Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: New Whitepaper - "Second-order Code Injection Attacks"

from [Gunter Ollmann (NGS)] Network Security [Permanent Link]
Subject: RE: New Whitepaper - "Second-order Code Injection Attacks"
Date: Tue, 2 Nov 2004 22:28:48 -0000 
Jeff,

I see XSS as merely a subgroup of code injection attacks - and it is
important to make that distinction.  While they (as in XSS) still get a lot
of press coverage, they're not particularly remarkable.  The most effective
attacks abusing XSS vulnerabilities to date would probably be within
Phishing attacks - thankfully something that the press havn't focused upon.

The OWASP categories of "stored" or "reflected", while good for a basic
understanding, are a little too limited in scope to cover all XSS
vulnerabilities.  They are certainly inadequate for covering much of the
code injection possibilities.

Having said all that, it still suprises me how many people think that by
testing for <script>alert('XSS')</script> - getting a positive response -
means that an application is 100% vulnerable to XSS.  People need to be a
lot clearer about the types of code injection flaws a web-based application
is vulnerable to -- instead of using a Cross-site Scripting catchall tag.

Cheers,

Gunter



-----Original Message-----
From: Jeff Williams [mailto:jeff.williams@aspectsecurity.com] 
Sent: 02 November 2004 20:44
To: Crispin Cowan; Gunter Ollmann
Cc: bugtraq@securityfocus.com; webappsec@securityfocus.com
Subject: Re: New Whitepaper - "Second-order Code Injection Attacks"

Gunter,

Thanks for the comprehensive treatment of this class of 
vulnerabilities. The OWASP Top Ten paper breaks down XSS 
flaws into "stored" and "reflected"
categories, but your paper is far closer to a complete theory 
about all the ways that tainted data can undermine the 
security of applications.

--Jeff

----- Original Message -----
From: "Crispin Cowan" <crispin@immunix.com>
To: "Gunter Ollmann" <gunter@ngssoftware.com>
Cc: <bugtraq@securityfocus.com>
Sent: Monday, November 01, 2004 8:45 PM
Subject: Re: New Whitepaper - "Second-order Code Injection Attacks"



I found an instance of this class of vulnerability in 1998 where an
attacker could inject code into the "locate" database, 

which would later

be executed when root tried to do a locate on some path name
http://msgs.securepoint.com/cgi-bin/get/bugtraq/601/1.html

Mine was not the first such"secondary code injection" 

attack. It was a

consequence of exploring a PoC by MiG for a buffer overflow
vulnerability in bash, where in a tall directory tree would overflow
bash when you try to cd into that directory and you have 

the pwd set to

be part of your prompt. At the time, it did not occur to me 

that it was

a special kind of buffer overflow.

Crispin

Gunter Ollmann wrote:


Hi list,

NGS Software is pleased to make available a new whitepaper about
second-order code injection attacks.

Abstract:
"Many forms of code injection targeted at web-based 

applications (for

instance cross-site scripting and SQL injection) rely upon the

instantaneous

execution of the embedded code to carry out the attack 

(e.g. stealing a

user's current session information or executing a modified 

SQL query).
In

some cases it may be possible for an attacker to inject 

their malicious
code

into a data storage area that may be executed at a later 

date or time.

Depending upon the nature of the application and the way 

the malicious
data

is stored or rendered, the attacker may be able to conduct 

a second-order

code injection attack.

A second-order code injection attack can be classified as 

the process in

which malicious code is injected into a web-based 

application and not

immediately executed, but instead is stored by the 

application (e.g.

temporarily cached, logged, stored in a database) and then later

retrieved,

rendered and executed by the victim."

The paper can be accessed from:
http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf


Cheers,

Gunter

------------------------------------------------------
G u n t e r   O l l m a n n,            MSc(Hons), BSc
Professional Services Director

Next  Generation  Security  Software  Ltd.
First Floor, 52 Throwley Way  Tel: +44 (0)208 401 0089
Sutton, Surrey, SM1 4BF, UK   Fax: +44 (0)208 401 0076
http://www.nextgenss.com
------------------------------------------------------ 







-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  re: advice needed - secure transfer of client details, Tim James
Next by Date:  Re: A secure and easy to admin forum?, Gareth Davies
Previous by Thread:  Re: New Whitepaper - "Second-order Code Injection Attacks", Jeff Williams
Next by Thread:  Re: New Whitepaper - "Second-order Code Injection Attacks", Jan P. Monsch
Indexes:  [Date] [Thread] [Top] [All Lists]