Web Hacking Basics
© 2010 MAD Security, LLC All rights reserved
Where Do We Find Web Apps?

- Social Media
- Webmail
- Ecommerce
- Online Banking
- Corporate Intranet sites
- Customer & Project Management
- Bug tracking
- Routers & Firewalls
- Printers
- Gaming Consoles
- Database Management
- Filesharing Clients
- Virtual Machine Management

Everywhere.

    nmap -p 'http*' 192.168.1.1-255

(The port-name wildcard is quoted so the shell does not expand http* as a filename glob before nmap sees it.)

Rule #1

Never trust the client, the server, or the network.
All inputs must be validated.
All interactions with other parties must be assumed to be malicious until proven otherwise.

Rule #2

Attackers have unpredictable motives, skills, and targets. Attackers are therefore unpredictable.
Never assume that an attacker cannot find a target, cannot find a way to exploit it, or would choose not to attack a target.

Attacker Motives

- Defacement
- Network Resources
- System Resources
- Locally Stored Data
- Source Code
- User Traffic
- User Accounts
- Administrator Privileges
- Vulnerabilities

Five Classes of Web Hacking

- Attacks on the web server
- Attacks on the web client
- Attacks on the web application
- Attacks on the web user
- Attacks on the network

Server Attacks

- Earliest form of web hacking
- Best understood attacks
- Most easily prevented attacks
- Still extremely common
- Requires careful programming, configuration and maintenance to prevent

Examples: Shell Command Injection, File Inclusion, SQL Injection, Executable Uploads, Information Leakage

Client Attacks

- Malicious code is served up and executed on the client side
- Next logical step after server attacks
- Compromises the system or web browser
- Defenses are improving, but there is no reliable proactive defense
- Keep patches up to date

Examples: Trojans and Malware; Drive-By Download; Parsing Flaws in media (ActiveX, PDF, Flash, Images, Movies)

No Website Is Trusted

The old "Don't browse untrusted sites" mantra is meaningless.
Application Attacks

- Goal-oriented
- Focused on abusing application logic, not compromising systems
- Session manipulation (prediction, spoofing, fixation)
- Incomplete access controls
- Some cryptographic attacks

User Attacks

- Users are predictable and easily manipulated
- Forcing user action can circumvent controls
- Classic cons and scams can be easily repurposed for the web

Examples: Clickjacking, Password Guessing, Phishing, Social Engineering

Cross-site Scripting and Cross-site Request Forgery are a unique combination of User, Browser, Server, and Application attacks.

Network Attacks

- Are not unique to web security
- Have unique consequences

Examples: Traffic Sniffing, DNS Poisoning, ARP Poisoning, SSL Attacks
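The session manipulation bullet under Application Attacks (prediction, spoofing, fixation) is where Rule #1 bites hardest: the server must never accept a session ID it did not issue. The following server-side session store is an added example, not code from the deck or from MAD Security; the class name and methods are hypothetical. It defends against prediction by drawing IDs from the OS CSPRNG and against fixation by rotating the ID at login, so an ID planted in a victim's browser beforehand stops working the moment the victim authenticates.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal server-side session store (hypothetical, added example).

    - Prediction defence: IDs come from secrets.token_urlsafe, never a counter,
      timestamp or hash of user data an attacker could guess.
    - Fixation defence: the only way an ID enters the store is create(); a
      client-supplied ID that the server never issued is simply unknown, and
      the ID is rotated whenever privilege changes (login).
    """

    def __init__(self, id_bytes: int = 32) -> None:
        self._id_bytes = id_bytes
        self._sessions: Dict[str, dict] = {}

    def _new_id(self) -> str:
        # 32 random bytes -> 43 URL-safe characters; infeasible to predict or brute-force
        return secrets.token_urlsafe(self._id_bytes)

    def create(self) -> str:
        """Start an anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session and rotate its ID.

        The old ID is discarded, so an attacker who knew it (fixation) is left
        holding a token the server no longer recognises.
        """
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session id")
        data["user"] = user
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def lookup(self, sid: str) -> Optional[dict]:
        """Return session data for a server-issued ID, or None for anything else."""
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```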