1 / 14

Hacking websites for fun & profit

Explore the intricacies of web security through the lens of hacking techniques used for fun and profit. This guide covers critical concepts such as form parameter manipulation, cookie manipulation, SQL injection, and cross-site scripting (XSS). Learn how data can be exploited and the importance of validation to protect against vulnerabilities. Discover methods to secure your applications, including session management, encoding, and effective use of server-side hashes. Stay informed about security best practices to safeguard your web applications from malicious attacks.

miller
Download Presentation

Hacking websites for fun & profit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hacking websites for fun & profit Barry Dorrans Charteris plc http://idunno.org

  2. Form Parameter Manipulation “Important” data is for server sideHash or ChecksumDuplicate validation

  3. Cookie Manipulation Hash or ChecksumValidate

  4. HTTP Headers Easily Faked Validate

  5. Cross Site Scripting / XSS Beware < & >Never display raw inputDo not turn off validation site wide

  6. Cross Site Scripting / XSS There’s more to script than <script>HTML tags have eventsSession hijacks, cookie stealing, browser hijinks

  7. Character Encoding \ = %5C = %255C = %%35%63Server.*Encodehttp://ha.ckers.org/xss.html

  8. SQL Injection Manipulation of “raw” SQLStored ProceduresNamed Parameters

  9. SQL Injection SQL PermissionsCAS / Data Access AssembliesManaged Components

  10. Storing Secrets Hashing is not encryptingDictionary attacksSalt your data

  11. Leaking Information; Search Search Engines"# -FrontPage-" inurl:service.pwd http://johnny.ihackstuff.com/

  12. Leaking Information; Errors Exceptions<compilation debug="true" />

  13. Leaking Information; ViewState ViewState is not encrypted by defaultMAC lock • <system.web> <machineKeydecryptionKey="AutoGenerate,IsolateApps" decryption="3DES" ... /> <system.web/>

  14. Are you scared yet?

More Related