Finding High-Risk Web Vulnerabilities with a Small Number of Generic Payloads
Detecting Server-Side Injection Vulnerabilities using Expression Probing

HELLO!
San-Tsai Sun, PhD (Info Sec, UBC)
Advanced Security Engineer, Information Security, Staples
san-tsai.sun@staples.ca
  Penetration Test
  Static/Dynamic Vulnerability Scan
  Source Code Review
  Risk Analysis/Threat Modeling
  Application Security Design Consultancy
A Lightweight Approach to Vulnerability Scanning, Complementary to Automatic Scanning

Pitfalls of Automatic Scanners
  Millions of payloads
  Impact on system performance and availability; intrusive
  Triggers IDS/IPS and WAF alerts, IP blocking, and IT investigation effort
  False negatives: unknown language/technology, input filters and payload variants

An Alternative Approach
  Tiny network footprint: quick, negligible system impact, avoids IP blocking
  Resistant to WAFs and input filters
  Agnostic to application platform and language
  Generic payloads can detect unknown classes of vulnerabilities
“The root cause of server-side injection vulnerabilities is that user-controlled input data is treated as code by the server-side programming logic”
Applies to: SQL (MS SQL, MySQL, Oracle, etc.), PHP, C#/VB.NET, Java, XPath, LDAP, OGNL, and many template engines

Probing Situational Context
  Is the input in a numeric expression?
  Is it in a single- or double-quoted string? What are the escape characters?
  Is it in a file path?
  Is it in an interpolation expression?
  What are the concatenation operators?
  Can functions be called? What is the underlying language? etc.

Input Data Value == Expression?
  123 == 123/(2-1) == 123/abs(1) == 123/power(unix_timestamp(),0) == 123/to_number('1')
  (expressions injected by the tester; each evaluates to 123 only if the input is executed as code)

Break-Fix Probing
  Base probe: a normal value, one per end-point under test; its response is the baseline
  Break probe: causes an error (e.g. ', /0) and "breaks" the parsing or execution of the underlying language
  Fix probe: "fixes" the error (e.g. '', /01); the payload is syntactically similar to the break payload, but the response should be similar to the base response
Is in Numeric Expression?
  Base probe 123 -> base response (core logic runs normally)
  Break probe 123/0 -> matches base? Yes: may not be vulnerable. No: send the fix probe
  Fix probe 123/1 -> matches base? Yes: vulnerable. No: may not be vulnerable
Each break-fix pair answers one single question. Knowledge is built gradually via a sequence of probings.

Is \ an escape character?
  Base probe foo -> base response (core logic runs normally)
  Break probe foo' -> matches base? Yes: may not be vulnerable. No: send the fix probe
  Fix probe foo\' -> matches base? Yes: vulnerable. No: may not be vulnerable
Each break-fix pair answers one single question. Knowledge is built gradually via a sequence of probings.
Example: SQL Injection in Numeric value
  Question                              Break                                   Fix
  Divided by 0                          123/0                                   123/01
  Divided by expression                 123/(3-3)                               123/(2-1)
  Generic function injection            123/abf(1)                              123/abs(1)
  Language-specific function injection  123/power(current_request_ic(),0)       123/power(current_request_id(),0)
current_request_id() is MS SQL Server; use unix_timestamp() for MySQL and to_number('1') for Oracle

Example: SQL Injection in String value
  Question                              Break                                   Fix
  Type of quote                         x'x                                     x''x
  Concatenation                         x+'x                                    xx'+'x
  Generic function injection            x'+abf(1)+'x                            x'+abs(1)+'x
  Language-specific function injection  x'+power(current_request_ic(),0)+'x     x'+power(current_request_id(),0)+'x
current_request_id() is MS SQL Server; use unix_timestamp() for MySQL and to_number('1') for Oracle
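The break-fix decision procedure from the previous slides, as an added worked example (not code from the deck or from the Backslash Powered Scanner). The target is a constructed in-process SQLite stand-in, so the `endpoint` callables, the `items` table and the "error page" response string are assumptions; in a real test `endpoint` would wrap an HTTP request and return the response body. SQLite is used for the injectable queries, so the language-specific `current_request_id()` row is left out and `'' `/`\'` are used to ask which quote escape the backend honours. One caveat the example makes visible: SQLite returns NULL for division by zero instead of raising an error, so the `123/0` break probe is distinguishable from the base only because the base value matches a row; choose a base value whose response is distinctive.

```python
import sqlite3

# Constructed in-memory stand-in for the application under test (assumption:
# a table `items(id, name)` with two rows). A real prober would replace the
# endpoint functions with HTTP requests, e.g. via Burp Repeater/Intruder.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
_conn.executemany("INSERT INTO items VALUES (?, ?)",
                  [(123, "widget"), (456, "gadget")])


def _run(sql, params=()):
    """Execute a query and reduce the result to a comparable 'response'."""
    try:
        rows = _conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        return "error page"  # the server's generic error response (assumed)
    return "rows:" + ",".join(str(r[0]) for r in rows)


def vulnerable_numeric(value):
    # Input pasted into a numeric expression: the injection point.
    return _run(f"SELECT name FROM items WHERE id = {value}")


def vulnerable_string(value):
    # Input pasted between single quotes.
    return _run(f"SELECT id FROM items WHERE name = '{value}'")


def safe_numeric(value):
    # Hardened version: the value is validated, then bound as a parameter.
    try:
        return _run("SELECT name FROM items WHERE id = ?", (int(value),))
    except ValueError:
        return "error page"


def safe_string(value):
    # Hardened version: bound as a parameter, never parsed as SQL.
    return _run("SELECT id FROM items WHERE name = ?", (value,))


def break_fix(endpoint, base, break_payload, fix_payload):
    """One break-fix pair answers one question about the injection context.

    'no_break'  : break probe did not change the response (input not executed)
    'vulnerable': break changed the response and the fix restored it
    'no_fix'    : break changed the response but the fix did not restore it
    """
    base_resp = endpoint(base)
    if endpoint(break_payload) == base_resp:
        return "no_break"
    if endpoint(fix_payload) == base_resp:
        return "vulnerable"
    return "no_fix"


def ask(endpoint, base, questions):
    """Run a sequence of break-fix pairs; one verdict per question."""
    return {q: break_fix(endpoint, base, brk, fix) for q, brk, fix in questions}


# Probe pairs taken from the numeric and string tables above.
NUMERIC_QUESTIONS = [
    ("divided by 0",          "123/0",      "123/01"),
    ("divided by expression", "123/(3-3)",  "123/(2-1)"),
    ("generic function",      "123/abf(1)", "123/abs(1)"),
]
STRING_QUESTIONS = [
    ("type of quote",         "foo'",       "foo''"),
    ("backslash is escape?",  "foo'",       "foo\\'"),
]

if __name__ == "__main__":
    for name, ep in [("vulnerable_numeric", vulnerable_numeric),
                     ("safe_numeric", safe_numeric)]:
        print(name, ask(ep, "123", NUMERIC_QUESTIONS))
    for name, ep in [("vulnerable_string", vulnerable_string),
                     ("safe_string", safe_string)]:
        print(name, ask(ep, "foo", STRING_QUESTIONS))
```

Against the injectable string endpoint the `''` pair reports vulnerable while the `\'` pair reports `no_fix`, which is exactly the "one question per pair" idea: the backend treats `''` as the quote escape and does not treat backslash as one (it would on MySQL). Against the parameterised endpoints the break probe never changes the response (`no_break`) or the fix fails to restore it (`no_fix`), so no finding is raised.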
DEMO: SQL Injection Detection using Burp Intruder

Useful Probes
  Question                  Break              Fix
  In file path?             ../../filename     ././filename
  In OS command (Linux)?    ,                  ;
  In OS command (Windows)?  &
  Interpolation fuzz        x%{{xx${{x         }}%x}}$x
  Interpolation, dollar     x${{x              }}$x
  Interpolation, percent    x%{{x              }}%x
  ORDER BY                  1,abs(1,2)         1,abs(1)

Probing Tools
  Manual: Burp Repeater, or any HTTP payload manipulation tool
  Semi-manual: Burp Intruder
  Automatic: Backslash Powered Scanner (Burp Pro extension)
THANKS! Any questions?
You can find me at san-tsai.sun@staples.ca and santsaisun@gmail.com