Attacking Back-End Components
Download
Report
Transcript Attacking Back-End Components
Attacking Back-End Components
Chapter 10
November 12, 2012
Back-end Components?
✤
Mail Services
✤
Operating System
✤
XML and SOAP
✤
HTTP Requests
How do we attack? Injection
✤
Useful encodes:
Dot - %2e, Slash - %2f, Backslash - %5c,
& - %26, Equals - %3d, CRLF - %0d%0a,
null terminator - %00
✤
Also consider unicode, UTF-8, and double
URL style encodings that may not be
handled.
How do we defend?
✤
✤
User-input validation
Don’t pass through user input
unnecessarily and certainly
without validation
Mail: Email Header Manipulation
✤
✤
Simple to check for possibility with using “%0aBcc: [email protected]”
tacked on to our address in the From field. If you receive a bcc, your
input is getting sent straight through to a server. (Also %0d%0a).
Interesting, but Bcc’ing people with our form input isn’t the most useful
ability.
Mail: SMTP Command Injection
✤
✤
[email protected]&Subject=Site+feedback%0d%0afoo%0d%0a%2e%0d
%0aMAIL+FROM:[email protected]%0d%0aRCPT+TO:+john@wahh-mail
.com%0d%0aDATA%0d%0aFrom:[email protected]%0d%0aTo:+john@wahh-mail
.com%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=foo
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
From: [email protected]
To: [email protected]
Subject: Site+feedback
foo
.
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
From: [email protected]
To: [email protected]
Subject: Cheap V1AGR4
Blah
.
foo
.
✤
(textbook p400)
Mail: Preventing
✤
Rigorous validation of user-supplied data that will go to email
✤
Addresses should pass regex testing which should reject newlines
(among other invalid chars in email addresses)
✤
The subject should not contain newlines and be of reasonable length
✤
If the contents are being directly transmitted to SMTP, you should
reject any inputs that have a “.” on a line by itself.
Mail & OS: Tip
✤
TIP: Functions to send email to application support personnel are
frequently regarded as peripheral and may not be subject to the same
security standards or testing as the main application functionality.
Also, because they involve interfacing to an unusual back-end
component, they are often implemented via a direct call to the
relevant operating system command. Hence, in addition to probing
for SMTP injection, you should closely review all e-mail-related
functionality for OS command injection flaws. (textbook p. 401)
OS: Let’s look at the passwd file
#!/usr/bin/env perl
use strict;
use CGI qw(:standard escapeHTML);
print header, start_html(“”);
print “<pre>”;
my $command = “du -h --exclude php* /var/www/html”;
# Append user supplied “dir” parameter value to our
command
$command= $command.param(“dir”);
$command=`$command`;
print “$command\n”;
print end_html;
✤
AHA!
OS: Seems to simple?
✤
These type of command injection has been found many times in
commercial products
✤
HP OpenView was recently found to have one at URL:
http://target:3443/OvCgi/connectedNodes.ovpl?node=a| [command] |
✤
Fortunately, attackers are still limited to running commands at the web
server’s (hopefully) restricted permissions, but that is more than we
want them to be able to do!
OS: Where to Look
✤
When mapping your application (as described in Chapter 4), you
should already have pinpointed places where the application interacts
with the operating system by filesystem or process calls.
✤
You want to probe the places where these interactions happen in
order to find possible injection paths.
✤
In testing for vulnerabilities, consider various metacharacters:
& | ; ` > < && ||
✤
ping is a great tool to try to run, because even if you cannot retrieve
its output directly, you can tell it is running by the delay
OS: Preventing
✤
Best case: restrict use input to a whitelisted set of values
✤
Otherwise, restrict user input characters as much as possible
✤
See if you can accomplish whatever you are doing with language or
platform features rather than direct OS interaction
✤
If you must run OS commands in your application, see if your platform
has a function that can execute them in a limited interpreter rather
than one allowing for chaining and redirection
Filesystem: File Found
✤
Filesystem interactions are found where the server retrieves a file
from the file system or includes a file from the file system
✤
It is very straightforward to see where the server accesses the file
system and this could occur during whitebox testing (monitor IO)
✤
Don’t forget to try “\” also if it might be a windows server, because
they are sometimes unfiltered when “/” is handled properly
Filesystem: Path Travesal
✤
http://server.net/GetFile.php?name=csce813.jpg
✤
http://server.net/GetFile.php?name=../../../../../etc/passwd
✤
The attacker can read and possibly write files with the same (hopefully
user limited) permissions of the web server
✤
An attacker might be able to find and read OS related files or server
configuration files that can be exploited for more access or just gain
access to your application source code to look for bugs
Filesystem: Avoiding Path Tr.
✤
✤
✤
Chroot’ing the webserver fixes the most glaring problems
There is generally no good reason to pass end user input directly
through to a filesystem call, but if you must you can whitelist the files
to be accessed and filter out any problematic characters
These type of attacks don’t tend to happen by mistake. Your
application would be best logging it, emailing an admin, paging
another admin, and terminating the user’s account (if they had one)
Filesystem: Includes
✤
First: Don’t include a file which has been specified via user input
✤
Second: PHP allows you to include files from a remote path. If you
must use PHP, don’t let this be taken advantage of in your application
✤
File includes can be manipulated through path traversal attacks if they
are based upon user input
✤
Finally, don’t interact with the OS and filesystem, the mail server, or
any other backend component with user input that has not at the very
least been run through a set of validation tests that would make the
folks at the Transportation Safety Administration blush.
This is about database, but...
✤
http://xkcd.com/327/
XML & SOAP & HTTP Param
✤
XML
✤
SOAP
✤
HTTP Backend, HPI & HPP
✤
These were in this chapter also!