
Sorry for that. Hi everyone, today we are going to have a presentation on hacking basics with women hackers. Me and my squad of women are presenting together, as we have a little bit of a career in cyber security and a lot of interest in hacking. We will start with recon and recon tools with Payal, we will have some AppSec filters with Lalithya, and then we will have file upload bypass and more about it in detail with me.

So let's first start with introductions. I am Rigakshi. I currently work as an information security engineer at Fining. I have about eight years of experience in different fields in the IT industry. I have worked at Accenture, Bugcrowd and Octave; a lot of it was in application security. I really enjoy educating everyone else about cyber security and the best practices that work in the workplace and also in day-to-day life, like how to get more secure, and I enjoy finding things that are out of the box, or bugs. Lalithya, would you like to go ahead?
Are you on mute?
We can't hear you at all.
I can go next. We'll wait for you to figure it out, but I think Payal can introduce herself, right? Yeah, and I can start the presentation, that's fine. Lalithya can do the introduction with her presentation, is that okay? Yep, okay.

So hello everyone, good afternoon. My name is Payal. I am a cyber enthusiast slash researcher. I completed my degree in cyber security and forensics from an American university named Fairleigh Dickinson University. Currently I'm pursuing my certifications in Security+ and CompTIA PenTest+. I'm an active user of TryHackMe and Hack The Box. Additionally, I am doing my research on web application hacking and its tools. Today I will be talking about a major factor in web application hacking which is known as reconnaissance. My agenda will be talking about what reconnaissance is, what the types of reconnaissance are, and what methodologies we use in recon. So let's start with the presentation. Next slide please. Sorry, there's a bit of a glitch. Oh, it's okay, no problem.

So first we go with reconnaissance. What is reconnaissance? Reconnaissance is the very first step an attacker takes. It helps an attacker to gather as much information as he or she can. It is also known as footprinting of the web application. It is used in ethical hacking and pen testing; it helps in identifying the weaknesses and also helps in exploitation of those weaknesses. Next slide please.

Types of recon: basically there are two types of recon. The first is active recon and the second is passive recon. In active recon an attacker interacts directly with the system, but the biggest disadvantage of active recon is that it is easily detectable, because when an attacker sends a lot of packets to the defensive mechanism it makes it easy for the firewall to detect it. But there are various methods through which an attacker gathers information through active recon: the first is the operating system and the services running on the machine, as well as open and closed ports. On the other side, in passive recon an attacker interacts indirectly with the system, and it is very difficult for the defensive mechanism to detect it, because passive recon uses public resources like employee information and the technology used by the company, for example on LinkedIn. Nowadays companies love to share information on social media platforms, which makes it easy for attackers to gain access to the information and to gather as much information as they can. Next slide please.

Methodologies of recon. So let's talk about the different types of methodologies we use in recon. There are so many, but I will discuss some of my favorites. Next slide please. The first one we are going to talk about is Google dorks. Google dorks, also known as the Google Hacking Database, help in finding sensitive information using Google for other sites. Some examples of Google dorks are inurl, which helps in finding information through the URL; the second is intext, which helps in finding information in the web application; the third is site, which helps in finding information through the domain; the fourth is filetype, which helps in finding information through different types of files like PDF and DOC and many more. The link mentioned in this slide contains a database of Google dorks which we can use for research. I also used some of the Google dorks from this database, which I am going to present in the upcoming slides. Next slide please.

As you can easily see in this, I used the Google dork inurl, which helped me to find an admin panel of the site abcd.com. It also contains some sensitive information which I censored in this screenshot. Next slide please. In the next slide we can see that I used the Google dork intext, with the help of which I was able to find the chat logs of a web application which contain some sensitive information, and also it is very easy to read the chat which I found by using the Google dork intext. Next slide, thank you.

The next methodology we use in recon is the Wayback Machine. The Wayback Machine helps in finding the changes made on a web page. It is very easy to access the Wayback Machine: to access it we simply have to go on Google and type "wayback machine", and it will open up the page as shown in the screenshot over there. You have to put in the name of the target site about which you want to search, like if you want to see the changes made on the site. For example, in this screenshot I searched for a company named Hudson Group, and it highlights the dates on which changes were made on that particular site. The disadvantage of this is that sometimes the snapshots contain credentials when inspecting the source code, which results in breaches and security concerns. Next slide please.

The third methodology of recon is server fingerprinting. Server fingerprinting simply means finding details of the server on which the web applications are running. In the first screenshot we can see that I sent a request to http://abcd.com, and in the response I got the name of the server, which is Apache, which shares the Apache server info with the Unix operating system. In the second screenshot it can easily be seen that I sent a GET for santaclaus to abcd.com and there was an error message, but it is still rewarding me with the server name, which is nginx, and its version. Next slide please.

So there are some automated scanning tools which we can also use for server fingerprinting, and some of my favorites are Burp Scanner, Nikto and Nmap. These tools help in finding the weaknesses of the web application and also help in exploitation of those weaknesses. Up next will be Lalithya; she will be sharing about a few application filters and security headers and more about web applications.

Hey everyone, hope you can hear me now. Yeah, we can hear you. Awesome, thanks. So since I missed my intro, I'm Lalithya. I'm a cyber security graduate; I did my master's in cyber security in 2020, and then I did my internship with Bugcrowd as an application security engineer, where I used to triage the different kinds of bugs from hackers all over the world.
So today I'm going to talk about AppSec filters. These are the basic filters; there are more filters that you can apply to your application, but I'm going to talk about some basic filters that you need for a web application. The basic ones I'm going to cover today are as you see in the agenda. Next screen please.

So let's talk about some basic security checks that need to be added to your web application. The DMARC check is something like: if you have an email service in your application and you are sending some emails, you want to make sure that they are under a registered domain and that they are not vulnerable to phishing attacks. So outside, in the common world, people will ask, is your service registered under DMARC? So make sure your web application is registered under DMARC, and we have an open tool to check whether your application is registered or not; if not, you can register yourself under a DMARC account for your web application.

HTTP headers check: we all know HTTP headers are quite the most important thing for any application that we keep, but sometimes we miss some important security headers. In real time we don't really feel like these security measures are important; even top companies like Google etc. do miss some security headers. But we have some open source tools that are designed and available in the market with which you can go and see which security headers are missing, and you can add those security headers to your applications. That's for headers.

And then the EXIF check is like, if your application is having images with EXIF: sometimes we have some open tools, where ethical hackers use these free open source tools like EXIF headers and grab information from the images that we use in our web application. So they upload the image and see if they can disclose any information in those open source tools, and sometimes it's vulnerable to information disclosure: the location, the server, all these kinds of info. So make sure you're hiding all this additional information, and think like an ethical hacker: go check and see, make the security checks as possible, and update accordingly.

So if we have a web application, sometimes it is the case that we have some external links, sorry, internal links inside an application, like your web application may contain a Facebook link, a Twitter link, an Instagram link or whatever social media or any other links. Sometimes users delete their account but forget to update the links in your application, which is a very vulnerable attack, and it may lead to broken authentication if it is caught by an ethical hacker, sorry, any malicious hackers. So make sure those links are updated as soon as possible: if you don't have the account, just remove it; if you have it, keep the valid account link for the ones that you have in your web application.

For external feature updates, it's like, for example, the TLS version, Transport Layer Security version. If you have heard the news recently, the TLS versions for the encryption algorithms have been updated: the previous versions have been deprecated in March 2020, and there's a new version which has an additional security layer, additional cipher-related kinds of algorithms, which you need to upgrade your application to. So if your application is falling way back to the previous versions of TLS, make sure they are updated to the new version. So make sure you are updating the external features as well; this will help you to protect from broken authentication. Next slide please.

Rate limit validation is a kind of check like: if you have a web application, obviously every web application normally will have a login and logout page, for example. I'm saying that there are many kinds of rate limit validations that you can apply to your application. If you have a forgot password link, and the forgot password link can be used multiple times, we have many automated tools which a malicious hacker can use to send continuous requests to the trusted owner, if we don't have the rate limit validation check applied to the credential fields that you have. So for an example, if a forgot password link is used many times, it doesn't make any sense if it's still working, because it should be validated: after one time it should expire and it should not work. So make sure this check is applied when you have some external links. This also applies for username changing, account login and logout, and many other fields; but make sure, if you are sending any emails, I mean if you want your link to be sent to an email, they are validated with a rate limit. Next slide please.

Cookie handling. Cookie handling is something like: we do have many secure properties, but apart from that we also have one other property called the SameSite property, which is inside a cookie, and it can be set to some attributes like Lax or Strict. So if you set these attributes for the SameSite property, it will prevent the application from cross-site request forgery attacks. So in an application, if you open the cookies using some Chrome browser extension tools, you will see third-party cookies as well as first-party cookies. First-party cookies are nothing but the ones particular to your application, but third-party cookies are the ones that you use inside your application, the ones that are external. If you don't set the SameSite property to Lax or Strict, as I told you, Lax and Strict are the attributes, one is a subset of the other we can say, then these third-party cookies can be inserted by a malicious hacker and it is vulnerable to cross-site request forgery. So this is another basic filter that we can use.

Error handling filter check. This is the most common one, where I think malicious hackers get information about what's happening in your application and what they can guess easily. Like, if you have an application and you disclose errors, they derive information based on the errors that you provide. So if you provide any detailed error messages, or even if you provide any hints that let the ethical hacker decide, okay, this particular one is known for information disclosure, then it may lead to some other vulnerable attacks. One example we can say: if you have a login form with a username field and a password field, and you enter an invalid username with an invalid password and you display a hint error message something like "this user doesn't exist in your system", then the hacker can know that, oh, this user isn't existing in the system. And if he tries with a valid username and an invalid password and the error message just says "incorrect password", then it's easy for him: okay, this username is getting enumerated, so he or she can directly guess. So this will lead to information disclosure.

The other thing I would like to talk about is input validation, which is the most important one these days, because most of the attacks that we see in real time are due to input validation. So if you have a web application, make sure each field is validated properly, because all of our web applications nowadays use those fields to bring out data, convert data, send emails, do some other stuff, etc. If we let an ethical hacker input string fields with some malicious payloads that are readily available in the market, and if we send them in an email to a different person, then that person almost got his laptop hacked. So make sure the input field is validated, like if you have string fields they should not start with some special characters, so that they are validated. Even the file types: because almost all web applications will have file types, while you are uploading, if you have file types make sure they are restricted to those particular file types. So vulnerability to file upload bypass is most common these days, and my friend Rigakshi is going to continue to explain about file upload bypass and demo how it actually works. Thanks.

Hi everyone, thank you Lalithya for handing over to me. Well, as you know, we were going to exploit more of file upload bypass with me. So I'm going to say that file upload bypass is not the only vulnerability, but it's also exploited a lot in the world, and I'm going to talk more about file upload bypass in modern web applications. So I'm going to start with introducing the vulnerability, and then I'll show you a little bit more of the different filtering types that are used to avoid the file upload bypass vulnerability. I will give you a small demo and then a detailed analysis of
that demo.

Well, what actually is this vulnerability? Uploading a file to a web server is generally a feature in many web applications. For example, you might want to upload a CV or certain documents, you might want to upload a video presentation or any other files that you want people or your community to enjoy, some important documents that you want to send to the government, and things like that. So file uploading is an important feature in applications. Well, the unrestricted file upload vulnerability just means having fewer validation options, or not doing enough validation on the uploaded file. What attackers aim for here is to upload some malicious code into the software code, or insert some malicious code into the website. This is very common in other vulnerabilities as well, but in file upload bypass, since we are uploading a file, it could be way more harmful, as we can upload more code into the software just by a file which is entering the server.

So a little bit more about web shells and RCEs. RCE is remote code execution due to a web shell. So this is a one-liner PHP code: php echo file_get_contents path to file. When you see this part, path to target file, it essentially means that we want to access whatever is present on this path, and get_contents will get the contents of the folders or whatever is present on this file path. This small one-liner code can be uploaded to a server where it was essentially looking for an image or a video or something, but it never disallowed the PHP code to be entered anyway.

So let's start with a little bit more about filters. There could be some filters that are just client-side filters, and there are other filters that are server-side filters. In general cases, client-side filters are easier to bypass than the server-side filters, because it's way easier to know what the client-side filters are just by checking the normal traffic on the website, uploading something and then checking the traffic; but server-side filters are way harder to bypass, so it's always better to have more server-side filters in place as well.

Some of the filters I'm going to discuss here: Multipurpose Internet Mail Extensions, actually called MIME. It was initially made to filter mails, that is why the name, but now it is not used in mails anymore; it's used in file upload bypass. As you can see, the Content-Type is image/png in the image shown. So this is the Content-Type header that's generally present. If I'm uploading a JPEG image then it will show the Content-Type header as image/jpeg, but we can easily edit it, and I can show more of this in the demo later. If you change it to something else, then the server might get fooled, and instead another file gets uploaded.

Magic number validation is another type of validation that is put as a filter in many web applications. When we upload a JPEG file it generally has hexadecimal values starting with F8 D8; this is the magic number of a JPEG file. Similar to that, there are different magic numbers for different files; MP3 files can have a different magic number, and we can always use a hexadecimal editor to change that value. So we can change the value and fool the server that this is not a PHP file, this is a JPEG file, and things like that.

Another filter is file length filtering. While this is not really a great filter, it can prevent some denial of service, or DoS, attacks. You can find a lot more about it, and a lot of web shells, at pentestmonkey.net; the link is present on this slide. Well, filtering files on maximum size can be helpful sometimes, when some attacker finds a vulnerability that can be exploited with a long set of code but cannot be exploited by a one-liner. Yeah, this could be helpful.

File name filtering is another type of filtering that is put there to ensure that there are no duplicates being uploaded by the attacker. For example, appending a random string to a file name upon upload can prevent this: there could be a certain change in the file name when the files are uploaded, so if a file with the same name is uploaded you could just change the name. We could also sanitize bad characters like ../ (slash dot dot slash). So sometimes we use ../ to enter another location and save our file to a temp folder or somewhere where it's not meant to be stored, and thus access /etc/passwd files and root files.

So let's talk about file content filtering. File content filtering is a new way; it has not been very common in the past, but it basically looks for text strings or objects within images, and it looks for content patterns. It looks for different spoofing attempts; it studies how attackers have been attacking an organization or similar businesses. It looks for those patterns that have been there in the past, and looks for certain signatures: malware could have some signatures, and then it detects those files. So this is used in complex organizations, as it is way harder to implement.

And then the last one is extension validation. This allows and rejects a file based on the allowed list of extensions and the denied list of extensions. While having a blacklist is possible, we can have certain extensions in our blacklist, but a whitelist is way more preferred from a security perspective, because we have seen now that there could be people using a null byte extension like php%00, as shown in the image. This kind of file will be considered as a JPEG image by the server and thus gets uploaded to the server. Double extensions like php.jpg and alternate extensions are also common.
Let's start with a quick demo. Sorry about that. Yeah, so there's a PortSwigger lab where we are going to bypass a Content-Type restriction. We have a web shell file that we have created already, and we are going to bypass a Content-Type restriction. This is the PortSwigger lab. Just look at the PHP shell: we are uploading it here, and we are checking the request in Burp on the other side. When we check the request, this is a PHP one-liner code, php echo file_get_contents, and it's trying to access the contents of /home/carlos/secret. As you can see, the Content-Type is text/php. Here we are not going to do anything; we will just check the request, check the Content-Type header and the file contents, and we will forward this request and try to upload it.

So as you can see, it says sorry and the file has not been uploaded to the server. Now again I'll try to upload this file.

So I uploaded the file and intercepted the request again, and notice that it's again text/php, and we are just going to update it to image/jpeg.

So the file is successfully uploaded. Now let's see whether it's uploaded in the avatar or not. Let's go back to the account and try to access the source code of the avatar.

Yeah, so I find the source code, and this is the content of the file. We successfully uploaded the web shell and executed it. Thank you everyone, and we welcome you to ask more questions from all of us.
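The layered server-side checks described in the file upload section of the talk, written out as an added example; this is not code from the talk or from the PortSwigger lab. It puts the header-only filter that the demo defeats beside a validator that applies the talk's other filters in order: a size cap (file length filtering), rejection of null bytes, path traversal and double extensions in the file name, an extension allowlist instead of a blacklist, a Content-Type check tied to the extension, a magic number check on the file bytes (the JPEG signature is FF D8 FF, PNG is 89 50 4E 47 0D 0A 1A 0A, GIF is GIF87a or GIF89a), a crude content scan for a PHP open tag, and storage under a random name. The `Upload` class, the 2 MiB limit, the sample file names and the sample bytes are all constructed for the example; the PHP sample only echoes a string.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Tuple

# Allowlist of image extensions -> (Content-Type that must accompany them,
# magic-number prefixes the file bytes must start with).
ALLOWED_TYPES = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
MAX_SIZE = 2 * 1024 * 1024  # file length filtering: 2 MiB cap (example value)


@dataclass
class Upload:
    """What the server sees: every field is client-controlled and untrusted."""
    filename: str
    content_type: str
    data: bytes


def content_type_only_check(up: Upload) -> bool:
    """The weak filter the lab demo bypasses: it trusts the Content-Type header,
    which the client (or an intercepting proxy) can set to anything."""
    declared = up.content_type.split(";")[0].strip().lower()
    return declared in {"image/jpeg", "image/png", "image/gif"}


def validate_upload(up: Upload) -> Tuple[bool, str]:
    """Server-side validation layering the filters from the talk.
    Returns (False, reason) on rejection or (True, random_storage_name)."""
    if not up.data:
        return False, "empty file"
    if len(up.data) > MAX_SIZE:
        return False, "file too large"

    name = up.filename
    # Null-byte tricks (shell.php%00.jpg): reject rather than try to repair.
    if "\x00" in name or "%00" in name.lower():
        return False, "null byte in filename"
    # Path traversal (../): the name must already be a bare file name.
    if ".." in name or os.path.basename(name.replace("\\", "/")) != name:
        return False, "path traversal in filename"
    # Exactly one extension; this also rejects double extensions (shell.php.jpg).
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "missing or multiple extensions"
    ext = parts[1].lower()
    if ext not in ALLOWED_TYPES:  # allowlist, not a blacklist
        return False, f"extension '{ext}' not allowed"

    expected_mime, magics = ALLOWED_TYPES[ext]
    declared = up.content_type.split(";")[0].strip().lower()
    if declared != expected_mime:
        return False, "content-type does not match extension"
    # Magic number check: the bytes must look like the claimed image type.
    if not any(up.data.startswith(m) for m in magics):
        return False, "file content does not match declared type"
    # Crude content filtering: a PHP open tag has no business in an image.
    # Real scanners use richer signatures; this plain string match is only
    # illustrative and can false-positive on arbitrary binary data.
    if b"<?php" in up.data.lower():
        return False, "script content inside image"

    # File name filtering: store under a random name so the client-supplied
    # name never reaches the filesystem and duplicate names cannot collide.
    return True, f"{secrets.token_hex(16)}.{ext}"


# --- constructed sample inputs (not real files) ---
# Minimal JPEG-looking header: SOI marker FF D8 FF, APP0 marker, "JFIF", padding.
REAL_JPEG = Upload("avatar.jpg", "image/jpeg",
                   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
# A harmless PHP file whose Content-Type was edited to image/jpeg, as in the demo.
SPOOFED_SHELL = Upload("avatar.php", "image/jpeg", b"<?php echo 'hello'; ?>\n")
# The same PHP bytes with the file renamed to .jpg as well.
RENAMED_SHELL = Upload("avatar.jpg", "image/jpeg", b"<?php echo 'hello'; ?>\n")


if __name__ == "__main__":
    for label, up in [("real jpeg", REAL_JPEG), ("spoofed header", SPOOFED_SHELL),
                      ("renamed .jpg", RENAMED_SHELL)]:
        print(f"{label:15} header-only: {str(content_type_only_check(up)):5} "
              f"layered: {validate_upload(up)}")
```

Run stand-alone, the header-only check accepts the spoofed file exactly as the lab did once the header said image/jpeg, while the layered validator stops it at the extension step, and stops the renamed copy at the magic number step. The rejection reason is worth logging: a burst of "extension not allowed" or "content does not match declared type" rejections on one account is a cheap detection signal for upload tampering.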