Who are we? Cesena Security and Network Applications. Why join CeSeNA?


Unexpected inputs: the danger of data and code injection

Who are we?
Cesena Security and Network Applications. We like computer security and we want to share our knowledge.
Founded by Marco Ramilli in 2005. Rebuilt by Luca Mella in 2009. Now it's an active group, managed by Alessandro Molari, Luca Molari and Giacomo Mantani.
Why join CeSeNA?
To learn useful, cool stuff. To improve mental and social skills. To have (a lot of) fun!
Daniele Bellavista [CeSeNA] Code and Data Injection What's CeSeNA?

Contact us!
Requirements to apply to CeSeNA: a burning desire for knowledge, a passion for computer security, and being a geeky, techy person.
Where to find us:
    IRC: #cesena at irc.freenode.net
    Website: https://cesena.ing2.unibo.it/ (trust the certificate)
    Facebook: https://www.facebook.com/groups/105136176187559/
    G+: https://plus.google.com/communities/101402441314003721224

INJECTION VULNERABILITY

Injection: same old story
SQL injection: introduced by sloppy (PHP) programmers. One of the main vulnerabilities of the 2000s. Still present and exploited!
Shellshock vulnerability: discovered in 2014, present since September 1989! In some scenarios it permits remote code execution.

SQLi example
Scenario: a system stores secrets in a database; each secret can be accessed only by knowing its secret identifier.
Objective: obtain all the secrets!
SQL query:
    exec("SELECT * FROM Secrets WHERE SecId = " + secretId)
If secretId is 1234567:
    exec("SELECT * FROM Secrets WHERE SecId = 1234567")
Injection: if secretId is 0 OR 1=1:
    exec("SELECT * FROM Secrets WHERE SecId = 0 OR 1=1")

A shellshock example
Request to a CGI page:
    GET /vulnerable.cgi
    User-Agent: Mozilla Firefox
Response:
    200 OK
    Hi, I'm not vulnerable!
Request:
    GET /vulnerable.cgi
    User-Agent: () { ignored; }; echo The following sentence is false
Response:
    200 OK
    The following sentence is false
    Hi, I'm not vulnerable!
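The second request above is what a defender wants to notice in web-server logs before the exploit lands. The following scanner is an added example, not code from the deck or from CeSeNA: it parses Apache combined-format access lines (an assumed format; the sample lines are constructed to mirror the deck's two requests to /vulnerable.cgi) and flags any header-derived field whose value begins with the exported-function prefix shown on the slide. All function names are my own.

```python
import re

# Apache "combined" log format (assumed):
#   host ident user [time] "request line" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_combined(line: str):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def looks_like_shellshock(value: str) -> bool:
    """True if a header value carries the "() { ... };" prefix from the slide.

    The vulnerable bash importer only acts on values that *begin* with the
    function definition, so the check is anchored at the start. Whitespace is
    removed first so "(){", "() {" and "( ) {" are treated alike (deliberately
    broad), and the closing "};" is required so that a bare "() {" is not flagged.
    """
    compact = re.sub(r"\s+", "", value)
    return compact.startswith("(){") and "};" in compact


# Fields whose content a CGI script receives through environment variables.
HEADER_FIELDS = ("request", "referer", "agent")


def scan_access_log(lines):
    """Return one record per header field that carries the Shellshock prefix."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than guessed at
        for field in HEADER_FIELDS:
            if looks_like_shellshock(rec[field]):
                hits.append({"line": lineno, "host": rec["host"], "time": rec["time"],
                             "field": field, "value": rec[field]})
    return hits


# Constructed sample log, modelled on the deck's two requests to /vulnerable.cgi.
LOG_LINES = [
    '203.0.113.5 - - [24/Sep/2014:21:14:03 +0000] "GET /vulnerable.cgi HTTP/1.1" 200 27 "-" "Mozilla Firefox"',
    '203.0.113.9 - - [24/Sep/2014:21:14:09 +0000] "GET /vulnerable.cgi HTTP/1.1" 200 61 "-" '
    '"() { ignored; }; echo The following sentence is false"',
    '198.51.100.2 - - [24/Sep/2014:21:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    for hit in scan_access_log(LOG_LINES):
        print(f"line {hit['line']}: {hit['host']} sent {hit['field']}={hit['value']!r}")
```

Only the second constructed line is reported; the browser User-Agent on the third line contains parentheses and braces-free text and is not flagged, which is the false-positive case the whitespace normalisation has to stay clear of.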

Data and code are confused
Untrusted user-supplied inputs: web form fields (yes, even hidden tags), HTTP fields, shell parameters.
No difference between data and code: no data type; semantic checks are performed only on the result.

Sanitization
Whitelist allowed characters; drop or escape the rest.
Type awareness: parse integers, encode strings, etc.
Use framework or library functions considered secure.
Remember: security isn't just a fix.

EXPLOITATION

Bad sanitization: quoting
Quoted SQL statement:
    "SELECT * FROM Secrets WHERE SecId = '" + secretId + "'"
The previous secretId = 0 OR 1=1 won't work:
    SELECT * FROM Secrets WHERE SecId = '0 OR 1=1'
So, just send secretId = 0' OR '1' = '1:
    SELECT * FROM Secrets WHERE SecId = '0' OR '1' = '1'
Celebrate.

Bad sanitization: blind escaping
Quoted SQL statement:
    "SELECT * FROM Secrets WHERE SecId = '" + escapequotes(secretId) + "'"
The previous trick won't work; secretId = 0' OR '1' = '1 becomes:
    SELECT * FROM Secrets WHERE SecId = '0\' OR \'1\' = \'1'
However, a similar query without quotes won't be protected!
    "SELECT * FROM Secrets WHERE SecId = " + escapequotes(secretId)
Just try 0 OR 1=1:
    SELECT * FROM Secrets WHERE SecId = 0 OR 1 = 1

Bad sanitization: string replace
Smartest fix ever:
    "SELECT * FROM Secrets WHERE SecId = " + replace(secretId, "OR", "")
If secretId = 0 OR 1=1:
    SELECT * FROM Secrets WHERE SecId = 0 1 = 1
What if secretId = 0 OORR 1=1?
    SELECT * FROM Secrets WHERE SecId = 0 OR 1 = 1
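The following is an added example, not code from the deck or from CeSeNA. It puts the vulnerable query from the "SQLi example" slide, the three "bad sanitization" variants above (quoting, blind escaping, string replace) and the type-aware, parameterised fix the "Sanitization" slide asks for side by side, all runnable against an in-memory SQLite table. The Secrets table, its three rows and every function name are my own constructions; one assumption to note is that SQLite escapes a quote by doubling it, so the escaper here writes '' where the deck's escapequotes writes a backslash. The lesson is unchanged: escaping only protects a value that sits inside quotes, keyword blacklisting is trivially undone, and only a typed parameter keeps data from becoming code.

```python
import re
import sqlite3

# Constructed sample data: three secrets, each reachable only via its SecId.
SAMPLE_SECRETS = [(1234567, "alpha"), (2345678, "bravo"), (3456789, "charlie")]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the deck's Secrets table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Secrets (SecId INTEGER PRIMARY KEY, Secret TEXT NOT NULL)")
    conn.executemany("INSERT INTO Secrets VALUES (?, ?)", SAMPLE_SECRETS)
    return conn


def run(conn: sqlite3.Connection, sql: str):
    """Execute one statement built by string concatenation.

    Returns the secrets it yields, or None when the database rejects the
    statement (a syntax error is the usual sign that injected text broke it).
    """
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


# ---- the deck's vulnerable query and its three flawed "fixes" ----------------

def query_concat(conn, secret_id: str):
    # "SQLi example": raw concatenation, no quotes, no type check.
    return run(conn, "SELECT Secret FROM Secrets WHERE SecId = " + secret_id)


def query_quoted(conn, secret_id: str):
    # "Bad sanitization: quoting": quotes around the value, nothing escaped.
    return run(conn, "SELECT Secret FROM Secrets WHERE SecId = '" + secret_id + "'")


def escape_quotes(value: str) -> str:
    # SQLite's quoting rule: a literal quote is written as two quotes. The deck's
    # escapequotes uses a backslash (MySQL style); the behaviour below is the same.
    return value.replace("'", "''")


def query_escaped_quoted(conn, secret_id: str):
    # "Bad sanitization: blind escaping", first half: escaping inside quotes holds.
    return run(conn, "SELECT Secret FROM Secrets WHERE SecId = '" + escape_quotes(secret_id) + "'")


def query_escaped_unquoted(conn, secret_id: str):
    # Second half: the same escaper with no quotes around the value protects nothing.
    return run(conn, "SELECT Secret FROM Secrets WHERE SecId = " + escape_quotes(secret_id))


def query_replace_or(conn, secret_id: str):
    # "Bad sanitization: string replace": keyword blacklisting.
    return run(conn, "SELECT Secret FROM Secrets WHERE SecId = " + secret_id.replace("OR", ""))


# ---- what the "Sanitization" slide asks for ----------------------------------

def query_safe(conn, secret_id: str):
    """Type-aware parsing, then a parameterised query: the value never becomes SQL."""
    if not re.fullmatch(r"[0-9]+", secret_id):  # whitelist: decimal digits only
        raise ValueError(f"SecId must be a decimal integer, got {secret_id!r}")
    rows = conn.execute("SELECT Secret FROM Secrets WHERE SecId = ?", (int(secret_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for name, fn, value in [
        ("concat", query_concat, "0 OR 1=1"),
        ("quoted", query_quoted, "0 OR 1=1"),
        ("quoted", query_quoted, "0' OR '1' = '1"),
        ("escaped, quoted", query_escaped_quoted, "0' OR '1' = '1"),
        ("escaped, no quotes", query_escaped_unquoted, "0 OR 1=1"),
        ("replace OR", query_replace_or, "0 OR 1=1"),
        ("replace OR", query_replace_or, "0 OORR 1=1"),
    ]:
        print(f"{name:20} {value!r:22} -> {fn(db, value)}")
    print("safe, 1234567 ->", query_safe(db, "1234567"))
```

A returned list of all three secrets is the deck's "celebrate" case; an empty list is the variant the slide says "won't work"; None is the mangled query from the string-replace slide, which SQLite refuses to parse. query_safe never reaches the database with anything but an integer, so every payload on the slides is rejected before a statement is built.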

IT'S YOUR TURN

Let's get our hands dirty
Go to: http://cesena.ing2.unibo.it:8081/injection/