LDAP Injection
For details on LDAP Injection: Testing for LDAP Injection

|
!
(
)
%28
%29
&
%26
%21
%7C
*|
%2A%7C
*(|(mail=*))
%2A%28%7C%28mail%3D%2A%29%29
*(|(objectclass=*))
%2A%28%7C%28objectclass%3D%2A%29%29
*()|%26'
admin*
admin*)((|userPassword=*)
*)(uid=*))(|(uid=*
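The defensive counterpart to the vectors above is RFC 4515 value escaping, which turns every filter metacharacter in user input into a backslash-hex escape so the input can never close the running filter or open a new one. The following is an added example and not code from the OWASP guide; the attribute names (uid, objectClass) and the login-filter shape are assumptions, and the vectors fed to it are copied from the list above.

```python
from urllib.parse import unquote

# RFC 4515: these are the only characters with filter syntax meaning inside an
# assertion value; each is replaced by backslash + two hex digits.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str) -> str:
    """Return a filter matching one uid, whatever the submitted username contains.

    The username is assumed to arrive as a raw form field, so it is percent-decoded
    first: a vector such as %2A%28%7C%28mail%3D%2A%29%29 must be canonicalised and
    then escaped, never passed on as literal '%' text.
    """
    decoded = unquote(username)
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(decoded)}))"


def filter_is_balanced(flt: str) -> bool:
    """Structural self-check: unescaped parentheses must nest properly.

    Used below to show that every fuzz vector yields a single well-formed
    assertion once escaped; it is not a substitute for escaping.
    """
    depth, i = 0, 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":          # skip an escape and its two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # Constructed input: fuzz vectors copied from the list above.
    for vector in ("admin*", "admin*)((|userPassword=*)",
                   "*)(uid=*))(|(uid=*", "%2A%28%7C%28objectclass%3D%2A%29%29"):
        flt = build_login_filter(vector)
        print(filter_is_balanced(flt), flt)
```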
XPath Injection
For details on XPath Injection: Testing for XPath Injection

'+or+'1'='1
'+or+''='
x'+or+1=1+or+'x'='y
/
//
//*
*/*
@*
count(/child::node())
x'+or+name()='username'+or+'x'='y
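The quote-breaking vectors above work because XPath 1.0 string literals have no escape character. When the XPath engine offers no variable binding, the safe construction is to wrap the value in the quote it does not contain and, if it contains both, to rebuild it with concat(). This is an added example, not code from the OWASP guide; the users.xml layout (user, name, password nodes) and the query shape are assumptions.

```python
from urllib.parse import unquote_plus


def xpath_string_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to exactly `value`.

    XPath 1.0 string literals have no escape character, so the value is wrapped
    in whichever quote it does not contain. If it contains both, it is split on
    the single quotes and reassembled with concat(), e.g.
    a'b"c  ->  concat('a', "'", 'b"c')
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")          # the single quote itself
    return "concat(" + ", ".join(pieces) + ")"


def build_user_query(username: str, password: str) -> str:
    """Build the node lookup an authentication handler might run over users.xml.

    Both inputs are assumed to be raw form fields, hence unquote_plus(): it turns
    the '+' and %XX sequences of the vectors above back into the characters the
    XPath engine would see.
    """
    u = xpath_string_literal(unquote_plus(username))
    p = xpath_string_literal(unquote_plus(password))
    return f"//user[name/text()={u} and password/text()={p}]"


if __name__ == "__main__":
    # Constructed input: vectors copied from the list above.
    print(build_user_query("x'+or+name()='username'+or+'x'='y", "secret"))
    print(build_user_query("admin", "'+or+''='"))
```

Whatever the input contains, the result is one predicate comparing against one string value, so the tautology the vectors aim for never reaches the engine.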
XML Injection
Details on XML Injection here: Testing for XML Injection

<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
]>&xee;
]>&xee;
]>&xee;
]>&xee;
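The vectors ending in ]>&xee; all depend on an entity declared in a DOCTYPE block being expanded by the receiving parser. The simplest robust defence for application XML, which rarely needs a DTD at all, is to refuse any document that carries one before any declaration is processed. This is an added example using Python's expat binding directly; it is not code from the OWASP guide, and the sample documents are constructed (the entity-bearing one uses a harmless internal entity rather than a file or URL reference).

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use a DTD or entity machinery."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTDs and entity expansion refused."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Expat calls this as soon as it sees "<!DOCTYPE"; raising here stops the
        # parse before any entity declaration inside the DTD is processed.
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def reject_entity(*args):
        raise UnsafeXML("entity declarations are not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity        # belt and braces
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def accepts(data: bytes) -> bool:
    """True if the document parses under the policy above, False if it is refused."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


# Constructed samples: a benign document and one shaped like the ]>&xee; vectors
# above, using a harmless internal entity instead of a file or HTTP reference.
BENIGN = b"<order><item qty='2'>widget</item></order>"
WITH_DTD = b'<!DOCTYPE foo [<!ENTITY xee "xxx">]><order>&xee;</order>'

if __name__ == "__main__":
    print(accepts(BENIGN), accepts(WITH_DTD))   # True False
```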
OWASP Testing Guide Appendix D: Encoded Injection

Background
Character encoding is the process of mapping characters, numbers and other symbols to a standard format. Typically, this is done to create a message ready for transmission between sender and receiver. It is, in simple terms, the conversion of characters (belonging to different languages like English, Chinese, Greek or any other known language) into bytes. An example of a widely used character encoding scheme is the American Standard Code for Information Interchange (ASCII), which initially used 7-bit codes. More recent examples of encoding schemes are the Unicode UTF-8 and UTF-16 computing industry standards.

In the space of application security, and because of the plethora of encoding schemes available, character encoding is commonly misused: malicious injection strings are encoded in a way that obfuscates them. This can lead to the bypass of input validation filters, or take advantage of the particular ways in which browsers render encoded text.
Input Encoding – Filter Evasion
Web applications usually employ different types of input filtering mechanisms to limit the input that can be submitted by the user. If these input filters are not implemented sufficiently well, it is possible to slip a character or two through them. For instance, a / is represented as 2F (hex) in ASCII, while the same character (/) can also be smuggled as the overlong two-byte UTF-8 sequence C0 AF, which a strict decoder must reject. Therefore, it is important for the input filtering control to be aware of the encoding scheme used and to canonicalise input before checking it. If the filter is found to be detecting only UTF-8 encoded injections, a different encoding scheme may be employed to bypass it.
Output Encoding – Server & Browser Consensus
Web browsers need to be aware of the encoding scheme used to coherently display a web page. Ideally, this information should be provided to the browser in the HTTP header (“Content-Type”) field, as shown below:

Content-Type: text/html; charset=UTF-8

or through an HTML META tag (“META HTTP-EQUIV”).

It is through these character encoding declarations that the browser understands which set of characters to use when converting bytes to characters. Note that the content type mentioned in the HTTP header has precedence over the META tag declaration.
CERT describes it here as follows:

Many web pages leave the character encoding (“charset” parameter in HTTP) undefined. In earlier versions of HTML and HTTP, the character encoding was supposed to default to ISO-8859-1 if it wasn’t defined. In fact, many browsers had a different default, so it was not possible to rely on the default being ISO-8859-1. HTML version 4 legitimizes this - if the character encoding isn’t specified, any character encoding can be used.

If the web server doesn’t specify which character encoding is in use, it can’t tell which characters are special. Web pages with unspecified character encoding work most of the time because most character sets assign the same characters to byte values below 128. But which of the values above 128 are special? Some 16-bit character-encoding schemes have additional multi-byte representations for special characters such as “<”. […] ‘>’ works as a closing bracket for an HTML tag. In order to actually display this character on the web page, HTML character entities should be inserted in the page source. The injections mentioned above are one way of encoding. There are numerous other ways in which a string can be encoded (obfuscated) in order to bypass the above filter.
Hex Encoding
Hex, short for hexadecimal, is a base-16 numbering system, i.e. it has 16 different values, 0 to 9 and A to F, to represent various characters. Hex encoding is another form of obfuscation that is sometimes used to bypass input validation filters. For instance, the hex encoded version of the string is

A variation of the above string is given below. It can be used in case ‘%’ is being filtered:

There are other encoding schemes, such as Base64 and Octal, that may be used for obfuscation.

Although not every encoding scheme works every time, a bit of trial and error coupled with intelligent manipulation would definitely reveal the loophole in a weakly built input validation filter.
UTF-7 Encoding
The UTF-7 encoding of <SCRIPT>alert('XSS');</SCRIPT> is as below:

+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

For the above script to work, the browser has to interpret the web page as encoded in UTF-7.
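The Input Encoding, Hex Encoding and UTF-7 sections above share one lesson: a filter that inspects the bytes the client sent, rather than the characters the back end or browser will actually see, is bypassable. This added example (not code from the OWASP guide) canonicalises a form field by percent-decoding it once and decoding it as strict UTF-8 before applying a deny-list, and shows separately why the UTF-7 form is only stopped by declaring the charset. The field name, the deny-list and the inputs are constructed for illustration.

```python
import codecs
import re
from urllib.parse import unquote_to_bytes

# Illustrative deny-list for a field that must be a single path segment.
FORBIDDEN = re.compile(r"[<>/]")


def strict_utf8(raw: bytes) -> str:
    """Decode UTF-8 strictly; overlong forms such as C0 AF for '/' are rejected.

    Python's codec already refuses overlong sequences. Failing closed here matters
    because a lenient decoder further down the stack may happily map C0 AF to '/'.
    """
    return raw.decode("utf-8", errors="strict")


def canonical_text(field: str) -> str:
    """One pass of percent-decoding (covers %XX hex encoding), then strict UTF-8."""
    return strict_utf8(unquote_to_bytes(field))


def field_is_clean(field: str) -> bool:
    """Validate the canonical form; undecodable bytes count as a failure."""
    try:
        text = canonical_text(field)
    except UnicodeDecodeError:
        return False
    return FORBIDDEN.search(text) is None


def as_utf7(raw: bytes) -> str:
    """What a browser would render if it sniffed an undeclared charset as UTF-7."""
    return codecs.decode(raw, "utf-7")


if __name__ == "__main__":
    # Constructed inputs mirroring the representations discussed above.
    print(field_is_clean("notes"))        # True
    print(field_is_clean("a%2Fb"))        # False: %2F canonicalises to '/'
    print(field_is_clean("%C0%AFb"))      # False: overlong UTF-8 fails to decode
    # The UTF-7 form carries no literal '<', so it passes the byte-level check;
    # only a declared charset stops the browser from turning it into markup.
    print(field_is_clean("+ADw-SCRIPT+AD4-"))   # True
    print(as_utf7(b"+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-"))
```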
Multi-byte Encoding
Variable-width encoding is another type of character encoding scheme that uses codes of varying lengths to encode characters. Multi-byte encoding is a type of variable-width encoding that uses a varying number of bytes to represent a character. Multi-byte encoding is primarily used to encode characters that belong to a large character set, e.g. Chinese, Japanese and Korean.

Multi-byte encoding has been used in the past to bypass standard input validation functions and carry out cross-site scripting and SQL injection attacks.
References
• http://en.wikipedia.org/wiki/Encode_(semiotics)
• http://ha.ckers.org/xss.html
• http://www.cert.org/tech_tips/malicious_code_mitigation.html
• http://www.w3schools.com/HTML/html_entities.asp
• http://www.iss.net/security_center/advice/Intrusions/2000639/default.htm
• http://searchsecurity.techtarget.com/expert/Knowledgebase-Answer/0,289625,sid14_gci1212217_tax299989,00.html
• http://www.joelonsoftware.com/articles/Unicode.html