Upload: maude-bennett

Post on 20-Jan-2016

1

CHAPTER 7

UNEXPECTED INPUT

2

Why Unexpected Data is Dangerous

Three classes of attack can result from unexpected data:
– Buffer overflow
  » An attacker sends more data than the application expects
  » The application may not gracefully handle the surplus data
  » Examples of languages that do not properly handle the surplus: C and C++
  » Examples of languages that do properly handle the surplus, by increasing the size of variable storage: Perl (Practical Extraction & Reporting Language), PHP (PHP: Hypertext Preprocessor)

3

Why Unexpected Data is Dangerous

Three classes of attack can result from unexpected data:
– System function
  » Data is used in some form to interact with a resource that is not contained within the application
  » This includes running other applications and accessing or working with files

4

Why Unexpected Data is Dangerous

Three classes of attack can result from unexpected data:
– Logic alteration
  » Data is crafted as a way to modify how the application's logic handles it
  » This includes diverting mechanisms, altering Structured Query Language (SQL) queries and gaining access to parts of the application the attacker wouldn't normally have access to

Unexpected data does not have any specific format; it can be as simple as supplying a normal value that modifies the application's intended logical execution.

5

Situations Involving Unexpected Data

HTTP / HTML
– Cause: lack of understanding of how they work
– The biggest mistake is applications relying on the HTTP referrer header
– The referrer header contains the address of the referring page
– The client supplies the referrer header, so anything under the client's control is trivial to spoof
– Dependency on HTML form limitations
– Client-side filtering and validation on the form
– Cookies: a method that gives data to the client to be returned back

6

Situations Involving Unexpected Data

Unexpected data in SQL queries
– Cause: the attacker modifies the command that is sent to your database server
– The biggest threat within SQL is that it's possible to include an extra command to be executed
– Example:

  SELECT * FROM table WHERE x=$data

  » The value ($data) will be filled in by the user. But imagine an attacker sending the following:

  10; SELECT * FROM table WHERE y=5

  » So the resulting string sent is:

  SELECT * FROM table WHERE x=10; SELECT * FROM table WHERE y=5;
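The slide's query, as an added example that is not part of the original deck: the interpolated form is sent through SQLite's executescript() (which honours the ';'), and a trace callback records every statement the engine actually runs, beside the parameterised form. The table, rows and the name tbl are constructed here.

```python
# Added example (not from the slides); the table and rows are constructed.
import sqlite3

ROWS = [(10, 5, "row-a"), (11, 5, "row-b"), (12, 7, "row-c")]
# The slide's injected value: a second statement behind the ';'.
ATTACK = "10; SELECT * FROM tbl WHERE y=5"


def fresh_db():
    """In-memory stand-in for the slide's 'table', committed so that
    executescript() below does not add an implicit COMMIT of its own."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl (x INTEGER, y INTEGER, name TEXT)")
    con.executemany("INSERT INTO tbl VALUES (?, ?, ?)", ROWS)
    con.commit()
    return con


def traced(con):
    """Record every SQL statement the engine actually runs on this connection."""
    seen = []
    con.set_trace_callback(seen.append)
    return seen


def vulnerable_statement(data):
    """String interpolation exactly as on the slide: the user edits the SQL text."""
    return f"SELECT * FROM tbl WHERE x={data}"


def run_vulnerable(data):
    """Send the interpolated text via executescript(), which honours ';'.
    Returns the statements the engine executed (two for the slide's input)."""
    con = fresh_db()
    seen = traced(con)
    con.executescript(vulnerable_statement(data))
    return seen


def run_parameterised(data):
    """Bind data as a value: the engine sees one statement and compares the
    whole attacker string against x, which matches no row.
    Returns (statements executed, rows returned)."""
    con = fresh_db()
    seen = traced(con)
    rows = con.execute("SELECT * FROM tbl WHERE x=?", (data,)).fetchall()
    return seen, rows


if __name__ == "__main__":
    for stmt in run_vulnerable(ATTACK):
        print("vulnerable executed   :", stmt)
    seen, rows = run_parameterised(ATTACK)
    print("parameterised executed:", seen, "-> rows:", rows)
    print("legitimate '10' -> rows:", run_parameterised("10")[1])
```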

7

Situations Involving Unexpected Data

Disguising the obvious
– Nowadays, few applications rely on signature matching. Evading signature matching is one form of unexpected data attack
– A basic signature-matching network IDS has a list of various values and situations to look for on a network, so the IDS process alerts when a particular pattern is matched
– IDS (Intrusion Detection System)
– Web requests can be disguised using various tactics and inventions:
  » Encoding
  » Self-referenced directory notation
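Added example, not from the slides: a signature check that canonicalises the request path (percent-decoding and resolving "." and ".." segments) before matching, so the encoding and self-referenced directory tricks named above cannot hide a request from a plain string signature. The signature "/admin/config" and the sample requests are constructed.

```python
# Added example (not from the slides); the signature and sample requests are constructed.
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound repeated decoding so nested encodings cannot loop forever


def canonicalise(path):
    """Percent-decode (repeatedly, bounded) and resolve '.' and '..' segments.
    Returns (normalised path, escaped_root) where escaped_root flags an
    attempt to climb above the web root."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    out, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue              # empty or self-referenced directory segment
        if seg == "..":
            if out:
                out.pop()
            else:
                escaped = True    # nothing left to pop: above the root
            continue
        out.append(seg)
    return "/" + "/".join(out), escaped


def naive_match(raw, signature):
    """A basic signature engine: substring search on the raw request."""
    return signature in raw


def canonical_match(raw, signature):
    """Match after canonicalisation, and treat a root escape as a hit too."""
    norm, escaped = canonicalise(raw)
    return signature in norm or escaped


SIGNATURE = "/admin/config"  # constructed: a path the IDS should alert on
# Constructed requests: one undisguised, two disguised, one climbing, one benign.
REQUESTS = {
    "plain":   "/images/../admin/config",
    "encoded": "/images/../%61dmin/config",
    "dotted":  "/images/../admin/./config",
    "climb":   "/%2e%2e/%2e%2e/config",
    "benign":  "/images/logo.png",
}


def evaluate(requests=REQUESTS, signature=SIGNATURE):
    """Return {name: (naive_hit, canonical_hit)} for each request."""
    return {name: (naive_match(raw, signature), canonical_match(raw, signature))
            for name, raw in requests.items()}


if __name__ == "__main__":
    for name, (naive, canon) in evaluate().items():
        print(f"{name:8} naive={naive!s:5} canonical={canon}")
```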

8

Finding Vulnerabilities

The same techniques are used to determine if an application is vulnerable

Black-boxing tactics:
– Use intuition about what the application is doing
– Run through the full interactive process from start to finish at least once. Look for hidden elements. Look for an opportunity to undo the filtering
– Try to intentionally cause an error. The goal is to see if the application alerts to an error
– Methodically work through each parameter, inserting first a single quote (') and then a double quote ("), checking for the possibility of breaking out of a data string in a SQL query

9

Finding Vulnerabilities

Black-boxing tactics:
– Try to determine the need and usefulness of each parameter. Look for strings or numbers that tend to be session keys
– Take into account the overall posture presented by the web site and the application, and use that to hypothesize possible application aspects. If it is not custom coded, find the source
– Keep an eye out for anything that looks like a filename

10

Finding Vulnerabilities

Black-boxing tactics:
– Research and understand the technological limitations of the different types of web servers, scripting/application languages and database servers
– Look for anything that seems to look like an equation, formula or actual snippet of programming code
– Put yourself in the coder's position

11

Finding Vulnerabilities

Use the source (Luke):
– Application auditing when source code is available
– Find calls to system functions and trace back where the data being given to the system function comes from
– Use techniques such as diffing to find vulnerabilities / changes between functions

12

Finding Vulnerabilities

Application authentication:
– One method is to give a large random session or authentication key (the popular attack against it is bruteforcing)
– There are two serious concerns with this approach:
  » The key must prove to be truly random; any predictability will result in increased chances of an attacker guessing a valid session key
  » The size of the key space in comparison to the number of keys needed at any one time
– A common method is to use a SQL query against a database of usernames and passwords

13

Protection: Filtering Bad Data

The way to combat unexpected data is to filter the data down to what is expected

Escaping characters is not always enough
– Remove offending data

Perl
– Perl's translation command with the delete modifier (tr///d) works very well for removing characters
– Perl's substitution operator (s///) is more flexible

Cold Fusion / Cold Fusion Markup Language (CFML)
  » Has a regular replace function that can be used to remove unwanted characters from data

14

Protection: Filtering Bad Data

ASP
– Introduced a regex object into their newest scripting engine
– Use the new engine to perform a regex replacement

PHP
– Quotemeta: escapes a small set of metacharacters
– Addslashes: sanitizes data used in SQL queries

Protecting your SQL queries
– Method: quoting, to make sure that submitted data is properly contained within a set of quotes and that there are no renegade quotes contained within the data itself

15

Protection: Filtering Bad Data

Silently removing vs. alerting on bad data
– When dealing with incoming user data there are two choices:
  » Remove the bad characters, keep the good ones and continue processing
  » Stop immediately and alert to invalid input
– Alerts let the attacker determine which characters are being filtered
– Silently filtering the data to include only safe characters yields some different problems:
  » The integrity of the data will be disturbed
  » The attacker can still determine the filtering if the application prints the submitted data after it has been changed
– It is better to combine both approaches based on the type and integrity of the data

16

Protection: Filtering Bad Data

Invalid input function
– A function to report invalid data; in particular, it can report when and how an attacker is trying to subvert your application logic
– Suitable for reporting unexpected data violations
– Analysis of the reports allows tuning filters with greater accuracy
– Log character violations for the above purpose
– Can deal with a violation by alerting and aborting once it is hit
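The filtering, the remove-versus-alert choice, and the invalid-input function from the three preceding slides, as one added example that is not part of the original deck: each parameter has an allowlist, fields whose integrity matters abort with an alert, the rest are silently cleaned, and every violation is logged with the offending characters. The field names, allowlists and sample submissions are constructed.

```python
# Added example (not from the slides); field names, allowlists and submissions are constructed.
import logging
import re

log = logging.getLogger("unexpected_input")

# Filter down to what is expected: one allowlist per parameter, never a denylist.
ALLOWED = {
    "username": re.compile(r"[A-Za-z0-9_]"),
    "zip":      re.compile(r"[0-9]"),
    "comment":  re.compile(r"[A-Za-z0-9 .,!?'-]"),
}
# Fields whose integrity matters: reject rather than silently alter them.
ABORT_FIELDS = {"username", "zip"}


class InvalidInput(Exception):
    """Raised when an abort field receives characters outside its allowlist."""


def invalid_input(field, offenders, client):
    """The slides' invalid-input function: log which characters violated the
    rule, for which field and from whom, so filters can be tuned later.
    Returns the record that was logged."""
    record = {"field": field, "offenders": sorted(set(offenders)), "client": client}
    log.warning("invalid input in %s from %s: %r", field, client, record["offenders"])
    return record


def filter_field(field, value, client="unknown"):
    """Return (clean_value, violation_record or None).
    Abort fields raise InvalidInput; the rest are silently cleaned."""
    allowed = ALLOWED[field]
    keep, offenders = [], []
    for ch in value:
        (keep if allowed.fullmatch(ch) else offenders).append(ch)
    if not offenders:
        return value, None
    record = invalid_input(field, offenders, client)
    if field in ABORT_FIELDS:
        raise InvalidInput(record)
    return "".join(keep), record


# Constructed submissions: the single- and double-quote probes from the slides plus a clean one.
SUBMISSIONS = [
    ("username", "alice", "10.0.0.5"),
    ("username", "alice'", "10.0.0.5"),
    ("comment", 'Nice site"', "10.0.0.9"),
]


def process(submissions=SUBMISSIONS):
    """Run each submission through the filter; return (field, outcome, detail)."""
    results = []
    for field, value, client in submissions:
        try:
            clean, record = filter_field(field, value, client)
            results.append((field, "ok" if record is None else "cleaned", clean))
        except InvalidInput as exc:
            results.append((field, "aborted", exc.args[0]["offenders"]))
    return results
```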

17

Protection: Filtering Bad Data

Token substitution
– The trick where you substitute a token (typically a large, random session key) for the data the client would otherwise reference directly
– The token is correlated server-side with the sensitive database reference to the data
– Token values must be huge and random; if not, an attacker can possibly guess them
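Token substitution together with the key-space concern from the authentication slide, as an added example that is not part of the original deck: the client holds only a random 128-bit token, the server maps it back to the sensitive record id, and the guess probability is computed as active keys over key space. The record ids and names are constructed.

```python
# Added example (not from the slides); record ids and names are constructed.
import secrets

TOKEN_BYTES = 16  # 128-bit tokens: the slides' "huge & random" requirement


class TokenStore:
    """Server-side map from token to sensitive reference. The client only ever
    holds the token; the reference it stands for never appears in a request."""

    def __init__(self):
        self._by_token = {}

    def issue(self, reference):
        """Mint a fresh unguessable token for a reference and remember it."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_token[token] = reference
        return token

    def resolve(self, token):
        """Exact lookup; unknown or forged tokens (e.g. a raw id) give None."""
        return self._by_token.get(token)

    def active(self):
        return len(self._by_token)


def guess_probability(active_keys, key_bits):
    """Chance that one random guess hits a valid key: active keys / key space.
    This is the ratio the authentication slide says must stay tiny."""
    return active_keys / 2 ** key_bits


def expected_guesses(active_keys, key_bits):
    """Mean number of random guesses before the first hit."""
    return 1 / guess_probability(active_keys, key_bits)


# Constructed sensitive records that must not be referenced by a client-visible id.
RECORDS = {1001: "alice", 1002: "bob"}


def demo(store=None):
    """Issue tokens for every record, try a forged raw id, and compare the
    guess odds of a 32-bit token against the 128-bit tokens used here."""
    store = store or TokenStore()
    tokens = {store.issue(rid): rid for rid in RECORDS}
    return {
        "resolved": {tok: RECORDS[store.resolve(tok)] for tok in tokens},
        "forged": store.resolve("1001"),
        "p_guess_32bit": guess_probability(store.active(), 32),
        "p_guess_128bit": guess_probability(store.active(), TOKEN_BYTES * 8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```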

18

Available Safety Features

Some features to reduce or minimize the risks of vulnerabilities:
– Perl
  » Has a 'taint' mode, enabled with the -T command-line switch. It will warn when user data is passed into a command (bind, chdir, chmod, etc.)
  » When tainted data is passed, it will refuse to execute your script and display a message
  » To 'untaint', use Perl's matching regex (m///)

19

Available Safety Features

Some features to reduce or minimize the risks of vulnerabilities:
– PHP
  » Includes a 'safe mode' that limits the use of PHP's system functions
  » When safe mode is enabled, PHP limits file access to files owned by the PHP UID, or files in directories owned by the PHP UID
  » The use of exec, system, passthru and popen is only able to run applications contained in the PHP_SAFE_MODE_EXEC_DIR directory
  » Mysql-Connect limits: only allows database connections as the UID of the Web server / UID of the currently running script

20

Available Safety Features

Some features to reduce or minimize the risks of vulnerabilities:
– Cold Fusion / Cold Fusion Markup Language
  » Used to limit the scope of system functions
– ASP (VBScript and JScript)
  » Contains a configuration switch that disallows "../" notation, which otherwise could let an attacker gain access to files not found under the root Web directory
– MySQL
  » Contains the ability to read data in from or write out to files during queries using this syntax: SELECT * INTO FILE "/file/to/save.db" FROM table
  » Limit this by not granting the 'file' permission to any users (in MySQL)

21

End of Chapter 7