5MMSSI - Information Systems Security 1 - vulnerabilities and attacks
Fabien Duchene, Karim Hossen
Laboratoire d'Informatique de Grenoble (LIG), VASCO team
Grenoble Institute of Technology - Grenoble INP Ensimag
2011-2012 (posted 2011-09-22)
Also works if we use HTTP POST, here with the Firefox Hackbar add-on (footnote 4).
Note: we only tried to get the data, but think about (footnote 5):

    station=103 OR 1=1; DROP table weather_data

Footnotes:
3. [Webgoat - numeric SQL injection]
4. [Firefox hackbar add-on]
5. Most SQL server implementations allow multiple statements. APIs generally do not: PHP mysql_query() and Python sqlite3.[.].execute() do not support this. Some functions, such as Python sqlite3.[.].executescript(), however do.
Web-based vulnerabilities: SQL Injection

SQLi: basic - "Incorrectly filtered escape characters" I
- incorrect type handling
- user input is not filtered for escape characters (e.g. ' " ...)
- parameters are passed without using prepared statements

    statement = "SELECT * FROM users WHERE name = '" + userName + "';"

How would you set the variable userName to bypass the authentication?
SQLi: basic - “Incorrectly filtered escape characters” II
    statement = "SELECT * FROM users WHERE name = '" + userName + "'; "
              + "UPDATE logon_attempts SET attempts = attempts + 1 WHERE name = '" + userName + "';"

How do we prevent the logon attempt counter from increasing for that username?
A possible answer:
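The two points made on these slides (string concatenation versus a prepared statement, and footnote 5 on APIs that refuse or accept stacked statements) can be checked directly with Python's sqlite3 module. This is an added example, not code from the lecture; the users and weather_data tables and their rows are constructed in memory.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slides' users and weather_data tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.execute("CREATE TABLE weather_data (station INTEGER, temp REAL)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")])
    con.execute("INSERT INTO weather_data VALUES (103, 21.5)")
    return con

def lookup_concat(con, user_name):
    """Vulnerable form from the slide: the input is spliced into the SQL text."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return con.execute(statement).fetchall()

def lookup_param(con, user_name):
    """Hardened form: a prepared statement, the driver passes the value as data."""
    return con.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()

def table_exists(con, name):
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                      (name,)).fetchone()
    return row is not None

def try_stacked(con, station_input, use_executescript=False):
    """Footnote 5: True if the API ran the stacked input, False if it refused it."""
    sql = "SELECT * FROM weather_data WHERE station = " + station_input
    try:
        if use_executescript:
            con.executescript(sql)   # runs every statement, so a trailing DROP executes
        else:
            con.execute(sql)         # one statement at a time: the trailing DROP is refused
        return True
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # older Pythons raise sqlite3.Warning here, newer ones sqlite3.ProgrammingError
        return False

if __name__ == "__main__":
    con = make_db()
    tautology = "' OR '1'='1"             # constructed input: one statement, so execute() accepts it
    print(lookup_concat(con, tautology))  # every row: the WHERE clause is always true
    print(lookup_param(con, tautology))   # []: no user has that literal name
    payload = "103 OR 1=1; DROP table weather_data"   # the slide's stacked input
    print(try_stacked(con, payload), table_exists(con, "weather_data"))        # False True
    print(try_stacked(con, payload, True), table_exists(con, "weather_data"))  # True False
```

The single-statement guard of execute() is a property of this driver, not a substitute for parameterization: the tautology input is one statement and still passes.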
Blind SQL injection?
- production environments do not let you see the error outputs
- when trying to inject in such a system: "blind injection"
- more injection techniques on [Hackipedia - SQL injection]

    101 AND (SELECT pin FROM pins WHERE cc_number=1111222233334444)
        < (POWER(2,11)+POWER(2,8)+POWER(2,5)+POWER(2,4)+POWER(2,3)+POWER(2,2)+POWER(2,0))

2^11 + 2^8 + 2^5 + 2^4 + 2^3 + 2^2 + 2^0 = 2365
Let us verify one last time that the value is 2364.
by using the SQL functions CHAR(x) (x: integer; e.g. in ASCII encoding: CHAR(41)='A'; CHAR(61)='a'), ASCII(c) (c: character; e.g. ASCII('a')=61) and SUBSTRING(str, start, length)
- encoding-dependent: ASCII, UTF-8, UTF-16 ...
- heuristic: would promote characters of the assumed alphabet

We want to find the first character of the field user_name of the table users, for the record with user_id equal to 6969, thanks to the following SQL request (we are able to manipulate $bet_id, and we know that bet_id = 3679 is a valid ID):

    'SELECT MAX(`bet_amount`) FROM `bets` WHERE `bet_id`=' + $bet_id + ';'
Path vulnerability: ability to access (read and/or execute and/or write ...) files and folders that were initially not intended to be accessible from the web application.

How would you perform an HTTP GET request in order to list the content of the /etc/passwd file? (LFI)
A possible answer:
How would you run code from a remote file? (RFI)
A possible answer:

- (once more) input sanitization
- limit file inclusion to a selected subset of directories. This can be done at several layers:
  - interpreter (e.g. PHP: allow_url_fopen, allow_url_include; ASP.Net)
  - web-server configuration (e.g. Apache httpd)
  - chroot jails or similar systems (child processes will only be able to open files within the defined chroot jail)
- enforce strict ACLs on sensitive files and run websites under a different identity than the owner(s) of those sensitive files
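The application-layer version of "limit file inclusion to a selected subset of directories", as an added Python example that is not from the lecture: remote targets are refused outright (the RFI case) and local names are resolved before the containment check so that absolute paths, ../ sequences and symlinks cannot escape the include directory (the LFI case). The include directory and its contents are constructed in a temporary folder.

```python
import os
import tempfile

def resolve_included_file(base_dir, requested):
    """Return the real path of `requested` if it lies inside base_dir, else None."""
    if "://" in requested:
        return None                       # URL scheme present: refuse remote inclusion
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when `requested` is absolute, so /etc/passwd stays /etc/passwd
    # and is then rejected by the containment check below
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                    # different drives on Windows
        inside = False
    return candidate if inside else None

def demo_decisions():
    """Build a constructed include directory and return which requests are allowed."""
    base = tempfile.mkdtemp(prefix="includes-")
    os.makedirs(os.path.join(base, "pages"))
    with open(os.path.join(base, "pages", "about.html"), "w") as fh:
        fh.write("<h1>about</h1>")
    # a symlink inside the include directory that points outside of it
    os.symlink(os.path.dirname(base), os.path.join(base, "escape"))
    requests = [
        "pages/about.html",                  # legitimate include
        "/etc/passwd",                       # absolute path (the slide's LFI question)
        "../../../etc/passwd",               # directory traversal
        "escape/somefile",                   # traversal through the symlink
        "http://example.invalid/shell.txt",  # remote file (the slide's RFI question)
    ]
    return {r: resolve_included_file(base, r) is not None for r in requests}

if __name__ == "__main__":
    for request, allowed in demo_decisions().items():
        print(f"{'allow' if allowed else 'deny ':5} {request}")
```

This check complements, rather than replaces, the interpreter and web-server settings listed above: allow_url_include=Off and a chroot still limit the damage if the application check is bypassed or forgotten in one code path.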
Malicious link construction
How would A construct a malicious link so that people who perform that request would (if authenticated) send her 2000 USD?

Transmission to the victim
How would A send that link to the victim?
A possible answer:

The victim gets tricked
Assuming Ilyas is authenticated, if he clicks the link, Aimelyne will receive the money.

What is the problem that could now occur?
Answer:
How to prevent that?
A solution:

Footnote 9: we here assumed a GET request. POST requests could also be tricked (e.g. an HTML form whose input submission is triggered via JavaScript).
Server side: for each form request, include a "fresh state token"
- freshness requires sufficient randomization
- e.g. dependencies: user identity, session, time, webpage from which the request comes, form "status"
- ASP.Net: viewstate
- Java: nothing out of the box, but the ability to build it; OWASP CSRFGuard
- checking the HTTP Referer header
- limiting the lifetime of tickets (e.g. cookies)
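One way to build the "fresh state token" described above, as an added Python example (not the lecture's code, nor OWASP CSRFGuard): the token is bound to the session, the form and its issue time, carries a random nonce, is authenticated with an HMAC under a constructed server-side key, and is rejected once older than max_age. The Referer check from the last bullets is included as the weaker, secondary control it is.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

def make_csrf_token(secret_key, session_id, form_id, now=None):
    """Token = issue_time.nonce.mac, where mac covers session, form, time and nonce."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)                              # the slide's "randomization"
    msg = f"{session_id}|{form_id}|{now}|{nonce}".encode()
    mac = hmac.new(secret_key, msg, hashlib.sha256).hexdigest()
    return f"{now}.{nonce}.{mac}"

def verify_csrf_token(token, secret_key, session_id, form_id, now=None, max_age=900):
    """True only for an untampered token issued to this session and form within max_age seconds."""
    now = int(time.time()) if now is None else now
    try:
        issued, nonce, mac = token.split(".")
        issued = int(issued)
    except ValueError:
        return False                                          # malformed token
    if not 0 <= now - issued <= max_age:
        return False                                          # expired, or issue time in the future
    msg = f"{session_id}|{form_id}|{issued}|{nonce}".encode()
    expected = hmac.new(secret_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)                 # constant-time comparison

def referer_allowed(referer, expected_host):
    """Secondary check: a missing or foreign Referer header is treated as a failure."""
    if not referer:
        return False
    return urlsplit(referer).hostname == expected_host

if __name__ == "__main__":
    key = secrets.token_bytes(32)                             # constructed server-side secret
    token = make_csrf_token(key, "session-ilyas", "transfer-form")
    print(verify_csrf_token(token, key, "session-ilyas", "transfer-form"))   # True
    print(verify_csrf_token(token, key, "session-other", "transfer-form"))   # False
    print(referer_allowed("https://bank.example/transfer", "bank.example"))  # True
```

The token must be delivered in the form body (or a header), never only in a cookie, since a cookie is exactly what the browser attaches automatically to the forged request.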