diff --git a/Cryptography/README.md b/Cryptography/README.md index 9f464a5..95a09ae 100644 --- a/Cryptography/README.md +++ b/Cryptography/README.md @@ -1,5 +1,8 @@ # Cryptography +* Often data is just encoded in base64 or hex. Other thimes it's just compressed (gzip). + + ## MD5 @@ -225,7 +228,34 @@ $ ./openssl s_client --no_tls1 --no_ssl3 --connect :443 * For Identification and verification of encoding supported by the Website we can use **EcoScan34**. +--- +## Block Cipher Encryption + +* Electronic code book (ECB) mode. +* Simplest and default block cipher mode. +* Message is split into blocks and each is encrypted separately. +* Disavantage: identical plaintext block encrypts to identical cipher text block (for example, figures). + +### Attacking Randomness + +* Good Randomness is vital for cryptographic operations. + +* Two common attack against a PRNG : + - PRGN state is reconstructed from its output. + - Same PRNG is used more than once. + +* Statistically random is not secure random! + - if a PRNG is seeded with a value the attacker can influence, the state of the PRNG is likely compromised. + +* Seed race condition attacks: + - System clock often used to seed PRNG + - Submit 10's or 100's of rquests at a time. Seed a PRNG with the same system clock and the output will be the same. + + + + +---- diff --git a/Web_Security/README.md b/Web_Security/README.md index fa55be2..a7aded2 100644 --- a/Web_Security/README.md +++ b/Web_Security/README.md @@ -263,6 +263,32 @@ Set-Cookie: SID=472ndsw;expires=DATE;path=/;domain=SITE,HttpOnly - Burp Suite - FireBug] in Firefox + +---- + +## Same-Origin Policy + +### DOM Same-Origin Policy + +* JavaScript executing in context of one document should not be allowed to access context of another document, unless: **protocol, hostname and port all match**. This defines a document's origin. + +* IE doesn't always observer port number. + +* Wildcard * policies is ill-advised: explose content on your domain to script access from any/all origins. + +### Cross-Domain Policies + +* Extend SOP beyond a document's origin. +* Permit applets originating from another domain access to resources. +* Permit issuing arbritary HTTP requests with whitelisted headers. + +### CORS - Cross Origin Resource Sharing + +* Browser allows XMLHttpRequest's to acess response data return from cross-origin requests when: + - Response contains Acess-Control-Allow -Origin header + - Requst's Origin value is defined in set + + ---- ## OWASP TOP 10 @@ -307,6 +333,12 @@ SELECT user_id FROM user_data WHERE name='john' and password='password' ## CSRF +* Tricks victim's browsers into performing unsuspecting actions. + +* Server doesn't verify request was imitated from the expect client-side origin. + +* Browser naively submits credentials when attempting to retrieve resources. + * Identification and verification manual of CSRF can be done by checking in the website's forms (usually where most often find this vulnerability). * To check this, you will need to copy an original request (GET / POST) on a form and then make a change in the parameters and re-send the same request modified. If the server does not return an error, it can be considered that it is vulnerable to @@ -314,6 +346,22 @@ CSRF. * To perform this task, we can use the tools **csrftester** or **burp** proxy. +* Can be used to exploit admin-only vulnerabilities (router admin pages, etc). + +* A simple mitigation, often hard to implement: include secret user/session specific value with request. + + +### Example of CSRF + +1. User logs into account at bank.com +2. In another tab, user visit a site that sources an image from: +``` + +``` +3. User's browser sends a GET request from the image. +4. User just transfered 100k into Joe's account. + + ---- ## XSS @@ -446,6 +494,156 @@ qr / ((could not|cannot|unable to) (open|find|access|read)|(path|file) not found +--- + +## Authentication + +* Applications can verify identity based on: + + - Something the user knows: password, passphrase, pin, etc. + - Something the user has: smartcard, security token, mobile device/ + - Something the user is or does: fingerprint, voice recognition. + +* Common authentication methods: + - HTTP authentication + - Form-based + - Kerberos/NTLM + - Single Sign-on (SSO) + - Certificate based + +### Basic Authentication + +* Credentials are Base64 enconded: in the format username:password +* Each subsequent request includes credentials with the Authorization HTTP request header. + +* For example, admin:admin is YWRtaW46YWRtaW4=: + +``` +GET /home.jsp HTTP/1.1 +Host: www.acme.com +User-Agent: Mozilla/4.0 +Authorization: Basic YWRtaW46YWRtaW4= +``` + +* Password brute force: if no lockout, automate: **Hydra, Brutus**. + + +### Bypassing Authentication + +#### Server-Side + +* Predicting session tokens: what's the character composition of cookie? +* Session hijacking via fixation/trapping: same session cookie used pre and post authentication? +* Exploiting an injection flaw in login routine: SQL Injection. + +#### Client-Side + +* Does application set persistent authentication cookies: remember me or look for Expires attribute of Set-Cookie header. + +* Back button to steal cached credentials (credentials stored in browser memory). + +### Weak Authentication + +* Does application authenticate requests across all resources? + +* Issue direct requests to resources (forceful browsing): guess common file names. + +* Inventory resources authenticated & request anonymously. + - Authenticate, crawl through UI, and record requests, responses. + - Re-issue those requests unauthenticated and diff responses. + + + +----- + +## Authorization + +* System of determining whether a user is allowed to access a particular resource. + +* Role-based authorization. + +* Access decision can be made at: + - resource level + - function/method-level + - record-level + +### Authorization Attacks + +* Vertical: + - Elevate to a more privileged user + - access restricted functionality + - edit records intend to be read only + +* Horizontal: + - access another user's data + +* Parameter manipulation: insecure direct object reference (DB record id's exposed to user). + +* Failure to restrict URL access: + - protect sensitive functionality by disabling the display of links, buttons, URL, and hiddel URL or parameters. + - forceful browsing is a common attack technique: typically results in vertical escalation, administrative interfaces. + + +--- + +## Attacking Web Servers + +### XML Web Services + +* Facilitate machine to machine interaction: + - usually implemented as middleware, though sometimes called directly by the client. + - often implemented using **Simple Object Access Protocol (SOAP)**. + - request and Response structure defined by *8Web Service Definition language (WSDL). + +### Attacking web services + +1. Locate the web service endpoint. + + * pay attention to proxy logs + * look for common web service endpoints: .asmx, .svc, /axis, /axis2 + +2. Obtain metadata. + + * Try appending **? WSDL** or **.wsdl** to endpoint URL. +``` +: Operations performed by the web service +: Messages used by the web service +: datatypes used by the web service +: protocol used by the web service +``` + +3. Invoke the web service: + + * Issue SOAP requests directly to end point (SoapUI) + * Fuzz inputs just like any other parameter: same vulnerabilities. + +### Exploiting XML Parsers + +* Web services often vulnerable to common attacks on XML parsers. +* Entity expansion attacks: + - Denial of service against XML parser. + - Infinite recursion occurs during parsing. +* XML External Entity attacks: + - Information disclosure to almost anything. + +### XML External Entity Attacks: + +1. Define an XML entity in the DTD +2. Reference defined entity in XML body. +3. Parser will read /etc/passwd contents into e1: + +``` +]> + +&x3; + +``` + +---- + + + + ----------------- [FireBug]: http://getfirebug.com/ [Burp Suite]: http://portswigger.net/burp/