Software Vulnerability Examples
SQL Injection – Example Scenario
Imagine a form in a webpage with two input text boxes: “username” and “password”.
The form gets submitted to a CGI script that constructs an SQL query from the username and password and runs it against a database table to authenticate the user.
If the SQL query matches an entry, the user gets authenticated.
SQL Injection Example 1
Web form textboxes: “username”, “password”
CGI script code for SQL:
string query = "SELECT * FROM items WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
CGI intended generated SQL string:
SELECT * FROM items WHERE username = <userName> AND password = <password>;
User enters: “Administrator” as username and “secret' OR 'a'='a” as password
SQL query result is:
SELECT * FROM items WHERE username = 'Administrator' AND password = 'secret' OR 'a'='a';
Result is that the right part of the OR statement is always true and the user always gets authenticated as Administrator.
SQL Injection Example 2
Web form textboxes: “username”, “password”
CGI script code for SQL:
string query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
CGI intended generated SQL string:
SELECT * FROM users WHERE username = <userName> AND password = <password>;
User enters: “Administrator” as username and “secret'; DELETE FROM users; --” as password
SQL query result is:
SELECT * FROM users WHERE username = 'Administrator' AND password = 'secret'; DELETE FROM users; --';
Result is 3 separate SQL queries separated by semicolon.
1st might fail.
2nd will delete all entries in table “users”.
3rd is just a comment.
SQL Injection Example 3
Web form textboxes: “username”, “password”
CGI script code for SQL:
string query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
CGI intended generated SQL string:
SELECT * FROM users WHERE username = <userName> AND password = <password>;
User enters: “Administrator” as username and “'; exec master..xp_cmdshell 'dir' --” as password
SQL query result is:
SELECT * FROM users WHERE username = 'Administrator' AND password = ''; exec master..xp_cmdshell 'dir' --';
Result is 3 separate SQL queries separated by semicolon.
1st might fail.
2nd executes a SQL extended procedure that runs the DOS command “dir”.
3rd is just a comment.
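As an added illustration (not code from the slides), the string-concatenation pattern shared by SQL Injection Examples 1 to 3 is reproduced in Python against an in-memory SQLite table, beside a parameterised query that treats the same inputs as plain data. The users table and its two rows are constructed for this example; executescript() stands in for a database interface that accepts stacked statements, which is what Example 2 relies on.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slides' 'users' table (two sample rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("Administrator", "hunter2"), ("alice", "wonderland")])
    con.commit()
    return con


def build_query_concat(username, password):
    """The slides' CGI pattern: user input spliced straight into the SQL text."""
    return ("SELECT * FROM users WHERE username = '" + username +
            "' AND password = '" + password + "';")


def authenticated_concat(con, username, password):
    """Vulnerable login (Example 1): the OR 'a'='a' tail makes the WHERE true."""
    rows = con.execute(build_query_concat(username, password)).fetchall()
    return len(rows) > 0


def run_concat_batch(con, username, password):
    """Vulnerable login on an interface that runs every statement it is given
    (Example 2): the injected DELETE executes and the trailing -- hides the
    closing quote the script appended."""
    con.executescript(build_query_concat(username, password))


def authenticated_safe(con, username, password):
    """Hardened: placeholders keep the quote, OR, ; and -- inside a string
    value, so only an exact username/password pair matches and nothing else
    runs, whatever the interface does with stacked statements."""
    rows = con.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?;",
        (username, password)).fetchall()
    return len(rows) > 0


def user_count(con):
    """Row count of the users table, used to show whether the DELETE ran."""
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```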
OS Command Injection – Example Scenario
Imagine a form in a webpage with a single input text box “username”.
The form gets submitted to a CGI script that constructs an OS shell command line with the username and runs it.
OS Command Injection Example
Web form textbox: “username”
CGI script code for OS command:
$command = 'ls -l /home/' . $userName;
system($command);
CGI intended generated OS command line:
ls -l /home/<username>
User enters: “; rm -rf /” as username
OS command line result is:
ls -l /home/; rm -rf /
This results in two command lines:
The first one lists the content of the /home directory
The second one deletes all files
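As an added example (not the slide's own code), the same ls -l /home/<username> command built the slide's way and then the hardened way in Python: an allowlist on the username (the account-name pattern is an assumption for this example) plus an argument list handed to subprocess without a shell, so the input can only ever be a single argument of ls.

```python
import re
import shlex
import subprocess

# Assumed local account-name policy: lowercase POSIX-style names, no metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_shell_line(username):
    """The slide's pattern: input spliced into one string handed to the shell."""
    return "ls -l /home/" + username


def build_argv(username):
    """Hardened: reject anything outside the allowlist, then return argv for
    subprocess. With no shell involved, ';' is just a character in a path."""
    if not USERNAME_RE.match(username):
        raise ValueError("rejected username: %r" % username)
    return ["ls", "-l", "/home/" + username]


def quoted_shell_line(username):
    """Defence in depth if a shell is unavoidable: shlex.quote wraps the value
    in single quotes, so the shell sees one word instead of a second command."""
    return "ls -l /home/" + shlex.quote(username)


def list_home(username):
    """Run the validated command without a shell; returns (exit code, stdout)."""
    proc = subprocess.run(build_argv(username), capture_output=True, text=True)
    return proc.returncode, proc.stdout
```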
Classic Buffer Overflow Example
Example C code:
#include <stdio.h>

int main(void)
{
    char buf[24];
    printf("Please enter your name\n");
    gets(buf);   /* deliberately unsafe: gets() places no bound on the input length */
    return 0;
}
Vulnerability
The code uses gets(), which is inherently unsafe: it blindly copies all input from STDIN to the buffer without restricting how much is copied. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
Specially crafted input strings can be used to exploit it.
Cross Site Scripting (CSS) Example
Web form textbox: “username”
Example PHP code:
<?php
$username = $_GET['username'];   // attacker-controlled query parameter
echo '<div class="header"> Welcome, ' . $username . '</div>';   // written into the page without htmlspecialchars()
?>
Example CSS URL:
http://trustedSite.example.com/welcome.php?username=<Script Language="Javascript">alert("You've been attacked!");</Script>
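Added example (not the slide's PHP): the welcome.php behaviour in Python, parsing the username out of the slide's URL and rendering it both as the slide does and with HTML escaping. The attack URL is rebuilt here with the query percent-encoded, so it parses the same on every Python version; the script tag is the one from the slide.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# The script tag from the slide, carried in the username parameter.
PAYLOAD = '<Script Language="Javascript">alert("You\'ve been attacked!");</Script>'
# The slide's URL, rebuilt with the query percent-encoded (constructed here).
ATTACK_URL = ("http://trustedSite.example.com/welcome.php?"
              + urlencode({"username": PAYLOAD}))


def username_from_url(url):
    """What $_GET['username'] receives: the decoded parameter value."""
    params = parse_qs(urlparse(url).query)
    return params.get("username", [""])[0]


def welcome_unescaped(username):
    """The slide's echo: the value is written into the page verbatim, so a
    script tag in it is parsed and run by the victim's browser."""
    return '<div class="header"> Welcome, ' + username + '</div>'


def welcome_escaped(username):
    """Hardened: html.escape turns <, >, &, ' and " into entities, so the
    browser shows the text of the payload instead of executing it."""
    safe = html.escape(username, quote=True)
    return '<div class="header"> Welcome, ' + safe + '</div>'


def injected_script(page):
    """Simple check for tests: does the rendered HTML contain a script tag?"""
    return "<script" in page.lower()
```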
Missing Authentication or Authorisation
Example Java code:
BankAccount createAccount() {   // enclosing method name assumed; the slide shows only the body
    BankAccount account = null;
    account = new BankAccount();
    return account;
}
Vulnerability
There is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts.
Some authentication mechanism should be used to verify that the user has the authority to create bank account objects.
Correct example code:
BankAccount createAccount() {
    BankAccount account = null;
    if (isAuthenticated()) {   // only an authenticated caller may create an account
        account = new BankAccount();
    }
    return account;
}
Further Reading
“2011 CWE/SANS Top 25 Most Dangerous Software Errors”
http://cwe.mitre.org/top25/