Transcript Software Vulnerability Examples
Software Vulnerability Examples
SQL Injection – Example Scenario
• • • Imagine a form in a webpage with two input text boxes: “username” and “password”. The form gets submitted to a CGI script that constructs SQL query with the username ad password and runs it against a database table to authenticate the user.
If the SQL query matches an entry the user gets authenticated
SQL Injection Example 1
• • • • • • Web form textboxes: ▫ “username”, “password” CGI script code for SQL: ▫ string query = "SELECT * FROM items WHERE username = '" + userName + "' AND password = '" + password.Text + "'"; CGI intended generated SQL string: ▫ SELECT * FROM items WHERE username =
SQL Injection Example 2
• • • • • • Web form textboxes: ▫ “username”, “password” CGI script code for SQL: ▫ string query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password.Text + "'"; CGI intended generated SQL string: ▫ SELECT * FROM users WHERE username =
SQL Injection Example 3
• • • • • • Web form textboxes: ▫ “username”, “password” CGI script code for SQL: ▫ string query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password.Text + "'"; CGI intended generated SQL string: ▫ SELECT * FROM users WHERE username =
OS Command Injection – Example Scenario
• • Imagine a form in a webpage with a single input text box “username”. The form gets submitted to a CGI script that constructs a OS shell command line with the username and runs it.
OS Command Injection Example
• • • • • • Web form textbox: ▫ “username” CGI script code for OS command: ▫ $command = 'ls -l /home/' . $userName; ▫ system($command); CGI intended generated OS command line: ▫ ls –l /home/
Classic Buffer Overflow Example
• • Example C code: char buf[24]; printf("Please enter your name \n"); gets(buf); Vulnerability ▫ The code uses gets() which is inherently unsafe blindly copies all input from STDIN to the buffer without restricting how much is copied This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
▫ Strings like the below one can be used to exploit it: "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x 46\x0c\xb0\x0bx89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\ x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/b in/sh"
Cross Site Scripting (CSS) Example
• • • Web form textbox: ▫ “username” Example PHP code: $username = $_GET['username']; echo '
name=
Missing Authentication or Authorisation
• • • Example Java code: BankAccount account = null; Account = new BankAccount(); return account; Vulnerability ▫ There is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts. ▫ Some authentication mechanisms should be used to verify that the user has the authority to create bank account objects. Correct example code: BankAccount account = null; if (isAuthenticated()) { Account = new BankAccount(); } return account; }
Further Reading
• “2011 CWE/SANS Top 25 Most Dangerous Software Errors” ▫ http://cwe.mitre.org/top25/