4.0
1NSchAb
1NSchAb
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
108<br />
Web Application Penetration Testing<br />
http: /example.com/?mode=guest&search_string=kittens&num_<br />
results=100&search_string=puppies<br />
and submit the new request.<br />
Analyze the response page to determine which value(s) were<br />
parsed. In the above example, the search results may show kittens,<br />
puppies, some combination of both (kittens,puppies or kittens~puppies<br />
or [‘kittens’,’puppies’]), may give an empty result, or<br />
error page.<br />
This behavior, whether using the first, last, or combination of input<br />
parameters with the same name, is very likely to be consistent<br />
across the entire application. Whether or not this default behavior<br />
reveals a potential vulnerability depends on the specific input validation<br />
and filtering specific to a particular application. As a general<br />
rule: if existing input validation and other security mechanisms are<br />
sufficient on single inputs, and if the server assigns only the first<br />
or last polluted parameters, then parameter pollution does not reveal<br />
a vulnerability. If the duplicate parameters are concatenated,<br />
different web application components use different occurrences or<br />
testing generates an error, there is an increased likelihood of being<br />
able to use parameter pollution to trigger security vulnerabilities.<br />
A more in-depth analysis would require three HTTP requests for<br />
each HTTP parameter:<br />
[1] Submit an HTTP request containing the standard parameter name<br />
and value, and record the HTTP response. E.g. page?par1=val1<br />
[2] Replace the parameter value with a tampered value, submit and<br />
record the HTTP response. E.g. page?par1=HPP_TEST1<br />
[3] Send a new request combining step (1) and (2). Again, save the<br />
HTTP response. E.g. page?par1=val1&par1=HPP_TEST1<br />
[4] Compare the responses obtained during all previous steps. If the<br />
response from (3) is different from (1) and the response from (3) is<br />
also different from (2), there is an impedance mismatch that may<br />
be eventually abused to trigger HPP vulnerabilities.<br />
Crafting a full exploit from a parameter pollution weakness is beyond<br />
the scope of this text. See the references for examples and details.<br />
Client-side HPP<br />
Similarly to server-side HPP, manual testing is the only reliable<br />
technique to audit web applications in order to detect parameter<br />
pollution vulnerabilities affecting client-side components. While in<br />
the server-side variant the attacker leverages a vulnerable web application<br />
to access protected data or perform actions that either not<br />
permitted or not supposed to be executed, client-side attacks aim<br />
at subverting client-side components and technologies.<br />
To test for HPP client-side vulnerabilities, identify any form or action<br />
that allows user input and shows a result of that input back to<br />
the user. A search page is ideal, but a login box might not work (as it<br />
might not show an invalid username back to the user).<br />
Similarly to server-side HPP, pollute each HTTP parameter with<br />
%26HPP_TEST and look for url-decoded occurrences of the user-supplied<br />
payload:<br />
• &HPP_TEST<br />
• &HPP_TEST<br />
• … and others<br />
In particular, pay attention to responses having HPP vectors within<br />
data, src, href attributes or forms actions. Again, whether or not<br />
this default behavior reveals a potential vulnerability depends on the<br />
specific input validation, filtering and application business logic. In addition,<br />
it is important to notice that this vulnerability can also affect<br />
query string parameters used in XMLHttpRequest (XHR), runtime<br />
attribute creation and other plugin technologies (e.g. Adobe Flash’s<br />
flashvars variables).<br />
Tools<br />
OWASP ZAP HPP Passive/Active Scanners [1]<br />
HPP Finder (Chrome Plugin) [2]<br />
References<br />
Whitepapers<br />
• HTTP Parameter Pollution - Luca Carettoni, Stefano di Paola [3]<br />
• Split and Join (Bypassing Web Application Firewalls with HTTP Parameter<br />
Pollution) - Lavakumar Kuppan [4]<br />
• Client-side Http Parameter Pollution Example (Yahoo! Classic Mail<br />
flaw) - Stefano di Paola [5]<br />
• How to Detect HTTP Parameter Pollution Attacks - Chrysostomos<br />
Daniel [6]<br />
• CAPEC-460: HTTP Parameter Pollution (HPP) - Evgeny Lebanidze<br />
[7]<br />
• Automated Discovery of Parameter Pollution Vulnerabilities in Web<br />
Applications - Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti,<br />
Engin Kirda [8]<br />
Testing for SQL Injection (OTG-INPVAL-005)<br />
Summary<br />
An SQL injection attack consists of insertion or “injection” of either<br />
a partial or complete SQL query via the data input or transmitted<br />
from the client (browser) to the web application. A successful SQL<br />
injection attack can read sensitive data from the database, modify<br />
database data (insert/update/delete), execute administration operations<br />
on the database (such as shutdown the DBMS), recover the<br />
content of a given file existing on the DBMS file system or write files<br />
into the file system, and, in some cases, issue commands to the operating<br />
system. SQL injection attacks are a type of injection attack,<br />
in which SQL commands are injected into data-plane input in order<br />
to affect the execution of predefined SQL commands.<br />
In general the way web applications construct SQL statements<br />
involving SQL syntax written by the programmers is mixed with<br />
user-supplied data. Example:<br />
select title, text from news where id=$id<br />
In the example above the variable $id contains user-supplied data,<br />
while the remainder is the SQL static part supplied by the programmer;<br />
making the SQL statement dynamic.<br />
Because the way it was constructed, the user can supply crafted<br />
input trying to make the original SQL statement execute further<br />
actions of the user’s choice. The example below illustrates the user-supplied<br />
data “10 or 1=1”, changing the logic of the SQL statement,<br />
modifying the WHERE clause adding a condition “or 1=1”.<br />
SQL Injection attacks can be divided into the following three<br />
classes: