CSRF
XSS
MD5
SQL Injection
CORS
Origin
drwxr-xr-x 1 root
The attacker scanned someone's web app I was hosting on my server...
...and found some interesting stuff :-)
Nikto
<?php
// Vulnerable login: user input is concatenated straight into the SQL string.
$email = $_POST['email'];
$passwdHash = md5($_POST['passwd']);
$re = mysql_query("SELECT * FROM users WHERE email = '$email' AND password='$passwdHash'");
if (mysql_num_rows($re) == 0) {
    // User unknown or wrong password
} else {
    // Valid password
}
// POSTing the line below to /login gives you immediate access:
// email=' OR id=1 OR '
// The query the server then runs is
//   SELECT * FROM users WHERE email = '' OR id=1 OR '' AND password='<md5>'
// and "id=1" is true for the first user, whatever password was sent.
<?php
// Fixed login: a prepared statement keeps the values out of the SQL text.
$email = $_POST['email'];
$passwdHash = md5($_POST['passwd']); // still md5 here; the password-hashing point below explains why bcrypt belongs in its place
$stmt = $db->prepare("SELECT id, name FROM users WHERE email=? AND password=? LIMIT 1");
$stmt->bind_param('ss', $email, $passwdHash);
$stmt->execute();
$stmt->bind_result($uid, $name);
$stmt->fetch();
$stmt->close();
if ($uid) {
    // Valid password
} else {
    // User unknown or wrong password
}
Binds parameters as STRINGs (NOT SQL Code)
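The same bypass and the same fix, reproduced as an added Python example (not code from the original slides) against an in-memory SQLite table with constructed sample data. The user table, the account and the password are assumptions for the demo; MD5 is kept only to mirror the PHP above.

```python
import hashlib
import sqlite3

# The slides' login-bypass payload, sent as the "email" field.
PAYLOAD = "' OR id=1 OR '"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account, password stored as unsalted MD5
    (mirroring the PHP snippets, not a recommendation)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.execute(
        "INSERT INTO users (id, email, password) VALUES (1, 'alice@example.com', ?)",
        (hashlib.md5(b"correct horse").hexdigest(),),
    )
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, passwd: str):
    """Query built by string interpolation, like the first PHP snippet.
    With PAYLOAD as email the SQL becomes
      SELECT id FROM users WHERE email = '' OR id=1 OR '' AND password='<md5>'
    so the row with id=1 matches regardless of the password.
    Returns the matched user id, or None."""
    passwd_hash = hashlib.md5(passwd.encode()).hexdigest()
    sql = f"SELECT id FROM users WHERE email = '{email}' AND password = '{passwd_hash}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db: sqlite3.Connection, email: str, passwd: str):
    """Parameterised query, like the second PHP snippet: the payload is bound
    as a string value and is compared literally against the email column."""
    passwd_hash = hashlib.md5(passwd.encode()).hexdigest()
    row = db.execute(
        "SELECT id FROM users WHERE email = ? AND password = ? LIMIT 1",
        (email, passwd_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload ->", login_vulnerable(db, PAYLOAD, "anything"))  # 1
    print("fixed, payload      ->", login_fixed(db, PAYLOAD, "anything"))       # None
```

The parameterised version is not "escaping": the driver sends the query text and the values separately, so no value can change the statement's structure.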
md5(pass) is so bad:
FIPS Compliant
salted + slow + many iterations
bcrypt (simplified):
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
$2a  algorithm id
$10  cost factor (2^10 = 1024 iterations)
N9qo8uLOickgx2ZMRZoMye  salt (22 characters)
IjZAgcfl7p92ldGxad68LJZdL17lhWy  hash (31 characters)
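A parser for the bcrypt string format just described, plus a small scan that flags accounts still stored as unsalted MD5. This is an added example, not code from the original slides; the sample rows are constructed, and the field lengths and cost range (4..31) are bcrypt's standard format rules.

```python
import re

# bcrypt uses its own base64 alphabet (./A-Za-z0-9), not standard base64.
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
# An unsalted MD5 digest as PHP's md5() emits it: 32 hex characters.
_MD5_HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_bcrypt(value: str) -> dict:
    """Split a bcrypt string into algorithm id, cost, salt and hash.
    Raises ValueError if the string does not have bcrypt's shape."""
    m = _BCRYPT_RE.match(value)
    if not m:
        raise ValueError("not a bcrypt string")
    ident, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "algorithm": "$" + ident,
        "cost": cost,
        "iterations": 2 ** cost,  # the cost is a log2 work factor
        "salt": salt,
        "hash": digest,
    }


def classify_stored_hash(value: str) -> str:
    """'bcrypt', 'md5-unsalted' or 'unknown' for one stored credential."""
    if _MD5_HEX_RE.match(value):
        return "md5-unsalted"
    try:
        parse_bcrypt(value)
        return "bcrypt"
    except ValueError:
        return "unknown"


def weak_accounts(rows) -> list:
    """rows: iterable of (email, stored_hash). Returns the emails whose
    stored hash is anything other than bcrypt, i.e. the ones to re-hash
    at next successful login."""
    return [email for email, stored in rows if classify_stored_hash(stored) != "bcrypt"]


# Constructed sample rows: the slides' bcrypt example and md5("password").
SAMPLE_ROWS = [
    ("alice@example.com", "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("bob@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_ROWS[0][1]))
    print("needs re-hashing:", weak_accounts(SAMPLE_ROWS))  # ['bob@example.com']
```

A migration does not need the plaintext up front: keep the old MD5 check only until the user next logs in successfully, then store the bcrypt of the password just verified.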
Login Cookies sent by the Browser
POST /_private/browser/stats HTTP/1.1
Host: api.github.com
Connection: keep-alive
Content-Length: 8060
Origin: https://github.com
User-Agent: Mozilla/5.0
content-type: application/json
Accept: */*
Referer: https://github.com/Azure/ACS/issues
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
// Frame-busting: the page starts hidden and only reveals itself when it is the top-level window.
if (self === top) {
    // Not framed: remove the hiding rule so the page renders.
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
} else {
    // Framed by another page: break out of the frame.
    top.location = self.location;
}
</script>
Two pages have the same origin if the protocol,
port (if one is specified), and host are the same for both pages.
Access-Control-Allow-Origin: <value>
application/x-www-form-urlencoded
multipart/form-data
text/plain
OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.other
Accept-Language: en-us,en;q=0.5
Origin: http://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type

HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Content-Type: text/plain
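The same-origin rule, the "simple request" content types and the preflight exchange above, turned into an added Python example (not code from the original slides). The allow-list for bar.other and the captured header dictionaries are assumptions constructed for the demo; the simple-request rules are the standard CORS ones.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """(scheme, host, port). A missing port takes the scheme default, so
    https://a.example and https://a.example:443 are the same origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme))


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


# A request the browser sends without preflight: one of these methods,
# only these headers, and Content-Type limited to the three simple types.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SIMPLE_REQUEST_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def needs_preflight(method: str, headers: dict) -> bool:
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_REQUEST_HEADERS:
            return True  # e.g. X-PINGOTHER or Authorization
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SIMPLE_CONTENT_TYPES:
                return True  # e.g. application/json
    return False


# Assumed server policy for bar.other (constructed for this example).
ALLOWED_ORIGINS = {"http://foo.example"}
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
ALLOWED_HEADERS = {"x-pingother", "content-type"}


def preflight_response(req_headers: dict) -> tuple:
    """Decide the OPTIONS response: (status, response headers)."""
    origin = req_headers.get("Origin", "")
    method = req_headers.get("Access-Control-Request-Method", "").upper()
    wanted = [h.strip().lower()
              for h in req_headers.get("Access-Control-Request-Headers", "").split(",")
              if h.strip()]
    if origin not in ALLOWED_ORIGINS:
        return 403, {}
    if method not in ALLOWED_METHODS or any(h not in ALLOWED_HEADERS for h in wanted):
        return 403, {}
    return 200, {
        # Echo the one approved origin; never "*" on a credentialed endpoint.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # so caches key the reply on the requesting origin
        "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
        "Access-Control-Allow-Headers": "X-PINGOTHER, Content-Type",
        "Access-Control-Max-Age": "86400",
    }


# Constructed from the preflight request shown above.
PREFLIGHT_OK = {
    "Origin": "http://foo.example",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "X-PINGOTHER, Content-Type",
}

if __name__ == "__main__":
    print(same_origin("https://github.com/Azure/ACS/issues", "https://api.github.com"))  # False
    print(needs_preflight("POST", {"Content-Type": "application/json"}))               # True
    print(preflight_response(PREFLIGHT_OK))
```

The github.com capture earlier on the page is exactly the non-simple case: a POST to api.github.com with content-type application/json from the origin https://github.com, so the browser preflights it before sending the body.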
Authorization: Bearer 7e224714-6b43-4b0a-bb92-5123fbbf25f1