2. This is a stand-alone environment.
Seeing attacks makes a difference!
Please don’t try any of this at home!
PS Adam is a 4th
year Ethical Hacking
student at Abertay.
5. [Diagram: typical Web application architecture]
Web client (IE, Firefox, Opera, etc.) sends an HTTP request (clear-text or SSL) to the Web server and receives an HTTP response (HTML, JavaScript, VBScript, etc.).
• Web server: Apache, IIS, Netscape, etc.
• Web app: Perl, C++, CGI, Java, ASP, PHP, etc.
• App server (optional): ColdFusion, Oracle 9iAS, GlassFish, etc., reached over a transport such as AJP, IIOP, etc.
• DB: Oracle, SQL Server, etc., accessed via ADO, ODBC, JDBC, etc.
7. Entering Colin and test gives a SQL query similar to the following:
$query = "SELECT * FROM accounts WHERE username='Colin' AND password='test'";
PROBLEM: often there is no filtering of input, meaning that a hacker can inject CODE.
Typical Code
$username = $_REQUEST["username"];
$password = $_REQUEST["password"];
$query = "SELECT * FROM accounts WHERE username='$username' AND password='$password'";
8. Entering blah' OR 1=1# as the username
In MySQL, "#" starts a comment: everything after it on the line is ignored.
$query = "SELECT * FROM accounts WHERE username='$username' AND password='$password'";
Gives
$query = "SELECT * FROM accounts WHERE username='blah' OR 1=1#' AND password=''";
Effectively (the comment swallows the password check)
$query = "SELECT * FROM accounts WHERE username='blah' OR 1=1";
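The two slides above, as an added example (not code from the presentation or from HacmeBank): the unsafe string-built query from slide 7, the MySQL comment effect from slide 8, and a parameterised login check where the same input is handled as data. The accounts table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a tiny accounts table standing in for the
# web app's database (not HacmeBank's real schema).
ACCOUNTS = [("Colin", "test"), ("alice", "s3cret")]


def build_query_unsafe(username: str, password: str) -> str:
    """Mirror the slide's 'Typical Code': user input is pasted straight
    into the SQL string, so quote characters in the input reshape it."""
    return (f"SELECT * FROM accounts WHERE username='{username}' "
            f"AND password='{password}'")


def effective_mysql_query(query: str) -> str:
    """What MySQL actually parses: text after a '#' comment marker is
    discarded (the slide's 'Effectively' line). Illustration only; the
    string is never executed here."""
    return query.split("#", 1)[0].strip()


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def login_parameterised(username: str, password: str) -> bool:
    """Hardened version: placeholders hand the values to the driver
    separately, so quote and comment characters stay inside the data
    and can never change the query's structure."""
    conn = _connect()
    row = conn.execute(
        "SELECT 1 FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    conn.close()
    return row is not None


if __name__ == "__main__":
    print(build_query_unsafe("Colin", "test"))
    injected = build_query_unsafe("blah' OR 1=1#", "")
    print(injected)
    print(effective_mysql_query(injected))
    print(login_parameterised("Colin", "test"))       # True
    print(login_parameterised("blah' OR 1=1#", ""))   # False
```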
9. HacmeBank has an SQL injection flaw.
Adam is currently trying to do as much damage
as he can by exploiting this flaw....
"SQLMAP" tool as used by hacking groups.
15. Approximately 3 lines of code..
AWARENESS.
Only one of many Web flaws.
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4- Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
...etc
17. Relies on the victim clicking on a link (e.g. E-Mail,
Google search .....etc).
A hacker's success against a company can be
greatly increased by targeting specific users.
E.g. it might not be easy to get an accountant to
click on any old link....but...
19. Get user to visit a page...
Issue commands from the menu.
20. This is many users' view of what a trojan is...
21. Install...
◦ Visit the wrong web page/install the wrong
software/Someone gets on your PC.
Anti-virus can be evaded relatively easily.
The ultimate hack.
23. Unpatched /
Downloaded..
How dangerous?
• This demo applies to "out of date"
software or packages downloaded
from the Internet.
• If a known flaw isn't fixed, this is what
can happen.
24. Technical controls can help greatly but
Developers/Networking staff/IT Staff/User
awareness is a major mitigation.
Most modern hacking attacks require user “help”.
25. Awareness training @ Abertay Uni...
◦ Pen Testing & Vulnerability Assessment (2 days)
◦ Security awareness for users (1/2 day)
◦ Web Security testing (2 days)
◦ Security Awareness for Managers (1/2 day)
◦ Secure Coding (1 day)
◦ Wireless security (1 day)
◦ Intro to Digital Forensics (2 days)
◦ Network Forensics (2 days).
In our Ethical Hacking lab or in your company.