4. HTTP Verb Tampering
HTTP Verb Tampering is an access-control error for HTTP methods: the restriction is applied only to particular methods (typically GET and POST), so a request made with any other method, including a made-up one, reaches the resource without passing the check.
• Administration error (the server or .htaccess rule restricts only the listed methods)
• Particular case – vendor's error (the product ships with the same mistake)
8. HTTP Verb Tampering
Exploitation
• Practical task: http://stat.local/
(screenshots on the slide: the .htaccess file, the result of a GET request, and the result of a request with the made-up HACK method)
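To make the misconfiguration concrete, here is an added example (not code from the deck or from any product it mentions): a small Python model of how Apache scopes access-control directives by method, run against two constructed .htaccess files, one with the Require directive wrapped in <Limit GET POST> and one with it outside any section. The file contents, the method list and the probe() helper are assumptions made for the illustration; probe() needs network access and is not exercised by the offline checks.

```python
import http.client
import re
from urllib.parse import urlsplit

# Constructed .htaccess for the example: the classic mistake. The Require
# directive lives inside <Limit GET POST>, so it governs GET and POST (and
# HEAD, which Apache folds into GET) and nothing else.
VULNERABLE_HTACCESS = """
AuthType Basic
AuthName "Statistics"
AuthUserFile /var/www/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

# The fix: a Require directive outside any <Limit> section applies to every method.
FIXED_HTACCESS = """
AuthType Basic
AuthName "Statistics"
AuthUserFile /var/www/.htpasswd
Require valid-user
"""

# <Limit ...>...</Limit> and <LimitExcept ...>...</LimitExcept> sections
# (section names are matched case-sensitively in this model).
_SECTION = re.compile(r"<(Limit|LimitExcept)\s+([^>]*)>(.*?)</\1>", re.S)
# Directives that actually gate access.
_GUARD = re.compile(r"^\s*(Require|Deny|Allow|Satisfy)\b", re.M | re.I)


def auth_required(htaccess, method):
    """Model of Apache's method scoping for access-control directives.

    Directives inside <Limit A B> apply only to methods A and B; directives
    inside <LimitExcept A B> apply to every method except A and B; directives
    outside any section apply to all methods. Listing GET also covers HEAD.
    Returns True if at least one guarding directive governs `method`.
    """
    method = method.upper()
    for kind, methods, body in _SECTION.findall(htaccess):
        listed = {m.upper() for m in methods.split()}
        if "GET" in listed:
            listed.add("HEAD")
        covered = method in listed if kind == "Limit" else method not in listed
        if covered and _GUARD.search(body):
            return True
    outside = _SECTION.sub("", htaccess)
    return bool(_GUARD.search(outside))


def unprotected_methods(htaccess, methods=("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "HACK")):
    """Methods from the (assumed) probe list that bypass the access check."""
    return [m for m in methods if not auth_required(htaccess, m)]


def probe(url, methods=("GET", "HEAD", "PUT", "HACK"), timeout=5):
    """Send each verb to `url` and return {method: status}. http.client accepts
    any method token, so an invented verb such as HACK goes out verbatim.
    Needs network access; not used by the offline checks."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    results = {}
    for m in methods:
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        conn.request(m, parts.path or "/")
        results[m] = conn.getresponse().status
        conn.close()
    return results


if __name__ == "__main__":
    print("vulnerable, bypassed by:", unprotected_methods(VULNERABLE_HTACCESS))
    print("fixed, bypassed by:", unprotected_methods(FIXED_HTACCESS))
```

In practice Apache hands a method it does not recognise to the resource's handler, so a PHP script guarded only inside <Limit GET POST> still executes for HACK, PUT or DELETE; the check is bypassed, not the script. Note that HEAD is the one extra method the vulnerable file does cover, because Apache treats a GET restriction as also restricting HEAD.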
9. Fragmented SQL Injections
SQL injection is a vulnerability caused by incorrect processing of input data by the application: user data passed through the web application ends up modifying the SQL query that the application executes, and that modified query is what the attacker exploits.
• Insufficient data filtering
10. Fragmented SQL Injections
What is the method?
Do not forget correct filtering!
Structure of a valid request (MySQL database):
INSERT INTO table1 (c1,c2) VALUES ('value1','value2');
Here is a valid request with injected SQL commands (value1 is a\ and value2 is , user()); -- 1):
INSERT INTO table1 (c1,c2) VALUES ('a\',', user()); -- 1');
MySQL reads 'a\',' as a single string literal, because the backslash escapes the quote that should have closed value1; user() is therefore evaluated as the second value and everything after -- is a comment.
11. Fragmented SQL Injections
Why?
If the backslash ("\") is not filtered, an attacker can use it to escape the next character, a single or double quote, in the database query, so that the quote is no longer interpreted as the end of the string literal.
The following is required for exploitation:
the query must include more than one string variable (the escaped quote of the first one joins it to the beginning of the next, so the injected fragment arrives in the second variable).
Remember: it is necessary to filter not only user data, but also data received from the database, since a stored value may be used again in a later query.
12. Fragmented SQL Injections
Exploitation
• Real-life example (Coppermine Photo Gallery <= 1.4.19)
The "\" symbol is not filtered in GET, POST and REQUEST data.
You can specify "\" in the email parameter.
Exploitation happens through a later query to the database: the stored value is used again when you access system features after authorization.
13. Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/index.php
«Bug tracking system for source code»
16. Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/view.php
Vulnerable code (add.php file):
if (isset($_POST['code']) && isset($_POST['fix'])) {
    $code=htmlspecialchars($_POST['code']);
    $fix=htmlspecialchars($_POST['fix']);
    ...
    mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
}
htmlspecialchars() converts & < > " to HTML entities (with its pre-PHP 8.1 default flags it does not even touch the single quote) and leaves the backslash untouched, so it is HTML escaping, not SQL escaping. As a result, the fix column of the track table ends up containing the result of the user() function.
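The following added example (not the deck's or the tracker application's code) covers both the mechanism described under "Why?" and the add.php snippet above. It emulates in Python what htmlspecialchars() and mysql_real_escape_string() do to the two fields, builds the INSERT the way add.php does, and then splits the resulting statement the way MySQL's lexer does under its default sql_mode (backslash is an escape character inside string literals). The payload values and the table and column names are assumptions taken from the slide.

```python
def php_htmlspecialchars(s):
    """Emulates PHP htmlspecialchars() with its pre-8.1 default flags
    (ENT_COMPAT): & < > " become entities; ' and \\ pass through untouched."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def mysql_escape(s):
    """Emulates what mysql_real_escape_string() does to the characters that
    matter here: the backslash itself and both quotes get escaped, so a
    trailing backslash can no longer swallow the closing quote."""
    return (s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
             .replace("\0", "\\0").replace("\n", "\\n").replace("\r", "\\r"))


def build_vulnerable(code, fix):
    """The add.php pattern: HTML escaping only, then string concatenation."""
    return ("INSERT INTO track (bug,fix) VALUES ('" + php_htmlspecialchars(code)
            + "','" + php_htmlspecialchars(fix) + "')")


def build_escaped(code, fix):
    """Same statement with SQL escaping applied to each literal."""
    return ("INSERT INTO track (bug,fix) VALUES ('" + mysql_escape(code)
            + "','" + mysql_escape(fix) + "')")


def mysql_tokens(sql):
    """Split a statement into ('code'|'string'|'comment', text) pieces using
    MySQL's default rules: inside a single-quoted literal a backslash escapes
    the next character and '' is a literal quote; '-- ' and '#' start a
    comment that runs to the end of the line."""
    tokens = []
    buf = ""
    i, n = 0, len(sql)

    def flush():
        nonlocal buf
        if buf:
            tokens.append(("code", buf))
            buf = ""

    while i < n:
        ch = sql[i]
        if ch == "'":
            flush()
            j, lit = i + 1, ""
            while j < n:
                c = sql[j]
                if c == "\\" and j + 1 < n:          # backslash escape
                    lit += sql[j + 1]
                    j += 2
                    continue
                if c == "'":
                    if j + 1 < n and sql[j + 1] == "'":  # doubled quote
                        lit += "'"
                        j += 2
                        continue
                    break                             # closing quote
                lit += c
                j += 1
            tokens.append(("string", lit))
            i = j + 1
        elif sql.startswith("-- ", i) or ch == "#":
            flush()
            j = sql.find("\n", i)
            j = n if j == -1 else j
            tokens.append(("comment", sql[i:j]))
            i = j
        else:
            buf += ch
            i += 1
    flush()
    return tokens


def unquoted_sql(sql):
    """Everything MySQL would execute as SQL rather than treat as data or comment."""
    return "".join(text for kind, text in mysql_tokens(sql) if kind == "code")


# Constructed payload: the first field ends in a backslash, the second carries
# the SQL fragment. Neither contains a character htmlspecialchars() changes.
PAYLOAD_CODE = "a\\"
PAYLOAD_FIX = ", user()); -- 1"

if __name__ == "__main__":
    for label, build in (("vulnerable", build_vulnerable), ("escaped", build_escaped)):
        sql = build(PAYLOAD_CODE, PAYLOAD_FIX)
        print(label, sql)
        for kind, text in mysql_tokens(sql):
            print("   ", kind, repr(text))
```

In the vulnerable build the lexer yields the literal a', followed by the bare code , user()); and a comment, which is exactly what the database executes; in the escaped build both values stay inside string literals and user() never leaves quoted context. Escaping fixes this particular statement, but the durable fix is a prepared statement with bound parameters, which removes the concatenation entirely.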
17. HTTP Parameter Pollution
HTTP Parameter Pollution is a vulnerability caused by different platforms (the web server and the web application language) handling a sequence of HTTP request parameters with the same name differently.
18. HTTP Parameter Pollution
Technology/Environment | Interpretation of duplicate parameters | Example (par1=val1&par1=val2)
ASP.NET/IIS | Values joined with a comma | par1=val1,val2
ASP/IIS | Values joined with a comma | par1=val1,val2
PHP/Apache | Last parameter is used | par1=val2
PHP/Zeus | Last parameter is used | par1=val2
JSP, Servlet/Apache Tomcat | First parameter is used | par1=val1
JSP, Servlet/Oracle Application Server 10g | First parameter is used | par1=val1
JSP, Servlet/Jetty | First parameter is used | par1=val1
IBM Lotus Domino | First parameter is used | par1=val1
IBM HTTP Server | Last parameter is used | par1=val2
mod_perl, libapreq2/Apache | First parameter is used | par1=val1
Perl CGI/Apache | First parameter is used | par1=val1
mod_perl/Apache | First parameter is used | par1=val1
mod_wsgi (Python)/Apache | Returns an array | ARRAY(0x8b9058c)
Python/Zope | First parameter is used | par1=val1
IceWarp | Returns an array | ['val1','val2']
AXIS 2400 | Last parameter is used | par1=val2
Linksys Wireless-G PTZ Internet Camera | Values joined with a comma | par1=val1,val2
Ricoh Aficio 1022 Printer | Last parameter is used | par1=val2
webcamXP Pro | First parameter is used | par1=val1
DBMan | Values joined with two tildes | par1=val1~~val2
19. HTTP Parameter Pollution
For PHP as the web application language:
An interesting setting is variables_order in the php.ini configuration file (it establishes the order in which the E, G, P, C and S sources, i.e. Environment, GET, POST, Cookie and Server variables, are processed; $_REQUEST is filled in that order, so a later source overrides an earlier one with the same name. Since PHP 5.3 a separate request_order directive, when set, controls $_REQUEST instead).
Why is it interesting?
GET /?id=1
Cookie: id=2
Result (with the default order EGPCS):
$_GET['id']=1
$_REQUEST['id']=2
The frequent error in request processing:
$_GET is checked, but the value is assigned from $_REQUEST.
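The following added example (not code from the deck) models in Python how PHP builds its superglobals from a request, so the check-one-source, use-another bug can be reproduced offline: each source resolves duplicate names by keeping the last value (the PHP/Apache row of the table), and $_REQUEST is merged in variables_order with later sources overriding earlier ones. The request values, the handler functions and the items table are assumptions made for the illustration; the parse_params() policies also cover the "first" and "comma" behaviours from the table.

```python
import re
from urllib.parse import parse_qsl


def parse_params(query, policy="last"):
    """Resolve duplicate parameter names the way the platforms in the table do:
    'last' (PHP/Apache), 'first' (Tomcat, Jetty, Perl CGI, ...),
    'comma' (ASP.NET/IIS)."""
    if policy not in ("last", "first", "comma"):
        raise ValueError("unknown policy: " + policy)
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in out:
            out[name] = value
        elif policy == "last":
            out[name] = value
        elif policy == "comma":
            out[name] = out[name] + "," + value
        # 'first': keep what is already there
    return out


def php_superglobals(query_string="", post_body="", cookie_header="", variables_order="EGPCS"):
    """Build $_GET, $_POST, $_COOKIE and $_REQUEST as PHP does. Each source
    keeps the last duplicate; $_REQUEST is filled by walking variables_order,
    so a later letter overrides an earlier one. E and S never reach $_REQUEST
    and are ignored here."""
    get = parse_params(query_string, "last")
    post = parse_params(post_body, "last")
    cookie = parse_params(cookie_header.replace("; ", "&"), "last")
    sources = {"G": get, "P": post, "C": cookie}
    request = {}
    for letter in variables_order.upper():
        request.update(sources.get(letter, {}))
    return {"_GET": get, "_POST": post, "_COOKIE": cookie, "_REQUEST": request}


def vulnerable_handler(g):
    """The bug from the slide: validates $_GET['id'] but builds the query
    from $_REQUEST['id'], which a cookie can override under EGPCS.
    Returns the SQL text that would be executed, or None if rejected."""
    if not re.fullmatch(r"\d+", g["_GET"].get("id", "")):
        return None
    return "SELECT * FROM items WHERE id=" + g["_REQUEST"]["id"]


def fixed_handler(g):
    """Validate and use the same source, and use the validated value itself."""
    value = g["_GET"].get("id", "")
    if not re.fullmatch(r"\d+", value):
        return None
    return "SELECT * FROM items WHERE id=" + value


if __name__ == "__main__":
    # Constructed request: a clean id in the query string, the payload in a cookie.
    g = php_superglobals(query_string="id=1", cookie_header="id=2 OR 1=1")
    print("$_GET:", g["_GET"], "$_REQUEST:", g["_REQUEST"])
    print("vulnerable:", vulnerable_handler(g))
    print("fixed:     ", fixed_handler(g))
```

The same request with variables_order set to "GPC" or any order where C precedes G would let $_GET win the merge, which is why the exploitability of this pattern depends on server configuration rather than on the application code alone; the handler is still wrong either way.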
20. HTTP Parameter Pollution
Exploitation
• Real-life example (www.blogger.com blog service)
Vulnerability reported under the «Rewarding web application security research» program.
Error in the processing of an input setting: the first matching value is checked, but the last one ends up in the result.
Presumably the check is performed on QUERY_STRING, while the variable is then assigned from the array of parameters parsed from the request.
27. Reversible Encryption
Reversible encryption of stored data in web applications is potentially insecure, because the protected data (and usually the key needed to decrypt it) can be obtained by attackers through:
• exploitation of an SQL injection vulnerability;
• information disclosure (database dump);
• arbitrary file reading;
• and so on.