Tuesday, April 29, 2025

Segfault ethical hacking week 4

 

1. Burp Suite

Burp Suite is a web proxy tool that intermediates requests and responses between the client and the web server. By using a proxy, it allows the analysis of all transmitted packets, enables packet modification, and supports the delivery of modified packets to the server.


User > Display > Appearance 

It can be switched to dark mode.


Burp Proxy Setting

Register proxy listener



Bind to Port

Set the port that the proxy listener will use.

Bind to address

    Loopback only : Receives only requests coming from the local system.

    All interfaces : Receives requests from all network interfaces.

    Specific address : Receives only requests from a designated address.


2. Burp Suite Functions



Intercept :

    Halts incoming packets. Packets intercepted can be modified and sent to the web server.

History : 

    Stores all packets observed through the proxy. Detailed inspection is possible.

Repeater : 

    Sends the same request or slightly modified requests repeatedly for response analysis.

Decoder : 

    Performs operations such as encryption, decryption, or hash transformation on data extracted from packets.

Comparer : 

    Compares two sets of data to easily identify differences.






Request: 

It carries the resource being requested and information about the client.
Looking at GET /4_burp/flag.php HTTP/1.1, the request line is composed of:

  • Method: The action to be performed (e.g., GET).
  • Path: The specific route to the resource (e.g., /4_burp/flag.php).
  • Protocol: The communication protocol being used (e.g., HTTP).
  • Protocol Version: The version of the protocol (e.g., 1.1).


Response: 

It carries the server's result for the request, followed by the returned content.
Looking at HTTP/1.1 200 OK, the status line is composed of:

  • Protocol: The communication protocol being used (e.g., HTTP).
  • Protocol Version: The version of the protocol (e.g., 1.1).
  • Status Code: Indicates the result of the request (e.g., 200 OK).

The response body (the returned content) is shown after a blank line that follows the headers.




Status Code: 

    200 : OK (2xx class, success)
    300 : Redirect (3xx class, redirection)
    400 : Client Error (4xx class)
    500 : Server Error (5xx class)


Wednesday, April 23, 2025

Segfault ethical hacking week 3

1. Login Authentication

Login is the process of verifying a user’s identity. It consists of two main components: identification and authentication.

Identification:

Identification refers to locating specific data among a large set of information. Identifying information must be unique and non-duplicable, such as a user ID, phone number, or email address.
In databases, these are typically used as primary keys, which must not be duplicated under any circumstances.
Even if identifying information is public, it usually doesn't pose a direct security risk. However, personally identifiable information (PII) is considered more sensitive and dangerous when exposed.

  • Personally Identifiable Information (PII): Data that can be used to uniquely identify an individual, such as resident registration numbers, driver's license numbers, or passport numbers.

Authentication:

Authentication is the process of verifying that the person is truly who they claim to be. Login is a common form of authentication.
It usually involves credentials, such as a password, but can also include OTP (One-Time Passwords), and must be securely stored in the database (e.g., hashed and salted).

In summary:

Login involves both identification (who you are) and authentication (proving it’s really you).
You must provide both an identifier and authentication credentials together.

select * from member
where id='nomaltic'


2. Login Logic Case

1) Performing Identification and Authentication Simultaneously

This approach performs both identification and authentication in a single step.
It implements login by executing one SQL query that checks both the identifier and the credentials at the same time.

Example: Logging in by querying the database once using both the username (or email/phone number) and password.

Pseudo Code

<?php
$sql  = "select * from member where ";
$sql .= "id='$user_id' and pass='$user_pass'";   // both values are placed straight into one query

$ret = $db->query($sql);   // $db: an open mysqli connection

if ($ret && $ret->num_rows > 0) {
    // login success: a row matched both the id and the password
} else {
    // login failed: no matching row
}
?>


Putting both the ID and password into a single SELECT statement.

This method compares the ID with the database, and simultaneously checks the password.
If both conditions are satisfied, the login is successfully executed.

In other words, the login query validates both the user ID and the password in one step.



If the user ID is "normaltic" and the password is "1234", a matching user record will be returned.
If either the ID or the password is incorrect, no results will be returned.

In this approach, if a result is returned from the query, the login is considered successful.
If no result is returned, the login is treated as failed.

$sql = "select * from member where id='_______' and pass='________'";


2) Performing Identification and Authentication Separately

This method separates identification (ID) and authentication (password) into two steps.
First, the system retrieves the password from the database using the provided ID and stores it in a variable such as db_pass.
Then, it compares the user’s input password with the password stored in the database.

An if statement is used to determine whether the login is successful or not, based on the result of the comparison.

Pseudo Code

<?php
// Identification part: look the user up by ID only
$sql = "select * from member where id='_______' ";
$row = $db->query($sql)->fetch_assoc();   // $db: an open mysqli connection
$db_pass = $row['pass'] ?? null;

// Authentication part: compare the stored password with the user's input
if ($db_pass === $user_pass) {
    // login success
} else {
    // login failed
}
?>



*** HASHING ***

Hashing is a one-way function, meaning the original value cannot be restored from the hash.
It is different from encryption or encoding, and unlike encryption, it is not reversible (no decryption).

Even if a hash is exposed, it is generally safe — at least for a single use — because the original value cannot be recovered from it.

Since hashing produces a consistent and deterministic result, it can always be used for comparison.
Although we can’t know what password a user entered, we can still verify whether it’s correct, by comparing the hash values.

The hash value itself does not change, as long as the input remains the same.


3) Performing Identification and Authentication Simultaneously (Hashing)


4) Performing Identification and Authentication Separately (Hashing)
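The two hashed variants above, as an added example that is not the lecture's own code. It assumes an open mysqli connection `$db` and the lecture's `member(id, pass)` table: `login_simultaneous` stores an unsalted SHA-256 so the hash can be matched inside the query (approach 3), while `login_separate` looks the user up by id and then verifies a salted `password_hash()` value in PHP (approach 4).

```php
<?php
// Added example (not the lecture's code). Assumes an open mysqli connection $db
// and the lecture's member(id, pass) table.

// Approach 3): identification and authentication in one query. This only works
// when the stored hash is deterministic (same input, same hash), e.g. unsalted
// SHA-256, because the hash must be matched inside the WHERE clause.
function login_simultaneous(mysqli $db, string $user_id, string $user_pass): bool
{
    $hash = hash('sha256', $user_pass);
    // Prepared statement: the inputs are bound as values, never pasted into the SQL.
    $stmt = $db->prepare("SELECT 1 FROM member WHERE id = ? AND pass = ?");
    $stmt->bind_param('ss', $user_id, $hash);
    $stmt->execute();
    $found = $stmt->get_result()->num_rows > 0;   // a matching row means success
    $stmt->close();
    return $found;
}

// Approach 4): identification first, then authentication in PHP. Because the
// lookup is by id only, the stored value can be a salted password_hash(),
// which cannot be compared inside SQL but is much harder to crack if leaked.
function login_separate(mysqli $db, string $user_id, string $user_pass): bool
{
    // Identification part
    $stmt = $db->prepare("SELECT pass FROM member WHERE id = ?");
    $stmt->bind_param('s', $user_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$row) {
        return false;   // unknown id
    }
    // Authentication part: verify the input against the salted hash from the DB
    return password_verify($user_pass, $row['pass']);
}

// Registration must store password_hash() output for login_separate() to work.
function register(mysqli $db, string $user_id, string $user_pass): bool
{
    $hash = password_hash($user_pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO member (id, pass) VALUES (?, ?)");
    $stmt->bind_param('ss', $user_id, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```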



3. Login Persistence

1) In the early days of the web, login persistence was handled using cookies.

The Set-Cookie header would store both the user ID and password, and the browser would automatically include these cookie values with every request.

However, the request originates from the client, and since an attacker is also a client, cookie values can be manipulated freely.

This means that if sensitive information like user IDs and passwords is stored in cookies, it becomes vulnerable to tampering or misuse by malicious users.


Cookie: loginUser=normaltic; PHPSESSID=

Cookie: loginUser=doldol; PHPSESSID=

A user could modify cookies to log in as a different user.

The main issue was that cookies are stored on the client side, which means the user can freely edit or manipulate them.


2) The Introduction of Sessions

Sessions were introduced as a more secure method.
With sessions, login information is stored on the server side, not on the client.

This approach makes it much harder for users or attackers to manipulate authentication data, since it is not accessible or editable from the client side.


<?php
    session_start();

    // The logged-in user's ID is kept on the server; the browser only holds the session ID cookie.
    $_SESSION['id'] = 'normaltic';
?>


Attackers therefore try to steal the session ID.
If you inspect the browser's cookies, you can often find the session ID stored there (PHPSESSID in PHP).

In fact, some past account hacking incidents on platforms like Naver and YouTube involved session hijacking — where the attacker used a stolen session ID to impersonate a user.


To enhance security, the session ID changes every time you log in.
So even if a session ID is stolen, it becomes useless as soon as the user logs in again or logs out.

However, in poorly implemented systems, the session might not be invalidated properly on logout, which can leave the session vulnerable.
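The two measures described above (a fresh session ID at login, proper invalidation at logout), as an added PHP example that is not the lecture's code; the function names are assumed, and the logout cookie-clearing follows the pattern in the PHP manual.

```php
<?php
// Added example (not the lecture's code): give the session a new ID at login and
// invalidate it completely at logout, as the lecture describes.

// Call once the credentials have been verified.
function start_logged_in_session(string $user_id): void
{
    // Cookie flags: not readable by JavaScript, sent only over HTTPS.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    // Replace the pre-login session ID, so an ID seen before login is now useless.
    session_regenerate_id(true);   // true: delete the old session data on the server
    $_SESSION['id'] = $user_id;
}

// Logout: clear the server-side data and expire the browser's session cookie.
function logout(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();   // the old session ID is no longer recognised by the server
}
```

Without `session_destroy()` (and the cookie removal) the old ID keeps working after logout, which is the poorly implemented case mentioned above.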




3) JWT (JSON Web Token)

 What is JWT?

  • A digital token issued after login

  • Enables stateless authentication (no session saved on the server)

 How it works

  1. Server issues a JWT upon successful login

  2. Client stores the token (in localStorage or cookies)

  3. Client sends the token with each request (Authorization header)

  4. Server verifies the token to authenticate


Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:
{
  "user_id": 101,
  "username": "normaltic",
  "is_admin": true,
  "exp": 1713000000
}

Signature:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

 Pros

  • No need to store sessions on the server

  • Scales well for distributed systems

 Cons

  • Risky if exposed → Use HTTPS

  • Logout is harder to manage (token expiration needed)


GET /dashboard HTTP/1.1  
Host: example.com  
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR...
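The signature formula and verification step above, as an added PHP example that is not the lecture's code. It issues an HS256 token with the header and payload shown, then verifies it; `$secret` is a placeholder for the server's HMAC key and the function names are assumed.

```php
<?php
// Added example (not the lecture's code): issue and verify an HS256 JWT built
// from the header/payload shown above. $secret is a placeholder server key.
function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
function base64url_decode(string $data): string
{
    return base64_decode(strtr($data, '-_', '+/'));
}
function jwt_issue(array $payload, string $secret): string
{
    $header = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body   = base64url_encode(json_encode($payload));
    // HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    $sig    = base64url_encode(hash_hmac('sha256', "$header.$body", $secret, true));
    return "$header.$body.$sig";
}
// Returns the payload, or null when the signature or the expiry check fails.
function jwt_verify(string $token, string $secret): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $body, $sig] = $parts;
    $hdr = json_decode(base64url_decode($header), true);
    // The server decides the algorithm; the "alg" field in the token is only
    // checked against it, never used to pick a different verification method.
    if (($hdr['alg'] ?? '') !== 'HS256') {
        return null;
    }
    $expected = base64url_encode(hash_hmac('sha256', "$header.$body", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null;   // payload or signature was altered, or the key differs
    }
    $payload = json_decode(base64url_decode($body), true);
    if (!is_array($payload) || ($payload['exp'] ?? 0) <= time()) {
        return null;   // expired: with a stateless token, expiry is what ends the login
    }
    return $payload;
}
$secret = 'server-side-secret-placeholder';
$token  = jwt_issue(['user_id' => 101, 'username' => 'normaltic',
                     'is_admin' => true, 'exp' => time() + 3600], $secret);
// The client then sends:  Authorization: Bearer $token
$claims = jwt_verify($token, $secret);   // array of claims, or null if rejected
```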

Monday, April 14, 2025

Segfault ethical hacking week 2

 

1. Index page    

Create an index page to check whether the user is logged in or not.  

<?php
    // Not logged in: send the browser to login.php and stop executing.
    if (($_GET['login_id'] ?? "") == "") {
      header("location:login.php");
      exit;
    }
?>

header()
Adds the given line to the HTTP response headers.

header("location:login.php");
Redirect to login.php.

exit;

If you don't use exit, the rest of the script keeps running after the redirect header is sent. The browser shows the login page, so the screen looks the same, but the redirect response still carries the page body, and anyone who reads the raw response can see content that should only be visible after logging in.

The meaning of exit is that the program stops running at that point.


2. Function

The function named login1 is defined in login_func.php and included where it is needed.

<?php                          
require_once('login_func.php');
?>  

In login_func.php, compare the ID and password to authenticate whether the login is successful or not.


3. In case of Errors

When developing for the web, even a small typo in PHP code can cause an error.

Since PHP executes code from top to bottom, inserting checkpoints throughout the code can help with debugging and locating errors later on. 

echo "This > " . $login_res;


Wednesday, April 9, 2025

Segfault ethical hacking week 1

1. What is a web server?

A web server is essentially software that responds to user requests by delivering files such as HTML, images, CSS, and JavaScript. These files are then rendered by a web browser and appear to us as a web page.
There are various ways to run a web server, but one simple method is to use Python’s built-in HTTP server.

python3 -m http.server 80

2. How to request files from a web server

A web server delivers files requested by the user through a URL. A URL is structured as follows.

http://192.168.50.128:80/nomaltic.png

Web Root Path
When running a server with Python, the directory from which the server is executed becomes the web root directory. Only files within this root and its subdirectories can be requested. Files located above the root directory cannot be accessed through the web server; this restriction is in place for security reasons.

If the web server's root path were set to the actual root directory ("/") of the server, it could potentially expose all files on the system. Therefore, in a production environment, it's essential to configure the server to allow access only to appropriate directories.
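How a file server enforces the web-root restriction described above, as an added PHP example that is not part of the lecture (the Python server does the same check internally). `resolve_under_root` and `$web_root` are assumed names; the function returns the real file path for a request, or null when the request does not resolve to a file inside the root.

```php
<?php
// Added example (not from the lecture): keep every requested path inside the
// web root. $web_root is the directory the server was started in.
function resolve_under_root(string $web_root, string $url_path): ?string
{
    $root = realpath($web_root);
    if ($root === false) {
        return null;                                  // web root itself does not exist
    }
    $rel  = rawurldecode(strtok($url_path, '?'));    // drop ?query, decode %xx escapes
    $full = realpath($root . DIRECTORY_SEPARATOR . ltrim($rel, '/'));
    if ($full === false) {
        return null;                                  // no such file
    }
    // realpath() has collapsed ".." segments and symlinks. The result must be
    // the root itself or begin with "<root>/", otherwise it lies above the root.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($full !== $root && strpos($full, $prefix) !== 0) {
        return null;                                  // outside the web root: refuse
    }
    return $full;
}

// With the server started in /var/www (assumed), /nomaltic.png resolves to
// /var/www/nomaltic.png if that file exists; a path that resolves above
// /var/www yields null and must be answered with an error, not the file.
$path = resolve_under_root('/var/www', '/nomaltic.png');
```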

Ports and URL Requests
The default port for the HTTP protocol is 80, and for HTTPS, it is 443.
If the port is not specified in a URL, the browser will use the default port based on the protocol.
https://www.google.com can omit the port.
If you're using a port other than 80 or 443, you must explicitly specify it in the URL.


3. Static Pages vs. Dynamic Pages

Static Page

  • Delivers unchanging resources such as HTML, images, CSS, and JavaScript

  • The web server (e.g., Apache, Nginx, http.server) responds directly

Dynamic Page

  • Renders different content depending on user input (e.g., message boards, search results)

  • Requires a Web Application Server (WAS)

  • Uses dynamic languages and frameworks such as PHP, JSP, Python Flask, Node.js, etc.


4. Web Server Architecture: 3-Tier Structure

A web server system is typically composed of the following three-tier structure:

  1. Web Server

    • Handles static file delivery

    • Examples: Nginx, Apache, Python http.server

  2. WAS (Web Application Server)

    • Handles dynamic request processing

    • Examples: Tomcat, Flask, Express, Spring Boot, etc.

  3. Database (DB)

    • Stores data and processes queries

    • Examples: MySQL, PostgreSQL, MongoDB, etc.

