Elusive Thoughts

Intro  This post is going to talk about source code reviewing PHP and demonstrate how a relatively small chunk of code can cause you lots of problems. The Code In this article we are going to analyze the code displayed below. The code displayed below might seem innocent for some , but obviously is not. We are going to assume that is used by some web site to post the user comments securely. <?php require_once 'common.php'; validateMySession(); ?> <html> <head> <title>User Posts</title> </head> <body> <h1>Showing current posts</h1> <form action='awsomePosts.php'> <p>MySearch: <input type='text'  value='<?php if (isset($_GET['search'])) echo htmlentities($_GET['search'])?>'></p> <p><input type='submit' value='MySearch'></p> </form> <?php showAwsomePosts();?> ...

Intro  This post is going to talk about source code reviewing PHP and demonstrate how a relatively small chunk of code can cause you lots of problems. The Code In this article we are going to analyze the code displayed below. The code displayed below might seem innocent for some , but obviously is not. We are going to assume that is used by some web site to validate the credentials and allow the users to login. <?php require_once 'commonFunctionality.php'; if (validateCredentials($someUsername, $somePassword)) { header('Location: myIndex.php'); } else { header('Location: wrong_login.php'); } ?> If you look carefully the code you will se that the code is vulnerable to the following issues: Reflected/Stored XSS Session Fixation/Session Hijacking   Lock Out Mechanism Not In Place Think this is not accurate , think better. Session Fixation/Session Hijacking An adversary may on purpo...

Introduction Nowadays hacking, as already mentioned in my previous articles, has been industrialized, meaning that professional hackers are constantly hired to make money out of practically anything and therefore all Web Application vulnerabilities have to be understood and defeated. This article is going to talk about what Cross Site Request Forgery (CSRF) is, explain how can someone perform a successful CSRF attack and describe how to amplify a CSRF attack (e.g. combine CSRF with other vulnerabilities). CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated (simplistically speaking). With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of a normal user. If the targeted end user is the administ...

Intro This post is about describing from the security perspective how the life cycle of a Web Application should be. By saying life cycle I mean all the stages a session goes through and what are the steps to be taken on order to properly test the session. Very recently I had a discussion about session management with a colleague of mine and he seemed confused about what session management is and how it should be handled. Now if you lookup the OWASP session management cheat sheet you are going to find lots of interesting information overlapping the information presented here but, there is no information in the internet that has a complete and easy to understand guide about how to test a session. What is a Session and how should it behave A web application session is a user credential "representative" for as long as the user is logged in (well not always). In more simple words the user credentials after a successful log-in should be translated into one or more cry...