Input Vulnerabilities
We all know not to run "code" retrieved from suspicious places. But passive "data" may be interpreted as malicious instructions, depending only on where it flows:
    System.out.println("/etc/passwd");    // the string is merely printed
vs.
    File file = new File("/etc/passwd");  // the same string now names a file the program will open
3 Most Common Input Vulnerabilities on the Web
1. Cross-site Scripting
2. SQL Injection
3. Directory Traversal
See the Open Web Application Security Project (OWASP).
Example: Invectus on McDonald's
The search parameter as sent, URL-encoded:
    queryText=%22%3E%3Cimg%20src=%22http://i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E
The same parameter decoded. The leading "> closes the attribute the value is echoed into, and the rest injects an image tag that the page then renders:
    queryText="><img src="http://i55.tinypic.com/witu7d.png" height="650" width="1000">
Famous Examples
- Obama campaign website redirected to Hillary Clinton's site
- Twitter pop-ups
- Invectus attacks (over 20 sites)
Best Solution
Filter (or, more robustly, encode for the HTML context it lands in) any data that is echoed back into HTML, at the point where it is written out, e.g.
    String input = request.getParameter("data");
    String clean = new HTMLInputFilter().filter(input);
(HTMLInputFilter is a third-party sanitizing class, not part of the JDK.)
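To make the rule concrete, here is an added example that is not from the original slides. It is written in Python rather than the deck's Java so that it runs with the standard library alone; the technique is the same. A payload shaped like the McDonald's queryText example above is echoed into a search page three ways: raw, after a blocklist filter that only strips script tags, and after contextual output encoding. The page template, the function names and the placeholder image URL are assumptions made for the example.

```python
import html
import re

# Constructed payload modelled on the McDonald's queryText example: it closes the
# attribute the value is echoed into and injects an <img> tag. The image URL is a
# placeholder assumed for this example.
INJECTED_QUERY = '"><img src="http://example.invalid/defacement.png" height="650" width="1000">'

# Stand-in for the search results page: the parameter is echoed into an attribute
# value and into the page body (assumed layout, not the real site's HTML).
PAGE_TEMPLATE = '<input name="queryText" value="{q}"> Results for: {q}'


def render_unsafe(query_text: str) -> str:
    """Echo the parameter straight into the HTML, as the vulnerable page did."""
    return PAGE_TEMPLATE.format(q=query_text)


def strip_script_tags(query_text: str) -> str:
    """A blocklist 'filter' that only removes <script> tags. Included to show why
    filtering for known-bad strings is not enough: the payload above has none."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", query_text)


def encode_for_html(query_text: str) -> str:
    """Contextual output encoding: <, >, &, " and ' become entities, so the
    browser treats the whole value as text inside the attribute or the body."""
    return html.escape(query_text, quote=True)


def render_safe(query_text: str) -> str:
    """Same page, with the parameter encoded at the moment it is written out."""
    return PAGE_TEMPLATE.format(q=encode_for_html(query_text))


def injected_tag_survives(rendered: str) -> bool:
    """Self-check: did the injected <img> tag reach the page as live markup?"""
    return "<img" in rendered.lower()


if __name__ == "__main__":
    for name, page in (("unsafe", render_unsafe(INJECTED_QUERY)),
                       ("blocklist", render_unsafe(strip_script_tags(INJECTED_QUERY))),
                       ("encoded", render_safe(INJECTED_QUERY))):
        print(f"{name:9}: injected tag survives = {injected_tag_survives(page)}")
```

The blocklist filter passes the payload untouched because it contains no script tag at all; the defacement on the slide needed only an img element. Encoding every character with HTML meaning, in the context the value is written into, is what removes the problem regardless of which tag the attacker chose.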
Simple Web App
A Web form that allows the user to look up account details. Underneath, a Java Web application serves the requests.
SQL Injection Example
Happy-go-lucky SQL statement, constructed the typical way, by string concatenation:
    String query = "SELECT Username, UserID, Password FROM Users WHERE Username = '" + user + "' AND Password = '" + password + "'";
It looks benign on the surface, but it leads to SQL injection, one of the most common Web application vulnerabilities, caused by lack of input validation. How? Let's play with it a bit more...
Injecting Malicious Data (2)
Enter the username bob'-- with an empty password and press "Submit":
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'--' AND Password = ''"
Everything after -- is a SQL comment, so the password condition is never evaluated and bob's row comes back.
Injecting Malicious Data (3)
Enter the username bob'; DROP TABLE Users-- and press "Submit":
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'; DROP TABLE Users--' AND Password = ''"
If the driver accepts stacked statements and the database account may drop tables, the Users table is gone.
Heart of the Issue: Tainted Input Data
[Diagram: evil input from the hacker's browser enters the Web App; forwarded to the database it becomes SQL injection, echoed back to the browser as output it becomes cross-site scripting.]
Tainted input may lead to either vulnerability. Insert input checking and validation in the application!
Mitigating SQL Injection
Always use Prepared Statements or Stored Procedures (a stored procedure only helps if it does not itself build dynamic SQL from its arguments).
Instead of:
    stmt.execute("UPDATE EMPLOYEES SET SALARY = " + input1 + " WHERE ID = " + input2);
Use:
    PreparedStatement pstmt = conn.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
    pstmt.setBigDecimal(1, input1);
    pstmt.setInt(2, input2);
    pstmt.executeUpdate();
The account used to make the database connection must have least privilege: if the application only requires read access, the account must be given read access only.
Avoid disclosing error information. Weak error handling is a great way for an attacker to profile SQL injection attacks; uncaught SQL errors normally give too much information to the user, such as table names and procedure names.
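As an added example, not from the original slides, the concatenated statement from the SQL Injection Example and the prepared form recommended here are run side by side against a real database. It uses Python's standard-library sqlite3 so it runs offline (the deck's code is Java; the binding mechanism is the same as JDBC's PreparedStatement). The Users rows are constructed sample data, and the read-only connection built with sqlite3's authorizer hook is a stand-in for the least-privilege database account the slide asks for.

```python
import sqlite3

# Constructed sample rows for the Users table the slides query (plaintext passwords
# only to mirror the slide; real systems store password hashes).
USERS = [("bob", 1, "s3cret"), ("alice", 2, "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory Users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, UserID INTEGER, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_concatenated(conn, user: str, password: str):
    """The slide's happy-go-lucky statement: the inputs are pasted into the SQL text,
    so a quote in the input changes the statement instead of being data."""
    query = ("SELECT Username, UserID, Password FROM Users WHERE Username = '"
             + user + "' AND Password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_prepared(conn, user: str, password: str):
    """Python equivalent of the slide's PreparedStatement: the SQL text is fixed and
    the driver binds the values, so a quote in the input is just a character."""
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(query, (user, password)).fetchone()


def read_only(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Least privilege, approximated with sqlite3's authorizer hook: the connection may
    SELECT and READ columns; every other action (UPDATE, DROP TABLE, ...) is denied.
    A real deployment grants the equivalent at the database account level."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
               getattr(sqlite3, "SQLITE_FUNCTION", 31)}

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def try_update(conn) -> bool:
    """Attempt a write; True if it ran, False if the account lacked the privilege."""
    try:
        conn.execute("UPDATE Users SET Password = 'pwned' WHERE Username = 'bob'")
        return True
    except sqlite3.DatabaseError:   # 'not authorized' raised via the authorizer
        return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated, user bob'-- :", login_concatenated(db, "bob'--", ""))
    print("prepared,     user bob'-- :", login_prepared(db, "bob'--", ""))
    print("UPDATE on read-only account:", try_update(read_only(make_db())))
```

With the concatenated query the username bob'-- logs in with an empty password, exactly as on the "Injecting Malicious Data (2)" slide; the prepared query returns no row because the bound value is compared as the literal string bob'--. Note that sqlite3's execute() refuses more than one statement per call, so the slide's DROP TABLE payload is stopped here by the driver, not by the code; drivers and configurations that allow stacked statements run it, which is why the least-privilege account matters as a second layer.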
Recent Examples
- On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised.
- On June 1, 2011, LulzSec stole information from Sony PS3 users.
- In August 2011, a hacker stole user records from the Nokia Developer site.
Directory/Path Traversal
Occurs when user input is used to create the path for reading a file on disk:
    String file = request.getParameter("photo");
    new File("/images/" + file);
Directory Traversal
Malicious input has been used to retrieve:
- "web.xml" files
- Apache conf files
- UNIX password files
Other example: you let the user choose between different style templates and save the template filename in their profile.
Example 2
    http://some_site.com.br/get-files.jsp?file=report.pdf
In these examples it is possible to insert a malicious string as the parameter value to access files located outside the web publish directory.
Best Solution
Don't construct file paths from user input. Understand how your web server handles file access.
Create a UUID (Universally Unique IDentifier) for each file and save it as a column with the data:
    String uuid = UUID.randomUUID().toString();
    File savedFile = new File(uuid);
Example database table for images: picID, picName, picDesc, picOwner, picFormat, uuid
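As an added example, not from the original slides, both halves of this advice in code: a containment check for the cases where a filename really must come from the client (the "photo" parameter from the Directory/Path Traversal slide), and the UUID indirection recommended here, with the image table reduced to a dictionary. It is in Python rather than the deck's Java so it runs without a servlet container; the IMAGES_ROOT directory, the function names and the sample rows are assumptions for the example.

```python
import posixpath
import uuid

# Assumed directory for stored images (not from the slides).
IMAGES_ROOT = "/var/www/images"


def unsafe_photo_path(photo: str) -> str:
    """The slide's pattern: the request parameter is appended to the directory, so
    '../' sequences in it walk out of IMAGES_ROOT."""
    return IMAGES_ROOT + "/" + photo


def safe_photo_path(photo: str):
    """Containment check for when a filename must come from the client: normalise the
    joined path and require it to still be under IMAGES_ROOT. Returns the normalised
    path, or None when the input escapes the directory. `photo` is taken as already
    URL-decoded, as request.getParameter() returns it."""
    if "\x00" in photo:                     # NUL would truncate the name in C-level file APIs
        return None
    candidate = posixpath.normpath(posixpath.join(IMAGES_ROOT, photo))
    # commonpath compares whole components, so '/var/www/images2/x' is rejected
    # where a plain startswith() on the string would let it through.
    if posixpath.commonpath([IMAGES_ROOT, candidate]) != IMAGES_ROOT:
        return None
    return candidate


# Stand-in for the slide's image table: picID -> picName, picDesc, picOwner, picFormat, uuid
PICTURES = {}


def save_picture(pic_id: int, pic_name: str, pic_desc: str, owner: str, fmt: str) -> str:
    """The slide's best solution: the on-disk name is a server-generated UUID kept in
    the row; the client only ever sees picID."""
    file_uuid = str(uuid.uuid4())
    PICTURES[pic_id] = {"picName": pic_name, "picDesc": pic_desc, "picOwner": owner,
                        "picFormat": fmt, "uuid": file_uuid}
    return posixpath.join(IMAGES_ROOT, file_uuid)


def photo_path_by_id(pic_id_param: str, requesting_user: str):
    """Resolve a client-supplied picID to a path. The parameter is parsed as an integer,
    so no characters from it reach the filesystem, and picOwner is checked so one user
    cannot fetch another's image by guessing ids."""
    try:
        row = PICTURES[int(pic_id_param)]
    except (ValueError, KeyError):
        return None
    if row["picOwner"] != requesting_user:
        return None
    return posixpath.join(IMAGES_ROOT, row["uuid"])


if __name__ == "__main__":
    for p in ("cat.png", "../../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:24} unsafe -> {unsafe_photo_path(p)}   safe -> {safe_photo_path(p)}")
    stored = save_picture(7, "cat.png", "my cat", "alice", "png")
    print("by id as alice  :", photo_path_by_id("7", "alice") == stored)
    print("by id as mallory:", photo_path_by_id("7", "mallory"))
```

The check uses posixpath so the output is identical on every platform; in a real handler use os.path.realpath on both the base directory and the candidate before comparing, so symlinks inside the image directory cannot point the resolved path elsewhere. The UUID lookup avoids the question entirely: the only thing parsed from the request is an integer id, and the ownership column makes the lookup an authorization check as well.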