AppSec2005DC - Matt Fisher - Google Hacking and Worms
Added: August 30, 2007

Presentation Transcript

Google Hacking and Web Application Worms
OWASP 2005
Matt Fisher, Sr. Engineer, SPI Dynamics

Happy Anniversary!
- Search engine hacking is almost ten years old
- First solid documentation: SimpleNomad, 1996, AltaVista (textfiles.com)
- Web hacking: pick a site, find the vulnerability
- Google hacking: pick a vulnerability, find the site
- Don't be a target of opportunity

Just the beginning ...
- Non-public systems: intranets, access-restricted extranets, web services
- Not all internet systems are crawled; you have to request a crawl (extranets, customer portals)
- Google: very limited crawl (robots.txt, forms, JavaScript)
- Linked content only! Exposure has to be hard-linked
- No tampering

The Perfect Drug
- Warning! Search engine hacking can be highly addictive
- Focus on what to look for, not on the search engine

A Few of my Favorite Things
- Source code galore: need a code sample? Grab a code sample!
- File traversals: full system read access
- Command execution: executing shell commands through a browser, basically port 80 telnet
- File uploads: don't like the content? Make your own!

Basic Google Hacking - Using File Types
(screenshot slide)

Works for many other file types
(screenshot slide)

Curioser and Curioser
(screenshot slide)

Googling for a Recent Exploit - Using Constraints
- Site frames content
- Content can be external
- Frame source specified on the client side: website.com/showframe.asp?src=fakesite.com/fakelogin.html
- Cross-site framing

INURL
- Restricts search terms to the URL itself (buggy)
- Want the source to be specified in the client
- Want the source to be external, not on the same site
- Further qualifier

Client-Sided Frame Source
(screenshot slide)

Framed.
(screenshot slide)

Directory Traversals!
(screenshot slide)

SPAM ENGINES
(screenshot slide)

Source Code
- Database queries. They're source code. Hooray source code!

The Fun Never Stops
- If you can read source code, what source code do you read? Depends on what you're interested in!
- How about some database connection strings!

The Proverbial Post-It on the Monitor
- Yes, those are real live database connection strings
- Yes, they contain real live usernames and passwords
- No, Special Agent, I didn't try them out.

Web App Hacking's Cool. Google Hacking's Cool.
- Everyone thought we were crazy ...

Then Santy Climbed Down the Chimney
- Used a WEB APPLICATION VULNERABILITY in a common freeware PHP application
- Used GOOGLE to ID new targets
- Multiple improved variants already out
- December 20th 2004

Code Review of the Vuln App
- URLDecode the input before removing special characters

MagicQuotes in PHP
- Escapes single quotes: turns ' into \'
- Functional: prevents O'Malley and O'Brian from O'Crashing your query.
- MagicQuotes are magically functional, but not a security feature, and were never meant to be

Rasmus Lerdorf says ...
'You always have to escape quotes before you can insert a string into a database. If you don't, you get an ugly SQL error and your application doesn't work. After explaining this simple fact to people for the 50th time one day I finally got fed up and had PHP do the escaping on the fly. This way the applications would work and the worst that would happen is that someone would see an extra \ on the screen when they output the data directly instead of sticking it into the database.'
Source: SitePoint.com, Interview - PHP's Creator, Rasmus Lerdorf, http://www.sitepoint.com/article/phps-creator-rasmus-lerdorf/3

Attack of the Worms: How it works
- URL-encoded characters
- PHP fwrite command
- PHP fopen command

Decoding the attack
- Decode once and compare: %27%2E is not a single quote
- MagicQuotes recognizes plain and encoded single quotes

Back to the Code
- The application decoded again in the code
- That turned the remaining %27%2E into ', making the injection work

Basic Google
- viewtopic.php with random numbers as a parameter (1414414=5858583)
- The numbers are NOT evasion; they ensure different websites in each result
- Unimaginative and easily signatured ...

Google shut down the query ...
- And gave me spyware advice ...?
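An added Python example (not from the slides, and not phpBB's code) modelling the decode-order defect the Code Review, Decoding the attack and Back to the Code slides describe, beside the Prologue's fix of dropping the second decode and the stricter allow-list validation the slides say that fix still lacks. The escaping model, helper names and the sample id "12%2527" are my assumptions.

```python
from urllib.parse import unquote


def magic_quotes(value: str) -> str:
    """Minimal model of PHP magic_quotes_gpc (assumption): backslash-escape
    backslashes and quotes, which is all that feature ever did."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_pipeline(raw_param: str) -> str:
    """The defect the slides describe: PHP decodes the parameter once (the
    web-server decode), magic quotes escapes it, and THEN the application
    calls urldecode a second time.  A quote that arrived double-encoded
    passes the escaping step as '%27' and only becomes a live quote after it."""
    once = unquote(raw_param)          # first decode, done by the web server/PHP
    escaped = magic_quotes(once)       # escaping sees '%27', not a quote
    return unquote(escaped)            # second decode inside the app: the bug


def fixed_pipeline(raw_param: str) -> str:
    """The remedial action from the Prologue slide: remove the second
    urldecode, so escaping runs on the canonical (once-decoded) value
    and an encoded quote stays '%27' all the way to the query."""
    return magic_quotes(unquote(raw_param))


def is_numeric_topic_id(raw_param: str) -> bool:
    """Strict allow-list validation for a viewtopic-style id: decode once,
    then accept digits only.  Together with parameterised queries this is
    the 'rock solid' input validation that removing URLDECODE alone lacks."""
    return unquote(raw_param).isdigit()


def decode_once_and_compare(value: str) -> bool:
    """'Decode once and compare': if decoding an already-decoded parameter
    again still changes it, it carried an extra encoding layer.  Usable as
    a log or WAF check on request parameters."""
    return unquote(value) != value


def has_live_quote(sql_fragment: str) -> bool:
    """True if an unescaped single quote would reach the SQL query."""
    return any(ch == "'" and (i == 0 or sql_fragment[i - 1] != "\\")
               for i, ch in enumerate(sql_fragment))


if __name__ == "__main__":
    sample = "12%2527"   # constructed sample: a topic id with a double-encoded quote
    print("vulnerable:", repr(vulnerable_pipeline(sample)))  # 12'
    print("fixed:     ", repr(fixed_pipeline(sample)))       # 12%27
```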
Google Evasion
- Bonus: spot the Google bug. Hmm ... does Google recognize blank spaces?
- viewtopic by itself could be anything; add phpBB's footer and it's more accurate
- viewtopic.php is not the same as viewtopic and php

Or Just 'Switch'
- 4 variants in JUST DAYS.
- There's more than one engine to search the web

Prologue
- New version of phpBoard released
- Remedial action suggested to immediate users of the software was to remove the 'URLDECODE'
- Prevents the second decode: ' remains as %27
- Still not rock solid input validation

Why Web Application Risks Occur
- Security professionals don't know the applications
- 'As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to build security into my web applications.'
- The Web Application Security Gap
- 'As a Network Security Professional, I don't know how my company's web applications are supposed to work so I deploy a protective solution ... but don't know if it's protecting what it's supposed to.'
- Application developers and QA professionals don't know security

The Old Paradigm
(flowchart) Development builds application -> QA performs functional testing -> Functional defects are found and fixed -> App is declared ready for UAT -> Customer performs acceptance testing -> Deployment begins -> Security tests server patches and configuration -> Security applies any missing patches or tweaks configuration -> Program goes live

Security Cannot Fix Application Issues
(flowchart) Development builds application -> QA performs functional testing -> App is declared ready for UAT -> Customer performs acceptance testing -> Deployment begins -> Security discovers application vulnerabilities -> Application either goes back to square one, or goes live with known vulnerabilities -> Program goes live

Security Testing To The Application Lifecycle
(diagram) Phases: Audit, Development, QA, Production. Owners per phase: Auditors, Dev, Compliance, and Business Subject Matter Experts (SME); Developers; QA and Developers; Security Operations and Auditors

My Contact Info
Matt Fisher
mfisher@spidynamics.com
240.463.9030