My second session of the day is billed as demonstrations of how
to hack systems using open source tools. (The hacking using open
source, not necessarily the systems being hacked.) The speaker is
Kurt R. Roemer, the Director of Security Research at NetContinuum.
The talk is starting with a lot of background material about kinds
of vulnerabilities and attacks. I’m waiting to see the concrete
demonstrations that were promised!
Halfway through the talk. No demonstrations yet.
Finally, a demo. He’s mocked up a web site for “badstore.net” that
we’ll attack. He shows us around the site, and adds a few products
to the shopping cart and places an order. He then runs a tool
called nikto. It’s a Perl script that will scan
CGI applications to try out various common exploits. It finds
vulnerabilities right away (such as running under an ancient version
of Apache with known exploits).
A question to the audience: “anybody know what robots.txt is?” And
this talk is rated a 5 – Very Technical! That’s the highest
technical rating they have here.
Well, the robots.txt file excludes some directories from scanning,
such as /backup and /suppliers. So look at those URLs, and there
are real backup files there that can be downloaded. The suppliers
directory also has accounts and passwords that are “encrypted”. Well,
they aren’t encrypted, they’re just base-64 encoded. He uses
a base-64 decoder called SPI to see the raw usernames and
passwords for all the suppliers.
These exploits seem ridiculous, but I know they really do often
work.
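The two steps above (read robots.txt for the directories the site would rather you not visit, then notice that the “encrypted” supplier passwords are only base-64) are easy to script. The following is an added example, not the speaker’s tool or anything from badstore.net; the robots.txt and the supplier file are constructed here to have the same shape as what was shown on screen.

```python
import base64
import binascii

# Constructed robots.txt in the shape shown in the demo. The Disallow lines
# are meant to keep crawlers out; to an attacker they are a list of
# interesting directories to look at first.
ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /backup/      # nightly database dumps
Disallow: /supplier/
"""

# Constructed supplier account file. The passwords are described as
# "encrypted" but are just base-64 encoded; the last line is not base-64
# at all, so the decoder has to cope with it.
SUPPLIER_FILE = """\
acme:cGFzc3dvcmQx
globex:czNjcjN0
initech:not-really-base64!
"""


def disallowed_paths(robots_txt):
    """Return every path named in a Disallow: line, comments stripped."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


def candidate_urls(base, robots_txt):
    """Turn the Disallow list into URLs worth requesting directly."""
    return [base.rstrip("/") + p for p in disallowed_paths(robots_txt)]


def decode_credentials(text):
    """Map user -> decoded password; None where the value is not base-64."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, blob = line.split(":", 1)
        try:
            creds[user] = base64.b64decode(blob, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            creds[user] = None
    return creds


if __name__ == "__main__":
    # Hypothetical base URL; nothing here touches the network.
    for url in candidate_urls("http://badstore.example", ROBOTS_TXT):
        print("try:", url)
    for user, pw in decode_credentials(SUPPLIER_FILE).items():
        print(user, "->", pw)
```

The `validate=True` flag matters: without it, `b64decode` silently skips characters it does not recognise and would happily “decode” the non-base-64 line into garbage instead of telling you the field is something else.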
We then see SQL injection, where we see that the search URL has some
parameters, and we put some SQL in them. The server gives us very
helpful error messages to make it easier to fix our injected
query, which ends with “OR 1=1”, making the query always match all
records.
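To make the “OR 1=1” step concrete, here is an added example (my own, not the speaker’s demo code) of a search handler that pastes the parameter into the SQL text, beside the parameterized version that defeats the same input. It uses an in-memory SQLite table with a constructed product list standing in for badstore’s catalogue; the `probe` helper shows what the “helpful error messages” give away.

```python
import sqlite3


def make_db():
    """Constructed catalogue; the schema is invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Sprocket", 4.50)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The search parameter is concatenated into the query text.

    Input  ' OR 1=1 --  closes the quoted string, appends a condition that
    is always true, and comments out the trailing quote, so every row
    matches.
    """
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Bound parameter: the driver passes the term as data, never as SQL,
    so the same input simply matches no product name."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def probe(conn, term):
    """Return the database error text for a malformed input, or None.

    A server that echoes this text back to the browser is giving the
    attacker exactly the feedback needed to tune the injected fragment.
    """
    try:
        search_vulnerable(conn, term)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("normal:", search_vulnerable(db, "Widget"))
    print("error leak:", probe(db, "'"))
    print("injected:", search_vulnerable(db, payload))
    print("parameterized:", search_parameterized(db, payload))
```

The fix is not a cleverer blacklist of quotes; it is never building SQL from strings in the first place, which is what the bound parameter does.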
Cross-site scripting. Put some Javascript into text that the web
site will later display to other users (a guestbook comment in the
example). When a user looks at the page, your client-side code
runs on his or her PC. The first example just pops up a Javascript
alert box to scare the other user. The second demonstrates
examining and changing cookies. (Though doing that on your own PC
just requires editing the cookie file you have, no scripting
necessary.)
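The guestbook case comes down to one question: does the comment get inserted into the page verbatim, or escaped? The following is an added example, not the speaker’s badstore guestbook; the comments are constructed, and the second one carries the same sort of payload as the cookie demo.

```python
import html

# Constructed guestbook entries. The second would be stored once by the
# attacker and served to every later visitor.
COMMENTS = [
    "Great store, fast shipping!",
    "<script>alert(document.cookie)</script>",
]


def render_unsafe(comments):
    """Verbatim interpolation: the payload becomes a live <script> element
    in the browser of whoever views the guestbook next."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return "<ul>" + items + "</ul>"


def render_escaped(comments):
    """html.escape turns <, >, &, \" and ' into entities, so the same string
    is displayed as text instead of parsed as markup."""
    items = "".join(f"<li>{html.escape(c)}</li>" for c in comments)
    return "<ul>" + items + "</ul>"


def has_live_script(page):
    """Crude comparison aid for the two renderers: did a raw <script tag
    survive into the output? (Not a general XSS detector.)"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(COMMENTS))
    print(render_escaped(COMMENTS))
```

Two caveats a practitioner would add. First, the point of the cookie payload is not that the attacker reads cookies on the attacker’s own machine, as the post notes; it is that the script runs with the victim’s cookies and can send them somewhere else. Second, escaping output is the fix for the injection; marking the session cookie `HttpOnly` is a separate defence that stops `document.cookie` from exposing it even when some script does get through.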
Time is running out, and he was just getting started. If the talk
had actually focused on the demonstration, as the blurb claimed,
it would have been very good.