In the web application security series I plan on discussing the top web application security vulnerabilities that continue to top the latest news headlines about our nation's largest and most trusted companies. Insecure software continually facilitates security breaches of our financial, healthcare, defense, energy, and other critical infrastructure, which lead to significant unplanned expenses and national security risks.
As our business models continue to rely more heavily on insecure networks, application security continues to rise as an area of focus and importance. Organizations can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10 Report. My hope is to raise awareness of the top vulnerabilities that should be common knowledge for all web application developers. In this series, I will focus on the OWASP Top 10.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. OWASP's freedom from commercial pressures allows it to provide unbiased, practical, cost-effective information about application security. According to the industry-trusted 2012 Verizon Data Breach Investigations Report, external threat agents continue to account for 98% of all reported breaches and 99% of breached records. Hacking continues to top the charts for threats at a whopping 81% of all reported breaches and 99% of records. Hacking alone is not the full story, because threat vectors (i.e., hacking, malware, social, misuse, physical, environmental, etc.) are intertwined and are used together to carry out sophisticated attacks. For example, malware comes in second behind hacking, accounting for 69% of all reported breaches and 95% of records. Based on our increasing reliance on untrusted networks and web-facing applications, it is in all of our best interests to ensure the most common vulnerabilities are addressed and accounted for across all organizations.
The primary target audience for this series is security engineers and application developers; however, technical staff can use this information to help educate management on the risks to their organization.
Injection Vulnerability Overview
The attacker, commonly known as the bad actor, typically wants to find a way to run their own code on your web server for the purpose of accessing your confidential data or turning your web host into a zombie machine that they control for malicious purposes. Hackers use the injection vulnerability for a variety of reasons, including accessing your data, modifying the contents of your website, taking control of your web server, and shutting down your SQL server.
Your web servers are sitting on the Internet superhighway just waiting to serve requests to anyone who asks. A web host typically passes user input to application servers (e.g., databases, LDAP servers, XML parsers, etc.) for processing. The most common and widespread injection attack is SQL injection; others, such as LDAP injection and OS command injection, are particularly dangerous.
OWASP describes injection flaws as follows: "Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data."
The injection vulnerability is a major concern for just about every company because literally anyone (internal or external), from trusted and untrusted sources alike, can send data to your web-facing systems. Most business web application systems require databases by their very nature, and ports 80 (HTTP) and 443 (HTTPS) must be open to facilitate operations.
In terms of the difficulty factor on the part of the attacker, injection attacks are relatively easy and common. If you are not a developer, it may seem unlikely that injection flaws are so easy to exploit. The amount of legacy systems and related code is a major source of pain for organizations when it comes to these types of vulnerabilities. The data shows that SQL and LDAP queries are routinely vulnerable. Simple security tools and scanners operating over ports 80 and 443 help attackers find related vulnerabilities to exploit. The smarter hacker now uses Google to gain visibility into well-known vulnerabilities, bypassing the noisy security-tool route entirely.
Injection attacks are serious because they can lead to complete data loss, data corruption, data leakage, and even complete compromise of the host system. Depending on the configuration of your technical security policies (ACLs, firewall rules, network architecture, etc.), a host system compromise can lead to an enterprise-wide security incident very quickly. In the best case, the incident is a black eye on your organization and a waste of precious assets, time, and money. About 70% of all attacks sourced from the Internet come in through web applications. Spending more money on firewalls and security tools isn't going to solve this problem.
Reported SQL Injection Incidents
- On October 1, 2012, a hacker group called "Team GhostShell" published the personal records of students, faculty, employees, and alumni from 53 universities including Harvard, Princeton, Stanford, Cornell, Johns Hopkins, and the University of Zurich on pastebin.com. The hackers claimed that they were trying to "raise awareness towards the changes made in today's education", bemoaning changing education laws in Europe and increases in tuition in the United States.
- In July 2012, a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".
- In May 2012, the website for Wurm Online, a massively multiplayer online game, was shut down from an SQL injection while the site was being updated.
- In June 2011, PBS was hacked, most likely through use of SQL injection; the full process used by hackers to execute SQL injections was described in this Imperva blog.
- On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLi to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
- Over a period of 4 hours on April 27, 2011, an automated SQL injection attack occurred on the Broadband Reports website that was able to extract 8% of the username/password pairs: 8,000 random accounts of the 9,000 active and 90,000 old or inactive accounts.
- On April 11, 2011, Barracuda Networks was compromised using an SQL injection flaw. E-mail addresses and usernames of employees were among the information obtained.
- On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using blind SQL injection.
- On February 5, 2011, HBGary, a technology security firm, was broken into by LulzSec using a SQL injection in their CMS-driven website.
Working Example
LEGAL NOTICE: This information is published to educate the public about this security issue. You are prohibited from using this information to violate the Computer Fraud And Abuse Act of 1987. You are prohibited from using this information for anything that is illegal or violates any law, statute, act, etc. You will indemnify, defend and hold harmless the author of this article from and against any damages and costs, including attorney fees, resulting from anyone's misusing and/or abusing the information from this article. My goal is educational in nature, and my intent is to make organizations aware of this vulnerability so that they can take action and implement the proper controls to protect themselves.
How easy is it to find a website vulnerable to a SQL injection attack? It is ridiculously easy, and that is why the list of reported incidents above continues to grow: even large companies continue to make the same amateur mistakes over and over. In this example, I provide an outline of how easy it is to find vulnerable websites and launch an injection attack.
Let's turn to Google for a little help. Using Google dorks, it is tremendously easy to find sites potentially vulnerable to the injection attack. Google dorks are search queries, built from advanced Google commands and operators, that surface information collected by the Google search bots and reveal foolish security weaknesses of websites; with them we gain intelligence and visibility into potential vulnerabilities. In many cases, there is no need for bad actors to use network-layer techniques (e.g., port scanning, vulnerability testing, etc.), which are very noisy and set off alarm bells. Google does all the heavy lifting 24/7 via its search bots, and no one seems to care. In fact, I personally find very few people who are fully aware of Google's privacy policies and their implications. I could take this example one step further and use Google Alerts to monitor a targeted website for specific dorks and vulnerabilities.
You can find well-known Google dorks on sites like exploit-db and Hackers for Charity. Entire books have been written on using Google to support hacking activities, and it is a skill and topic within itself.
Moving forward with the example, I used a common Google dork for injection vulnerabilities; for illustration purposes, I will use the inurl: advanced search command. You can use the Google-supplied advanced search page if you are lazy and don't want to learn the operators and commands. I entered "inurl:index.php?id=" into a Google search query to identify a potential list of vulnerable sites. I won't list the sites I found for obvious reasons. Once you get the returned list from Google, all you have to do is click on a result, or enter the URL of the target site into your address bar with the appended Google dork and an ending single quote. For example: http://www.exampledomain.com/index.php?id=2'. If the site remains on the same page or shows "page not found", then it is not vulnerable. If it returns any type of SQL error, it is vulnerable to a SQL injection attack. There are script-kiddie applications freely available to automate all of this for anyone who has a computer and an Internet connection.
If you would like to test your website for a wide range of injection vulnerabilities, one open-source tool you could use is sqlmap. sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches spanning database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.
This video by 7Safe is a solid overview and walkthrough of SQL injection. The information is a little dated, but the concept and overview are very good.
OWASP Vulnerability Check
Per the OWASP guidance, "The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries.
Checking the code is a fast and accurate way to see if the application uses interpreters safely. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Manual penetration testers can confirm these issues by crafting exploits that confirm the vulnerability.
Automated dynamic scanning, which exercises the application, may provide insight into whether some exploitable injection problems exist. Scanners cannot always reach interpreters and can have difficulty detecting whether an attack was successful."
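The OWASP guidance above says that checking the code for dynamic queries is the fastest way to find injection flaws. As an added illustration (not from the original article or from OWASP), the following Python script does the simplest version of what a code analysis tool does: it parses a module with the standard `ast` library and reports every database cursor call (`execute`, `executemany`, `executescript`) whose query text is assembled at run time from string concatenation, `%` formatting, `.format()` or an f-string. The `SAMPLE_SOURCE` module it scans is constructed here for the demonstration; the function names in it are hypothetical.

```python
import ast

# Constructed sample module (example code written for this illustration).
# It mixes dynamic query construction with one properly parameterized call.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))

def find_page(cur, page_id):
    cur.execute(f"SELECT * FROM pages WHERE id = {page_id}")

def find_page_fmt(cur, page_id):
    cur.execute("SELECT * FROM pages WHERE id = %s" % page_id)
'''

# Cursor methods that hand a string to the SQL interpreter (DB-API 2.0 names).
INTERPRETER_CALLS = {"execute", "executemany", "executescript"}


def is_dynamic_string(node):
    """True when the query expression is built at run time from pieces."""
    if isinstance(node, ast.JoinedStr):                       # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x / "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


def find_dynamic_queries(source):
    """Return (line, method) pairs where a dynamically built query reaches a
    cursor method. A constant query with a separate parameter tuple is not
    reported, because the interpreter then sees a fixed command and bound data."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in INTERPRETER_CALLS):
            continue
        if node.args and is_dynamic_string(node.args[0]):
            findings.append((node.lineno, func.attr))
    return findings


if __name__ == "__main__":
    for line, method in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {line}: dynamic query passed to cursor.{method}()")
```

Run against the constructed module, the scanner flags the three dynamic queries and leaves `find_user_safe` alone. A real tool also follows the data flow into helper variables (a query assembled two lines earlier and passed by name would slip past this check), which is why OWASP pairs the code review with manual confirmation.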
Controls for Injection Vulnerabilities
The primary design goal for web applications is to separate the server-side actions (commands, queries) from the user input (untrusted data).
OWASP recommends the following actions to help prevent injection-based attacks from being realized:
- The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Beware of APIs, such as stored procedures, that appear parameterized but may still allow injection under the hood.
- If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP's ESAPI has some of these escaping routines.
- Positive or "whitelist" input validation with appropriate canonicalization also helps protect against injection, but is not a complete defense, as many applications require special characters in their input. OWASP's ESAPI has an extensible library of whitelist input validation routines.
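To make the first and third controls concrete, here is an added example (not from the original article or from OWASP) using Python's standard `sqlite3` module against a small in-memory table constructed for the demonstration. `lookup_dynamic` concatenates the request parameter into the query text, which is exactly the flaw the Working Example section probes with a trailing single quote: the interpreter chokes on the quote and returns a SQL error. `lookup_parameterized` sends the same input as a bind variable, so the quote is just data, and `validate_id` shows the positive whitelist check that rejects anything but a short run of digits before the value ever reaches the database. The table and function names are hypothetical.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: an id -> title table like the one behind
    an index.php?id= page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "Home"), (2, "About"), (3, "Contact")])
    return conn


def lookup_dynamic(conn, page_id):
    """Vulnerable: untrusted data becomes part of the command text, so the
    interpreter cannot distinguish the query from the input."""
    sql = "SELECT title FROM pages WHERE id = " + page_id
    return [row[0] for row in conn.execute(sql)]


def probe(conn, page_id):
    """Show what the dynamic query does with an input: the rows it returns, or
    the class name of the database error it raised (the SQL error the article
    describes as the tell-tale sign of a vulnerable page)."""
    try:
        return lookup_dynamic(conn, page_id)
    except sqlite3.Error as exc:
        return type(exc).__name__


def lookup_parameterized(conn, page_id):
    """Safe: the command text is fixed; the value travels as a bind variable
    and can never change the structure of the query."""
    sql = "SELECT title FROM pages WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (page_id,))]


# Positive (whitelist) validation: a page id is one to nine ASCII digits.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def validate_id(raw):
    """Return the canonical integer for an acceptable id, or None to reject.
    Canonicalization here is just trimming whitespace; the whitelist leaves no
    room for quotes, comments or operators."""
    cleaned = raw.strip()
    if not ID_PATTERN.fullmatch(cleaned):
        return None
    return int(cleaned)


def handle_request(conn, raw_id):
    """The defended request path: validate first, then query with a bind variable."""
    page_id = validate_id(raw_id)
    if page_id is None:
        return "400 Bad Request"
    rows = lookup_parameterized(conn, page_id)
    return rows[0] if rows else "404 Not Found"


if __name__ == "__main__":
    conn = make_db()
    print("dynamic,  id=2  ->", probe(conn, "2"))
    print("dynamic,  id=2' ->", probe(conn, "2'"))
    print("bound,    id=2' ->", lookup_parameterized(conn, "2'"))
    print("defended, id=2' ->", handle_request(conn, "2'"))
```

With the dynamic query, the input `2'` produces an `OperationalError` (a syntax error from the SQL parser), which is the behaviour the Working Example section treats as a positive test. With the bound parameter the same input simply matches no row, and with the whitelist in front of it the request never reaches the database at all. The validator is deliberately narrow; as the third bullet notes, fields that legitimately need quotes or other special characters cannot be protected this way and must rely on parameterization.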
Web Application Security Series
- Injection
- Cross-Site Scripting
- Broken Authentication & Session Management
- Insecure Direct Object References
- Cross-site Request Forgery
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
I always welcome your input and comments.
Tim Layton
Follow Tim on Twitter at http://twitter.com/timlaytonstl
Read New Articles at http://www.timlayton.com
Connect with Tim on LinkedIn at http://www.linkedin.com/in/timlayton
EMC Infocus Blog at http://infocus.emc.com/author/tim_layton/
Source: http://www.timlayton.com/2012/10/22/injection/