Software Vulnerability Examples

Report
Software Vulnerability Examples
SQL Injection – Example Scenario
• Imagine a form in a webpage with two input text
boxes: “username” and “password”.
• The form gets submitted to a CGI script that
constructs SQL query with the username ad
password and runs it against a database table to
authenticate the user.
• If the SQL query matches an entry the user gets
authenticated
SQL Injection Example 1
• Web form textboxes:
▫ “username”, “password”
• CGI script code for SQL:
▫ string query = "SELECT * FROM items WHERE username = '" +
userName + "' AND password = '" + password.Text + "'";
• CGI intended generated SQL string:
▫ SELECT * FROM items WHERE username = <userName> AND
password = <password>;
• User enters:
▫ “Administrator” as username and “secret' OR 'a'='a” as password
• SQL query result is:
▫ SELECT * FROM items WHERE username = ‘Administrator' AND
password = ‘secret' OR 'a'='a';
• Result is that the right part of the OR statement is always true
and the user always gets authenticated as Administrator
SQL Injection Example 2
• Web form textboxes:
▫ “username”, “password”
• CGI script code for SQL:
▫ string query = "SELECT * FROM users WHERE username = '" + userName
+ "' AND password = '" + password.Text + "'";
• CGI intended generated SQL string:
▫ SELECT * FROM users WHERE username = <userName> AND password
= <password>;
• User enters:
▫ “Administrator” as username and “secret'; DELETE FROM users; --” as
password
• SQL query result is:
▫ SELECT * FROM users WHERE username = ‘Administrator' AND
password = ‘secret'; DELETE FROM users; --';
• Result is 3 separate SQL queries separated by semicolon.
▫ 1st might fail.
▫ 2nd will delete all entries in table “users”.
▫ 3rd is just a comment
SQL Injection Example 3
• Web form textboxes:
▫ “username”, “password”
• CGI script code for SQL:
▫ string query = "SELECT * FROM users WHERE username = '" + userName
+ "' AND password = '" + password.Text + "'";
• CGI intended generated SQL string:
▫ SELECT * FROM users WHERE username = <userName> AND password
= <password>;
• User enters:
▫ “Administrator” as username and “'; exec master..xp_cmdshell 'dir' --” as
password
• SQL query result is:
▫ SELECT * FROM users WHERE username = ‘Administrator' AND
password = ‘'; exec master..xp_cmdshell 'dir' --';
• Result is 3 separate SQL queries separated by semicolon.
▫ 1st might fail.
▫ 2nd executes a SQL extended procedure that runs the DOS command ”dir”
▫ 3rd is just a comment
OS Command Injection – Example
Scenario
• Imagine a form in a webpage with a single input
text box “username”.
• The form gets submitted to a CGI script that
constructs a OS shell command line with the
username and runs it.
OS Command Injection Example
• Web form textbox:
▫ “username”
• CGI script code for OS command:
▫ $command = 'ls -l /home/' . $userName;
▫ system($command);
• CGI intended generated OS command line:
▫ ls –l /home/<username>
• User enters:
▫ “; rm -rf /” as username
• OS command line result is:
▫ ls -l /home/; rm -rf /
• This results in two command lines:
▫ The first one lists the content of the /home directory
▫ The second one deletes all files
Classic Buffer Overflow Example
• Example C code:
char buf[24];
printf("Please enter your name \n");
gets(buf);
• Vulnerability
▫ The code uses gets()
 which is inherently unsafe
 blindly copies all input from STDIN to the buffer without
restricting how much is copied
 This allows the user to provide a string that is larger than
the buffer size, resulting in an overflow condition.
▫ Strings like the below one can be used to exploit it:
 "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x
46\x0c\xb0\x0bx89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\
x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/b
in/sh"
Cross Site Scripting (CSS) Example
• Web form textbox:
▫ “username”
• Example PHP code:
$username = $_GET['username'];
echo '<div class="header"> Welcome, ' . $username .
'</div>';
• Example CSS:
▫ http://trustedSite.example.com/welcome.php?user
name=<Script
Language="Javascript">alert("You've been
attacked!");</Script>
Missing Authentication or Authorisation
• Example Java code:
BankAccount account = null;
Account = new BankAccount();
return account;
• Vulnerability
▫ There is no authentication mechanism to ensure that the user
creating this bank account object has the authority to create new
bank accounts.
▫ Some authentication mechanisms should be used to verify that the
user has the authority to create bank account objects.
• Correct example code:
BankAccount account = null;
if (isAuthenticated()) {
}
}
Account = new BankAccount();
return account;
Further Reading
• “2011 CWE/SANS Top 25 Most Dangerous
Software Errors”
▫ http://cwe.mitre.org/top25/

similar documents