SlideShare uma empresa Scribd logo

XPATH, LDAP and Path Traversal Injection

B
Blueinfy Solutions

This preso covers XPATH, LDAP and Path traversal injections.

Tecnologia
1 de 30
XPATH, LDAP and Path-Traversal Injection
XPATH
XPATH injection • XPATH parsing standard error • XPATH is method available for XML parsing • MS SQL server provides interface and one can get table content in XML format. • Once this is fetched one can run XPATH queries and obtain results. • What if username/password parsing done on using XPATH – XPATH injection
XPATH injection string fulltext = ""; string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass"; SqlXmlCommand co = new SqlXmlCommand(coString); co.RootTag="Credential"; co.CommandType = SqlXmlCommandType.Sql; co.CommandText = "SELECT * FROM users for xml Auto"; XmlReader xr = co.ExecuteXmlReader(); xr.MoveToContent(); fulltext = xr.ReadOuterXml(); XmlDocument doc = new XmlDocument(); doc.LoadXml(fulltext); string credential = "//users[@username='"+user+"' and @password='"+pass+"']"; XmlNodeList xmln = doc.SelectNodes(credential); string temp; if(xmln.Count > 0) { //True } else //false
XPATH injection string credential = "//users[@username='"+user+"' and @password='"+pass+"']"; • XPATH parsing can be leveraged by passing following string ' or 1=1 or ''=‘ • This will always true on the first node and user can get access as who ever is first user. Bingo!
LDAP Injection
Description • LDAP : Lightweight Directory Access Protocol • Runs over TCP/IP • Used for modifying and querying directory services • Object oriented • Stores and organizes information sharing some common attributes
Attack Anatomy • Normal flow : Expected Input (Good query) Expected results
Attack Anatomy • Checking for vulnerability : Erroneous Input (Bad query) Server Error/ Unexpected Behavior LDAP Injectable !!!
Attack Anatomy • Common Injection methods : – AND Injection – OR Injection • Common risks : – Information Disclosure – Role Escalation – Authentication Bypass
Attack Anatomy • AND injection – Normal query structure : (&(param1=val1)(param2=val2)) – Attacker tries to supply 2 values with the input for val1 – Thus, val2 is never checked for and the query is executed – Attacker inputs values which will always result to “true”
Attack Anatomy Login Form Asks username and password
Attack Anatomy Login Form Asks username and password Uname = abc, pwd = 123 Query : (&(uname=abc)(pwd=123))
Attack Anatomy Login Form Asks username and password Uname = abc)(&), pwd = Query : (&(uname=abc)(&))(pwd=))
Attack Anatomy • OR Injection – Similar to AND Injection – Normal query structure : (|(param1=val1)(param2=val2)) – Normally used by attacker for information disclosure
Attack Anatomy Resource viewer : http://www.something.com/res.cgi?type=1 •Restricted access •Machines accessible to the uid of the user are displayed
Attack Anatomy Resource viewer : http://www.something.com/res.cgi?type=1)(uid=*)) •Notice the injection •Attacker bypasses the user id check •(S)he can view all machines now
Path Traversal & Injection
Description • An application has numerous resources – Images – Sound – Videos – Background and page eye-candies • A normal application would group these in separate directories and put the code in a separate directory
Description • A poorly developed application would use absolute/relative paths to reach the necessary resources • Even worst done applications would directly use user preferences from URL / cookies and append them to the URI for these resources • A user could modify the URL / cookie values and view files not meant for him/her
Attack Anatomy • The attacker begins by identifying resources accessed via URIs • Then the attacker looks out for URLs or cookies which contain the resource identifiers • Usually, such applications set the resource names (and possibly even the paths) via URLs and cookies
Attack Anatomy • Before the attacker begins to browse directories, (s)he tries to find out the operating system type of the server • This is necessary because unix based servers allow forward slash for directory traversal and windows based servers allow backward slash for directory traversal
Attack Anatomy Attacker URL : http://something.com?pref=page1.html Interesting … pref =page1.html Attacker
Attack Anatomy URL : http://something.com?pref=page1.html Serves back page1.html Maybe .... path traversal ??? Attacker
Attack Anatomy Attacker Cookie: PREF=page1.html Interesting … PREF=page1.html Attacker
Attack Anatomy Cookie: PREF=page1.html Sends back a page with page1.html as the background Maybe .... path traversal ??? Attacker
Attack Anatomy • Once the attacker has determined that an application is vulnerable to path traversal, (s)he tries out the following, depending on – The operating system of the server – The level of input scanning the application does ...
Attack Anatomy • Unix based servers – Uses forward slash (/) – Attacker begins with “../” sequences • If the application scans for sequences such as the dot-dot-slash, the attacker will try : – %2e%2e%2f – %2e%2e/ – ..%2f
Attack Anatomy • Windows based servers – Uses backward slash () – Attacker begins with “..” sequences • If the application scans for sequences such as the dot-dot-slash, the attacker will try : – %2e%2e%5c – %2e%2d – ..%5c
Conclusion

Recomendados

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Processn|u - The Open Security Community
 
Deep Dive: AWS Command Line Interface
Deep Dive: AWS Command Line InterfaceDeep Dive: AWS Command Line Interface
Deep Dive: AWS Command Line InterfaceAmazon Web Services
 
實現 Angular, Docker 與 Kubernetes 持續部署 (NG+2020)
實現 Angular, Docker 與 Kubernetes 持續部署 (NG+2020)實現 Angular, Docker 與 Kubernetes 持續部署 (NG+2020)
實現 Angular, Docker 與 Kubernetes 持續部署 (NG+2020)Will Huang
 
An intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSAn intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSYevgeniy Brikman
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 

Recomendados

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Processn|u - The Open Security Community
 
Deep Dive: AWS Command Line Interface
Deep Dive: AWS Command Line InterfaceDeep Dive: AWS Command Line Interface
Deep Dive: AWS Command Line InterfaceAmazon Web Services
 
實現 Angular, Docker 與 Kubernetes 持續部署 (NG+2020)
實現 Angular, Docker 與 Kubernetes 持續部署 (NG+2020)實現 Angular, Docker 與 Kubernetes 持續部署 (NG+2020)
實現 Angular, Docker 與 Kubernetes 持續部署 (NG+2020)Will Huang
 
An intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSAn intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSYevgeniy Brikman
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Azure kubernetes service (aks) part 3
Azure kubernetes service (aks) part 3Azure kubernetes service (aks) part 3
Azure kubernetes service (aks) part 3Nilesh Gule
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeChristian Folini
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesSreenivas Makam
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with AnsibleAnas
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....Denis Gundarev
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
Code obfuscation theory and practices
Code obfuscation theory and practicesCode obfuscation theory and practices
Code obfuscation theory and practicesnlog2n
 
Web Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfWeb Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfinfosecTrain
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
Keycloak on Docker.pdf
Keycloak on Docker.pdfKeycloak on Docker.pdf
Keycloak on Docker.pdfJincoco1
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesMichał Czeraszkiewicz
 
Advanced SQL Injection with SQLol
Advanced SQL Injection with SQLolAdvanced SQL Injection with SQLol
Advanced SQL Injection with SQLolBaronZor
 
ComunWeb: Portali istituzionali e qualità dei dati aperti
ComunWeb: Portali istituzionali e qualità dei dati apertiComunWeb: Portali istituzionali e qualità dei dati aperti
ComunWeb: Portali istituzionali e qualità dei dati apertiGabriele Francescotto
 

Mais conteúdo relacionado

Mais procurados

Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Azure kubernetes service (aks) part 3
Azure kubernetes service (aks) part 3Azure kubernetes service (aks) part 3
Azure kubernetes service (aks) part 3Nilesh Gule
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeChristian Folini
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesSreenivas Makam
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with AnsibleAnas
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....Denis Gundarev
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Code obfuscation theory and practices
Code obfuscation theory and practicesCode obfuscation theory and practices
Code obfuscation theory and practicesnlog2n
 
Web Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfWeb Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfinfosecTrain
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
Keycloak on Docker.pdf
Keycloak on Docker.pdfKeycloak on Docker.pdf
Keycloak on Docker.pdfJincoco1
 

Mais procurados (20)

Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Azure kubernetes service (aks) part 3
Azure kubernetes service (aks) part 3Azure kubernetes service (aks) part 3
Azure kubernetes service (aks) part 3
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting Techniques
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
Code obfuscation theory and practices
Code obfuscation theory and practicesCode obfuscation theory and practices
Code obfuscation theory and practices
 
Web Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfWeb Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdf
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and How
 
Keycloak on Docker.pdf
Keycloak on Docker.pdfKeycloak on Docker.pdf
Keycloak on Docker.pdf
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 

Destaque

Advanced SQL Injection with SQLol
Advanced SQL Injection with SQLolAdvanced SQL Injection with SQLol
Advanced SQL Injection with SQLolBaronZor
 
ComunWeb: Portali istituzionali e qualità dei dati aperti
ComunWeb: Portali istituzionali e qualità dei dati apertiComunWeb: Portali istituzionali e qualità dei dati aperti
ComunWeb: Portali istituzionali e qualità dei dati apertiGabriele Francescotto
 
DITA Reuse Challenges and Response
DITA Reuse Challenges and ResponseDITA Reuse Challenges and Response
DITA Reuse Challenges and ResponseContrext Solutions
 
Lecture 10 logistics and supply chain
Lecture 10 logistics and supply chainLecture 10 logistics and supply chain
Lecture 10 logistics and supply chainAnkit
 
FrameMaker Corporate Templates with DITA
FrameMaker Corporate Templates with DITAFrameMaker Corporate Templates with DITA
FrameMaker Corporate Templates with DITAPublishing Smarter
 
Moving Renewable Energy Embedded Systems into the Cloud
Moving Renewable Energy Embedded Systems into the CloudMoving Renewable Energy Embedded Systems into the Cloud
Moving Renewable Energy Embedded Systems into the CloudMark Heckler
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationOpposing Force S.r.l.
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Basic service capability, logistics and supply chain management
Basic service capability, logistics and supply chain managementBasic service capability, logistics and supply chain management
Basic service capability, logistics and supply chain managementIndraja Modem
 
Organization strategy of distribution nike
Organization strategy of distribution nikeOrganization strategy of distribution nike
Organization strategy of distribution nikedistribution-strategy
 

Destaque (15)

Advanced SQL Injection with SQLol
Advanced SQL Injection with SQLolAdvanced SQL Injection with SQLol
Advanced SQL Injection with SQLol
 
ComunWeb: Portali istituzionali e qualità dei dati aperti
ComunWeb: Portali istituzionali e qualità dei dati apertiComunWeb: Portali istituzionali e qualità dei dati aperti
ComunWeb: Portali istituzionali e qualità dei dati aperti
 
FrameMaker XML Author Toolkit
FrameMaker XML Author ToolkitFrameMaker XML Author Toolkit
FrameMaker XML Author Toolkit
 
Sah
SahSah
Sah
 
Idiomatic C++
Idiomatic C++Idiomatic C++
Idiomatic C++
 
DITA Reuse Challenges and Response
DITA Reuse Challenges and ResponseDITA Reuse Challenges and Response
DITA Reuse Challenges and Response
 
Lecture 10 logistics and supply chain
Lecture 10 logistics and supply chainLecture 10 logistics and supply chain
Lecture 10 logistics and supply chain
 
FrameMaker Corporate Templates with DITA
FrameMaker Corporate Templates with DITAFrameMaker Corporate Templates with DITA
FrameMaker Corporate Templates with DITA
 
Moving Renewable Energy Embedded Systems into the Cloud
Moving Renewable Energy Embedded Systems into the CloudMoving Renewable Energy Embedded Systems into the Cloud
Moving Renewable Energy Embedded Systems into the Cloud
 
Portfolio
PortfolioPortfolio
Portfolio
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - Presentation
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Basic service capability, logistics and supply chain management
Basic service capability, logistics and supply chain managementBasic service capability, logistics and supply chain management
Basic service capability, logistics and supply chain management
 
Organization strategy of distribution nike
Organization strategy of distribution nikeOrganization strategy of distribution nike
Organization strategy of distribution nike
 
Www.themargolislawfirm.com
Www.themargolislawfirm.comWww.themargolislawfirm.com
Www.themargolislawfirm.com
 

Semelhante a XPATH, LDAP and Path Traversal Injection

Creating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | Prometheus
Creating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | PrometheusCreating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | Prometheus
Creating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | PrometheusInfluxData
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
15 Text files
15 Text files15 Text files
15 Text filesmaznabili
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionChema Alonso
 
Hollywood mode off: security testing at scale
Hollywood mode off: security testing at scaleHollywood mode off: security testing at scale
Hollywood mode off: security testing at scaleClaudio Criscione
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingChema Alonso
 
Introduction to Laravel Framework (5.2)
Introduction to Laravel Framework (5.2)Introduction to Laravel Framework (5.2)
Introduction to Laravel Framework (5.2)Viral Solani
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersChema Alonso
 
How to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyHow to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyClare Macrae
 
Reactive Programming in .Net - actorbased computing with Akka.Net
Reactive Programming in .Net - actorbased computing with Akka.NetReactive Programming in .Net - actorbased computing with Akka.Net
Reactive Programming in .Net - actorbased computing with Akka.NetSören Stelzer
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 

Semelhante a XPATH, LDAP and Path Traversal Injection (20)

Creating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | Prometheus
Creating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | PrometheusCreating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | Prometheus
Creating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | Prometheus
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
15 Text files
15 Text files15 Text files
15 Text files
 
Java I/O
Java I/OJava I/O
Java I/O
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
 
Solr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene EuroconSolr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene Eurocon
 
Hollywood mode off: security testing at scale
Hollywood mode off: security testing at scaleHollywood mode off: security testing at scale
Hollywood mode off: security testing at scale
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
 
Introduction to Laravel Framework (5.2)
Introduction to Laravel Framework (5.2)Introduction to Laravel Framework (5.2)
Introduction to Laravel Framework (5.2)
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
Attques web
Attques webAttques web
Attques web
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
 
How to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyHow to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ Effectively
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Reactive Programming in .Net - actorbased computing with Akka.Net
Reactive Programming in .Net - actorbased computing with Akka.NetReactive Programming in .Net - actorbased computing with Akka.Net
Reactive Programming in .Net - actorbased computing with Akka.Net
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 

Mais de Blueinfy Solutions

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and TestingBlueinfy Solutions
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application ReviewBlueinfy Solutions
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and SecurityBlueinfy Solutions
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams SecurityBlueinfy Solutions
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threatsBlueinfy Solutions
 

Mais de Blueinfy Solutions (18)

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application Review
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
 

Último

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

XPATH, LDAP and Path Traversal Injection

  • 1. XPATH, LDAP and Path-Traversal Injection
  • 3. XPATH injection • XPATH parsing standard error • XPATH is method available for XML parsing • MS SQL server provides interface and one can get table content in XML format. • Once this is fetched one can run XPATH queries and obtain results. • What if username/password parsing done on using XPATH – XPATH injection
  • 4. XPATH injection string fulltext = ""; string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass"; SqlXmlCommand co = new SqlXmlCommand(coString); co.RootTag="Credential"; co.CommandType = SqlXmlCommandType.Sql; co.CommandText = "SELECT * FROM users for xml Auto"; XmlReader xr = co.ExecuteXmlReader(); xr.MoveToContent(); fulltext = xr.ReadOuterXml(); XmlDocument doc = new XmlDocument(); doc.LoadXml(fulltext); string credential = "//users[@username='"+user+"' and @password='"+pass+"']"; XmlNodeList xmln = doc.SelectNodes(credential); string temp; if(xmln.Count > 0) { //True } else //false
  • 5. XPATH injection string credential = "//users[@username='"+user+"' and @password='"+pass+"']"; • XPATH parsing can be leveraged by passing following string ' or 1=1 or ''=‘ • This will always true on the first node and user can get access as who ever is first user. Bingo!
  • 7. Description • LDAP : Lightweight Directory Access Protocol • Runs over TCP/IP • Used for modifying and querying directory services • Object oriented • Stores and organizes information sharing some common attributes
  • 8. Attack Anatomy • Normal flow : Expected Input (Good query) Expected results
  • 9. Attack Anatomy • Checking for vulnerability : Erroneous Input (Bad query) Server Error/ Unexpected Behavior LDAP Injectable !!!
  • 10. Attack Anatomy • Common Injection methods : – AND Injection – OR Injection • Common risks : – Information Disclosure – Role Escalation – Authentication Bypass
  • 11. Attack Anatomy • AND injection – Normal query structure : (&(param1=val1)(param2=val2)) – Attacker tries to supply 2 values with the input for val1 – Thus, val2 is never checked for and the query is executed – Attacker inputs values which will always result to “true”
  • 12. Attack Anatomy Login Form Asks username and password
  • 13. Attack Anatomy Login Form Asks username and password Uname = abc, pwd = 123 Query : (&(uname=abc)(pwd=123))
  • 14. Attack Anatomy Login Form Asks username and password Uname = abc)(&), pwd = Query : (&(uname=abc)(&))(pwd=))
  • 15. Attack Anatomy • OR Injection – Similar to AND Injection – Normal query structure : (|(param1=val1)(param2=val2)) – Normally used by attacker for information disclosure
  • 16. Attack Anatomy Resource viewer : http://www.something.com/res.cgi?type=1 •Restricted access •Machines accessible to the uid of the user are displayed
  • 17. Attack Anatomy Resource viewer : http://www.something.com/res.cgi?type=1)(uid=*)) •Notice the injection •Attacker bypasses the user id check •(S)he can view all machines now
  • 18. Path Traversal & Injection
  • 19. Description • An application has numerous resources – Images – Sound – Videos – Background and page eye-candies • A normal application would group these in separate directories and put the code in a separate directory
  • 20. Description • A poorly developed application would use absolute/relative paths to reach the necessary resources • Even worst done applications would directly use user preferences from URL / cookies and append them to the URI for these resources • A user could modify the URL / cookie values and view files not meant for him/her
  • 21. Attack Anatomy • The attacker begins by identifying resources accessed via URIs • Then the attacker looks out for URLs or cookies which contain the resource identifiers • Usually, such applications set the resource names (and possibly even the paths) via URLs and cookies
  • 22. Attack Anatomy • Before the attacker begins to browse directories, (s)he tries to find out the operating system type of the server • This is necessary because unix based servers allow forward slash for directory traversal and windows based servers allow backward slash for directory traversal
  • 23. Attack Anatomy Attacker URL : http://something.com?pref=page1.html Interesting … pref =page1.html Attacker
  • 24. Attack Anatomy URL : http://something.com?pref=page1.html Serves back page1.html Maybe .... path traversal ??? Attacker
  • 26. Attack Anatomy Cookie: PREF=page1.html Sends back a page with page1.html as the background Maybe .... path traversal ??? Attacker
  • 27. Attack Anatomy • Once the attacker has determined that an application is vulnerable to path traversal, (s)he tries out the following, depending on – The operating system of the server – The level of input scanning the application does ...
  • 28. Attack Anatomy • Unix based servers – Uses forward slash (/) – Attacker begins with “../” sequences • If the application scans for sequences such as the dot-dot-slash, the attacker will try : – %2e%2e%2f – %2e%2e/ – ..%2f
  • 29. Attack Anatomy • Windows based servers – Uses backward slash () – Attacker begins with “..” sequences • If the application scans for sequences such as the dot-dot-slash, the attacker will try : – %2e%2e%5c – %2e%2d – ..%5c