# Web Security
SQLab 2023
Author: Sean 韋詠祥
<br>
###### Slide: https://hackmd.io/@Sean64/sec-sqlab2023
Note:
Date: 2023-06-07 (Wed)
Session time: 10:30 - 12:00
10:30 Opening
10:35 filter
10:40 Lab: My Blog
10:50 x-fwd
10:55 Lab: Cloud Drive
11:05 off-by-slash
11:10 Lab: Dynamic Pricing
11:20 Lab Demo
11:25 XXE
11:30 Lab: Import Blog Post
11:35 SSTI
11:45 Lab: WIP
11:55 PP
12:00 Lunch
----
## About Me
- Sean Wei 韋詠祥
![](https://i.imgur.com/MWUuh5D.png)
Note:
- NCTU: information security assessor, Hsinchu-Miaoli Regional Network Center
- Executive Yuan: offensive security tester, government vulnerability scanning
- CEH (technical), (ISC)² CC (management)
----
## Outline
- `php://filter`
- X-Forwarded-For
- NginX off-by-slash
- XML External Entity Injection
- Template Injection
- Prototype Pollution
---
# `php://filter`
Note:
Week 1 p108
https://github.com/splitline/How-to-Hack-Websites/blob/master/slides/week/week1.pdf
----
## What is the `php://` wrapper?
- Accessing various I/O streams
- `php://stdin`, `php://stdout`, `php://stderr`
- `php://input`, `php://output`
- `php://filter`
- `php://memory`, `php://temp`, `php://fd`
Note:
https://www.php.net/manual/en/wrappers.php.php
----
## Parameters of `php://filter`
- `/resource=index.php`
- `/read=string.rot13`
- `/read=convert.base64-encode`
- `/write=zlib.deflate`
----
## Example
- `php://filter/read=string.rot13/resource=https://sean.cat/`
----
## Lab: My Blog
![](https://hackmd.io/_uploads/HkT5MWfIn.png =x480)
Note:
https://ctf.sean.cat/filter/
---
# X-Forwarded-For
How do you get the user's IP address?
Note:
https://devco.re/blog/2014/06/19/client-ip-detection/
----
## StackOverflow?
![](https://hackmd.io/_uploads/SJkeBaG8h.png =x480)
----
## And ChatGPT
![](https://hackmd.io/_uploads/H1zQITGU3.png =x480)
----
## What are those variables
- REMOTE_ADDR
- HTTP X-Forwarded-For
- HTTP Client-IP
----
## Lab: Cloud Drive
![](https://hackmd.io/_uploads/BJmWM0fU2.png =x480)
Note:
https://ctf.sean.cat/ip-addr
----
## CF-Connecting-IP
- Cloudflare CDN
- NginX: set_real_ip_from, real_ip_header
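Added example (not from the slides or the linked labs): a Python resolver for the variables on the previous slides that only honours X-Forwarded-For (or a single-value header such as CF-Connecting-IP) when REMOTE_ADDR belongs to a configured proxy range, the same trust rule nginx applies with set_real_ip_from. The proxy ranges and sample requests are constructed.

```python
import ipaddress

# Constructed proxy ranges for this example (assumption, not a real deployment):
# only hops inside these networks are allowed to set forwarding headers.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_trusted(addr: str) -> bool:
    """True if addr is a valid IP inside a configured proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(environ: dict, header: str = "HTTP_X_FORWARDED_FOR") -> str:
    """Resolve the client IP from a CGI-style environ.

    REMOTE_ADDR is the only value the TCP connection vouches for; the
    forwarding header is attacker-controlled text that each proxy appends to.
    So walk the header from the right (nearest hop first) and keep going only
    while the hop we just trusted is itself a configured proxy.
    """
    remote = environ.get("REMOTE_ADDR", "")
    if not is_trusted(remote):
        return remote  # direct connection or unknown proxy: ignore the header
    hops = [h.strip() for h in environ.get(header, "").split(",") if h.strip()]
    current = remote
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the nearest verified address
        current = hop
        if not is_trusted(hop):
            break  # first address not in a proxy range is the real client
    return current
```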
---
# NginX
off-by-slash
Note:
Week 1 p101
----
## Recap: Path Traversal
![](https://hackmd.io/_uploads/SyOVrWzUh.png)
----
## NginX Config
![](https://hackmd.io/_uploads/BybjUZMI3.png =x480)
----
## Off-by-slash
![](https://hackmd.io/_uploads/r1a1OzfLn.png =x480)
Note:
Breaking Parser Logic, Orange @ Black Hat
https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
----
## Lab: Dynamic Pricing
![](https://hackmd.io/_uploads/rkfEdGzLh.png =x480)
Note:
https://ctf.sean.cat/slash.php
---
# XXE
XML External Entity Injection
----
## XML Syntax
```xml
<?xml version="1.0" encoding="UTF-8"?>
<article>
<title>我的第一篇文章!</title>
<summary>這是我人生中的第一篇部落格文章!我感到非常興奮</summary>
</article>
```
----
## XML Custom Entity
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE post [ <!ENTITY title "我的第一篇文章!" > ]>
<article>
<title>&title;</title>
<summary>這是我人生中的第一篇部落格文章!我感到非常興奮</summary>
</article>
```
Note:
https://portswigger.net/web-security/xxe/xml-entities
----
## XML External Entity
It can point to an external URL
```xml
<!DOCTYPE xxe [
<!ENTITY ext SYSTEM "http://cs.sean.cat/" >
]>
```
or to a local file
```xml
<!DOCTYPE xxe [
<!ENTITY ext SYSTEM "file:///etc/passwd" >
]>
```
----
## Lab: Import Blog Post
![](https://hackmd.io/_uploads/HyZHUm7In.png =x480)
Note:
https://ctf.sean.cat/xxe/
---
# Template Injection
Note:
Week 3 p190
https://github.com/splitline/How-to-Hack-Websites/blob/master/slides/week/week3.pdf
----
## Slide
Refer to https://img.sean.taipei/2023/06/web-sec.pdf
<br>
Full Version: https://github.com/splitline/How-to-Hack-Websites/blob/master/slides/week/week3.pdf
----
## Lab: WIP
----
# Prototype Pollution
Note:
Week 3 p172
---
## Reference
- [splitline/How-to-Hack-Websites](https://github.com/splitline/How-to-Hack-Websites)
----
# Q&A
Slide link: https://hackmd.io/@Sean64/sec-sqlab2023
<!-- .element: class="r-fit-text" -->
<br>
[![CC-BY 4.0](https://mirrors.creativecommons.org/presskit/buttons/88x31/png/by.png)](https://creativecommons.org/licenses/by/4.0/deed.zh_TW)
###### This slide deck is licensed for public use under [Creative Commons Attribution (CC BY)](https://creativecommons.org/licenses/by/4.0/deed.zh_TW); the source and speaker notes are at [this link](https://hackmd.io/@Sean64/sec-sqlab2023/edit).