Friday, May 22, 2009

Web application hacking

Perimeter defenses (eg. firewalls) do little to protect vulnerable applications from compromise. IPSs may block attacks against your apps but it doesn't address the root problem... the flaws that reside in your apps. Web application firewalls are complex to configure and are currently not commonly deployed.
SQL injection is the use of SQL statements and logic to expose or steal sensitive information stored within the corporate DB. In the demo, I utilise SQL logic to log into the portal without needing to know the admin's password thus gaining full access as the administrator.
' or 1=1--
I was also able to dump usernames and their respective passwords stored in the DB using the following statement.
1/1/2010 union select userid, 'username: ' + username , 'password: ' + password,null from users--
The high res version of this demo can be downloaded here.

Cross Site Scripting (XSS) is the injection of malicious code into applications to compromise visitors to the website. I enter Javascript pop up code into the vulnerable search box. I am able to successfully inject the Javascript code though it is not persistent. However, hackers overcome this limitation using social engineering. They can trick their victims into clicking on links containing malicious XSS code sent via email or Instant Messenging.
The high res version of this demo can be downloaded here.

Filtering special characters at the server end will mitigate the threat posed by SQL injection and XSS. Do not implement client side filtering as this can easily be overcome with the use of web proxies!!!

No comments:

Post a Comment