Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: New Whitepaper - "Second-order Code Injection Attacks"

from [Gunter Ollmann] Network Security [Permanent Link]
Subject: Re: New Whitepaper - "Second-order Code Injection Attacks"
Date: Thu, 11 Nov 2004 17:49:12 +0000 
Hi Jan,

Jan P. Monsch wrote:
Thank you for your very interessting paper on "Second-Order Code Injection Attacks". 

Cool - hopefully it useful to others as well.

Concerning your protection recommendations I think that they must supplemented:
- An attack has a direction. For example SQL-Injection is a back-end directed attack. XSS in contrast is a front-end directed attack. To get the optimal protection it is necessary to prevent in direction of the attack. For SQL-Injection this results in input validation and for XSS this results in output encoding (' -> &quote).

While correct for a large number of cases, this is not particularly true for second-order code injection attacks. For example, malicious SQL code may be injected into an address field, and only executed as part of a SQL query much later on a remote system (e.g. an analysis tool for shortest-path delivery routes). This may be extended such that the SQL injection's purpose is to force a ackend database (or helpdesk MDB file) to pull down more laicious code... basically XSS through SQL statements.

Sanitisation of "dangerous" characters such as single-quote is always to be recommended as the first port of call. However, there are more than 40 different (and commonly used) ways of encoding this character that are effective on UK-English/US-English/International-English formats... this expands more when dealing with other language systems.

- I think that removing characters does often not meet complex business requirements (Think of family names like D'Amato). An backend application does often not know which other applications are dependant on that data. So every component using data must protect itself. Especially in case of HTML GUIs the application must perform output encoding.

This is correct - but you have to start somewhere. There most certainly isn't a "silver bullet" for handling particular groups of dangerous characters.


- When auditing XML based application it must be verified that the XML documents encode the content properly.

Easier said than done. The process of verifying that XML documents are encode properly may actually intruce yet another vulnerable layer to the application.

--
------------------------------------------------------
G u n t e r   O l l m a n n,            MSc(Hons), BSc
Professional Services Director

Next  Generation  Security  Software  Ltd.
First Floor, 52 Throwley Way  Tel: +44 (0)208 401 0089
Sutton, Surrey, SM1 4BF, UK
http://www.nextgenss.com      Fax: +44 (0)208 401 0076
------------------------------------------------------



[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Sample JAVA application, Chris Vanden Berghe
Next by Date:  Paros 3.2.0alpha release, contact
Previous by Thread:  Re: New Whitepaper - "Second-order Code Injection Attacks", Jan P. Monsch
Next by Thread:  Re: New Whitepaper - "Second-order Code Injection Attacks", Rogan Dawes
Indexes:  [Date] [Thread] [Top] [All Lists]