Software Vulnerability Examples

SQL Injection – Example Scenario

• Imagine a form in a web page with two input text boxes: “username” and “password”.
• The form is submitted to a CGI script that builds an SQL query from the username and password and runs it against a database table to authenticate the user.
• If the SQL query matches an entry, the user is authenticated.

SQL Injection Example 1

• Web form textboxes:
  ▫ “username”, “password”
• CGI script code for SQL:
  ▫ string query = "SELECT * FROM items WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
• CGI intended generated SQL string:
  ▫ SELECT * FROM items WHERE username = '<username>' AND password = '<password>';
• User enters:
  ▫ “Administrator” as username and “secret' OR 'a'='a” as password
• Resulting SQL query:
  ▫ SELECT * FROM items WHERE username = 'Administrator' AND password = 'secret' OR 'a'='a';
• Because AND binds tighter than OR, the WHERE clause is evaluated as (username = 'Administrator' AND password = 'secret') OR 'a'='a'. The right-hand side of the OR is always true, so the query always returns rows and the user is authenticated as Administrator without knowing the password.

SQL Injection Example 2

• Web form textboxes:
  ▫ “username”, “password”
• CGI script code for SQL:
  ▫ string query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
• CGI intended generated SQL string:
  ▫ SELECT * FROM users WHERE username = '<username>' AND password = '<password>';
• User enters:
  ▫ “Administrator” as username and “secret'; DELETE FROM users; --” as password
• Resulting SQL query:
  ▫ SELECT * FROM users WHERE username = 'Administrator' AND password = 'secret'; DELETE FROM users; --';
• The result is three SQL statements separated by semicolons:
  ▫ 1st: the SELECT, which might fail (no row has the guessed password); this does not stop the statements after it.
  ▫ 2nd: DELETE FROM users, which deletes all entries in table “users”.
  ▫ 3rd: --', which is just a comment; it swallows the closing quote and semicolon appended by the script so the whole string still parses.
• This only works if the database driver accepts several statements in one call (stacked queries). Many drivers refuse that, which limits this payload but does nothing against Example 1; parameterised queries fix both.

SQL Injection Example 3

• Web form textboxes:
  ▫ “username”, “password”
• CGI script code for SQL:
  ▫ string query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
• CGI intended generated SQL string:
  ▫ SELECT * FROM users WHERE username = '<username>' AND password = '<password>';
• User enters:
  ▫ “Administrator” as username and “'; exec master..xp_cmdshell 'dir' --” as password
• Resulting SQL query:
  ▫ SELECT * FROM users WHERE username = 'Administrator' AND password = ''; exec master..xp_cmdshell 'dir' --';
• The result is three SQL statements separated by semicolons:
  ▫ 1st: the SELECT, which might fail (no row has an empty password).
  ▫ 2nd: exec master..xp_cmdshell 'dir', which executes a SQL Server extended stored procedure that runs the DOS command “dir” on the database host.
  ▫ 3rd: --', which is just a comment.
• xp_cmdshell is specific to Microsoft SQL Server; the command runs with the privileges of the SQL Server service account, so a database injection becomes OS command execution. It is disabled by default since SQL Server 2005 and must be switched on with sp_configure, but the same stacked-query mechanism as in Example 2 is what lets the attacker reach it.
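The following Python script is an added example and not part of the original slides: it reproduces Examples 1 and 2 against an in-memory SQLite table (the table, its two rows and the passwords are constructed for the demo) so the effect of each payload can be observed, and puts the parameterised fix alongside the vulnerable concatenation. Example 3's xp_cmdshell exists only on Microsoft SQL Server and cannot be reproduced in SQLite; it relies on the same stacked-query mechanism shown for Example 2.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slides' "users" table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Administrator", "Tr0ub4dor&3"), ("alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation exactly like the CGI script on the slides."""
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text,
    so quotes and keywords inside them are data, never part of the query."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def stacked_query_attack(conn, driver_allows_stacking):
    """Example 2's payload. sqlite3's execute() refuses more than one statement
    per call; executescript() plays the role of a driver/DBMS that permits
    stacked queries. Returns the number of rows left in "users"."""
    payload = "secret'; DELETE FROM users; --"
    query = ("SELECT * FROM users WHERE username = 'Administrator'"
             " AND password = '" + payload + "'")
    try:
        if driver_allows_stacking:
            conn.executescript(query)   # SELECT, then DELETE, then the --' comment
        else:
            conn.execute(query)         # one statement per call: rejected
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # "You can only execute one statement at a time": the DELETE never ran.
        # (sqlite3.Warning on Python <= 3.11, ProgrammingError on 3.12+.)
        pass
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    evil = "secret' OR 'a'='a"
    print("Example 1, concatenated query, authenticated:", login_vulnerable(db, "Administrator", evil))
    print("Example 1, parameterised query, authenticated:", login_safe(db, "Administrator", evil))
    print("Example 2, driver refuses stacking, rows left:", stacked_query_attack(make_db(), False))
    print("Example 2, driver allows stacking, rows left:", stacked_query_attack(make_db(), True))
```

The point of the last two calls is that refusing stacked statements is a property of the driver, not of the application: the same concatenated query still falls to Example 1 on every driver, so the parameterised form is the fix and the one-statement rule is only defence in depth.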

OS Command Injection – Example Scenario

• Imagine a form in a web page with a single input text box, “username”.
• The form is submitted to a CGI script that builds an OS shell command line from the username and runs it.

OS Command Injection Example

• Web form textbox:
  ▫ “username”
• CGI script code for the OS command (PHP):
  ▫ $command = 'ls -l /home/' . $userName;
  ▫ system($command);
• CGI intended generated OS command line:
  ▫ ls -l /home/<username>
• User enters:
  ▫ “; rm -rf /” as username
• Resulting OS command line:
  ▫ ls -l /home/ ; rm -rf /
• system() hands the string to a shell, and the semicolon ends the first command, so the shell runs two commands:
  ▫ The first one lists the contents of the /home directory.
  ▫ The second one recursively deletes, starting from the root, every file the web server's account is allowed to remove.
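Added Python example, not from the slides, showing the same pattern as the PHP code above and the two-part fix (validate the input against an allowlist, and pass the command as an argument list so no shell parses it). The payload uses "echo INJECTED" in place of the slide's "rm -rf /" so the demo is harmless; a temporary directory with a constructed "alice" entry stands in for /home, and the USERNAME_RE allowlist is an assumption made for the demo.

```python
import os
import re
import subprocess
import tempfile

# Allowlist for what a username may look like (assumed policy for this demo):
# lowercase letters, digits, '_' and '-', 1 to 32 characters. Anything else,
# including every shell metacharacter, is rejected before a command is built.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def list_home_vulnerable(base, username):
    """Same shape as the slide: 'ls -l /home/' . $userName handed to a shell."""
    command = "ls -l " + base + "/" + username
    return subprocess.run(command, shell=True, capture_output=True, text=True)


def list_home_safe(base, username):
    """Validate first, then pass an argument list: with shell=False the
    username reaches ls as one argv element, and ';' has no meaning."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username: %r" % (username,))
    return subprocess.run(["ls", "-l", os.path.join(base, username)],
                          capture_output=True, text=True)


def demo():
    """Run both variants against a temp dir standing in for /home and report
    what happened. 'echo INJECTED' replaces the slide's 'rm -rf /'; the shell
    treats both the same way."""
    payload = "; echo INJECTED"
    outcome = {}
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "alice"))  # constructed home directory

        vuln = list_home_vulnerable(base, payload)
        outcome["vulnerable_ran_payload"] = "INJECTED" in vuln.stdout
        outcome["vulnerable_listed_alice"] = list_home_vulnerable(base, "alice").returncode == 0

        try:
            list_home_safe(base, payload)
            outcome["safe_rejected_payload"] = False
        except ValueError:
            outcome["safe_rejected_payload"] = True
        outcome["safe_listed_alice"] = list_home_safe(base, "alice").returncode == 0
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Even without the allowlist, the argument-list form would not execute the payload: ls would simply report that no directory named "; echo INJECTED" exists. The allowlist is still worth keeping, because it also stops inputs such as "../etc" that are harmless to the shell but not to the application.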

Classic Buffer Overflow Example

• Example C code:
    #include <stdio.h>

    int main(void)
    {
        char buf[24];
        printf("Please enter your name\n");
        gets(buf);   /* unsafe: no limit on how much is written into buf */
        return 0;
    }
• Vulnerability
  ▫ The code uses gets(), which is inherently unsafe: it copies input from stdin into the buffer until it sees a newline or end of file, without restricting how much is copied.
  ▫ This allows the user to provide a string longer than the 24-byte buffer, overwriting whatever sits beyond it on the stack (other locals, the saved frame pointer, the return address), resulting in an overflow condition.
  ▫ gets() was deprecated in C99 and removed from the language in C11; fgets(buf, sizeof buf, stdin) reads at most sizeof buf - 1 characters and is the usual replacement.

  ▫ Strings like the one below can be used to exploit it. It is Linux x86 shellcode that calls execve("/bin/sh"); in a real exploit it is placed in the input together with padding and a new return address that points back into the buffer, so that when main() returns the CPU lands on the shellcode:
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"

Cross Site Scripting (XSS) Example

• Web form textbox:
  ▫ “username”
• Example PHP code:
    $username = $_GET['username'];
    echo '<div class="header">Welcome, ' . $username . '</div>';
• Example XSS URL:
  ▫ http://trustedSite.example.com/welcome.php?username=<script>alert('XSS')</script>
• The value of the username parameter is written into the page without escaping, so the browser parses the attacker's script tag as part of trustedSite.example.com's own markup and runs it in that site's security context (reflected XSS). Anyone who can get a victim to follow such a link can run script as that victim on the trusted site.
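Added Python example, not from the slides: it stands in for the PHP page above, extracts the username parameter from the request URL the way $_GET does, and renders the welcome line both unescaped (as on the slide) and escaped for the HTML element context. The URL with its percent-encoded script tag is constructed for the demo; ATTACK_URL and the function names are assumptions, not part of the original.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the payload from the slide, percent-encoded as a browser
# would send it. Encoding in transit does not help: the server decodes it.
ATTACK_URL = ("http://trustedSite.example.com/welcome.php"
              "?username=%3Cscript%3Ealert('XSS')%3C/script%3E")


def get_param(url, name):
    """Mimic PHP's $_GET[name]: first value of the query parameter, or ''."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_vulnerable(username):
    """Same as the slide's echo: user input concatenated straight into HTML."""
    return '<div class="header">Welcome, ' + username + '</div>'


def render_safe(username):
    """Escape for the HTML element context. &, <, >, " and ' become entities,
    so the browser shows the payload as text instead of parsing it as markup.
    This is the right escaping for element content; text placed inside an
    attribute, a <script> block or a URL needs the escaping for that context."""
    return '<div class="header">Welcome, ' + html.escape(username, quote=True) + '</div>'


def demo(url=ATTACK_URL):
    """Render the request both ways and return the two pages for comparison."""
    name = get_param(url, "username")
    return {"param": name,
            "vulnerable": render_vulnerable(name),
            "safe": render_safe(name)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key + ":", value)
```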

Missing Authentication or Authorisation

• Example Java code:
    BankAccount account = null;
    account = new BankAccount();
    return account;
• Vulnerability
  ▫ There is no check that the user creating this bank account object has the authority to create new bank accounts: the code neither authenticates the caller nor checks what the caller is allowed to do.
  ▫ The code should verify that the caller is authenticated and, beyond that, authorised to create bank account objects. Authentication only establishes who the user is; it does not by itself say that this user may create accounts.
• Corrected example code (authentication check, as on the slide):
    BankAccount account = null;
    if (isAuthenticated()) {
        account = new BankAccount();
    }
    return account;
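Added Python example, not from the slides, making the distinction between the two checks concrete: a caller can pass an authentication check and still be refused because they hold no permission to create accounts. The Principal class, the "accounts:create" permission string and the three sample callers are assumptions made for this demo.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional


class NotAuthenticated(Exception):
    """Caller has not proved who they are."""


class NotAuthorised(Exception):
    """Caller is known but is not allowed to perform this action."""


@dataclass(frozen=True)
class Principal:
    """Who is calling. An anonymous caller has no name and no permissions."""
    name: Optional[str] = None
    permissions: frozenset = frozenset()

    @property
    def is_authenticated(self):
        return self.name is not None


@dataclass
class BankAccount:
    owner: str
    balance: float = 0.0


def requires(permission):
    """Decorator: the caller must be authenticated AND hold `permission`.
    The first check alone (the slide's isAuthenticated()) would let any
    logged-in customer create accounts; the second is the authorisation."""
    def decorator(func):
        @wraps(func)
        def wrapper(caller, *args, **kwargs):
            if not caller.is_authenticated:
                raise NotAuthenticated("login required")
            if permission not in caller.permissions:
                raise NotAuthorised("%s lacks %s" % (caller.name, permission))
            return func(caller, *args, **kwargs)
        return wrapper
    return decorator


@requires("accounts:create")
def create_bank_account(caller, owner):
    """The guarded operation; the check lives on the operation, not in the UI."""
    return BankAccount(owner=owner)


def try_create(caller, owner):
    """Return a short outcome label so the three cases can be compared."""
    try:
        create_bank_account(caller, owner)
        return "created"
    except NotAuthenticated:
        return "denied: not authenticated"
    except NotAuthorised:
        return "denied: not authorised"


# Constructed callers for the demo
ANONYMOUS = Principal()
CUSTOMER = Principal("alice", frozenset({"accounts:view"}))
TELLER = Principal("bob", frozenset({"accounts:view", "accounts:create"}))

if __name__ == "__main__":
    for who in (ANONYMOUS, CUSTOMER, TELLER):
        print(who.name or "<anonymous>", "->", try_create(who, "carol"))
```

Putting the decorator on the operation itself, rather than on the web handler that calls it, means every path to account creation (web form, API, batch job) goes through the same check, which is what the slide's "some authentication mechanism should be used" amounts to in practice.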

Further Reading

• “2011 CWE/SANS Top 25 Most Dangerous Software Errors”
  ▫ http://cwe.mitre.org/top25/