The Cookie Monster (and other web security exploits)

Chris Cooper
November 01, 2012

A demonstration of how some common web application attacks are carried out, designed to help developers keep their apps secure, and enable end-users to spot potential attackers.

The original screencasts have been substituted with stills.

Presented at Create on the 1st Nov 2012 at the Fruitworks, Canterbury, UK.
http://fruitworks.co/create/november2012/

Also presented at Barcamp Canterbury on the 27th Apr 2013.
http://barcampcanterbury.com/

Transcript

  1. the COOKIE MONSTER
    (and other web security exploits)

  2. @itscooperful

  3. ethical hacking
    penetration testing

  4. end users and developers know about prevention and defence,
    but knowing why we do these things provides reinforcement

  5. miss piggy’s pc

  6. the vulnerable app

  7. the vulnerable app

  8. the vulnerable app

  9. the cookie monster’s pc

  10. cookies?
    om-nom-nom-nom

  11. session cookies
    muppetdb.com
    ?

  12. session cookies
    muppetdb.com
    phpsessid=abc001

  13. session cookies
    muppetdb.com
    phpsessid=abc001
    phpsessid=abc002

  14. session cookies
    muppetdb.com
    phpsessid=abc001
    phpsessid=abc002

  15. session cookies
    muppetdb.com
    phpsessid=abc001
    phpsessid=abc002
    phpsessid=abc001

  16. cross-site scripting

  17. the muppet database
    http://muppetdb.com/?message=hello
    message: hello

  18. the muppet database
    http://muppetdb.com/?message=xss
    message: xss

  19. the muppet database
    ?message=alert('xss')
    message: (browser alert box showing "xss", with an OK button)

  20. cross-site scripting
    muppetdb.com
    ?message=...

  21. cross-site scripting
    muppetdb.com
    ?message=...
    (browser alert box showing "xss", with an OK button)

  22. cross-site scripting
    muppetdb.com

  23. cross-site scripting
    email
    muppetdb.com

  24. cross-site scripting
    email
    muppetdb.com
    ?message=...

  25. cross-site scripting
    email
    muppetdb.com
    ?message=...
    (browser alert box showing "xss", with an OK button)

  26. identifying cross-site scripting

  27. identifying cross-site scripting

  28. identifying cross-site scripting

  29. identifying cross-site scripting

  30. identifying cross-site scripting

  31. sending a phishing email

  32. waiting for miss piggy to follow the link...

  33. miss piggy receives the email...

  34. ...and is enticed to follow the link

  35. sending the session cookie to the attacker

  36. the cookie monster copies the session token...

  37. ...hijacking miss piggy’s session

  38. end users
    dodgy links:
    - trusted domains
    - browse to sites directly
    - be aware of social engineering
    developers
    - validate input
    - sanitise input
    - sanitise output
    - check untrusted data in js, css, json, urls, db (EVERYWHERE)
    - httponly
    - when in doubt, OWASP
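
The developer-side points above ("sanitise output" and "httponly"), worked through as an added example that is not part of the deck. The URLs, the `data` page markup and the `PHPSESSID`/`abc001` cookie values are constructed in the deck's style; `muppetdb.com` is the deck's fictional site.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs in the deck's style; muppetdb.com is the deck's
# fictional site, not a real target.
URLS = [
    "http://muppetdb.com/?message=hello",
    "http://muppetdb.com/?message=<script>alert('xss')</script>",
]

def message_from_url(url: str) -> str:
    """Pull the ?message= parameter out of a URL ('' if absent)."""
    query = parse_qs(urlparse(url).query)
    return query.get("message", [""])[0]

def render_unsafe(message: str) -> str:
    """Reflects untrusted input straight into the page: the vulnerable
    pattern slides 17-19 demonstrate, kept here only for contrast."""
    return "<p>message: " + message + "</p>"

def render_safe(message: str) -> str:
    """'sanitise output': HTML-escape untrusted data where it is written
    into HTML, so <, >, quotes and & become inert text."""
    return "<p>message: " + html.escape(message, quote=True) + "</p>"

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with HttpOnly (script cannot read the cookie, so a
    reflected XSS cannot ship it off-site), plus Secure and SameSite=Lax.
    PHPSESSID and abc001 are the deck's example names."""
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["secure"] = True
    cookie["PHPSESSID"]["samesite"] = "Lax"
    return cookie["PHPSESSID"].OutputString()

if __name__ == "__main__":
    for url in URLS:
        msg = message_from_url(url)
        print("unsafe:", render_unsafe(msg))
        print("safe:  ", render_safe(msg))
    print("Set-Cookie:", session_cookie_header("abc001"))
```

Escaping is applied at the output point, not on the way in, because the same stored value may later be written into JS, JSON or a URL, each of which needs its own encoding (the "EVERYWHERE" point on the slide).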

  39. SQL injection

  40. SELECT * FROM data
    WHERE uid = '$uid'
    ORDER BY name
    http://muppetdb.com/?uid=fozzie

  41. SELECT * FROM data
    WHERE uid = 'fozzie'
    ORDER BY name
    http://muppetdb.com/?uid=fozzie

  42. SELECT * FROM data
    WHERE uid = 'fozzie''
    ORDER BY name
    http://muppetdb.com/?uid=fozzie'
    mysql syntax error!

  43. SELECT * FROM data
    WHERE uid = 'fozzie' OR 1=1#'
    ORDER BY name
    http://muppetdb.com/?uid=fozzie' OR 1=1#

  44. identifying sql injection

  45. injecting a single quote

  46. viewing the raw http request...

  47. ...and response

  48. sql injection to retrieve table values

  49. getting the database version

  50. getting the database version

  51. getting kermit's password hash

  52. getting kermit's password hash

  53. viewing the same response in the browser

  54. end users
    passwords:
    - random (memorable = easy to crack)
    - long (9+ for users, 15+ for admins)
    - complex
    - unique
    developers
    - prepared statements
    - or stored procedures
    - or validate and sanitise input
    - least privilege db user
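
The "prepared statements" point from the developer list, worked through as an added example that is not part of the deck. It uses an in-memory SQLite stand-in for the deck's MySQL `data` table (the rows are constructed), contrasts the concatenated query from slides 40-43 with a parameterised one, and repeats the single-quote check from slide 42 against both.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the deck's 'data' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (uid TEXT, name TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?)",
                     [("fozzie", "Fozzie Bear"), ("kermit", "Kermit the Frog"),
                      ("piggy", "Miss Piggy")])
    return conn

def lookup_concat(conn: sqlite3.Connection, uid: str) -> list:
    """The deck's vulnerable pattern: the value is pasted into the SQL
    text, so a quote in the input changes the structure of the query."""
    sql = "SELECT * FROM data WHERE uid = '" + uid + "' ORDER BY name"
    return conn.execute(sql).fetchall()

def lookup_prepared(conn: sqlite3.Connection, uid: str) -> list:
    """Prepared statement: the value travels separately from the SQL text,
    so quotes and comment markers stay ordinary characters in a string and
    the slide-43 input simply matches no uid."""
    sql = "SELECT * FROM data WHERE uid = ? ORDER BY name"
    return conn.execute(sql, (uid,)).fetchall()

def single_quote_probe_breaks(conn: sqlite3.Connection) -> bool:
    """Slide 42's check: a lone quote makes the concatenated query fail
    (SQLite reports an unterminated token where MySQL gives a syntax error).
    A request that errors on a stray quote is the signal to look for in logs."""
    try:
        lookup_concat(conn, "fozzie'")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = build_db()
    print("concat, plain input:", lookup_concat(db, "fozzie"))
    print("concat breaks on quote:", single_quote_probe_breaks(db))
    print("prepared, quote:", lookup_prepared(db, "fozzie'"))
    print("prepared, OR 1=1#:", lookup_prepared(db, "fozzie' OR 1=1#"))
```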

  55. let's crack some passwords!
    the grand finale...

  56. cryptographic hash
    password -> 5f4dcc3b5aa765d61d8327deb882cf99

  57. password hashes

  58. dictionary attack

  59. dictionary attack

  60. dictionary attack

  61. dictionary attack

  62. testing a cracked password

  63. testing a cracked password

  64. testing a cracked password
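
The hash on slide 56 and the dictionary attack of slides 58-64, seen from the storage side, as an added example that is not part of the deck. It reproduces the slide's digest (unsalted MD5 of `password`) to show why one dictionary pass covers every user with that password, and beside it a salted, slow PBKDF2-HMAC-SHA256 store-and-verify routine; the storage string format and the 600,000-iteration work factor are this example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor for this example

def md5_hex(password: str) -> str:
    """Unsalted, fast hash as on slide 56. Every user with the same password
    gets the same digest, so one dictionary lookup matches all of them."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, slow hash. Stored as pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    (a format constructed for this example). A fresh random salt means two
    users with the same password get different records, and each guess must
    be recomputed per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the check does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print("md5:", md5_hex("password"))
    record = hash_password("password")
    print("stored:", record)
    print("verify correct:", verify_password("password", record))
    print("verify wrong:  ", verify_password("Password", record))
```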

  65. just when you think this show is terrible, something wonderful happens.
    what?
    it ends.

  66. @itscooperful
    attribution:
    http://chunkysmurf.deviantart.com/
    http://nygraffit1.deviantart.com/
    Font: Fredoka One (Google Web Fonts)