Web Application Security pitfalls
Introduction & Some BAD Stories
1 billion accounts
- Yahoo has been hacked twice; in 2016 Yahoo disclosed that information on 1 billion accounts had been stolen.
- Yahoo notified users and urged them to change their passwords (and I also got that mail).
- The problem is that the breach happened all the way back in August 2013.
- The hacker has had more than three years to exploit it, security experts say.
- A hacker was attempting to sell information on 200 million Yahoo accounts.

$256 million or more
- An online retailer: cyber criminals took more than 45 million credit and debit card numbers,
- some of which were later used to buy millions of dollars in electronics from Wal-Mart and elsewhere.

$2 billion
- The Sony data breach, which exposed information from more than 100 million user accounts on April 20, 2011.
- Hackers obtained personal information, including credit, debit and bank account numbers in some instances,
- while the site was down for a month.

$140 million
- A payment processor was the victim of a major cyber attack in 2008.
- 100 million credit and debit cards were exposed.
Contents

HTTP Request/Response flow
1. How the HTTP request-response cycle works
2. Anatomy of an HTTP request and response
3. Demonstration using the Chrome inspector or the Burp proxy

OWASP
1. What is OWASP
2. OWASP Top 10 attacks

SQL Injection
1. What it is and how the attack happens
2. Practical demo using the DVWA web app
3. Lab tool: sqlmap to detect and exploit SQL injection
4. Mitigations and guarding

Data validation: distrust all data
HTTP Request-Response flow
Structure of HTTP Request
Structure of HTTP Response
OWASP Introduction
The Open Web Application Security Project (OWASP) is an online community which creates freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

OWASP Top 10 attacks:
- A list of the most critical web application security flaws.
- These errors occur frequently and allow attackers to steal data or take over the application.
- For each one it tells you what the issue is, how to test for it, and how to fix it.

OWASP Top 10
Injection attacks
A1-Injection
Injection flaws, such as SQL and OS injection, occur when untrusted data is sent to an application and tricks the interpreter into executing unintended commands.
- SQL Injection
- OS Injection
- Shell uploading
How the attack happens
Action time
Demo: SQL Injection (DVWA)

// Get input
$id = $_REQUEST['id'];
$db = new mysqli('localhost', 'username', 'password', 'storedb');
// The request value is concatenated straight into the SQL string (vulnerable)
$sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = $db->query($sql);

Attack Vectors
- ' OR 1=1 #
  resulting query: $sql = "SELECT first_name, last_name FROM users WHERE user_id = '' OR 1=1 #'";
- ' UNION SELECT database(), @@version
- ' UNION SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema = 'storedb'
Automated SQL Injection using the sqlmap Tool
Action time
Usage demo: sqlmap db exploit

sqlmap: an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
- Built in Python and requires Python to be installed on the system.
- Supports dumping database tables entirely.
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
Defences against SQL Injection
- Prepared statements (parameterized queries)
- Escaping all user-supplied input
- Strict validation of input parameters
- Use of stored procedures

Prevention Cheat Sheet (see References)
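The following is an added example, not part of the original slides or of DVWA, that reproduces the demo's lookup in Python against a constructed in-memory SQLite table and places it beside two of the defences listed above (prepared statements and strict validation). The table schema and rows are constructed; note that SQLite's comment marker is `--`, where the MySQL payload on the slide uses `#`.

```python
import sqlite3

TAUTOLOGY = "' OR 1=1 --"  # SQLite spelling of the slide's ' OR 1=1 # payload


def make_db():
    """Constructed stand-in for the DVWA 'users' table used in the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return db


def lookup_vulnerable(db, user_id):
    # Mirrors the slide's PHP: the request value is spliced into the SQL text,
    # so a quote in the input closes the literal and the rest becomes SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def lookup_prepared(db, user_id):
    # Defence: parameterized query. The value travels separately from the
    # statement, so quotes or comment markers in it can never change the query.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()


def lookup_validated(db, user_id):
    # Defence: strict validation. user_id is a number by contract, so reject
    # anything that is not a plain digit string before touching the database.
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("user_id must be a positive integer")
    return lookup_prepared(db, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=2      :", lookup_vulnerable(db, "2"))
    print("vulnerable, tautology :", lookup_vulnerable(db, TAUTOLOGY))  # every row
    print("prepared,   tautology :", lookup_prepared(db, TAUTOLOGY))    # no rows
```

Running the script shows the concatenated query returning every user for the tautology input while the prepared statement returns nothing, because the payload is compared as an ordinary string.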
References
Special thanks to all the people who made and released these awesome resources for free:
- https://www.owasp.org/
- http://sqlmap.org/
Thanks!
Any questions?
You can find me at:
deepak.chandani@thepsi.com