Web Security

Information disclosure

  • CVS/Entries .svn/entries .git/index

  • hidden parameter debug / test / trace = true / on / 1

  • docs / logs / backup / conf / test

Authentication

  • Common users: admin, test, demo, guest, $company, $product

  • Common passwords: test, test123, password, password1, password123, qwertz, qwerty, letmein

  • Look at: Password Recovery, Remember me

ACL bypass techniques

  • Try GET instead of POST and vice versa

  • Try HEAD instead of GET

  • Double-Slash URL

  • Hidden Parameter like loggedin / isadmin = true / on / 1

  • change userid

Cracking Session Ids

  • hex / base64 encoding

  • predictable token depending on bad algo e.g. +1 or +time

  • weak generation e.g. user AND time -> md5

Fooling Filters

  • Double the input <scr<script>ipt>

  • Bypass by sequence <scri'pt>

  • urlencode (double urlencode)

  • unicode

  • escape / escape escape

SQL injection

  • UNION SELECT NULL, NULL

  • ' or double ''

  • compare the output of 2 with the output of 1+1 (numeric injection check)

  • compare the output of order by 1, 2, 3, ... (column count)

  • select table_schema, table_name from information_schema.tables

  • select into outfile

  • select load_file('/etc/passwd')

Ajax

  • var request = new XMLHttpRequest();

  • request.open('GET', '/muh', true);

  • request.send();

function handler() {
  if (request.readyState === 4) { /* response complete: see request.status / request.responseText */ }
}
var request = new XMLHttpRequest();
request.onreadystatechange = handler;
request.open('POST', '/muh', true);
request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
request.send("name=balle&pass=maeh");

Bypass Same Origin

  • Set header

Access-Control-Allow-Origin: *
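As an added example (not from the original notes), the wildcard setting above beside an allow-list check that only reflects known origins; the allowed origins and test origins are made-up values.

```javascript
'use strict';
// Added example: CORS origin check as a pure function so it can be unit-tested.
// The weak setting "Access-Control-Allow-Origin: *" lets any site read the
// response; the hardened variant reflects the Origin only on an exact match
// against an explicit allow list. All origins below are constructed samples.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak variant: wildcard for everyone. Browsers also refuse to combine "*"
// with credentials, so cookie-based cross-origin requests silently fail.
function corsHeadersWeak() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened variant: exact origin match (no prefix/suffix/regex matching,
// which is where most CORS allow-list bypasses come from), reflect the
// matched origin, and tell caches the answer depends on the Origin header.
function corsHeaders(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return {};   // same-origin or non-browser client
  let parsed;
  try {
    parsed = new URL(originHeader);                   // rejects malformed values and "null"
  } catch (e) {
    return {};
  }
  const origin = parsed.origin;                       // scheme + host + port only
  if (!allowed.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```

Call corsHeaders(req.headers.origin) in the response path and set whatever it returns; an empty object means no CORS headers at all.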

Webworker

  • Run JavaScript in the background

var worker = new Worker("worker_script.js");
worker.onmessage = function(e){
  console.log(e.data);  // message the worker sent with postMessage()
};
worker.postMessage("start");

Client / Session Storage

sessionStorage.setItem('key', 'value');
sessionStorage.getItem('key');
sessionStorage.removeItem('key');

Web SQL

var size = 2 * 1024 * 1024;  // estimated database size in bytes
var db = openDatabase('mydb', '1.0', 'my first database', size);
db.transaction(function (tx) {
  tx.executeSql('CREATE TABLE foo (id unique, text)');
});

Misc

  • Check negative numbers

  • run two sessions / operations at exactly the same time (race conditions)