Data normalization weaknesses

  1. Data normalization weaknesses
     @d0znpp, VolgaCTF, 03/09/2013
  2. Intro
     • Researcher, bug-hunter, CEO
     • Web application security in depth
     • @d0znpp, personal Twitter
     • lab.onsec.ru, our blog (@ONsec_lab)
  3. What is normalization?
     • Transferring and storing data are always accompanied by their formatting
     • First normalization, then formatting
     • Encoding (different charsets)
     • Truncation (limited sizes)
     • Trims
     • Canonicalizations
     • ...
  4. Data normalization or input validation weaknesses?
  5. Web application basics
     • Client-server model
     • Client is the browser (Chrome, Safari, IE, FF)
     • Server is web server software (Nginx, Apache)
     • Application server (FastCGI, Tomcat)
     • Database storage (SQL or NoSQL)
  6. Web application example. Depth #1
     [Diagram: Browser -(HTTP)-> WebServer -(FCGI)-> AppServer -(SQL)-> Database]
  7. Web application example. Depth #2
     [Diagram: as on slide 6, plus Operating System, File System and FS driver]
  8. Web application example. Depth #3
     [Diagram: as on slide 7, plus the Network layer]
  9. Protocol level normalization
     [Diagram: the layered stack from slide 8]
  10. Protocol level normalization
     • URL-encoding: what could be simpler?
     • %22 to "
     • %23 to #
     • %25 to %
     • Double URL-encoding is the basic bypass for many input validators, right?
  11. 2+ URL-encoding. Why not?!
     [Diagram: Browser -(HTTP)-> Balancer -(HTTP)-> Frontend -(FCGI)-> Backend -> OS; the same value travels as %252527, then %2527, then %27, with an "Input validator" box placed along the chain]
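To make the chain on slide 11 concrete, the following is an added Python example (not code from the talk or from ONsec). It models each hop as one percent-decode, shows that a validator which decodes once sees a harmless `%2527`, and contrasts it with a validator that decodes to a fixed point before checking. The validator logic itself is a hypothetical filter constructed for the example.

```python
import urllib.parse


def decode_chain(value, max_hops=8):
    """Every form the value takes when successive hops (balancer, frontend,
    backend, OS) each percent-decode it once, until it stops changing."""
    forms = [value]
    for _ in range(max_hops):
        nxt = urllib.parse.unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def single_decode_validate(value):
    """A validator sitting at one hop: it decodes once and rejects a quote.
    Hypothetical filter constructed for this example."""
    return "'" not in urllib.parse.unquote(value)


def canonical_validate(value, max_hops=8):
    """Decode to a fixed point before validating, so the check applies to the
    form the last hop will actually see. A value that is still changing after
    max_hops is rejected rather than guessed at."""
    forms = decode_chain(value, max_hops)
    if urllib.parse.unquote(forms[-1]) != forms[-1]:
        return False
    return "'" not in forms[-1]


if __name__ == "__main__":
    # Constructed sample input: the value from slide 11.
    for form in decode_chain("%252527"):
        print(form)
    print("single decode accepts:", single_decode_validate("%252527"))
    print("canonical rejects:", not canonical_validate("%252527"))
```

The fixed-point check is the fallback when you do not control every hop. The cleaner fix is architectural: decode exactly once at a defined boundary and make sure no downstream component decodes again.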
  12. Protocol level normalization
     [Diagram: the layered stack from slide 8]
  13. Protocol level normalization
     • HTTP parameter pollution
     • https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
     • ?id=1&id=2 -> id=1,2
     • HTTP parameter contamination
     • http://netsec.rs/files/Http%20Parameter%20Contamination%20-%20Ivan%20Markovic%20NSS.pdf
     • ?load[file -> ?load_file
  14. Protocol level normalization
     • Something new?
     • Why only parameters?
     • Let's try to fuzz something else! :)
     • GET{F}/{F}HTTP.1.1
     • {F} = 0x09, 0x0b, 0x0c, 0x0d, 0x32
     • Apache/2.2.22 (Unix)
     • GET / bla-bla bla bla bla ehohoh -> valid packet!
  15. File paths normalization
     [Diagram: the layered stack from slide 8]
  16. Filesystem name canonicalization
     • Path traversal
     • /../../../../../../etc/passwd
     • Normalization
     • http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
     • http://onsec.ru/onsec.whitepaper-02.eng.pdf
  17. Filesystem name canonicalization
     • Normalization
     • /etc/passwd//////////////////////////////////.php
     • C:\boot.<<
     • C:\boot"ini
     • C:\boot.in>
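Slides 16 and 17 show why a check on the raw string (a `.php` suffix test, a `..` blacklist) is not enough. The following added Python example (not from the talk) does what a defender wants instead: canonicalize the path lexically, confirm it is still inside the intended base directory, and only then apply the extension check to the canonical last component. The base directory and file names are constructed for the example.

```python
import posixpath


def resolve_under(base_dir, user_path):
    """Lexically canonicalize base_dir/user_path and return it only if it is
    still inside base_dir; otherwise return None."""
    base = posixpath.normpath(base_dir)
    # Drop leading slashes so an absolute user path cannot replace the base.
    joined = posixpath.join(base, user_path.lstrip("/"))
    canonical = posixpath.normpath(joined)
    if canonical != base and not canonical.startswith(base + "/"):
        return None  # the '..' sequences escaped the base directory
    return canonical


def has_allowed_extension(path, allowed):
    """Check the extension of the canonical path's last component. After
    normalization '/etc/passwd//////.php' ends in a component named '.php',
    which splitext reports as a dot-file with no extension, so it fails."""
    stem, ext = posixpath.splitext(posixpath.basename(path))
    return bool(stem) and ext in allowed


def safe_target(base_dir, user_path, allowed=frozenset({".php"})):
    """Canonicalize first, validate second: both checks run on the same
    canonical form that the filesystem will eventually see."""
    canonical = resolve_under(base_dir, user_path)
    if canonical is None or not has_allowed_extension(canonical, allowed):
        return None
    return canonical


if __name__ == "__main__":
    # Constructed sample inputs, including both payloads from the slides.
    base = "/var/www/files"
    for candidate in ("report.php",
                      "../../../../../../etc/passwd",
                      "../../../etc/passwd//////////////////.php"):
        print("%-45s -> %s" % (candidate, safe_target(base, candidate)))
```

This is lexical canonicalization only; on a real filesystem the final check should run on `os.path.realpath()` so symlinks cannot redirect a path that looked contained. The Windows forms on slide 17 (`<`, `>`, `"` acting as DOS wildcards) are a reminder that canonicalization rules differ per platform, so an allowlist of permitted characters in file names is the safer complement to path containment.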
  18. Database storing normalization
     [Diagram: the layered stack from slide 8]
  19. Database storing normalization
     • Encodings
     • Client encoding
     • Storing encoding
     • Trim
     • Size-limited truncation
  20. Database storing normalization
     • VARCHAR or BLOB?
     • What is the size limit of CREATE TABLE t1 (login TEXT)?
     • INSERT INTO logins VALUES (:id, :login, :password)
     • $login = "admin aa"
  21. Application layer normalization
     [Diagram: the layered stack from slide 8]
  22. Application layer normalization
     • SSRF bible. Cheatsheet
     • https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/#
     • PHP fsockopen() URL parsing tricks
  23. Application layer normalization
     • Port overwriting, formatting
     • localhost:81
     • localhost:+81AAAAA
     • localhost: 00081 AAA
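The three targets on slide 23 are the same port to a lenient number parser and three different strings to a validator that compares text. The following added Python example (not from the talk) models that lenient strtol/intval-style parsing, then shows the strict alternative a defender should use before handing a host:port to any connection function. The allowlists and the `split_target` helper are constructed for the example and deliberately ignore IPv6 literals.

```python
import re


def lenient_port(text):
    """Model of strtol()/intval()-style parsing: skip leading whitespace,
    accept a sign and leading zeros, stop at the first non-digit and ignore
    the rest. Constructed here to show why the slide's payloads work."""
    m = re.match(r"\s*[+-]?\d+", text)
    return int(m.group()) if m else None


def strict_port(text):
    """Accept only the canonical decimal form of a port: no sign, no leading
    zeros, no surrounding whitespace, no trailing garbage, range 1..65535."""
    if not re.fullmatch(r"[1-9][0-9]{0,4}", text):
        return None
    port = int(text)
    return port if port <= 65535 else None


def split_target(target):
    """Split 'host:port' at the first colon (IPv6 literals out of scope)."""
    host, sep, port_text = target.partition(":")
    return host, (port_text if sep else None)


def target_allowed(target, allowed_hosts, allowed_ports):
    """Allow a connection target only when the host is allowlisted and the
    port text is strictly canonical and allowlisted."""
    host, port_text = split_target(target)
    if host not in allowed_hosts or port_text is None:
        return False
    port = strict_port(port_text)
    return port is not None and port in allowed_ports


if __name__ == "__main__":
    # Constructed sample inputs: the three forms from slide 23.
    for target in ("localhost:81", "localhost:+81AAAAA", "localhost: 00081 AAA"):
        host, port_text = split_target(target)
        print("%-22s lenient=%-5s strict=%-5s allowed=%s" % (
            target, lenient_port(port_text), strict_port(port_text),
            target_allowed(target, {"localhost"}, {81})))
```

The point of the strict parser is not the regex itself but that the validator and the consumer now agree on one canonical representation; compare the parsed `(host, port)` tuple against the allowlist, never the raw string.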
  24. IT IS ENCODING !!!
  25. Multibyte encodings
     • One byte for one char
     • More bytes for one char!
     • á
     • 0xE1
     • 0xC3A1 (UTF-8, C-form)
     • 0x61CC81 (UTF-8, D-form)
  26. addslashes() bypass
     • http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
     • ' to \'
     • Replace byte 0x27 with 0x5c27
     • But what about multibyte?
     • 0xbf5c is a valid char in the GBK encoding
     • 0xbf5c27 -> 0xbf5c 0x27
  27. addslashes() bypass
     • http://kuza55.blogspot.ru/2007/06/mysql-injection-encoding-attacks.html
     • Find all encodings where 0x5c is a valid second byte of some char
     • big5, [A1-F9]
     • sjis, [81-9F], [E0-FC]
     • gbk, [81-FE]
     • cp932, [81-9F], [E0-FC]
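Slides 26 and 27 describe the bypass in bytes; the following added Python example (not code from the talk, and not PHP's real implementation) reproduces it with a byte-level model of `addslashes()`, checks whether the inserted backslash survives decoding under a given charset, shows the character-level escaping that fixes it, and runs the search slide 27 proposes over Python's own codecs. The SQL fragment and charset list are constructed for the example.

```python
def addslashes(data):
    """Byte-level model of PHP's addslashes(): prefix ', \" and \\ with a
    backslash and turn NUL into \\0. Works on bytes, as the slide describes."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
            continue
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def has_unescaped_quote(text):
    """True if a single quote in the decoded text is not preceded by an
    unconsumed backslash, i.e. it would still terminate a SQL literal."""
    escaped = False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False


def byte_escape_survives(data, charset):
    """Does escaping on raw bytes still protect the quote once the server
    decodes the literal with `charset`? A decoding failure counts as unsafe."""
    try:
        decoded = addslashes(data).decode(charset)
    except UnicodeDecodeError:
        return False
    return not has_unescaped_quote(decoded)


def escape_after_decoding(data, charset):
    """The fix: decode with the connection charset first (invalid sequences
    such as 0xbf27 are rejected), then escape at character level, so a
    backslash can never be swallowed into a multibyte character."""
    text = data.decode(charset)
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def charsets_with_backslash_trail(charsets):
    """For each charset, the lead bytes 0x81..0xFE after which 0x5c is
    accepted as the second byte of a single character (slide 27's search)."""
    found = {}
    for name in charsets:
        leads = []
        for lead in range(0x81, 0xFF):
            try:
                decoded = bytes([lead, 0x5C]).decode(name)
            except UnicodeDecodeError:
                continue
            if len(decoded) == 1:
                leads.append(lead)
        if leads:
            found[name] = leads
    return found


if __name__ == "__main__":
    # Constructed sample input: the slide's 0xbf27 prefix on a SQL fragment.
    payload = b"\xbf\x27 OR 1=1 -- "
    print("escaped bytes:", addslashes(payload))
    for cs in ("latin-1", "gbk"):
        print("%-8s byte-level escaping survives: %s" % (cs, byte_escape_survives(payload, cs)))
    found = charsets_with_backslash_trail(["gbk", "big5", "shift_jis", "cp932", "utf-8", "latin-1"])
    for name, leads in found.items():
        print("%-10s 0x5c is a trail byte after 0x%02X..0x%02X (%d leads)" % (name, leads[0], leads[-1], len(leads)))
```

The practical lesson matches the cited shiflett post: escaping must know the connection charset (as `mysql_real_escape_string()` does) or, better, be replaced by parameterized queries so user bytes never become part of the SQL text at all.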
  28. Homework! escapeshellarg/cmd()
     • Note that:
     • PHP uses sh by default for system(), not bash
     • sh has no multibyte encoding
     • escapeshellarg cuts bytes 0x80-0xFF
  29. But... escapeshellarg()
     • http://lab.onsec.ru/2013/03/breaking-escapeshellarg-news.html
     • For the shell there is no difference between
     • ls -la
     • ls ''-la''
     • ls '-la'
     • unzip '-d/var/www' is escaped, but still an option argument!
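Slide 29's point is that quoting protects the shell, not the program behind it. The following added Python example (not from the talk) uses `shlex` to show the argv the program receives for each of the slide's command lines, then the two defences a caller has: the POSIX `--` end-of-options marker for programs that honour it, and a `./` prefix for values that are supposed to be file names. The program names are constructed for the example.

```python
import shlex


def argv_from_command_line(command_line):
    """What the program receives after sh parses the line: quotes group and
    protect characters but are never part of the argument itself."""
    return shlex.split(command_line)


def quoted_then_parsed(program, user_arg):
    """Quote the value the way an escapeshellarg-style helper would (shlex.quote
    only adds quotes when a character needs them) and parse the result back."""
    return shlex.split(program + " " + shlex.quote(user_arg))


def is_option_like(arg):
    return arg.startswith("-") and arg != "-"


def argv_with_end_of_options(program, user_arg):
    """Place the user value after '--' so a getopt-style parser treats it as an
    operand; only for programs that honour the POSIX '--' convention."""
    return [*program, "--", user_arg]


def neutralized_path_arg(user_arg):
    """For programs without '--' support, a file name starting with './' can
    never be mistaken for an option and still names the same file."""
    return "./" + user_arg if is_option_like(user_arg) else user_arg


if __name__ == "__main__":
    # Constructed sample inputs: the command lines from slide 29.
    for line in ("ls -la", "ls ''-la''", "ls '-la'", "unzip '-d/var/www'"):
        print("%-20s -> argv %s" % (line, argv_from_command_line(line)))
    print(argv_with_end_of_options(["ls", "-l"], "-la"))
    print(neutralized_path_arg("-d/var/www"))
```

The underlying rule: pass user values as argv elements (never through a shell) and still validate them against the program's own option syntax, because an escaping function cannot know which program will interpret the argument.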
  30. PHP string encoding
     http://www.php.net/manual/language.types.string.php#language.types.string.details
     • A string will be encoded in whatever fashion it is encoded in the script file
     • If Zend Multibyte is enabled, the script may be written in an arbitrary encoding (which is explicitly declared or is detected) and then converted to a certain internal encoding, which is then the encoding that will be used for the string literals
     • State-dependent encodings where the same byte values can be used in initial and non-initial shift states may be problematic
  31. Multibyte problems
     • Lengths in chars or bytes?
     • State-dependent encodings
     • 0x0102: one char
     • 0x0203: one char
     • 0x01020203: two chars
     • But what about the case where 0x0202 is also a valid char?
     • Try to find 0x0202 in this string ;)
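Slides 25 and 31 are both about the gap between bytes and characters. The following added Python example (not from the talk) serves both: it shows the byte lengths and the C-form/D-form UTF-8 sequences from slide 25 for `á`, a byte-budget truncation that never splits a sequence, and the alignment puzzle from slide 31 using a toy two-byte character set constructed for the example (it is not a real charset) in which 0x0102, 0x0203 and 0x0202 are all valid characters.

```python
import unicodedata


def lengths(text, encoding="utf-8"):
    """(characters, bytes) for the same text; the two diverge as soon as a
    multibyte encoding is involved."""
    return len(text), len(text.encode(encoding))


def utf8_forms(text):
    """The composed (NFC, 'C-form') and decomposed (NFD, 'D-form') UTF-8 byte
    sequences of the same text; both render identically on screen."""
    return (unicodedata.normalize("NFC", text).encode("utf-8"),
            unicodedata.normalize("NFD", text).encode("utf-8"))


def truncate_to_bytes(text, max_bytes, encoding="utf-8"):
    """Truncate to a byte budget without splitting a multibyte sequence: cut
    the bytes, then drop any dangling partial sequence left at the end."""
    cut = text.encode(encoding)[:max_bytes]
    return cut.decode(encoding, errors="ignore")


# Toy two-byte character set constructed for this example (not a real charset),
# mirroring slide 31: 0x0102, 0x0203 and 0x0202 are all valid characters.
TOY_CHARS = {b"\x01\x02", b"\x02\x03", b"\x02\x02"}


def toy_decode(stream):
    """Split a byte stream into toy characters. The decoder consumes two bytes
    at a time from the start, so character boundaries are fixed by position."""
    if len(stream) % 2:
        raise ValueError("odd-length stream")
    chars = [stream[i:i + 2] for i in range(0, len(stream), 2)]
    bad = [c for c in chars if c not in TOY_CHARS]
    if bad:
        raise ValueError("invalid character %r" % bad[0])
    return chars


def contains_as_characters(stream, needle):
    """Search at character granularity: a needle that straddles two characters
    is not a match, unlike a raw byte search with `needle in stream`."""
    chars, pattern = toy_decode(stream), toy_decode(needle)
    n = len(pattern)
    return any(chars[i:i + n] == pattern for i in range(len(chars) - n + 1))


if __name__ == "__main__":
    a_acute = "\u00e1"  # the 'á' from slide 25
    print("chars/bytes utf-8:", lengths(a_acute), "latin-1:", lengths(a_acute, "latin-1"))
    print("C-form / D-form:", utf8_forms(a_acute))
    print("truncate 'a\u00e1' to 2 bytes:", repr(truncate_to_bytes("a" + a_acute, 2)))
    stream, needle = b"\x01\x02\x02\x03", b"\x02\x02"  # constructed from slide 31
    print("byte search:", needle in stream, "character search:", contains_as_characters(stream, needle))
```

A byte-oriented filter (or a `LIKE` clause, or a length limit counted in bytes) sees the forbidden 0x0202 in slide 31's string; a character-oriented consumer never does, and the two will disagree on whether the input was valid. Real shift-state encodings such as the ISO-2022 family, which the PHP manual text on slide 30 warns about, make this worse because the boundary depends on escape sequences seen earlier in the stream.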
  32. Thanks for attention! d0znpp@ONsec.ru, @d0znpp, @ONsec_lab, lab.onsec.ru
