Document information: 54 pages, 1.15 MB

Slide 1
Intelligent Application Switching
Security Training
III – Application Hacking
Renaud BIDOU
Security Consultant EMEA
Slide 2 – Agenda – Part I : Introduction
• Applications target points
• Input data
• Internal components
• External components
• Output
Slide 3 – Agenda – Part II : Input data
• Environment Variables
• Files and commands
• Injections
  • Basics
  • SQL Injections
  • Cross Site Scripting
Slide 4 – Agenda – Part III : Internal Parts
• Reminder
• Buffer Overflow
• Heap Overflow
• Format Strings
Slide 6 – Introduction

Slide 7 – INTRO – Functional Components
Slide 8 – INTRO – Weak Points
• Inputs
  • Users Inputs
    • The MOST dangerous
  • Network inputs
  • Shared data and memory
• Internal Components
  • Memory management
  • Temporary data
Slide 9 – INTRO – Weak Points
• External components
  • OS
    • Environment variables
    • Embedded commands
    • Application privileges
  • Other applications
• Output
  • “Normal Output”
  • Errors
    • To users
    • Logs
    • Crash dumps
Slide 10 – Inputs

Slide 11 – Environment Variables
[...]
COMMAND – Prevention
• Use an explicit authorized policy
• What is not authorized is forbidden
• List of authorized input may vary
• Reject invalid input
• Some scripts try to correct
• May be dangerous
if($input =~ /[^a-zA-Z 0-9 \s]/) { &drop; }

Slide 21 – Injections

Slide 22 – INJECTION – Basics
• Objective
• Use input capabilities to have the remote software
• … display...
[...] the GUI
• Other fields via HTTP proxy/editor
• Use URL parameters
http://www.publi-news.fr/PB/liste.html?pg=1&type=L7&tit_revue=+It+really+SUCKS+alert(document.cookies)

Slide 24 – INJECTION – Basics
• HTML Injection usage
  • Mess the output
  • Inject CSS-like load
  • Have input executed by scripting languages
    • php, asp, perl etc
  • Classical...
[...] /etc/shadow |” Gotcha !

Slide 18 – FILES – Language Specificities
• The \0
  • Is considered as a character by PERL
  • Is the end of string for C
• So what ?
  • Bypassing some security checks
  • Ex: Displaying an HTML page based on user input
    • PERL CGI application takes the input
    • Adds “.html”
    • Sends to a C program for processing
  • User provides “/etc/passwd\0”
  • CGI script sends...

[...] Escape commands
• To get rid of the end of a command
• Original SQL request
SELECT * FROM table where x=$data AND y=0
• AND y=0 must be escaped
• With SQL server
$data = 1; SELECT * FROM secret_table; --
• With mysql
$data = 1; SELECT * FROM secret_table; #

Slide 28 – INJECTION – SQL Injection
• Bypassing filters
• Typical authentication case
• Authentication code
SELECT * FROM... WHERE name='1' AND pass='1' OR 'TRUE'

Slide 30 – INJECTION – SQL Injection
• Advanced techniques
• From a URL
http://server/index.asp?id=$data
• Getting info on SQL structures
1 - Tables
1 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
• The command output is the name of the first table
• UNION with an integer (1) will generate an error
Microsoft OLE DB Provider...
[...] TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')

Slide 31 – INJECTION – SQL Injection
• Advanced techniques
• Getting info on SQL structures
2 - Columns
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='table1'
• The command output is the name of the first column
• UNION with an integer (1) will generate an error
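The two defensive points in the excerpt above, the explicit allow-list check from the Prevention slide and keeping user input out of the SQL text in the authentication case, shown side by side as an added Python example that is not code from the training deck. It assumes a constructed in-memory SQLite users table, and uses sqlite3's bound parameters in place of whatever driver the application itself would use.

```python
import re
import sqlite3

# Allow-list from the Prevention slide, ported from Perl: anything outside
# letters, digits and whitespace is rejected rather than "corrected".
FORBIDDEN = re.compile(r"[^a-zA-Z0-9\s]")


def is_valid_input(value):
    """True only if every character of value is on the allow-list."""
    return FORBIDDEN.search(value) is None


def make_db():
    # Constructed sample table standing in for the application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concatenated(conn, name, password):
    # The pattern on the slides: input spliced into the SQL text, so a quote
    # in the input closes the literal and the remainder is parsed as SQL.
    sql = "SELECT 1 FROM users WHERE name='%s' AND pass='%s'" % (name, password)
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    # Bound parameters: the query text is fixed and the values travel
    # separately, so a quote is compared as data, never parsed as SQL.
    sql = "SELECT 1 FROM users WHERE name=? AND pass=?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def run_demo():
    conn = make_db()
    # Constructed input of the same shape as the slides' OR 'TRUE' trick.
    payload = "1' OR '1'='1"
    return {
        "allow_list_rejects_payload": not is_valid_input(payload),
        "allow_list_rejects_null_byte": not is_valid_input("passwd\0"),
        "allow_list_accepts_plain": is_valid_input("alice 42"),
        "concat_legit": login_concatenated(conn, "alice", "s3cret"),
        "concat_injected": login_concatenated(conn, "1", payload),
        "param_legit": login_parameterized(conn, "alice", "s3cret"),
        "param_injected": login_parameterized(conn, "1", payload),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The concatenated query lets the injected input log in as the first user while the parameterized one does not, and the allow-list also rejects the null byte from the FILES slide.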