#11 - 27th January 2007, 01:45 PM
aashima (CE - Regular Contributor, Crazy Electronics and Communications Engineer; joined 31st May 2006; Location: chandigarh; Posts: 417)
Re: Ask Dan Kuykendall - The man behind podPress, phpGroupware, qmail & podCastAlley!

I wonder when my blog too would see a podcast file in it!!
Hello Dan,
It's almost monotonous to mention, but your work really is amazing. Great going! Between, you mentioned in your talk on CE that you get paid for being a hacker. Now that sounds something out of the box and interesting. Could you be a little more elaborate about it?
__________________
Aashima Jain | CE BLOG!!| MY BLOG!!|

#12 - 27th January 2007, 02:12 PM
seek3r (Director of Engineering, NTObjectives Inc., USA; Crazy Software Engineer; joined 14th December 2006; Posts: 8)
Re: Ask Dan Kuykendall - The man behind podPress, phpGroupware, qmail & podCastAlley!

Quote: Originally Posted by aashima
Between, you mentioned in your talk on CE that you get paid for being a hacker. Now that sounds something out of the box and interesting. Could you be a little more elaborate about it?

I guess I really didn't elaborate much about that. Well, since you ask, I'm very passionate about web app security, which is why I have chosen to do it full time for a living, and why I do my podcast about it.

My job:
My work at NT OBJECTives consists of me spending countless hours reading mailing list and forum discussions, chatting with other web app security professionals and reading every article and website about the subject. In addition I do a lot of my own research to discover what kind of mistakes web developers are making, and how I can exploit these patterns.

I then have to take every bit of my research and figure out how to reproduce the attacks in an automated way, where we can have some reasonable degree of confidence that when we think we found a vuln, that it really is one.
There are things I can do as a human, with leaps of logic and intuition, which are extremely hard to accomplish with a computer which needs to deal in facts. In computer science we call this fuzzy logic, and it's a very hard problem to tackle.

The actual hacking:
Well, in web apps there are a number of categories of attacks. I don't want to get too far into it, because it's a discussion of its own, but some of the major ones are SQL Injection, Cross Site Scripting (XSS) and various resource discovery issues.

Resource discovery - In this we try and find files that could lead to information. For example, when you request a file with a .php extension, the web server executes this thru the PHP engine, and the result is displayed. But if the developer is developing on the server and leaves a somefile.php.bak file, if I request this, then I will see the actual source code. Imagine if this was the config file, with its database passwords. Even a normal source file could tell me important information about the database. So I look for these kinds of files, and learn what I can when I do find them.

SQL Injection - With these attacks I attempt to leverage the fact that web apps often take user input as part of a generated SQL query. If I provide an input that will have the effect of altering the SQL statement into what I want... I can accomplish fun things. Check out my podcast about this. So when I'm hacking a web app, I'm looking for user input being used in SQL statements which are not being properly validated.

Cross Site Scripting (XSS) - Sites often take input which is re-displayed back to other users. What we attempt is to provide inputs that will still generate a valid HTML file, but one that is altered into doing something we want for attacking other users. Again, I have a podcast about this which would be informative to listen to and follow along with.

Hope that helps.
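The two input-handling flaws described in the reply above (SQL injection and XSS), as an added example that is not from the original thread or from NT OBJECTives: a query built by pasting user input into the SQL text beside a parameterised one, run against a constructed in-memory SQLite table, plus output escaping for input that gets re-displayed to other users. The table rows, the probe string and the function names are constructed for this demo.

```python
import html
import sqlite3

# Constructed sample rows standing in for a web app's user table.
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    # The pattern the post describes: input is spliced into the SQL text, so a
    # quote in it closes the literal and the rest becomes part of the statement.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened form: the value travels as a bound parameter, never as SQL text,
    # so quotes or keywords in it stay plain data and cannot add clauses.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_comment(text):
    # XSS defence for re-displayed input: escape it at the HTML boundary so
    # angle brackets and quotes render as text instead of becoming markup.
    return "<p>" + html.escape(text, quote=True) + "</p>"


def demo():
    """Run both lookups with one constructed probe and escape one comment."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input that turns the WHERE clause true
    return {
        "vulnerable": lookup_vulnerable(conn, probe),  # every row comes back
        "safe": lookup_safe(conn, probe),              # no user is named that
        "html": render_comment("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```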
#13 - 31st January 2007, 10:08 PM
desijays (CEan - Techie, Crazy Computer Science Engineer; joined 15th November 2006; Posts: 136)
Re: Ask Dan Kuykendall - The man behind podPress, phpGroupware, qmail & podCastAlley!

@ Dan

I always thought it was much easier to compromise a system by trying to hack it at the protocol level than the application level. And since web security falls in the domain of the latter, I find it hard to adapt.

Usually if there was something that needed to be compromised, in my opinion I believe it is easier to directly get into the system using commands that the daemon running at that particular port will understand... (that's just one of the techniques) or if the daemon has a vulnerability the task is even more simplified.

Of course, sometimes you succeed and sometimes you don't. In the end I suppose it's just a matter of persisting.

So doesn't that mean compromising a system at the application level is naturally redundant, since you can do all you want with direct access to the system by getting at it at the protocol level..?

For example, if you wanted the source code of some php file located on a server and if there is no file called "somefile.php.bak" cos the programmer who programmed the website was conscious of making sure to not leave any tracks behind, then... in that case... wouldn't it be easier to just get the source file "somefile.php" by compromising the server directly than to wonder if the programmer was careless enough to leave "somefile.php.bak" lying around?

And again, I'm aware the techniques that can be used here are equally vast.

And one other thing I have noticed is that it could be mighty hard to perform XSS and SQL injection techniques using this method, although it is very good at discovering resources.

Is that why web hacking is preferred?

And as always, there are issues of ethics to be considered!! But, should we care?

After all, we are all curious at one point or other.

I hope I was clear.

Welcome to CE Dan.

Nice to have you here mate.
__________________
Enjoy Life; Everyday above ground is a good day.
- Anon
desijays is offline  
#14 - 31st January 2007, 11:09 PM
seek3r (Director of Engineering, NTObjectives Inc., USA; Crazy Software Engineer; joined 14th December 2006; Posts: 8)
Re: Ask Dan Kuykendall - The man behind podPress, phpGroupware, qmail & podCastAlley!

One of the things that makes web hacking interesting is that you already have a window thru the firewall.
If you are assigned to attack a server which is sitting behind a firewall and only has port 80 accessible (which is a common situation these days), what are you going to do?

You will attempt to fingerprint the web server, and then run known vuln attacks against the server, but what if they are all patched up?

That leaves you to attacking the web apps to fight your way in.
Web app hacking is much more difficult in that most apps are custom, and so you cannot throw out a bunch of "known vuln attacks" against a host as you can when you're attacking at the OS/Services level.

What it most relies on is understanding the habits of web developers, and the problems they can make and what you can do when you find a problem spot. It's also important to understand what you want to accomplish.

If my goal is to view other users' data, then it's probably easier to review how they display records and then try requesting records by their ID, but for ones not in your lists. If they don't check permissions on each request, then maybe you can get to the data you want, and this may be easier than trying to gain shell access to the system in order to get to this data.

If your goal is to steal paypal accounts, it's probably easier to find a XSS problem on the paypal site, and then send out spam emails to try and trick some users into clicking a link that goes to paypal.com but then redirects them to your site and passes along the user's sessionid (cookie data) in its request. Trying to hack their well protected servers, which have IDSs and firewalls logging everything, would probably be more troublesome.
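The "request records by their ID without a permission check on each request" case from the reply above, as an added example that is not from the original post: a lookup that trusts whatever ID arrives beside one that authorises every request on its own and counts refusals so that ID walking is visible to the defender. The records, user names, threshold and function names are constructed assumptions for this demo.

```python
import logging
from collections import Counter

log = logging.getLogger("records")

# Constructed records, each tagged with its owner, standing in for a DB table.
RECORDS = {
    101: {"owner": "alice", "body": "alice's order"},
    102: {"owner": "bob", "body": "bob's order"},
    103: {"owner": "bob", "body": "bob's refund"},
}

denied = Counter()  # per-user count of refused lookups, kept for detection


def list_records(user):
    """IDs the UI would show this user; the only ones they should ever reach."""
    return sorted(rid for rid, rec in RECORDS.items() if rec["owner"] == user)


def get_record_unchecked(user, rid):
    # The weak pattern from the post: the app assumes the ID was clicked from
    # the user's own list and never re-checks ownership, so a guessed ID works.
    return RECORDS.get(rid)


def get_record_checked(user, rid):
    # Hardened form: authorise on every request, and answer "not yours" exactly
    # like "does not exist" so the response cannot confirm which IDs are live.
    rec = RECORDS.get(rid)
    if rec is None or rec["owner"] != user:
        denied[user] += 1
        log.warning("denied record %s to %s", rid, user)
        return None
    return rec


def suspicious_users(threshold=2):
    # Detection hook: a user tripping repeated denials is walking the ID space.
    return sorted(u for u, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    print(get_record_unchecked("alice", 102))  # served although it is bob's
    print(get_record_checked("alice", 102))    # None: refused and counted
    print(suspicious_users())
```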
#15 - 1st February 2007, 12:51 PM
aashima (CE - Regular Contributor, Crazy Electronics and Communications Engineer; joined 31st May 2006; Location: chandigarh; Posts: 417)
Re: Ask Dan Kuykendall - The man behind podPress, phpGroupware, qmail & podCastAlley!

Amazing information Dan. It's all so new and interesting. Thank you.
__________________
Aashima Jain | CE BLOG!!| MY BLOG!!|
#16 - 3rd February 2007, 06:19 PM
Jerry (CE - Enthusiast, Crazy Electrical Engineer; joined 9th December 2005; Location: Somewhere In America; Posts: 190)
Re: Ask Dan Kuykendall - The man behind podPress, phpGroupware, qmail & podCastAlley!

Thank you Mr. Kuykendall! My best wishes for the next version of podpress. I think we can have ideas & technical discussions for podpress on CE. I would like to hear your opinion about this.

Jerry
__________________
I'll Be Back
#17 - 17th April 2007, 10:39 AM
Rocker (CE - Enthusiast, Crazy Sound Engineer; joined 20th August 2006; Location: NZ; Posts: 121)
Re: Ask Dan Kuykendall - The man behind podPress, phpGroupware, qmail & podCastAlley!

Hello Mr. Kuykendall!

I doubt if my question is within the scope of this discussion. Is there a way to distinguish between a fake mail (phishing) which asks for the login details and an authentic mail? Every day I receive an email from Bank of America which asks me to update my account details. They were the first ones to tell me that I've an account with Bank of America!