 27th Apr 2013.
http://barcampcanterbury.com/
Avatar for Chris Cooper

Chris Cooper

November 01, 2012
Tweet

More Decks by Chris Cooper

See All by Chris Cooper
The Digital Hostage: Ransomware in the Workplace
Avatar for Chris Cooper itscooper
0
110
People Security and Social Engineering
Avatar for Chris Cooper itscooper
0
120
Keeping Your Data Secure: A Guide for Human Beings
Avatar for Chris Cooper itscooper
0
190
E-Safety: How technology can protect us from technology
Avatar for Chris Cooper itscooper
0
320
Social Engineering: How to Rob a Bank with a Phone
Avatar for Chris Cooper itscooper
0
220
Hacking the Box (Joseph Sheridan)
Avatar for Chris Cooper itscooper
1
290
Breaking Stuff: What Ethical Hacking Has Taught Me
Avatar for Chris Cooper itscooper
1
150

Other Decks in Technology

See All in Technology
インフラからSREへ
Avatar for Issei Naruta mirakui
20
7.8k
ホワイトボックス& SONiC アーキテクチャ(全体像) - SONiC Workshop Japan 2025
Avatar for ebiken ebiken
PRO
1
390
Google Cloud Next 2025 Recap アプリケーション開発を加速する機能アップデート / Application development-related features of Google Cloud
Avatar for turbofish ryokotmng
0
410
ゆるくはじめるSLI・SLO
Avatar for Mirai Yato (yato) yatoum
1
120
分解し、導き、託す ログラスにおける“技術でリードする” 実践の記録
Avatar for Hiroto Ryushima hryushm
1
550
SONiCで構築・運用する生成AI向けパブリッククラウドネットワーク
Avatar for SONiC Users Group Japan sonic
1
490
非同期処理でも分散トレーシングしたい!- OpenTelemetry × Pub/Sub -
Avatar for Tomonori Hayashi phaya72
1
110
地に足の付いた現実的な技術選定から魔力のある体験を得る『AIレシート読み取り機能』のケーススタディ / From Grounded Tech Choices to Magical UX: A Case Study of AI Receipt Scanning
Avatar for moznion moznion
5
2k
Platform Engineering for Private Cloud
Avatar for Coté cote
PRO
0
110
猫でもわかるS3 Tables【Apache Iceberg編】
Avatar for Hiroo Katoh kentapapa
2
270
事業と組織から目を逸らずに技術でリードする
Avatar for ogugu ogugu9
19
5.3k
10年もののアプリケーションを運用・開発するアプリケーションエンジニアのDatadog活用術
Avatar for miyamu miyamu
0
130

Featured

See All Featured
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
613
210k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Navigating Team Friction
Avatar for Lara Hogan lara
185
15k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
105
19k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
368
19k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
5
590
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
48
50k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
85
4.7k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
430
65k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
53
11k

Transcript

  1. MONSTER COOKIE the (and other web security exploits)

  2. @itscooperful

  3. ethical hacking penetration testing

  4. end users and developers know about prevention and defence but

    knowing why we do these things provides reinforcement

  5. miss piggy’s pc

  6. the vulnerable app

  7. the vulnerable app

  8. the vulnerable app

  9. the cookie monster’s pc

  10. cookies? om-nom-nom-nom

  11. session cookies muppetdb.com ?

  12. session cookies muppetdb.com phpsessid= abc001

  13. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002

  14. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002

  15. session cookies muppetdb.com phpsessid= abc001 phpsessid= abc002 phpsessid= abc001

  16. cross-site scripting

  17. the muppet database go http://muppetdb.com/?message=hello message: he!o go

  18. the muppet database go http://muppetdb.com/?message=xss message: xss go the muppet

    database

  19. message: the muppet database go go the muppet database x

    OK xss ?message=<script>alert(‘xss’)</script>

  20. ?message=<script>... cross-site scripting muppetdb.com

  21. ?message=<script>... x OK xss cross-site scripting muppetdb.com

  22. cross-site scripting muppetdb.com

  23. cross-site scripting email muppetdb.com

  24. cross-site scripting email ?message=<script>... muppetdb.com

  25. cross-site scripting email ?message=<script>... x OK xss muppetdb.com

  26. identifying cross-site scripting

  27. identifying cross-site scripting

  28. identifying cross-site scripting

  29. identifying cross-site scripting

  30. identifying cross-site scripting

  31. sending a phishing email

  32. waiting for miss piggy to fo!ow the link...

  33. miss piggy receives the email...

  34. ...and is enticed to fo!ow the link

  35. sending the session cookie to the a"acker

  36. the cookie monster copies the session token...

  37. ...hijacking miss piggy’s session

  38. end users dodgy links: - trusted domains - browse to

    sites directly - be aware of social engineering developers - validate input - sanitise input - sanitise output - check untrusted data in js, css, json, urls, db (EVERYWHERE) - h"ponly - when in doubt, OWASP

  39. SQL injection

  40. go SELECT * FROM data WHERE uid = ‘$uid’ ORDER

    BY name http://muppetdb.com/?uid=fozzie

  41. go SELECT * FROM data WHERE uid = ‘fozzie’ ORDER

    BY name http://muppetdb.com/?uid=fozzie go

  42. go SELECT * FROM data WHERE uid = ‘fozzie’’ ORDER

    BY name http://muppetdb.com/?uid=fozzie’ go mysql syntax error!

  43. go go SELECT * FROM data WHERE uid = ‘fozzie’

    OR 1=1#’ ORDER BY name ://muppetdb.com/?uid=fozzie’ OR 1=1#

  44. identifying sql injection

  45. injecting a single quote

  46. viewing the raw h"p request...

  47. ...and response

  48. sql injection to retrieve table values

  49. ge"ing the database version

  50. ge"ing the database version

  51. ge"ing kermit’s password hash

  52. ge"ing kermit’s password hash

  53. viewing the same response in the browser

  54. end users passwords: - random (memorable = easy to crack)

    - long (9+ for users, 15+ for admins) - complex - unique developers - prepared statements - or stored procedures - or validate and sanitise input - least privilege db user

  55. let’s crack some passwords! the grand finale...

  56. cryptographic hash password 5f4dcc3b5aa765d61d8327deb882cf99

  57. password hashes

  58. dictionary a"ack

  59. dictionary a"ack

  60. dictionary a"ack

  61. dictionary a"ack

  62. testing a cracked password

  63. testing a cracked password

  64. testing a cracked password

  65. just when you think this show is terrible something wonderful

    happens. { } what? {it ends.

  66. @itscooperful a"ribution: h"p://chunkysmurf.deviantart.com/ h"p://nygraffit1.deviantart.com/ Font: Fredoka One (Google Web Fonts)