Web Security

(as) Non-developer friendly (as possible)

Andrea Valenza <avalz>

:~$ whoami

Andrea Valenza (AvalZ)

Ph.D. Student @ DIBRIS

Vulnerability Assessment of Web Applications

Web

What is the Web?

  • Common name for the World Wide Web
  • Pages accessed by a Web browser
  • Web ≠ Internet
Client-Server Paradigm

Security model

NEVER TRUST THE CLIENT

Client Side Checks

Bypassing Client Side Checks

[ZHA] Client Side Validation

Submit a password longer than 10 characters
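The rule behind "never trust the client" is that any check done in the browser (an HTML `maxlength`, a JavaScript validator) only shapes what a well-behaved browser sends; the request body itself can be written by hand. The following added example (not from the original slides) shows the server side of that rule in Python: it parses a raw HTTP request, then re-validates the password length regardless of what the form did. The request bytes, the `/login` path and the 10-character limit are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Assumption for the example: the same limit the client-side check enforces.
MAX_PASSWORD_LEN = 10


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def validate_password(password: str):
    """Server-side rule, applied to whatever actually arrived on the wire."""
    if len(password) > MAX_PASSWORD_LEN:
        return False, f"password longer than {MAX_PASSWORD_LEN} characters"
    # Printable ASCII only; everything else is rejected rather than "cleaned".
    if not re.fullmatch(r"[\x21-\x7e]+", password):
        return False, "password contains disallowed characters"
    return True, "ok"


def handle_login(raw: bytes):
    """Return (status, message) for a login request, never trusting the client."""
    method, target, headers, body = parse_http_request(raw)
    if method != "POST":
        return 405, "method not allowed"
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        return 415, "unsupported media type"
    form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    password = form.get("password", [""])[0]
    ok, reason = validate_password(password)
    return (200, "accepted") if ok else (400, reason)


# Constructed request: what a browser sends after its own maxlength check passed.
NORMAL_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

# Constructed request with the body written by hand, so the browser's check never ran.
BYPASSED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=" + b"a" * 25
)

if __name__ == "__main__":
    print(handle_login(NORMAL_REQUEST))    # (200, 'accepted')
    print(handle_login(BYPASSED_REQUEST))  # (400, 'password longer than 10 characters')
```

The client-side check is still worth keeping for usability; the point is that the server-side `validate_password` is the only one that counts.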

HTTP Protocol

HyperText Transfer Protocol

Resource exchange over the Internet

HTTP Methods

  • GET — Retrieve a resource
  • POST — Send/update a resource
  • HEAD — Same as GET, but only headers
  • Other methods
    • PUT, OPTIONS, TRACE, CONNECT, …

URLs

Uniform Resource Locator

A reference to a resource on a network

and how to retrieve it.

scheme:[//authority]path[?query][#fragment]

authority := [userinfo@]host[:port]

Sample URL

https://avalz:[email protected]/page.php?id=1&some=thing#websec
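As an added example (not part of the original slides), the Python below dissects a URL into exactly the pieces named in the grammar above, fills in the default port when the URL omits it, and redacts the userinfo part before the URL is logged, since credentials embedded in a URL end up in browser history, proxy logs and referrers. The sample URL mirrors the one on the slide but uses a constructed password and host.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Default ports for the schemes used in the example (assumption: only these two matter here).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: same shape as the slide's URL, with a made-up password and host.
SAMPLE_URL = "https://avalz:secret@example.test/page.php?id=1&some=thing#websec"


def dissect_url(url: str) -> dict:
    """Return scheme, userinfo (username/password), host, port, path, query and fragment."""
    parts = urlsplit(url)
    # urlsplit keeps "userinfo@host:port" together in netloc; the named
    # properties pull the authority apart for us.
    return {
        "scheme": parts.scheme,
        "username": parts.username,
        "password": parts.password,
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme),
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        # The fragment is handled by the browser and never sent to the server.
        "fragment": parts.fragment,
    }


def has_userinfo(url: str) -> bool:
    """True when the URL carries credentials in its authority part."""
    return urlsplit(url).username is not None


def redact_userinfo(url: str) -> str:
    """Rebuild the URL without the userinfo, e.g. before writing it to a log."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    # hostname is lower-cased and IPv6 brackets are stripped; re-add the explicit port only.
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for key, value in dissect_url(SAMPLE_URL).items():
        print(f"{key:>9}: {value}")
    print("contains credentials:", has_userinfo(SAMPLE_URL))
    print("safe to log:", redact_userinfo(SAMPLE_URL))
```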

HTTP Request
HTTP Response

[ZHA] Identify yourself

Make the server accept your request

Sessions and Logins

Basic authentication

base64(username:password)

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

Challenge: get the original credentials!

Set-Cookie: name=value

Optional fields:

  • Expiration date
  • Domain
  • Path
  • Security flags
    • HttpOnly
    • Secure
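The optional fields above are what a reviewer inspects when a session cookie is issued: without `HttpOnly` the cookie is readable from page scripts, without `Secure` it is sent over plain HTTP as well, and a broad `Domain` shares it with every subdomain. The Python below is an added example (not part of the original slides) that parses a `Set-Cookie` header into its name, value and attributes and reports which of those protections are missing. The header values are constructed.

```python
def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a case-insensitive attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes have no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header_value: str) -> list:
    """Return a list of findings for a Set-Cookie header (empty means nothing to report)."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from page scripts")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie also sent over plain HTTP")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: shared with all its subdomains")
    if attrs.get("path", "/") != "/":
        findings.append(f"Path={attrs['path']}: scoped to that path only")
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append("no Expires/Max-Age: session cookie, dropped when the browser closes")
    return findings


# Constructed headers: one issued with the flags set, one without.
GOOD_COOKIE = "sessionid=abc123; Path=/; HttpOnly; Secure; Max-Age=3600"
WEAK_COOKIE = "sessionid=abc123; Path=/; Domain=example.test"

if __name__ == "__main__":
    for header in (GOOD_COOKIE, WEAK_COOKIE):
        print(header)
        for finding in audit_cookie(header) or ["no findings"]:
            print("  -", finding)
```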

[ZHA] Old School Login

Log in as “admin”

Recon

Info Gathering

  • Name/Version of the server
  • Database version
  • Programming language used
  • Hidden content
    • Directory listing
    • robots.txt
    • Common page names

Amazena

The zeneise book shop

“Stay home and send us money”

All challenges available at ZenHackAdemy

Sanity Check

This one is really easy, just open the challenge and you’re done!

Barbie

Purchase item “Barbie - Principessa dell’Isola Perduta” with any valid account.

Computer Security

Purchase the unavailable “Esami di Computer Security” with any valid account.

Incident Response

Purchase Incident Response with the [email protected] account.

Bonus challenge

Find all the hidden books

HINT: every book has a numeric ID

Try this at home!

Root Me — Web - Client

https://root-me.org