1 00:00:00,000 --> 00:00:09,250 2 00:00:09,250 --> 00:00:10,300 >> LUCIANO ARANGO: OK, guys. 3 00:00:10,300 --> 00:00:11,550 My name is Luciano Arango. 4 00:00:11,550 --> 00:00:13,915 I'm a sophomore in Adams House. 5 00:00:13,915 --> 00:00:17,550 And we're going to be talking about web security active defense. 6 00:00:17,550 --> 00:00:24,220 So I work for the Office of Information Security in SEAS. 7 00:00:24,220 --> 00:00:28,670 And over the summer, I interned at SeguraTec, which was a information 8 00:00:28,670 --> 00:00:31,310 security company that served for the Bank of Columbia. 9 00:00:31,310 --> 00:00:34,740 That's mostly where I learned what I've learned so far. 10 00:00:34,740 --> 00:00:37,990 >> And so some of the material that we're going to go over today, we haven't 11 00:00:37,990 --> 00:00:39,670 really talked about in class. 12 00:00:39,670 --> 00:00:40,410 But we will soon. 13 00:00:40,410 --> 00:00:42,360 It's going to be like SQL, JavaScript. 14 00:00:42,360 --> 00:00:44,870 And we haven't really gone over it. 15 00:00:44,870 --> 00:00:47,730 So I may sort of flight through it, and you might not know some things. 16 00:00:47,730 --> 00:00:48,890 But soon, you'll learn it. 17 00:00:48,890 --> 00:00:52,080 And it'll all make sense. 18 00:00:52,080 --> 00:00:54,010 Also another thing-- 19 00:00:54,010 --> 00:00:55,780 stay ethical. 20 00:00:55,780 --> 00:01:00,560 Some of the things that you learn, you could use in non-ethical ways. 21 00:01:00,560 --> 00:01:01,950 >> If it's yours, definitely try. 22 00:01:01,950 --> 00:01:04,500 I definitely motivate you guys to try your own servers, try 23 00:01:04,500 --> 00:01:05,519 going inside them. 24 00:01:05,519 --> 00:01:08,500 See if you can penetrate them, if you can get inside them. 25 00:01:08,500 --> 00:01:09,560 But not anyone else's. 26 00:01:09,560 --> 00:01:12,390 Cops don't really like the jokes and the whole, we put this here. 27 00:01:12,390 --> 00:01:14,040 We were messing around. 28 00:01:14,040 --> 00:01:15,780 They get really angry. 29 00:01:15,780 --> 00:01:18,700 >> So head over to this website. 30 00:01:18,700 --> 00:01:23,560 I have it opened right here. 31 00:01:23,560 --> 00:01:26,780 This is a website, and it has a bunch of examples. 32 00:01:26,780 --> 00:01:30,000 What happens is that the first example is sort of going to be a lot easier 33 00:01:30,000 --> 00:01:33,470 than the last example in a sense that the first example 34 00:01:33,470 --> 00:01:34,970 is completely insecure. 35 00:01:34,970 --> 00:01:40,850 And the last one is sort of what a normal web security person would do. 36 00:01:40,850 --> 00:01:42,760 But you can still sort of get around that. 37 00:01:42,760 --> 00:01:44,860 And we're going to focusing on one and two, examples one and two. 38 00:01:44,860 --> 00:01:49,880 39 00:01:49,880 --> 00:01:49,920 >> OK. 40 00:01:49,920 --> 00:01:52,780 Let's start with cross-site scripting. 41 00:01:52,780 --> 00:01:56,100 The JavaScript is run on the client's browser. 42 00:01:56,100 --> 00:01:59,980 It's a programming language that you use to run on the client's browser so 43 00:01:59,980 --> 00:02:04,120 you don't have to update the website and go back to the server. 44 00:02:04,120 --> 00:02:04,940 You have it running. 45 00:02:04,940 --> 00:02:08,870 For example, Facebook, you don't have to reload the website for new status 46 00:02:08,870 --> 00:02:09,710 updates to come up. 47 00:02:09,710 --> 00:02:12,170 It's using JavaScript to generate all these things. 48 00:02:12,170 --> 00:02:16,290 So we can inject malicious JavaScript into the websites. 49 00:02:16,290 --> 00:02:20,890 And that way, when we send a link to someone, we could sort of send it with 50 00:02:20,890 --> 00:02:23,050 some of the code that we want. 51 00:02:23,050 --> 00:02:26,450 >> There's persistent and non-persistent JavaScript-- 52 00:02:26,450 --> 00:02:30,640 persistent and non-persistent cross-site scripting, I mean. 53 00:02:30,640 --> 00:02:33,760 And the difference being that persistent is JavaScript that will be 54 00:02:33,760 --> 00:02:36,060 saved on the website. 55 00:02:36,060 --> 00:02:39,780 And non-persistent will be JavaScript that will actually just happen once. 56 00:02:39,780 --> 00:02:41,795 So let's look at an example real quick. 57 00:02:41,795 --> 00:02:45,660 58 00:02:45,660 --> 00:02:46,130 >> OK. 59 00:02:46,130 --> 00:02:51,620 So this website, simple, nothing happens here. 60 00:02:51,620 --> 00:02:53,070 And we're going to try to insert some JavaScript. 61 00:02:53,070 --> 00:02:58,110 So the way we start writing JavaScript is we start with the beginning script. 62 00:02:58,110 --> 00:03:00,570 And we close it with script. 63 00:03:00,570 --> 00:03:03,770 We're simply going to put a message-- 64 00:03:03,770 --> 00:03:05,410 I'll show you-- 65 00:03:05,410 --> 00:03:06,500 alert. 66 00:03:06,500 --> 00:03:11,150 Alert is a function that JavaScript uses to display something. 67 00:03:11,150 --> 00:03:12,400 So let's try it real quick. 68 00:03:12,400 --> 00:03:15,600 69 00:03:15,600 --> 00:03:18,944 I'm going to go, alert hello. 70 00:03:18,944 --> 00:03:20,400 Well, I forgot to put-- 71 00:03:20,400 --> 00:03:24,510 72 00:03:24,510 --> 00:03:25,460 OK. 73 00:03:25,460 --> 00:03:26,540 So that's simple. 74 00:03:26,540 --> 00:03:28,730 >> We put JavaScript on a website, and it came up. 75 00:03:28,730 --> 00:03:31,200 And it sort of only happens on our website, right? 76 00:03:31,200 --> 00:03:33,040 So it seems like it's not a problem, right? 77 00:03:33,040 --> 00:03:34,920 I mean, how could you use this maliciously? 78 00:03:34,920 --> 00:03:39,930 So the way that hackers do this is really simple. 79 00:03:39,930 --> 00:03:40,970 They're going to grab it. 80 00:03:40,970 --> 00:03:43,750 They can send this link to you. 81 00:03:43,750 --> 00:03:46,780 If I'll send this link to you right now, and you open it up, it's going to 82 00:03:46,780 --> 00:03:51,620 say, hello, saying that my website is telling you hello. 83 00:03:51,620 --> 00:03:57,280 >> And so if I were to say something a little bit smarter, if I pull up a 84 00:03:57,280 --> 00:03:59,880 JavaScript function I kind of already wrote-- 85 00:03:59,880 --> 00:04:03,940 but if you look at it, I'll go over it before I wrote it. 86 00:04:03,940 --> 00:04:06,650 So we're going to set a timeout. 87 00:04:06,650 --> 00:04:08,450 We're going to wait for a couple seconds. 88 00:04:08,450 --> 00:04:13,970 In fact, we're going to wait for, if I'm not mistaken, five seconds. 89 00:04:13,970 --> 00:04:15,870 This goes in milliseconds. 90 00:04:15,870 --> 00:04:18,640 And then what we're going to do is we're going to alert that the login 91 00:04:18,640 --> 00:04:21,459 timed out to log back in. 92 00:04:21,459 --> 00:04:23,990 And we're going to change the location to a different location. 93 00:04:23,990 --> 00:04:30,370 94 00:04:30,370 --> 00:04:32,970 >> So if I send this website to someone, they're going to be 95 00:04:32,970 --> 00:04:34,380 browsing around, calm. 96 00:04:34,380 --> 00:04:35,650 Nothing's happening. 97 00:04:35,650 --> 00:04:38,550 And in five seconds, it's going to say, your login timed out. 98 00:04:38,550 --> 00:04:40,200 Please log back in. 99 00:04:40,200 --> 00:04:43,400 Once they click OK, I'm going to take them to another website. 100 00:04:43,400 --> 00:04:45,980 Presumably, the website's going to be similar to the website that 101 00:04:45,980 --> 00:04:47,280 they were in before. 102 00:04:47,280 --> 00:04:50,770 And they're going to log their credentials into my website instead of 103 00:04:50,770 --> 00:04:51,850 their website. 104 00:04:51,850 --> 00:04:54,780 >> And so I can send people an email with this link. 105 00:04:54,780 --> 00:04:56,240 I say, oh, here's a link. 106 00:04:56,240 --> 00:04:57,290 This is a bank, for example. 107 00:04:57,290 --> 00:05:01,390 I say, here, go on this link. 108 00:05:01,390 --> 00:05:03,730 And once they send it, they're going to be browsing around. 109 00:05:03,730 --> 00:05:07,560 I can wait for 15 seconds, 20 seconds, and then pop that please log back in 110 00:05:07,560 --> 00:05:08,840 sign back on. 111 00:05:08,840 --> 00:05:10,120 You guys can try it with a lot more things. 112 00:05:10,120 --> 00:05:13,190 It's complicated because you guys haven't seen JavaScript, so you might 113 00:05:13,190 --> 00:05:14,750 not know some functions. 114 00:05:14,750 --> 00:05:18,625 But all you have to do is start with script, end with script. 115 00:05:18,625 --> 00:05:22,105 116 00:05:22,105 --> 00:05:25,510 And you could put anything in the middle. 117 00:05:25,510 --> 00:05:27,350 >> Alert is a function, wait for. 118 00:05:27,350 --> 00:05:29,365 Window location takes you to a new location. 119 00:05:29,365 --> 00:05:31,370 But you can do so much more. 120 00:05:31,370 --> 00:05:32,630 And so the idea is that we take that off. 121 00:05:32,630 --> 00:05:39,350 If I go to example two, and I put in this same code, it's 122 00:05:39,350 --> 00:05:40,210 not going to work. 123 00:05:40,210 --> 00:05:43,620 So it's printing everything out because what this website originally 124 00:05:43,620 --> 00:05:50,350 does is if I put anything here, it'll print it out right here. 125 00:05:50,350 --> 00:05:52,390 So it's not printing anything out. 126 00:05:52,390 --> 00:05:55,560 This example is actually checking to see if script is there. 127 00:05:55,560 --> 00:05:57,163 So yeah, go ahead. 128 00:05:57,163 --> 00:05:57,606 Ask me. 129 00:05:57,606 --> 00:05:59,560 >> AUDIENCE: Is not sending a get or post request? 130 00:05:59,560 --> 00:06:00,670 >> LUCIANO ARANGO: Yeah. they're sending a get request. 131 00:06:00,670 --> 00:06:01,350 >> AUDIENCE: It is? 132 00:06:01,350 --> 00:06:02,490 >> LUCIANO ARANGO: Yeah. 133 00:06:02,490 --> 00:06:04,030 Also browsers use post requests. 134 00:06:04,030 --> 00:06:07,470 But I'm trying to show get requests so that we can see what is 135 00:06:07,470 --> 00:06:10,760 actually going on. 136 00:06:10,760 --> 00:06:12,880 And so if we look at this code-- so it's not working anymore. 137 00:06:12,880 --> 00:06:24,870 And if we take a look at this code, it's going to be in example two. 138 00:06:24,870 --> 00:06:29,300 What this person is doing, the person in charge of this browser-- 139 00:06:29,300 --> 00:06:35,370 open up, OK-- 140 00:06:35,370 --> 00:06:39,290 is replacing the word script. 141 00:06:39,290 --> 00:06:42,850 This is PHP, which you guys might have seen a little bit of yet. 142 00:06:42,850 --> 00:06:46,250 >> He's just replacing the word script with name. 143 00:06:46,250 --> 00:06:50,895 So however, if I go ahead and just put in-- 144 00:06:50,895 --> 00:06:58,520 145 00:06:58,520 --> 00:07:02,360 if I grab my code again, and I'm going to modify it just a little bit. 146 00:07:02,360 --> 00:07:15,010 Instead of script, I'm going to change it for scRipt with a capital R. And 147 00:07:15,010 --> 00:07:16,390 we're going to see if this code works. 148 00:07:16,390 --> 00:07:19,090 So it didn't print it out, which is a good sign. 149 00:07:19,090 --> 00:07:21,990 And hopefully in two more seconds, it's going to pop up. 150 00:07:21,990 --> 00:07:22,820 >> Your login timed out. 151 00:07:22,820 --> 00:07:23,210 OK. 152 00:07:23,210 --> 00:07:24,460 That's all right. 153 00:07:24,460 --> 00:07:27,670 So checking for script might not necessarily work. 154 00:07:27,670 --> 00:07:28,130 The person-- 155 00:07:28,130 --> 00:07:32,290 it can also check for script uppercase, script lowercase, str case 156 00:07:32,290 --> 00:07:34,180 compare, make sure they're the same. 157 00:07:34,180 --> 00:07:38,480 But the hacker can still do sort of what we did in Vigenere when we moved 158 00:07:38,480 --> 00:07:40,620 back a couple characters, move forward. 159 00:07:40,620 --> 00:07:43,470 And it can figure out how to put script back in there so it can inject 160 00:07:43,470 --> 00:07:44,460 that script. 161 00:07:44,460 --> 00:07:50,370 >> So what you want to use is htmlspecialchars to 162 00:07:50,370 --> 00:07:51,330 protect your website. 163 00:07:51,330 --> 00:07:56,490 And what this does is it makes sure that what you put in-- 164 00:07:56,490 --> 00:07:59,610 for example, quotations or this greater than or less than-- 165 00:07:59,610 --> 00:08:04,701 is replaced with something that won't be-- 166 00:08:04,701 --> 00:08:05,951 let me zoom in here-- 167 00:08:05,951 --> 00:08:08,730 168 00:08:08,730 --> 00:08:09,685 the actual ampersand. 169 00:08:09,685 --> 00:08:13,420 It will replace those special HTML characters that we'll see when we're 170 00:08:13,420 --> 00:08:14,670 talking about-- 171 00:08:14,670 --> 00:08:18,635 172 00:08:18,635 --> 00:08:20,740 oh, this is going to take me back to-- 173 00:08:20,740 --> 00:08:24,220 174 00:08:24,220 --> 00:08:25,380 these characters right here. 175 00:08:25,380 --> 00:08:28,180 >> These signify that something is coming. 176 00:08:28,180 --> 00:08:31,570 For HTML, that beginning bracket tells us that something 177 00:08:31,570 --> 00:08:33,299 HTML related is coming. 178 00:08:33,299 --> 00:08:33,980 And we want to get rid of that. 179 00:08:33,980 --> 00:08:36,200 We don't want to put HTML into a website.k We don't want the user to be 180 00:08:36,200 --> 00:08:40,260 able to put something in their website that can affect their website, like 181 00:08:40,260 --> 00:08:43,480 script or HTML or something like that. 182 00:08:43,480 --> 00:08:53,090 What's important is that you sanitize the user input. 183 00:08:53,090 --> 00:08:54,720 >> So the users may input many things. 184 00:08:54,720 --> 00:08:58,110 He can input a bunch of stuff to try to trick your browser into still 185 00:08:58,110 --> 00:08:59,410 running this script code. 186 00:08:59,410 --> 00:09:02,870 What you want to do is not just look for script, but look for everything 187 00:09:02,870 --> 00:09:04,250 that could be malicious. 188 00:09:04,250 --> 00:09:06,800 And htmlspecialchars will do that for you, so you don't have 189 00:09:06,800 --> 00:09:07,340 to worry about it. 190 00:09:07,340 --> 00:09:12,280 But don't try to do by yourself sort of with your own code. 191 00:09:12,280 --> 00:09:14,055 Is everyone clear on XSS? 192 00:09:14,055 --> 00:09:14,370 >> OK. 193 00:09:14,370 --> 00:09:16,355 Let's go to SQL injection. 194 00:09:16,355 --> 00:09:21,010 So SQL injection is probably the number one vulnerability 195 00:09:21,010 --> 00:09:22,490 in different websites. 196 00:09:22,490 --> 00:09:24,350 I mean, a good example-- 197 00:09:24,350 --> 00:09:27,350 I was just researching furthest for this thing. 198 00:09:27,350 --> 00:09:34,430 And I found this awesome article, where I saw that Harvard was breached, 199 00:09:34,430 --> 00:09:35,390 was hacked. 200 00:09:35,390 --> 00:09:37,370 And I was wondering, well, how would they do it? 201 00:09:37,370 --> 00:09:41,660 Harvard's the most awesome, most secure university ever. 202 00:09:41,660 --> 00:09:43,850 Right? 203 00:09:43,850 --> 00:09:45,410 Well, to breach the servers, the hackers used a 204 00:09:45,410 --> 00:09:47,710 technique called SQL injection. 205 00:09:47,710 --> 00:09:50,250 >> So this happens on a day to day basis. 206 00:09:50,250 --> 00:09:53,590 People forget to take account for SQL injection. 207 00:09:53,590 --> 00:09:54,930 Harvard does. 208 00:09:54,930 --> 00:10:00,050 I think it says here, Princeton, Stanford, Cornell. 209 00:10:00,050 --> 00:10:03,550 So how do we-- so what is this SQL injection that is bringing all these 210 00:10:03,550 --> 00:10:05,668 people down? 211 00:10:05,668 --> 00:10:08,010 OK. 212 00:10:08,010 --> 00:10:12,090 So SQL is a programming language that we use to access databases. 213 00:10:12,090 --> 00:10:14,560 What we do is we select-- 214 00:10:14,560 --> 00:10:18,510 so what this reads right now is select everything from the table. 215 00:10:18,510 --> 00:10:22,640 >> SQL, it changes into these databases that have tables full of information. 216 00:10:22,640 --> 00:10:26,550 So select everything from users where the name is username. 217 00:10:26,550 --> 00:10:28,120 Right? 218 00:10:28,120 --> 00:10:30,770 Simple enough. 219 00:10:30,770 --> 00:10:34,490 The idea of SQL injection is that we insert some malicious code that would 220 00:10:34,490 --> 00:10:37,270 trick the server into running something different than what it 221 00:10:37,270 --> 00:10:38,430 originally was running. 222 00:10:38,430 --> 00:10:44,970 So let's say for username, we put in or 1 equals 1. 223 00:10:44,970 --> 00:10:46,700 So we put in or 1 equals 1. 224 00:10:46,700 --> 00:10:49,890 The way it will read now will be select from users, everything from 225 00:10:49,890 --> 00:10:51,360 users-- this is everything-- 226 00:10:51,360 --> 00:10:55,880 where name is username, but username is or 1 equals 1. 227 00:10:55,880 --> 00:11:01,760 >> So name is nothing or 1 equals 1. 228 00:11:01,760 --> 00:11:04,060 1 equals 1 is always true. 229 00:11:04,060 --> 00:11:07,690 So this will always return information from the users. 230 00:11:07,690 --> 00:11:08,100 OK. 231 00:11:08,100 --> 00:11:10,030 We don't need to have the correct username. 232 00:11:10,030 --> 00:11:14,240 We can just have anything that we want, and it will return information 233 00:11:14,240 --> 00:11:15,690 that we need. 234 00:11:15,690 --> 00:11:17,160 Let's look at another example. 235 00:11:17,160 --> 00:11:22,720 >> If we have select everything from user, where name is DROP TABLE users-- 236 00:11:22,720 --> 00:11:26,420 so what do you think this will do if I put in the username 237 00:11:26,420 --> 00:11:29,560 as DROP TABLE users? 238 00:11:29,560 --> 00:11:30,230 Anyone have an idea? 239 00:11:30,230 --> 00:11:31,050 Yes. 240 00:11:31,050 --> 00:11:32,470 >> AUDIENCE: It's going to tell it to dump all the tables. 241 00:11:32,470 --> 00:11:35,460 >> LUCIANO ARANGO: It's going to tell us to dump everything in the website, 242 00:11:35,460 --> 00:11:38,290 everything in the database. 243 00:11:38,290 --> 00:11:41,910 And what people use this for-- so I'm going to show you guys. 244 00:11:41,910 --> 00:11:45,462 I disabled dropping the tables because I didn't want you 245 00:11:45,462 --> 00:11:48,240 guys to drop my tables. 246 00:11:48,240 --> 00:11:49,850 Let's take a look at this. 247 00:11:49,850 --> 00:11:54,410 So this simply pulls up the information for a certain person. 248 00:11:54,410 --> 00:11:57,550 So how do we know if this is affected by SQL injection. 249 00:11:57,550 --> 00:12:01,545 We're going to check real quick if we can put something-- 250 00:12:01,545 --> 00:12:04,990 251 00:12:04,990 --> 00:12:06,080 let me copy this code. 252 00:12:06,080 --> 00:12:08,140 I'm going to go over it in a second. 253 00:12:08,140 --> 00:12:12,210 I'm going to put root and 1 equals 1. 254 00:12:12,210 --> 00:12:15,510 >> This right here, this percent sign 23-- 255 00:12:15,510 --> 00:12:19,970 what it really is, if I look right here at-- 256 00:12:19,970 --> 00:12:23,820 the way HTML takes in numbers, if you take a look at when I put in a space 257 00:12:23,820 --> 00:12:28,380 here-- if I were to space something here, it changes it to a percent 2. 258 00:12:28,380 --> 00:12:31,420 Do you guys see this right here when I put in a space? 259 00:12:31,420 --> 00:12:36,710 The way it works is that you can only send ASCII values through HTML. 260 00:12:36,710 --> 00:12:40,330 So it replaces, for example, a space with percent 20. 261 00:12:40,330 --> 00:12:41,970 I don't know if you guys have seen that before. 262 00:12:41,970 --> 00:12:45,100 >> It replaces a hashtag with percent 23. 263 00:12:45,100 --> 00:12:50,840 We need a hashtag at the end of or statement so that we can tell the 264 00:12:50,840 --> 00:13:00,885 database to forget to comment out this last semicolon at the end. 265 00:13:00,885 --> 00:13:03,060 We want it to not think about that. 266 00:13:03,060 --> 00:13:05,980 We just want it to run everything that we have beforehand and 267 00:13:05,980 --> 00:13:07,450 comment that out. 268 00:13:07,450 --> 00:13:08,710 Let's take a look at it. 269 00:13:08,710 --> 00:13:14,670 >> So if I were to put something wrong-- let's say for example, I put 2 equals 270 00:13:14,670 --> 00:13:15,690 1, it doesn't give me anything. 271 00:13:15,690 --> 00:13:22,930 When I put in 1 equals 1, and it does return something, this tells me that 272 00:13:22,930 --> 00:13:24,660 this is vulnerable to an SQL injection. 273 00:13:24,660 --> 00:13:29,090 I know now that whatever I put after this-- 274 00:13:29,090 --> 00:13:39,110 and for example, DROP TABLES or something like that 275 00:13:39,110 --> 00:13:41,190 will definitely work. 276 00:13:41,190 --> 00:13:44,350 I know it's vulnerable to SQL injection because I know that 277 00:13:44,350 --> 00:13:49,850 underneath the hood, it's letting me do the 1 equals 1 thing. 278 00:13:49,850 --> 00:13:51,100 OK? 279 00:13:51,100 --> 00:13:53,950 280 00:13:53,950 --> 00:13:56,540 >> And if we look at these other ones, number two and number three, it's 281 00:13:56,540 --> 00:13:59,110 going to do a little bit more of checking underneath the 282 00:13:59,110 --> 00:14:03,680 hood of what it is. 283 00:14:03,680 --> 00:14:07,425 So anyone enable the drop anything yet or tried? 284 00:14:07,425 --> 00:14:08,760 Do you guys sort of get SQL yet? 285 00:14:08,760 --> 00:14:10,430 Because I know you guys haven't seen it yet, so it's kind of 286 00:14:10,430 --> 00:14:11,759 confusing for you guys. 287 00:14:11,759 --> 00:14:16,160 288 00:14:16,160 --> 00:14:18,480 Let's take a look. 289 00:14:18,480 --> 00:14:21,270 So what's the way to prevent SQLI? 290 00:14:21,270 --> 00:14:21,390 OK. 291 00:14:21,390 --> 00:14:23,330 So this is really important because you guys definitely want to prevent 292 00:14:23,330 --> 00:14:24,090 this in your websites. 293 00:14:24,090 --> 00:14:28,040 >> If not, all your friends are going to make fun of you when they drop all 294 00:14:28,040 --> 00:14:29,390 your tables. 295 00:14:29,390 --> 00:14:36,150 So the idea is that you repair the SQL in a certain way, whereas you match 296 00:14:36,150 --> 00:14:41,940 what the user inputs with a certain string. 297 00:14:41,940 --> 00:14:46,120 So the way this works is you prepare the database. 298 00:14:46,120 --> 00:14:50,830 You select name, color, and calories from a database called fruit. 299 00:14:50,830 --> 00:14:53,580 And then where calories is less than, and we put a question mark there 300 00:14:53,580 --> 00:14:56,530 saying we're going to input something in a second. 301 00:14:56,530 --> 00:14:58,850 >> And color equals, and we put a question mark saying we're going to 302 00:14:58,850 --> 00:15:00,913 input something in a second as well. 303 00:15:00,913 --> 00:15:02,660 OK? 304 00:15:02,660 --> 00:15:09,920 And then we execute it, putting in 150 and red. 305 00:15:09,920 --> 00:15:12,820 And this will check to make sure that these two-- 306 00:15:12,820 --> 00:15:15,300 this array will check that these two are an integer and 307 00:15:15,300 --> 00:15:16,550 that this is a string. 308 00:15:16,550 --> 00:15:18,810 309 00:15:18,810 --> 00:15:20,890 Then we go, and we fetch all, we put it in red. 310 00:15:20,890 --> 00:15:21,964 That means we fetch all. 311 00:15:21,964 --> 00:15:26,790 It means we actually execute the SQL statement and put it back in red. 312 00:15:26,790 --> 00:15:30,530 Here we do the same, but we do the same for yellow. 313 00:15:30,530 --> 00:15:32,490 And we fetch all. 314 00:15:32,490 --> 00:15:36,140 >> And in this way, we prevent the user from being able to input something 315 00:15:36,140 --> 00:15:41,710 that is not what we specified, a string or an integer, for example. 316 00:15:41,710 --> 00:15:45,100 317 00:15:45,100 --> 00:15:46,610 I was talking earlier about relying on others. 318 00:15:46,610 --> 00:15:50,010 When you guys start your project, you're most definitely going to use 319 00:15:50,010 --> 00:15:52,310 bootstrap or something similar. 320 00:15:52,310 --> 00:15:53,490 Have you guys ever used Wordpress? 321 00:15:53,490 --> 00:15:57,170 Probably you guys have used Wordpress most likely. 322 00:15:57,170 --> 00:16:00,050 So the problem with using other people's things-- 323 00:16:00,050 --> 00:16:05,940 I'm just going to Google real quick Wordpress vulnerability. 324 00:16:05,940 --> 00:16:07,495 >> If I pull this up right now-- 325 00:16:07,495 --> 00:16:08,995 I literally did a two second Google. 326 00:16:08,995 --> 00:16:12,300 327 00:16:12,300 --> 00:16:13,800 We can see that Wordpress-- 328 00:16:13,800 --> 00:16:17,450 this is dated as September '12. 329 00:16:17,450 --> 00:16:19,120 26 is updated. 330 00:16:19,120 --> 00:16:23,620 The default configuration of Wordpress before 3.6 does not prevent these 331 00:16:23,620 --> 00:16:27,110 certain uploads, which might make it easier for 332 00:16:27,110 --> 00:16:29,790 cross-site scripting attacks. 333 00:16:29,790 --> 00:16:34,530 So a quick story, once we were working with-- so I was, in summer, working an 334 00:16:34,530 --> 00:16:34,970 internship. 335 00:16:34,970 --> 00:16:40,400 And we were working with sort of like a big credit card company. 336 00:16:40,400 --> 00:16:42,020 >> And they rely on something called-- 337 00:16:42,020 --> 00:16:45,740 I don't know if you guys ever played with a product called Joomla. 338 00:16:45,740 --> 00:16:51,750 Joomla's a product that is used to control-- sort of similar to 339 00:16:51,750 --> 00:16:54,340 Wordpress, used to build websites. 340 00:16:54,340 --> 00:16:56,060 So they had their website working on Joomla. 341 00:16:56,060 --> 00:16:59,290 This is actually a credit card company in Colombia. 342 00:16:59,290 --> 00:17:01,000 I'll take you to their website real quick. 343 00:17:01,000 --> 00:17:04,550 344 00:17:04,550 --> 00:17:05,400 >> So they used Joomla. 345 00:17:05,400 --> 00:17:08,630 And they hadn't updated Joomla to the latest addition. 346 00:17:08,630 --> 00:17:12,160 And so when we were taking a look at their code, we were able to actually 347 00:17:12,160 --> 00:17:18,430 go inside their code and steal all the credit card information that they had, 348 00:17:18,430 --> 00:17:21,670 all the credit card numbers, the names, the addresses. 349 00:17:21,670 --> 00:17:22,740 And this was just-- 350 00:17:22,740 --> 00:17:23,569 and their code was perfectly fine. 351 00:17:23,569 --> 00:17:24,710 They had great code. 352 00:17:24,710 --> 00:17:25,389 It was all security. 353 00:17:25,389 --> 00:17:26,520 They checked all the databases. 354 00:17:26,520 --> 00:17:29,020 They made sure cross-site scripting was fine. 355 00:17:29,020 --> 00:17:34,390 >> But they used something that was not updated, that was not secure. 356 00:17:34,390 --> 00:17:36,940 And so that led them to-- so you guys are definitely going to use other 357 00:17:36,940 --> 00:17:40,650 people's code, other people's frameworks to build up your website. 358 00:17:40,650 --> 00:17:43,860 Make sure that they're secure because sometimes it's not you, the one that 359 00:17:43,860 --> 00:17:44,480 makes a mistake. 360 00:17:44,480 --> 00:17:47,440 But someone else makes a mistake, and then you fall down because of that. 361 00:17:47,440 --> 00:17:51,190 362 00:17:51,190 --> 00:17:53,885 >> Passwords and PII. 363 00:17:53,885 --> 00:17:56,820 So passwords. 364 00:17:56,820 --> 00:17:58,070 OK. 365 00:17:58,070 --> 00:17:59,980 366 00:17:59,980 --> 00:18:04,230 Let's take a look at passwords real quick. 367 00:18:04,230 --> 00:18:04,590 OK. 368 00:18:04,590 --> 00:18:06,520 Please tell me that everyone uses secure-- 369 00:18:06,520 --> 00:18:09,030 I'm hoping everyone here uses secure passwords. 370 00:18:09,030 --> 00:18:12,890 I'm just letting that in as an assumption. 371 00:18:12,890 --> 00:18:14,850 So you guys are definitely going to store passwords for your websites. 372 00:18:14,850 --> 00:18:17,440 You're going to make something like a login or something like that. 373 00:18:17,440 --> 00:18:19,610 What's important is to not store passwords in plain text. 374 00:18:19,610 --> 00:18:20,860 This is extremely important. 375 00:18:20,860 --> 00:18:23,960 You do not want to store a password in plain text. 376 00:18:23,960 --> 00:18:27,370 >> And you definitely don't really want to store it in a one way hash. 377 00:18:27,370 --> 00:18:32,440 So what a one way hash is that when you generate a word, when you put this 378 00:18:32,440 --> 00:18:36,200 word into a hash function, it will generate back some sort of cryptic 379 00:18:36,200 --> 00:18:39,390 message or cryptic set of keys. 380 00:18:39,390 --> 00:18:40,640 I'll show you an example. 381 00:18:40,640 --> 00:18:44,620 382 00:18:44,620 --> 00:18:50,250 I'm going to hash they word password1. 383 00:18:50,250 --> 00:18:55,280 So md5 Hash is going to return me some sort of weird information. 384 00:18:55,280 --> 00:18:59,140 >> The problem is that people out there that like to go into websites have 385 00:18:59,140 --> 00:19:02,750 already figured out sort of all the md5 hashes. 386 00:19:02,750 --> 00:19:06,030 What they did is they sat down on their computers, and they hashed every 387 00:19:06,030 --> 00:19:09,660 single possible word out there until they got sort of what this is. 388 00:19:09,660 --> 00:19:11,420 If I were to look this up-- 389 00:19:11,420 --> 00:19:12,420 I just grabbed this hash. 390 00:19:12,420 --> 00:19:14,120 If I get this hash from-- 391 00:19:14,120 --> 00:19:17,470 if I go into a website, and I find this hash because I get to the 392 00:19:17,470 --> 00:19:24,100 databases, and I look it up, someone already figured it out for me. 393 00:19:24,100 --> 00:19:28,600 394 00:19:28,600 --> 00:19:29,100 >> Yeah. 395 00:19:29,100 --> 00:19:35,030 So people sat down, and whatever md5 hash that you put in, they're going to 396 00:19:35,030 --> 00:19:37,760 return to you something that is a word. 397 00:19:37,760 --> 00:19:39,800 If I hash another word, like-- 398 00:19:39,800 --> 00:19:42,410 I don't know-- 399 00:19:42,410 --> 00:19:43,490 trees2. 400 00:19:43,490 --> 00:19:46,050 I don't want to be disappointed by my Google searches. 401 00:19:46,050 --> 00:19:49,820 402 00:19:49,820 --> 00:19:52,780 There it is, trees2. 403 00:19:52,780 --> 00:19:55,930 So a lot of websites still use md5 hash. 404 00:19:55,930 --> 00:19:57,730 They say, oh, it's secure. 405 00:19:57,730 --> 00:19:58,570 We're not storing in plain text. 406 00:19:58,570 --> 00:19:59,740 We have this md5 hash. 407 00:19:59,740 --> 00:20:01,880 And all I have to do is just Google the number. 408 00:20:01,880 --> 00:20:03,940 >> I don't even have to compute myself. 409 00:20:03,940 --> 00:20:06,790 I can just Google it, and someone already did it for me. 410 00:20:06,790 --> 00:20:08,010 Here's a bunch of them. 411 00:20:08,010 --> 00:20:09,260 Here's a bunch of passwords. 412 00:20:09,260 --> 00:20:13,890 413 00:20:13,890 --> 00:20:18,680 So definitely don't use md5 hash, because all you have to 414 00:20:18,680 --> 00:20:19,140 do is Google it. 415 00:20:19,140 --> 00:20:20,390 So what do you want to use instead? 416 00:20:20,390 --> 00:20:29,340 417 00:20:29,340 --> 00:20:30,170 OK. 418 00:20:30,170 --> 00:20:31,260 Something called salting. 419 00:20:31,260 --> 00:20:32,460 So what salting is-- 420 00:20:32,460 --> 00:20:36,280 do you guys remember when we were talking about random in-- 421 00:20:36,280 --> 00:20:37,920 I'm not sure what pset it was-- 422 00:20:37,920 --> 00:20:41,140 was it pset there or four? 423 00:20:41,140 --> 00:20:45,150 >> We were talking about finding the needle in the haystack. 424 00:20:45,150 --> 00:20:48,480 And in the pset, it said that you could actually figure out what random 425 00:20:48,480 --> 00:20:51,840 generates because someone's already ran random a million times and just 426 00:20:51,840 --> 00:20:53,230 sort of formed what they generate. 427 00:20:53,230 --> 00:20:55,840 What you want to do is put in an input. 428 00:20:55,840 --> 00:20:57,130 So that's what salting sort of is. 429 00:20:57,130 --> 00:21:00,900 They already figured out what salting returns for each work. 430 00:21:00,900 --> 00:21:04,750 >> So what salting does is you put in a salt. 431 00:21:04,750 --> 00:21:06,160 You put in a certain word. 432 00:21:06,160 --> 00:21:09,720 And it will hash that word depending on what you put in here. 433 00:21:09,720 --> 00:21:13,570 So if I hash password one with this sentence, it's going to hash 434 00:21:13,570 --> 00:21:17,180 differently if I hash password1 with a different sentence. 435 00:21:17,180 --> 00:21:21,670 It sort of gives it somewhere to start for the hashing to begin. 436 00:21:21,670 --> 00:21:25,970 So it's a lot harder to compute, but you can still compute it, especially 437 00:21:25,970 --> 00:21:26,830 if you use a bad salt. 438 00:21:26,830 --> 00:21:29,650 >> People have already also figured out common salts and figured out 439 00:21:29,650 --> 00:21:31,500 what that it is. 440 00:21:31,500 --> 00:21:34,980 Random salts are much better, but the best way is to use 441 00:21:34,980 --> 00:21:38,160 something called crypt. 442 00:21:38,160 --> 00:21:40,480 And what crypt allows you to do-- so these functions are 443 00:21:40,480 --> 00:21:41,820 already built for you. 444 00:21:41,820 --> 00:21:44,910 Many people forget that, or they forget to use it. 445 00:21:44,910 --> 00:21:54,520 But if I look up crypt PHP, crypt already returns a hash string for me. 446 00:21:54,520 --> 00:21:58,790 And it actually salts it many times and hashes it many times. 447 00:21:58,790 --> 00:22:00,070 >> So we don't have to do this. 448 00:22:00,070 --> 00:22:04,790 So all you have to do is send it into crypt. 449 00:22:04,790 --> 00:22:08,170 And it will create a great hash without you having to worry about salt 450 00:22:08,170 --> 00:22:08,990 or anything. 451 00:22:08,990 --> 00:22:12,000 Because if you were to salt it, you have to remember what salt you used 452 00:22:12,000 --> 00:22:13,800 because if not, you can't get your password back without the 453 00:22:13,800 --> 00:22:15,760 salt that you used. 454 00:22:15,760 --> 00:22:17,010 OK. 455 00:22:17,010 --> 00:22:21,120 456 00:22:21,120 --> 00:22:23,150 >> And also personal identifiable information. 457 00:22:23,150 --> 00:22:26,730 So social security, credit card-- that's pretty obvious. 458 00:22:26,730 --> 00:22:31,880 But sometimes people forget the way it works is, how much information do you 459 00:22:31,880 --> 00:22:35,690 actually need to find some one person? 460 00:22:35,690 --> 00:22:37,740 Someone did a study about this a way back. 461 00:22:37,740 --> 00:22:40,870 And it was like, if you have a full name, you can't find 462 00:22:40,870 --> 00:22:41,610 someone that easily. 463 00:22:41,610 --> 00:22:43,900 But what if you have a full name and their date of birth? 464 00:22:43,900 --> 00:22:47,770 Is that enough to identify someone specifically? 465 00:22:47,770 --> 00:22:52,760 >> What if you have their name and the street address that they live on? 466 00:22:52,760 --> 00:22:55,110 Is that enough to find someone? 467 00:22:55,110 --> 00:23:02,490 And that's when they question, what is personal identifiable information, and 468 00:23:02,490 --> 00:23:05,360 what should you worry about not giving away? 469 00:23:05,360 --> 00:23:08,770 If you give away personal identifiable information that someone gives you, 470 00:23:08,770 --> 00:23:11,420 you could potentially get sued. 471 00:23:11,420 --> 00:23:12,610 And we definitely don't want that. 472 00:23:12,610 --> 00:23:14,955 >> So when you're putting your website out, and you have a really cool 473 00:23:14,955 --> 00:23:17,230 design, hopefully you made an awesome final project. 474 00:23:17,230 --> 00:23:18,370 Any you sort of want to put it out there. 475 00:23:18,370 --> 00:23:21,420 You want to make sure that whatever you're taking from the user, if it's 476 00:23:21,420 --> 00:23:25,310 personal identifiable information, you want to make sure you're being really 477 00:23:25,310 --> 00:23:26,560 careful with it. 478 00:23:26,560 --> 00:23:29,670 479 00:23:29,670 --> 00:23:31,080 >> Shell injection. 480 00:23:31,080 --> 00:23:31,350 OK. 481 00:23:31,350 --> 00:23:37,590 Shell injection allows the intruder to get access to your actual command line 482 00:23:37,590 --> 00:23:39,660 in your server. 483 00:23:39,660 --> 00:23:44,060 And so he's able to run code that you can't control. 484 00:23:44,060 --> 00:23:49,560 Let's take an example of this beautiful string right here. 485 00:23:49,560 --> 00:23:55,570 If we go into the website again, I'm going to go into code injection. 486 00:23:55,570 --> 00:23:58,910 So what this does is-- 487 00:23:58,910 --> 00:24:00,420 it's also what we were looking at before. 488 00:24:00,420 --> 00:24:11,200 We're letting the user put in whatever he wants, and it will print out 489 00:24:11,200 --> 00:24:12,220 whatever you want. 490 00:24:12,220 --> 00:24:13,890 >> So I'm going to put a call. 491 00:24:13,890 --> 00:24:15,540 What this does is-- 492 00:24:15,540 --> 00:24:16,940 it will start by concatenating. 493 00:24:16,940 --> 00:24:19,520 So it will let me run whatever command the person's running 494 00:24:19,520 --> 00:24:21,500 before and my command. 495 00:24:21,500 --> 00:24:23,980 And I'm running a system command. 496 00:24:23,980 --> 00:24:27,310 And these last strings are-- remember what I talked to you guys about, 497 00:24:27,310 --> 00:24:31,725 whereas you have to encode it in a URL method. 498 00:24:31,725 --> 00:24:35,010 499 00:24:35,010 --> 00:24:36,992 If I run this now-- 500 00:24:36,992 --> 00:24:39,150 I'll show you over here-- 501 00:24:39,150 --> 00:24:41,100 you'll see that I ended up running a command. 502 00:24:41,100 --> 00:24:45,700 503 00:24:45,700 --> 00:24:49,320 >> This is actually the actual server that my website is running on. 504 00:24:49,320 --> 00:24:55,840 505 00:24:55,840 --> 00:24:58,510 So we don't want that, because I can run-- 506 00:24:58,510 --> 00:25:00,320 this server is not mine. 507 00:25:00,320 --> 00:25:04,030 So I don't want to mess up his sister, Marcus's server. 508 00:25:04,030 --> 00:25:07,470 But you can run more commands that are dangerous. 509 00:25:07,470 --> 00:25:11,885 And potentially, you could delete files, remove directories. 510 00:25:11,885 --> 00:25:14,390 511 00:25:14,390 --> 00:25:17,970 I can remove a certain directory if I wanted to, but I don't want 512 00:25:17,970 --> 00:25:19,530 to do that to Marcus. 513 00:25:19,530 --> 00:25:20,420 He's a nice guy. 514 00:25:20,420 --> 00:25:21,470 He let me borrow his server. 515 00:25:21,470 --> 00:25:24,620 So I'm going to let him off on the good one. 516 00:25:24,620 --> 00:25:32,280 >> So what we don't want to use-- we don't want to use eval or system. 517 00:25:32,280 --> 00:25:34,755 Eval or system allows us to make these system calls. 518 00:25:34,755 --> 00:25:37,410 519 00:25:37,410 --> 00:25:38,410 Eval means evaluate. 520 00:25:38,410 --> 00:25:40,790 System means what I ran. 521 00:25:40,790 --> 00:25:42,490 It's run something in the system. 522 00:25:42,490 --> 00:25:46,730 But we can outlaw these things in PHP so that we don't use them. 523 00:25:46,730 --> 00:25:47,400 And file upload. 524 00:25:47,400 --> 00:25:49,180 I was going to do an awesome thing with the file upload. 525 00:25:49,180 --> 00:25:52,740 But like I told you guys, my file upload thing isn't working. 526 00:25:52,740 --> 00:25:54,590 If I were to upload a file right now-- 527 00:25:54,590 --> 00:25:57,120 528 00:25:57,120 --> 00:26:00,830 if I were to upload a file, and it's a picture-- 529 00:26:00,830 --> 00:26:03,180 you have an upload thing that's a picture. 530 00:26:03,180 --> 00:26:03,660 That's fine. 531 00:26:03,660 --> 00:26:04,280 Nothing happens. 532 00:26:04,280 --> 00:26:10,840 >> But if you have an upload file, for example, and the user actually uploads 533 00:26:10,840 --> 00:26:19,220 a PHP file or a exe file or something like that, then you could potentially 534 00:26:19,220 --> 00:26:19,740 have a problem. 535 00:26:19,740 --> 00:26:21,390 This was working before. 536 00:26:21,390 --> 00:26:25,202 Unfortunately for me, it's not working anymore. 537 00:26:25,202 --> 00:26:30,230 If I, for example, upload this file, I'm not getting permission to upload 538 00:26:30,230 --> 00:26:33,400 the file due to the server not being mine. 539 00:26:33,400 --> 00:26:38,670 So the guy's really smart. 540 00:26:38,670 --> 00:26:39,610 >> So we don't want to-- 541 00:26:39,610 --> 00:26:40,130 I'm going to show you guys-- 542 00:26:40,130 --> 00:26:41,840 OK, these are some really cool tools. 543 00:26:41,840 --> 00:26:45,100 So these-- 544 00:26:45,100 --> 00:26:47,715 go into-- if you guys have Firefox-- hopefully you do. 545 00:26:47,715 --> 00:26:54,260 There's two add-ons called SQL Inject Me and Cross-Site Script Me. 546 00:26:54,260 --> 00:26:56,870 They open up as little side bars on the side. 547 00:26:56,870 --> 00:27:01,480 And if I were to go to CS60 for example-- 548 00:27:01,480 --> 00:27:04,210 so what it does is it looks for all the forms that-- 549 00:27:04,210 --> 00:27:07,220 550 00:27:07,220 --> 00:27:08,760 hopefully, I won't get in trouble for this. 551 00:27:08,760 --> 00:27:09,190 >> But OK. 552 00:27:09,190 --> 00:27:12,600 Here's the pin system. 553 00:27:12,600 --> 00:27:18,946 So when I start looking for holes in the system, the first thing I do is 554 00:27:18,946 --> 00:27:21,820 open up this beautiful little tool on the side. 555 00:27:21,820 --> 00:27:24,160 And I'm going to test forms with auto attacks. 556 00:27:24,160 --> 00:27:28,510 And so what this does is it will slowly open up a bunch of browsers. 557 00:27:28,510 --> 00:27:29,930 Here's a bunch of browsers. 558 00:27:29,930 --> 00:27:33,320 And it's trying every single combination of cross-site scripting 559 00:27:33,320 --> 00:27:37,380 that there possibly is, if you see on the side. 560 00:27:37,380 --> 00:27:42,080 >> And it will give me a result sort of what the answer is. 561 00:27:42,080 --> 00:27:42,860 All pass. 562 00:27:42,860 --> 00:27:43,910 Obviously, they all pass. 563 00:27:43,910 --> 00:27:46,190 I mean, they're really smart people up there. 564 00:27:46,190 --> 00:27:48,010 But if I were to run-- 565 00:27:48,010 --> 00:27:52,050 I've had times before when I run this on students' final projects. 566 00:27:52,050 --> 00:27:56,080 I simply run SQL Inject Me with all different attacks. 567 00:27:56,080 --> 00:28:00,080 And it's trying to SQL inject this pin server. 568 00:28:00,080 --> 00:28:03,590 So if we scroll down, for example, it says-- 569 00:28:03,590 --> 00:28:04,960 this is good if it returns. 570 00:28:04,960 --> 00:28:08,250 >> So it tested some certain values. 571 00:28:08,250 --> 00:28:11,170 And the server returned a code that was negative. 572 00:28:11,170 --> 00:28:11,780 Remove temporarily. 573 00:28:11,780 --> 00:28:13,030 This is good. 574 00:28:13,030 --> 00:28:17,050 575 00:28:17,050 --> 00:28:20,750 It tries all these tests. 576 00:28:20,750 --> 00:28:21,790 So you could simply run-- 577 00:28:21,790 --> 00:28:27,860 I wish I could find a website real quick that would let me-- 578 00:28:27,860 --> 00:28:29,110 maybe the CS50 store. 579 00:28:29,110 --> 00:28:43,890 580 00:28:43,890 --> 00:28:45,711 >> Wow, this is going to take way too long. 581 00:28:45,711 --> 00:28:53,090 582 00:28:53,090 --> 00:28:55,130 I'll let the first test not finish right. 583 00:28:55,130 --> 00:28:57,330 So it's complaining. 584 00:28:57,330 --> 00:28:58,470 So these are three things. 585 00:28:58,470 --> 00:29:00,430 These tools are free. 586 00:29:00,430 --> 00:29:03,960 You can download them and run them on your website, and it will tell you if 587 00:29:03,960 --> 00:29:06,650 you have cross-site scripting, if you have SQL, if you have 588 00:29:06,650 --> 00:29:07,900 something of the like. 589 00:29:07,900 --> 00:29:12,230 590 00:29:12,230 --> 00:29:14,500 I'm sort of messing up. 591 00:29:14,500 --> 00:29:15,550 >> What's important-- 592 00:29:15,550 --> 00:29:17,900 OK, so never trust the user. 593 00:29:17,900 --> 00:29:21,920 Whatever the user inputs to you, make sure you sanitize it, you clean it, 594 00:29:21,920 --> 00:29:25,300 you check for the right things, that it's giving you what you 595 00:29:25,300 --> 00:29:28,240 want him to give you. 596 00:29:28,240 --> 00:29:32,460 Always be updated on what frameworks that you're actually using. 597 00:29:32,460 --> 00:29:34,630 If you use something like bootstrap-- 598 00:29:34,630 --> 00:29:36,340 I know you guys are going to use bootstrap because he's going to go 599 00:29:36,340 --> 00:29:38,140 over this soon in class-- 600 00:29:38,140 --> 00:29:43,120 and Wordpress or something like that, normally this could be hacked. 601 00:29:43,120 --> 00:29:44,770 >> And then you don't even know. 602 00:29:44,770 --> 00:29:45,800 You're just running your website. 603 00:29:45,800 --> 00:29:47,360 And it's totally secure. 604 00:29:47,360 --> 00:29:51,730 And you go down. 605 00:29:51,730 --> 00:29:54,000 So I'm fishing really early. 606 00:29:54,000 --> 00:29:55,770 But I want to thank Pentest Labs. 607 00:29:55,770 --> 00:29:58,140 I'm going to show you guys something called Pentest Labs. 608 00:29:58,140 --> 00:30:05,000 If you guys are really interested in what security really is, there's a 609 00:30:05,000 --> 00:30:07,300 website called Pentest Labs if you guys go to it right now. 610 00:30:07,300 --> 00:30:10,730 Oh, well, that's not it. 611 00:30:10,730 --> 00:30:12,030 I'm just going to run it like this. 612 00:30:12,030 --> 00:30:14,400 Google tells me the answer. 613 00:30:14,400 --> 00:30:16,590 >> OK. 614 00:30:16,590 --> 00:30:19,030 And it teaches use you-- so it says, learn web penetration 615 00:30:19,030 --> 00:30:21,060 testing the right way. 616 00:30:21,060 --> 00:30:23,650 It teaches you-- 617 00:30:23,650 --> 00:30:25,150 hopefully, you're an ethical person. 618 00:30:25,150 --> 00:30:29,200 But it teaches you how you can look at how you can get inside websites. 619 00:30:29,200 --> 00:30:31,130 And if you learn how you can get inside websites, you can learn how to 620 00:30:31,130 --> 00:30:34,960 protect yourself from getting inside websites. 621 00:30:34,960 --> 00:30:39,100 Let me zoom in because maybe you guys are not looking at this right. 622 00:30:39,100 --> 00:30:46,350 >> From SQL injection to shell, so sort of how I can get from SQL 623 00:30:46,350 --> 00:30:48,530 injection to shell. 624 00:30:48,530 --> 00:30:53,890 And you download this virtual machine. 625 00:30:53,890 --> 00:30:55,690 And the virtual machine already comes with the website that you're 626 00:30:55,690 --> 00:30:56,780 going to try it on. 627 00:30:56,780 --> 00:30:58,030 You download this PDF. 628 00:30:58,030 --> 00:31:03,610 629 00:31:03,610 --> 00:31:08,370 And it will show you line by line what you have to do, what you check. 630 00:31:08,370 --> 00:31:14,560 This is what an attacker actually does to get inside a website. 631 00:31:14,560 --> 00:31:15,750 >> And some of this stuff is complicated. 632 00:31:15,750 --> 00:31:17,520 I wish I could go over more things with you guys. 633 00:31:17,520 --> 00:31:21,090 But I worry that you guys haven't really-- 634 00:31:21,090 --> 00:31:23,090 this is what I went over with you guys, web tests 635 00:31:23,090 --> 00:31:26,830 for penetration testing. 636 00:31:26,830 --> 00:31:33,540 Don't really know what SQL is and what-- 637 00:31:33,540 --> 00:31:35,960 Carl Jackson's seminar is awesome as well. 638 00:31:35,960 --> 00:31:37,360 You guys don't know sort of what this is. 639 00:31:37,360 --> 00:31:39,450 But if you go to this website, and you download these tutorials and these 640 00:31:39,450 --> 00:31:43,290 PDFs, you can take a look at sort of what the area of security really does 641 00:31:43,290 --> 00:31:46,940 in penetration testing, see how you can get inside websites and protect 642 00:31:46,940 --> 00:31:48,020 yourself from it. 643 00:31:48,020 --> 00:31:56,360 >> So if I make a super quick overview, it'll be prevent cross-site scripting. 644 00:31:56,360 --> 00:32:00,160 You want to use htmlspecialchars every time the user inputs something. 645 00:32:00,160 --> 00:32:01,580 Prevent SQL injection. 646 00:32:01,580 --> 00:32:04,510 If you do that, you're already better off than Harvard was 647 00:32:04,510 --> 00:32:06,530 when they got breached. 648 00:32:06,530 --> 00:32:10,510 And make sure your passwords are not in plain text. 649 00:32:10,510 --> 00:32:16,220 Make sure you don't only one way hash them but that you use crypt, the PHP 650 00:32:16,220 --> 00:32:18,670 function that I showed you guys. 651 00:32:18,670 --> 00:32:20,060 That way, you should be good. 652 00:32:20,060 --> 00:32:25,830 >> Also, if your friends let you, run SQL Inject Me on their websites. 653 00:32:25,830 --> 00:32:28,140 Run cross-site scripting on their websites. 654 00:32:28,140 --> 00:32:33,720 And you'll see a lot of these websites have a ton of vulnerabilities. 655 00:32:33,720 --> 00:32:40,400 It's incredible how much people forget to sanitize their databases or to make 656 00:32:40,400 --> 00:32:46,340 sure what the person's inputting is not script code. 657 00:32:46,340 --> 00:32:47,200 OK. 658 00:32:47,200 --> 00:32:49,182 I sort of ended really early. 659 00:32:49,182 --> 00:32:56,510 But if anyone has any questions about anything, you can shoot me a question. 660 00:32:56,510 --> 00:32:56,630 Yeah. 661 00:32:56,630 --> 00:32:56,970 Go, go. 662 00:32:56,970 --> 00:32:59,846 >> AUDIENCE: I just want to ask, can you explain how the file 663 00:32:59,846 --> 00:33:03,160 upload exactly works. 664 00:33:03,160 --> 00:33:03,480 >> LUCIANO ARANGO: Yeah. 665 00:33:03,480 --> 00:33:06,350 So let me show you the file upload real quick. 666 00:33:06,350 --> 00:33:11,300 So the file upload-- 667 00:33:11,300 --> 00:33:14,500 the problem wit the file upload right now is that-- 668 00:33:14,500 --> 00:33:18,541 I'm going to open the code so you guys see the code behind the scenes. 669 00:33:18,541 --> 00:33:22,390 670 00:33:22,390 --> 00:33:24,305 And it is upload. 671 00:33:24,305 --> 00:33:28,030 672 00:33:28,030 --> 00:33:31,560 Here's a code for the file uploader. 673 00:33:31,560 --> 00:33:33,980 >> We're trying to go into this directory over here. 674 00:33:33,980 --> 00:33:37,380 675 00:33:37,380 --> 00:33:44,880 And we're trying to, once we input the file, isset file-- so when there is a 676 00:33:44,880 --> 00:33:50,900 file in FILES, that image, then we try to move it here. 677 00:33:50,900 --> 00:33:51,910 We grab the file over here. 678 00:33:51,910 --> 00:33:58,350 The method is POST, type, image, file. 679 00:33:58,350 --> 00:33:59,630 And we're sending this file. 680 00:33:59,630 --> 00:34:03,910 And then once we get it, so once file has an image, we're trying to send it 681 00:34:03,910 --> 00:34:05,060 to this directory. 682 00:34:05,060 --> 00:34:09,814 >> The problem is that the website is not letting me go to this directory, 683 00:34:09,814 --> 00:34:12,239 because it doesn't want me to go back. 684 00:34:12,239 --> 00:34:13,489 It doesn't want me to go-- 685 00:34:13,489 --> 00:34:15,620 686 00:34:15,620 --> 00:34:17,070 I have to go-- so here's upload. 687 00:34:17,070 --> 00:34:17,639 Here's images. 688 00:34:17,639 --> 00:34:21,780 I have to go all the way back to the beginning and put it in there and then 689 00:34:21,780 --> 00:34:23,820 go and put it into the directory. 690 00:34:23,820 --> 00:34:30,000 So if I was running a terminal window, and I wanted to move a file-- 691 00:34:30,000 --> 00:34:30,409 [INAUDIBLE] 692 00:34:30,409 --> 00:34:32,159 can see it. 693 00:34:32,159 --> 00:34:37,940 If I wanted to move a file, I have to put the file name and then the 694 00:34:37,940 --> 00:34:40,860 complete path I want to send it to. 695 00:34:40,860 --> 00:34:45,110 >> And then the server's not letting me go back. 696 00:34:45,110 --> 00:34:46,929 And so it's not letting me get to that file. 697 00:34:46,929 --> 00:34:47,670 But normally-- 698 00:34:47,670 --> 00:34:49,360 so there's a code for uploading a file. 699 00:34:49,360 --> 00:34:52,260 So normally what will happen is that the person's not checking if my file 700 00:34:52,260 --> 00:34:57,920 ends with .jpeg, so I would want to check. 701 00:34:57,920 --> 00:35:00,054 Let me open an example too real quick. 702 00:35:00,054 --> 00:35:07,766 703 00:35:07,766 --> 00:35:08,260 >> OK. 704 00:35:08,260 --> 00:35:09,230 This person right-- 705 00:35:09,230 --> 00:35:11,980 so example two is checking if preg_match-- 706 00:35:11,980 --> 00:35:14,180 here it is over here-- 707 00:35:14,180 --> 00:35:19,660 to make sure that ends with PHP, which is good. 708 00:35:19,660 --> 00:35:20,580 This is good. 709 00:35:20,580 --> 00:35:22,820 But there's a real big problem with this. 710 00:35:22,820 --> 00:35:24,600 This is good. 711 00:35:24,600 --> 00:35:44,190 But if I were to put a file called myfavoritepicture.php.jpeg, I could 712 00:35:44,190 --> 00:35:50,060 still potentially get rid of the jpeg and run it.k That PHP's dangerous. 713 00:35:50,060 --> 00:35:53,850 You don't want the person to be able to run code on your website. 714 00:35:53,850 --> 00:35:55,750 >> But then .jpeg lets it pass. 715 00:35:55,750 --> 00:36:00,720 The idea is what you really want to do is not take files, A. But, OK, what 716 00:36:00,720 --> 00:36:07,500 you really want to do is make sure that you read over the whole world. 717 00:36:07,500 --> 00:36:08,720 And there's nothing .php in it. 718 00:36:08,720 --> 00:36:10,500 There's no .php in the whole file name. 719 00:36:10,500 --> 00:36:12,780 >> AUDIENCE: But you could put .jpeg on the end. 720 00:36:12,780 --> 00:36:15,830 The servers still run the code. 721 00:36:15,830 --> 00:36:16,870 >> LUCIANO ARANGO: No, it won't run at the beginning. 722 00:36:16,870 --> 00:36:22,310 You have to go back and try to see if you can-- 723 00:36:22,310 --> 00:36:24,210 >> AUDIENCE: So we have to-- 724 00:36:24,210 --> 00:36:26,020 OK, just another set that involves-- 725 00:36:26,020 --> 00:36:26,936 >> LUCIANO ARANGO: Yeah. 726 00:36:26,936 --> 00:36:29,230 >> AUDIENCE: OK. 727 00:36:29,230 --> 00:36:31,486 >> LUCIANO ARANGO: Yeah. 728 00:36:31,486 --> 00:36:31,900 OK. 729 00:36:31,900 --> 00:36:32,865 Any other questions? 730 00:36:32,865 --> 00:36:33,180 OK. 731 00:36:33,180 --> 00:36:37,350 I'm going to leave this up and sort of try to see if you guys can-- 732 00:36:37,350 --> 00:36:40,490 the other ones are a little bit more complicated because they require much 733 00:36:40,490 --> 00:36:44,050 more knowledge of SQL than just the beginning knowledge of web SQL is and 734 00:36:44,050 --> 00:36:47,010 what JavaScript is. 735 00:36:47,010 --> 00:36:49,730 But I'm going to try to keep this up, and hopefully you guys will learn 736 00:36:49,730 --> 00:36:53,230 about this and try to take a peek at what you can do and how many examples 737 00:36:53,230 --> 00:36:54,420 you can get through. 738 00:36:54,420 --> 00:36:56,020 >> Anyone have any other questions about it? 739 00:36:56,020 --> 00:36:59,387 740 00:36:59,387 --> 00:37:00,350 Go ahead. 741 00:37:00,350 --> 00:37:01,170 Yeah, shoot, shoot. 742 00:37:01,170 --> 00:37:01,580 Yeah, go ahead. 743 00:37:01,580 --> 00:37:01,850 Go ahead. 744 00:37:01,850 --> 00:37:02,310 >> AUDIENCE: OK. 745 00:37:02,310 --> 00:37:08,870 So I heard about how Magic Quotes are not secure enough. 746 00:37:08,870 --> 00:37:09,280 >> LUCIANO ARANGO: What-- 747 00:37:09,280 --> 00:37:10,110 Magic Quotes? 748 00:37:10,110 --> 00:37:10,595 >> AUDIENCE: Yeah. 749 00:37:10,595 --> 00:37:15,445 So it adds-- so whenever you input something, it always adds quotes. 750 00:37:15,445 --> 00:37:15,930 >> LUCIANO ARANGO: Yeah. 751 00:37:15,930 --> 00:37:16,000 Yeah. 752 00:37:16,000 --> 00:37:16,496 OK. 753 00:37:16,496 --> 00:37:19,113 >> AUDIENCE: And then I though that worked, but then I searched it up. 754 00:37:19,113 --> 00:37:21,648 And it said it's not good. 755 00:37:21,648 --> 00:37:23,050 But I'm not sure why. 756 00:37:23,050 --> 00:37:23,360 >> LUCIANO ARANGO: Yeah. 757 00:37:23,360 --> 00:37:26,240 >> AUDIENCE: Don't use Magic Quotes, because it's not secure. 758 00:37:26,240 --> 00:37:26,360 >> LUCIANO ARANGO: OK. 759 00:37:26,360 --> 00:37:31,735 So Magic Quotes is when you insert SQL and it already adds the quote for you. 760 00:37:31,735 --> 00:37:33,520 >> AUDIENCE: It always adds quotes around whatever you put in. 761 00:37:33,520 --> 00:37:34,210 >> LUCIANO ARANGO: Yeah. 762 00:37:34,210 --> 00:37:37,190 So the problem with that is that-- 763 00:37:37,190 --> 00:37:38,445 I'll take a look at-- 764 00:37:38,445 --> 00:37:41,390 >> AUDIENCE: How does it acquire the SQL statement? 765 00:37:41,390 --> 00:37:44,690 Or I guess it could be like quote select. 766 00:37:44,690 --> 00:37:49,030 >> LUCIANO ARANGO: Yeah, you need good quotes for the SQL. 767 00:37:49,030 --> 00:37:52,900 >> AUDIENCE: No, but the server does it for you. 768 00:37:52,900 --> 00:37:54,460 >> LUCIANO ARANGO: These small quotes right here, these little quotes? 769 00:37:54,460 --> 00:37:55,670 >> AUDIENCE: Yeah. 770 00:37:55,670 --> 00:37:56,450 >> LUCIANO ARANGO: Yeah. 771 00:37:56,450 --> 00:37:59,860 The problem is that you can comment out the last-- 772 00:37:59,860 --> 00:38:05,770 OK, so what I can do is I can comment out-- so let's take a look at-- let me 773 00:38:05,770 --> 00:38:07,920 open a text edit file. 774 00:38:07,920 --> 00:38:09,610 Let me just edit this right here directly. 775 00:38:09,610 --> 00:38:19,510 776 00:38:19,510 --> 00:38:20,400 OK. 777 00:38:20,400 --> 00:38:23,710 Can you guys see that clearly? 778 00:38:23,710 --> 00:38:29,730 What I can do is I can comment out the last one. 779 00:38:29,730 --> 00:38:32,190 This will comment out the last one. 780 00:38:32,190 --> 00:38:36,760 And then I'll put one here, put all malicious stuff here. 781 00:38:36,760 --> 00:38:39,840 782 00:38:39,840 --> 00:38:42,630 >> So the user's actually inputting, right? 783 00:38:42,630 --> 00:38:45,230 The user's not inputting the things, right? 784 00:38:45,230 --> 00:38:47,430 This is what I'm going to input as the person trying to get inside. 785 00:38:47,430 --> 00:38:49,430 I'm going to put in-- 786 00:38:49,430 --> 00:38:59,290 787 00:38:59,290 --> 00:39:00,180 that's one quotation mark. 788 00:39:00,180 --> 00:39:01,760 It's just squiggly by mistake. 789 00:39:01,760 --> 00:39:15,080 790 00:39:15,080 --> 00:39:19,400 And then what the code is going to do-- 791 00:39:19,400 --> 00:39:20,190 sorry, I'm going to take this out. 792 00:39:20,190 --> 00:39:22,170 What the code is going to do is it's going to add the first 793 00:39:22,170 --> 00:39:24,030 quotation marks here. 794 00:39:24,030 --> 00:39:26,040 And it's going to add the last quotation mark as well. 795 00:39:26,040 --> 00:39:29,350 796 00:39:29,350 --> 00:39:33,270 >> And it's also going to add the last, last quotation mark. 797 00:39:33,270 --> 00:39:37,380 But I'm commenting these quotation marks out, so they don't run. 798 00:39:37,380 --> 00:39:41,440 And I'm finishing this quotation mark over here. 799 00:39:41,440 --> 00:39:42,290 Do you understand? 800 00:39:42,290 --> 00:39:43,750 Are you lost? 801 00:39:43,750 --> 00:39:45,880 I can comment the last quotation mark, and take care of the 802 00:39:45,880 --> 00:39:46,680 first quotation mark. 803 00:39:46,680 --> 00:39:47,350 >> AUDIENCE: And just finish the first one. 804 00:39:47,350 --> 00:39:47,480 >> LUCIANO ARANGO: Yeah. 805 00:39:47,480 --> 00:39:48,400 And just finish the first one. 806 00:39:48,400 --> 00:39:48,790 Yeah, that's right. 807 00:39:48,790 --> 00:39:50,800 That's what I can do. 808 00:39:50,800 --> 00:39:51,890 Yeah. 809 00:39:51,890 --> 00:39:52,980 Any other questions like that? 810 00:39:52,980 --> 00:39:54,230 That's a great question. 811 00:39:54,230 --> 00:39:56,960 812 00:39:56,960 --> 00:39:59,790 No, yes, maybe. 813 00:39:59,790 --> 00:40:06,150 Hopefully, you guys will sort of make more sense when you study SQL and 814 00:40:06,150 --> 00:40:06,650 things like that. 815 00:40:06,650 --> 00:40:07,980 But make sure you-- 816 00:40:07,980 --> 00:40:10,340 keep these tools in watch. 817 00:40:10,340 --> 00:40:12,760 Sorry, these tools over here. 818 00:40:12,760 --> 00:40:14,200 These tools are great. 819 00:40:14,200 --> 00:40:17,190 If anyone has any questions, you can also email me. 820 00:40:17,190 --> 00:40:19,020 This is my normal email. 821 00:40:19,020 --> 00:40:25,015 And this is my work email, which is when I work at SEAS. 822 00:40:25,015 --> 00:40:26,040 >> OK, thanks. 823 00:40:26,040 --> 00:40:26,740 Thanks, guys. 824 00:40:26,740 --> 00:40:27,860 You're good to go. 825 00:40:27,860 --> 00:40:28,830 You don't have to stay here. 826 00:40:28,830 --> 00:40:29,570 Don't clap. 827 00:40:29,570 --> 00:40:30,170 That's weird. 828 00:40:30,170 --> 00:40:31,420 OK, thanks, guys. 829 00:40:31,420 --> 00:40:32,320