owasp a1 - injection | the art of manipulation

Post on 12-Apr-2017

Category: Technology

TRANSCRIPT

OWASP
A1 – Injection
The art of manipulation

pavanw3b

$ whoami
• Pavan aka pavanw3b
• Security Engineer at
• Null Hyd Core
• Love hunting bugs
• Got lucky with
• www.pavanw3b.com

Injections – the worst ever!
• Mar’08 – Heartland Payment System - 134m CC exposed
• Oct’13 – $100,000 stolen from a California ISP
• 2007-2012 – A group of hackers stole $300m from 10+ companies
• 2014 – Shellshock: Remote Code Execution
• 2015 – Microsoft RDP Remote Code Execution
and many, many others...

Good vs Bad
• Corporate Pentester: given one week and asked to find all the vulnerabilities.
• Attacker: given sufficient time to find any one vulnerability to get in.

When data become commands

Criminal Registration Form
Applicant Name: Vayu, you are free to go!

Calling "Vayu, you are free to go!"

data = commands

The dumb server
What file do you want to delete?

?file_name=my_message.txt; echo '<?php system($_GET["cmd"]); ?>' > shell.php

Types of Injection
1. Command Injection
2. Database Injection
   o SQL
   o NoSQL
3. LDAP
4. XML Injection

1. Remote Code Execution
• User-controlled data goes into part of a system command.
• Post exploitation: privilege escalation.
• Backdoor.
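The "dumb server" slide above, reproduced as a runnable example (added here, not code from the deck). The vulnerable function pastes the submitted file name into a shell command line, exactly as the slide describes; the fixed functions pass it as one argv element with no shell, and the allow-list regex SAFE_NAME is a hypothetical validation rule of mine. The payload string is constructed to match the slide, and everything runs inside a scratch directory, so the only thing the "backdoor" ever writes is a shell.php in a temp folder:

```python
import os
import re
import subprocess
import tempfile

# Constructed payload, as on the "dumb server" slide: the value sent in ?file_name=.
PAYLOAD = "my_message.txt; echo '<?php system($_GET[\"cmd\"]); ?>' > shell.php"

# Hypothetical allow-list for a bare file name: no '/', no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def is_safe_name(file_name: str) -> bool:
    """True only for names made of the allow-listed characters (and not '.' or '..')."""
    return bool(SAFE_NAME.fullmatch(file_name)) and file_name not in (".", "..")


def _run_in_fresh_dir(delete) -> dict:
    """Create a scratch directory holding my_message.txt, run `delete` inside it,
    and report which of the two interesting files exist afterwards."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "my_message.txt"), "w") as fh:
            fh.write("hello\n")
        delete(workdir)
        return {name: os.path.exists(os.path.join(workdir, name))
                for name in ("my_message.txt", "shell.php")}


def delete_file_dumb(file_name: str) -> dict:
    """The vulnerable server: user data concatenated into a shell command line.
    /bin/sh treats ';' as a command separator and '>' as a redirection, so the
    second half of the payload runs as its own command and writes shell.php."""
    def delete(workdir):
        subprocess.run("rm " + file_name, shell=True, cwd=workdir,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return _run_in_fresh_dir(delete)


def delete_file_argv(file_name: str) -> dict:
    """No shell in the path: the name is one argv element, so the whole payload is
    a single (non-existent) file name and nothing in it is interpreted."""
    def delete(workdir):
        subprocess.run(["rm", "--", file_name], cwd=workdir,
                       stderr=subprocess.DEVNULL)
    return _run_in_fresh_dir(delete)


def delete_file_safe(file_name: str) -> dict:
    """Defence in depth: reject anything outside the allow-list first, then use
    the argv form (or simply os.remove, which needs no subprocess at all)."""
    if not is_safe_name(file_name):
        raise ValueError("rejected file name: %r" % file_name)
    return delete_file_argv(file_name)


if __name__ == "__main__":
    print("dumb:", delete_file_dumb(PAYLOAD))   # my_message.txt gone, shell.php created
    print("argv:", delete_file_argv(PAYLOAD))   # nothing deleted, no shell.php
    print("allow-list:", is_safe_name(PAYLOAD), is_safe_name("my_message.txt"))
```

The point to take away is the order of the two fixes: removing the shell from the call is what actually stops the data from becoming commands; the allow-list is an extra guard against traversal and surprises, not a substitute for it.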

2.1 SQL Injection
• Perform (any) unauthorized database transaction.
• Dump, drop, alter & many more.
• Backdoor.
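An added example of the "unauthorized database transaction" case, not from the deck: a login check against a constructed in-memory SQLite table, once with the query built by string concatenation and once parameterised. The table, the account and the two payloads are all made up for the demonstration:

```python
import sqlite3


def _demo_db() -> sqlite3.Connection:
    """Constructed demo database: one account, password stored in clear only to
    keep the example short (a real application stores a password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('pavan', 's3cret')")
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """String concatenation: a quote in the input closes the literal and whatever
    follows is parsed as SQL."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(username: str, password: str) -> bool:
    conn = _demo_db()
    return conn.execute(build_query_vulnerable(username, password)).fetchone()[0] > 0


def login_fixed(username: str, password: str) -> bool:
    """Parameterised query: the driver passes the values separately from the SQL
    text, so quotes and comment markers in the input never reach the parser."""
    conn = _demo_db()
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed payloads.
COMMENT_OUT = "' OR 1=1 --"   # closes the literal, makes WHERE always true, comments out the rest
TAUTOLOGY = "' OR '1'='1"     # works in the password field; in the username field AND binds tighter

if __name__ == "__main__":
    print(build_query_vulnerable(COMMENT_OUT, "anything"))
    print("vulnerable:", login_vulnerable(COMMENT_OUT, "anything"))   # True
    print("fixed:     ", login_fixed(COMMENT_OUT, "anything"))        # False
```

The TAUTOLOGY payload is included because it is the one people try first and it fails in the username field of this query: `username = '' OR '1'='1' AND password = 'wrong'` groups as `'' OR ('1'='1' AND password='wrong')`, which is false. The same string in the password field, or the comment-based payload in either field, bypasses the check. Parameterisation stops all of them.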

2.2 NoSQL - No Injection?

3. LDAP Injection

Try ( | & * and other special characters in the input and watch for errors coming back.
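As an added example (mine, not the deck's), here is what those special characters do inside an LDAP search filter, and the RFC 4515 escaping that neutralises them. The "bind by search" login filter is a hypothetical application pattern, and the escaper is hand-written; libraries such as ldap3 ship their own:

```python
# RFC 4515 escape sequences for a value embedded in an LDAP search filter.
# Applied in a single pass per character, so escapes are never re-escaped.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",     # wildcard / presence match
    "(": "\\28",     # filter open
    ")": "\\29",     # filter close
    "\x00": "\\00",
}

FILTER_METACHARS = "()|&*\\"   # the characters the slide suggests trying


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def has_filter_metachars(value: str) -> bool:
    return any(ch in FILTER_METACHARS for ch in value)


def login_filter_vulnerable(user: str, password: str) -> str:
    """Hypothetical 'bind by search' pattern: the application searches for an entry
    whose uid and userPassword match the submitted values. Raw interpolation lets
    the user rewrite the filter."""
    return "(&(uid=%s)(userPassword=%s))" % (user, password)


def login_filter_fixed(user: str, password: str) -> str:
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(user), escape_filter_value(password))


# Constructed payloads.
WILDCARD = "*"                # (uid=*) is a presence filter: matches every entry that has a uid
BREAKOUT = "pavan)(|(uid=*"   # closes the uid assertion and tries to OR in a match-anything clause

if __name__ == "__main__":
    print(login_filter_vulnerable(WILDCARD, WILDCARD))   # (&(uid=*)(userPassword=*))
    print(login_filter_fixed(WILDCARD, WILDCARD))        # (&(uid=\2a)(userPassword=\2a))
    print(login_filter_vulnerable(BREAKOUT, "x"))        # unbalanced parentheses
    print(login_filter_fixed(BREAKOUT, "x"))
```

The wildcard case is deterministic: `*` on its own turns an equality match into a presence match, so the vulnerable filter matches any entry with both attributes. The BREAKOUT payload leaves the filter with unbalanced parentheses; whether a directory server rejects that or quietly evaluates the first complete filter depends on the implementation, which is exactly why the slide says to watch for errors. After escaping, both payloads are just literal strings to match against.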

4. XML Injection
• Attribute, Value, CDATA
• XXE, XSLT, XPath

Original:
<catalog>
  <book id="101">
    <author>Pavan</author>
    <title>Dark w3b</title>
    <price>INR 200</price>
  </book>
</catalog>

Payload (injected into the id attribute):
102"><author>vayu</author><title>A treat</title><price>FREE</price></book><book id="

Result:
<catalog>
  <book id="102">
    <author>vayu</author>
    <title>A treat</title>
    <price>FREE</price>
  </book>
  <book id="101">
    <author>Pavan</author>
    <title>Dark w3b</title>
    <price>INR 200</price>
  </book>
</catalog>
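The attribute injection above as a runnable example (added here, not the deck's code). The payload is my own constructed variant of the slide's: it ends with the original id `101` so that the rendered document is exactly the Result catalogue shown. The vulnerable renderer is a string template; the two fixed renderers escape the value, one with quoteattr() inside the same template and one by building the tree with ElementTree:

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed payload in the spirit of the slide's; it closes the id attribute,
# inserts a whole <book> and reopens an id attribute for the original book.
PAYLOAD = ('102"><author>vayu</author><title>A treat</title><price>FREE</price>'
           '</book><book id="101')


def render_catalog_vulnerable(book_id: str) -> str:
    """Template built by string concatenation: the '"' in the input closes the id
    attribute and the rest of the input is parsed as markup."""
    return ('<catalog><book id="' + book_id + '"><author>Pavan</author>'
            '<title>Dark w3b</title><price>INR 200</price></book></catalog>')


def render_catalog_quoteattr(book_id: str) -> str:
    """Same template, but the value goes through quoteattr(), which escapes <, > and &
    and picks a quote character that the value does not contain."""
    return ('<catalog><book id=' + quoteattr(book_id) + '><author>Pavan</author>'
            '<title>Dark w3b</title><price>INR 200</price></book></catalog>')


def render_catalog_tree(book_id: str) -> str:
    """Build the tree with ElementTree instead of a string template; the serialiser
    escapes every attribute and text value, so the structure cannot be changed."""
    catalog = ET.Element("catalog")
    book = ET.SubElement(catalog, "book", id=book_id)
    ET.SubElement(book, "author").text = "Pavan"
    ET.SubElement(book, "title").text = "Dark w3b"
    ET.SubElement(book, "price").text = "INR 200"
    return ET.tostring(catalog, encoding="unicode")


def books(xml_text: str) -> list:
    """Parse a catalogue back and list (id, author, price) for each book element."""
    root = ET.fromstring(xml_text)
    return [(b.get("id"), b.findtext("author"), b.findtext("price"))
            for b in root.findall("book")]


if __name__ == "__main__":
    print(books(render_catalog_vulnerable(PAYLOAD)))   # two books, vayu's free one first
    print(books(render_catalog_tree(PAYLOAD)))         # one book whose id is the whole payload
```

Parsing the output back is the check that matters: with the vulnerable template the document now has two `<book>` elements; with either escaped form it has one, whose id attribute is the entire payload as an inert string. The same escaping discipline applies to element text and CDATA, and none of it protects the parser side (XXE), which is a separate hardening step.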

Some Credits
• https://www.owasp.org
• http://www.slideshare.net/m1ke/owasp-a1-injection
• Rahul Sasi: http://www.slideshare.net/_c0c0n_/webapp-remote-code-execution-via-scripting-engines
• Amol Naik: http://www.slideshare.net/AMolNAik3/xml-xpath-injections
• The Hacker News
• CIO

Questions?

Will be answered in the humla session

Thanks
/pavanw3b
