So first one down, and it was actually pretty simple. Below is the solution I submitted.
Explain the security problem
The user is able to supply both the username and password used to log in to the website. That user input is placed directly into the SQL sent to the back end of the web app, so the user can inject SQL of their own and bypass the app's authentication.
Explain your attack. (exploit, screenshot, hacking journal)
After a quick play with the web app, I decided to start as simply as possible and assumed that the SQL statement for the login authentication was as below.
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
In the username field I used hacker10
In the password field I used 1' or '1' = '1
This created the statement SELECT * FROM Users WHERE Username='hacker10' AND Password='1' OR '1' = '1'
This was a valid SQL statement and it logged me in as hacker10, because the SQL checked that the password for hacker10 was 1 or that 1 = 1; as 1 = 1 is always true, it logged me in. Strictly, AND binds tighter than OR, so the WHERE clause is really (Username='hacker10' AND Password='1') OR '1' = '1', which matches every row in Users; the app then logged in the row it took first, which here was hacker10.
To complete the challenge I supplied the credit card number below.
Explain mitigation (remedy)
The simplest mitigation is to use prepared statements when building the site. They force the developer to define all of the SQL up front and bind the user input as data, so an attacker cannot change the intent of the statement as I did above. A prepared statement would literally look for a user whose password is the string 1' or '1' = '1 and fail to find one.
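To make the bypass and the fix concrete, here is an added example of my own; it is not code from the challenge site or from the submitted solution. It uses Python's sqlite3 module with a constructed Users table of two made-up accounts (the column names, passwords and card numbers are assumptions). vulnerable_login builds the query by string formatting, exactly as the assumed statement above does, while safe_login binds the same inputs as parameters of a prepared statement.

```python
import sqlite3

# Constructed sample data for the demo, not rows from the challenge site.
USERS = [
    ("hacker10", "s3cret-pass", "4111111111111111"),
    ("alice", "correct horse", "5555444433331111"),
]

# The password-field payload used in the write-up above.
PAYLOAD = "1' or '1' = '1"


def open_db():
    """Create an in-memory Users table matching the assumed login query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, CreditCard TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def build_vulnerable_query(username, password):
    """The assumed server-side statement: user input pasted straight into the SQL text."""
    return "SELECT * FROM Users WHERE Username='%s' AND Password='%s'" % (username, password)


def vulnerable_login(conn, username, password):
    """Run the string-built query; return the Username of the first matching row, or None.

    With PAYLOAD as the password the WHERE clause becomes
    (Username='...' AND Password='1') OR '1' = '1', which matches every row,
    so the caller is logged in as whichever row the database returns first.
    """
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Prepared (parameterised) statement: inputs are bound as values, never parsed as SQL.

    The payload is compared literally against the Password column and matches nothing.
    """
    row = conn.execute(
        "SELECT * FROM Users WHERE Username=? AND Password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = open_db()
    print(build_vulnerable_query("hacker10", PAYLOAD))
    print("vulnerable:", vulnerable_login(conn, "hacker10", PAYLOAD))   # hacker10
    print("vulnerable, bogus user:", vulnerable_login(conn, "nobody", PAYLOAD))  # still hacker10
    print("prepared:", safe_login(conn, "hacker10", PAYLOAD))            # None
    print("prepared, real password:", safe_login(conn, "hacker10", "s3cret-pass"))  # hacker10
```

The second vulnerable call is the precedence point: the username does not even have to exist, because the injected OR applies to the whole condition and every row matches. The account you land in is simply the first row the database hands back, which is why real-world bypasses often log in as the first user created, typically an administrator.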
So last year was an eye opener for me. I learnt a lot, but I spent nowhere near as much time as I wanted to on infosec-related learning. I did get into the Cyber Security Challenge Masterclass though, and with it being only a few months away I think I need to put some serious effort into practising everything I have been reading about. I recently found the site hacking-lab.com, which has quite a few challenges that I am going to sink my teeth into.
So my resolution for the first part of 2014 is quite modest: I am going to do one challenge a week and document my process. The full challenge I am working on is the OWASP Top 10 challenge, and the first one is SQL injection. Wish me luck!
I found out about the Cyber Security Challenge quite recently; I think it was from someone's Twitter post. Needless to say, I found their website interesting: the opportunity to take part in online and face-to-face challenges, all going towards the final Masterclass.
When I registered I found the site a little unintuitive, in that the closing date to sign up seems to be when the challenge finishes, but once I had worked that out I signed myself up to a couple of challenges. One was designed by SANS and Sophos and was a multiple-choice quiz with approximately 20 questions.
They were not easy questions! They were very varied and a real challenge. I made a deliberate attempt not to Google any of the answers as I wanted to use it as a test of my knowledge, but the Windows questions did scare me if I am honest! About a week or two later I got an email with my score: I scored 17.67 and it had taken me an hour and forty-eight minutes. I was happy with that score, but even happier when I found that it had put me in the top 15 and earned me a place at a face-to-face event at Bletchley Park.
While this was going on I also received an invite to go up to Glasgow and take part in the Cyber Security Challenge Camp. When I found out I had managed to snag a place I was a little concerned I would end up being the oldest person there and completely out of my depth. I couldn't have been more wrong: every age seemed accommodated for and there were many different levels of experience present.
We were thrown in at the deep end, split into teams and tasked with designing a security-influenced product; my team decided to go with an idea I have previously blogged about. We spent time with security experts from BlackBerry who helped flesh out our idea. We then had to present it in a 7-minute pitch to a VIP who decided the winner. Alas it was not my team but a product titled Billy Goat; I will leave you to work out what their product idea was.
Day two saw us getting on a bus to Tulliallan Castle and the Scottish Police College, where we were tasked with creating an evidence report for trial and recovering data from a BlackBerry. The trial was to take place that very afternoon. Now, one thing I must say is that this was an experience money just cannot buy. It was also the task I was least looking forward to, if I'm being 100% honest, but it was an amazing experience and really opened my eyes to the idea of working for the police in the future. The mock trials were both insightful and hilarious. Detective Inspector Eamonn Keane, head of the e-crime unit, deserves a medal in my opinion for making it possible for us to have that experience, and I hope over the next few years other people get to experience it too.
Our final task was NETWARS, designed by SANS and used worldwide to test and teach network penetration testing. Again a great experience; it was England vs Scotland and obviously Scotland won. I am not going to go into detail about NETWARS as I think it deserves a blog post all to itself.
So my experience so far?
The Cyber Security Challenge are doing everything in their power to help people find direction in the cyber security industry. It can't be an easy task, but they make it look easy! I have made friends for life, people who no doubt will be there to help me over the years. So please support them by taking part in their challenges, and maybe you could be going to the Masterclass in March 2014. You can sign up at https://cybersecuritychallenge.org.uk/
Having just arrived in Glasgow, I am sitting in a cafe drinking Vimto and wasting an hour until I can check into my room. I am here for the Cyber Security Challenge Camp.
I hear the first challenge to face us here will be a Dragons' Den style competition to create a security product and a business model around it. I have some ideas for this, but they are not great ideas. Everything simple seems to have been done, so you have to look at more complex solutions to problems people will face.
The first thought that springs to mind is something to protect against insecure wireless networks. I'm using one at the moment to publish this (using a VPN, of course!), but what about the average member of the public? Most people just don't bother, so what about some device or program that detects you're on a public network and routes your traffic through a VPN, for a cost of course.
How that would technically work I have no idea!
I have had an issue that has been bugging me recently. I was trying to do a stored XSS, but the form field would only let me store a small amount of data, so I could only ever get to having something like.
Which obviously doesn't give much room to do anything at all. So I left it for a while, but today decided to come back to it and started thinking: could I not use the other fields in the form as well?
It turns out I could, with the use of comments, so after much trial and error I was able to get something working.
I had 4 fields I could use and ended up breaking the XSS down like so.
What I hoped to achieve here was that the comments would take out all of the markup between the form fields and join my XSS together. It did; this is what the source looked like.
And that is now stored, so when the page is reloaded we get a nice alert with the cookie. I have disclosed this to the website involved and once it has been rectified I will give full disclosure with some screenshots.
Feel free to leave a comment, or you can catch me on Twitter @kurtisebearuk
We all seem to take a lot from the community. The number of tools I have only used once but that have been invaluable litters my hard drive. So in my quest to learn Python I have created something that actually has a use!
I needed to open a PDF file that I knew part of the password for, but I was missing a vital bit of information. The password was in the format "[businessname][sender]XXXX"; I knew the business name and the sender, and XXXX was a number from 0000 to 9999.
Now I could no doubt have found a PDF brute-forcer online, but I wanted a bit of a challenge. I had a look at some PDF libraries and came across PDFMiner, and decided to have a go at making a tool I could use. The result was PDFCrack.py; it's pretty simple but does require PDFMiner to be installed.
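The candidate-generation half of a tool like this, as an added example of my own and not the page's PDFCrack.py: it expands a hashcat-style mask (?d = digit, ?l = lowercase, ?u = uppercase, anything else literal) after a known prefix and stops at the first candidate the supplied checker accepts, so the "[businessname][sender]XXXX" case is just the prefix plus the mask ?d?d?d?d. So that it runs offline without a PDF library, the runnable part checks candidates against a SHA-256 hash of a constructed password ("AcmeLtdJSmith4821", made up for the demo). The pdf_checker adapter shows how the same loop would drive a real file through pypdf; that library, its PdfReader.decrypt call and the path are assumptions, and pypdf is a different library from the PDFMiner the original tool used.

```python
import hashlib
import itertools
import string
import sys

# Character classes for a hashcat-style mask: ?d digits, ?l lowercase, ?u uppercase.
MASK_CLASSES = {"d": string.digits, "l": string.ascii_lowercase, "u": string.ascii_uppercase}


def candidates(prefix, mask="?d?d?d?d"):
    """Yield prefix + every expansion of mask, in order ("?d?d?d?d" gives 0000..9999).

    A "?x" pair names a character class; any other character is taken literally.
    """
    classes = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in MASK_CLASSES:
            classes.append(MASK_CLASSES[mask[i + 1]])
            i += 2
        else:
            classes.append(mask[i])  # literal character, a one-element "class"
            i += 1
    for combo in itertools.product(*classes):
        yield prefix + "".join(combo)


def crack(prefix, check, mask="?d?d?d?d"):
    """Return the first candidate that check() accepts, or None if the space is exhausted."""
    for password in candidates(prefix, mask):
        if check(password):
            return password
    return None


def pdf_checker(path):
    """Assumed adapter for a real encrypted PDF using pypdf (must be installed separately).

    PdfReader.decrypt returns PasswordType.NOT_DECRYPTED (== 0) for a wrong password and a
    non-zero value when the user or owner password is accepted.
    """
    from pypdf import PdfReader  # imported lazily so the rest of the module works without it

    reader = PdfReader(path)

    def check(password):
        return reader.decrypt(password) != 0

    return check


# Constructed stand-in for the locked PDF: the target is the SHA-256 of a made-up password,
# so the demo exercises the full search loop without any PDF dependency.
TARGET = hashlib.sha256(b"AcmeLtdJSmith4821").hexdigest()


def hash_checker(password):
    """Accept a candidate only if it hashes to the constructed TARGET."""
    return hashlib.sha256(password.encode()).hexdigest() == TARGET


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python pdfcrack_demo.py <file.pdf> <known prefix>   (needs pypdf)
        print(crack(sys.argv[2], pdf_checker(sys.argv[1])))
    else:
        print(crack("AcmeLtdJSmith", hash_checker))  # AcmeLtdJSmith4821
```

Keeping the checker separate from the generator is what makes the tool reusable: the same 10,000-candidate loop drives a PDF library, a hash, or a ZIP archive, and swapping the mask to ?d?d?d?d?d?d or ?l?l?d?d costs nothing. Note that pypdf's decrypt is called on one already-opened reader per attempt; reopening the file for every candidate would dominate the run time.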
It could probably be so much better, but it's my first attempt at a tool I actually had a use for, and I must say when you run something you created yourself and it works and solves the issue it was designed for, it makes you damn happy.
If you want to have a look you can download it from here : PDFCrack.py.
If you have any suggestions or ideas on how to improve it, feel free to leave a comment. You can always find me on Twitter too: @kurtisebearuk
So I popped my CV on a job site the other day. Today I received a rather interesting email:
As a result your application, I would like to invite you to attend an interview.
You will have an interview with the department manager, Edie Wilson.
The interview will last about 30 min.
Please bring three reference (If available), as well as a copy of your ID,
e.g. Passport, Driving License to the interview.
Please contact me on 07064848730, in order to arrange an interview
We look forward to seeing you
Well, a few things here: I didn't apply for any jobs, it's sent from a Yahoo email address (firstname.lastname@example.org), and the number is a premium-rate number.
I Googled the number, but I hope other people are not falling for this scam; it's a bloody disgrace.
I have started playing with Python and have also been checking out http://www.pentesterlab.com. One of the tasks has been to:
Write an HTTP client to retrieve the home page of your site using an http library (for example net/http in ruby).
Well, I decided to use httplib for Python and this is what I came up with:
import httplib  # Python 2 module; on Python 3 the equivalent is http.client

address = raw_input('Input Website Address: ')  # host only, e.g. www.example.com, no scheme
connection = httplib.HTTPConnection(address)
connection.request('GET', '/')  # ask for the home page
response = connection.getresponse()
output = response.read()
print output
It seems to have done the job I needed, plus it allows me to specify the host without having to change my code.
I have not used Twitter until very recently. I could never see the point in it. I didn't get why I needed to see 140 characters of people's bile.
That was until recently; it seems the information security people love it. So I joined and followed about 10 people. I installed TweetDeck on my phone and then went away. I still didn't get it. I wondered what hashtags were and why no one was following me; why would I tweet to no one?
Then I realised that you can reply to people who don't follow you. Ah, now I see it: random conversations with people with a wealth of experience, it's like taking a degree in tiny, tiny chunks. I have even won something!
So now I am following new people every day and I seem to learn something new many times a day.
So what can I say, I am converted. Now I suppose I should look at Google+.
Anyway, if you want to follow me feel free: @kurtisebearuk
Well, I have decided to study for my CEH (Certified Ethical Hacker) v8 exam.
Bought the Harper book from Amazon and am just waiting for it to be delivered.
I think it will be a much more cost effective way of doing the exam than paying for a training course.
Let's hope so anyway.