Top 3 Most Dangerous Lines of Code

Video Statistics and Information

Captions
I'm going to show you the three most dangerous lines of code in web application security, and we're not just going to talk about it, I'm going to show you how to exploit it, and naturally, with any good hacking video, we'll pop some shells at the end. Don't forget to like and subscribe, and let's dive in.

First up we have some code that lets us traverse directories and read basically any file we want, and for good measure I've written this in Node and PHP, but of course there are variations of the snippets across every language. Now, what's happening here is the input is being directly passed into the fs.readFile or the file_get_contents function, which are both used to grab the contents of a file from the system and return it. If our input goes in unchecked, the results can be pretty dire. Let's take a look.

So here we are at our first demo. All we're going to do is click the drop-down and decide on whether we want an espresso or a latte. I'm more of an espresso kind of guy, so I'm going to go with that and click load file, and we get a guide on how to make espresso at home. Here at the top we notice we have the parameter file name, and this equals espresso.txt. All we're going to do is test for ../ a bunch of times to make sure we're at the root of the file system, and we're going to go /etc/passwd, hit enter, and you can see that we have indeed loaded the /etc/passwd file. So, pretty trivial in this case where we're using fs.readFile and we're not checking the inputs. Now, this might not be very exciting for you if you've seen this path traversal or directory traversal and the file read attack before, but something to look at is once we get /etc/passwd and we verify the vulnerability, we can start doing things like /home/kali/.ssh and reading things like id_rsa, and here we can steal this private key. And now I'm gonna have to go and rotate my keys, but never mind, this is always a great win in a penetration test and demonstrates the impact of the vulnerability.

Now, nothing has done more for the security industry than SQL injection, and I suppose this makes sense, since you can't have heroes if there are no villains. Our first snippet is a variation of SQLi in that it's using NoSQL, but the principles are exactly the same: if we can inject some code that changes the query used to interact with the database, we have SQL injection. And our PHP snippet is the more classical variation of this attack. A quick fun story for you: going back to when I built my first online browser game around the age of 13, someone actually bricked the whole thing using SQL injection, but afterwards they ended up helping me fix the issue and spent a fair bit of time doing dev work for the site. Weird, huh? That's hackers for you.

Let me show you a quick SQLi demo. In this case our application is going to read from the database rather than from a file, so what we're going to do is come down and again select our espresso, hit load guide, and we get a guide to making espresso at home. As we can see, there's a guide parameter in the URL, so I'm just going to change this to something like UNION SELECT username FROM users. This comes back with Jeremy, so in this case, instead of selecting the content from the guides table and returning it back, we're saying hey, select the contents and UNION SELECT the username from users, and since the contents is empty, we get the username back. And we can do the same thing and try and grab Jeremy's password, and we get his SHA-256 hashed password in this case. Once again, our code is taking our input without question and allowing us to manipulate the application to give us what we want rather than what the application was designed to do.

Let's take a look at our last line of dangerous code. There's a reason we have the saying "eval is evil", and it's because it's probably the easiest way to get code execution on an application. Of course there are other functions that give you code execution, but eval is often the main culprit. That's not to say it can't be used safely, it's just easy to get wrong. Let's take a look at our final lab. So for this one it looks like we need to input the number of espressos and the number of lattes that we want to drink, so let's go with four espressos, two doubles, not too bad, and just for the people who like lattes out there let's go with one latte, and we hit calculate time, and it looks like the total time to make all of the drinks is 11 minutes. And we notice there's nothing in the URL, so we're gonna have to switch over to Burp Suite to have a look and see what's going on and then play with this application. So I'm just going to come over, come to Proxy, HTTP history, POST to /calculate, I'm going to come here, press Ctrl+R, send to Repeater, and then let's send the request again, and you can see that we get the same results. So in this case the application is using eval, so I'm going to go ahead and just throw in a payload and see what comes back. So in this case we're just going to include fs and then we're going to readFileSync /home/kali/.ssh/id_rsa, so taking a leaf out of the book from our first vulnerable line of code, and we hit enter, and you can see that we've indeed stolen the SSH key. But we've already done that, so let's actually go ahead and pop a shell. And before we do this we're gonna have to come over to the terminal and set up a listener, so netcat -nvlp, and then we'll come back. I'm going to copy and paste this because otherwise I will typo everything as it's quite long. Paste in our shell, make sure we're connecting to 127.0.0.1 (we'll get a shell locally, not the most exciting shell in the world, but still good for demo purposes), and then we're going to connect on 4444, and we hit send, and the moment of truth: when we alt-tab over we get a connection from ourselves, and if we do whoami we get kali, hostname kali as well. So that's our three most dangerous lines of code for web applications.

Now, I realize it's easy to point at some application with no protection and talk about how bad these attacks can be, but all of them still crop up in modern web apps, even if it's somewhat less frequent than it used to be. So before you go, let's quickly consider some generic ways we can protect our application against these attacks. To prevent path traversal and arbitrary file read, we should of course validate and sanitize our user inputs to ensure that they don't contain dangerous characters like ../ or similar patterns. Using an allow list in this case is better than using a block list, as block lists tend to get bypassed. Also use built-in functions such as realpath in PHP to resolve absolute paths, and don't run your web server with a privileged account; that's usually a given and the best practice. But we can also limit the types of files users can access by using an allow list of extensions. To protect against SQL injection, of course we should use prepared statements so that data is treated as data and not as code, and again sanitizing user inputs and thinking about the privileges of our users and application. And finally, for eval, the easy solution is to not use eval. We'll get around to doing a hands-on dive on web app defenses in the future, but for now I hope this helps you out, and if there's something else you want us to cover, let us know in the comments below, and I'll see you next time.
Info
Channel: The Cyber Mentor
Views: 15,312
Id: 0mOW2eZ_oAU
Length: 8min 30sec (510 seconds)
Published: Fri Apr 07 2023