4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
138<br />
Web Application Penetration Testing<br />
<br />
This is similar to testing for XSS vulnerabilities using<br />
alert(“XSS”)<br />
If the application is vulnerable, the directive is injected and it would<br />
be interpreted by the server the next time the page is served, thus<br />
including the content of the Unix standard password file.<br />
The injection can be performed also in HTTP headers, if the web<br />
application is going to use that data to build a dynamically generated<br />
page:<br />
GET / HTTP/1.0<br />
Referer: <br />
User-Agent: <br />
Gray Box testing<br />
If we have access to the application source code, we can quite<br />
easily find out:<br />
[1] If SSI directives are used. If they are, then the web server is<br />
going to have SSI support enabled, making SSI injection at least<br />
a potential issue to investigate.<br />
[2] Where user input, cookie content and HTTP headers are<br />
handled. The complete list of input vectors is then quickly<br />
determined.<br />
[3] How the input is handled, what kind of filtering is performed,<br />
what characters the application is not letting through, and how<br />
many types of encoding are taken into account.<br />
Performing these steps is mostly a matter of using grep to find<br />
the right keywords inside the source code (SSI directives, CGI environment<br />
variables, variables assignment involving user input,<br />
filtering functions and so on).<br />
Tools<br />
• Web Proxy Burp Suite - http: /portswigger.net<br />
• Paros - http: /www.parosproxy.org/index.shtml<br />
• WebScarab<br />
• String searcher: grep - http: /www.gnu.org/software/grep<br />
References<br />
Whitepapers<br />
• Apache Tutorial: “Introduction to Server Side Includes”<br />
- http: /httpd.apache.org/docs/1.3/howto/ssi.html<br />
• Apache: “Module mod_include” - http: /httpd.apache.org/<br />
docs/1.3/mod/mod_include.html<br />
• Apache: “Security Tips for Server Configuration” - http: /httpd.<br />
apache.org/docs/1.3/misc/security_tips.html#ssi<br />
• Header Based Exploitation - http: /www.cgisecurity.net/papers/<br />
header-based-exploitation.txt<br />
• SSI Injection instead of JavaScript Malware - http: /<br />
jeremiahgrossman.blogspot.com/2006/08/ssi-injectioninstead-of-javascript.html<br />
• IIS: “Notes on Server-Side Includes (SSI) syntax” - http: /blogs.<br />
iis.net/robert_mcmurray/archive/2010/12/28/iis-notes-onserver-side-includes-ssi-syntax-kb-203064-revisited.aspx<br />
Testing for XPath Injection (OTG-INPVAL-010)<br />
Summary<br />
XPath is a language that has been designed and developed primarily<br />
to address parts of an XML document. In XPath injection<br />
testing, we test if it is possible to inject XPath syntax into a request<br />
interpreted by the application, allowing an attacker to execute<br />
user-controlled XPath queries.When successfully exploited,<br />
this vulnerability may allow an attacker to bypass authentication<br />
mechanisms or access information without proper authorization.<br />
Web applications heavily use databases to store and access the<br />
data they need for their operations.Historically, relational databases<br />
have been by far the most common technology for data storage,<br />
but, in the last years, we are witnessing an increasing popularity<br />
for databases that organize data using the XML language.<br />
Just like relational databases are accessed via SQL language, XML<br />
databases use XPath as their standard query language.<br />
Since, from a conceptual point of view, XPath is very similar to SQL<br />
in its purpose and applications, an interesting result is that XPath<br />
injection attacks follow the same logic as SQL Injection attacks. In<br />
some aspects, XPath is even more powerful than standard SQL, as<br />
its whole power is already present in its specifications, whereas a<br />
large number of the techniques that can be used in a SQL Injection<br />
attack depend on the characteristics of the SQL dialect used by<br />
the target database. This means that XPath injection attacks can<br />
be much more adaptable and ubiquitous.Another advantage of an<br />
XPath injection attack is that, unlike SQL, no ACLs are enforced, as<br />
our query can access every part of the XML document.<br />
How to Test<br />
The XPath attack pattern was first published by Amit Klein [1]<br />
and is very similar to the usual SQL Injection.In order to get a first<br />
grasp of the problem, let’s imagine a login page that manages the<br />
authentication to an application in which the user must enter his/<br />
her username and password.Let’s assume that our database is<br />
represented by the following XML file:<br />
<br />
<br />
<br />
gandalf<br />
!c3<br />
admin<br />
<br />
<br />
Stefan0<br />
w1s3c<br />
guest<br />
<br />
<br />
tony<br />
Un6R34kb!e<br />
guest<br />
<br />
<br />
An XPath query that returns the account whose username is “gandalf”<br />
and the password is “!c3” would be the following: