1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
135 136<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
serving the page to the user. They represent an alternative to writing<br />
CGI programs or embedding code using server-side scripting languages,<br />
when there’s only need to perform very simple tasks. Common SSI<br />
implementations provide commands to include external files, to set<br />
and print web server CGI environment variables, and to execute external<br />
CGI scripts or system commands.<br />
Putting an SSI directive into a static HTML document is as easy as<br />
writing a piece of code like the following:<br />
we could guess if SSI are supported just by looking at the content of<br />
the target web site. If it contains .shtml files, then SSI are probably<br />
supported, as this extension is used to identify pages containing these<br />
directives. Unfortunately, the use of the shtml extension is not mandatory,<br />
so not having found any shtml files doesn’t necessarily mean<br />
that the target is not prone to SSI injection attacks.<br />
The next step consists of determining if an SSI injection attack is actually<br />
possible and, if so, what are the input points that we can use to<br />
inject our malicious code.<br />
[2] Where user input, cookie content and HTTP headers are handled.<br />
The complete list of input vectors is then quickly determined.<br />
[3] How the input is handled, what kind of filtering is performed, what<br />
characters the application is not letting through, and how many types<br />
of encoding are taken into account.<br />
Performing these steps is mostly a matter of using grep to find the<br />
right keywords inside the source code (SSI directives, CGI environment<br />
variables, variables assignment involving user input, filtering functions<br />
and so on).<br />
unlike SQL, no ACLs are enforced, as our query can access every part of<br />
the XML document.<br />
How to Test<br />
The XPath attack pattern was first published by Amit Klein [1] and is<br />
very similar to the usual SQL Injection.In order to get a first grasp of<br />
the problem, let’s imagine a login page that manages the authentication<br />
to an application in which the user must enter his/her username<br />
and password.Let’s assume that our database is represented by the<br />
following XML file:<br />
<br />
to print out the current time.<br />
<br />
to include the output of a CGI script.<br />
<br />
to include the content of a file or list files in a directory.<br />
<br />
to include the output of a system command.<br />
Then, if the web server’s SSI support is enabled, the server will parse<br />
these directives. In the default configuration, usually, most web servers<br />
don’t allow the use of the exec directive to execute system commands.<br />
As in every bad input validation situation, problems arise when the<br />
user of a web application is allowed to provide data that makes the<br />
application or the web server behave in an unforeseen manner. With<br />
regard to SSI injection, the attacker could provide input that, if inserted<br />
by the application (or maybe directly by the server) into a dynamically<br />
generated page, would be parsed as one or more SSI directives.<br />
This is a vulnerability very similar to a classical scripting language injection<br />
vulnerability. One mitigation is that the web server needs to be<br />
configured to allow SSI. On the other hand, SSI injection vulnerabilities<br />
are often simpler to exploit, since SSI directives are easy to understand<br />
and, at the same time, quite powerful, e.g., they can output the content<br />
of files and execute system commands.<br />
How to Test<br />
Black Box testing<br />
The first thing to do when testing in a Black Box fashion is finding if the<br />
web server actually supports SSI directives. Often, the answer is yes,<br />
as SSI support is quite common. To find out we just need to discover<br />
which kind of web server is running on our target, using classic information<br />
gathering techniques.<br />
Whether we succeed or not in discovering this piece of information,<br />
The testing activity required to do this is exactly the same used to test<br />
for other code injection vulnerabilities. In particular, we need to find every<br />
page where the user is allowed to submit some kind of input, and<br />
verify whether the application is correctly validating the submitted<br />
input. If sanitization is insufficient, we need to test if we can provide<br />
data that is going to be displayed unmodified (for example, in an error<br />
message or forum post). Besides common user-supplied data, input<br />
vectors that should always be considered are HTTP request headers<br />
and cookies content, since they can be easily forged.<br />
Once we have a list of potential injection points, we can check if the<br />
input is correctly validated and then find out where the provided input<br />
is stored. We need to make sure that we can inject characters used in<br />
SSI directives:<br />
< ! # = / . “ - > and [a-zA-Z0-9]<br />
To test if validation is insufficient, we can input, for example, a string<br />
like the following in an input form:<br />
<br />
This is similar to testing for XSS vulnerabilities using<br />
alert(“XSS”)<br />
If the application is vulnerable, the directive is injected and it would be<br />
interpreted by the server the next time the page is served, thus including<br />
the content of the Unix standard password file.<br />
The injection can be performed also in HTTP headers, if the web application<br />
is going to use that data to build a dynamically generated page:<br />
GET / HTTP/1.0<br />
Referer: <br />
User-Agent: <br />
Gray Box testing<br />
If we have access to the application source code, we can quite<br />
easily find out:<br />
[1] If SSI directives are used. If they are, then the web server is<br />
going to have SSI support enabled, making SSI injection at least a<br />
potential issue to investigate.<br />
Tools<br />
• Web Proxy Burp Suite - http:/portswigger.net<br />
• Paros - http:/www.parosproxy.org/index.shtml<br />
• WebScarab<br />
• String searcher: grep - http:/www.gnu.org/software/grep<br />
References<br />
Whitepapers<br />
• Apache Tutorial: “Introduction to Server Side Includes”<br />
- http:/httpd.apache.org/docs/1.3/howto/ssi.html<br />
• Apache: “Module mod_include” - http:/httpd.apache.org/<br />
docs/1.3/mod/mod_include.html<br />
• Apache: “Security Tips for Server Configuration” - http:/httpd.<br />
apache.org/docs/1.3/misc/security_tips.html#ssi<br />
• Header Based Exploitation - http:/www.cgisecurity.net/papers/<br />
header-based-exploitation.txt<br />
• SSI Injection instead of JavaScript Malware - http:/<br />
jeremiahgrossman.blogspot.com/2006/08/ssi-injection-insteadof-javascript.html<br />
• IIS: “Notes on Server-Side Includes (SSI) syntax” - http:/blogs.<br />
iis.net/robert_mcmurray/archive/2010/12/28/iis-notes-on-serverside-includes-ssi-syntax-kb-203064-revisited.aspx<br />
Testing for XPath Injection (OTG-INPVAL-010)<br />
Summary<br />
XPath is a language that has been designed and developed primarily<br />
to address parts of an XML document. In XPath injection testing, we<br />
test if it is possible to inject XPath syntax into a request interpreted by<br />
the application, allowing an attacker to execute user-controlled XPath<br />
queries.When successfully exploited, this vulnerability may allow an<br />
attacker to bypass authentication mechanisms or access information<br />
without proper authorization.<br />
Web applications heavily use databases to store and access the<br />
data they need for their operations.Historically, relational databases<br />
have been by far the most common technology for data storage,<br />
but, in the last years, we are witnessing an increasing popularity<br />
for databases that organize data using the XML language.<br />
Just like relational databases are accessed via SQL language, XML databases<br />
use XPath as their standard query language.<br />
Since, from a conceptual point of view, XPath is very similar to SQL in<br />
its purpose and applications, an interesting result is that XPath injection<br />
attacks follow the same logic as SQL Injection attacks. In some<br />
aspects, XPath is even more powerful than standard SQL, as its whole<br />
power is already present in its specifications, whereas a large number<br />
of the techniques that can be used in a SQL Injection attack depend<br />
on the characteristics of the SQL dialect used by the target database.<br />
This means that XPath injection attacks can be much more adaptable<br />
and ubiquitous.Another advantage of an XPath injection attack is that,<br />
<br />
<br />
<br />
gandalf<br />
!c3<br />
admin<br />
<br />
<br />
Stefan0<br />
w1s3c<br />
guest<br />
<br />
<br />
tony<br />
Un6R34kb!e<br />
guest<br />
<br />
<br />
An XPath query that returns the account whose username is “gandalf”<br />
and the password is “!c3” would be the following:<br />
string(/user[username/text()=’gandalf’ and password/text()=’!c3’]/account/text())<br />
If the application does not properly filter user input, the tester will<br />
be able to inject XPath code and interfere with the query result.<br />
For instance, the tester could input the following values:<br />
Username: ‘ or ‘1’ = ‘1<br />
Password: ‘ or ‘1’ = ‘1<br />
Looks quite familiar, doesn’t it? Using these parameters, the query<br />
becomes:<br />
string(/user[username/text()=’’ or ‘1’ = ‘1’ and password/<br />
text()=’’ or ‘1’ = ‘1’]/account/text())<br />
As in a common SQL Injection attack, we have created a query that always<br />
evaluates to true, which means that the application will authenticate<br />
the user even if a username or a password have not been provided.<br />
And as in a common SQL Injection attack, with XPath injection, the<br />
first step is to insert a single quote (‘) in the field to be tested, intro-