Attacking Back-End Components
Chapter 10, November 12, 2012
Back-end Components?
- Mail services
- Operating system
- XML and SOAP
- HTTP requests
How do we attack? Injection
Useful encodings:
- Dot: %2e
- Slash: %2f
- Backslash: %5c
- Ampersand (&): %26
- Equals: %3d
- CRLF: %0d%0a
- Null terminator: %00
Also consider Unicode, UTF-8, and double URL-style encodings that the application may not handle.
How do we defend? User-input validation
Don't pass user input through to back-end components unnecessarily, and certainly not without validation.
Mail: Email Header Manipulation
Simple to check for the possibility: tack "%0aBcc: " followed by an address you control onto the From field. If you receive a Bcc, your input is being sent straight through to the mail server (also try %0d%0a). Interesting, but Bcc'ing people with our form input isn't the most useful ability.
Mail: SMTP Command Injection
Injected parameter value:
com%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=foo

Normal SMTP conversation generated by the form:
MAIL FROM:
RCPT TO:
DATA
From:
To:
Subject: Site+feedback
foo
.

SMTP conversation with the injected value (the encoded CRLF and "." end the message early, and the rest is read as new commands):
MAIL FROM:
RCPT TO:
DATA
From:
To:
Subject: Cheap V1AGR4
Blah
.
foo
.
(textbook p. 400)
Mail: Preventing
- Rigorous validation of any user-supplied data that will go into email
- Addresses should pass regex testing, and the regex should reject newlines (among the other characters that are invalid in addresses)
- The subject should not contain newlines and should be of reasonable length
- If the contents are being transmitted directly to SMTP, reject any input that has a "." on a line by itself
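An added validator (not from the slides or the textbook) that implements the three checks above for a feedback form, and decodes the form body once first so that an encoded %0d%0a is seen as a real CR LF. The address pattern, the subject length limit and the field names From, Subject and Message are assumptions:

```python
import re
from urllib.parse import unquote_plus

# Conservative address pattern, matched against the whole value with fullmatch:
# no whitespace or control characters, so CR/LF can never be part of a valid address.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
CR_OR_LF = re.compile(r"[\r\n]")
MAX_SUBJECT_LEN = 120          # assumed "reasonable length" for a feedback subject


def validate_feedback(from_addr, subject, message):
    """Return the list of reasons to reject the submission; an empty list means OK."""
    problems = []
    if ADDRESS_RE.fullmatch(from_addr) is None:
        problems.append("from: not a valid address (newlines never are)")
    if CR_OR_LF.search(subject):
        problems.append("subject: contains CR or LF")
    if len(subject) > MAX_SUBJECT_LEN:
        problems.append("subject: longer than %d characters" % MAX_SUBJECT_LEN)
    # In SMTP a line consisting only of "." ends the DATA phase, so a body that
    # contains one would let whatever follows be read as new SMTP commands.
    if any(line.rstrip("\r") == "." for line in message.split("\n")):
        problems.append("message: contains a line consisting only of '.'")
    return problems


def validate_form(query_string):
    """Decode the form body exactly once (so %0d%0a becomes CR LF), then validate.
    Field names From, Subject and Message are assumed."""
    fields = {}
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return validate_feedback(fields.get("From", ""), fields.get("Subject", ""),
                             fields.get("Message", ""))
```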
Mail & OS: Tip
TIP: Functions to send email to application support personnel are frequently regarded as peripheral and may not be subject to the same security standards or testing as the main application functionality. Also, because they involve interfacing to an unusual back-end component, they are often implemented via a direct call to the relevant operating system command. Hence, in addition to probing for SMTP injection, you should closely review all email-related functionality for OS command injection flaws. (textbook p. 401)
OS: Let's look at the passwd file
The slide's CGI script (deliberately vulnerable: the "dir" parameter is concatenated onto a shell command string and run with backticks):

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use CGI qw(:standard escapeHTML);

print header, start_html("");
print "<pre>";

# Base command: disk usage of the document root, excluding PHP files
my $command = "du -h --exclude php* /var/www/html";

# Append the user-supplied "dir" parameter value to our command.
# No validation: shell metacharacters in "dir" are passed to the shell as-is.
$command = $command . param("dir");

# Backticks hand the whole string to /bin/sh, so "dir" can chain extra commands
$command = `$command`;
print "$command\n";

print "</pre>";
print end_html;
```
OS: Seems too simple?
This type of command injection has been found many times in commercial products. HP OpenView was recently found to have one at URL: [command] |
Fortunately, attackers are still limited to running commands with the web server's (hopefully) restricted permissions, but that is more than we want them to be able to do!
OS: Where to Look
When mapping your application (as described in Chapter 4), you should already have pinpointed places where the application interacts with the operating system through filesystem or process calls. Probe the places where these interactions happen in order to find possible injection paths.
In testing for vulnerabilities, consider the various shell metacharacters: & | ; ` > < && ||
ping is a great tool to try to run, because even if you cannot retrieve its output directly, you can tell it is running by the delay.
OS: Preventing
- Best case: restrict user input to a whitelisted set of values
- Otherwise, restrict the characters allowed in user input as much as possible
- See if you can accomplish whatever you are doing with language or platform features rather than direct OS interaction
- If you must run OS commands in your application, see if your platform has a function that executes them in a limited interpreter rather than one that allows chaining and redirection
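As an added example (not from the slides), the du command from the Perl script rebuilt the way this slide recommends, in Python: the dir parameter is whitelisted to a plain directory name and passed to the process as one argv element, so no shell ever parses it. The document root and the name pattern are assumptions, and the vulnerable string-building form is kept only for comparison:

```python
import re
import subprocess
from pathlib import PurePosixPath

WEB_ROOT = PurePosixPath("/var/www/html")   # assumed, matching the slide

# Whitelist pattern: a plain directory name only. Nothing matching it can
# contain "/", "..", whitespace or shell metacharacters (& | ; ` > < $).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_command(dir_param):
    """The slide's pattern, for comparison: the parameter is glued onto a
    command string that a shell will parse, so any metacharacter in it
    changes what the shell runs."""
    return "du -h --exclude php* /var/www/html" + dir_param


def is_safe_dir(dir_param):
    """True only if the value matches the whitelist pattern in full."""
    return SAFE_NAME.fullmatch(dir_param) is not None


def safe_argv(dir_param):
    """Validate, then build an argv list. subprocess passes each element to
    du directly; no shell sees the string, so chaining and redirection are
    impossible. 'php*' reaches du unexpanded, which is what --exclude wants."""
    if not is_safe_dir(dir_param):
        raise ValueError("dir parameter rejected: %r" % dir_param)
    return ["du", "-h", "--exclude", "php*", str(WEB_ROOT / dir_param)]


def run_du(dir_param):
    """Run du without shell=True and return its standard output."""
    proc = subprocess.run(safe_argv(dir_param), capture_output=True,
                          text=True, check=False)
    return proc.stdout
```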
Filesystem: File Found
Filesystem interactions are found wherever the server retrieves a file from the filesystem or includes a file from it. It is very straightforward to see where the server accesses the filesystem, and this can be done during whitebox testing (monitor I/O). Don't forget to also try "\" if it might be a Windows server, because backslashes are sometimes left unfiltered even when "/" is handled properly.
Filesystem: Path Traversal
The attacker can read, and possibly write, files with the same (hopefully user-limited) permissions as the web server. An attacker might be able to find and read OS-related files or server configuration files that can be exploited for more access, or simply gain access to your application's source code to look for bugs.
Filesystem: Avoiding Path Traversal
Chroot'ing the web server fixes the most glaring problems. There is generally no good reason to pass end-user input directly through to a filesystem call, but if you must, you can whitelist the files to be accessed and filter out any problematic characters. These types of attacks don't tend to happen by mistake: your application would be best off logging the attempt, emailing an admin, paging another admin, and terminating the user's account (if they had one).
Filesystem: Includes
First: Don't include a file which has been specified via user input.
Second: PHP allows you to include files from a remote path. If you must use PHP, don't let this be taken advantage of in your application.
File includes can be manipulated through path traversal attacks if they are based upon user input.
Finally, don't interact with the OS and filesystem, the mail server, or any other back-end component with user input that has not at the very least been run through a set of validation tests that would make the folks at the Transportation Safety Administration blush.
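An added check (not from the slides) for the filesystem cases on this slide and the two before it, for the situation where a file name really must come from user input (for includes, the first rule above still applies: don't take the name from the user at all). It rejects null bytes and backslashes as the slides warn, then canonicalises the path and requires it to stay under the document root. The document root is an assumption:

```python
from pathlib import Path

DOC_ROOT = "/var/www/html"   # assumed document root for the examples below


def safe_path(base_dir, user_value):
    """Map a user-supplied relative file name onto base_dir.

    Returns the canonical Path on success, None on rejection. user_value is
    assumed to have been URL-decoded exactly once already, so a %00 or %5c
    in the request arrives here as a real null byte or backslash.
    """
    # Null bytes truncate paths in C-based runtimes; a backslash is a path
    # separator on Windows even when "/" is filtered. Reject both outright.
    if not user_value or "\x00" in user_value or "\\" in user_value:
        return None
    if user_value.startswith("/"):        # absolute paths are never legitimate here
        return None
    base = Path(base_dir).resolve()
    candidate = (base / user_value).resolve()   # collapses ".." and follows symlinks
    try:
        candidate.relative_to(base)             # must still be under the base directory
    except ValueError:
        return None
    return candidate


def is_allowed(base_dir, user_value):
    """Convenience wrapper: True if safe_path() accepts the value."""
    return safe_path(base_dir, user_value) is not None
```

Because the comparison is done on the resolved path, a symlink inside the document root that points outside it is also rejected, which is the behaviour you want when the root is not chroot'ed.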
This is about databases, but...
XML & SOAP & HTTP Param
- XML
- SOAP
- HTTP back-end, HTTP parameter injection (HPI) & HTTP parameter pollution (HPP)
These were in this chapter also!