Web Security¶
Information disclosure¶
CVS/Entries .svn/entries .git/index
hidden parameter debug / test / trace = true / on / 1
docs / logs / backup / conf / test
Authentication¶
Common users: admin, test, demo, guest, $company, $product
Common passwords: test, test123, password, password1, password123, qwertz, qwerty, letmein
Look at: Password Recovery, Remember me
ACL bypass techniques¶
Try GET instead of POST and vice versa
Try HEAD instead of GET
Double-Slash URL
Hidden Parameter like loggedin / isadmin = true / on / 1
change userid
Cracking Session Ids¶
hex / base64 encoding
predictable token depending on bad algo e.g. +1 or +time
weak generation e.g. user AND time -> md5
Fooling Filters¶
Double the input <scr<script>ipt>
Bypass by sequence <scri’pt>
urlencode (double urlencode)
unicode
escape / escape escape
SQL injection¶
UNION SELECT NULL, NULL
‘ or double ‘’
output von 2 vergleichen mit 1+1
output vergleichen von order by 1 2 3
select table_schema, table_name from information_schema.tables
select into outfile
select load_file(‘/etc/passwd’)
Ajax¶
var request = new XMLHttpRequest();
request.open(‘GET’, ‘/muh’, true);
request.send();
var request = new XMLHttpRequest();
request.onreadystatechange = handler;
request.open('POST', '/muh', true);
request.send("name=balle&pass=maeh");
Bypass Same Origin¶
Set header
Access-Control-Allow-Origin: *
Webworker¶
Run javascript in the background
var worker = new Worker("worker_script.js");
worker.onmessage = function(e){
e.data
};
worker.postMessage("start");
Client / Session Storage¶
sessionStorage.setItem('key', 'value');
sessionStorage.getItem('key')
sessionStorage.deleteItem('key')
Web SQL¶
var db = openDatabase('mydb', '1.0', 'my first database', size)
db.transaction(function (tx) {
tx.executeSql('CREATE TABLE foo (id unique, text)');
}
Misc¶
Check negative numbers
zwei sessions / operationen exakt gleichzeitig ausführen