
Software Vulnerability Examples






Presentation Transcript


  1. Software Vulnerability Examples

  2. SQL Injection – Example Scenario
  • Imagine a form in a webpage with two input text boxes: "username" and "password".
  • The form gets submitted to a CGI script that constructs an SQL query with the username and password and runs it against a database table to authenticate the user.
  • If the SQL query matches an entry, the user gets authenticated.

  3. SQL Injection Example 1
  • Web form textboxes: "username", "password"
  • CGI script code for SQL:
    string query = "SELECT * FROM items WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
  • CGI intended generated SQL string:
    SELECT * FROM items WHERE username = <userName> AND password = <password>;
  • User enters: "Administrator" as username and "secret' OR 'a'='a" as password
  • SQL query result is:
    SELECT * FROM items WHERE username = 'Administrator' AND password = 'secret' OR 'a'='a';
  • Result: the right-hand side of the OR is always true, so the WHERE clause always matches and the user always gets authenticated as Administrator.

  4. SQL Injection Example 2
  • Web form textboxes: "username", "password"
  • CGI script code for SQL:
    string query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
  • CGI intended generated SQL string:
    SELECT * FROM users WHERE username = <userName> AND password = <password>;
  • User enters: "Administrator" as username and "secret'; DELETE FROM users; --" as password
  • SQL query result is:
    SELECT * FROM users WHERE username = 'Administrator' AND password = 'secret'; DELETE FROM users; --';
  • Result is 3 separate SQL statements separated by semicolons:
  • 1st might fail (no row with that password).
  • 2nd will delete all entries in table "users".
  • 3rd is just a comment (the "--" comments out the trailing quote).

  5. SQL Injection Example 3
  • Web form textboxes: "username", "password"
  • CGI script code for SQL:
    string query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password.Text + "'";
  • CGI intended generated SQL string:
    SELECT * FROM users WHERE username = <userName> AND password = <password>;
  • User enters: "Administrator" as username and "'; exec master..xp_cmdshell 'dir' --" as password
  • SQL query result is:
    SELECT * FROM users WHERE username = 'Administrator' AND password = ''; exec master..xp_cmdshell 'dir' --';
  • Result is 3 separate SQL statements separated by semicolons:
  • 1st might fail.
  • 2nd executes an SQL Server extended stored procedure that runs the DOS command "dir" on the database host.
  • 3rd is just a comment.
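The scenario of slides 2 to 5, as an added example that is not code from the slides: the concatenating login from Example 1 next to a parameterized version, run against a constructed in-memory SQLite table (the "users" table, its one row and its password are assumptions for the demonstration).

```python
import sqlite3


def make_db():
    # Constructed stand-in for the slides' "users" table: one account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Administrator', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the slides' CGI code: the SQL text is built by string
    # concatenation, so quotes in the input change the query's structure.
    query = ("SELECT * FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: the driver sends the values separately from the SQL
    # text, so a quote, an OR clause or a semicolon in the input is data.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    # Example 1's password against both versions, plus the real password.
    conn = make_db()
    payload = "secret' OR 'a'='a"
    return {
        "vulnerable": login_vulnerable(conn, "Administrator", payload),
        "parameterized": login_parameterized(conn, "Administrator", payload),
        "real_password": login_parameterized(conn, "Administrator", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat when reproducing Examples 2 and 3 with this driver: sqlite3's execute() refuses stacked statements, so the "; DELETE FROM users; --" payload raises an error here even in the concatenated version, whereas drivers or servers that accept batches of statements would run it.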

  6. OS Command Injection – Example Scenario
  • Imagine a form in a webpage with a single input text box "username".
  • The form gets submitted to a CGI script that constructs an OS shell command line with the username and runs it.

  7. OS Command Injection Example
  • Web form textbox: "username"
  • CGI script code for OS command:
    $command = 'ls -l /home/' . $userName;
    system($command);
  • CGI intended generated OS command line:
    ls -l /home/<username>
  • User enters: "; rm -rf /" as username
  • OS command line result is:
    ls -l /home/; rm -rf /
  • This results in two command lines:
  • The first one lists the content of the /home directory.
  • The second one deletes all files.
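The slide 7 scenario, as an added example rather than the slide's PHP: the concatenated shell string next to the two defences a practitioner would apply, an allowlist on the username (the pattern is an assumed policy) and an argv list run without a shell, with shlex.quote shown for the case where a shell string cannot be avoided.

```python
import re
import shlex
import subprocess

# Assumed policy: POSIX-style login names only, so no shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def vulnerable_command(username):
    # Mirrors the slide: the raw input is spliced into a string that
    # system() hands to /bin/sh, which treats ';' as a command separator.
    return "ls -l /home/" + username


def is_valid_username(username):
    return bool(USERNAME_RE.match(username))


def safe_argv(username):
    # Validate, then build an argv list. No shell parses the list, so even a
    # ';' that slipped through would stay inside one path argument.
    if not is_valid_username(username):
        raise ValueError("invalid username: %r" % username)
    return ["ls", "-l", "/home/" + username]


def list_home(username):
    # shell=False (the default): the list goes straight to exec, not to sh.
    return subprocess.run(safe_argv(username), capture_output=True, text=True)


def shell_safe_command(username):
    # If a shell string is unavoidable, shlex.quote turns the input into one
    # single-quoted literal; "; rm -rf /" becomes a single odd path, not a
    # second command.
    return "ls -l /home/" + shlex.quote(username)
```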

  8. Classic Buffer Overflow Example
  • Example C code:
    char buf[24];
    printf("Please enter your name \n");
    gets(buf);
  • Vulnerability: the code uses gets(), which is inherently unsafe: it blindly copies all input from STDIN to the buffer without restricting how much is copied.
  • This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
  • Strings like the one below can be used to exploit it:
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0bx89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"

  9. Cross Site Scripting (CSS) Example
  • Web form textbox: "username"
  • Example PHP code:
    $username = $_GET['username'];
    echo '<div class="header"> Welcome, ' . $username . '</div>';
  • Example CSS (the slide's abbreviation for cross-site scripting, now usually written XSS):
    http://trustedSite.example.com/welcome.php?username=<Script Language="Javascript">alert("You've been attacked!");</Script>
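The slide 9 page, as an added example that is not the slide's PHP: the same concatenation next to an output-encoded version, using the slide's attack string as a constructed input so the difference in what the browser would parse is visible.

```python
import html

# The slide's attack string, reproduced as a constructed test input.
PAYLOAD = '<Script Language="Javascript">alert("You\'ve been attacked!");</Script>'


def welcome_vulnerable(username):
    # Mirrors the slide's PHP: the raw query parameter is concatenated into
    # the HTML, so markup in the input is parsed as markup by the browser.
    return '<div class="header"> Welcome, ' + username + '</div>'


def welcome_escaped(username):
    # html.escape(quote=True) rewrites &, <, >, " and ' as entities, so the
    # browser renders the input as text instead of parsing a <script> tag.
    safe = html.escape(username, quote=True)
    return '<div class="header"> Welcome, ' + safe + '</div>'


def contains_script_tag(markup):
    # Check used below: does the output still contain a script tag?
    # Tag names are case-insensitive in HTML, hence the lower().
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(welcome_vulnerable(PAYLOAD))
    print(welcome_escaped(PAYLOAD))
```

Escaping is the right fix for text inside an element; input placed into an attribute, a URL or a script block needs the encoding appropriate to that context instead.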

  10. Missing Authentication or Authorisation
  • Example Java code:
    BankAccount account = null;
    account = new BankAccount();
    return account;
  • Vulnerability: there is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts.
  • Some authentication mechanism should be used to verify that the user has the authority to create bank account objects.
  • Correct example code:
    BankAccount account = null;
    if (isAuthenticated()) {
        account = new BankAccount();
    }
    return account;
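The slide 10 fix carried one step further, as an added example rather than the slide's Java: the check separates authentication (is anyone logged in?) from authorisation (may this user open accounts?), which the slide's title names but its isAuthenticated() alone does not cover. BankAccount, Session and the "account:create" permission are constructed stand-ins.

```python
class BankAccount:
    # Constructed stand-in for the slide's BankAccount class.
    def __init__(self, owner):
        self.owner = owner


class Session:
    # Constructed stand-in for the caller's session: the logged-in user
    # (None when nobody is logged in) and the permissions that user holds.
    def __init__(self, user=None, permissions=()):
        self.user = user
        self.permissions = frozenset(permissions)


def create_account_vulnerable(session, owner):
    # Mirrors the slide's first snippet: any caller gets an account.
    return BankAccount(owner)


def create_account(session, owner):
    # Authentication (the slide's isAuthenticated()): is anyone logged in?
    if session.user is None:
        raise PermissionError("not authenticated")
    # Authorisation: does the logged-in user hold the specific right needed?
    if "account:create" not in session.permissions:
        raise PermissionError("%s is not authorised to create accounts"
                              % session.user)
    return BankAccount(owner)


def try_create(session, owner):
    # Wrapper for the checks below: True only when creation is permitted.
    try:
        create_account(session, owner)
        return True
    except PermissionError:
        return False
```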

  11. Further Reading
  • "2011 CWE/SANS Top 25 Most Dangerous Software Errors"
  • http://cwe.mitre.org/top25/
