Published by Janel Hunt. Modified over 5 years ago.
Finding High-Risk Web Vulnerabilities with a Small Number of Generic Payloads
Detecting Server-Side Injection Vulnerabilities using Expression Probing
HELLO!
San-Tsai Sun, PhD Info Sec, UBC
Advanced Security Engineer, Information Security, Staples
Penetration Test
Static/Dynamic Vulnerability Scan
Source Code Review
Risk Analysis/Threat Modeling
Application Security Design Consultancy
A Lightweight Approach to Vulnerability Scanning
Complementary to Automated Scanning
Pitfalls of Automatic Scanners
Millions of payloads: impact on system performance and availability; intrusive
Trigger IDS/IPS and WAF alerts, IP blocking, and IT investigation effort
False negatives: unknown language/technology, input filters and payload variants
An Alternative Approach
Tiny network footprint: quick, negligible system impact, avoids IP blocking
Resistant to WAFs and input filters
Agnostic to application platform and language
Generic payloads: detect unknown classes of vulnerabilities
"The root cause of server-side injection vulnerabilities is that user-controlled input data is treated as code by the server-side programming logic."
Applies to: SQL (MS SQL, MySQL, Oracle, etc.), PHP, C#/VB.NET, Java, XPath, LDAP, OGNL, and many template engines
Probing Situational Context
Is the input in a numeric expression?
Is it in a single- or double-quoted string? What are the escape characters?
Is it in a file path?
Is it in an interpolation expression?
Which concatenation operators work?
Can functions be called?
What is the underlying language? etc.
Input Data Value == Expression?
123 == 123/(2-1) == 123/abs(1) == 123/power(unix_timestamp(),0) == 123/to_number('1')
Injected by tester: each expression that replaces the original value 123.
Break-Fix Probing
Base Probe -> Normal Response (one per end-point under test)
Break Probe: causes an error (e.g., ' or /0) that "breaks" the parsing or execution of the underlying language
Fix Probe: "fixes" the error (e.g., '' or /01); the payload is syntactically similar to the Break probe and the response is similar to the base
Is in Numeric Expression?
Base probe 123 -> core logic -> Base Response
Break probe 123/0 -> matches base? Yes: may not be vulnerable. No: send the Fix probe
Fix probe 123/1 -> matches base? Yes: vulnerable. No: may not be vulnerable
Each Break-Fix pair answers one single question; knowledge is built gradually via a sequence of probings.
Is \ an escape character?
Base probe foo -> core logic -> Base Response
Break probe foo' -> matches base? Yes: may not be vulnerable. No: send the Fix probe
Fix probe foo\' -> matches base? Yes: vulnerable. No: may not be vulnerable
Each Break-Fix pair answers one single question; knowledge is built gradually via a sequence of probings.
Example: SQL Injection in Numeric Value
Question                              Break                                  Fix
Divided by 0                          123/0                                  123/01
Divided by Expression                 123/(3-3)                              123/(2-1)
Generic Function Injection            123/abf(1)                             123/abs(1)
Language Specific Function Injection  123/power(current_request_ic(),0)      123/power(current_request_id(),0)
Language specific alternatives: unix_timestamp() for MySQL, to_number('1') for Oracle
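The break-fix decision flow from the "Is in Numeric Expression?" slide, applied to the numeric SQL injection pairs in the table above, as an added Python example that is not part of the presentation. It simulates two endpoints over a constructed in-memory SQLite table (one that concatenates input into the query, one that parameterises it); the function names, sample data and response strings are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(123, "widget"), (124, "gadget")])
    return conn

def vulnerable_endpoint(conn, value):
    # Input is concatenated into the query: the server treats data as code.
    try:
        rows = conn.execute(f"SELECT name FROM items WHERE id = {value}").fetchall()
        return "200 " + repr(rows)
    except sqlite3.Error:
        return "500 internal error"

def safe_endpoint(conn, value):
    # Parameterised query: the same input stays a plain value, never an expression.
    try:
        rows = conn.execute("SELECT name FROM items WHERE id = ?", (value,)).fetchall()
        return "200 " + repr(rows)
    except sqlite3.Error:
        return "500 internal error"

# Break/Fix pairs from the numeric SQL injection table; each answers one question.
NUMERIC_PROBES = [
    ("divided by 0", "123/0", "123/01"),
    ("divided by expression", "123/(3-3)", "123/(2-1)"),
    ("generic function injection", "123/abf(1)", "123/abs(1)"),
]

def break_fix_scan(endpoint, base="123", probes=NUMERIC_PROBES):
    """Send the base probe once, then each Break/Fix pair, and classify.

    Break matches base -> input never reached an interpreter: may not be vulnerable
    Fix matches base   -> Break disrupted execution and Fix repaired it: vulnerable
    neither matches    -> inconclusive: may not be vulnerable
    """
    conn = make_db()
    base_response = endpoint(conn, base)
    verdicts = {}
    for question, brk, fix in probes:
        if endpoint(conn, brk) == base_response:
            verdicts[question] = "may not be vulnerable (break matched base)"
        elif endpoint(conn, fix) == base_response:
            verdicts[question] = "vulnerable"
        else:
            verdicts[question] = "may not be vulnerable (fix did not match base)"
    return verdicts
```

Only four requests per question are needed (base once, then break and fix), which is the small network footprint the approach relies on.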
Example: SQL Injection in String Value
Question                              Break                                  Fix
Type of Quote                         x'x                                    x''x
Concatenation                         x+'x                                   xx'+'x
Generic Function Injection            x'+abf(1)+'x                           x'+abs(1)+'x
Language Specific Function Injection  x'+power(current_request_ic(),0)+'x    x'+power(current_request_id(),0)+'x
Language specific alternatives: unix_timestamp() for MySQL, to_number('1') for Oracle
SQL Injection Detection using Burp Intruder
DEMO
Useful Probes
Question                   Break               Fix
In File Path?              ../../filename      ././filename
In OS command (Linux)?     ,                   ;
In OS command (Win)?       &
Interpolation Fuzz         x%{{xx${{x          }}%x}}$x
Interpolation-Dollar       x${{x               }}$x
Interpolation-Percent      x%{{x               }}%x
Order By                   1,abs(1,2)          1,abs(1)
Probing Tools
Manual: Burp Repeater, or any HTTP payload manipulation tool
Semi-Manual: Burp Intruder
Automatic: Backslash-Powered-Scanner (Burp Pro extension)
THANKS! Any questions? You can find me at san-tsai.sun@staples.ca