4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
137<br />
Web Application Penetration Testing<br />
The original userid node has been commented out, leaving only<br />
the injected one. The document now complies with its DTD rules.<br />
Tools<br />
• XML Injection Fuzz Strings (from wfuzz tool) -<br />
https: /wfuzz.googlecode.com/svn/trunk/wordlist/Injections/<br />
XML.txt<br />
References<br />
Whitepapers<br />
• Alex Stamos: “Attacking Web Services” -<br />
http: /www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt<br />
• Gregory Steuck, “XXE (Xml eXternal Entity) attack”,<br />
http: /www.securityfocus.com/archive/1/297714<br />
Testing for SSI Injection (OTG-INPVAL-009)<br />
Summary<br />
Web servers usually give developers the ability to add small pieces<br />
of dynamic code inside static HTML pages, without having to<br />
deal with full-fledged server-side or client-side languages. This<br />
feature is incarnated by the Server-Side Includes (SSI). In SSI injection<br />
testing, we test if it is possible to inject into the application<br />
data that will be interpreted by SSI mechanisms. A successful exploitation<br />
of this vulnerability allows an attacker to inject code into<br />
HTML pages or even perform remote code execution.<br />
Server-Side Includes are directives that the web server parses<br />
before serving the page to the user. They represent an alternative<br />
to writing CGI programs or embedding code using server-side<br />
scripting languages, when there’s only need to perform very simple<br />
tasks. Common SSI implementations provide commands to<br />
include external files, to set and print web server CGI environment<br />
variables, and to execute external CGI scripts or system commands.<br />
Putting an SSI directive into a static HTML document is as easy as<br />
writing a piece of code like the following:<br />
<br />
to print out the current time.<br />
<br />
to include the output of a CGI script.<br />
<br />
to include the content of a file or list files in a directory.<br />
<br />
to include the output of a system command.<br />
Then, if the web server’s SSI support is enabled, the server will<br />
parse these directives. In the default configuration, usually, most<br />
web servers don’t allow the use of the exec directive to execute<br />
system commands.<br />
As in every bad input validation situation, problems arise when the<br />
user of a web application is allowed to provide data that makes<br />
the application or the web server behave in an unforeseen manner.<br />
With regard to SSI injection, the attacker could provide input<br />
that, if inserted by the application (or maybe directly by the server)<br />
into a dynamically generated page, would be parsed as one or<br />
more SSI directives.<br />
This is a vulnerability very similar to a classical scripting language<br />
injection vulnerability. One mitigation is that the web server needs<br />
to be configured to allow SSI. On the other hand, SSI injection vulnerabilities<br />
are often simpler to exploit, since SSI directives are<br />
easy to understand and, at the same time, quite powerful, e.g.,<br />
they can output the content of files and execute system commands.<br />
How to Test<br />
Black Box testing<br />
The first thing to do when testing in a Black Box fashion is finding<br />
if the web server actually supports SSI directives. Often, the answer<br />
is yes, as SSI support is quite common. To find out we just<br />
need to discover which kind of web server is running on our target,<br />
using classic information gathering techniques.<br />
Whether we succeed or not in discovering this piece of information,<br />
we could guess if SSI are supported just by looking at the<br />
content of the target web site. If it contains .shtml files, then SSI<br />
are probably supported, as this extension is used to identify pages<br />
containing these directives. Unfortunately, the use of the shtml<br />
extension is not mandatory, so not having found any shtml files<br />
doesn’t necessarily mean that the target is not prone to SSI injection<br />
attacks.<br />
The next step consists of determining if an SSI injection attack is<br />
actually possible and, if so, what are the input points that we can<br />
use to inject our malicious code.<br />
The testing activity required to do this is exactly the same used to<br />
test for other code injection vulnerabilities. In particular, we need<br />
to find every page where the user is allowed to submit some kind<br />
of input, and verify whether the application is correctly validating<br />
the submitted input. If sanitization is insufficient, we need to test<br />
if we can provide data that is going to be displayed unmodified (for<br />
example, in an error message or forum post). Besides common<br />
user-supplied data, input vectors that should always be considered<br />
are HTTP request headers and cookies content, since they<br />
can be easily forged.<br />
Once we have a list of potential injection points, we can check if<br />
the input is correctly validated and then find out where the provided<br />
input is stored. We need to make sure that we can inject<br />
characters used in SSI directives:<br />
< ! # = / . “ - > and [a-zA-Z0-9]<br />
To test if validation is insufficient, we can input, for example, a<br />
string like the following in an input form: