
How to build a secure Web App

Seeing that most data breaches happen because of the lack of security knowledge among developers, I believe the best way to prevent an attack is to understand it as well as possible, and that is what I will try to do in this post. We will go into the technical details of how a bug is attacked by an attacker and how to avoid these kinds of attacks. In this post we will focus on some of the most widespread and most dangerous problems.


  • Cross Site Scripting
  • Bad Session Management
  • SQL injection



Cross Site Scripting

  • Why it happens:
          Inputs are not validated or filtered.
  • Impact:
          Theft of the session id and cookies, and it can go as far as command execution.

Here is an example:

<?php
  // Vulnerable: the "emri" (name) parameter is echoed into the page exactly as received.
  if(isset($_GET["emri"])){
      echo "Miresevini " . $_GET["emri"];
  }
?>

If we look carefully, we display the "emri" parameter directly without validating it, which makes XSS possible, as we can see in the picture below.



To fix this problem it is enough to validate the "emri" parameter:

<?php
  // Fixed: HTML special characters in the parameter are converted to entities before output.
  if(isset($_GET["emri"])){
      echo "Miresevini " . htmlspecialchars($_GET["emri"]);
  }
?>

Using the htmlspecialchars() function sanitises the "emri" parameter: the HTML special characters are converted to entities, so the browser displays them as text instead of interpreting them as markup.
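As an added example (not code from the original post), the same greeting escaped for both output contexts a form page typically uses, body text and a quoted attribute; the helper names html_escape(), render_greeting() and render_name_input() and the sample inputs are constructed for this example:

```php
<?php
// Added example, not from the original post: output escaping for the "emri" parameter.

// Escape a value for HTML body text or a quoted attribute.
// ENT_QUOTES also converts single quotes, which htmlspecialchars() leaves alone
// by default on PHP versions before 8.1; the charset avoids mis-decoding multibyte input.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The greeting from the post, with the parameter escaped.
function render_greeting(string $name): string
{
    return "Miresevini " . html_escape($name);
}

// The same value reused inside an attribute: quoting the attribute AND escaping
// the quotes is what keeps the input from closing the attribute early.
function render_name_input(string $name): string
{
    return '<input type="text" name="emri" value="' . html_escape($name) . '">';
}

// Constructed sample inputs: a plain name, one carrying markup, one carrying a quote.
$samples = [
    'Arben',
    '<script>alert(1)</script>',
    '" class="x',
];

foreach ($samples as $input) {
    echo render_greeting($input), "\n";
    echo render_name_input($input), "\n\n";
}
```

Run it with `php xss_escape.php` (hypothetical file name) and compare each escaped line with its input: the markup and quotes survive only as entities.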


Bad session management

  • Why it happens:
          Developers build login mechanisms without having the necessary experience.
  • Impact:
          Privilege manipulation.
          Identification as another user, etc.

The figure below shows a sample code:


We have a very simple application that checks in the cookie whether the visitor is a plain user or an administrator.

By default the value of the "admin" cookie is 0 and we are a plain user, but what happens if we modify the value and set it to 1?

By modifying the cookie we managed to escalate our privileges.

How to avoid it?

  • Use secure libraries that have been tested.
  • Use the programming language's own session mechanism.
  • Encrypt the values stored in the session and in cookies.
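As an added example (not the post's own code), the "admin" cookie check beside the same decision taken with PHP's built-in session, where the role never leaves the server; the function names start_secure_session(), is_admin_from_cookie(), login_user(), is_admin() and logout_user() are hypothetical:

```php
<?php
// Added example, not from the original post: role stored server-side instead of in a cookie.

// Hardened cookie settings must be set before session_start().
function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript, limits cookie theft via XSS
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not sent on most cross-site requests
    ]);
    session_start();
}

// The vulnerable pattern from the post: the role is read from a cookie the visitor controls,
// so the visitor decides the outcome of the check.
function is_admin_from_cookie(array $cookies): bool
{
    return isset($cookies['admin']) && $cookies['admin'] === '1';
}

// Called after the credentials have been verified: the role is written to server-side
// session storage and the session id is rotated so a pre-login id cannot be reused.
function login_user(int $userId, string $role): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['role']    = $role;
}

// The browser only holds the session id; the role is looked up on the server.
function is_admin(): bool
{
    return ($_SESSION['role'] ?? '') === 'admin';
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed demonstration: a forged cookie passes the cookie check,
// while the session-based check reflects only what the server stored at login.
$forgedCookies = ['admin' => '1'];
var_dump(is_admin_from_cookie($forgedCookies));

start_secure_session();
login_user(7, 'user');
var_dump(is_admin());
logout_user();
```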

SQL Injection

  • Why it happens?
          Inputs are passed into the query without being validated and filtered.
  • Impact?
          Execution of queries, reading and writing of files, etc.

Below we have a sample code which connects to a database, checks whether the username and password are correct and gives you access to the system.


The person database contains the data for two users, admin and moderator, as shown below:



To look more carefully at the query being executed, the query is printed. Logging in with a valid username and password such as admin : 123456


As we can see the QUERY is normal and everything went as it should. The problem is that if an SQL special character is entered in the query it will be interpreted as such. For example, if instead of the username we pass the value ' or 1=1# we will be logged in as the first user in the database.

The query becomes the following:
SELECT * FROM `users` WHERE `username` = '' or 1=1;#' and `password` = ''
Since the part after # is treated as a comment in the query and the condition "OR 1=1" always returns true, logging into the application becomes possible, as shown below:




How to avoid it:

  • Use prepared statements.
  • Filter and validate inputs.
  • Give the database user low privileges.
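As an added example (not the post's own code), the login query rewritten as a prepared statement; it runs against an in-memory SQLite database seeded with two constructed accounts so it works offline, and the helper names build_unsafe_query() and login() are hypothetical:

```php
<?php
// Added example, not from the original post: prepared-statement login with hashed passwords.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `users` (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');

// Constructed accounts; passwords are stored as hashes rather than in clear text.
$insert = $db->prepare('INSERT INTO `users` (username, password) VALUES (?, ?)');
$insert->execute(['admin', password_hash('123456', PASSWORD_DEFAULT)]);
$insert->execute(['moderator', password_hash('changeme', PASSWORD_DEFAULT)]);

// The vulnerable form from the post, shown only as the string it would build:
// the input is pasted into the SQL text, so quotes and comment markers rewrite the query.
function build_unsafe_query(string $username, string $password): string
{
    return "SELECT * FROM `users` WHERE `username` = '$username' and `password` = '$password'";
}

// Safe form: the username is sent as a bound parameter, never as SQL text, and the
// password is checked with password_verify() instead of an equality inside the query.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM `users` WHERE `username` = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// The string concatenation reproduces the broken query from the post.
echo build_unsafe_query("' or 1=1#", ''), "\n";

// With the bound parameter the same value is just a username that does not exist.
var_dump(login($db, 'admin', '123456'));
var_dump(login($db, "' or 1=1#", ''));
```

The in-memory SQLite database requires PHP's pdo_sqlite extension; with MySQL the same code works once the DSN and credentials are changed.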




This post is entirely for beginners, and to understand the concepts above properly you need to do more detailed research that cannot be learned from a single blog post. The information above is for educational purposes, and using it to cause damage or carry out illegal actions is the responsibility of the individual and not of the author of this post.
